github.com/replicatedhq/ship@v0.55.0/integration/init/istio/expected/rendered.yaml

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: adapter
    release: istio
  name: adapters.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: adapter
    plural: adapters
    singular: adapter
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: apikey
    release: istio
  name: apikeys.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: apikey
    plural: apikeys
    singular: apikey
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: core
    package: istio.io.mixer
    release: istio
  name: attributemanifests.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: attributemanifest
    plural: attributemanifests
    singular: attributemanifest
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: authorization
    release: istio
  name: authorizations.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: authorization
    plural: authorizations
    singular: authorization
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: bypass
    release: istio
  name: bypasses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: bypass
    plural: bypasses
    singular: bypass
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: checknothing
    release: istio
  name: checknothings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: checknothing
    plural: checknothings
    singular: checknothing
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: circonus
    release: istio
  name: circonuses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: circonus
    plural: circonuses
    singular: circonus
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-pilot
    heritage: Tiller
    istio: rbac
    release: istio
  name: clusterrbacconfigs.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: ClusterRbacConfig
    plural: clusterrbacconfigs
    singular: clusterrbacconfig
  scope: Cluster
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: denier
    release: istio
  name: deniers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: denier
    plural: deniers
    singular: denier
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: destinationrules.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: DestinationRule
    listKind: DestinationRuleList
    plural: destinationrules
    singular: destinationrule
  scope: Namespaced
  version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: edge
    release: istio
  name: edges.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: edge
    plural: edges
    singular: edge
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: envoyfilters.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: EnvoyFilter
    plural: envoyfilters
    singular: envoyfilter
  scope: Namespaced
  version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: fluentd
    release: istio
  name: fluentds.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: fluentd
    plural: fluentds
    singular: fluentd
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
    helm.sh/hook-weight: "-5"
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: gateways.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: Gateway
    plural: gateways
    singular: gateway
  scope: Namespaced
  version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-handler
    package: handler
    release: istio
  name: handlers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: handler
    plural: handlers
    singular: handler
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-mixer
    chart: istio
    heritage: Tiller
    release: istio
  name: httpapispecbindings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: HTTPAPISpecBinding
    plural: httpapispecbindings
    singular: httpapispecbinding
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-mixer
    chart: istio
    heritage: Tiller
    release: istio
  name: httpapispecs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: HTTPAPISpec
    plural: httpapispecs
    singular: httpapispec
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: instance
    release: istio
  name: instances.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: instance
    plural: instances
    singular: instance
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: kubernetesenv
    release: istio
  name: kubernetesenvs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: kubernetesenv
    plural: kubernetesenvs
    singular: kubernetesenv
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: adapter.template.kubernetes
    release: istio
  name: kuberneteses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: kubernetes
    plural: kuberneteses
    singular: kubernetes
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: listchecker
    release: istio
  name: listcheckers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: listchecker
    plural: listcheckers
    singular: listchecker
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: listentry
    release: istio
  name: listentries.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: listentry
    plural: listentries
    singular: listentry
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: logentry
    release: istio
  name: logentries.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: logentry
    plural: logentries
    singular: logentry
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: memquota
    release: istio
  name: memquotas.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: memquota
    plural: memquotas
    singular: memquota
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-citadel
    chart: istio
    heritage: Tiller
    release: istio
  name: meshpolicies.authentication.istio.io
spec:
  group: authentication.istio.io
  names:
    categories:
    - istio-io
    - authentication-istio-io
    kind: MeshPolicy
    listKind: MeshPolicyList
    plural: meshpolicies
    singular: meshpolicy
  scope: Cluster
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: metric
    release: istio
  name: metrics.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: metric
    plural: metrics
    singular: metric
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: noop
    release: istio
  name: noops.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: noop
    plural: noops
    singular: noop
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: opa
    release: istio
  name: opas.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: opa
    plural: opas
    singular: opa
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-citadel
    chart: istio
    heritage: Tiller
    release: istio
  name: policies.authentication.istio.io
spec:
  group: authentication.istio.io
  names:
    categories:
    - istio-io
    - authentication-istio-io
    kind: Policy
    plural: policies
    singular: policy
  scope: Namespaced
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: prometheus
    release: istio
  name: prometheuses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: prometheus
    plural: prometheuses
    singular: prometheus
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: quota
    release: istio
  name: quotas.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: quota
    plural: quotas
    singular: quota
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-mixer
    chart: istio
    heritage: Tiller
    release: istio
  name: quotaspecbindings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: QuotaSpecBinding
    plural: quotaspecbindings
    singular: quotaspecbinding
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-mixer
    chart: istio
    heritage: Tiller
    release: istio
  name: quotaspecs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: QuotaSpec
    plural: quotaspecs
    singular: quotaspec
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: rbac
    package: istio.io.mixer
    release: istio
  name: rbacconfigs.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: RbacConfig
    plural: rbacconfigs
    singular: rbacconfig
  scope: Namespaced
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: rbac
    release: istio
  name: rbacs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: rbac
    plural: rbacs
    singular: rbac
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: redisquota
    release: istio
  name: redisquotas.config.istio.io
spec:
  group: config.istio.io
  names:
    kind: redisquota
    plural: redisquotas
    singular: redisquota
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: reportnothing
    release: istio
  name: reportnothings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: reportnothing
    plural: reportnothings
    singular: reportnothing
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: core
    package: istio.io.mixer
    release: istio
  name: rules.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: rule
    plural: rules
    singular: rule
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: servicecontrolreport
    release: istio
  name: servicecontrolreports.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: servicecontrolreport
    plural: servicecontrolreports
    singular: servicecontrolreport
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: servicecontrol
    release: istio
  name: servicecontrols.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: servicecontrol
    plural: servicecontrols
    singular: servicecontrol
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: serviceentries.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: ServiceEntry
    listKind: ServiceEntryList
    plural: serviceentries
    singular: serviceentry
  scope: Namespaced
  version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: rbac
    package: istio.io.mixer
    release: istio
  name: servicerolebindings.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: ServiceRoleBinding
    plural: servicerolebindings
    singular: servicerolebinding
  scope: Namespaced
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: rbac
    package: istio.io.mixer
    release: istio
  name: serviceroles.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: ServiceRole
    plural: serviceroles
    singular: servicerole
  scope: Namespaced
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: signalfx
    release: istio
  name: signalfxs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: signalfx
    plural: signalfxs
    singular: signalfx
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: solarwinds
    release: istio
  name: solarwindses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: solarwinds
    plural: solarwindses
    singular: solarwinds
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: stackdriver
    release: istio
  name: stackdrivers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: stackdriver
    plural: stackdrivers
    singular: stackdriver
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: statsd
    release: istio
  name: statsds.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: statsd
    plural: statsds
    singular: statsd
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-adapter
    package: stdio
    release: istio
  name: stdios.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: stdio
    plural: stdios
    singular: stdio
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-template
    package: template
    release: istio
  name: templates.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: template
    plural: templates
    singular: template
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: mixer-instance
    package: tracespan
    release: istio
  name: tracespans.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: tracespan
    plural: tracespans
    singular: tracespan
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: virtualservices.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: VirtualService
    listKind: VirtualServiceList
    plural: virtualservices
    singular: virtualservice
  scope: Namespaced
  version: v1alpha3
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    app: sidecarInjectorWebhook
    release: istio
  name: istio-sidecar-injector
  namespace: default
webhooks:
- clientConfig:
    caBundle: ""
    service:
      name: istio-sidecar-injector
      namespace: default
      path: /inject
  failurePolicy: Fail
  name: sidecar-injector.istio.io
  namespaceSelector:
    matchLabels:
      istio-injection: enabled
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: security
    release: istio
  name: istio-citadel-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "1"
  labels:
    app: security
    release: istio
  name: istio-cleanup-secrets-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: gateways
    release: istio
  name: istio-egressgateway-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: galley
    release: istio
  name: istio-galley-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: gateways
    release: istio
  name: istio-ingressgateway-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: mixer
    release: istio
  name: istio-mixer-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: pilot
    release: istio
  name: istio-pilot-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: security
    release: istio
  name: istio-security-post-install-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: sidecarInjectorWebhook
    istio: sidecar-injector
    release: istio
  name: istio-sidecar-injector-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: prometheus
    release: istio
  name: prometheus
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: security
    release: istio
  name: istio-citadel-default
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - watch
  - list
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  annotations:
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "1"
  labels:
    app: security
    release: istio
  name: istio-cleanup-secrets-default
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: gateways
    release: istio
  name: istio-egressgateway-default
rules:
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
  - destinationrules
  - gateways
  verbs:
  - get
  - watch
  - list
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: galley
    release: istio
  name: istio-galley-default
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authentication.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - '*'
  resourceNames:
  - istio-galley
  resources:
  - deployments
  verbs:
  - get
- apiGroups:
  - '*'
  resourceNames:
  - istio-galley
  resources:
  - endpoints
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: gateways
    release: istio
  name: istio-ingressgateway-default
rules:
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
  - destinationrules
  - gateways
  verbs:
  - get
  - watch
  - list
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: mixer
    release: istio
  name: istio-mixer-default
rules:
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - create
  - get
  - list
  - watch
  - patch
- apiGroups:
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - pods
  - services
  - namespaces
  - secrets
  - replicationcontrollers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: pilot
    release: istio
  name: istio-pilot-default
rules:
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - authentication.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - nodes
  - secrets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: security
    release: istio
  name: istio-security-post-install-default
rules:
- apiGroups:
  - authentication.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - networking.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
- apiGroups:
  - extensions
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: sidecarInjectorWebhook
    istio: sidecar-injector
    release: istio
  name: istio-sidecar-injector-default
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: prometheus
    release: istio
  name: prometheus-default
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - services
  - endpoints
  - pods
  - nodes/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: security
    release: istio
  name: istio-citadel-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-citadel-default
subjects:
- kind: ServiceAccount
  name: istio-citadel-service-account
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  annotations:
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "2"
  labels:
    app: security
    release: istio
  name: istio-cleanup-secrets-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-cleanup-secrets-default
subjects:
- kind: ServiceAccount
  name: istio-cleanup-secrets-service-account
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: gateways
    release: istio
  name: istio-egressgateway-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name:
istio-egressgateway-default 1822 subjects: 1823 - kind: ServiceAccount 1824 name: istio-egressgateway-service-account 1825 namespace: default 1826 --- 1827 apiVersion: rbac.authorization.k8s.io/v1beta1 1828 kind: ClusterRoleBinding 1829 metadata: 1830 labels: 1831 app: galley 1832 release: istio 1833 name: istio-galley-admin-role-binding-default 1834 roleRef: 1835 apiGroup: rbac.authorization.k8s.io 1836 kind: ClusterRole 1837 name: istio-galley-default 1838 subjects: 1839 - kind: ServiceAccount 1840 name: istio-galley-service-account 1841 namespace: default 1842 --- 1843 apiVersion: rbac.authorization.k8s.io/v1beta1 1844 kind: ClusterRoleBinding 1845 metadata: 1846 labels: 1847 app: gateways 1848 release: istio 1849 name: istio-ingressgateway-default 1850 roleRef: 1851 apiGroup: rbac.authorization.k8s.io 1852 kind: ClusterRole 1853 name: istio-ingressgateway-default 1854 subjects: 1855 - kind: ServiceAccount 1856 name: istio-ingressgateway-service-account 1857 namespace: default 1858 --- 1859 apiVersion: rbac.authorization.k8s.io/v1beta1 1860 kind: ClusterRoleBinding 1861 metadata: 1862 labels: 1863 app: mixer 1864 release: istio 1865 name: istio-mixer-admin-role-binding-default 1866 roleRef: 1867 apiGroup: rbac.authorization.k8s.io 1868 kind: ClusterRole 1869 name: istio-mixer-default 1870 subjects: 1871 - kind: ServiceAccount 1872 name: istio-mixer-service-account 1873 namespace: default 1874 --- 1875 apiVersion: rbac.authorization.k8s.io/v1beta1 1876 kind: ClusterRoleBinding 1877 metadata: 1878 labels: 1879 app: pilot 1880 release: istio 1881 name: istio-pilot-default 1882 roleRef: 1883 apiGroup: rbac.authorization.k8s.io 1884 kind: ClusterRole 1885 name: istio-pilot-default 1886 subjects: 1887 - kind: ServiceAccount 1888 name: istio-pilot-service-account 1889 namespace: default 1890 --- 1891 apiVersion: rbac.authorization.k8s.io/v1beta1 1892 kind: ClusterRoleBinding 1893 metadata: 1894 labels: 1895 app: security 1896 release: istio 1897 name: 
istio-security-post-install-role-binding-default 1898 roleRef: 1899 apiGroup: rbac.authorization.k8s.io 1900 kind: ClusterRole 1901 name: istio-security-post-install-default 1902 subjects: 1903 - kind: ServiceAccount 1904 name: istio-security-post-install-account 1905 namespace: default 1906 --- 1907 apiVersion: rbac.authorization.k8s.io/v1beta1 1908 kind: ClusterRoleBinding 1909 metadata: 1910 labels: 1911 app: sidecarInjectorWebhook 1912 istio: sidecar-injector 1913 release: istio 1914 name: istio-sidecar-injector-admin-role-binding-default 1915 roleRef: 1916 apiGroup: rbac.authorization.k8s.io 1917 kind: ClusterRole 1918 name: istio-sidecar-injector-default 1919 subjects: 1920 - kind: ServiceAccount 1921 name: istio-sidecar-injector-service-account 1922 namespace: default 1923 --- 1924 apiVersion: rbac.authorization.k8s.io/v1beta1 1925 kind: ClusterRoleBinding 1926 metadata: 1927 labels: 1928 app: prometheus 1929 release: istio 1930 name: prometheus-default 1931 roleRef: 1932 apiGroup: rbac.authorization.k8s.io 1933 kind: ClusterRole 1934 name: prometheus-default 1935 subjects: 1936 - kind: ServiceAccount 1937 name: prometheus 1938 namespace: default 1939 --- 1940 apiVersion: v1 1941 data: 1942 accesslist.yaml: |- 1943 allowed: 1944 - spiffe://cluster.local/ns/default/sa/istio-mixer-service-account 1945 - spiffe://cluster.local/ns/default/sa/istio-pilot-service-account 1946 validatingwebhookconfiguration.yaml: |- 1947 apiVersion: admissionregistration.k8s.io/v1beta1 1948 kind: ValidatingWebhookConfiguration 1949 metadata: 1950 name: istio-galley 1951 namespace: default 1952 labels: 1953 app: galley 1954 chart: galley 1955 heritage: Tiller 1956 release: istio 1957 istio: galley 1958 webhooks: 1959 - name: pilot.validation.istio.io 1960 clientConfig: 1961 service: 1962 name: istio-galley 1963 namespace: default 1964 path: "/admitpilot" 1965 caBundle: "" 1966 rules: 1967 - operations: 1968 - CREATE 1969 - UPDATE 1970 apiGroups: 1971 - config.istio.io 1972 
apiVersions: 1973 - v1alpha2 1974 resources: 1975 - httpapispecs 1976 - httpapispecbindings 1977 - quotaspecs 1978 - quotaspecbindings 1979 - operations: 1980 - CREATE 1981 - UPDATE 1982 apiGroups: 1983 - rbac.istio.io 1984 apiVersions: 1985 - "*" 1986 resources: 1987 - "*" 1988 - operations: 1989 - CREATE 1990 - UPDATE 1991 apiGroups: 1992 - authentication.istio.io 1993 apiVersions: 1994 - "*" 1995 resources: 1996 - "*" 1997 - operations: 1998 - CREATE 1999 - UPDATE 2000 apiGroups: 2001 - networking.istio.io 2002 apiVersions: 2003 - "*" 2004 resources: 2005 - destinationrules 2006 - envoyfilters 2007 - gateways 2008 - serviceentries 2009 - virtualservices 2010 failurePolicy: Fail 2011 - name: mixer.validation.istio.io 2012 clientConfig: 2013 service: 2014 name: istio-galley 2015 namespace: default 2016 path: "/admitmixer" 2017 caBundle: "" 2018 rules: 2019 - operations: 2020 - CREATE 2021 - UPDATE 2022 apiGroups: 2023 - config.istio.io 2024 apiVersions: 2025 - v1alpha2 2026 resources: 2027 - rules 2028 - attributemanifests 2029 - circonuses 2030 - deniers 2031 - fluentds 2032 - kubernetesenvs 2033 - listcheckers 2034 - memquotas 2035 - noops 2036 - opas 2037 - prometheuses 2038 - rbacs 2039 - servicecontrols 2040 - solarwindses 2041 - stackdrivers 2042 - statsds 2043 - stdios 2044 - apikeys 2045 - authorizations 2046 - checknothings 2047 # - kuberneteses 2048 - listentries 2049 - logentries 2050 - metrics 2051 - quotas 2052 - reportnothings 2053 - servicecontrolreports 2054 - tracespans 2055 failurePolicy: Fail 2056 kind: ConfigMap 2057 metadata: 2058 labels: 2059 app: galley 2060 istio: galley 2061 release: istio 2062 name: istio-galley-configuration 2063 namespace: default 2064 --- 2065 apiVersion: v1 2066 data: 2067 custom-resources.yaml: |- 2068 # Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh. 
2069 apiVersion: "authentication.istio.io/v1alpha1" 2070 kind: "MeshPolicy" 2071 metadata: 2072 name: "default" 2073 labels: 2074 app: security 2075 chart: security 2076 heritage: Tiller 2077 release: istio 2078 spec: 2079 peers: 2080 - mtls: 2081 mode: PERMISSIVE 2082 run.sh: |- 2083 #!/bin/sh 2084 2085 set -x 2086 2087 if [ "$#" -ne "1" ]; then 2088 echo "first argument should be path to custom resource yaml" 2089 exit 1 2090 fi 2091 2092 pathToResourceYAML=${1} 2093 2094 kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null 2095 if [ "$?" -eq 0 ]; then 2096 echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" 2097 while true; do 2098 kubectl -n default get deployment istio-galley 2>/dev/null 2099 if [ "$?" -eq 0 ]; then 2100 break 2101 fi 2102 sleep 1 2103 done 2104 kubectl -n default rollout status deployment istio-galley 2105 if [ "$?" -ne 0 ]; then 2106 echo "istio-galley deployment rollout status check failed" 2107 exit 1 2108 fi 2109 echo "istio-galley deployment ready for configuration validation" 2110 fi 2111 sleep 5 2112 kubectl apply -f ${pathToResourceYAML} 2113 kind: ConfigMap 2114 metadata: 2115 labels: 2116 app: security 2117 istio: citadel 2118 release: istio 2119 name: istio-security-custom-resources 2120 namespace: default 2121 --- 2122 apiVersion: v1 2123 data: 2124 config: "policy: enabled\ntemplate: |-\n initContainers:\n - name: istio-init\n image: \"gcr.io/istio-release/proxy_init:master-latest-daily\"\n args:\n - \"-p\"\n - [[ .MeshConfig.ProxyListenPort ]]\n - \"-u\"\n - 1337\n - \"-m\"\n - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]\n - \"-i\"\n - \"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` \"*\" ]]\"\n - \"-x\"\n - \"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` \"\" ]]\"\n - \"-b\"\n - \"[[ annotation .ObjectMeta 
`traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"\n - \"-d\"\n - \"[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` \"\" ) ]]\"\n imagePullPolicy: IfNotPresent\n resources:\n requests:\n cpu: 10m\n memory: 10Mi\n limits:\n cpu: 10m\n memory: 10Mi\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n restartPolicy: Always\n \n containers:\n - name: istio-proxy\n image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` \"gcr.io/istio-release/proxyv2:master-latest-daily\" ]]\n\n ports:\n - containerPort: 15090\n protocol: TCP\n name: http-envoy-prom\n\n args:\n - proxy\n - sidecar\n - --configPath\n - [[ .ProxyConfig.ConfigPath ]]\n - --binaryPath\n - [[ .ProxyConfig.BinaryPath ]]\n - --serviceCluster\n [[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]\n - [[ index .ObjectMeta.Labels \"app\" ]].[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]]\n [[ else -]]\n - [[ valueOrDefault .DeploymentMeta.Name \"istio-proxy\" ]].[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]]\n [[ end -]]\n - --drainDuration\n - [[ formatDuration .ProxyConfig.DrainDuration ]]\n - --parentShutdownDuration\n - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]\n - --discoveryAddress\n - [[ .ProxyConfig.DiscoveryAddress ]]\n - --zipkinAddress\n - [[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]]\n - --connectTimeout\n - [[ formatDuration .ProxyConfig.ConnectTimeout ]]\n - --proxyAdminPort\n - [[ .ProxyConfig.ProxyAdminPort ]]\n [[ if gt .ProxyConfig.Concurrency 0 -]]\n - --concurrency\n - [[ .ProxyConfig.Concurrency ]]\n [[ end -]]\n - --controlPlaneAuthPolicy\n - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]\n [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) \"0\") ]]\n - --statusPort\n - [[ annotation .ObjectMeta 
`status.sidecar.istio.io/port` 15020 ]]\n - --applicationPorts\n - \"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"\n [[- end ]]\n env:\n - name: POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: INSTANCE_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n - name: ISTIO_META_POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: ISTIO_META_INTERCEPTION_MODE\n value: [[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]\n [[ if .ObjectMeta.Annotations ]]\n - name: ISTIO_METAJSON_ANNOTATIONS\n value: |\n [[ toJSON .ObjectMeta.Annotations ]]\n [[ end ]]\n [[ range $k,$v := .ObjectMeta.Labels ]]\n - name: ISTIO_META_[[ $k ]]\n value: \"[[ $v ]]\"\n [[ end ]]\n imagePullPolicy: IfNotPresent\n [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) \"0\") ]]\n readinessProbe:\n httpGet:\n path: /healthz/ready\n port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]]\n initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 1 ]]\n periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` 2 ]]\n failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` 30 ]]\n [[ end -]]securityContext:\n \n readOnlyRootFilesystem: true\n [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]\n capabilities:\n add:\n - NET_ADMIN\n runAsGroup: 1337\n [[ else -]]\n runAsUser: 1337\n [[- end ]]\n resources:\n [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]\n requests:\n cpu: \"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"\n memory: \"[[ index .ObjectMeta.Annotations 
`sidecar.istio.io/proxyMemory` ]]\"\n [[ else -]]\n requests:\n cpu: 10m\n \n [[ end -]]\n volumeMounts:\n - mountPath: /etc/istio/proxy\n name: istio-envoy\n - mountPath: /etc/certs/\n name: istio-certs\n readOnly: true\n \n \n volumes:\n \n \n - emptyDir:\n medium: Memory\n name: istio-envoy\n - name: istio-certs\n secret:\n optional: true\n [[ if eq .Spec.ServiceAccountName \"\" -]]\n secretName: istio.default\n [[ else -]]\n secretName: [[ printf \"istio.%s\" .Spec.ServiceAccountName ]]\n [[ end -]]" 2125 kind: ConfigMap 2126 metadata: 2127 labels: 2128 app: istio 2129 istio: sidecar-injector 2130 release: istio 2131 name: istio-sidecar-injector 2132 namespace: default 2133 --- 2134 apiVersion: v1 2135 data: 2136 mesh: "# Set the following variable to true to disable policy checks by the Mixer.\n# Note that metrics will still be reported to the Mixer.\ndisablePolicyChecks: false\n\n# Set enableTracing to false to disable request tracing.\nenableTracing: true\n\n# Set accessLogFile to empty string to disable access log.\naccessLogFile: \"/dev/stdout\"\n#\n# Deprecated: mixer is using EDS\nmixerCheckServer: istio-policy.default.svc.cluster.local:9091\nmixerReportServer: istio-telemetry.default.svc.cluster.local:9091\n\n# Unix Domain Socket through which envoy communicates with NodeAgent SDS to get\n# key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. 
\nsdsUdsPath: \"\"\n\n#\ndefaultConfig:\n #\n # TCP connection timeout between Envoy & the application, and between Envoys.\n connectTimeout: 10s\n #\n ### ADVANCED SETTINGS #############\n # Where should envoy's configuration be stored in the istio-proxy container\n configPath: \"/etc/istio/proxy\"\n binaryPath: \"/usr/local/bin/envoy\"\n # The pseudo service name used for Envoy.\n serviceCluster: istio-proxy\n # These settings that determine how long an old Envoy\n # process should be kept alive after an occasional reload.\n drainDuration: 45s\n parentShutdownDuration: 1m0s\n #\n # The mode used to redirect inbound connections to Envoy. This setting\n # has no effect on outbound traffic: iptables REDIRECT is always used for\n # outbound connections.\n # If \"REDIRECT\", use iptables REDIRECT to NAT and redirect to Envoy.\n # The \"REDIRECT\" mode loses source addresses during redirection.\n # If \"TPROXY\", use iptables TPROXY to redirect to Envoy.\n # The \"TPROXY\" mode preserves both the source and destination IP\n # addresses and ports, so that they can be used for advanced filtering\n # and manipulation.\n # The \"TPROXY\" mode also configures the sidecar to run with the\n # CAP_NET_ADMIN capability, which is required to use TPROXY.\n #interceptionMode: REDIRECT\n #\n # Port where Envoy listens (on local host) for admin commands\n # You can exec into the istio-proxy container in a pod and\n # curl the admin port (curl http://localhost:15000/) to obtain\n # diagnostic information from Envoy. 
See\n # https://lyft.github.io/envoy/docs/operations/admin.html\n # for more details\n proxyAdminPort: 15000\n #\n # Set concurrency to a specific number to control the number of Proxy worker threads.\n # If set to 0 (default), then start worker thread for each CPU thread/core.\n concurrency: 0\n #\n tracing:\n zipkin:\n # Address of the Zipkin collector\n address: zipkin.default:9411\n #\n # Mutual TLS authentication between sidecars and istio control plane.\n controlPlaneAuthPolicy: NONE\n #\n # Address where istio Pilot service is running\n discoveryAddress: istio-pilot.default:15010" 2137 kind: ConfigMap 2138 metadata: 2139 labels: 2140 app: istio 2141 release: istio 2142 name: istio 2143 namespace: default 2144 --- 2145 apiVersion: v1 2146 data: 2147 prometheus.yml: |- 2148 global: 2149 scrape_interval: 15s 2150 scrape_configs: 2151 2152 - job_name: 'istio-mesh' 2153 # Override the global default and scrape targets from this job every 5 seconds. 2154 scrape_interval: 5s 2155 2156 kubernetes_sd_configs: 2157 - role: endpoints 2158 namespaces: 2159 names: 2160 - default 2161 2162 relabel_configs: 2163 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2164 action: keep 2165 regex: istio-telemetry;prometheus 2166 2167 2168 # Scrape config for envoy stats 2169 - job_name: 'envoy-stats' 2170 metrics_path: /stats/prometheus 2171 kubernetes_sd_configs: 2172 - role: pod 2173 2174 relabel_configs: 2175 - source_labels: [__meta_kubernetes_pod_container_port_name] 2176 action: keep 2177 regex: '.*-envoy-prom' 2178 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 2179 action: replace 2180 regex: ([^:]+)(?::\d+)?;(\d+) 2181 replacement: $1:15090 2182 target_label: __address__ 2183 - action: labelmap 2184 regex: __meta_kubernetes_pod_label_(.+) 2185 - source_labels: [__meta_kubernetes_namespace] 2186 action: replace 2187 target_label: namespace 2188 - source_labels: [__meta_kubernetes_pod_name] 2189 
action: replace 2190 target_label: pod_name 2191 2192 metric_relabel_configs: 2193 # Exclude some of the envoy metrics that have massive cardinality 2194 # This list may need to be pruned further moving forward, as informed 2195 # by performance and scalability testing. 2196 - source_labels: [ cluster_name ] 2197 regex: '(outbound|inbound|prometheus_stats).*' 2198 action: drop 2199 - source_labels: [ tcp_prefix ] 2200 regex: '(outbound|inbound|prometheus_stats).*' 2201 action: drop 2202 - source_labels: [ listener_address ] 2203 regex: '(.+)' 2204 action: drop 2205 - source_labels: [ http_conn_manager_listener_prefix ] 2206 regex: '(.+)' 2207 action: drop 2208 - source_labels: [ http_conn_manager_prefix ] 2209 regex: '(.+)' 2210 action: drop 2211 - source_labels: [ __name__ ] 2212 regex: 'envoy_tls.*' 2213 action: drop 2214 - source_labels: [ __name__ ] 2215 regex: 'envoy_tcp_downstream.*' 2216 action: drop 2217 - source_labels: [ __name__ ] 2218 regex: 'envoy_http_(stats|admin).*' 2219 action: drop 2220 - source_labels: [ __name__ ] 2221 regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*' 2222 action: drop 2223 2224 2225 - job_name: 'istio-policy' 2226 # Override the global default and scrape targets from this job every 5 seconds. 2227 scrape_interval: 5s 2228 # metrics_path defaults to '/metrics' 2229 # scheme defaults to 'http'. 2230 2231 kubernetes_sd_configs: 2232 - role: endpoints 2233 namespaces: 2234 names: 2235 - default 2236 2237 2238 relabel_configs: 2239 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2240 action: keep 2241 regex: istio-policy;http-monitoring 2242 2243 - job_name: 'istio-telemetry' 2244 # Override the global default and scrape targets from this job every 5 seconds. 2245 scrape_interval: 5s 2246 # metrics_path defaults to '/metrics' 2247 # scheme defaults to 'http'. 
2248 2249 kubernetes_sd_configs: 2250 - role: endpoints 2251 namespaces: 2252 names: 2253 - default 2254 2255 relabel_configs: 2256 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2257 action: keep 2258 regex: istio-telemetry;http-monitoring 2259 2260 - job_name: 'pilot' 2261 # Override the global default and scrape targets from this job every 5 seconds. 2262 scrape_interval: 5s 2263 # metrics_path defaults to '/metrics' 2264 # scheme defaults to 'http'. 2265 2266 kubernetes_sd_configs: 2267 - role: endpoints 2268 namespaces: 2269 names: 2270 - default 2271 2272 relabel_configs: 2273 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2274 action: keep 2275 regex: istio-pilot;http-monitoring 2276 2277 - job_name: 'galley' 2278 # Override the global default and scrape targets from this job every 5 seconds. 2279 scrape_interval: 5s 2280 # metrics_path defaults to '/metrics' 2281 # scheme defaults to 'http'. 2282 2283 kubernetes_sd_configs: 2284 - role: endpoints 2285 namespaces: 2286 names: 2287 - default 2288 2289 relabel_configs: 2290 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2291 action: keep 2292 regex: istio-galley;http-monitoring 2293 2294 # scrape config for API servers 2295 - job_name: 'kubernetes-apiservers' 2296 kubernetes_sd_configs: 2297 - role: endpoints 2298 namespaces: 2299 names: 2300 - default 2301 scheme: https 2302 tls_config: 2303 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 2304 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token 2305 relabel_configs: 2306 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2307 action: keep 2308 regex: kubernetes;https 2309 2310 # scrape config for nodes (kubelet) 2311 - job_name: 'kubernetes-nodes' 2312 scheme: https 2313 tls_config: 2314 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 2315 
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token 2316 kubernetes_sd_configs: 2317 - role: node 2318 relabel_configs: 2319 - action: labelmap 2320 regex: __meta_kubernetes_node_label_(.+) 2321 - target_label: __address__ 2322 replacement: kubernetes.default.svc:443 2323 - source_labels: [__meta_kubernetes_node_name] 2324 regex: (.+) 2325 target_label: __metrics_path__ 2326 replacement: /api/v1/nodes/${1}/proxy/metrics 2327 2328 # Scrape config for Kubelet cAdvisor. 2329 # 2330 # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics 2331 # (those whose names begin with 'container_') have been removed from the 2332 # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to 2333 # retrieve those metrics. 2334 # 2335 # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor 2336 # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" 2337 # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with 2338 # the --cadvisor-port=0 Kubelet flag). 2339 # 2340 # This job is not necessary and should be removed in Kubernetes 1.6 and 2341 # earlier versions, or it will cause the metrics to be scraped twice. 2342 - job_name: 'kubernetes-cadvisor' 2343 scheme: https 2344 tls_config: 2345 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 2346 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token 2347 kubernetes_sd_configs: 2348 - role: node 2349 relabel_configs: 2350 - action: labelmap 2351 regex: __meta_kubernetes_node_label_(.+) 2352 - target_label: __address__ 2353 replacement: kubernetes.default.svc:443 2354 - source_labels: [__meta_kubernetes_node_name] 2355 regex: (.+) 2356 target_label: __metrics_path__ 2357 replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor 2358 2359 # scrape config for service endpoints. 
2360 - job_name: 'kubernetes-service-endpoints' 2361 kubernetes_sd_configs: 2362 - role: endpoints 2363 relabel_configs: 2364 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] 2365 action: keep 2366 regex: true 2367 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] 2368 action: replace 2369 target_label: __scheme__ 2370 regex: (https?) 2371 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] 2372 action: replace 2373 target_label: __metrics_path__ 2374 regex: (.+) 2375 - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] 2376 action: replace 2377 target_label: __address__ 2378 regex: ([^:]+)(?::\d+)?;(\d+) 2379 replacement: $1:$2 2380 - action: labelmap 2381 regex: __meta_kubernetes_service_label_(.+) 2382 - source_labels: [__meta_kubernetes_namespace] 2383 action: replace 2384 target_label: kubernetes_namespace 2385 - source_labels: [__meta_kubernetes_service_name] 2386 action: replace 2387 target_label: kubernetes_name 2388 2389 - job_name: 'kubernetes-pods' 2390 kubernetes_sd_configs: 2391 - role: pod 2392 relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. 
2393 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] 2394 action: keep 2395 regex: true 2396 - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status] 2397 action: drop 2398 regex: (.+) 2399 - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] 2400 action: drop 2401 regex: (true) 2402 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] 2403 action: replace 2404 target_label: __metrics_path__ 2405 regex: (.+) 2406 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 2407 action: replace 2408 regex: ([^:]+)(?::\d+)?;(\d+) 2409 replacement: $1:$2 2410 target_label: __address__ 2411 - action: labelmap 2412 regex: __meta_kubernetes_pod_label_(.+) 2413 - source_labels: [__meta_kubernetes_namespace] 2414 action: replace 2415 target_label: namespace 2416 - source_labels: [__meta_kubernetes_pod_name] 2417 action: replace 2418 target_label: pod_name 2419 2420 - job_name: 'kubernetes-pods-istio-secure' 2421 scheme: https 2422 tls_config: 2423 ca_file: /etc/istio-certs/root-cert.pem 2424 cert_file: /etc/istio-certs/cert-chain.pem 2425 key_file: /etc/istio-certs/key.pem 2426 insecure_skip_verify: true # prometheus does not support secure naming. 2427 kubernetes_sd_configs: 2428 - role: pod 2429 relabel_configs: 2430 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] 2431 action: keep 2432 regex: true 2433 # sidecar status annotation is added by sidecar injector and 2434 # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. 
2435 - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] 2436 action: keep 2437 regex: (([^;]+);([^;]*))|(([^;]*);(true)) 2438 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] 2439 action: replace 2440 target_label: __metrics_path__ 2441 regex: (.+) 2442 - source_labels: [__address__] # Only keep address that is host:port 2443 action: keep # otherwise an extra target with ':443' is added for https scheme 2444 regex: ([^:]+):(\d+) 2445 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 2446 action: replace 2447 regex: ([^:]+)(?::\d+)?;(\d+) 2448 replacement: $1:$2 2449 target_label: __address__ 2450 - action: labelmap 2451 regex: __meta_kubernetes_pod_label_(.+) 2452 - source_labels: [__meta_kubernetes_namespace] 2453 action: replace 2454 target_label: namespace 2455 - source_labels: [__meta_kubernetes_pod_name] 2456 action: replace 2457 target_label: pod_name 2458 kind: ConfigMap 2459 metadata: 2460 labels: 2461 app: prometheus 2462 release: istio 2463 name: prometheus 2464 namespace: default 2465 --- 2466 apiVersion: v1 2467 kind: Service 2468 metadata: 2469 labels: 2470 app: security 2471 istio: citadel 2472 release: istio 2473 name: istio-citadel 2474 namespace: default 2475 spec: 2476 ports: 2477 - name: grpc-citadel 2478 port: 8060 2479 protocol: TCP 2480 targetPort: 8060 2481 - name: http-monitoring 2482 port: 9093 2483 selector: 2484 istio: citadel 2485 --- 2486 apiVersion: v1 2487 kind: Service 2488 metadata: 2489 annotations: null 2490 labels: 2491 app: istio-egressgateway 2492 istio: egressgateway 2493 release: istio 2494 name: istio-egressgateway 2495 namespace: default 2496 spec: 2497 ports: 2498 - name: http2 2499 port: 80 2500 - name: https 2501 port: 443 2502 selector: 2503 app: istio-egressgateway 2504 istio: egressgateway 2505 type: ClusterIP 2506 --- 2507 apiVersion: v1 2508 kind: Service 2509 metadata: 2510 labels: 2511 app: 
galley 2512 istio: galley 2513 release: istio 2514 name: istio-galley 2515 namespace: default 2516 spec: 2517 ports: 2518 - name: https-validation 2519 port: 443 2520 - name: http-monitoring 2521 port: 9093 2522 - name: grpc-mcp 2523 port: 9901 2524 selector: 2525 istio: galley 2526 --- 2527 apiVersion: v1 2528 kind: Service 2529 metadata: 2530 annotations: null 2531 labels: 2532 app: istio-ingressgateway 2533 istio: ingressgateway 2534 release: istio 2535 name: istio-ingressgateway 2536 namespace: default 2537 spec: 2538 ports: 2539 - name: http2 2540 nodePort: 31380 2541 port: 80 2542 targetPort: 80 2543 - name: https 2544 nodePort: 31390 2545 port: 443 2546 - name: tcp 2547 nodePort: 31400 2548 port: 31400 2549 - name: http-kiali 2550 port: 15029 2551 targetPort: 15029 2552 - name: http2-prometheus 2553 port: 15030 2554 targetPort: 15030 2555 - name: http2-grafana 2556 port: 15031 2557 targetPort: 15031 2558 - name: http2-tracing 2559 port: 15032 2560 targetPort: 15032 2561 selector: 2562 app: istio-ingressgateway 2563 istio: ingressgateway 2564 type: LoadBalancer 2565 --- 2566 apiVersion: v1 2567 kind: Service 2568 metadata: 2569 labels: 2570 app: pilot 2571 istio: pilot 2572 release: istio 2573 name: istio-pilot 2574 namespace: default 2575 spec: 2576 ports: 2577 - name: grpc-xds 2578 port: 15010 2579 - name: https-xds 2580 port: 15011 2581 - name: http-legacy-discovery 2582 port: 8080 2583 - name: http-monitoring 2584 port: 9093 2585 selector: 2586 istio: pilot 2587 --- 2588 apiVersion: v1 2589 kind: Service 2590 metadata: 2591 labels: 2592 app: mixer 2593 istio: mixer 2594 release: istio 2595 name: istio-policy 2596 namespace: default 2597 spec: 2598 ports: 2599 - name: grpc-mixer 2600 port: 9091 2601 - name: grpc-mixer-mtls 2602 port: 15004 2603 - name: http-monitoring 2604 port: 9093 2605 selector: 2606 istio: mixer 2607 istio-mixer-type: policy 2608 --- 2609 apiVersion: v1 2610 kind: Service 2611 metadata: 2612 labels: 2613 app: sidecarInjectorWebhook 
    istio: sidecar-injector
    release: istio
  name: istio-sidecar-injector
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    istio: sidecar-injector
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mixer
    istio: mixer
    release: istio
  name: istio-telemetry
  namespace: default
spec:
  ports:
  - name: grpc-mixer
    port: 9091
  - name: grpc-mixer-mtls
    port: 15004
  - name: http-monitoring
    port: 9093
  - name: prometheus
    port: 42422
  selector:
    istio: mixer
    istio-mixer-type: telemetry
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    prometheus.io/scrape: "true"
  labels:
    app: prometheus
    release: istio
  name: prometheus
  namespace: default
spec:
  ports:
  - name: http-prometheus
    port: 9090
    protocol: TCP
  selector:
    app: prometheus
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: security
    istio: citadel
    release: istio
  name: istio-citadel
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: security
        chart: security
        heritage: Tiller
        istio: citadel
        release: istio
        version: 1.1.0
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - --append-dns-names=true
        - --grpc-port=8060
        - --grpc-hostname=citadel
        - --citadel-storage-namespace=default
        - --custom-dns-names=istio-pilot-service-account.default:istio-pilot.default
        - --self-signed-ca=true
        - --identity-domain=cluster.local
        image: gcr.io/istio-release/citadel:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: citadel
        resources:
          requests:
            cpu: 10m
      serviceAccountName: istio-citadel-service-account
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: istio-egressgateway
    istio: egressgateway
    release: istio
  name: istio-egressgateway
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: istio-egressgateway
        chart: gateways
        heritage: Tiller
        istio: egressgateway
        release: istio
        version: 1.1.0
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - proxy
        - router
        - --log_output_level
        - info
        - --drainDuration
        - 45s
        - --parentShutdownDuration
        - 1m0s
        - --connectTimeout
        - 10s
        - --serviceCluster
        - istio-egressgateway
        - --zipkinAddress
        - zipkin:9411
        - --proxyAdminPort
        - "15000"
        - --controlPlaneAuthPolicy
        - NONE
        - --discoveryAddress
        - istio-pilot:15010
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
          value: ""
        image: gcr.io/istio-release/proxyv2:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /etc/istio/egressgateway-certs
          name: egressgateway-certs
          readOnly: true
        - mountPath: /etc/istio/egressgateway-ca-certs
          name: egressgateway-ca-certs
          readOnly: true
      serviceAccountName: istio-egressgateway-service-account
      volumes:
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-egressgateway-service-account
      - name: egressgateway-certs
        secret:
          optional: true
          secretName: istio-egressgateway-certs
      - name: egressgateway-ca-certs
        secret:
          optional: true
          secretName: istio-egressgateway-ca-certs
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: galley
    istio: galley
    release: istio
  name: istio-galley
  namespace: default
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: galley
        chart: galley
        heritage: Tiller
        istio: galley
        release: istio
        version: 1.1.0
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - command:
        - /usr/local/bin/galley
        - --caCertFile=/etc/istio/certs/root-cert.pem
        - --tlsCertFile=/etc/istio/certs/cert-chain.pem
        - --tlsKeyFile=/etc/istio/certs/key.pem
        - --livenessProbeInterval=1s
        - --livenessProbePath=/healthliveness
        - --readinessProbePath=/healthready
        - --readinessProbeInterval=1s
        - --insecure=true
        - --validation-webhook-config-file
        - /etc/istio/config/validatingwebhookconfiguration.yaml
        image: gcr.io/istio-release/galley:master-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          exec:
            command:
            - /usr/local/bin/galley
            - probe
            - --probe-path=/healthliveness
            - --interval=10s
          initialDelaySeconds: 5
          periodSeconds: 5
        name: galley
        ports:
        - containerPort: 443
        - containerPort: 9093
        - containerPort: 9901
        readinessProbe:
          exec:
            command:
            - /usr/local/bin/galley
            - probe
            - --probe-path=/healthready
            - --interval=10s
          initialDelaySeconds: 5
          periodSeconds: 5
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/istio/certs
          name: certs
          readOnly: true
        - mountPath: /etc/istio/config
          name: config
          readOnly: true
      serviceAccountName: istio-galley-service-account
      volumes:
      - name: certs
        secret:
          secretName: istio.istio-galley-service-account
      - configMap:
          name: istio-galley-configuration
        name: config
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
    release: istio
  name: istio-ingressgateway
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Tiller
        istio: ingressgateway
        release: istio
        version: 1.1.0
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - proxy
        - router
        - --log_output_level
        - info
        - --drainDuration
        - 45s
        - --parentShutdownDuration
        - 1m0s
        - --connectTimeout
        - 10s
        - --serviceCluster
        - istio-ingressgateway
        - --zipkinAddress
        - zipkin:9411
        - --proxyAdminPort
        - "15000"
        - --controlPlaneAuthPolicy
        - NONE
        - --discoveryAddress
        - istio-pilot:15010
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        image: gcr.io/istio-release/proxyv2:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 31400
        - containerPort: 15029
        - containerPort: 15030
        - containerPort: 15031
        - containerPort: 15032
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      serviceAccountName: istio-ingressgateway-service-account
      volumes:
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-ingressgateway-service-account
      - name: ingressgateway-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-certs
      - name: ingressgateway-ca-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-ca-certs
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9
  labels:
    app: pilot
    istio: pilot
    release: istio
  name: istio-pilot
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: pilot
        chart: pilot
        heritage: Tiller
        istio: pilot
        release: istio
        version: 1.1.0
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - discovery
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: PILOT_CACHE_SQUASH
          value: "5"
        - name: GODEBUG
          value: gctrace=2
        - name: PILOT_PUSH_THROTTLE_COUNT
          value: "100"
        - name: PILOT_TRACE_SAMPLING
          value: "100"
        image: gcr.io/istio-release/pilot:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: discovery
        ports:
        - containerPort: 8080
        - containerPort: 15010
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 30
          timeoutSeconds: 5
        resources:
          requests:
            cpu: 500m
            memory: 2048Mi
        volumeMounts:
        - mountPath: /etc/istio/config
          name: config-volume
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
      - args:
        - proxy
        - --serviceCluster
        - istio-pilot
        - --templateFile
        - /etc/istio/proxy/envoy_pilot.yaml.tmpl
        - --controlPlaneAuthPolicy
        - NONE
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        image: gcr.io/istio-release/proxyv2:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15003
        - containerPort: 15005
        - containerPort: 15007
        - containerPort: 15011
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
      serviceAccountName: istio-pilot-service-account
      volumes:
      - configMap:
          name: istio
        name: config-volume
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-pilot-service-account
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: mixer
    istio: mixer
    release: istio
  name: istio-policy
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: mixer
        chart: mixer
        heritage: Tiller
        istio: mixer
        istio-mixer-type: policy
        release: istio
        version: 1.1.0
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - --address
        - unix:///sock/mixer.socket
        - --configStoreURL=k8s://
        - --configDefaultNamespace=default
        - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
        env:
        - name: GODEBUG
          value: gctrace=2
        image: gcr.io/istio-release/mixer:master-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /version
            port: 9093
          initialDelaySeconds: 5
          periodSeconds: 5
        name: mixer
        ports:
        - containerPort: 9093
        - containerPort: 42422
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /sock
          name: uds-socket
      - args:
        - proxy
        - --serviceCluster
        - istio-policy
        - --templateFile
        - /etc/istio/proxy/envoy_policy.yaml.tmpl
        - --controlPlaneAuthPolicy
        - NONE
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        image: gcr.io/istio-release/proxyv2:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 9091
        - containerPort: 15004
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /sock
          name: uds-socket
      serviceAccountName: istio-mixer-service-account
      volumes:
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-mixer-service-account
      - emptyDir: {}
        name: uds-socket
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: sidecarInjectorWebhook
    istio: sidecar-injector
    release: istio
  name: istio-sidecar-injector
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: sidecarInjectorWebhook
        chart: sidecarInjectorWebhook
        heritage: Tiller
        istio: sidecar-injector
        release: istio
        version: 1.1.0
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - --caCertFile=/etc/istio/certs/root-cert.pem
        - --tlsCertFile=/etc/istio/certs/cert-chain.pem
        - --tlsKeyFile=/etc/istio/certs/key.pem
        - --injectConfig=/etc/istio/inject/config
        - --meshConfig=/etc/istio/config/mesh
        - --healthCheckInterval=2s
        - --healthCheckFile=/health
        image: gcr.io/istio-release/sidecar_injector:master-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          exec:
            command:
            - /usr/local/bin/sidecar-injector
            - probe
            - --probe-path=/health
            - --interval=4s
          initialDelaySeconds: 4
          periodSeconds: 4
        name: sidecar-injector-webhook
        readinessProbe:
          exec:
            command:
            - /usr/local/bin/sidecar-injector
            - probe
            - --probe-path=/health
            - --interval=4s
          initialDelaySeconds: 4
          periodSeconds: 4
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/istio/config
          name: config-volume
          readOnly: true
        - mountPath: /etc/istio/certs
          name: certs
          readOnly: true
        - mountPath: /etc/istio/inject
          name: inject-config
          readOnly: true
      serviceAccountName: istio-sidecar-injector-service-account
      volumes:
      - configMap:
          name: istio
        name: config-volume
      - name: certs
        secret:
          secretName: istio.istio-sidecar-injector-service-account
      - configMap:
          items:
          - key: config
            path: config
          name: istio-sidecar-injector
        name: inject-config
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: mixer
    istio: mixer
    release: istio
  name: istio-telemetry
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: mixer
        chart: mixer
        heritage: Tiller
        istio: mixer
        istio-mixer-type: telemetry
        release: istio
        version: 1.1.0
    spec:
      containers:
      - args:
        - --address
        - unix:///sock/mixer.socket
        - --configStoreURL=k8s://
        - --configDefaultNamespace=default
        - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
        env:
        - name: GODEBUG
          value: gctrace=2
        image: gcr.io/istio-release/mixer:master-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /version
            port: 9093
          initialDelaySeconds: 5
          periodSeconds: 5
        name: mixer
        ports:
        - containerPort: 9093
        - containerPort: 42422
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /sock
          name: uds-socket
      - args:
        - proxy
        - --serviceCluster
        - istio-telemetry
        - --templateFile
        - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
        - --controlPlaneAuthPolicy
        - NONE
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        image: gcr.io/istio-release/proxyv2:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /sock
          name: uds-socket
      serviceAccountName: istio-mixer-service-account
      volumes:
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-mixer-service-account
      - emptyDir: {}
        name: uds-socket
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: prometheus
    release: istio
  name: prometheus
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: prometheus
        chart: prometheus
        heritage: Tiller
        release: istio
        version: 1.1.0
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - --storage.tsdb.retention=6h
        - --config.file=/etc/prometheus/prometheus.yml
        image: docker.io/prom/prometheus:v2.3.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /-/healthy
            port: 9090
        name: prometheus
        ports:
        - containerPort: 9090
          name: http
        readinessProbe:
          httpGet:
            path: /-/ready
            port: 9090
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/prometheus
          name: config-volume
        - mountPath: /etc/istio-certs
          name: istio-certs
      serviceAccountName: prometheus
      volumes:
      - configMap:
          name: prometheus
        name: config-volume
      - name: istio-certs
        secret:
          defaultMode: 420
          optional: true
          secretName: istio.default
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: gateways
    release: istio
  name: istio-egressgateway
  namespace: default
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-egressgateway
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: gateways
    release: istio
  name: istio-ingressgateway
  namespace: default
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-ingressgateway
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: pilot
    release: istio
  name: istio-pilot
  namespace: default
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-pilot
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: mixer
    release: istio
  name: istio-policy
  namespace: default
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-policy
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: mixer
    release: istio
  name: istio-telemetry
  namespace: default
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-telemetry
---
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "3"
  labels:
    app: security
    release: istio
  name: istio-cleanup-secrets
  namespace: default
spec:
  template:
    metadata:
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: istio
        version: 1.1.0
      name: istio-cleanup-secrets
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - |
          kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
            ns=$(echo $entry | awk '{print $1}');
            name=$(echo $entry | awk '{print $2}');
            kubectl delete secret $name -n $ns;
          done
        image: gcr.io/istio-release/kubectl:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: kubectl
      restartPolicy: OnFailure
      serviceAccountName: istio-cleanup-secrets-service-account
---
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-delete-policy: hook-succeeded
  labels:
    app: security
    release: istio
  name: istio-security-post-install
  namespace: default
spec:
  template:
    metadata:
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: istio
        version: 1.1.0
      name: istio-security-post-install
    spec:
      containers:
      - command:
        - /bin/bash
        - /tmp/security/run.sh
        - /tmp/security/custom-resources.yaml
        image: gcr.io/istio-release/kubectl:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: kubectl
        volumeMounts:
        - mountPath: /tmp/security
          name: tmp-configmap-security
      restartPolicy: OnFailure
      serviceAccountName: istio-security-post-install-account
      volumes:
      - configMap:
          name: istio-security-custom-resources
        name: tmp-configmap-security
---
apiVersion: config.istio.io/v1alpha2
kind: attributemanifest
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: istioproxy
  namespace: default
spec:
  attributes:
    api.operation:
      valueType: STRING
    api.protocol:
      valueType: STRING
    api.service:
      valueType: STRING
    api.version:
      valueType: STRING
    connection.duration:
      valueType: DURATION
    connection.event:
      valueType: STRING
    connection.id:
      valueType: STRING
    connection.mtls:
      valueType: BOOL
    connection.received.bytes:
      valueType: INT64
    connection.received.bytes_total:
      valueType: INT64
    connection.requested_server_name:
      valueType: STRING
    connection.sent.bytes:
      valueType: INT64
    connection.sent.bytes_total:
      valueType: INT64
    context.protocol:
      valueType: STRING
    context.reporter.kind:
      valueType: STRING
    context.reporter.local:
      valueType: BOOL
    context.reporter.uid:
      valueType: STRING
    context.time:
      valueType: TIMESTAMP
    context.timestamp:
      valueType: TIMESTAMP
    destination.port:
      valueType: INT64
    destination.principal:
      valueType: STRING
    destination.uid:
      valueType: STRING
    origin.ip:
      valueType: IP_ADDRESS
    origin.uid:
      valueType: STRING
    origin.user:
      valueType: STRING
    rbac.permissive.effective_policy_id:
      valueType: STRING
    rbac.permissive.response_code:
      valueType: STRING
    request.api_key:
      valueType: STRING
    request.auth.audiences:
      valueType: STRING
    request.auth.claims:
      valueType: STRING_MAP
    request.auth.presenter:
      valueType: STRING
    request.auth.principal:
      valueType: STRING
    request.auth.raw_claims:
      valueType: STRING
    request.headers:
      valueType: STRING_MAP
    request.host:
      valueType: STRING
    request.id:
      valueType: STRING
    request.method:
      valueType: STRING
    request.path:
      valueType: STRING
    request.reason:
      valueType: STRING
    request.referer:
      valueType: STRING
    request.scheme:
      valueType: STRING
    request.size:
      valueType: INT64
    request.time:
      valueType: TIMESTAMP
    request.total_size:
      valueType: INT64
    request.useragent:
      valueType: STRING
    response.code:
      valueType: INT64
    response.duration:
      valueType: DURATION
    response.grpc_message:
      valueType: STRING
    response.grpc_status:
      valueType: STRING
    response.headers:
      valueType: STRING_MAP
    response.size:
      valueType: INT64
    response.time:
      valueType: TIMESTAMP
    response.total_size:
      valueType: INT64
    source.principal:
      valueType: STRING
    source.uid:
      valueType: STRING
    source.user:
      valueType: STRING
---
apiVersion: config.istio.io/v1alpha2
kind: attributemanifest
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: kubernetes
  namespace: default
spec:
  attributes:
    destination.container.name:
      valueType: STRING
    destination.ip:
      valueType: IP_ADDRESS
    destination.labels:
      valueType: STRING_MAP
    destination.metadata:
      valueType: STRING_MAP
    destination.name:
      valueType: STRING
    destination.namespace:
      valueType: STRING
    destination.owner:
      valueType: STRING
    destination.service:
      valueType: STRING
    destination.service.host:
      valueType: STRING
    destination.service.name:
      valueType: STRING
    destination.service.namespace:
      valueType: STRING
    destination.service.uid:
      valueType: STRING
    destination.serviceAccount:
      valueType: STRING
    destination.workload.name:
      valueType: STRING
    destination.workload.namespace:
      valueType: STRING
    destination.workload.uid:
      valueType: STRING
    source.ip:
      valueType: IP_ADDRESS
    source.labels:
      valueType: STRING_MAP
    source.metadata:
      valueType: STRING_MAP
    source.name:
      valueType: STRING
    source.namespace:
      valueType: STRING
    source.owner:
      valueType: STRING
    source.service:
      valueType: STRING
    source.serviceAccount:
      valueType: STRING
    source.services:
      valueType: STRING
    source.workload.name:
      valueType: STRING
    source.workload.namespace:
      valueType: STRING
    source.workload.uid:
      valueType: STRING
---
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: kubernetesenv
  namespace: default
spec:
  compiledAdapter: kubernetesenv
  params: null
---
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: prometheus
  namespace: default
spec:
  compiledAdapter: prometheus
  params:
    metrics:
    - instance_name: requestcount.metric.default
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      name: requests_total
    - buckets:
        explicit_buckets:
          bounds:
          - 0.005
          - 0.01
          - 0.025
          - 0.05
          - 0.1
          - 0.25
          - 0.5
          - 1
          - 2.5
          - 5
          - 10
      instance_name: requestduration.metric.default
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      name: request_duration_seconds
    - buckets:
        exponentialBuckets:
          growthFactor: 10
          numFiniteBuckets: 8
          scale: 1
      instance_name: requestsize.metric.default
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      name: request_bytes
    - buckets:
        exponentialBuckets:
          growthFactor: 10
          numFiniteBuckets: 8
          scale: 1
      instance_name: responsesize.metric.default
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      name: response_bytes
    - instance_name: tcpbytesent.metric.default
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      name: tcp_sent_bytes_total
    - instance_name: tcpbytereceived.metric.default
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      name: tcp_received_bytes_total
---
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: stdio
  namespace: default
spec:
  compiledAdapter: stdio
  params:
    outputAsJson: true
---
apiVersion: config.istio.io/v1alpha2
kind: kubernetes
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: attributes
  namespace: default
spec:
  attribute_bindings:
    destination.container.name: $out.destination_container_name | "unknown"
    destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
    destination.labels: $out.destination_labels | emptyStringMap()
    destination.name: $out.destination_pod_name | "unknown"
    destination.namespace: $out.destination_namespace | "default"
    destination.owner: $out.destination_owner | "unknown"
    destination.serviceAccount: $out.destination_service_account_name | "unknown"
    destination.uid: $out.destination_pod_uid | "unknown"
    destination.workload.name: $out.destination_workload_name | "unknown"
    destination.workload.namespace: $out.destination_workload_namespace | "unknown"
    destination.workload.uid: $out.destination_workload_uid | "unknown"
    source.ip: $out.source_pod_ip | ip("0.0.0.0")
    source.labels: $out.source_labels | emptyStringMap()
    source.name: $out.source_pod_name | "unknown"
    source.namespace: $out.source_namespace | "default"
    source.owner: $out.source_owner | "unknown"
    source.serviceAccount: $out.source_service_account_name | "unknown"
    source.uid: $out.source_pod_uid | "unknown"
    source.workload.name: $out.source_workload_name | "unknown"
    source.workload.namespace: $out.source_workload_namespace | "unknown"
    source.workload.uid: $out.source_workload_uid | "unknown"
  destination_port: destination.port | 0
  destination_uid: destination.uid | ""
  source_ip: source.ip | ip("0.0.0.0")
  source_uid: source.uid | ""
---
apiVersion: config.istio.io/v1alpha2
kind: logentry
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: accesslog
  namespace: default
spec:
  monitored_resource_type: '"global"'
  severity: '"Info"'
  timestamp: request.time
  variables:
    apiClaims: request.auth.raw_claims | ""
    apiKey: request.api_key | request.headers["x-api-key"] | ""
    clientTraceId: request.headers["x-client-trace-id"] | ""
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    destinationApp: destination.labels["app"] | ""
    destinationIp: destination.ip | ip("0.0.0.0")
    destinationName: destination.name | ""
    destinationNamespace: destination.namespace | ""
    destinationOwner: destination.owner | ""
    destinationPrincipal: destination.principal | ""
    destinationServiceHost: destination.service.host | ""
    destinationWorkload: destination.workload.name | ""
    grpcMessage: response.grpc_message | ""
    grpcStatus: response.grpc_status | ""
    httpAuthority: request.headers[":authority"] | request.host | ""
    latency: response.duration | "0ms"
    method: request.method | ""
    permissiveResponseCode: rbac.permissive.response_code | "none"
    permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none"
    protocol: request.scheme | context.protocol | "http"
    receivedBytes: request.total_size | 0
    referer: request.referer | ""
    reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    requestId: request.headers["x-request-id"] | ""
    requestSize: request.size | 0
    requestedServerName: connection.requested_server_name | ""
    responseCode: response.code | 0
    responseSize: response.size | 0
    responseTimestamp: response.time
    sentBytes: response.total_size | 0
    sourceApp: source.labels["app"] | ""
    sourceIp: source.ip | ip("0.0.0.0")
    sourceName: source.name | ""
    sourceNamespace: source.namespace | ""
    sourceOwner: source.owner | ""
    sourcePrincipal: source.principal | ""
    sourceWorkload: source.workload.name | ""
    url: request.path | ""
    userAgent: request.useragent | ""
    xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
---
apiVersion: config.istio.io/v1alpha2
kind: logentry
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: tcpaccesslog
  namespace: default
spec:
  monitored_resource_type: '"global"'
  severity: '"Info"'
  timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
  variables:
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    connectionDuration: connection.duration | "0ms"
    connectionEvent: connection.event | ""
    destinationApp: destination.labels["app"] | ""
    destinationIp: destination.ip | ip("0.0.0.0")
    destinationName: destination.name | ""
    destinationNamespace: destination.namespace | ""
    destinationOwner: destination.owner | ""
    destinationPrincipal: destination.principal | ""
    destinationServiceHost: destination.service.host | ""
    destinationWorkload: destination.workload.name | ""
    protocol: context.protocol | "tcp"
    receivedBytes: connection.received.bytes | 0
    reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    requestedServerName: connection.requested_server_name | ""
    sentBytes: connection.sent.bytes | 0
    sourceApp: source.labels["app"] | ""
    sourceIp: source.ip | ip("0.0.0.0")
    sourceName: source.name | ""
    sourceNamespace: source.namespace | ""
    sourceOwner: source.owner | ""
    sourcePrincipal: source.principal | ""
    sourceWorkload: source.workload.name | ""
    totalReceivedBytes: connection.received.bytes_total | 0
    totalSentBytes: connection.sent.bytes_total | 0
---
apiVersion: config.istio.io/v1alpha2
kind: metric
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: requestcount
  namespace: default
spec:
  dimensions:
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    destination_app: destination.labels["app"] | "unknown"
    destination_principal: destination.principal | "unknown"
    destination_service: destination.service.host | "unknown"
    destination_service_name: destination.service.name | "unknown"
    destination_service_namespace: destination.service.namespace | "unknown"
    destination_version: destination.labels["version"] | "unknown"
    destination_workload: destination.workload.name | "unknown"
    destination_workload_namespace: destination.workload.namespace | "unknown"
    permissive_response_code: rbac.permissive.response_code | "none"
    permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
    reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    request_protocol: api.protocol | context.protocol | "unknown"
    response_code: response.code | 200
    source_app: source.labels["app"] | "unknown"
    source_principal: source.principal | "unknown"
    source_version: source.labels["version"] | "unknown"
    source_workload: source.workload.name | "unknown"
    source_workload_namespace: source.workload.namespace | "unknown"
  monitored_resource_type: '"UNSPECIFIED"'
  value: "1"
---
apiVersion: config.istio.io/v1alpha2
kind: metric
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: requestduration
  namespace: default
spec:
  dimensions:
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    destination_app: destination.labels["app"] | "unknown"
    destination_principal: destination.principal | "unknown"
    destination_service: destination.service.host | "unknown"
    destination_service_name: destination.service.name | "unknown"
    destination_service_namespace: destination.service.namespace | "unknown"
    destination_version: destination.labels["version"] | "unknown"
    destination_workload: destination.workload.name | "unknown"
    destination_workload_namespace: destination.workload.namespace | "unknown"
    permissive_response_code: rbac.permissive.response_code | "none"
    permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
    reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    request_protocol: api.protocol | context.protocol | "unknown"
    response_code: response.code | 200
    source_app: source.labels["app"] | "unknown"
    source_principal: source.principal | "unknown"
    source_version: source.labels["version"] | "unknown"
    source_workload: source.workload.name | "unknown"
    source_workload_namespace: source.workload.namespace | "unknown"
  monitored_resource_type: '"UNSPECIFIED"'
  value: response.duration | "0ms"
---
apiVersion: config.istio.io/v1alpha2
kind: metric
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: requestsize
  namespace: default
spec:
  dimensions:
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    destination_app: destination.labels["app"] | "unknown"
    destination_principal: destination.principal | "unknown"
    destination_service: destination.service.host | "unknown"
    destination_service_name: destination.service.name | "unknown"
    destination_service_namespace: destination.service.namespace | "unknown"
    destination_version: destination.labels["version"] | "unknown"
    destination_workload: destination.workload.name | "unknown"
    destination_workload_namespace: destination.workload.namespace | "unknown"
    permissive_response_code: rbac.permissive.response_code | "none"
    permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
    reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    request_protocol: api.protocol | context.protocol | "unknown"
    response_code: response.code | 200
    source_app: source.labels["app"] | "unknown"
    source_principal: source.principal | "unknown"
    source_version: source.labels["version"] | "unknown"
    source_workload: source.workload.name | "unknown"
    source_workload_namespace: source.workload.namespace | "unknown"
  monitored_resource_type: '"UNSPECIFIED"'
  value: request.size | 0
---
apiVersion: config.istio.io/v1alpha2
kind: metric
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: responsesize
  namespace: default
spec:
  dimensions:
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    destination_app: destination.labels["app"] | "unknown"
    destination_principal: destination.principal | "unknown"
    destination_service: destination.service.host | "unknown"
    destination_service_name: destination.service.name | "unknown"
    destination_service_namespace: destination.service.namespace | "unknown"
    destination_version: destination.labels["version"] | "unknown"
    destination_workload: destination.workload.name | "unknown"
    destination_workload_namespace: destination.workload.namespace | "unknown"
    permissive_response_code: rbac.permissive.response_code | "none"
    permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
    reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    request_protocol: api.protocol | context.protocol | "unknown"
    response_code: response.code | 200
    source_app: source.labels["app"] | "unknown"
    source_principal: source.principal | "unknown"
    source_version: source.labels["version"] | "unknown"
    source_workload: source.workload.name | "unknown"
    source_workload_namespace: source.workload.namespace | "unknown"
  monitored_resource_type: '"UNSPECIFIED"'
  value: response.size | 0
---
apiVersion: config.istio.io/v1alpha2
kind: metric
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: tcpbytereceived
  namespace: default
spec:
  dimensions:
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    destination_app: destination.labels["app"] | "unknown"
    destination_principal: destination.principal | "unknown"
    destination_service: destination.service.name | "unknown"
    destination_service_name: destination.service.name | "unknown"
    destination_service_namespace: destination.service.namespace | "unknown"
    destination_version: destination.labels["version"] | "unknown"
    destination_workload: destination.workload.name | "unknown"
    destination_workload_namespace: destination.workload.namespace | "unknown"
    reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    source_app: source.labels["app"] | "unknown"
    source_principal: source.principal | "unknown"
    source_version: source.labels["version"] | "unknown"
    source_workload: source.workload.name | "unknown"
    source_workload_namespace: source.workload.namespace | "unknown"
  monitored_resource_type: '"UNSPECIFIED"'
  value: connection.received.bytes | 0
---
apiVersion: config.istio.io/v1alpha2
kind: metric
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: tcpbytesent
  namespace: default
spec:
  dimensions:
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    destination_app: destination.labels["app"] | "unknown"
    destination_principal: destination.principal | "unknown"
    destination_service: destination.service.name | "unknown"
    destination_service_name: destination.service.name | "unknown"
    destination_service_namespace: destination.service.namespace | "unknown"
    destination_version: destination.labels["version"] | "unknown"
    destination_workload: destination.workload.name | "unknown"
    destination_workload_namespace: destination.workload.namespace | "unknown"
    reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    source_app: source.labels["app"] | "unknown"
    source_principal: source.principal | "unknown"
    source_version: source.labels["version"] | "unknown"
    source_workload: source.workload.name | "unknown"
    source_workload_namespace: source.workload.namespace | "unknown"
  monitored_resource_type: '"UNSPECIFIED"'
  value: connection.sent.bytes | 0
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: kubeattrgenrulerule
  namespace: default
spec:
  actions:
  - handler: kubernetesenv
    instances:
    - attributes.kubernetes
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: promhttp
  namespace: default
spec:
  actions:
  - handler: prometheus
    instances:
    - requestcount.metric
    - requestduration.metric
    - requestsize.metric
    - responsesize.metric
  match: context.protocol == "http" || context.protocol == "grpc"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: promtcp
  namespace: default
spec:
  actions:
  - handler: prometheus
    instances:
    - tcpbytesent.metric
    - tcpbytereceived.metric
  match: context.protocol == "tcp"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: stdiotcp
  namespace: default
spec:
  actions:
  - handler: stdio
    instances:
    - tcpaccesslog.logentry
  match: context.protocol == "tcp"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: stdio
  namespace: default
spec:
  actions:
  - handler: stdio
    instances:
    - accesslog.logentry
  match: context.protocol == "http" || context.protocol == "grpc"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: tcpkubeattrgenrulerule
  namespace: default
spec:
  actions:
  - handler: kubernetesenv
    instances:
    - attributes.kubernetes
  match: context.protocol == "tcp"
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: istio-policy
  namespace: default
spec:
  host: istio-policy.default.svc.cluster.local
  trafficPolicy:
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio
  name: istio-telemetry
  namespace: default
spec:
  host: istio-telemetry.default.svc.cluster.local
  trafficPolicy:
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000