istio.io/istio@v0.0.0-20240520182934-d79c90f27776/operator/cmd/mesh/testdata/manifest-generate/output/all_on.golden-show-in-gh-pull-request.yaml (about) 1 apiVersion: apiextensions.k8s.io/v1 2 kind: CustomResourceDefinition 3 metadata: 4 annotations: 5 helm.sh/resource-policy: keep 6 labels: 7 app: istio-pilot 8 chart: istio 9 heritage: Tiller 10 istio: security 11 release: istio 12 name: authorizationpolicies.security.istio.io 13 spec: 14 group: security.istio.io 15 names: 16 categories: 17 - istio-io 18 - security-istio-io 19 kind: AuthorizationPolicy 20 listKind: AuthorizationPolicyList 21 plural: authorizationpolicies 22 singular: authorizationpolicy 23 scope: Namespaced 24 versions: 25 - name: v1 26 schema: 27 openAPIV3Schema: 28 properties: 29 spec: 30 description: 'Configuration for access control on workloads. See more 31 details at: https://istio.io/docs/reference/config/security/authorization-policy.html' 32 oneOf: 33 - not: 34 anyOf: 35 - required: 36 - provider 37 - required: 38 - provider 39 properties: 40 action: 41 description: Optional. 42 enum: 43 - ALLOW 44 - DENY 45 - AUDIT 46 - CUSTOM 47 type: string 48 provider: 49 description: Specifies detailed configuration of the CUSTOM action. 50 properties: 51 name: 52 description: Specifies the name of the extension provider. 53 type: string 54 type: object 55 rules: 56 description: Optional. 57 items: 58 properties: 59 from: 60 description: Optional. 61 items: 62 properties: 63 source: 64 description: Source specifies the source of a request. 65 properties: 66 ipBlocks: 67 description: Optional. 68 items: 69 type: string 70 type: array 71 namespaces: 72 description: Optional. 73 items: 74 type: string 75 type: array 76 notIpBlocks: 77 description: Optional. 78 items: 79 type: string 80 type: array 81 notNamespaces: 82 description: Optional. 83 items: 84 type: string 85 type: array 86 notPrincipals: 87 description: Optional. 
88 items: 89 type: string 90 type: array 91 notRemoteIpBlocks: 92 description: Optional. 93 items: 94 type: string 95 type: array 96 notRequestPrincipals: 97 description: Optional. 98 items: 99 type: string 100 type: array 101 principals: 102 description: Optional. 103 items: 104 type: string 105 type: array 106 remoteIpBlocks: 107 description: Optional. 108 items: 109 type: string 110 type: array 111 requestPrincipals: 112 description: Optional. 113 items: 114 type: string 115 type: array 116 type: object 117 type: object 118 type: array 119 to: 120 description: Optional. 121 items: 122 properties: 123 operation: 124 description: Operation specifies the operation of a request. 125 properties: 126 hosts: 127 description: Optional. 128 items: 129 type: string 130 type: array 131 methods: 132 description: Optional. 133 items: 134 type: string 135 type: array 136 notHosts: 137 description: Optional. 138 items: 139 type: string 140 type: array 141 notMethods: 142 description: Optional. 143 items: 144 type: string 145 type: array 146 notPaths: 147 description: Optional. 148 items: 149 type: string 150 type: array 151 notPorts: 152 description: Optional. 153 items: 154 type: string 155 type: array 156 paths: 157 description: Optional. 158 items: 159 type: string 160 type: array 161 ports: 162 description: Optional. 163 items: 164 type: string 165 type: array 166 type: object 167 type: object 168 type: array 169 when: 170 description: Optional. 171 items: 172 properties: 173 key: 174 description: The name of an Istio attribute. 175 type: string 176 notValues: 177 description: Optional. 178 items: 179 type: string 180 type: array 181 values: 182 description: Optional. 183 items: 184 type: string 185 type: array 186 required: 187 - key 188 type: object 189 type: array 190 type: object 191 type: array 192 selector: 193 description: Optional. 
194 properties: 195 matchLabels: 196 additionalProperties: 197 type: string 198 description: One or more labels that indicate a specific set of 199 pods/VMs on which a policy should be applied. 200 type: object 201 type: object 202 targetRef: 203 description: Optional. 204 properties: 205 group: 206 description: group is the group of the target resource. 207 type: string 208 kind: 209 description: kind is kind of the target resource. 210 type: string 211 name: 212 description: name is the name of the target resource. 213 type: string 214 namespace: 215 description: namespace is the namespace of the referent. 216 type: string 217 type: object 218 type: object 219 status: 220 type: object 221 x-kubernetes-preserve-unknown-fields: true 222 type: object 223 served: true 224 storage: false 225 subresources: 226 status: {} 227 - name: v1beta1 228 schema: 229 openAPIV3Schema: 230 properties: 231 spec: 232 description: 'Configuration for access control on workloads. See more 233 details at: https://istio.io/docs/reference/config/security/authorization-policy.html' 234 oneOf: 235 - not: 236 anyOf: 237 - required: 238 - provider 239 - required: 240 - provider 241 properties: 242 action: 243 description: Optional. 244 enum: 245 - ALLOW 246 - DENY 247 - AUDIT 248 - CUSTOM 249 type: string 250 provider: 251 description: Specifies detailed configuration of the CUSTOM action. 252 properties: 253 name: 254 description: Specifies the name of the extension provider. 255 type: string 256 type: object 257 rules: 258 description: Optional. 259 items: 260 properties: 261 from: 262 description: Optional. 263 items: 264 properties: 265 source: 266 description: Source specifies the source of a request. 267 properties: 268 ipBlocks: 269 description: Optional. 270 items: 271 type: string 272 type: array 273 namespaces: 274 description: Optional. 275 items: 276 type: string 277 type: array 278 notIpBlocks: 279 description: Optional. 
280 items: 281 type: string 282 type: array 283 notNamespaces: 284 description: Optional. 285 items: 286 type: string 287 type: array 288 notPrincipals: 289 description: Optional. 290 items: 291 type: string 292 type: array 293 notRemoteIpBlocks: 294 description: Optional. 295 items: 296 type: string 297 type: array 298 notRequestPrincipals: 299 description: Optional. 300 items: 301 type: string 302 type: array 303 principals: 304 description: Optional. 305 items: 306 type: string 307 type: array 308 remoteIpBlocks: 309 description: Optional. 310 items: 311 type: string 312 type: array 313 requestPrincipals: 314 description: Optional. 315 items: 316 type: string 317 type: array 318 type: object 319 type: object 320 type: array 321 to: 322 description: Optional. 323 items: 324 properties: 325 operation: 326 description: Operation specifies the operation of a request. 327 properties: 328 hosts: 329 description: Optional. 330 items: 331 type: string 332 type: array 333 methods: 334 description: Optional. 335 items: 336 type: string 337 type: array 338 notHosts: 339 description: Optional. 340 items: 341 type: string 342 type: array 343 notMethods: 344 description: Optional. 345 items: 346 type: string 347 type: array 348 notPaths: 349 description: Optional. 350 items: 351 type: string 352 type: array 353 notPorts: 354 description: Optional. 355 items: 356 type: string 357 type: array 358 paths: 359 description: Optional. 360 items: 361 type: string 362 type: array 363 ports: 364 description: Optional. 365 items: 366 type: string 367 type: array 368 type: object 369 type: object 370 type: array 371 when: 372 description: Optional. 373 items: 374 properties: 375 key: 376 description: The name of an Istio attribute. 377 type: string 378 notValues: 379 description: Optional. 380 items: 381 type: string 382 type: array 383 values: 384 description: Optional. 
385 items: 386 type: string 387 type: array 388 required: 389 - key 390 type: object 391 type: array 392 type: object 393 type: array 394 selector: 395 description: Optional. 396 properties: 397 matchLabels: 398 additionalProperties: 399 type: string 400 description: One or more labels that indicate a specific set of 401 pods/VMs on which a policy should be applied. 402 type: object 403 type: object 404 targetRef: 405 description: Optional. 406 properties: 407 group: 408 description: group is the group of the target resource. 409 type: string 410 kind: 411 description: kind is kind of the target resource. 412 type: string 413 name: 414 description: name is the name of the target resource. 415 type: string 416 namespace: 417 description: namespace is the namespace of the referent. 418 type: string 419 type: object 420 type: object 421 status: 422 type: object 423 x-kubernetes-preserve-unknown-fields: true 424 type: object 425 served: true 426 storage: true 427 subresources: 428 status: {} 429 430 --- 431 apiVersion: apiextensions.k8s.io/v1 432 kind: CustomResourceDefinition 433 metadata: 434 annotations: 435 helm.sh/resource-policy: keep 436 labels: 437 app: istio-pilot 438 chart: istio 439 heritage: Tiller 440 release: istio 441 name: destinationrules.networking.istio.io 442 spec: 443 group: networking.istio.io 444 names: 445 categories: 446 - istio-io 447 - networking-istio-io 448 kind: DestinationRule 449 listKind: DestinationRuleList 450 plural: destinationrules 451 shortNames: 452 - dr 453 singular: destinationrule 454 scope: Namespaced 455 versions: 456 - additionalPrinterColumns: 457 - description: The name of a service from the service registry 458 jsonPath: .spec.host 459 name: Host 460 type: string 461 - description: 'CreationTimestamp is a timestamp representing the server time 462 when this object was created. It is not guaranteed to be set in happens-before 463 order across separate operations. Clients may not set this value. 
It is represented 464 in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 465 lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 466 jsonPath: .metadata.creationTimestamp 467 name: Age 468 type: date 469 name: v1alpha3 470 schema: 471 openAPIV3Schema: 472 properties: 473 spec: 474 description: 'Configuration affecting load balancing, outlier detection, 475 etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' 476 properties: 477 exportTo: 478 description: A list of namespaces to which this destination rule is 479 exported. 480 items: 481 type: string 482 type: array 483 host: 484 description: The name of a service from the service registry. 485 type: string 486 subsets: 487 description: One or more named sets that represent individual versions 488 of a service. 489 items: 490 properties: 491 labels: 492 additionalProperties: 493 type: string 494 description: Labels apply a filter over the endpoints of a service 495 in the service registry. 496 type: object 497 name: 498 description: Name of the subset. 499 type: string 500 trafficPolicy: 501 description: Traffic policies that apply to this subset. 502 properties: 503 connectionPool: 504 properties: 505 http: 506 description: HTTP connection pool settings. 507 properties: 508 h2UpgradePolicy: 509 description: Specify if http1.1 connection should 510 be upgraded to http2 for the associated destination. 511 enum: 512 - DEFAULT 513 - DO_NOT_UPGRADE 514 - UPGRADE 515 type: string 516 http1MaxPendingRequests: 517 description: Maximum number of requests that will 518 be queued while waiting for a ready connection 519 pool connection. 520 format: int32 521 type: integer 522 http2MaxRequests: 523 description: Maximum number of active requests to 524 a destination. 525 format: int32 526 type: integer 527 idleTimeout: 528 description: The idle timeout for upstream connection 529 pool connections. 
530 type: string 531 maxConcurrentStreams: 532 format: int32 533 type: integer 534 maxRequestsPerConnection: 535 description: Maximum number of requests per connection 536 to a backend. 537 format: int32 538 type: integer 539 maxRetries: 540 description: Maximum number of retries that can 541 be outstanding to all hosts in a cluster at a 542 given time. 543 format: int32 544 type: integer 545 useClientProtocol: 546 description: If set to true, client protocol will 547 be preserved while initiating connection to backend. 548 type: boolean 549 type: object 550 tcp: 551 description: Settings common to both HTTP and TCP upstream 552 connections. 553 properties: 554 connectTimeout: 555 description: TCP connection timeout. 556 type: string 557 maxConnectionDuration: 558 description: The maximum duration of a connection. 559 type: string 560 maxConnections: 561 description: Maximum number of HTTP1 /TCP connections 562 to a destination host. 563 format: int32 564 type: integer 565 tcpKeepalive: 566 description: If set then set SO_KEEPALIVE on the 567 socket to enable TCP Keepalives. 568 properties: 569 interval: 570 description: The time duration between keep-alive 571 probes. 572 type: string 573 probes: 574 description: Maximum number of keepalive probes 575 to send without response before deciding the 576 connection is dead. 577 type: integer 578 time: 579 description: The time duration a connection 580 needs to be idle before keep-alive probes 581 start being sent. 582 type: string 583 type: object 584 type: object 585 type: object 586 loadBalancer: 587 description: Settings controlling the load balancer algorithms. 
588 oneOf: 589 - not: 590 anyOf: 591 - required: 592 - simple 593 - required: 594 - consistentHash 595 - required: 596 - simple 597 - required: 598 - consistentHash 599 properties: 600 consistentHash: 601 allOf: 602 - oneOf: 603 - not: 604 anyOf: 605 - required: 606 - httpHeaderName 607 - required: 608 - httpCookie 609 - required: 610 - useSourceIp 611 - required: 612 - httpQueryParameterName 613 - required: 614 - httpHeaderName 615 - required: 616 - httpCookie 617 - required: 618 - useSourceIp 619 - required: 620 - httpQueryParameterName 621 - oneOf: 622 - not: 623 anyOf: 624 - required: 625 - ringHash 626 - required: 627 - maglev 628 - required: 629 - ringHash 630 - required: 631 - maglev 632 properties: 633 httpCookie: 634 description: Hash based on HTTP cookie. 635 properties: 636 name: 637 description: Name of the cookie. 638 type: string 639 path: 640 description: Path to set for the cookie. 641 type: string 642 ttl: 643 description: Lifetime of the cookie. 644 type: string 645 required: 646 - name 647 type: object 648 httpHeaderName: 649 description: Hash based on a specific HTTP header. 650 type: string 651 httpQueryParameterName: 652 description: Hash based on a specific HTTP query 653 parameter. 654 type: string 655 maglev: 656 description: The Maglev load balancer implements 657 consistent hashing to backend hosts. 658 properties: 659 tableSize: 660 description: The table size for Maglev hashing. 661 type: integer 662 type: object 663 minimumRingSize: 664 description: Deprecated. 665 type: integer 666 ringHash: 667 description: The ring/modulo hash load balancer 668 implements consistent hashing to backend hosts. 669 properties: 670 minimumRingSize: 671 description: The minimum number of virtual nodes 672 to use for the hash ring. 673 type: integer 674 type: object 675 useSourceIp: 676 description: Hash based on the source IP address. 
677 type: boolean 678 type: object 679 localityLbSetting: 680 properties: 681 distribute: 682 description: 'Optional: only one of distribute, 683 failover or failoverPriority can be set.' 684 items: 685 properties: 686 from: 687 description: Originating locality, '/' separated, 688 e.g. 689 type: string 690 to: 691 additionalProperties: 692 type: integer 693 description: Map of upstream localities to 694 traffic distribution weights. 695 type: object 696 type: object 697 type: array 698 enabled: 699 description: enable locality load balancing, this 700 is DestinationRule-level and will override mesh 701 wide settings in entirety. 702 nullable: true 703 type: boolean 704 failover: 705 description: 'Optional: only one of distribute, 706 failover or failoverPriority can be set.' 707 items: 708 properties: 709 from: 710 description: Originating region. 711 type: string 712 to: 713 description: Destination region the traffic 714 will fail over to when endpoints in the 715 'from' region becomes unhealthy. 716 type: string 717 type: object 718 type: array 719 failoverPriority: 720 description: failoverPriority is an ordered list 721 of labels used to sort endpoints to do priority 722 based load balancing. 723 items: 724 type: string 725 type: array 726 type: object 727 simple: 728 enum: 729 - UNSPECIFIED 730 - LEAST_CONN 731 - RANDOM 732 - PASSTHROUGH 733 - ROUND_ROBIN 734 - LEAST_REQUEST 735 type: string 736 warmupDurationSecs: 737 description: Represents the warmup duration of Service. 738 type: string 739 type: object 740 outlierDetection: 741 properties: 742 baseEjectionTime: 743 description: Minimum ejection duration. 744 type: string 745 consecutive5xxErrors: 746 description: Number of 5xx errors before a host is ejected 747 from the connection pool. 
748 nullable: true 749 type: integer 750 consecutiveErrors: 751 format: int32 752 type: integer 753 consecutiveGatewayErrors: 754 description: Number of gateway errors before a host 755 is ejected from the connection pool. 756 nullable: true 757 type: integer 758 consecutiveLocalOriginFailures: 759 description: The number of consecutive locally originated 760 failures before ejection occurs. 761 nullable: true 762 type: integer 763 interval: 764 description: Time interval between ejection sweep analysis. 765 type: string 766 maxEjectionPercent: 767 description: Maximum % of hosts in the load balancing 768 pool for the upstream service that can be ejected. 769 format: int32 770 type: integer 771 minHealthPercent: 772 description: Outlier detection will be enabled as long 773 as the associated load balancing pool has at least 774 min_health_percent hosts in healthy mode. 775 format: int32 776 type: integer 777 splitExternalLocalOriginErrors: 778 description: Determines whether to distinguish local 779 origin failures from external errors. 780 type: boolean 781 type: object 782 portLevelSettings: 783 description: Traffic policies specific to individual ports. 784 items: 785 properties: 786 connectionPool: 787 properties: 788 http: 789 description: HTTP connection pool settings. 790 properties: 791 h2UpgradePolicy: 792 description: Specify if http1.1 connection 793 should be upgraded to http2 for the associated 794 destination. 795 enum: 796 - DEFAULT 797 - DO_NOT_UPGRADE 798 - UPGRADE 799 type: string 800 http1MaxPendingRequests: 801 description: Maximum number of requests that 802 will be queued while waiting for a ready 803 connection pool connection. 804 format: int32 805 type: integer 806 http2MaxRequests: 807 description: Maximum number of active requests 808 to a destination. 809 format: int32 810 type: integer 811 idleTimeout: 812 description: The idle timeout for upstream 813 connection pool connections. 
814 type: string 815 maxConcurrentStreams: 816 format: int32 817 type: integer 818 maxRequestsPerConnection: 819 description: Maximum number of requests per 820 connection to a backend. 821 format: int32 822 type: integer 823 maxRetries: 824 description: Maximum number of retries that 825 can be outstanding to all hosts in a cluster 826 at a given time. 827 format: int32 828 type: integer 829 useClientProtocol: 830 description: If set to true, client protocol 831 will be preserved while initiating connection 832 to backend. 833 type: boolean 834 type: object 835 tcp: 836 description: Settings common to both HTTP and 837 TCP upstream connections. 838 properties: 839 connectTimeout: 840 description: TCP connection timeout. 841 type: string 842 maxConnectionDuration: 843 description: The maximum duration of a connection. 844 type: string 845 maxConnections: 846 description: Maximum number of HTTP1 /TCP 847 connections to a destination host. 848 format: int32 849 type: integer 850 tcpKeepalive: 851 description: If set then set SO_KEEPALIVE 852 on the socket to enable TCP Keepalives. 853 properties: 854 interval: 855 description: The time duration between 856 keep-alive probes. 857 type: string 858 probes: 859 description: Maximum number of keepalive 860 probes to send without response before 861 deciding the connection is dead. 862 type: integer 863 time: 864 description: The time duration a connection 865 needs to be idle before keep-alive probes 866 start being sent. 867 type: string 868 type: object 869 type: object 870 type: object 871 loadBalancer: 872 description: Settings controlling the load balancer 873 algorithms. 
874 oneOf: 875 - not: 876 anyOf: 877 - required: 878 - simple 879 - required: 880 - consistentHash 881 - required: 882 - simple 883 - required: 884 - consistentHash 885 properties: 886 consistentHash: 887 allOf: 888 - oneOf: 889 - not: 890 anyOf: 891 - required: 892 - httpHeaderName 893 - required: 894 - httpCookie 895 - required: 896 - useSourceIp 897 - required: 898 - httpQueryParameterName 899 - required: 900 - httpHeaderName 901 - required: 902 - httpCookie 903 - required: 904 - useSourceIp 905 - required: 906 - httpQueryParameterName 907 - oneOf: 908 - not: 909 anyOf: 910 - required: 911 - ringHash 912 - required: 913 - maglev 914 - required: 915 - ringHash 916 - required: 917 - maglev 918 properties: 919 httpCookie: 920 description: Hash based on HTTP cookie. 921 properties: 922 name: 923 description: Name of the cookie. 924 type: string 925 path: 926 description: Path to set for the cookie. 927 type: string 928 ttl: 929 description: Lifetime of the cookie. 930 type: string 931 required: 932 - name 933 type: object 934 httpHeaderName: 935 description: Hash based on a specific HTTP 936 header. 937 type: string 938 httpQueryParameterName: 939 description: Hash based on a specific HTTP 940 query parameter. 941 type: string 942 maglev: 943 description: The Maglev load balancer implements 944 consistent hashing to backend hosts. 945 properties: 946 tableSize: 947 description: The table size for Maglev 948 hashing. 949 type: integer 950 type: object 951 minimumRingSize: 952 description: Deprecated. 953 type: integer 954 ringHash: 955 description: The ring/modulo hash load balancer 956 implements consistent hashing to backend 957 hosts. 958 properties: 959 minimumRingSize: 960 description: The minimum number of virtual 961 nodes to use for the hash ring. 962 type: integer 963 type: object 964 useSourceIp: 965 description: Hash based on the source IP address. 
966 type: boolean 967 type: object 968 localityLbSetting: 969 properties: 970 distribute: 971 description: 'Optional: only one of distribute, 972 failover or failoverPriority can be set.' 973 items: 974 properties: 975 from: 976 description: Originating locality, '/' 977 separated, e.g. 978 type: string 979 to: 980 additionalProperties: 981 type: integer 982 description: Map of upstream localities 983 to traffic distribution weights. 984 type: object 985 type: object 986 type: array 987 enabled: 988 description: enable locality load balancing, 989 this is DestinationRule-level and will override 990 mesh wide settings in entirety. 991 nullable: true 992 type: boolean 993 failover: 994 description: 'Optional: only one of distribute, 995 failover or failoverPriority can be set.' 996 items: 997 properties: 998 from: 999 description: Originating region. 1000 type: string 1001 to: 1002 description: Destination region the 1003 traffic will fail over to when endpoints 1004 in the 'from' region becomes unhealthy. 1005 type: string 1006 type: object 1007 type: array 1008 failoverPriority: 1009 description: failoverPriority is an ordered 1010 list of labels used to sort endpoints to 1011 do priority based load balancing. 1012 items: 1013 type: string 1014 type: array 1015 type: object 1016 simple: 1017 enum: 1018 - UNSPECIFIED 1019 - LEAST_CONN 1020 - RANDOM 1021 - PASSTHROUGH 1022 - ROUND_ROBIN 1023 - LEAST_REQUEST 1024 type: string 1025 warmupDurationSecs: 1026 description: Represents the warmup duration of 1027 Service. 1028 type: string 1029 type: object 1030 outlierDetection: 1031 properties: 1032 baseEjectionTime: 1033 description: Minimum ejection duration. 1034 type: string 1035 consecutive5xxErrors: 1036 description: Number of 5xx errors before a host 1037 is ejected from the connection pool. 
1038 nullable: true 1039 type: integer 1040 consecutiveErrors: 1041 format: int32 1042 type: integer 1043 consecutiveGatewayErrors: 1044 description: Number of gateway errors before a 1045 host is ejected from the connection pool. 1046 nullable: true 1047 type: integer 1048 consecutiveLocalOriginFailures: 1049 description: The number of consecutive locally 1050 originated failures before ejection occurs. 1051 nullable: true 1052 type: integer 1053 interval: 1054 description: Time interval between ejection sweep 1055 analysis. 1056 type: string 1057 maxEjectionPercent: 1058 description: Maximum % of hosts in the load balancing 1059 pool for the upstream service that can be ejected. 1060 format: int32 1061 type: integer 1062 minHealthPercent: 1063 description: Outlier detection will be enabled 1064 as long as the associated load balancing pool 1065 has at least min_health_percent hosts in healthy 1066 mode. 1067 format: int32 1068 type: integer 1069 splitExternalLocalOriginErrors: 1070 description: Determines whether to distinguish 1071 local origin failures from external errors. 1072 type: boolean 1073 type: object 1074 port: 1075 description: Specifies the number of a port on the 1076 destination service on which this policy is being 1077 applied. 1078 properties: 1079 number: 1080 type: integer 1081 type: object 1082 tls: 1083 description: TLS related settings for connections 1084 to the upstream service. 1085 properties: 1086 caCertificates: 1087 description: 'OPTIONAL: The path to the file containing 1088 certificate authority certificates to use in 1089 verifying a presented server certificate.' 1090 type: string 1091 clientCertificate: 1092 description: REQUIRED if mode is `MUTUAL`. 1093 type: string 1094 credentialName: 1095 description: The name of the secret that holds 1096 the TLS certs for the client including the CA 1097 certificates. 
1098 type: string 1099 insecureSkipVerify: 1100 description: '`insecureSkipVerify` specifies whether 1101 the proxy should skip verifying the CA signature 1102 and SAN for the server certificate corresponding 1103 to the host.' 1104 nullable: true 1105 type: boolean 1106 mode: 1107 description: Indicates whether connections to 1108 this port should be secured using TLS. 1109 enum: 1110 - DISABLE 1111 - SIMPLE 1112 - MUTUAL 1113 - ISTIO_MUTUAL 1114 type: string 1115 privateKey: 1116 description: REQUIRED if mode is `MUTUAL`. 1117 type: string 1118 sni: 1119 description: SNI string to present to the server 1120 during TLS handshake. 1121 type: string 1122 subjectAltNames: 1123 description: A list of alternate names to verify 1124 the subject identity in the certificate. 1125 items: 1126 type: string 1127 type: array 1128 type: object 1129 type: object 1130 type: array 1131 proxyProtocol: 1132 description: The upstream PROXY protocol settings. 1133 properties: 1134 version: 1135 description: The PROXY protocol version to use. 1136 enum: 1137 - V1 1138 - V2 1139 type: string 1140 type: object 1141 tls: 1142 description: TLS related settings for connections to the 1143 upstream service. 1144 properties: 1145 caCertificates: 1146 description: 'OPTIONAL: The path to the file containing 1147 certificate authority certificates to use in verifying 1148 a presented server certificate.' 1149 type: string 1150 clientCertificate: 1151 description: REQUIRED if mode is `MUTUAL`. 1152 type: string 1153 credentialName: 1154 description: The name of the secret that holds the TLS 1155 certs for the client including the CA certificates. 1156 type: string 1157 insecureSkipVerify: 1158 description: '`insecureSkipVerify` specifies whether 1159 the proxy should skip verifying the CA signature and 1160 SAN for the server certificate corresponding to the 1161 host.' 
1162 nullable: true 1163 type: boolean 1164 mode: 1165 description: Indicates whether connections to this port 1166 should be secured using TLS. 1167 enum: 1168 - DISABLE 1169 - SIMPLE 1170 - MUTUAL 1171 - ISTIO_MUTUAL 1172 type: string 1173 privateKey: 1174 description: REQUIRED if mode is `MUTUAL`. 1175 type: string 1176 sni: 1177 description: SNI string to present to the server during 1178 TLS handshake. 1179 type: string 1180 subjectAltNames: 1181 description: A list of alternate names to verify the 1182 subject identity in the certificate. 1183 items: 1184 type: string 1185 type: array 1186 type: object 1187 tunnel: 1188 description: Configuration of tunneling TCP over other transport 1189 or application layers for the host configured in the DestinationRule. 1190 properties: 1191 protocol: 1192 description: Specifies which protocol to use for tunneling 1193 the downstream connection. 1194 type: string 1195 targetHost: 1196 description: Specifies a host to which the downstream 1197 connection is tunneled. 1198 type: string 1199 targetPort: 1200 description: Specifies a port to which the downstream 1201 connection is tunneled. 1202 type: integer 1203 required: 1204 - targetHost 1205 - targetPort 1206 type: object 1207 type: object 1208 required: 1209 - name 1210 type: object 1211 type: array 1212 trafficPolicy: 1213 description: Traffic policies to apply (load balancing policy, connection 1214 pool sizes, outlier detection). 1215 properties: 1216 connectionPool: 1217 properties: 1218 http: 1219 description: HTTP connection pool settings. 1220 properties: 1221 h2UpgradePolicy: 1222 description: Specify if http1.1 connection should be upgraded 1223 to http2 for the associated destination. 1224 enum: 1225 - DEFAULT 1226 - DO_NOT_UPGRADE 1227 - UPGRADE 1228 type: string 1229 http1MaxPendingRequests: 1230 description: Maximum number of requests that will be queued 1231 while waiting for a ready connection pool connection. 
1232 format: int32 1233 type: integer 1234 http2MaxRequests: 1235 description: Maximum number of active requests to a destination. 1236 format: int32 1237 type: integer 1238 idleTimeout: 1239 description: The idle timeout for upstream connection 1240 pool connections. 1241 type: string 1242 maxConcurrentStreams: 1243 format: int32 1244 type: integer 1245 maxRequestsPerConnection: 1246 description: Maximum number of requests per connection 1247 to a backend. 1248 format: int32 1249 type: integer 1250 maxRetries: 1251 description: Maximum number of retries that can be outstanding 1252 to all hosts in a cluster at a given time. 1253 format: int32 1254 type: integer 1255 useClientProtocol: 1256 description: If set to true, client protocol will be preserved 1257 while initiating connection to backend. 1258 type: boolean 1259 type: object 1260 tcp: 1261 description: Settings common to both HTTP and TCP upstream 1262 connections. 1263 properties: 1264 connectTimeout: 1265 description: TCP connection timeout. 1266 type: string 1267 maxConnectionDuration: 1268 description: The maximum duration of a connection. 1269 type: string 1270 maxConnections: 1271 description: Maximum number of HTTP1 /TCP connections 1272 to a destination host. 1273 format: int32 1274 type: integer 1275 tcpKeepalive: 1276 description: If set then set SO_KEEPALIVE on the socket 1277 to enable TCP Keepalives. 1278 properties: 1279 interval: 1280 description: The time duration between keep-alive 1281 probes. 1282 type: string 1283 probes: 1284 description: Maximum number of keepalive probes to 1285 send without response before deciding the connection 1286 is dead. 1287 type: integer 1288 time: 1289 description: The time duration a connection needs 1290 to be idle before keep-alive probes start being 1291 sent. 1292 type: string 1293 type: object 1294 type: object 1295 type: object 1296 loadBalancer: 1297 description: Settings controlling the load balancer algorithms. 
1298 oneOf: 1299 - not: 1300 anyOf: 1301 - required: 1302 - simple 1303 - required: 1304 - consistentHash 1305 - required: 1306 - simple 1307 - required: 1308 - consistentHash 1309 properties: 1310 consistentHash: 1311 allOf: 1312 - oneOf: 1313 - not: 1314 anyOf: 1315 - required: 1316 - httpHeaderName 1317 - required: 1318 - httpCookie 1319 - required: 1320 - useSourceIp 1321 - required: 1322 - httpQueryParameterName 1323 - required: 1324 - httpHeaderName 1325 - required: 1326 - httpCookie 1327 - required: 1328 - useSourceIp 1329 - required: 1330 - httpQueryParameterName 1331 - oneOf: 1332 - not: 1333 anyOf: 1334 - required: 1335 - ringHash 1336 - required: 1337 - maglev 1338 - required: 1339 - ringHash 1340 - required: 1341 - maglev 1342 properties: 1343 httpCookie: 1344 description: Hash based on HTTP cookie. 1345 properties: 1346 name: 1347 description: Name of the cookie. 1348 type: string 1349 path: 1350 description: Path to set for the cookie. 1351 type: string 1352 ttl: 1353 description: Lifetime of the cookie. 1354 type: string 1355 required: 1356 - name 1357 type: object 1358 httpHeaderName: 1359 description: Hash based on a specific HTTP header. 1360 type: string 1361 httpQueryParameterName: 1362 description: Hash based on a specific HTTP query parameter. 1363 type: string 1364 maglev: 1365 description: The Maglev load balancer implements consistent 1366 hashing to backend hosts. 1367 properties: 1368 tableSize: 1369 description: The table size for Maglev hashing. 1370 type: integer 1371 type: object 1372 minimumRingSize: 1373 description: Deprecated. 1374 type: integer 1375 ringHash: 1376 description: The ring/modulo hash load balancer implements 1377 consistent hashing to backend hosts. 1378 properties: 1379 minimumRingSize: 1380 description: The minimum number of virtual nodes to 1381 use for the hash ring. 1382 type: integer 1383 type: object 1384 useSourceIp: 1385 description: Hash based on the source IP address. 
                            type: boolean
                        type: object
                      localityLbSetting:
                        properties:
                          distribute:
                            description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                            items:
                              properties:
                                from:
                                  description: Originating locality, '/' separated, e.g.
                                  type: string
                                to:
                                  additionalProperties:
                                    type: integer
                                  description: Map of upstream localities to traffic distribution weights.
                                  type: object
                              type: object
                            type: array
                          enabled:
                            description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
                            nullable: true
                            type: boolean
                          failover:
                            description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                            items:
                              properties:
                                from:
                                  description: Originating region.
                                  type: string
                                to:
                                  description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
                                  type: string
                              type: object
                            type: array
                          failoverPriority:
                            description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
                            items:
                              type: string
                            type: array
                        type: object
                      simple:
                        enum:
                        - UNSPECIFIED
                        - LEAST_CONN
                        - RANDOM
                        - PASSTHROUGH
                        - ROUND_ROBIN
                        - LEAST_REQUEST
                        type: string
                      warmupDurationSecs:
                        description: Represents the warmup duration of Service.
                        type: string
                    type: object
                  outlierDetection:
                    properties:
                      baseEjectionTime:
                        description: Minimum ejection duration.
                        type: string
                      consecutive5xxErrors:
                        description: Number of 5xx errors before a host is ejected from the connection pool.
                        nullable: true
                        type: integer
                      consecutiveErrors:
                        format: int32
                        type: integer
                      consecutiveGatewayErrors:
                        description: Number of gateway errors before a host is ejected from the connection pool.
                        nullable: true
                        type: integer
                      consecutiveLocalOriginFailures:
                        description: The number of consecutive locally originated failures before ejection occurs.
                        nullable: true
                        type: integer
                      interval:
                        description: Time interval between ejection sweep analysis.
                        type: string
                      maxEjectionPercent:
                        description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected.
                        format: int32
                        type: integer
                      minHealthPercent:
                        description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode.
                        format: int32
                        type: integer
                      splitExternalLocalOriginErrors:
                        description: Determines whether to distinguish local origin failures from external errors.
                        type: boolean
                    type: object
                  portLevelSettings:
                    description: Traffic policies specific to individual ports.
                    items:
                      properties:
                        connectionPool:
                          properties:
                            http:
                              description: HTTP connection pool settings.
                              properties:
                                h2UpgradePolicy:
                                  description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
                                  enum:
                                  - DEFAULT
                                  - DO_NOT_UPGRADE
                                  - UPGRADE
                                  type: string
                                http1MaxPendingRequests:
                                  description: Maximum number of requests that will be queued while waiting for a ready connection pool connection.
                                  format: int32
                                  type: integer
                                http2MaxRequests:
                                  description: Maximum number of active requests to a destination.
                                  format: int32
                                  type: integer
                                idleTimeout:
                                  description: The idle timeout for upstream connection pool connections.
                                  type: string
                                maxConcurrentStreams:
                                  format: int32
                                  type: integer
                                maxRequestsPerConnection:
                                  description: Maximum number of requests per connection to a backend.
                                  format: int32
                                  type: integer
                                maxRetries:
                                  description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time.
                                  format: int32
                                  type: integer
                                useClientProtocol:
                                  description: If set to true, client protocol will be preserved while initiating connection to backend.
                                  type: boolean
                              type: object
                            tcp:
                              description: Settings common to both HTTP and TCP upstream connections.
                              properties:
                                connectTimeout:
                                  description: TCP connection timeout.
                                  type: string
                                maxConnectionDuration:
                                  description: The maximum duration of a connection.
                                  type: string
                                maxConnections:
                                  description: Maximum number of HTTP1 /TCP connections to a destination host.
                                  format: int32
                                  type: integer
                                tcpKeepalive:
                                  description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
                                  properties:
                                    interval:
                                      description: The time duration between keep-alive probes.
                                      type: string
                                    probes:
                                      description: Maximum number of keepalive probes to send without response before deciding the connection is dead.
                                      type: integer
                                    time:
                                      description: The time duration a connection needs to be idle before keep-alive probes start being sent.
                                      type: string
                                  type: object
                              type: object
                          type: object
                        loadBalancer:
                          description: Settings controlling the load balancer algorithms.
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - simple
                              - required:
                                - consistentHash
                          - required:
                            - simple
                          - required:
                            - consistentHash
                          properties:
                            consistentHash:
                              allOf:
                              - oneOf:
                                - not:
                                    anyOf:
                                    - required:
                                      - httpHeaderName
                                    - required:
                                      - httpCookie
                                    - required:
                                      - useSourceIp
                                    - required:
                                      - httpQueryParameterName
                                - required:
                                  - httpHeaderName
                                - required:
                                  - httpCookie
                                - required:
                                  - useSourceIp
                                - required:
                                  - httpQueryParameterName
                              - oneOf:
                                - not:
                                    anyOf:
                                    - required:
                                      - ringHash
                                    - required:
                                      - maglev
                                - required:
                                  - ringHash
                                - required:
                                  - maglev
                              properties:
                                httpCookie:
                                  description: Hash based on HTTP cookie.
                                  properties:
                                    name:
                                      description: Name of the cookie.
                                      type: string
                                    path:
                                      description: Path to set for the cookie.
                                      type: string
                                    ttl:
                                      description: Lifetime of the cookie.
                                      type: string
                                  required:
                                  - name
                                  type: object
                                httpHeaderName:
                                  description: Hash based on a specific HTTP header.
                                  type: string
                                httpQueryParameterName:
                                  description: Hash based on a specific HTTP query parameter.
                                  type: string
                                maglev:
                                  description: The Maglev load balancer implements consistent hashing to backend hosts.
                                  properties:
                                    tableSize:
                                      description: The table size for Maglev hashing.
                                      type: integer
                                  type: object
                                minimumRingSize:
                                  description: Deprecated.
                                  type: integer
                                ringHash:
                                  description: The ring/modulo hash load balancer implements consistent hashing to backend hosts.
                                  properties:
                                    minimumRingSize:
                                      description: The minimum number of virtual nodes to use for the hash ring.
                                      type: integer
                                  type: object
                                useSourceIp:
                                  description: Hash based on the source IP address.
                                  type: boolean
                              type: object
                            localityLbSetting:
                              properties:
                                distribute:
                                  description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                                  items:
                                    properties:
                                      from:
                                        description: Originating locality, '/' separated, e.g.
                                        type: string
                                      to:
                                        additionalProperties:
                                          type: integer
                                        description: Map of upstream localities to traffic distribution weights.
                                        type: object
                                    type: object
                                  type: array
                                enabled:
                                  description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
                                  nullable: true
                                  type: boolean
                                failover:
                                  description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                                  items:
                                    properties:
                                      from:
                                        description: Originating region.
                                        type: string
                                      to:
                                        description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
                                        type: string
                                    type: object
                                  type: array
                                failoverPriority:
                                  description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
                                  items:
                                    type: string
                                  type: array
                              type: object
                            simple:
                              enum:
                              - UNSPECIFIED
                              - LEAST_CONN
                              - RANDOM
                              - PASSTHROUGH
                              - ROUND_ROBIN
                              - LEAST_REQUEST
                              type: string
                            warmupDurationSecs:
                              description: Represents the warmup duration of Service.
                              type: string
                          type: object
                        outlierDetection:
                          properties:
                            baseEjectionTime:
                              description: Minimum ejection duration.
                              type: string
                            consecutive5xxErrors:
                              description: Number of 5xx errors before a host is ejected from the connection pool.
                              nullable: true
                              type: integer
                            consecutiveErrors:
                              format: int32
                              type: integer
                            consecutiveGatewayErrors:
                              description: Number of gateway errors before a host is ejected from the connection pool.
                              nullable: true
                              type: integer
                            consecutiveLocalOriginFailures:
                              description: The number of consecutive locally originated failures before ejection occurs.
                              nullable: true
                              type: integer
                            interval:
                              description: Time interval between ejection sweep analysis.
                              type: string
                            maxEjectionPercent:
                              description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected.
                              format: int32
                              type: integer
                            minHealthPercent:
                              description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode.
                              format: int32
                              type: integer
                            splitExternalLocalOriginErrors:
                              description: Determines whether to distinguish local origin failures from external errors.
                              type: boolean
                          type: object
                        port:
                          description: Specifies the number of a port on the destination service on which this policy is being applied.
                          properties:
                            number:
                              type: integer
                          type: object
                        tls:
                          description: TLS related settings for connections to the upstream service.
                          properties:
                            caCertificates:
                              description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.'
                              type: string
                            clientCertificate:
                              description: REQUIRED if mode is `MUTUAL`.
                              type: string
                            credentialName:
                              description: The name of the secret that holds the TLS certs for the client including the CA certificates.
                              type: string
                            insecureSkipVerify:
                              description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
                              nullable: true
                              type: boolean
                            mode:
                              description: Indicates whether connections to this port should be secured using TLS.
                              enum:
                              - DISABLE
                              - SIMPLE
                              - MUTUAL
                              - ISTIO_MUTUAL
                              type: string
                            privateKey:
                              description: REQUIRED if mode is `MUTUAL`.
                              type: string
                            sni:
                              description: SNI string to present to the server during TLS handshake.
                              type: string
                            subjectAltNames:
                              description: A list of alternate names to verify the subject identity in the certificate.
                              items:
                                type: string
                              type: array
                          type: object
                      type: object
                    type: array
                  proxyProtocol:
                    description: The upstream PROXY protocol settings.
                    properties:
                      version:
                        description: The PROXY protocol version to use.
                        enum:
                        - V1
                        - V2
                        type: string
                    type: object
                  tls:
                    description: TLS related settings for connections to the upstream service.
                    properties:
                      caCertificates:
                        description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.'
                        type: string
                      clientCertificate:
                        description: REQUIRED if mode is `MUTUAL`.
                        type: string
                      credentialName:
                        description: The name of the secret that holds the TLS certs for the client including the CA certificates.
                        type: string
                      insecureSkipVerify:
                        description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
                        nullable: true
                        type: boolean
                      mode:
                        description: Indicates whether connections to this port should be secured using TLS.
                        enum:
                        - DISABLE
                        - SIMPLE
                        - MUTUAL
                        - ISTIO_MUTUAL
                        type: string
                      privateKey:
                        description: REQUIRED if mode is `MUTUAL`.
                        type: string
                      sni:
                        description: SNI string to present to the server during TLS handshake.
                        type: string
                      subjectAltNames:
                        description: A list of alternate names to verify the subject identity in the certificate.
                        items:
                          type: string
                        type: array
                    type: object
                  tunnel:
                    description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule.
                    properties:
                      protocol:
                        description: Specifies which protocol to use for tunneling the downstream connection.
                        type: string
                      targetHost:
                        description: Specifies a host to which the downstream connection is tunneled.
                        type: string
                      targetPort:
                        description: Specifies a port to which the downstream connection is tunneled.
                        type: integer
                    required:
                    - targetHost
                    - targetPort
                    type: object
                type: object
              workloadSelector:
                description: Criteria used to select the specific set of pods/VMs on which this `DestinationRule` configuration should be applied.
                properties:
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied.
                    type: object
                type: object
            required:
            - host
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - description: The name of a service from the service registry
      jsonPath: .spec.host
      name: Host
      type: string
    - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
            properties:
              exportTo:
                description: A list of namespaces to which this destination rule is exported.
                items:
                  type: string
                type: array
              host:
                description: The name of a service from the service registry.
                type: string
              subsets:
                description: One or more named sets that represent individual versions of a service.
                items:
                  properties:
                    labels:
                      additionalProperties:
                        type: string
                      description: Labels apply a filter over the endpoints of a service in the service registry.
                      type: object
                    name:
                      description: Name of the subset.
                      type: string
                    trafficPolicy:
                      description: Traffic policies that apply to this subset.
                      properties:
                        connectionPool:
                          properties:
                            http:
                              description: HTTP connection pool settings.
                              properties:
                                h2UpgradePolicy:
                                  description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
                                  enum:
                                  - DEFAULT
                                  - DO_NOT_UPGRADE
                                  - UPGRADE
                                  type: string
                                http1MaxPendingRequests:
                                  description: Maximum number of requests that will be queued while waiting for a ready connection pool connection.
                                  format: int32
                                  type: integer
                                http2MaxRequests:
                                  description: Maximum number of active requests to a destination.
                                  format: int32
                                  type: integer
                                idleTimeout:
                                  description: The idle timeout for upstream connection pool connections.
                                  type: string
                                maxConcurrentStreams:
                                  format: int32
                                  type: integer
                                maxRequestsPerConnection:
                                  description: Maximum number of requests per connection to a backend.
                                  format: int32
                                  type: integer
                                maxRetries:
                                  description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time.
                                  format: int32
                                  type: integer
                                useClientProtocol:
                                  description: If set to true, client protocol will be preserved while initiating connection to backend.
                                  type: boolean
                              type: object
                            tcp:
                              description: Settings common to both HTTP and TCP upstream connections.
                              properties:
                                connectTimeout:
                                  description: TCP connection timeout.
                                  type: string
                                maxConnectionDuration:
                                  description: The maximum duration of a connection.
                                  type: string
                                maxConnections:
                                  description: Maximum number of HTTP1 /TCP connections to a destination host.
                                  format: int32
                                  type: integer
                                tcpKeepalive:
                                  description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
                                  properties:
                                    interval:
                                      description: The time duration between keep-alive probes.
                                      type: string
                                    probes:
                                      description: Maximum number of keepalive probes to send without response before deciding the connection is dead.
                                      type: integer
                                    time:
                                      description: The time duration a connection needs to be idle before keep-alive probes start being sent.
                                      type: string
                                  type: object
                              type: object
                          type: object
                        loadBalancer:
                          description: Settings controlling the load balancer algorithms.
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - simple
                              - required:
                                - consistentHash
                          - required:
                            - simple
                          - required:
                            - consistentHash
                          properties:
                            consistentHash:
                              allOf:
                              - oneOf:
                                - not:
                                    anyOf:
                                    - required:
                                      - httpHeaderName
                                    - required:
                                      - httpCookie
                                    - required:
                                      - useSourceIp
                                    - required:
                                      - httpQueryParameterName
                                - required:
                                  - httpHeaderName
                                - required:
                                  - httpCookie
                                - required:
                                  - useSourceIp
                                - required:
                                  - httpQueryParameterName
                              - oneOf:
                                - not:
                                    anyOf:
                                    - required:
                                      - ringHash
                                    - required:
                                      - maglev
                                - required:
                                  - ringHash
                                - required:
                                  - maglev
                              properties:
                                httpCookie:
                                  description: Hash based on HTTP cookie.
                                  properties:
                                    name:
                                      description: Name of the cookie.
                                      type: string
                                    path:
                                      description: Path to set for the cookie.
                                      type: string
                                    ttl:
                                      description: Lifetime of the cookie.
                                      type: string
                                  required:
                                  - name
                                  type: object
                                httpHeaderName:
                                  description: Hash based on a specific HTTP header.
                                  type: string
                                httpQueryParameterName:
                                  description: Hash based on a specific HTTP query parameter.
                                  type: string
                                maglev:
                                  description: The Maglev load balancer implements consistent hashing to backend hosts.
                                  properties:
                                    tableSize:
                                      description: The table size for Maglev hashing.
                                      type: integer
                                  type: object
                                minimumRingSize:
                                  description: Deprecated.
                                  type: integer
                                ringHash:
                                  description: The ring/modulo hash load balancer implements consistent hashing to backend hosts.
                                  properties:
                                    minimumRingSize:
                                      description: The minimum number of virtual nodes to use for the hash ring.
                                      type: integer
                                  type: object
                                useSourceIp:
                                  description: Hash based on the source IP address.
                                  type: boolean
                              type: object
                            localityLbSetting:
                              properties:
                                distribute:
                                  description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                                  items:
                                    properties:
                                      from:
                                        description: Originating locality, '/' separated, e.g.
                                        type: string
                                      to:
                                        additionalProperties:
                                          type: integer
                                        description: Map of upstream localities to traffic distribution weights.
                                        type: object
                                    type: object
                                  type: array
                                enabled:
                                  description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
                                  nullable: true
                                  type: boolean
                                failover:
                                  description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                                  items:
                                    properties:
                                      from:
                                        description: Originating region.
                                        type: string
                                      to:
                                        description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
                                        type: string
                                    type: object
                                  type: array
                                failoverPriority:
                                  description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
                                  items:
                                    type: string
                                  type: array
                              type: object
                            simple:
                              enum:
                              - UNSPECIFIED
                              - LEAST_CONN
                              - RANDOM
                              - PASSTHROUGH
                              - ROUND_ROBIN
                              - LEAST_REQUEST
                              type: string
                            warmupDurationSecs:
                              description: Represents the warmup duration of Service.
                              type: string
                          type: object
                        outlierDetection:
                          properties:
                            baseEjectionTime:
                              description: Minimum ejection duration.
                              type: string
                            consecutive5xxErrors:
                              description: Number of 5xx errors before a host is ejected from the connection pool.
                              nullable: true
                              type: integer
                            consecutiveErrors:
                              format: int32
                              type: integer
                            consecutiveGatewayErrors:
                              description: Number of gateway errors before a host is ejected from the connection pool.
                              nullable: true
                              type: integer
                            consecutiveLocalOriginFailures:
                              description: The number of consecutive locally originated failures before ejection occurs.
                              nullable: true
                              type: integer
                            interval:
                              description: Time interval between ejection sweep analysis.
                              type: string
                            maxEjectionPercent:
                              description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected.
                              format: int32
                              type: integer
                            minHealthPercent:
                              description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode.
                              format: int32
                              type: integer
                            splitExternalLocalOriginErrors:
                              description: Determines whether to distinguish local origin failures from external errors.
                              type: boolean
                          type: object
                        portLevelSettings:
                          description: Traffic policies specific to individual ports.
                          items:
                            properties:
                              connectionPool:
                                properties:
                                  http:
                                    description: HTTP connection pool settings.
                                    properties:
                                      h2UpgradePolicy:
                                        description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
                                        enum:
                                        - DEFAULT
                                        - DO_NOT_UPGRADE
                                        - UPGRADE
                                        type: string
                                      http1MaxPendingRequests:
                                        description: Maximum number of requests that will be queued while waiting for a ready connection pool connection.
                                        format: int32
                                        type: integer
                                      http2MaxRequests:
                                        description: Maximum number of active requests to a destination.
                                        format: int32
                                        type: integer
                                      idleTimeout:
                                        description: The idle timeout for upstream connection pool connections.
                                        type: string
                                      maxConcurrentStreams:
                                        format: int32
                                        type: integer
                                      maxRequestsPerConnection:
                                        description: Maximum number of requests per connection to a backend.
                                        format: int32
                                        type: integer
                                      maxRetries:
                                        description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time.
                                        format: int32
                                        type: integer
                                      useClientProtocol:
                                        description: If set to true, client protocol will be preserved while initiating connection to backend.
                                        type: boolean
                                    type: object
                                  tcp:
                                    description: Settings common to both HTTP and TCP upstream connections.
                                    properties:
                                      connectTimeout:
                                        description: TCP connection timeout.
                                        type: string
                                      maxConnectionDuration:
                                        description: The maximum duration of a connection.
                                        type: string
                                      maxConnections:
                                        description: Maximum number of HTTP1 /TCP connections to a destination host.
                                        format: int32
                                        type: integer
                                      tcpKeepalive:
                                        description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
                                        properties:
                                          interval:
                                            description: The time duration between keep-alive probes.
                                            type: string
                                          probes:
                                            description: Maximum number of keepalive probes to send without response before deciding the connection is dead.
                                            type: integer
                                          time:
                                            description: The time duration a connection needs to be idle before keep-alive probes start being sent.
                                            type: string
                                        type: object
                                    type: object
                                type: object
                              loadBalancer:
                                description: Settings controlling the load balancer algorithms.
                                oneOf:
                                - not:
                                    anyOf:
                                    - required:
                                      - simple
                                    - required:
                                      - consistentHash
                                - required:
                                  - simple
                                - required:
                                  - consistentHash
                                properties:
                                  consistentHash:
                                    allOf:
                                    - oneOf:
                                      - not:
                                          anyOf:
                                          - required:
                                            - httpHeaderName
                                          - required:
                                            - httpCookie
                                          - required:
                                            - useSourceIp
                                          - required:
                                            - httpQueryParameterName
                                      - required:
                                        - httpHeaderName
                                      - required:
                                        - httpCookie
                                      - required:
                                        - useSourceIp
                                      - required:
                                        - httpQueryParameterName
                                    - oneOf:
                                      - not:
                                          anyOf:
                                          - required:
                                            - ringHash
                                          - required:
                                            - maglev
                                      - required:
                                        - ringHash
                                      - required:
                                        - maglev
                                    properties:
                                      httpCookie:
                                        description: Hash based on HTTP cookie.
                                        properties:
                                          name:
                                            description: Name of the cookie.
                                            type: string
                                          path:
                                            description: Path to set for the cookie.
                                            type: string
                                          ttl:
                                            description: Lifetime of the cookie.
                                            type: string
                                        required:
                                        - name
                                        type: object
                                      httpHeaderName:
                                        description: Hash based on a specific HTTP header.
                                        type: string
                                      httpQueryParameterName:
                                        description: Hash based on a specific HTTP query parameter.
                                        type: string
                                      maglev:
                                        description: The Maglev load balancer implements consistent hashing to backend hosts.
                                        properties:
                                          tableSize:
                                            description: The table size for Maglev hashing.
                                            type: integer
                                        type: object
                                      minimumRingSize:
                                        description: Deprecated.
                                        type: integer
                                      ringHash:
                                        description: The ring/modulo hash load balancer implements consistent hashing to backend hosts.
                                        properties:
                                          minimumRingSize:
                                            description: The minimum number of virtual nodes to use for the hash ring.
                                            type: integer
                                        type: object
                                      useSourceIp:
                                        description: Hash based on the source IP address.
                                        type: boolean
                                    type: object
                                  localityLbSetting:
                                    properties:
                                      distribute:
                                        description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                                        items:
                                          properties:
                                            from:
                                              description: Originating locality, '/' separated, e.g.
                                              type: string
                                            to:
                                              additionalProperties:
                                                type: integer
                                              description: Map of upstream localities to traffic distribution weights.
                                              type: object
                                          type: object
                                        type: array
                                      enabled:
                                        description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
                                        nullable: true
                                        type: boolean
                                      failover:
                                        description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                                        items:
                                          properties:
                                            from:
                                              description: Originating region.
                                              type: string
                                            to:
                                              description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
                                              type: string
                                          type: object
                                        type: array
                                      failoverPriority:
                                        description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
                                        items:
                                          type: string
                                        type: array
                                    type: object
                                  simple:
                                    enum:
                                    - UNSPECIFIED
                                    - LEAST_CONN
                                    - RANDOM
                                    - PASSTHROUGH
                                    - ROUND_ROBIN
                                    - LEAST_REQUEST
                                    type: string
                                  warmupDurationSecs:
                                    description: Represents the warmup duration of Service.
                                    type: string
                                type: object
                              outlierDetection:
                                properties:
                                  baseEjectionTime:
                                    description: Minimum ejection duration.
                                    type: string
                                  consecutive5xxErrors:
                                    description: Number of 5xx errors before a host is ejected from the connection pool.
                                    nullable: true
                                    type: integer
                                  consecutiveErrors:
                                    format: int32
                                    type: integer
                                  consecutiveGatewayErrors:
                                    description: Number of gateway errors before a host is ejected from the connection pool.
                                    nullable: true
                                    type: integer
                                  consecutiveLocalOriginFailures:
                                    description: The number of consecutive locally originated failures before ejection occurs.
                                    nullable: true
                                    type: integer
                                  interval:
                                    description: Time interval between ejection sweep analysis.
                                    type: string
                                  maxEjectionPercent:
                                    description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected.
                                    format: int32
                                    type: integer
                                  minHealthPercent:
                                    description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode.
                                    format: int32
                                    type: integer
                                  splitExternalLocalOriginErrors:
                                    description: Determines whether to distinguish local origin failures from external errors.
                                    type: boolean
                                type: object
                              port:
                                description: Specifies the number of a port on the destination service on which this policy is being applied.
                                properties:
                                  number:
                                    type: integer
                                type: object
                              tls:
                                description: TLS related settings for connections to the upstream service.
                                properties:
                                  caCertificates:
                                    description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.'
                                    type: string
                                  clientCertificate:
                                    description: REQUIRED if mode is `MUTUAL`.
                                    type: string
                                  credentialName:
                                    description: The name of the secret that holds the TLS certs for the client including the CA certificates.
                                    type: string
                                  insecureSkipVerify:
                                    description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
                                    nullable: true
                                    type: boolean
                                  mode:
                                    description: Indicates whether connections to this port should be secured using TLS.
                                    enum:
                                    - DISABLE
                                    - SIMPLE
                                    - MUTUAL
                                    - ISTIO_MUTUAL
                                    type: string
                                  privateKey:
                                    description: REQUIRED if mode is `MUTUAL`.
                                    type: string
                                  sni:
                                    description: SNI string to present to the server during TLS handshake.
                                    type: string
                                  subjectAltNames:
                                    description: A list of alternate names to verify the subject identity in the certificate.
                                    items:
                                      type: string
                                    type: array
                                type: object
                            type: object
                          type: array
                        proxyProtocol:
                          description: The upstream PROXY protocol settings.
                          properties:
                            version:
                              description: The PROXY protocol version to use.
                              enum:
                              - V1
                              - V2
                              type: string
                          type: object
                        tls:
                          description: TLS related settings for connections to the upstream service.
2613 properties: 2614 caCertificates: 2615 description: 'OPTIONAL: The path to the file containing 2616 certificate authority certificates to use in verifying 2617 a presented server certificate.' 2618 type: string 2619 clientCertificate: 2620 description: REQUIRED if mode is `MUTUAL`. 2621 type: string 2622 credentialName: 2623 description: The name of the secret that holds the TLS 2624 certs for the client including the CA certificates. 2625 type: string 2626 insecureSkipVerify: 2627 description: '`insecureSkipVerify` specifies whether 2628 the proxy should skip verifying the CA signature and 2629 SAN for the server certificate corresponding to the 2630 host.' 2631 nullable: true 2632 type: boolean 2633 mode: 2634 description: Indicates whether connections to this port 2635 should be secured using TLS. 2636 enum: 2637 - DISABLE 2638 - SIMPLE 2639 - MUTUAL 2640 - ISTIO_MUTUAL 2641 type: string 2642 privateKey: 2643 description: REQUIRED if mode is `MUTUAL`. 2644 type: string 2645 sni: 2646 description: SNI string to present to the server during 2647 TLS handshake. 2648 type: string 2649 subjectAltNames: 2650 description: A list of alternate names to verify the 2651 subject identity in the certificate. 2652 items: 2653 type: string 2654 type: array 2655 type: object 2656 tunnel: 2657 description: Configuration of tunneling TCP over other transport 2658 or application layers for the host configured in the DestinationRule. 2659 properties: 2660 protocol: 2661 description: Specifies which protocol to use for tunneling 2662 the downstream connection. 2663 type: string 2664 targetHost: 2665 description: Specifies a host to which the downstream 2666 connection is tunneled. 2667 type: string 2668 targetPort: 2669 description: Specifies a port to which the downstream 2670 connection is tunneled. 
2671 type: integer 2672 required: 2673 - targetHost 2674 - targetPort 2675 type: object 2676 type: object 2677 required: 2678 - name 2679 type: object 2680 type: array 2681 trafficPolicy: 2682 description: Traffic policies to apply (load balancing policy, connection 2683 pool sizes, outlier detection). 2684 properties: 2685 connectionPool: 2686 properties: 2687 http: 2688 description: HTTP connection pool settings. 2689 properties: 2690 h2UpgradePolicy: 2691 description: Specify if http1.1 connection should be upgraded 2692 to http2 for the associated destination. 2693 enum: 2694 - DEFAULT 2695 - DO_NOT_UPGRADE 2696 - UPGRADE 2697 type: string 2698 http1MaxPendingRequests: 2699 description: Maximum number of requests that will be queued 2700 while waiting for a ready connection pool connection. 2701 format: int32 2702 type: integer 2703 http2MaxRequests: 2704 description: Maximum number of active requests to a destination. 2705 format: int32 2706 type: integer 2707 idleTimeout: 2708 description: The idle timeout for upstream connection 2709 pool connections. 2710 type: string 2711 maxConcurrentStreams: 2712 format: int32 2713 type: integer 2714 maxRequestsPerConnection: 2715 description: Maximum number of requests per connection 2716 to a backend. 2717 format: int32 2718 type: integer 2719 maxRetries: 2720 description: Maximum number of retries that can be outstanding 2721 to all hosts in a cluster at a given time. 2722 format: int32 2723 type: integer 2724 useClientProtocol: 2725 description: If set to true, client protocol will be preserved 2726 while initiating connection to backend. 2727 type: boolean 2728 type: object 2729 tcp: 2730 description: Settings common to both HTTP and TCP upstream 2731 connections. 2732 properties: 2733 connectTimeout: 2734 description: TCP connection timeout. 2735 type: string 2736 maxConnectionDuration: 2737 description: The maximum duration of a connection. 
                            type: string
                          maxConnections:
                            description: Maximum number of HTTP1 /TCP connections to a destination host.
                            format: int32
                            type: integer
                          tcpKeepalive:
                            description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
                            properties:
                              interval:
                                description: The time duration between keep-alive probes.
                                type: string
                              probes:
                                description: Maximum number of keepalive probes to send without response before deciding the connection is dead.
                                type: integer
                              time:
                                description: The time duration a connection needs to be idle before keep-alive probes start being sent.
                                type: string
                            type: object
                        type: object
                    type: object
                  loadBalancer:
                    description: Settings controlling the load balancer algorithms.
                    oneOf:
                    - not:
                        anyOf:
                        - required:
                          - simple
                        - required:
                          - consistentHash
                    - required:
                      - simple
                    - required:
                      - consistentHash
                    properties:
                      consistentHash:
                        allOf:
                        - oneOf:
                          - not:
                              anyOf:
                              - required:
                                - httpHeaderName
                              - required:
                                - httpCookie
                              - required:
                                - useSourceIp
                              - required:
                                - httpQueryParameterName
                          - required:
                            - httpHeaderName
                          - required:
                            - httpCookie
                          - required:
                            - useSourceIp
                          - required:
                            - httpQueryParameterName
                        - oneOf:
                          - not:
                              anyOf:
                              - required:
                                - ringHash
                              - required:
                                - maglev
                          - required:
                            - ringHash
                          - required:
                            - maglev
                        properties:
                          httpCookie:
                            description: Hash based on HTTP cookie.
                            properties:
                              name:
                                description: Name of the cookie.
                                type: string
                              path:
                                description: Path to set for the cookie.
                                type: string
                              ttl:
                                description: Lifetime of the cookie.
                                type: string
                            required:
                            - name
                            type: object
                          httpHeaderName:
                            description: Hash based on a specific HTTP header.
                            type: string
                          httpQueryParameterName:
                            description: Hash based on a specific HTTP query parameter.
                            type: string
                          maglev:
                            description: The Maglev load balancer implements consistent hashing to backend hosts.
                            properties:
                              tableSize:
                                description: The table size for Maglev hashing.
                                type: integer
                            type: object
                          minimumRingSize:
                            description: Deprecated.
                            type: integer
                          ringHash:
                            description: The ring/modulo hash load balancer implements consistent hashing to backend hosts.
                            properties:
                              minimumRingSize:
                                description: The minimum number of virtual nodes to use for the hash ring.
                                type: integer
                            type: object
                          useSourceIp:
                            description: Hash based on the source IP address.
                            type: boolean
                        type: object
                      localityLbSetting:
                        properties:
                          distribute:
                            description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                            items:
                              properties:
                                from:
                                  description: Originating locality, '/' separated, e.g.
                                  type: string
                                to:
                                  additionalProperties:
                                    type: integer
                                  description: Map of upstream localities to traffic distribution weights.
                                  type: object
                              type: object
                            type: array
                          enabled:
                            description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
                            nullable: true
                            type: boolean
                          failover:
                            description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                            items:
                              properties:
                                from:
                                  description: Originating region.
                                  type: string
                                to:
                                  description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
                                  type: string
                              type: object
                            type: array
                          failoverPriority:
                            description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
                            items:
                              type: string
                            type: array
                        type: object
                      simple:
                        enum:
                        - UNSPECIFIED
                        - LEAST_CONN
                        - RANDOM
                        - PASSTHROUGH
                        - ROUND_ROBIN
                        - LEAST_REQUEST
                        type: string
                      warmupDurationSecs:
                        description: Represents the warmup duration of Service.
                        type: string
                    type: object
                  outlierDetection:
                    properties:
                      baseEjectionTime:
                        description: Minimum ejection duration.
                        type: string
                      consecutive5xxErrors:
                        description: Number of 5xx errors before a host is ejected from the connection pool.
                        nullable: true
                        type: integer
                      consecutiveErrors:
                        format: int32
                        type: integer
                      consecutiveGatewayErrors:
                        description: Number of gateway errors before a host is ejected from the connection pool.
                        nullable: true
                        type: integer
                      consecutiveLocalOriginFailures:
                        description: The number of consecutive locally originated failures before ejection occurs.
                        nullable: true
                        type: integer
                      interval:
                        description: Time interval between ejection sweep analysis.
                        type: string
                      maxEjectionPercent:
                        description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected.
                        format: int32
                        type: integer
                      minHealthPercent:
                        description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode.
                        format: int32
                        type: integer
                      splitExternalLocalOriginErrors:
                        description: Determines whether to distinguish local origin failures from external errors.
                        type: boolean
                    type: object
                  portLevelSettings:
                    description: Traffic policies specific to individual ports.
                    items:
                      properties:
                        connectionPool:
                          properties:
                            http:
                              description: HTTP connection pool settings.
                              properties:
                                h2UpgradePolicy:
                                  description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
                                  enum:
                                  - DEFAULT
                                  - DO_NOT_UPGRADE
                                  - UPGRADE
                                  type: string
                                http1MaxPendingRequests:
                                  description: Maximum number of requests that will be queued while waiting for a ready connection pool connection.
                                  format: int32
                                  type: integer
                                http2MaxRequests:
                                  description: Maximum number of active requests to a destination.
                                  format: int32
                                  type: integer
                                idleTimeout:
                                  description: The idle timeout for upstream connection pool connections.
                                  type: string
                                maxConcurrentStreams:
                                  format: int32
                                  type: integer
                                maxRequestsPerConnection:
                                  description: Maximum number of requests per connection to a backend.
                                  format: int32
                                  type: integer
                                maxRetries:
                                  description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time.
                                  format: int32
                                  type: integer
                                useClientProtocol:
                                  description: If set to true, client protocol will be preserved while initiating connection to backend.
                                  type: boolean
                              type: object
                            tcp:
                              description: Settings common to both HTTP and TCP upstream connections.
                              properties:
                                connectTimeout:
                                  description: TCP connection timeout.
                                  type: string
                                maxConnectionDuration:
                                  description: The maximum duration of a connection.
                                  type: string
                                maxConnections:
                                  description: Maximum number of HTTP1 /TCP connections to a destination host.
                                  format: int32
                                  type: integer
                                tcpKeepalive:
                                  description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
                                  properties:
                                    interval:
                                      description: The time duration between keep-alive probes.
                                      type: string
                                    probes:
                                      description: Maximum number of keepalive probes to send without response before deciding the connection is dead.
                                      type: integer
                                    time:
                                      description: The time duration a connection needs to be idle before keep-alive probes start being sent.
                                      type: string
                                  type: object
                              type: object
                          type: object
                        loadBalancer:
                          description: Settings controlling the load balancer algorithms.
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - simple
                              - required:
                                - consistentHash
                          - required:
                            - simple
                          - required:
                            - consistentHash
                          properties:
                            consistentHash:
                              allOf:
                              - oneOf:
                                - not:
                                    anyOf:
                                    - required:
                                      - httpHeaderName
                                    - required:
                                      - httpCookie
                                    - required:
                                      - useSourceIp
                                    - required:
                                      - httpQueryParameterName
                                - required:
                                  - httpHeaderName
                                - required:
                                  - httpCookie
                                - required:
                                  - useSourceIp
                                - required:
                                  - httpQueryParameterName
                              - oneOf:
                                - not:
                                    anyOf:
                                    - required:
                                      - ringHash
                                    - required:
                                      - maglev
                                - required:
                                  - ringHash
                                - required:
                                  - maglev
                              properties:
                                httpCookie:
                                  description: Hash based on HTTP cookie.
                                  properties:
                                    name:
                                      description: Name of the cookie.
                                      type: string
                                    path:
                                      description: Path to set for the cookie.
                                      type: string
                                    ttl:
                                      description: Lifetime of the cookie.
                                      type: string
                                  required:
                                  - name
                                  type: object
                                httpHeaderName:
                                  description: Hash based on a specific HTTP header.
                                  type: string
                                httpQueryParameterName:
                                  description: Hash based on a specific HTTP query parameter.
                                  type: string
                                maglev:
                                  description: The Maglev load balancer implements consistent hashing to backend hosts.
                                  properties:
                                    tableSize:
                                      description: The table size for Maglev hashing.
                                      type: integer
                                  type: object
                                minimumRingSize:
                                  description: Deprecated.
                                  type: integer
                                ringHash:
                                  description: The ring/modulo hash load balancer implements consistent hashing to backend hosts.
                                  properties:
                                    minimumRingSize:
                                      description: The minimum number of virtual nodes to use for the hash ring.
                                      type: integer
                                  type: object
                                useSourceIp:
                                  description: Hash based on the source IP address.
                                  type: boolean
                              type: object
                            localityLbSetting:
                              properties:
                                distribute:
                                  description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                                  items:
                                    properties:
                                      from:
                                        description: Originating locality, '/' separated, e.g.
                                        type: string
                                      to:
                                        additionalProperties:
                                          type: integer
                                        description: Map of upstream localities to traffic distribution weights.
                                        type: object
                                    type: object
                                  type: array
                                enabled:
                                  description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
                                  nullable: true
                                  type: boolean
                                failover:
                                  description: 'Optional: only one of distribute, failover or failoverPriority can be set.'
                                  items:
                                    properties:
                                      from:
                                        description: Originating region.
                                        type: string
                                      to:
                                        description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
                                        type: string
                                    type: object
                                  type: array
                                failoverPriority:
                                  description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
                                  items:
                                    type: string
                                  type: array
                              type: object
                            simple:
                              enum:
                              - UNSPECIFIED
                              - LEAST_CONN
                              - RANDOM
                              - PASSTHROUGH
                              - ROUND_ROBIN
                              - LEAST_REQUEST
                              type: string
                            warmupDurationSecs:
                              description: Represents the warmup duration of Service.
                              type: string
                          type: object
                        outlierDetection:
                          properties:
                            baseEjectionTime:
                              description: Minimum ejection duration.
                              type: string
                            consecutive5xxErrors:
                              description: Number of 5xx errors before a host is ejected from the connection pool.
                              nullable: true
                              type: integer
                            consecutiveErrors:
                              format: int32
                              type: integer
                            consecutiveGatewayErrors:
                              description: Number of gateway errors before a host is ejected from the connection pool.
                              nullable: true
                              type: integer
                            consecutiveLocalOriginFailures:
                              description: The number of consecutive locally originated failures before ejection occurs.
                              nullable: true
                              type: integer
                            interval:
                              description: Time interval between ejection sweep analysis.
                              type: string
                            maxEjectionPercent:
                              description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected.
                              format: int32
                              type: integer
                            minHealthPercent:
                              description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode.
                              format: int32
                              type: integer
                            splitExternalLocalOriginErrors:
                              description: Determines whether to distinguish local origin failures from external errors.
                              type: boolean
                          type: object
                        port:
                          description: Specifies the number of a port on the destination service on which this policy is being applied.
                          properties:
                            number:
                              type: integer
                          type: object
                        tls:
                          description: TLS related settings for connections to the upstream service.
                          properties:
                            caCertificates:
                              description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.'
                              type: string
                            clientCertificate:
                              description: REQUIRED if mode is `MUTUAL`.
                              type: string
                            credentialName:
                              description: The name of the secret that holds the TLS certs for the client including the CA certificates.
                              type: string
                            insecureSkipVerify:
                              description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
                              nullable: true
                              type: boolean
                            mode:
                              description: Indicates whether connections to this port should be secured using TLS.
                              enum:
                              - DISABLE
                              - SIMPLE
                              - MUTUAL
                              - ISTIO_MUTUAL
                              type: string
                            privateKey:
                              description: REQUIRED if mode is `MUTUAL`.
                              type: string
                            sni:
                              description: SNI string to present to the server during TLS handshake.
                              type: string
                            subjectAltNames:
                              description: A list of alternate names to verify the subject identity in the certificate.
                              items:
                                type: string
                              type: array
                          type: object
                      type: object
                    type: array
                  proxyProtocol:
                    description: The upstream PROXY protocol settings.
                    properties:
                      version:
                        description: The PROXY protocol version to use.
                        enum:
                        - V1
                        - V2
                        type: string
                    type: object
                  tls:
                    description: TLS related settings for connections to the upstream service.
                    properties:
                      caCertificates:
                        description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.'
                        type: string
                      clientCertificate:
                        description: REQUIRED if mode is `MUTUAL`.
                        type: string
                      credentialName:
                        description: The name of the secret that holds the TLS certs for the client including the CA certificates.
                        type: string
                      insecureSkipVerify:
                        description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
                        nullable: true
                        type: boolean
                      mode:
                        description: Indicates whether connections to this port should be secured using TLS.
                        enum:
                        - DISABLE
                        - SIMPLE
                        - MUTUAL
                        - ISTIO_MUTUAL
                        type: string
                      privateKey:
                        description: REQUIRED if mode is `MUTUAL`.
                        type: string
                      sni:
                        description: SNI string to present to the server during TLS handshake.
                        type: string
                      subjectAltNames:
                        description: A list of alternate names to verify the subject identity in the certificate.
                        items:
                          type: string
                        type: array
                    type: object
                  tunnel:
                    description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule.
                    properties:
                      protocol:
                        description: Specifies which protocol to use for tunneling the downstream connection.
                        type: string
                      targetHost:
                        description: Specifies a host to which the downstream connection is tunneled.
                        type: string
                      targetPort:
                        description: Specifies a port to which the downstream connection is tunneled.
                        type: integer
                    required:
                    - targetHost
                    - targetPort
                    type: object
                type: object
              workloadSelector:
                description: Criteria used to select the specific set of pods/VMs on which this `DestinationRule` configuration should be applied.
                properties:
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied.
                    type: object
                type: object
            required:
            - host
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: false
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: envoyfilters.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: EnvoyFilter
    listKind: EnvoyFilterList
    plural: envoyfilters
    singular: envoyfilter
  scope: Namespaced
  versions:
  - name: v1alpha3
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
            properties:
              configPatches:
                description: One or more patches with match conditions.
                items:
                  properties:
                    applyTo:
                      description: Specifies where in the Envoy configuration, the patch should be applied.
                      enum:
                      - INVALID
                      - LISTENER
                      - FILTER_CHAIN
                      - NETWORK_FILTER
                      - HTTP_FILTER
                      - ROUTE_CONFIGURATION
                      - VIRTUAL_HOST
                      - HTTP_ROUTE
                      - CLUSTER
                      - EXTENSION_CONFIG
                      - BOOTSTRAP
                      - LISTENER_FILTER
                      type: string
                    match:
                      description: Match on listener/route configuration/cluster.
                      oneOf:
                      - not:
                          anyOf:
                          - required:
                            - listener
                          - required:
                            - routeConfiguration
                          - required:
                            - cluster
                      - required:
                        - listener
                      - required:
                        - routeConfiguration
                      - required:
                        - cluster
                      properties:
                        cluster:
                          description: Match on envoy cluster attributes.
                          properties:
                            name:
                              description: The exact name of the cluster to match.
                              type: string
                            portNumber:
                              description: The service port for which this cluster was generated.
                              type: integer
                            service:
                              description: The fully qualified service name for this cluster.
                              type: string
                            subset:
                              description: The subset associated with the service.
                              type: string
                          type: object
                        context:
                          description: The specific config generation context to match on.
                          enum:
                          - ANY
                          - SIDECAR_INBOUND
                          - SIDECAR_OUTBOUND
                          - GATEWAY
                          type: string
                        listener:
                          description: Match on envoy listener attributes.
                          properties:
                            filterChain:
                              description: Match a specific filter chain in a listener.
                              properties:
                                applicationProtocols:
                                  description: Applies only to sidecars.
                                  type: string
                                destinationPort:
                                  description: The destination_port value used by a filter chain's match condition.
                                  type: integer
                                filter:
                                  description: The name of a specific filter to apply the patch to.
                                  properties:
                                    name:
                                      description: The filter name to match on.
                                      type: string
                                    subFilter:
                                      description: The next level filter within this filter to match upon.
                                      properties:
                                        name:
                                          description: The filter name to match on.
                                          type: string
                                      type: object
                                  type: object
                                name:
                                  description: The name assigned to the filter chain.
                                  type: string
                                sni:
                                  description: The SNI value used by a filter chain's match condition.
                                  type: string
                                transportProtocol:
                                  description: Applies only to `SIDECAR_INBOUND` context.
                                  type: string
                              type: object
                            listenerFilter:
                              description: Match a specific listener filter.
                              type: string
                            name:
                              description: Match a specific listener by its name.
                              type: string
                            portName:
                              type: string
                            portNumber:
                              description: The service port/gateway port to which traffic is being sent/received.
                              type: integer
                          type: object
                        proxy:
                          description: Match on properties associated with a proxy.
                          properties:
                            metadata:
                              additionalProperties:
                                type: string
                              description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot.
                              type: object
                            proxyVersion:
                              description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy.
                              type: string
                          type: object
                        routeConfiguration:
                          description: Match on envoy HTTP route configuration attributes.
                          properties:
                            gateway:
                              description: The Istio gateway config's namespace/name for which this route configuration was generated.
                              type: string
                            name:
                              description: Route configuration name to match on.
                              type: string
                            portName:
                              description: Applicable only for GATEWAY context.
                              type: string
                            portNumber:
                              description: The service port number or gateway server port number for which this route configuration was generated.
                              type: integer
                            vhost:
                              description: Match a specific virtual host in a route configuration and apply the patch to the virtual host.
                              properties:
                                name:
                                  description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry.
                                  type: string
                                route:
                                  description: Match a specific route within the virtual host.
                                  properties:
                                    action:
                                      description: Match a route with specific action type.
                                      enum:
                                      - ANY
                                      - ROUTE
                                      - REDIRECT
                                      - DIRECT_RESPONSE
                                      type: string
                                    name:
                                      description: The Route objects generated by default are named as default.
                                      type: string
                                  type: object
                              type: object
                          type: object
                      type: object
                    patch:
                      description: The patch to apply along with the operation.
                      properties:
                        filterClass:
                          description: Determines the filter insertion order.
                          enum:
                          - UNSPECIFIED
                          - AUTHN
                          - AUTHZ
                          - STATS
                          type: string
                        operation:
                          description: Determines how the patch should be applied.
                          enum:
                          - INVALID
                          - MERGE
                          - ADD
                          - REMOVE
                          - INSERT_BEFORE
                          - INSERT_AFTER
                          - INSERT_FIRST
                          - REPLACE
                          type: string
                        value:
                          description: The JSON config of the object being patched.
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                  type: object
                type: array
              priority:
                description: Priority defines the order in which patch sets are applied within a context.
                format: int32
                type: integer
              workloadSelector:
                description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied.
                properties:
                  labels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied.
                    type: object
                type: object
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: gateways.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: Gateway
    listKind: GatewayList
    plural: gateways
    shortNames:
    - gw
    singular: gateway
  scope: Namespaced
  versions:
  - name: v1alpha3
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html'
            properties:
              selector:
                additionalProperties:
                  type: string
                description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied.
                type: object
              servers:
                description: A list of server specifications.
                items:
                  properties:
                    bind:
                      description: The ip or the Unix domain socket to which the listener should be bound to.
                      type: string
                    defaultEndpoint:
                      type: string
                    hosts:
                      description: One or more hosts exposed by this gateway.
                      items:
                        type: string
                      type: array
                    name:
                      description: An optional name of the server, when set must be unique across all servers.
3725 type: string 3726 port: 3727 description: The Port on which the proxy should listen for incoming 3728 connections. 3729 properties: 3730 name: 3731 description: Label assigned to the port. 3732 type: string 3733 number: 3734 description: A valid non-negative integer port number. 3735 type: integer 3736 protocol: 3737 description: The protocol exposed on the port. 3738 type: string 3739 targetPort: 3740 type: integer 3741 required: 3742 - number 3743 - protocol 3744 - name 3745 type: object 3746 tls: 3747 description: Set of TLS related options that govern the server's 3748 behavior. 3749 properties: 3750 caCertificates: 3751 description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. 3752 type: string 3753 cipherSuites: 3754 description: 'Optional: If specified, only support the specified 3755 cipher list.' 3756 items: 3757 type: string 3758 type: array 3759 credentialName: 3760 description: For gateways running on Kubernetes, the name 3761 of the secret that holds the TLS certs including the CA 3762 certificates. 3763 type: string 3764 httpsRedirect: 3765 description: If set to true, the load balancer will send 3766 a 301 redirect for all http connections, asking the clients 3767 to use HTTPS. 3768 type: boolean 3769 maxProtocolVersion: 3770 description: 'Optional: Maximum TLS protocol version.' 3771 enum: 3772 - TLS_AUTO 3773 - TLSV1_0 3774 - TLSV1_1 3775 - TLSV1_2 3776 - TLSV1_3 3777 type: string 3778 minProtocolVersion: 3779 description: 'Optional: Minimum TLS protocol version.' 3780 enum: 3781 - TLS_AUTO 3782 - TLSV1_0 3783 - TLSV1_1 3784 - TLSV1_2 3785 - TLSV1_3 3786 type: string 3787 mode: 3788 description: 'Optional: Indicates whether connections to 3789 this port should be secured using TLS.' 3790 enum: 3791 - PASSTHROUGH 3792 - SIMPLE 3793 - MUTUAL 3794 - AUTO_PASSTHROUGH 3795 - ISTIO_MUTUAL 3796 - OPTIONAL_MUTUAL 3797 type: string 3798 privateKey: 3799 description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
                          type: string
                        serverCertificate:
                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                          type: string
                        subjectAltNames:
                          description: A list of alternate names to verify the subject
                            identity in the certificate presented by the client.
                          items:
                            type: string
                          type: array
                        verifyCertificateHash:
                          description: An optional list of hex-encoded SHA-256 hashes
                            of the authorized client certificates.
                          items:
                            type: string
                          type: array
                        verifyCertificateSpki:
                          description: An optional list of base64-encoded SHA-256
                            hashes of the SPKIs of authorized client certificates.
                          items:
                            type: string
                          type: array
                      type: object
                  required:
                  - port
                  - hosts
                  type: object
                type: array
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Configuration affecting edge load balancer. See more details
              at: https://istio.io/docs/reference/config/networking/gateway.html'
            properties:
              selector:
                additionalProperties:
                  type: string
                description: One or more labels that indicate a specific set of pods/VMs
                  on which this gateway configuration should be applied.
                type: object
              servers:
                description: A list of server specifications.
                items:
                  properties:
                    bind:
                      description: The ip or the Unix domain socket to which the listener
                        should be bound to.
                      type: string
                    defaultEndpoint:
                      type: string
                    hosts:
                      description: One or more hosts exposed by this gateway.
                      items:
                        type: string
                      type: array
                    name:
                      description: An optional name of the server, when set must be
                        unique across all servers.
                      type: string
                    port:
                      description: The Port on which the proxy should listen for incoming
                        connections.
                      properties:
                        name:
                          description: Label assigned to the port.
                          type: string
                        number:
                          description: A valid non-negative integer port number.
                          type: integer
                        protocol:
                          description: The protocol exposed on the port.
                          type: string
                        targetPort:
                          type: integer
                      required:
                      - number
                      - protocol
                      - name
                      type: object
                    tls:
                      description: Set of TLS related options that govern the server's
                        behavior.
                      properties:
                        caCertificates:
                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
                          type: string
                        cipherSuites:
                          description: 'Optional: If specified, only support the specified
                            cipher list.'
                          items:
                            type: string
                          type: array
                        credentialName:
                          description: For gateways running on Kubernetes, the name
                            of the secret that holds the TLS certs including the CA
                            certificates.
                          type: string
                        httpsRedirect:
                          description: If set to true, the load balancer will send
                            a 301 redirect for all http connections, asking the clients
                            to use HTTPS.
                          type: boolean
                        maxProtocolVersion:
                          description: 'Optional: Maximum TLS protocol version.'
                          enum:
                          - TLS_AUTO
                          - TLSV1_0
                          - TLSV1_1
                          - TLSV1_2
                          - TLSV1_3
                          type: string
                        minProtocolVersion:
                          description: 'Optional: Minimum TLS protocol version.'
                          enum:
                          - TLS_AUTO
                          - TLSV1_0
                          - TLSV1_1
                          - TLSV1_2
                          - TLSV1_3
                          type: string
                        mode:
                          description: 'Optional: Indicates whether connections to
                            this port should be secured using TLS.'
                          enum:
                          - PASSTHROUGH
                          - SIMPLE
                          - MUTUAL
                          - AUTO_PASSTHROUGH
                          - ISTIO_MUTUAL
                          - OPTIONAL_MUTUAL
                          type: string
                        privateKey:
                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                          type: string
                        serverCertificate:
                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                          type: string
                        subjectAltNames:
                          description: A list of alternate names to verify the subject
                            identity in the certificate presented by the client.
                          items:
                            type: string
                          type: array
                        verifyCertificateHash:
                          description: An optional list of hex-encoded SHA-256 hashes
                            of the authorized client certificates.
                          items:
                            type: string
                          type: array
                        verifyCertificateSpki:
                          description: An optional list of base64-encoded SHA-256
                            hashes of the SPKIs of authorized client certificates.
                          items:
                            type: string
                          type: array
                      type: object
                  required:
                  - port
                  - hosts
                  type: object
                type: array
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: false
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    istio: security
    release: istio
  name: peerauthentications.security.istio.io
spec:
  group: security.istio.io
  names:
    categories:
    - istio-io
    - security-istio-io
    kind: PeerAuthentication
    listKind: PeerAuthenticationList
    plural: peerauthentications
    shortNames:
    - pa
    singular: peerauthentication
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Defines the mTLS mode used for peer authentication.
      jsonPath: .spec.mtls.mode
      name: Mode
      type: string
    - description: 'CreationTimestamp is a timestamp representing the server time
        when this object was created. It is not guaranteed to be set in happens-before
        order across separate operations. Clients may not set this value. It is represented
        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Peer authentication configuration for workloads. See more
              details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
            properties:
              mtls:
                description: Mutual TLS settings for workload.
                properties:
                  mode:
                    description: Defines the mTLS mode used for peer authentication.
                    enum:
                    - UNSET
                    - DISABLE
                    - PERMISSIVE
                    - STRICT
                    type: string
                type: object
              portLevelMtls:
                additionalProperties:
                  properties:
                    mode:
                      description: Defines the mTLS mode used for peer authentication.
                      enum:
                      - UNSET
                      - DISABLE
                      - PERMISSIVE
                      - STRICT
                      type: string
                  type: object
                description: Port specific mutual TLS settings.
                type: object
              selector:
                description: The selector determines the workloads to apply the ChannelAuthentication
                  on.
                properties:
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of
                      pods/VMs on which a policy should be applied.
                    type: object
                type: object
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: proxyconfigs.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: ProxyConfig
    listKind: ProxyConfigList
    plural: proxyconfigs
    singular: proxyconfig
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Provides configuration for individual workloads. See more
              details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
            properties:
              concurrency:
                description: The number of worker threads to run.
                nullable: true
                type: integer
              environmentVariables:
                additionalProperties:
                  type: string
                description: Additional environment variables for the proxy.
                type: object
              image:
                description: Specifies the details of the proxy image.
                properties:
                  imageType:
                    description: The image type of the image.
                    type: string
                type: object
              selector:
                description: Optional.
                properties:
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of
                      pods/VMs on which a policy should be applied.
                    type: object
                type: object
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    istio: security
    release: istio
  name: requestauthentications.security.istio.io
spec:
  group: security.istio.io
  names:
    categories:
    - istio-io
    - security-istio-io
    kind: RequestAuthentication
    listKind: RequestAuthenticationList
    plural: requestauthentications
    shortNames:
    - ra
    singular: requestauthentication
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Request authentication configuration for workloads. See
              more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
            properties:
              jwtRules:
                description: Define the list of JWTs that can be validated at the
                  selected workloads' proxy.
                items:
                  properties:
                    audiences:
                      description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
                        that are allowed to access.
                      items:
                        type: string
                      type: array
                    forwardOriginalToken:
                      description: If set to true, the original token will be kept
                        for the upstream request.
                      type: boolean
                    fromCookies:
                      description: List of cookie names from which JWT is expected.
                      items:
                        type: string
                      type: array
                    fromHeaders:
                      description: List of header locations from which JWT is expected.
                      items:
                        properties:
                          name:
                            description: The HTTP header name.
                            type: string
                          prefix:
                            description: The prefix that should be stripped before
                              decoding the token.
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    fromParams:
                      description: List of query parameters from which JWT is expected.
                      items:
                        type: string
                      type: array
                    issuer:
                      description: Identifies the issuer that issued the JWT.
                      type: string
                    jwks:
                      description: JSON Web Key Set of public keys to validate signature
                        of the JWT.
                      type: string
                    jwks_uri:
                      description: URL of the provider's public key set to validate
                        signature of the JWT.
                      type: string
                    jwksUri:
                      description: URL of the provider's public key set to validate
                        signature of the JWT.
                      type: string
                    outputClaimToHeaders:
                      description: This field specifies a list of operations to copy
                        the claim to HTTP headers on a successfully verified token.
                      items:
                        properties:
                          claim:
                            description: The name of the claim to be copied from.
                            type: string
                          header:
                            description: The name of the header to be created.
                            type: string
                        type: object
                      type: array
                    outputPayloadToHeader:
                      description: This field specifies the header name to output
                        a successfully verified JWT payload to the backend.
                      type: string
                  required:
                  - issuer
                  type: object
                type: array
              selector:
                description: Optional.
                properties:
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of
                      pods/VMs on which a policy should be applied.
                    type: object
                type: object
              targetRef:
                description: Optional.
                properties:
                  group:
                    description: group is the group of the target resource.
                    type: string
                  kind:
                    description: kind is kind of the target resource.
                    type: string
                  name:
                    description: name is the name of the target resource.
                    type: string
                  namespace:
                    description: namespace is the namespace of the referent.
                    type: string
                type: object
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Request authentication configuration for workloads. See
              more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
            properties:
              jwtRules:
                description: Define the list of JWTs that can be validated at the
                  selected workloads' proxy.
                items:
                  properties:
                    audiences:
                      description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
                        that are allowed to access.
                      items:
                        type: string
                      type: array
                    forwardOriginalToken:
                      description: If set to true, the original token will be kept
                        for the upstream request.
                      type: boolean
                    fromCookies:
                      description: List of cookie names from which JWT is expected.
                      items:
                        type: string
                      type: array
                    fromHeaders:
                      description: List of header locations from which JWT is expected.
                      items:
                        properties:
                          name:
                            description: The HTTP header name.
                            type: string
                          prefix:
                            description: The prefix that should be stripped before
                              decoding the token.
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    fromParams:
                      description: List of query parameters from which JWT is expected.
                      items:
                        type: string
                      type: array
                    issuer:
                      description: Identifies the issuer that issued the JWT.
                      type: string
                    jwks:
                      description: JSON Web Key Set of public keys to validate signature
                        of the JWT.
                      type: string
                    jwks_uri:
                      description: URL of the provider's public key set to validate
                        signature of the JWT.
                      type: string
                    jwksUri:
                      description: URL of the provider's public key set to validate
                        signature of the JWT.
                      type: string
                    outputClaimToHeaders:
                      description: This field specifies a list of operations to copy
                        the claim to HTTP headers on a successfully verified token.
                      items:
                        properties:
                          claim:
                            description: The name of the claim to be copied from.
                            type: string
                          header:
                            description: The name of the header to be created.
                            type: string
                        type: object
                      type: array
                    outputPayloadToHeader:
                      description: This field specifies the header name to output
                        a successfully verified JWT payload to the backend.
                      type: string
                  required:
                  - issuer
                  type: object
                type: array
              selector:
                description: Optional.
                properties:
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of
                      pods/VMs on which a policy should be applied.
                    type: object
                type: object
              targetRef:
                description: Optional.
                properties:
                  group:
                    description: group is the group of the target resource.
                    type: string
                  kind:
                    description: kind is kind of the target resource.
                    type: string
                  name:
                    description: name is the name of the target resource.
                    type: string
                  namespace:
                    description: namespace is the namespace of the referent.
                    type: string
                type: object
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: serviceentries.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: ServiceEntry
    listKind: ServiceEntryList
    plural: serviceentries
    shortNames:
    - se
    singular: serviceentry
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: The hosts associated with the ServiceEntry
      jsonPath: .spec.hosts
      name: Hosts
      type: string
    - description: Whether the service is external to the mesh or part of the mesh
        (MESH_EXTERNAL or MESH_INTERNAL)
      jsonPath: .spec.location
      name: Location
      type: string
    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
      jsonPath: .spec.resolution
      name: Resolution
      type: string
    - description: 'CreationTimestamp is a timestamp representing the server time
        when this object was created. It is not guaranteed to be set in happens-before
        order across separate operations. Clients may not set this value. It is represented
        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha3
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Configuration affecting service registry. See more details
              at: https://istio.io/docs/reference/config/networking/service-entry.html'
            properties:
              addresses:
                description: The virtual IP addresses associated with the service.
                items:
                  type: string
                type: array
              endpoints:
                description: One or more endpoints associated with the service.
                items:
                  properties:
                    address:
                      description: Address associated with the network endpoint without
                        the port.
                      type: string
                    labels:
                      additionalProperties:
                        type: string
                      description: One or more labels associated with the endpoint.
                      type: object
                    locality:
                      description: The locality associated with the endpoint.
                      type: string
                    network:
                      description: Network enables Istio to group endpoints resident
                        in the same L3 domain/network.
                      type: string
                    ports:
                      additionalProperties:
                        type: integer
                      description: Set of ports associated with the endpoint.
                      type: object
                    serviceAccount:
                      description: The service account associated with the workload
                        if a sidecar is present in the workload.
                      type: string
                    weight:
                      description: The load balancing weight associated with the endpoint.
                      type: integer
                  type: object
                type: array
              exportTo:
                description: A list of namespaces to which this service is exported.
                items:
                  type: string
                type: array
              hosts:
                description: The hosts associated with the ServiceEntry.
                items:
                  type: string
                type: array
              location:
                description: Specify whether the service should be considered external
                  to the mesh or part of the mesh.
                enum:
                - MESH_EXTERNAL
                - MESH_INTERNAL
                type: string
              ports:
                description: The ports associated with the external service.
                items:
                  properties:
                    name:
                      description: Label assigned to the port.
                      type: string
                    number:
                      description: A valid non-negative integer port number.
                      type: integer
                    protocol:
                      description: The protocol exposed on the port.
                      type: string
                    targetPort:
                      description: The port number on the endpoint where the traffic
                        will be received.
                      type: integer
                  required:
                  - number
                  - name
                  type: object
                type: array
              resolution:
                description: Service resolution mode for the hosts.
                enum:
                - NONE
                - STATIC
                - DNS
                - DNS_ROUND_ROBIN
                type: string
              subjectAltNames:
                description: If specified, the proxy will verify that the server certificate's
                  subject alternate name matches one of the specified values.
                items:
                  type: string
                type: array
              workloadSelector:
                description: Applicable only for MESH_INTERNAL services.
                properties:
                  labels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of
                      pods/VMs on which the configuration should be applied.
                    type: object
                type: object
            required:
            - hosts
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - description: The hosts associated with the ServiceEntry
      jsonPath: .spec.hosts
      name: Hosts
      type: string
    - description: Whether the service is external to the mesh or part of the mesh
        (MESH_EXTERNAL or MESH_INTERNAL)
      jsonPath: .spec.location
      name: Location
      type: string
    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
      jsonPath: .spec.resolution
      name: Resolution
      type: string
    - description: 'CreationTimestamp is a timestamp representing the server time
        when this object was created. It is not guaranteed to be set in happens-before
        order across separate operations. Clients may not set this value. It is represented
        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Configuration affecting service registry. See more details
              at: https://istio.io/docs/reference/config/networking/service-entry.html'
            properties:
              addresses:
                description: The virtual IP addresses associated with the service.
                items:
                  type: string
                type: array
              endpoints:
                description: One or more endpoints associated with the service.
                items:
                  properties:
                    address:
                      description: Address associated with the network endpoint without
                        the port.
                      type: string
                    labels:
                      additionalProperties:
                        type: string
                      description: One or more labels associated with the endpoint.
                      type: object
                    locality:
                      description: The locality associated with the endpoint.
                      type: string
                    network:
                      description: Network enables Istio to group endpoints resident
                        in the same L3 domain/network.
                      type: string
                    ports:
                      additionalProperties:
                        type: integer
                      description: Set of ports associated with the endpoint.
                      type: object
                    serviceAccount:
                      description: The service account associated with the workload
                        if a sidecar is present in the workload.
                      type: string
                    weight:
                      description: The load balancing weight associated with the endpoint.
                      type: integer
                  type: object
                type: array
              exportTo:
                description: A list of namespaces to which this service is exported.
                items:
                  type: string
                type: array
              hosts:
                description: The hosts associated with the ServiceEntry.
                items:
                  type: string
                type: array
              location:
                description: Specify whether the service should be considered external
                  to the mesh or part of the mesh.
                enum:
                - MESH_EXTERNAL
                - MESH_INTERNAL
                type: string
              ports:
                description: The ports associated with the external service.
                items:
                  properties:
                    name:
                      description: Label assigned to the port.
                      type: string
                    number:
                      description: A valid non-negative integer port number.
                      type: integer
                    protocol:
                      description: The protocol exposed on the port.
                      type: string
                    targetPort:
                      description: The port number on the endpoint where the traffic
                        will be received.
                      type: integer
                  required:
                  - number
                  - name
                  type: object
                type: array
              resolution:
                description: Service resolution mode for the hosts.
                enum:
                - NONE
                - STATIC
                - DNS
                - DNS_ROUND_ROBIN
                type: string
              subjectAltNames:
                description: If specified, the proxy will verify that the server certificate's
                  subject alternate name matches one of the specified values.
                items:
                  type: string
                type: array
              workloadSelector:
                description: Applicable only for MESH_INTERNAL services.
                properties:
                  labels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of
                      pods/VMs on which the configuration should be applied.
                    type: object
                type: object
            required:
            - hosts
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: false
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: sidecars.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: Sidecar
    listKind: SidecarList
    plural: sidecars
    singular: sidecar
  scope: Namespaced
  versions:
  - name: v1alpha3
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Configuration affecting network reachability of a sidecar.
              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
            properties:
              egress:
                description: Egress specifies the configuration of the sidecar for
                  processing outbound traffic from the attached workload instance
                  to other services in the mesh.
                items:
                  properties:
                    bind:
                      description: The IP(IPv4 or IPv6) or the Unix domain socket
                        to which the listener should be bound to.
                      type: string
                    captureMode:
                      description: When the bind address is an IP, the captureMode
                        option dictates how traffic to the listener is expected to
                        be captured (or not).
                      enum:
                      - DEFAULT
                      - IPTABLES
                      - NONE
                      type: string
                    hosts:
                      description: One or more service hosts exposed by the listener
                        in `namespace/dnsName` format.
                      items:
                        type: string
                      type: array
                    port:
                      description: The port associated with the listener.
                      properties:
                        name:
                          description: Label assigned to the port.
                          type: string
                        number:
                          description: A valid non-negative integer port number.
                          type: integer
                        protocol:
                          description: The protocol exposed on the port.
                          type: string
                        targetPort:
                          type: integer
                      type: object
                  required:
                  - hosts
                  type: object
                type: array
              inboundConnectionPool:
                description: Settings controlling the volume of connections Envoy
                  will accept from the network.
                properties:
                  http:
                    description: HTTP connection pool settings.
                    properties:
                      h2UpgradePolicy:
                        description: Specify if http1.1 connection should be upgraded
                          to http2 for the associated destination.
                        enum:
                        - DEFAULT
                        - DO_NOT_UPGRADE
                        - UPGRADE
                        type: string
                      http1MaxPendingRequests:
                        description: Maximum number of requests that will be queued
                          while waiting for a ready connection pool connection.
                        format: int32
                        type: integer
                      http2MaxRequests:
                        description: Maximum number of active requests to a destination.
                        format: int32
                        type: integer
                      idleTimeout:
                        description: The idle timeout for upstream connection pool
                          connections.
                        type: string
                      maxConcurrentStreams:
                        format: int32
                        type: integer
                      maxRequestsPerConnection:
                        description: Maximum number of requests per connection to
                          a backend.
                        format: int32
                        type: integer
                      maxRetries:
                        description: Maximum number of retries that can be outstanding
                          to all hosts in a cluster at a given time.
                        format: int32
                        type: integer
                      useClientProtocol:
                        description: If set to true, client protocol will be preserved
                          while initiating connection to backend.
                        type: boolean
                    type: object
                  tcp:
                    description: Settings common to both HTTP and TCP upstream connections.
                    properties:
                      connectTimeout:
                        description: TCP connection timeout.
                        type: string
                      maxConnectionDuration:
                        description: The maximum duration of a connection.
                        type: string
                      maxConnections:
                        description: Maximum number of HTTP1 /TCP connections to a
                          destination host.
                        format: int32
                        type: integer
                      tcpKeepalive:
                        description: If set then set SO_KEEPALIVE on the socket to
                          enable TCP Keepalives.
                        properties:
                          interval:
                            description: The time duration between keep-alive probes.
                            type: string
                          probes:
                            description: Maximum number of keepalive probes to send
                              without response before deciding the connection is dead.
                            type: integer
                          time:
                            description: The time duration a connection needs to be
                              idle before keep-alive probes start being sent.
                            type: string
                        type: object
                    type: object
                type: object
              ingress:
                description: Ingress specifies the configuration of the sidecar for
                  processing inbound traffic to the attached workload instance.
                items:
                  properties:
                    bind:
                      description: The IP(IPv4 or IPv6) to which the listener should
                        be bound.
                      type: string
                    captureMode:
                      description: The captureMode option dictates how traffic to
                        the listener is expected to be captured (or not).
                      enum:
                      - DEFAULT
                      - IPTABLES
                      - NONE
                      type: string
                    connectionPool:
                      description: Settings controlling the volume of connections
                        Envoy will accept from the network.
                      properties:
                        http:
                          description: HTTP connection pool settings.
                          properties:
                            h2UpgradePolicy:
                              description: Specify if http1.1 connection should be
                                upgraded to http2 for the associated destination.
                              enum:
                              - DEFAULT
                              - DO_NOT_UPGRADE
                              - UPGRADE
                              type: string
                            http1MaxPendingRequests:
                              description: Maximum number of requests that will be
                                queued while waiting for a ready connection pool connection.
                              format: int32
                              type: integer
                            http2MaxRequests:
                              description: Maximum number of active requests to a
                                destination.
                              format: int32
                              type: integer
                            idleTimeout:
                              description: The idle timeout for upstream connection
                                pool connections.
                              type: string
                            maxConcurrentStreams:
                              format: int32
                              type: integer
                            maxRequestsPerConnection:
                              description: Maximum number of requests per connection
                                to a backend.
                              format: int32
                              type: integer
                            maxRetries:
                              description: Maximum number of retries that can be outstanding
                                to all hosts in a cluster at a given time.
                              format: int32
                              type: integer
                            useClientProtocol:
                              description: If set to true, client protocol will be
                                preserved while initiating connection to backend.
                              type: boolean
                          type: object
                        tcp:
                          description: Settings common to both HTTP and TCP upstream
                            connections.
                          properties:
                            connectTimeout:
                              description: TCP connection timeout.
                              type: string
                            maxConnectionDuration:
                              description: The maximum duration of a connection.
                              type: string
                            maxConnections:
                              description: Maximum number of HTTP1 /TCP connections
                                to a destination host.
                              format: int32
                              type: integer
                            tcpKeepalive:
                              description: If set then set SO_KEEPALIVE on the socket
                                to enable TCP Keepalives.
                              properties:
                                interval:
                                  description: The time duration between keep-alive
                                    probes.
                                  type: string
                                probes:
                                  description: Maximum number of keepalive probes
                                    to send without response before deciding the connection
                                    is dead.
                                  type: integer
                                time:
                                  description: The time duration a connection needs
                                    to be idle before keep-alive probes start being
                                    sent.
                                  type: string
                              type: object
                          type: object
                      type: object
                    defaultEndpoint:
                      description: The IP endpoint or Unix domain socket to which
                        traffic should be forwarded to.
                      type: string
                    port:
                      description: The port associated with the listener.
                      properties:
                        name:
                          description: Label assigned to the port.
                          type: string
                        number:
                          description: A valid non-negative integer port number.
                          type: integer
                        protocol:
                          description: The protocol exposed on the port.
                          type: string
                        targetPort:
                          type: integer
                      type: object
                    tls:
                      description: Set of TLS related options that will enable TLS
                        termination on the sidecar for requests originating from outside
                        the mesh.
                      properties:
                        caCertificates:
                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
                          type: string
                        cipherSuites:
                          description: 'Optional: If specified, only support the specified
                            cipher list.'
                          items:
                            type: string
                          type: array
                        credentialName:
                          description: For gateways running on Kubernetes, the name
                            of the secret that holds the TLS certs including the CA
                            certificates.
                          type: string
                        httpsRedirect:
                          description: If set to true, the load balancer will send
                            a 301 redirect for all http connections, asking the clients
                            to use HTTPS.
                          type: boolean
                        maxProtocolVersion:
                          description: 'Optional: Maximum TLS protocol version.'
                          enum:
                          - TLS_AUTO
                          - TLSV1_0
                          - TLSV1_1
                          - TLSV1_2
                          - TLSV1_3
                          type: string
                        minProtocolVersion:
                          description: 'Optional: Minimum TLS protocol version.'
                          enum:
                          - TLS_AUTO
                          - TLSV1_0
                          - TLSV1_1
                          - TLSV1_2
                          - TLSV1_3
                          type: string
                        mode:
                          description: 'Optional: Indicates whether connections to
                            this port should be secured using TLS.'
                          enum:
                          - PASSTHROUGH
                          - SIMPLE
                          - MUTUAL
                          - AUTO_PASSTHROUGH
                          - ISTIO_MUTUAL
                          - OPTIONAL_MUTUAL
                          type: string
                        privateKey:
                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                          type: string
                        serverCertificate:
                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                          type: string
                        subjectAltNames:
                          description: A list of alternate names to verify the subject
                            identity in the certificate presented by the client.
                          items:
                            type: string
                          type: array
                        verifyCertificateHash:
                          description: An optional list of hex-encoded SHA-256 hashes
                            of the authorized client certificates.
                          items:
                            type: string
                          type: array
                        verifyCertificateSpki:
                          description: An optional list of base64-encoded SHA-256
                            hashes of the SPKIs of authorized client certificates.
                          items:
                            type: string
                          type: array
                      type: object
                  required:
                  - port
                  type: object
                type: array
              outboundTrafficPolicy:
                description: Configuration for the outbound traffic policy.
                properties:
                  egressProxy:
                    properties:
                      host:
                        description: The name of a service from the service registry.
                        type: string
                      port:
                        description: Specifies the port on the host that is being
                          addressed.
                        properties:
                          number:
                            type: integer
                        type: object
                      subset:
                        description: The name of a subset within the service.
                        type: string
                    required:
                    - host
                    type: object
                  mode:
                    enum:
                    - REGISTRY_ONLY
                    - ALLOW_ANY
                    type: string
                type: object
              workloadSelector:
                description: Criteria used to select the specific set of pods/VMs
                  on which this `Sidecar` configuration should be applied.
                properties:
                  labels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of
                      pods/VMs on which the configuration should be applied.
                    type: object
                type: object
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Configuration affecting network reachability of a sidecar.
              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
            properties:
              egress:
                description: Egress specifies the configuration of the sidecar for
                  processing outbound traffic from the attached workload instance
                  to other services in the mesh.
                items:
                  properties:
                    bind:
                      description: The IP(IPv4 or IPv6) or the Unix domain socket
                        to which the listener should be bound to.
                      type: string
                    captureMode:
                      description: When the bind address is an IP, the captureMode
                        option dictates how traffic to the listener is expected to
                        be captured (or not).
                      enum:
                      - DEFAULT
                      - IPTABLES
                      - NONE
                      type: string
                    hosts:
                      description: One or more service hosts exposed by the listener
                        in `namespace/dnsName` format.
                      items:
                        type: string
                      type: array
                    port:
                      description: The port associated with the listener.
                      properties:
                        name:
                          description: Label assigned to the port.
                          type: string
                        number:
                          description: A valid non-negative integer port number.
                          type: integer
                        protocol:
                          description: The protocol exposed on the port.
                          type: string
                        targetPort:
                          type: integer
                      type: object
                  required:
                  - hosts
                  type: object
                type: array
              inboundConnectionPool:
                description: Settings controlling the volume of connections Envoy
                  will accept from the network.
                properties:
                  http:
                    description: HTTP connection pool settings.
                    properties:
                      h2UpgradePolicy:
                        description: Specify if http1.1 connection should be upgraded
                          to http2 for the associated destination.
                        enum:
                        - DEFAULT
                        - DO_NOT_UPGRADE
                        - UPGRADE
                        type: string
                      http1MaxPendingRequests:
                        description: Maximum number of requests that will be queued
                          while waiting for a ready connection pool connection.
                        format: int32
                        type: integer
                      http2MaxRequests:
                        description: Maximum number of active requests to a destination.
                        format: int32
                        type: integer
                      idleTimeout:
                        description: The idle timeout for upstream connection pool
                          connections.
                        type: string
                      maxConcurrentStreams:
                        format: int32
                        type: integer
                      maxRequestsPerConnection:
                        description: Maximum number of requests per connection to
                          a backend.
                        format: int32
                        type: integer
                      maxRetries:
                        description: Maximum number of retries that can be outstanding
                          to all hosts in a cluster at a given time.
                        format: int32
                        type: integer
                      useClientProtocol:
                        description: If set to true, client protocol will be preserved
                          while initiating connection to backend.
                        type: boolean
                    type: object
                  tcp:
                    description: Settings common to both HTTP and TCP upstream connections.
                    properties:
                      connectTimeout:
                        description: TCP connection timeout.
                        type: string
                      maxConnectionDuration:
                        description: The maximum duration of a connection.
                        type: string
                      maxConnections:
                        description: Maximum number of HTTP1 /TCP connections to a
                          destination host.
                        format: int32
                        type: integer
                      tcpKeepalive:
                        description: If set then set SO_KEEPALIVE on the socket to
                          enable TCP Keepalives.
                        properties:
                          interval:
                            description: The time duration between keep-alive probes.
                            type: string
                          probes:
                            description: Maximum number of keepalive probes to send
                              without response before deciding the connection is dead.
                            type: integer
                          time:
                            description: The time duration a connection needs to be
                              idle before keep-alive probes start being sent.
                            type: string
                        type: object
                    type: object
                type: object
              ingress:
                description: Ingress specifies the configuration of the sidecar for
                  processing inbound traffic to the attached workload instance.
                items:
                  properties:
                    bind:
                      description: The IP(IPv4 or IPv6) to which the listener should
                        be bound.
                      type: string
                    captureMode:
                      description: The captureMode option dictates how traffic to
                        the listener is expected to be captured (or not).
                      enum:
                      - DEFAULT
                      - IPTABLES
                      - NONE
                      type: string
                    connectionPool:
                      description: Settings controlling the volume of connections
                        Envoy will accept from the network.
                      properties:
                        http:
                          description: HTTP connection pool settings.
                          properties:
                            h2UpgradePolicy:
                              description: Specify if http1.1 connection should be
                                upgraded to http2 for the associated destination.
                              enum:
                              - DEFAULT
                              - DO_NOT_UPGRADE
                              - UPGRADE
                              type: string
                            http1MaxPendingRequests:
                              description: Maximum number of requests that will be
                                queued while waiting for a ready connection pool connection.
                              format: int32
                              type: integer
                            http2MaxRequests:
                              description: Maximum number of active requests to a
                                destination.
                              format: int32
                              type: integer
                            idleTimeout:
                              description: The idle timeout for upstream connection
                                pool connections.
                              type: string
                            maxConcurrentStreams:
                              format: int32
                              type: integer
                            maxRequestsPerConnection:
                              description: Maximum number of requests per connection
                                to a backend.
                              format: int32
                              type: integer
                            maxRetries:
                              description: Maximum number of retries that can be outstanding
                                to all hosts in a cluster at a given time.
                              format: int32
                              type: integer
                            useClientProtocol:
                              description: If set to true, client protocol will be
                                preserved while initiating connection to backend.
                              type: boolean
                          type: object
                        tcp:
                          description: Settings common to both HTTP and TCP upstream
                            connections.
                          properties:
                            connectTimeout:
                              description: TCP connection timeout.
                              type: string
                            maxConnectionDuration:
                              description: The maximum duration of a connection.
                              type: string
                            maxConnections:
                              description: Maximum number of HTTP1 /TCP connections
                                to a destination host.
                              format: int32
                              type: integer
                            tcpKeepalive:
                              description: If set then set SO_KEEPALIVE on the socket
                                to enable TCP Keepalives.
                              properties:
                                interval:
                                  description: The time duration between keep-alive
                                    probes.
                                  type: string
                                probes:
                                  description: Maximum number of keepalive probes
                                    to send without response before deciding the connection
                                    is dead.
                                  type: integer
                                time:
                                  description: The time duration a connection needs
                                    to be idle before keep-alive probes start being
                                    sent.
                                  type: string
                              type: object
                          type: object
                      type: object
                    defaultEndpoint:
                      description: The IP endpoint or Unix domain socket to which
                        traffic should be forwarded to.
                      type: string
                    port:
                      description: The port associated with the listener.
                      properties:
                        name:
                          description: Label assigned to the port.
                          type: string
                        number:
                          description: A valid non-negative integer port number.
                          type: integer
                        protocol:
                          description: The protocol exposed on the port.
                          type: string
                        targetPort:
                          type: integer
                      type: object
                    tls:
                      description: Set of TLS related options that will enable TLS
                        termination on the sidecar for requests originating from outside
                        the mesh.
                      properties:
                        caCertificates:
                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
                          type: string
                        cipherSuites:
                          description: 'Optional: If specified, only support the specified
                            cipher list.'
                          items:
                            type: string
                          type: array
                        credentialName:
                          description: For gateways running on Kubernetes, the name
                            of the secret that holds the TLS certs including the CA
                            certificates.
                          type: string
                        httpsRedirect:
                          description: If set to true, the load balancer will send
                            a 301 redirect for all http connections, asking the clients
                            to use HTTPS.
                          type: boolean
                        maxProtocolVersion:
                          description: 'Optional: Maximum TLS protocol version.'
                          enum:
                          - TLS_AUTO
                          - TLSV1_0
                          - TLSV1_1
                          - TLSV1_2
                          - TLSV1_3
                          type: string
                        minProtocolVersion:
                          description: 'Optional: Minimum TLS protocol version.'
                          enum:
                          - TLS_AUTO
                          - TLSV1_0
                          - TLSV1_1
                          - TLSV1_2
                          - TLSV1_3
                          type: string
                        mode:
                          description: 'Optional: Indicates whether connections to
                            this port should be secured using TLS.'
                          enum:
                          - PASSTHROUGH
                          - SIMPLE
                          - MUTUAL
                          - AUTO_PASSTHROUGH
                          - ISTIO_MUTUAL
                          - OPTIONAL_MUTUAL
                          type: string
                        privateKey:
                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                          type: string
                        serverCertificate:
                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                          type: string
                        subjectAltNames:
                          description: A list of alternate names to verify the subject
                            identity in the certificate presented by the client.
                          items:
                            type: string
                          type: array
                        verifyCertificateHash:
                          description: An optional list of hex-encoded SHA-256 hashes
                            of the authorized client certificates.
                          items:
                            type: string
                          type: array
                        verifyCertificateSpki:
                          description: An optional list of base64-encoded SHA-256
                            hashes of the SPKIs of authorized client certificates.
                          items:
                            type: string
                          type: array
                      type: object
                  required:
                  - port
                  type: object
                type: array
              outboundTrafficPolicy:
                description: Configuration for the outbound traffic policy.
                properties:
                  egressProxy:
                    properties:
                      host:
                        description: The name of a service from the service registry.
                        type: string
                      port:
                        description: Specifies the port on the host that is being
                          addressed.
                        properties:
                          number:
                            type: integer
                        type: object
                      subset:
                        description: The name of a subset within the service.
                        type: string
                    required:
                    - host
                    type: object
                  mode:
                    enum:
                    - REGISTRY_ONLY
                    - ALLOW_ANY
                    type: string
                type: object
              workloadSelector:
                description: Criteria used to select the specific set of pods/VMs
                  on which this `Sidecar` configuration should be applied.
                properties:
                  labels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of
                      pods/VMs on which the configuration should be applied.
                    type: object
                type: object
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: false
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    istio: telemetry
    release: istio
  name: telemetries.telemetry.istio.io
spec:
  group: telemetry.istio.io
  names:
    categories:
    - istio-io
    - telemetry-istio-io
    kind: Telemetry
    listKind: TelemetryList
    plural: telemetries
    shortNames:
    - telemetry
    singular: telemetry
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: 'CreationTimestamp is a timestamp representing the server time
        when this object was created. It is not guaranteed to be set in happens-before
        order across separate operations. Clients may not set this value. It is represented
        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Telemetry configuration for workloads. See more details
              at: https://istio.io/docs/reference/config/telemetry.html'
            properties:
              accessLogging:
                description: Optional.
                items:
                  properties:
                    disabled:
                      description: Controls logging.
                      nullable: true
                      type: boolean
                    filter:
                      description: Optional.
                      properties:
                        expression:
                          description: CEL expression for selecting when requests/connections
                            should be logged.
                          type: string
                      type: object
                    match:
                      description: Allows tailoring of logging behavior to specific
                        conditions.
                      properties:
                        mode:
                          description: This determines whether or not to apply the
                            access logging configuration based on the direction of
                            traffic relative to the proxied workload.
                          enum:
                          - CLIENT_AND_SERVER
                          - CLIENT
                          - SERVER
                          type: string
                      type: object
                    providers:
                      description: Optional.
                      items:
                        properties:
                          name:
                            description: Required.
                            minLength: 1
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                  type: object
                type: array
              metrics:
                description: Optional.
                items:
                  properties:
                    overrides:
                      description: Optional.
                      items:
                        properties:
                          disabled:
                            description: Optional.
                            nullable: true
                            type: boolean
                          match:
                            description: Match allows provides the scope of the override.
                            oneOf:
                            - not:
                                anyOf:
                                - required:
                                  - metric
                                - required:
                                  - customMetric
                            - required:
                              - metric
                            - required:
                              - customMetric
                            properties:
                              customMetric:
                                description: Allows free-form specification of a metric.
                                minLength: 1
                                type: string
                              metric:
                                description: One of the well-known Istio Standard
                                  Metrics.
                                enum:
                                - ALL_METRICS
                                - REQUEST_COUNT
                                - REQUEST_DURATION
                                - REQUEST_SIZE
                                - RESPONSE_SIZE
                                - TCP_OPENED_CONNECTIONS
                                - TCP_CLOSED_CONNECTIONS
                                - TCP_SENT_BYTES
                                - TCP_RECEIVED_BYTES
                                - GRPC_REQUEST_MESSAGES
                                - GRPC_RESPONSE_MESSAGES
                                type: string
                              mode:
                                description: 'Controls which mode of metrics generation
                                  is selected: CLIENT and/or SERVER.'
                                enum:
                                - CLIENT_AND_SERVER
                                - CLIENT
                                - SERVER
                                type: string
                            type: object
                          tagOverrides:
                            additionalProperties:
                              properties:
                                operation:
                                  description: Operation controls whether or not to
                                    update/add a tag, or to remove it.
                                  enum:
                                  - UPSERT
                                  - REMOVE
                                  type: string
                                value:
                                  description: Value is only considered if the operation
                                    is `UPSERT`.
                                  type: string
                              type: object
                              x-kubernetes-validations:
                              - message: value must be set when operation is UPSERT
                                rule: '((has(self.operation) ? self.operation : '''')
                                  == ''UPSERT'') ? self.value != '''' : true'
                              - message: value must not be set when operation is REMOVE
                                rule: '((has(self.operation) ? self.operation : '''')
                                  == ''REMOVE'') ? !has(self.value) : true'
                            description: Optional.
                            type: object
                        type: object
                      type: array
                    providers:
                      description: Optional.
                      items:
                        properties:
                          name:
                            description: Required.
                            minLength: 1
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    reportingInterval:
                      description: Optional.
                      type: string
                  type: object
                type: array
              selector:
                description: Optional.
                properties:
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of
                      pods/VMs on which a policy should be applied.
                    type: object
                type: object
              targetRef:
                description: Optional.
                properties:
                  group:
                    description: group is the group of the target resource.
                    type: string
                  kind:
                    description: kind is kind of the target resource.
                    type: string
                  name:
                    description: name is the name of the target resource.
                    type: string
                  namespace:
                    description: namespace is the namespace of the referent.
                    type: string
                type: object
              tracing:
                description: Optional.
                items:
                  properties:
                    customTags:
                      additionalProperties:
                        oneOf:
                        - not:
                            anyOf:
                            - required:
                              - literal
                            - required:
                              - environment
                            - required:
                              - header
                        - required:
                          - literal
                        - required:
                          - environment
                        - required:
                          - header
                        properties:
                          environment:
                            description: Environment adds the value of an environment
                              variable to each span.
                            properties:
                              defaultValue:
                                description: Optional.
                                type: string
                              name:
                                description: Name of the environment variable from
                                  which to extract the tag value.
                                minLength: 1
                                type: string
                            required:
                            - name
                            type: object
                          header:
                            description: RequestHeader adds the value of an header
                              from the request to each span.
                            properties:
                              defaultValue:
                                description: Optional.
                                type: string
                              name:
                                description: Name of the header from which to extract
                                  the tag value.
                                minLength: 1
                                type: string
                            required:
                            - name
                            type: object
                          literal:
                            description: Literal adds the same, hard-coded value to
                              each span.
                            properties:
                              value:
                                description: The tag value to use.
                                minLength: 1
                                type: string
                            required:
                            - value
                            type: object
                        type: object
                      description: Optional.
                      type: object
                    disableSpanReporting:
                      description: Controls span reporting.
                      nullable: true
                      type: boolean
                    match:
                      description: Allows tailoring of behavior to specific conditions.
                      properties:
                        mode:
                          description: This determines whether or not to apply the
                            tracing configuration based on the direction of traffic
                            relative to the proxied workload.
                          enum:
                          - CLIENT_AND_SERVER
                          - CLIENT
                          - SERVER
                          type: string
                      type: object
                    providers:
                      description: Optional.
                      items:
                        properties:
                          name:
                            description: Required.
                            minLength: 1
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    randomSamplingPercentage:
                      description: Controls the rate at which traffic will be selected
                        for tracing if no prior sampling decision has been made.
                      maximum: 100
                      minimum: 0
                      nullable: true
                      type: number
                    useRequestIdForTraceSampling:
                      nullable: true
                      type: boolean
                  type: object
                type: array
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: virtualservices.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: VirtualService
    listKind: VirtualServiceList
    plural: virtualservices
    shortNames:
    - vs
    singular: virtualservice
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: The names of gateways and sidecars that should apply these routes
      jsonPath: .spec.gateways
      name: Gateways
      type: string
    - description: The destination hosts to which traffic is being sent
      jsonPath: .spec.hosts
      name: Hosts
      type: string
    - description: 'CreationTimestamp is a timestamp representing the server time
        when this object was created. It is not guaranteed to be set in happens-before
        order across separate operations. Clients may not set this value. It is represented
        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
        lists.
        More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha3
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Configuration affecting label/content routing, sni routing,
              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
            properties:
              exportTo:
                description: A list of namespaces to which this virtual service is
                  exported.
                items:
                  type: string
                type: array
              gateways:
                description: The names of gateways and sidecars that should apply
                  these routes.
                items:
                  type: string
                type: array
              hosts:
                description: The destination hosts to which traffic is being sent.
                items:
                  type: string
                type: array
              http:
                description: An ordered list of route rules for HTTP traffic.
                items:
                  properties:
                    corsPolicy:
                      description: Cross-Origin Resource Sharing policy (CORS).
                      properties:
                        allowCredentials:
                          description: Indicates whether the caller is allowed to
                            send the actual request (not the preflight) using credentials.
                          nullable: true
                          type: boolean
                        allowHeaders:
                          description: List of HTTP headers that can be used when
                            requesting the resource.
                          items:
                            type: string
                          type: array
                        allowMethods:
                          description: List of HTTP methods allowed to access the
                            resource.
                          items:
                            type: string
                          type: array
                        allowOrigin:
                          items:
                            type: string
                          type: array
                        allowOrigins:
                          description: String patterns that match allowed origins.
                          items:
                            oneOf:
                            - not:
                                anyOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - regex
                            - required:
                              - exact
                            - required:
                              - prefix
                            - required:
                              - regex
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                              regex:
                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                                type: string
                            type: object
                          type: array
                        exposeHeaders:
                          description: A list of HTTP headers that the browsers are
                            allowed to access.
                          items:
                            type: string
                          type: array
                        maxAge:
                          description: Specifies how long the results of a preflight
                            request can be cached.
                          type: string
                      type: object
                    delegate:
                      description: Delegate is used to specify the particular VirtualService
                        which can be used to define delegate HTTPRoute.
                      properties:
                        name:
                          description: Name specifies the name of the delegate VirtualService.
                          type: string
                        namespace:
                          description: Namespace specifies the namespace where the
                            delegate VirtualService resides.
                          type: string
                      type: object
                    directResponse:
                      description: A HTTP rule can either return a direct_response,
                        redirect or forward (default) traffic.
                      properties:
                        body:
                          description: Specifies the content of the response body.
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - string
                              - required:
                                - bytes
                          - required:
                            - string
                          - required:
                            - bytes
                          properties:
                            bytes:
                              description: response body as base64 encoded bytes.
                              format: binary
                              type: string
                            string:
                              type: string
                          type: object
                        status:
                          description: Specifies the HTTP response status to be returned.
                          type: integer
                      required:
                      - status
                      type: object
                    fault:
                      description: Fault injection policy to apply on HTTP traffic
                        at the client side.
                      properties:
                        abort:
                          description: Abort Http request attempts and return error
                            codes back to downstream service, giving the impression
                            that the upstream service is faulty.
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - httpStatus
                              - required:
                                - grpcStatus
                              - required:
                                - http2Error
                          - required:
                            - httpStatus
                          - required:
                            - grpcStatus
                          - required:
                            - http2Error
                          properties:
                            grpcStatus:
                              description: GRPC status code to use to abort the request.
                              type: string
                            http2Error:
                              type: string
                            httpStatus:
                              description: HTTP status code to use to abort the Http
                                request.
                              format: int32
                              type: integer
                            percentage:
                              description: Percentage of requests to be aborted with
                                the error code provided.
                              properties:
                                value:
                                  format: double
                                  type: number
                              type: object
                          type: object
                        delay:
                          description: Delay requests before forwarding, emulating
                            various failures such as network issues, overloaded upstream
                            service, etc.
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - fixedDelay
                              - required:
                                - exponentialDelay
                          - required:
                            - fixedDelay
                          - required:
                            - exponentialDelay
                          properties:
                            exponentialDelay:
                              type: string
                            fixedDelay:
                              description: Add a fixed delay before forwarding the
                                request.
                              type: string
                            percent:
                              description: Percentage of requests on which the delay
                                will be injected (0-100).
                              format: int32
                              type: integer
                            percentage:
                              description: Percentage of requests on which the delay
                                will be injected.
                              properties:
                                value:
                                  format: double
                                  type: number
                              type: object
                          type: object
                      type: object
                    headers:
                      properties:
                        request:
                          properties:
                            add:
                              additionalProperties:
                                type: string
                              type: object
                            remove:
                              items:
                                type: string
                              type: array
                            set:
                              additionalProperties:
                                type: string
                              type: object
                          type: object
                        response:
                          properties:
                            add:
                              additionalProperties:
                                type: string
                              type: object
                            remove:
                              items:
                                type: string
                              type: array
                            set:
                              additionalProperties:
                                type: string
                              type: object
                          type: object
                      type: object
                    match:
                      description: Match conditions to be satisfied for the rule to
                        be activated.
                      items:
                        properties:
                          authority:
                            description: 'HTTP Authority values are case-sensitive
                              and formatted as follows: - `exact: "value"` for exact
                              string match - `prefix: "value"` for prefix-based match
                              - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
                            oneOf:
                            - not:
                                anyOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - regex
                            - required:
                              - exact
                            - required:
                              - prefix
                            - required:
                              - regex
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                              regex:
                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                                type: string
                            type: object
                          gateways:
                            description: Names of gateways where the rule should be
                              applied.
                            items:
                              type: string
                            type: array
                          headers:
                            additionalProperties:
                              oneOf:
                              - not:
                                  anyOf:
                                  - required:
                                    - exact
                                  - required:
                                    - prefix
                                  - required:
                                    - regex
                              - required:
                                - exact
                              - required:
                                - prefix
                              - required:
                                - regex
                              properties:
                                exact:
                                  type: string
                                prefix:
                                  type: string
                                regex:
                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                                  type: string
                              type: object
                            description: The header keys must be lowercase and use
                              hyphen as the separator, e.g.
                            type: object
                          ignoreUriCase:
                            description: Flag to specify whether the URI matching
                              should be case-insensitive.
                            type: boolean
                          method:
                            description: 'HTTP Method values are case-sensitive and
                              formatted as follows: - `exact: "value"` for exact string
                              match - `prefix: "value"` for prefix-based match - `regex:
                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
                            oneOf:
                            - not:
                                anyOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - regex
                            - required:
                              - exact
                            - required:
                              - prefix
                            - required:
                              - regex
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                              regex:
                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                                type: string
                            type: object
                          name:
                            description: The name assigned to a match.
                            type: string
                          port:
                            description: Specifies the ports on the host that is being
                              addressed.
6233 type: integer 6234 queryParams: 6235 additionalProperties: 6236 oneOf: 6237 - not: 6238 anyOf: 6239 - required: 6240 - exact 6241 - required: 6242 - prefix 6243 - required: 6244 - regex 6245 - required: 6246 - exact 6247 - required: 6248 - prefix 6249 - required: 6250 - regex 6251 properties: 6252 exact: 6253 type: string 6254 prefix: 6255 type: string 6256 regex: 6257 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 6258 type: string 6259 type: object 6260 description: Query parameters for matching. 6261 type: object 6262 scheme: 6263 description: 'URI Scheme values are case-sensitive and 6264 formatted as follows: - `exact: "value"` for exact string 6265 match - `prefix: "value"` for prefix-based match - `regex: 6266 "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 6267 oneOf: 6268 - not: 6269 anyOf: 6270 - required: 6271 - exact 6272 - required: 6273 - prefix 6274 - required: 6275 - regex 6276 - required: 6277 - exact 6278 - required: 6279 - prefix 6280 - required: 6281 - regex 6282 properties: 6283 exact: 6284 type: string 6285 prefix: 6286 type: string 6287 regex: 6288 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 6289 type: string 6290 type: object 6291 sourceLabels: 6292 additionalProperties: 6293 type: string 6294 description: One or more labels that constrain the applicability 6295 of a rule to source (client) workloads with the given 6296 labels. 6297 type: object 6298 sourceNamespace: 6299 description: Source namespace constraining the applicability 6300 of a rule to workloads in that namespace. 6301 type: string 6302 statPrefix: 6303 description: The human readable prefix to use when emitting 6304 statistics for this route. 
6305 type: string 6306 uri: 6307 description: 'URI to match values are case-sensitive and 6308 formatted as follows: - `exact: "value"` for exact string 6309 match - `prefix: "value"` for prefix-based match - `regex: 6310 "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 6311 oneOf: 6312 - not: 6313 anyOf: 6314 - required: 6315 - exact 6316 - required: 6317 - prefix 6318 - required: 6319 - regex 6320 - required: 6321 - exact 6322 - required: 6323 - prefix 6324 - required: 6325 - regex 6326 properties: 6327 exact: 6328 type: string 6329 prefix: 6330 type: string 6331 regex: 6332 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 6333 type: string 6334 type: object 6335 withoutHeaders: 6336 additionalProperties: 6337 oneOf: 6338 - not: 6339 anyOf: 6340 - required: 6341 - exact 6342 - required: 6343 - prefix 6344 - required: 6345 - regex 6346 - required: 6347 - exact 6348 - required: 6349 - prefix 6350 - required: 6351 - regex 6352 properties: 6353 exact: 6354 type: string 6355 prefix: 6356 type: string 6357 regex: 6358 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 6359 type: string 6360 type: object 6361 description: withoutHeader has the same syntax with the 6362 header, but has opposite meaning. 6363 type: object 6364 type: object 6365 type: array 6366 mirror: 6367 description: Mirror HTTP traffic to a another destination in 6368 addition to forwarding the requests to the intended destination. 6369 properties: 6370 host: 6371 description: The name of a service from the service registry. 6372 type: string 6373 port: 6374 description: Specifies the port on the host that is being 6375 addressed. 6376 properties: 6377 number: 6378 type: integer 6379 type: object 6380 subset: 6381 description: The name of a subset within the service. 
6382 type: string 6383 required: 6384 - host 6385 type: object 6386 mirror_percent: 6387 nullable: true 6388 type: integer 6389 mirrorPercent: 6390 nullable: true 6391 type: integer 6392 mirrorPercentage: 6393 description: Percentage of the traffic to be mirrored by the 6394 `mirror` field. 6395 properties: 6396 value: 6397 format: double 6398 type: number 6399 type: object 6400 mirrors: 6401 description: Specifies the destinations to mirror HTTP traffic 6402 in addition to the original destination. 6403 items: 6404 properties: 6405 destination: 6406 description: Destination specifies the target of the mirror 6407 operation. 6408 properties: 6409 host: 6410 description: The name of a service from the service 6411 registry. 6412 type: string 6413 port: 6414 description: Specifies the port on the host that is 6415 being addressed. 6416 properties: 6417 number: 6418 type: integer 6419 type: object 6420 subset: 6421 description: The name of a subset within the service. 6422 type: string 6423 required: 6424 - host 6425 type: object 6426 percentage: 6427 description: Percentage of the traffic to be mirrored 6428 by the `destination` field. 6429 properties: 6430 value: 6431 format: double 6432 type: number 6433 type: object 6434 required: 6435 - destination 6436 type: object 6437 type: array 6438 name: 6439 description: The name assigned to the route for debugging purposes. 6440 type: string 6441 redirect: 6442 description: A HTTP rule can either return a direct_response, 6443 redirect or forward (default) traffic. 6444 oneOf: 6445 - not: 6446 anyOf: 6447 - required: 6448 - port 6449 - required: 6450 - derivePort 6451 - required: 6452 - port 6453 - required: 6454 - derivePort 6455 properties: 6456 authority: 6457 description: On a redirect, overwrite the Authority/Host 6458 portion of the URL with this value. 
6459 type: string 6460 derivePort: 6461 description: 'On a redirect, dynamically set the port: * 6462 FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP 6463 and 443 for HTTPS.' 6464 enum: 6465 - FROM_PROTOCOL_DEFAULT 6466 - FROM_REQUEST_PORT 6467 type: string 6468 port: 6469 description: On a redirect, overwrite the port portion of 6470 the URL with this value. 6471 type: integer 6472 redirectCode: 6473 description: On a redirect, Specifies the HTTP status code 6474 to use in the redirect response. 6475 type: integer 6476 scheme: 6477 description: On a redirect, overwrite the scheme portion 6478 of the URL with this value. 6479 type: string 6480 uri: 6481 description: On a redirect, overwrite the Path portion of 6482 the URL with this value. 6483 type: string 6484 type: object 6485 retries: 6486 description: Retry policy for HTTP requests. 6487 properties: 6488 attempts: 6489 description: Number of retries to be allowed for a given 6490 request. 6491 format: int32 6492 type: integer 6493 perTryTimeout: 6494 description: Timeout per attempt for a given request, including 6495 the initial call and any retries. 6496 type: string 6497 retryOn: 6498 description: Specifies the conditions under which retry 6499 takes place. 6500 type: string 6501 retryRemoteLocalities: 6502 description: Flag to specify whether the retries should 6503 retry to other localities. 6504 nullable: true 6505 type: boolean 6506 type: object 6507 rewrite: 6508 description: Rewrite HTTP URIs and Authority headers. 6509 properties: 6510 authority: 6511 description: rewrite the Authority/Host header with this 6512 value. 6513 type: string 6514 uri: 6515 description: rewrite the path (or the prefix) portion of 6516 the URI with this value. 6517 type: string 6518 uriRegexRewrite: 6519 description: rewrite the path portion of the URI with the 6520 specified regex. 6521 properties: 6522 match: 6523 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
6524 type: string 6525 rewrite: 6526 description: The string that should replace into matching 6527 portions of original URI. 6528 type: string 6529 type: object 6530 type: object 6531 route: 6532 description: A HTTP rule can either return a direct_response, 6533 redirect or forward (default) traffic. 6534 items: 6535 properties: 6536 destination: 6537 description: Destination uniquely identifies the instances 6538 of a service to which the request/connection should 6539 be forwarded to. 6540 properties: 6541 host: 6542 description: The name of a service from the service 6543 registry. 6544 type: string 6545 port: 6546 description: Specifies the port on the host that is 6547 being addressed. 6548 properties: 6549 number: 6550 type: integer 6551 type: object 6552 subset: 6553 description: The name of a subset within the service. 6554 type: string 6555 required: 6556 - host 6557 type: object 6558 headers: 6559 properties: 6560 request: 6561 properties: 6562 add: 6563 additionalProperties: 6564 type: string 6565 type: object 6566 remove: 6567 items: 6568 type: string 6569 type: array 6570 set: 6571 additionalProperties: 6572 type: string 6573 type: object 6574 type: object 6575 response: 6576 properties: 6577 add: 6578 additionalProperties: 6579 type: string 6580 type: object 6581 remove: 6582 items: 6583 type: string 6584 type: array 6585 set: 6586 additionalProperties: 6587 type: string 6588 type: object 6589 type: object 6590 type: object 6591 weight: 6592 description: Weight specifies the relative proportion 6593 of traffic to be forwarded to the destination. 6594 format: int32 6595 type: integer 6596 required: 6597 - destination 6598 type: object 6599 type: array 6600 timeout: 6601 description: Timeout for HTTP requests, default is disabled. 6602 type: string 6603 type: object 6604 type: array 6605 tcp: 6606 description: An ordered list of route rules for opaque TCP traffic. 
6607 items: 6608 properties: 6609 match: 6610 description: Match conditions to be satisfied for the rule to 6611 be activated. 6612 items: 6613 properties: 6614 destinationSubnets: 6615 description: IPv4 or IPv6 ip addresses of destination 6616 with optional subnet. 6617 items: 6618 type: string 6619 type: array 6620 gateways: 6621 description: Names of gateways where the rule should be 6622 applied. 6623 items: 6624 type: string 6625 type: array 6626 port: 6627 description: Specifies the port on the host that is being 6628 addressed. 6629 type: integer 6630 sourceLabels: 6631 additionalProperties: 6632 type: string 6633 description: One or more labels that constrain the applicability 6634 of a rule to workloads with the given labels. 6635 type: object 6636 sourceNamespace: 6637 description: Source namespace constraining the applicability 6638 of a rule to workloads in that namespace. 6639 type: string 6640 sourceSubnet: 6641 type: string 6642 type: object 6643 type: array 6644 route: 6645 description: The destination to which the connection should 6646 be forwarded to. 6647 items: 6648 properties: 6649 destination: 6650 description: Destination uniquely identifies the instances 6651 of a service to which the request/connection should 6652 be forwarded to. 6653 properties: 6654 host: 6655 description: The name of a service from the service 6656 registry. 6657 type: string 6658 port: 6659 description: Specifies the port on the host that is 6660 being addressed. 6661 properties: 6662 number: 6663 type: integer 6664 type: object 6665 subset: 6666 description: The name of a subset within the service. 6667 type: string 6668 required: 6669 - host 6670 type: object 6671 weight: 6672 description: Weight specifies the relative proportion 6673 of traffic to be forwarded to the destination. 
6674 format: int32 6675 type: integer 6676 required: 6677 - destination 6678 type: object 6679 type: array 6680 type: object 6681 type: array 6682 tls: 6683 description: An ordered list of route rule for non-terminated TLS 6684 & HTTPS traffic. 6685 items: 6686 properties: 6687 match: 6688 description: Match conditions to be satisfied for the rule to 6689 be activated. 6690 items: 6691 properties: 6692 destinationSubnets: 6693 description: IPv4 or IPv6 ip addresses of destination 6694 with optional subnet. 6695 items: 6696 type: string 6697 type: array 6698 gateways: 6699 description: Names of gateways where the rule should be 6700 applied. 6701 items: 6702 type: string 6703 type: array 6704 port: 6705 description: Specifies the port on the host that is being 6706 addressed. 6707 type: integer 6708 sniHosts: 6709 description: SNI (server name indicator) to match on. 6710 items: 6711 type: string 6712 type: array 6713 sourceLabels: 6714 additionalProperties: 6715 type: string 6716 description: One or more labels that constrain the applicability 6717 of a rule to workloads with the given labels. 6718 type: object 6719 sourceNamespace: 6720 description: Source namespace constraining the applicability 6721 of a rule to workloads in that namespace. 6722 type: string 6723 required: 6724 - sniHosts 6725 type: object 6726 type: array 6727 route: 6728 description: The destination to which the connection should 6729 be forwarded to. 6730 items: 6731 properties: 6732 destination: 6733 description: Destination uniquely identifies the instances 6734 of a service to which the request/connection should 6735 be forwarded to. 6736 properties: 6737 host: 6738 description: The name of a service from the service 6739 registry. 6740 type: string 6741 port: 6742 description: Specifies the port on the host that is 6743 being addressed. 6744 properties: 6745 number: 6746 type: integer 6747 type: object 6748 subset: 6749 description: The name of a subset within the service. 
6750 type: string 6751 required: 6752 - host 6753 type: object 6754 weight: 6755 description: Weight specifies the relative proportion 6756 of traffic to be forwarded to the destination. 6757 format: int32 6758 type: integer 6759 required: 6760 - destination 6761 type: object 6762 type: array 6763 required: 6764 - match 6765 type: object 6766 type: array 6767 type: object 6768 status: 6769 type: object 6770 x-kubernetes-preserve-unknown-fields: true 6771 type: object 6772 served: true 6773 storage: true 6774 subresources: 6775 status: {} 6776 - additionalPrinterColumns: 6777 - description: The names of gateways and sidecars that should apply these routes 6778 jsonPath: .spec.gateways 6779 name: Gateways 6780 type: string 6781 - description: The destination hosts to which traffic is being sent 6782 jsonPath: .spec.hosts 6783 name: Hosts 6784 type: string 6785 - description: 'CreationTimestamp is a timestamp representing the server time 6786 when this object was created. It is not guaranteed to be set in happens-before 6787 order across separate operations. Clients may not set this value. It is represented 6788 in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 6789 lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 6790 jsonPath: .metadata.creationTimestamp 6791 name: Age 6792 type: date 6793 name: v1beta1 6794 schema: 6795 openAPIV3Schema: 6796 properties: 6797 spec: 6798 description: 'Configuration affecting label/content routing, sni routing, 6799 etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' 6800 properties: 6801 exportTo: 6802 description: A list of namespaces to which this virtual service is 6803 exported. 6804 items: 6805 type: string 6806 type: array 6807 gateways: 6808 description: The names of gateways and sidecars that should apply 6809 these routes. 
6810 items: 6811 type: string 6812 type: array 6813 hosts: 6814 description: The destination hosts to which traffic is being sent. 6815 items: 6816 type: string 6817 type: array 6818 http: 6819 description: An ordered list of route rules for HTTP traffic. 6820 items: 6821 properties: 6822 corsPolicy: 6823 description: Cross-Origin Resource Sharing policy (CORS). 6824 properties: 6825 allowCredentials: 6826 description: Indicates whether the caller is allowed to 6827 send the actual request (not the preflight) using credentials. 6828 nullable: true 6829 type: boolean 6830 allowHeaders: 6831 description: List of HTTP headers that can be used when 6832 requesting the resource. 6833 items: 6834 type: string 6835 type: array 6836 allowMethods: 6837 description: List of HTTP methods allowed to access the 6838 resource. 6839 items: 6840 type: string 6841 type: array 6842 allowOrigin: 6843 items: 6844 type: string 6845 type: array 6846 allowOrigins: 6847 description: String patterns that match allowed origins. 6848 items: 6849 oneOf: 6850 - not: 6851 anyOf: 6852 - required: 6853 - exact 6854 - required: 6855 - prefix 6856 - required: 6857 - regex 6858 - required: 6859 - exact 6860 - required: 6861 - prefix 6862 - required: 6863 - regex 6864 properties: 6865 exact: 6866 type: string 6867 prefix: 6868 type: string 6869 regex: 6870 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 6871 type: string 6872 type: object 6873 type: array 6874 exposeHeaders: 6875 description: A list of HTTP headers that the browsers are 6876 allowed to access. 6877 items: 6878 type: string 6879 type: array 6880 maxAge: 6881 description: Specifies how long the results of a preflight 6882 request can be cached. 6883 type: string 6884 type: object 6885 delegate: 6886 description: Delegate is used to specify the particular VirtualService 6887 which can be used to define delegate HTTPRoute. 
6888 properties: 6889 name: 6890 description: Name specifies the name of the delegate VirtualService. 6891 type: string 6892 namespace: 6893 description: Namespace specifies the namespace where the 6894 delegate VirtualService resides. 6895 type: string 6896 type: object 6897 directResponse: 6898 description: A HTTP rule can either return a direct_response, 6899 redirect or forward (default) traffic. 6900 properties: 6901 body: 6902 description: Specifies the content of the response body. 6903 oneOf: 6904 - not: 6905 anyOf: 6906 - required: 6907 - string 6908 - required: 6909 - bytes 6910 - required: 6911 - string 6912 - required: 6913 - bytes 6914 properties: 6915 bytes: 6916 description: response body as base64 encoded bytes. 6917 format: binary 6918 type: string 6919 string: 6920 type: string 6921 type: object 6922 status: 6923 description: Specifies the HTTP response status to be returned. 6924 type: integer 6925 required: 6926 - status 6927 type: object 6928 fault: 6929 description: Fault injection policy to apply on HTTP traffic 6930 at the client side. 6931 properties: 6932 abort: 6933 description: Abort Http request attempts and return error 6934 codes back to downstream service, giving the impression 6935 that the upstream service is faulty. 6936 oneOf: 6937 - not: 6938 anyOf: 6939 - required: 6940 - httpStatus 6941 - required: 6942 - grpcStatus 6943 - required: 6944 - http2Error 6945 - required: 6946 - httpStatus 6947 - required: 6948 - grpcStatus 6949 - required: 6950 - http2Error 6951 properties: 6952 grpcStatus: 6953 description: GRPC status code to use to abort the request. 6954 type: string 6955 http2Error: 6956 type: string 6957 httpStatus: 6958 description: HTTP status code to use to abort the Http 6959 request. 6960 format: int32 6961 type: integer 6962 percentage: 6963 description: Percentage of requests to be aborted with 6964 the error code provided. 
6965 properties: 6966 value: 6967 format: double 6968 type: number 6969 type: object 6970 type: object 6971 delay: 6972 description: Delay requests before forwarding, emulating 6973 various failures such as network issues, overloaded upstream 6974 service, etc. 6975 oneOf: 6976 - not: 6977 anyOf: 6978 - required: 6979 - fixedDelay 6980 - required: 6981 - exponentialDelay 6982 - required: 6983 - fixedDelay 6984 - required: 6985 - exponentialDelay 6986 properties: 6987 exponentialDelay: 6988 type: string 6989 fixedDelay: 6990 description: Add a fixed delay before forwarding the 6991 request. 6992 type: string 6993 percent: 6994 description: Percentage of requests on which the delay 6995 will be injected (0-100). 6996 format: int32 6997 type: integer 6998 percentage: 6999 description: Percentage of requests on which the delay 7000 will be injected. 7001 properties: 7002 value: 7003 format: double 7004 type: number 7005 type: object 7006 type: object 7007 type: object 7008 headers: 7009 properties: 7010 request: 7011 properties: 7012 add: 7013 additionalProperties: 7014 type: string 7015 type: object 7016 remove: 7017 items: 7018 type: string 7019 type: array 7020 set: 7021 additionalProperties: 7022 type: string 7023 type: object 7024 type: object 7025 response: 7026 properties: 7027 add: 7028 additionalProperties: 7029 type: string 7030 type: object 7031 remove: 7032 items: 7033 type: string 7034 type: array 7035 set: 7036 additionalProperties: 7037 type: string 7038 type: object 7039 type: object 7040 type: object 7041 match: 7042 description: Match conditions to be satisfied for the rule to 7043 be activated. 7044 items: 7045 properties: 7046 authority: 7047 description: 'HTTP Authority values are case-sensitive 7048 and formatted as follows: - `exact: "value"` for exact 7049 string match - `prefix: "value"` for prefix-based match 7050 - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
7051 oneOf: 7052 - not: 7053 anyOf: 7054 - required: 7055 - exact 7056 - required: 7057 - prefix 7058 - required: 7059 - regex 7060 - required: 7061 - exact 7062 - required: 7063 - prefix 7064 - required: 7065 - regex 7066 properties: 7067 exact: 7068 type: string 7069 prefix: 7070 type: string 7071 regex: 7072 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 7073 type: string 7074 type: object 7075 gateways: 7076 description: Names of gateways where the rule should be 7077 applied. 7078 items: 7079 type: string 7080 type: array 7081 headers: 7082 additionalProperties: 7083 oneOf: 7084 - not: 7085 anyOf: 7086 - required: 7087 - exact 7088 - required: 7089 - prefix 7090 - required: 7091 - regex 7092 - required: 7093 - exact 7094 - required: 7095 - prefix 7096 - required: 7097 - regex 7098 properties: 7099 exact: 7100 type: string 7101 prefix: 7102 type: string 7103 regex: 7104 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 7105 type: string 7106 type: object 7107 description: The header keys must be lowercase and use 7108 hyphen as the separator, e.g. 7109 type: object 7110 ignoreUriCase: 7111 description: Flag to specify whether the URI matching 7112 should be case-insensitive. 7113 type: boolean 7114 method: 7115 description: 'HTTP Method values are case-sensitive and 7116 formatted as follows: - `exact: "value"` for exact string 7117 match - `prefix: "value"` for prefix-based match - `regex: 7118 "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 7119 oneOf: 7120 - not: 7121 anyOf: 7122 - required: 7123 - exact 7124 - required: 7125 - prefix 7126 - required: 7127 - regex 7128 - required: 7129 - exact 7130 - required: 7131 - prefix 7132 - required: 7133 - regex 7134 properties: 7135 exact: 7136 type: string 7137 prefix: 7138 type: string 7139 regex: 7140 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
7141 type: string 7142 type: object 7143 name: 7144 description: The name assigned to a match. 7145 type: string 7146 port: 7147 description: Specifies the ports on the host that is being 7148 addressed. 7149 type: integer 7150 queryParams: 7151 additionalProperties: 7152 oneOf: 7153 - not: 7154 anyOf: 7155 - required: 7156 - exact 7157 - required: 7158 - prefix 7159 - required: 7160 - regex 7161 - required: 7162 - exact 7163 - required: 7164 - prefix 7165 - required: 7166 - regex 7167 properties: 7168 exact: 7169 type: string 7170 prefix: 7171 type: string 7172 regex: 7173 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 7174 type: string 7175 type: object 7176 description: Query parameters for matching. 7177 type: object 7178 scheme: 7179 description: 'URI Scheme values are case-sensitive and 7180 formatted as follows: - `exact: "value"` for exact string 7181 match - `prefix: "value"` for prefix-based match - `regex: 7182 "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 7183 oneOf: 7184 - not: 7185 anyOf: 7186 - required: 7187 - exact 7188 - required: 7189 - prefix 7190 - required: 7191 - regex 7192 - required: 7193 - exact 7194 - required: 7195 - prefix 7196 - required: 7197 - regex 7198 properties: 7199 exact: 7200 type: string 7201 prefix: 7202 type: string 7203 regex: 7204 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 7205 type: string 7206 type: object 7207 sourceLabels: 7208 additionalProperties: 7209 type: string 7210 description: One or more labels that constrain the applicability 7211 of a rule to source (client) workloads with the given 7212 labels. 7213 type: object 7214 sourceNamespace: 7215 description: Source namespace constraining the applicability 7216 of a rule to workloads in that namespace. 7217 type: string 7218 statPrefix: 7219 description: The human readable prefix to use when emitting 7220 statistics for this route. 
7221 type: string 7222 uri: 7223 description: 'URI to match values are case-sensitive and 7224 formatted as follows: - `exact: "value"` for exact string 7225 match - `prefix: "value"` for prefix-based match - `regex: 7226 "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 7227 oneOf: 7228 - not: 7229 anyOf: 7230 - required: 7231 - exact 7232 - required: 7233 - prefix 7234 - required: 7235 - regex 7236 - required: 7237 - exact 7238 - required: 7239 - prefix 7240 - required: 7241 - regex 7242 properties: 7243 exact: 7244 type: string 7245 prefix: 7246 type: string 7247 regex: 7248 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 7249 type: string 7250 type: object 7251 withoutHeaders: 7252 additionalProperties: 7253 oneOf: 7254 - not: 7255 anyOf: 7256 - required: 7257 - exact 7258 - required: 7259 - prefix 7260 - required: 7261 - regex 7262 - required: 7263 - exact 7264 - required: 7265 - prefix 7266 - required: 7267 - regex 7268 properties: 7269 exact: 7270 type: string 7271 prefix: 7272 type: string 7273 regex: 7274 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 7275 type: string 7276 type: object 7277 description: withoutHeader has the same syntax with the 7278 header, but has opposite meaning. 7279 type: object 7280 type: object 7281 type: array 7282 mirror: 7283 description: Mirror HTTP traffic to a another destination in 7284 addition to forwarding the requests to the intended destination. 7285 properties: 7286 host: 7287 description: The name of a service from the service registry. 7288 type: string 7289 port: 7290 description: Specifies the port on the host that is being 7291 addressed. 7292 properties: 7293 number: 7294 type: integer 7295 type: object 7296 subset: 7297 description: The name of a subset within the service. 
7298 type: string 7299 required: 7300 - host 7301 type: object 7302 mirror_percent: 7303 nullable: true 7304 type: integer 7305 mirrorPercent: 7306 nullable: true 7307 type: integer 7308 mirrorPercentage: 7309 description: Percentage of the traffic to be mirrored by the 7310 `mirror` field. 7311 properties: 7312 value: 7313 format: double 7314 type: number 7315 type: object 7316 mirrors: 7317 description: Specifies the destinations to mirror HTTP traffic 7318 in addition to the original destination. 7319 items: 7320 properties: 7321 destination: 7322 description: Destination specifies the target of the mirror 7323 operation. 7324 properties: 7325 host: 7326 description: The name of a service from the service 7327 registry. 7328 type: string 7329 port: 7330 description: Specifies the port on the host that is 7331 being addressed. 7332 properties: 7333 number: 7334 type: integer 7335 type: object 7336 subset: 7337 description: The name of a subset within the service. 7338 type: string 7339 required: 7340 - host 7341 type: object 7342 percentage: 7343 description: Percentage of the traffic to be mirrored 7344 by the `destination` field. 7345 properties: 7346 value: 7347 format: double 7348 type: number 7349 type: object 7350 required: 7351 - destination 7352 type: object 7353 type: array 7354 name: 7355 description: The name assigned to the route for debugging purposes. 7356 type: string 7357 redirect: 7358 description: A HTTP rule can either return a direct_response, 7359 redirect or forward (default) traffic. 7360 oneOf: 7361 - not: 7362 anyOf: 7363 - required: 7364 - port 7365 - required: 7366 - derivePort 7367 - required: 7368 - port 7369 - required: 7370 - derivePort 7371 properties: 7372 authority: 7373 description: On a redirect, overwrite the Authority/Host 7374 portion of the URL with this value. 
                          type: string
                        derivePort:
                          description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.'
                          enum:
                          - FROM_PROTOCOL_DEFAULT
                          - FROM_REQUEST_PORT
                          type: string
                        port:
                          description: On a redirect, overwrite the port portion of the URL with this value.
                          type: integer
                        redirectCode:
                          description: On a redirect, Specifies the HTTP status code to use in the redirect response.
                          type: integer
                        scheme:
                          description: On a redirect, overwrite the scheme portion of the URL with this value.
                          type: string
                        uri:
                          description: On a redirect, overwrite the Path portion of the URL with this value.
                          type: string
                      type: object
                    retries:
                      description: Retry policy for HTTP requests.
                      properties:
                        attempts:
                          description: Number of retries to be allowed for a given request.
                          format: int32
                          type: integer
                        perTryTimeout:
                          description: Timeout per attempt for a given request, including the initial call and any retries.
                          type: string
                        retryOn:
                          description: Specifies the conditions under which retry takes place.
                          type: string
                        retryRemoteLocalities:
                          description: Flag to specify whether the retries should retry to other localities.
                          nullable: true
                          type: boolean
                      type: object
                    rewrite:
                      description: Rewrite HTTP URIs and Authority headers.
                      properties:
                        authority:
                          description: rewrite the Authority/Host header with this value.
                          type: string
                        uri:
                          description: rewrite the path (or the prefix) portion of the URI with this value.
                          type: string
                        uriRegexRewrite:
                          description: rewrite the path portion of the URI with the specified regex.
                          properties:
                            match:
                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                              type: string
                            rewrite:
                              description: The string that should replace into matching portions of original URI.
                              type: string
                          type: object
                      type: object
                    route:
                      description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
                      items:
                        properties:
                          destination:
                            description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.
                            properties:
                              host:
                                description: The name of a service from the service registry.
                                type: string
                              port:
                                description: Specifies the port on the host that is being addressed.
                                properties:
                                  number:
                                    type: integer
                                type: object
                              subset:
                                description: The name of a subset within the service.
                                type: string
                            required:
                            - host
                            type: object
                          headers:
                            properties:
                              request:
                                properties:
                                  add:
                                    additionalProperties:
                                      type: string
                                    type: object
                                  remove:
                                    items:
                                      type: string
                                    type: array
                                  set:
                                    additionalProperties:
                                      type: string
                                    type: object
                                type: object
                              response:
                                properties:
                                  add:
                                    additionalProperties:
                                      type: string
                                    type: object
                                  remove:
                                    items:
                                      type: string
                                    type: array
                                  set:
                                    additionalProperties:
                                      type: string
                                    type: object
                                type: object
                            type: object
                          weight:
                            description: Weight specifies the relative proportion of traffic to be forwarded to the destination.
                            format: int32
                            type: integer
                        required:
                        - destination
                        type: object
                      type: array
                    timeout:
                      description: Timeout for HTTP requests, default is disabled.
                      type: string
                  type: object
                type: array
              tcp:
                description: An ordered list of route rules for opaque TCP traffic.
                items:
                  properties:
                    match:
                      description: Match conditions to be satisfied for the rule to be activated.
                      items:
                        properties:
                          destinationSubnets:
                            description: IPv4 or IPv6 ip addresses of destination with optional subnet.
                            items:
                              type: string
                            type: array
                          gateways:
                            description: Names of gateways where the rule should be applied.
                            items:
                              type: string
                            type: array
                          port:
                            description: Specifies the port on the host that is being addressed.
                            type: integer
                          sourceLabels:
                            additionalProperties:
                              type: string
                            description: One or more labels that constrain the applicability of a rule to workloads with the given labels.
                            type: object
                          sourceNamespace:
                            description: Source namespace constraining the applicability of a rule to workloads in that namespace.
                            type: string
                          sourceSubnet:
                            type: string
                        type: object
                      type: array
                    route:
                      description: The destination to which the connection should be forwarded to.
                      items:
                        properties:
                          destination:
                            description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.
                            properties:
                              host:
                                description: The name of a service from the service registry.
                                type: string
                              port:
                                description: Specifies the port on the host that is being addressed.
                                properties:
                                  number:
                                    type: integer
                                type: object
                              subset:
                                description: The name of a subset within the service.
                                type: string
                            required:
                            - host
                            type: object
                          weight:
                            description: Weight specifies the relative proportion of traffic to be forwarded to the destination.
                            format: int32
                            type: integer
                        required:
                        - destination
                        type: object
                      type: array
                  type: object
                type: array
              tls:
                description: An ordered list of route rule for non-terminated TLS & HTTPS traffic.
                items:
                  properties:
                    match:
                      description: Match conditions to be satisfied for the rule to be activated.
                      items:
                        properties:
                          destinationSubnets:
                            description: IPv4 or IPv6 ip addresses of destination with optional subnet.
                            items:
                              type: string
                            type: array
                          gateways:
                            description: Names of gateways where the rule should be applied.
                            items:
                              type: string
                            type: array
                          port:
                            description: Specifies the port on the host that is being addressed.
                            type: integer
                          sniHosts:
                            description: SNI (server name indicator) to match on.
                            items:
                              type: string
                            type: array
                          sourceLabels:
                            additionalProperties:
                              type: string
                            description: One or more labels that constrain the applicability of a rule to workloads with the given labels.
                            type: object
                          sourceNamespace:
                            description: Source namespace constraining the applicability of a rule to workloads in that namespace.
                            type: string
                        required:
                        - sniHosts
                        type: object
                      type: array
                    route:
                      description: The destination to which the connection should be forwarded to.
                      items:
                        properties:
                          destination:
                            description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.
                            properties:
                              host:
                                description: The name of a service from the service registry.
                                type: string
                              port:
                                description: Specifies the port on the host that is being addressed.
                                properties:
                                  number:
                                    type: integer
                                type: object
                              subset:
                                description: The name of a subset within the service.
                                type: string
                            required:
                            - host
                            type: object
                          weight:
                            description: Weight specifies the relative proportion of traffic to be forwarded to the destination.
                            format: int32
                            type: integer
                        required:
                        - destination
                        type: object
                      type: array
                  required:
                  - match
                  type: object
                type: array
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: false
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: wasmplugins.extensions.istio.io
spec:
  group: extensions.istio.io
  names:
    categories:
    - istio-io
    - extensions-istio-io
    kind: WasmPlugin
    listKind: WasmPluginList
    plural: wasmplugins
    singular: wasmplugin
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Extend the functionality provided by the Istio proxy through WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
            properties:
              failStrategy:
                description: Specifies the failure behavior for the plugin due to fatal errors.
                enum:
                - FAIL_CLOSE
                - FAIL_OPEN
                type: string
              imagePullPolicy:
                description: The pull behaviour to be applied when fetching Wasm module by either OCI image or http/https.
                enum:
                - UNSPECIFIED_POLICY
                - IfNotPresent
                - Always
                type: string
              imagePullSecret:
                description: Credentials to use for OCI image pulling.
                maxLength: 253
                minLength: 1
                type: string
              match:
                description: Specifies the criteria to determine which traffic is passed to WasmPlugin.
                items:
                  properties:
                    mode:
                      description: Criteria for selecting traffic by their direction.
                      enum:
                      - UNDEFINED
                      - CLIENT
                      - SERVER
                      - CLIENT_AND_SERVER
                      type: string
                    ports:
                      description: Criteria for selecting traffic by their destination port.
                      items:
                        properties:
                          number:
                            maximum: 65535
                            minimum: 1
                            type: integer
                        required:
                        - number
                        type: object
                      type: array
                      x-kubernetes-list-map-keys:
                      - number
                      x-kubernetes-list-type: map
                  type: object
                type: array
              phase:
                description: Determines where in the filter chain this `WasmPlugin` is to be injected.
                enum:
                - UNSPECIFIED_PHASE
                - AUTHN
                - AUTHZ
                - STATS
                type: string
              pluginConfig:
                description: The configuration that will be passed on to the plugin.
                type: object
                x-kubernetes-preserve-unknown-fields: true
              pluginName:
                description: The plugin name to be used in the Envoy configuration (used to be called `rootID`).
                maxLength: 256
                minLength: 1
                type: string
              priority:
                description: Determines ordering of `WasmPlugins` in the same `phase`.
                nullable: true
                type: integer
              selector:
                description: Criteria used to select the specific set of pods/VMs on which this plugin configuration should be applied.
                properties:
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied.
                    type: object
                type: object
              sha256:
                description: SHA256 checksum that will be used to verify Wasm module or OCI container.
                pattern: (^$|^[a-f0-9]{64}$)
                type: string
              targetRef:
                description: Optional.
                properties:
                  group:
                    description: group is the group of the target resource.
                    type: string
                  kind:
                    description: kind is kind of the target resource.
                    type: string
                  name:
                    description: name is the name of the target resource.
                    type: string
                  namespace:
                    description: namespace is the namespace of the referent.
                    type: string
                type: object
              type:
                description: Specifies the type of Wasm Extension to be used.
                enum:
                - UNSPECIFIED_PLUGIN_TYPE
                - HTTP
                - NETWORK
                type: string
              url:
                description: URL of a Wasm module or OCI container.
                minLength: 1
                type: string
                x-kubernetes-validations:
                - message: url must have schema one of [http, https, file, oci]
                  rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', ''oci'', ''file''])'
              verificationKey:
                type: string
              vmConfig:
                description: Configuration for a Wasm VM.
                properties:
                  env:
                    description: Specifies environment variables to be injected to this VM.
                    items:
                      properties:
                        name:
                          description: Name of the environment variable.
                          maxLength: 256
                          minLength: 1
                          type: string
                        value:
                          description: Value for the environment variable.
                          maxLength: 2048
                          type: string
                        valueFrom:
                          description: Source for the environment variable's value.
                          enum:
                          - INLINE
                          - HOST
                          type: string
                      required:
                      - name
                      type: object
                      x-kubernetes-validations:
                      - message: value may only be set when valueFrom is INLINE
                        rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST'' || !has(self.value)'
                    maxItems: 256
                    type: array
                    x-kubernetes-list-map-keys:
                    - name
                    x-kubernetes-list-type: map
                type: object
            required:
            - url
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: workloadentries.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: WorkloadEntry
    listKind: WorkloadEntryList
    plural: workloadentries
    shortNames:
    - we
    singular: workloadentry
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: Address associated with the network endpoint.
      jsonPath: .spec.address
      name: Address
      type: string
    name: v1alpha3
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
            properties:
              address:
                description: Address associated with the network endpoint without the port.
                type: string
              labels:
                additionalProperties:
                  type: string
                description: One or more labels associated with the endpoint.
                type: object
              locality:
                description: The locality associated with the endpoint.
                type: string
              network:
                description: Network enables Istio to group endpoints resident in the same L3 domain/network.
                type: string
              ports:
                additionalProperties:
                  type: integer
                description: Set of ports associated with the endpoint.
                type: object
              serviceAccount:
                description: The service account associated with the workload if a sidecar is present in the workload.
                type: string
              weight:
                description: The load balancing weight associated with the endpoint.
                type: integer
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: Address associated with the network endpoint.
      jsonPath: .spec.address
      name: Address
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
            properties:
              address:
                description: Address associated with the network endpoint without the port.
                type: string
              labels:
                additionalProperties:
                  type: string
                description: One or more labels associated with the endpoint.
                type: object
              locality:
                description: The locality associated with the endpoint.
                type: string
              network:
                description: Network enables Istio to group endpoints resident in the same L3 domain/network.
                type: string
              ports:
                additionalProperties:
                  type: integer
                description: Set of ports associated with the endpoint.
                type: object
              serviceAccount:
                description: The service account associated with the workload if a sidecar is present in the workload.
                type: string
              weight:
                description: The load balancing weight associated with the endpoint.
                type: integer
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: false
    subresources:
      status: {}

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: workloadgroups.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: WorkloadGroup
    listKind: WorkloadGroupList
    plural: workloadgroups
    shortNames:
    - wg
    singular: workloadgroup
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha3
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html'
            properties:
              metadata:
                description: Metadata that will be used for all corresponding `WorkloadEntries`.
                properties:
                  annotations:
                    additionalProperties:
                      type: string
                    type: object
                  labels:
                    additionalProperties:
                      type: string
                    type: object
                type: object
              probe:
                description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.'
                oneOf:
                - not:
                    anyOf:
                    - required:
                      - httpGet
                    - required:
                      - tcpSocket
                    - required:
                      - exec
                - required:
                  - httpGet
                - required:
                  - tcpSocket
                - required:
                  - exec
                properties:
                  exec:
                    description: Health is determined by how the command that is executed exited.
                    properties:
                      command:
                        description: Command to run.
                        items:
                          type: string
                        type: array
                    type: object
                  failureThreshold:
                    description: Minimum consecutive failures for the probe to be considered failed after having succeeded.
                    format: int32
                    type: integer
                  httpGet:
                    description: '`httpGet` is performed to a given endpoint and the status/able to connect determines health.'
                    properties:
                      host:
                        description: Host name to connect to, defaults to the pod IP.
                        type: string
                      httpHeaders:
                        description: Headers the proxy will pass on to make the request.
                        items:
                          properties:
                            name:
                              type: string
                            value:
                              type: string
                          type: object
                        type: array
                      path:
                        description: Path to access on the HTTP server.
                        type: string
                      port:
                        description: Port on which the endpoint lives.
                        type: integer
                      scheme:
                        type: string
                    required:
                    - port
                    type: object
                  initialDelaySeconds:
                    description: Number of seconds after the container has started before readiness probes are initiated.
                    format: int32
                    type: integer
                  periodSeconds:
                    description: How often (in seconds) to perform the probe.
                    format: int32
                    type: integer
                  successThreshold:
                    description: Minimum consecutive successes for the probe to be considered successful after having failed.
                    format: int32
                    type: integer
                  tcpSocket:
                    description: Health is determined by if the proxy is able to connect.
                    properties:
                      host:
                        type: string
                      port:
                        type: integer
                    required:
                    - port
                    type: object
                  timeoutSeconds:
                    description: Number of seconds after which the probe times out.
                    format: int32
                    type: integer
                type: object
              template:
                description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`.
                properties:
                  address:
                    description: Address associated with the network endpoint without the port.
                    type: string
                  labels:
                    additionalProperties:
                      type: string
                    description: One or more labels associated with the endpoint.
                    type: object
                  locality:
                    description: The locality associated with the endpoint.
                    type: string
                  network:
                    description: Network enables Istio to group endpoints resident in the same L3 domain/network.
                    type: string
                  ports:
                    additionalProperties:
                      type: integer
                    description: Set of ports associated with the endpoint.
                    type: object
                  serviceAccount:
                    description: The service account associated with the workload if a sidecar is present in the workload.
                    type: string
                  weight:
                    description: The load balancing weight associated with the endpoint.
                    type: integer
                type: object
            required:
            - template
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: '`WorkloadGroup` enables specifying the properties of a single workload for bootstrap and provides a template for `WorkloadEntry`, similar to how `Deployment` specifies properties of workloads via `Pod` templates.'
            properties:
              metadata:
                description: Metadata that will be used for all corresponding `WorkloadEntries`.
                properties:
                  annotations:
                    additionalProperties:
                      type: string
                    type: object
                  labels:
                    additionalProperties:
                      type: string
                    type: object
                type: object
              probe:
                description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.'
                oneOf:
                - not:
                    anyOf:
                    - required:
                      - httpGet
                    - required:
                      - tcpSocket
                    - required:
                      - exec
                - required:
                  - httpGet
                - required:
                  - tcpSocket
                - required:
                  - exec
                properties:
                  exec:
                    description: Health is determined by how the command that is executed exited.
                    properties:
                      command:
                        description: Command to run.
                        items:
                          type: string
                        type: array
                    type: object
                  failureThreshold:
                    description: Minimum consecutive failures for the probe to be considered failed after having succeeded.
                    format: int32
                    type: integer
                  httpGet:
                    description: '`httpGet` is performed to a given endpoint and the status/able to connect determines health.'
                    properties:
                      host:
                        description: Host name to connect to, defaults to the pod IP.
                        type: string
                      httpHeaders:
                        description: Headers the proxy will pass on to make the request.
                        items:
                          properties:
                            name:
                              type: string
                            value:
                              type: string
                          type: object
                        type: array
                      path:
                        description: Path to access on the HTTP server.
                        type: string
                      port:
                        description: Port on which the endpoint lives.
                        type: integer
                      scheme:
                        type: string
                    required:
                    - port
                    type: object
                  initialDelaySeconds:
                    description: Number of seconds after the container has started before readiness probes are initiated.
                    format: int32
                    type: integer
                  periodSeconds:
                    description: How often (in seconds) to perform the probe.
                    format: int32
                    type: integer
                  successThreshold:
                    description: Minimum consecutive successes for the probe to be considered successful after having failed.
                    format: int32
                    type: integer
                  tcpSocket:
                    description: Health is determined by if the proxy is able to connect.
                    properties:
                      host:
                        type: string
                      port:
                        type: integer
                    required:
                    - port
                    type: object
                  timeoutSeconds:
                    description: Number of seconds after which the probe times out.
                    format: int32
                    type: integer
                type: object
              template:
                description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`.
                properties:
                  address:
                    description: Address associated with the network endpoint without the port.
                    type: string
                  labels:
                    additionalProperties:
                      type: string
                    description: One or more labels associated with the endpoint.
                    type: object
                  locality:
                    description: The locality associated with the endpoint.
                    type: string
                  network:
                    description: Network enables Istio to group endpoints resident in the same L3 domain/network.
                    type: string
                  ports:
                    additionalProperties:
                      type: integer
                    description: Set of ports associated with the endpoint.
                    type: object
                  serviceAccount:
                    description: The service account associated with the workload if a sidecar is present in the workload.
                    type: string
                  weight:
                    description: The load balancing weight associated with the endpoint.
                    type: integer
                type: object
            required:
            - template
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: false
    subresources:
      status: {}

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: istio-egressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: egressgateway
    istio.io/rev: default
    operator.istio.io/component: EgressGateways
    release: istio
  name: istio-egressgateway-service-account
  namespace: istio-system

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway-service-account
  namespace: istio-system

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: istio-reader
    release: istio
  name: istio-reader-service-account
  namespace: istio-system

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod
  namespace: istio-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: istio-reader
    release: istio
  name: istio-reader-clusterrole-istio-system
rules:
- apiGroups:
  - config.istio.io
  - security.istio.io
  - networking.istio.io
  - authentication.istio.io
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  - services
  - nodes
  - replicationcontrollers
  - namespaces
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.istio.io
  resources:
  - workloadentries
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.x-k8s.io
  - gateway.networking.k8s.io
  resources:
  - gateways
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - multicluster.x-k8s.io
  resources:
  - serviceexports
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - multicluster.x-k8s.io
  resources:
  - serviceimports
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod-clusterrole-istio-system
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - config.istio.io
  - security.istio.io
  - networking.istio.io
  - authentication.istio.io
  - rbac.istio.io
  - telemetry.istio.io
  - extensions.istio.io
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.istio.io
  resources:
  - workloadentries
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - networking.istio.io
  resources:
  - workloadentries/status
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - services
  - namespaces
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - networking.x-k8s.io
  - gateway.networking.k8s.io
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.x-k8s.io
  - gateway.networking.k8s.io
  resources:
  - '*'
  verbs:
  - update
  - patch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses
  verbs:
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - multicluster.x-k8s.io
  resources:
  - serviceexports
  verbs:
  - get
  - watch
  - list
  - create
  - delete
- apiGroups:
  - multicluster.x-k8s.io
  resources:
  - serviceimports
  verbs:
  - get
  - watch
  - list

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod-gateway-controller-istio-system
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: istio-reader
    release: istio
  name: istio-reader-clusterrole-istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-reader-clusterrole-istio-system
subjects:
- kind: ServiceAccount
  name: istio-reader-service-account
  namespace: istio-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod-clusterrole-istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istiod-clusterrole-istio-system
subjects:
- kind: ServiceAccount
  name: istiod
  namespace: istio-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod-gateway-controller-istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istiod-gateway-controller-istio-system
subjects:
- kind: ServiceAccount
  name: istiod
  namespace: istio-system

---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app: istiod
    istio: istiod
    istio.io/rev: default
    release: istio
  name: istio-validator-istio-system
webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    service:
      name: istiod
      namespace: istio-system
      path: /validate
  failurePolicy: Ignore
  name: rev.validation.istio.io
  objectSelector:
    matchExpressions:
    - key: istio.io/rev
      operator: In
      values:
      - default
  rules:
  - apiGroups:
    - security.istio.io
    - networking.istio.io
    - telemetry.istio.io
    - extensions.istio.io
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - '*'
  sideEffects: None

---
apiVersion: v1
data:
  mesh: |-
    defaultConfig:
      discoveryAddress: istiod.istio-system.svc:15012
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    defaultProviders:
      metrics:
      - prometheus
    enablePrometheusMerge: true
    rootNamespace: istio-system
    trustDomain: cluster.local
  meshNetworks: 'networks: {}'
kind: ConfigMap
metadata:
  labels:
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: Pilot
    release: istio
  name: istio
  namespace: istio-system

---
apiVersion: v1
data:
  config: |-
    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
    defaultTemplates: [sidecar]
    policy: enabled
    alwaysInjectSelector:
      []
    neverInjectSelector:
      []
    injectedAnnotations:
    template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}"
    templates:
      sidecar: |
        {{- define "resources" }}
          {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
            {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
              requests:
                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
                cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
                {{ end }}
                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
                memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
                {{ end }}
            {{- end }}
            {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
              limits:
                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
                cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
                {{ end }}
                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
                memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
                {{ end }}
            {{- end }}
          {{- else }}
            {{- if .Values.global.proxy.resources }}
              {{ toYaml
.Values.global.proxy.resources | indent 6 }} 8951 {{- end }} 8952 {{- end }} 8953 {{- end }} 8954 {{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} 8955 {{- $containers := list }} 8956 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 8957 metadata: 8958 labels: 8959 security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} 8960 {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} 8961 networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} 8962 {{- end }} 8963 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} 8964 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 8965 annotations: { 8966 istio.io/rev: {{ .Revision | default "default" | quote }}, 8967 {{- if ge (len $containers) 1 }} 8968 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} 8969 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 8970 {{- end }} 8971 {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} 8972 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 8973 {{- end }} 8974 {{- end }} 8975 {{- if .Values.istio_cni.enabled }} 8976 {{- if not .Values.istio_cni.chained }} 8977 k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', 8978 {{- 
end }} 8979 sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", 8980 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} 8981 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} 8982 {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} 8983 traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", 8984 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} 8985 traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", 8986 {{- end }} 8987 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} 8988 traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", 8989 {{- end }} 8990 {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} 8991 {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end 
}} 8992 {{- end }} 8993 } 8994 spec: 8995 {{- $holdProxy := and 8996 (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) 8997 (not $nativeSidecar) }} 8998 initContainers: 8999 {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} 9000 {{ if .Values.istio_cni.enabled -}} 9001 - name: istio-validation 9002 {{ else -}} 9003 - name: istio-init 9004 {{ end -}} 9005 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} 9006 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" 9007 {{- else }} 9008 image: "{{ .ProxyImage }}" 9009 {{- end }} 9010 args: 9011 - istio-iptables 9012 - "-p" 9013 - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} 9014 - "-z" 9015 - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} 9016 - "-u" 9017 - {{ .ProxyUID | default "1337" | quote }} 9018 - "-m" 9019 - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" 9020 - "-i" 9021 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" 9022 - "-x" 9023 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" 9024 - "-b" 9025 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" 9026 - "-d" 9027 {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} 9028 - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` 
.Values.global.proxy.excludeInboundPorts) }}" 9029 {{- else }} 9030 - "15090,15021" 9031 {{- end }} 9032 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} 9033 - "-q" 9034 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" 9035 {{ end -}} 9036 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} 9037 - "-o" 9038 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" 9039 {{ end -}} 9040 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} 9041 - "-k" 9042 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" 9043 {{ end -}} 9044 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} 9045 - "-c" 9046 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" 9047 {{ end -}} 9048 - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" 9049 {{ if .Values.global.logAsJson -}} 9050 - "--log_as_json" 9051 {{ end -}} 9052 {{ if .Values.istio_cni.enabled -}} 9053 - "--run-validation" 9054 - "--skip-rule-apply" 9055 {{ end -}} 9056 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 9057 {{- if .ProxyConfig.ProxyMetadata }} 9058 env: 9059 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 9060 - name: {{ $key }} 9061 value: "{{ $value }}" 9062 {{- end }} 9063 {{- end }} 9064 resources: 9065 {{ template "resources" . 
}} 9066 securityContext: 9067 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 9068 privileged: {{ .Values.global.proxy.privileged }} 9069 capabilities: 9070 {{- if not .Values.istio_cni.enabled }} 9071 add: 9072 - NET_ADMIN 9073 - NET_RAW 9074 {{- end }} 9075 drop: 9076 - ALL 9077 {{- if not .Values.istio_cni.enabled }} 9078 readOnlyRootFilesystem: false 9079 runAsGroup: 0 9080 runAsNonRoot: false 9081 runAsUser: 0 9082 {{- else }} 9083 readOnlyRootFilesystem: true 9084 runAsGroup: {{ .ProxyGID | default "1337" }} 9085 runAsUser: {{ .ProxyUID | default "1337" }} 9086 runAsNonRoot: true 9087 {{- end }} 9088 {{ end -}} 9089 {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 9090 - name: enable-core-dump 9091 args: 9092 - -c 9093 - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited 9094 command: 9095 - /bin/sh 9096 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} 9097 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" 9098 {{- else }} 9099 image: "{{ .ProxyImage }}" 9100 {{- end }} 9101 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 9102 resources: 9103 {{ template "resources" . 
}} 9104 securityContext: 9105 allowPrivilegeEscalation: true 9106 capabilities: 9107 add: 9108 - SYS_ADMIN 9109 drop: 9110 - ALL 9111 privileged: true 9112 readOnlyRootFilesystem: false 9113 runAsGroup: 0 9114 runAsNonRoot: false 9115 runAsUser: 0 9116 {{ end }} 9117 {{ if not $nativeSidecar }} 9118 containers: 9119 {{ end }} 9120 - name: istio-proxy 9121 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 9122 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 9123 {{- else }} 9124 image: "{{ .ProxyImage }}" 9125 {{- end }} 9126 {{ if $nativeSidecar }}restartPolicy: Always{{end}} 9127 ports: 9128 - containerPort: 15090 9129 protocol: TCP 9130 name: http-envoy-prom 9131 args: 9132 - proxy 9133 - sidecar 9134 - --domain 9135 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 9136 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 9137 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 9138 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 9139 {{- if .Values.global.sts.servicePort }} 9140 - --stsPort={{ .Values.global.sts.servicePort }} 9141 {{- end }} 9142 {{- if .Values.global.logAsJson }} 9143 - --log_as_json 9144 {{- end }} 9145 {{- if .Values.global.proxy.lifecycle }} 9146 lifecycle: 9147 {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 9148 {{- else if $holdProxy }} 9149 lifecycle: 9150 postStart: 9151 exec: 9152 command: 9153 - pilot-agent 9154 - wait 9155 {{- else if $nativeSidecar }} 9156 {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. 
*/}} 9157 lifecycle: 9158 preStop: 9159 exec: 9160 command: 9161 - pilot-agent 9162 - request 9163 - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} 9164 - POST 9165 - drain 9166 {{- end }} 9167 env: 9168 {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} 9169 - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION 9170 value: "true" 9171 {{- end }} 9172 - name: JWT_POLICY 9173 value: {{ .Values.global.jwtPolicy }} 9174 - name: PILOT_CERT_PROVIDER 9175 value: {{ .Values.global.pilotCertProvider }} 9176 - name: CA_ADDR 9177 {{- if .Values.global.caAddress }} 9178 value: {{ .Values.global.caAddress }} 9179 {{- else }} 9180 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 9181 {{- end }} 9182 - name: POD_NAME 9183 valueFrom: 9184 fieldRef: 9185 fieldPath: metadata.name 9186 - name: POD_NAMESPACE 9187 valueFrom: 9188 fieldRef: 9189 fieldPath: metadata.namespace 9190 - name: INSTANCE_IP 9191 valueFrom: 9192 fieldRef: 9193 fieldPath: status.podIP 9194 - name: SERVICE_ACCOUNT 9195 valueFrom: 9196 fieldRef: 9197 fieldPath: spec.serviceAccountName 9198 - name: HOST_IP 9199 valueFrom: 9200 fieldRef: 9201 fieldPath: status.hostIP 9202 - name: ISTIO_CPU_LIMIT 9203 valueFrom: 9204 resourceFieldRef: 9205 resource: limits.cpu 9206 - name: PROXY_CONFIG 9207 value: | 9208 {{ protoToJSON .ProxyConfig }} 9209 - name: ISTIO_META_POD_PORTS 9210 value: |- 9211 [ 9212 {{- $first := true }} 9213 {{- range $index1, $c := .Spec.Containers }} 9214 {{- range $index2, $p := $c.Ports }} 9215 {{- if (structToJSON $p) }} 9216 {{if not $first}},{{end}}{{ structToJSON $p }} 9217 {{- $first = false }} 9218 {{- end }} 9219 {{- end}} 9220 {{- end}} 9221 ] 9222 - name: ISTIO_META_APP_CONTAINERS 9223 value: "{{ $containers | join "," }}" 9224 - name: GOMEMLIMIT 9225 valueFrom: 9226 resourceFieldRef: 9227 resource: limits.memory 9228 - name: GOMAXPROCS 
9229 valueFrom: 9230 resourceFieldRef: 9231 resource: limits.cpu 9232 - name: ISTIO_META_CLUSTER_ID 9233 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 9234 - name: ISTIO_META_NODE_NAME 9235 valueFrom: 9236 fieldRef: 9237 fieldPath: spec.nodeName 9238 - name: ISTIO_META_INTERCEPTION_MODE 9239 value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" 9240 {{- if .Values.global.network }} 9241 - name: ISTIO_META_NETWORK 9242 value: "{{ .Values.global.network }}" 9243 {{- end }} 9244 {{- if .DeploymentMeta.Name }} 9245 - name: ISTIO_META_WORKLOAD_NAME 9246 value: "{{ .DeploymentMeta.Name }}" 9247 {{ end }} 9248 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 9249 - name: ISTIO_META_OWNER 9250 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 9251 {{- end}} 9252 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 9253 - name: ISTIO_BOOTSTRAP_OVERRIDE 9254 value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" 9255 {{- end }} 9256 {{- if .Values.global.meshID }} 9257 - name: ISTIO_META_MESH_ID 9258 value: "{{ .Values.global.meshID }}" 9259 {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 9260 - name: ISTIO_META_MESH_ID 9261 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" 9262 {{- end }} 9263 {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} 9264 - name: TRUST_DOMAIN 9265 value: "{{ . 
}}" 9266 {{- end }} 9267 {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 9268 {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 9269 - name: {{ $key }} 9270 value: "{{ $value }}" 9271 {{- end }} 9272 {{- end }} 9273 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 9274 - name: {{ $key }} 9275 value: "{{ $value }}" 9276 {{- end }} 9277 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} 9278 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} 9279 {{ if .Values.global.proxy.startupProbe.enabled }} 9280 startupProbe: 9281 httpGet: 9282 path: /healthz/ready 9283 port: 15021 9284 initialDelaySeconds: 0 9285 periodSeconds: 1 9286 timeoutSeconds: 3 9287 failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} 9288 {{ end }} 9289 readinessProbe: 9290 httpGet: 9291 path: /healthz/ready 9292 port: 15021 9293 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} 9294 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} 9295 timeoutSeconds: 3 9296 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} 9297 {{ end -}} 9298 securityContext: 9299 {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} 9300 allowPrivilegeEscalation: true 9301 capabilities: 9302 add: 9303 - NET_ADMIN 9304 drop: 9305 - ALL 9306 privileged: true 9307 readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 9308 runAsGroup: {{ .ProxyGID | default "1337" }} 9309 runAsNonRoot: false 9310 runAsUser: 0 9311 {{- else }} 9312 
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 9313 capabilities: 9314 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 9315 add: 9316 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} 9317 - NET_ADMIN 9318 {{- end }} 9319 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} 9320 - NET_BIND_SERVICE 9321 {{- end }} 9322 {{- end }} 9323 drop: 9324 - ALL 9325 privileged: {{ .Values.global.proxy.privileged }} 9326 readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 9327 runAsGroup: {{ .ProxyGID | default "1337" }} 9328 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 9329 runAsNonRoot: false 9330 runAsUser: 0 9331 {{- else -}} 9332 runAsNonRoot: true 9333 runAsUser: {{ .ProxyUID | default "1337" }} 9334 {{- end }} 9335 {{- end }} 9336 resources: 9337 {{ template "resources" . 
}} 9338 volumeMounts: 9339 - name: workload-socket 9340 mountPath: /var/run/secrets/workload-spiffe-uds 9341 - name: credential-socket 9342 mountPath: /var/run/secrets/credential-uds 9343 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 9344 - name: gke-workload-certificate 9345 mountPath: /var/run/secrets/workload-spiffe-credentials 9346 readOnly: true 9347 {{- else }} 9348 - name: workload-certs 9349 mountPath: /var/run/secrets/workload-spiffe-credentials 9350 {{- end }} 9351 {{- if eq .Values.global.pilotCertProvider "istiod" }} 9352 - mountPath: /var/run/secrets/istio 9353 name: istiod-ca-cert 9354 {{- end }} 9355 {{- if eq .Values.global.pilotCertProvider "kubernetes" }} 9356 - mountPath: /var/run/secrets/istio/kubernetes 9357 name: kube-ca-cert 9358 {{- end }} 9359 - mountPath: /var/lib/istio/data 9360 name: istio-data 9361 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 9362 - mountPath: /etc/istio/custom-bootstrap 9363 name: custom-bootstrap-volume 9364 {{- end }} 9365 # SDS channel between istioagent and Envoy 9366 - mountPath: /etc/istio/proxy 9367 name: istio-envoy 9368 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 9369 - mountPath: /var/run/secrets/tokens 9370 name: istio-token 9371 {{- end }} 9372 {{- if .Values.global.mountMtlsCerts }} 9373 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
9374 - mountPath: /etc/certs/ 9375 name: istio-certs 9376 readOnly: true 9377 {{- end }} 9378 - name: istio-podinfo 9379 mountPath: /etc/istio/pod 9380 {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} 9381 - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} 9382 name: lightstep-certs 9383 readOnly: true 9384 {{- end }} 9385 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} 9386 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} 9387 - name: "{{ $index }}" 9388 {{ toYaml $value | indent 6 }} 9389 {{ end }} 9390 {{- end }} 9391 volumes: 9392 - emptyDir: 9393 name: workload-socket 9394 - emptyDir: 9395 name: credential-socket 9396 {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} 9397 - name: gke-workload-certificate 9398 csi: 9399 driver: workloadcertificates.security.cloud.google.com 9400 {{- else }} 9401 - emptyDir: 9402 name: workload-certs 9403 {{- end }} 9404 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 9405 - name: custom-bootstrap-volume 9406 configMap: 9407 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} 9408 {{- end }} 9409 # SDS channel between istioagent and Envoy 9410 - emptyDir: 9411 medium: Memory 9412 name: istio-envoy 9413 - name: istio-data 9414 emptyDir: {} 9415 - name: istio-podinfo 9416 downwardAPI: 9417 items: 9418 - path: "labels" 9419 fieldRef: 9420 fieldPath: metadata.labels 9421 - path: "annotations" 9422 fieldRef: 9423 fieldPath: metadata.annotations 9424 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 9425 - name: istio-token 9426 projected: 9427 sources: 9428 - serviceAccountToken: 9429 path: istio-token 9430 expirationSeconds: 43200 9431 audience: {{ .Values.global.sds.token.aud }} 9432 {{- end }} 9433 {{- if eq .Values.global.pilotCertProvider "istiod" }} 9434 - name: istiod-ca-cert 9435 configMap: 
9436 name: istio-ca-root-cert 9437 {{- end }} 9438 {{- if eq .Values.global.pilotCertProvider "kubernetes" }} 9439 - name: kube-ca-cert 9440 configMap: 9441 name: kube-root-ca.crt 9442 {{- end }} 9443 {{- if .Values.global.mountMtlsCerts }} 9444 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 9445 - name: istio-certs 9446 secret: 9447 optional: true 9448 {{ if eq .Spec.ServiceAccountName "" }} 9449 secretName: istio.default 9450 {{ else -}} 9451 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 9452 {{ end -}} 9453 {{- end }} 9454 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} 9455 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} 9456 - name: "{{ $index }}" 9457 {{ toYaml $value | indent 4 }} 9458 {{ end }} 9459 {{ end }} 9460 {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} 9461 - name: lightstep-certs 9462 secret: 9463 optional: true 9464 secretName: lightstep.cacert 9465 {{- end }} 9466 {{- if .Values.global.imagePullSecrets }} 9467 imagePullSecrets: 9468 {{- range .Values.global.imagePullSecrets }} 9469 - name: {{ . 
}} 9470 {{- end }} 9471 {{- end }} 9472 gateway: | 9473 {{- $containers := list }} 9474 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} 9475 metadata: 9476 labels: 9477 service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} 9478 service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} 9479 annotations: { 9480 istio.io/rev: {{ .Revision | default "default" | quote }}, 9481 {{- if eq (len $containers) 1 }} 9482 kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 9483 kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", 9484 {{ end }} 9485 } 9486 spec: 9487 containers: 9488 - name: istio-proxy 9489 {{- if contains "/" .Values.global.proxy.image }} 9490 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 9491 {{- else }} 9492 image: "{{ .ProxyImage }}" 9493 {{- end }} 9494 ports: 9495 - containerPort: 15090 9496 protocol: TCP 9497 name: http-envoy-prom 9498 args: 9499 - proxy 9500 - router 9501 - --domain 9502 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 9503 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} 9504 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} 9505 - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 9506 {{- if .Values.global.sts.servicePort }} 9507 - --stsPort={{ 
.Values.global.sts.servicePort }} 9508 {{- end }} 9509 {{- if .Values.global.logAsJson }} 9510 - --log_as_json 9511 {{- end }} 9512 {{- if .Values.global.proxy.lifecycle }} 9513 lifecycle: 9514 {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 9515 {{- end }} 9516 securityContext: 9517 runAsUser: {{ .ProxyUID | default "1337" }} 9518 runAsGroup: {{ .ProxyGID | default "1337" }} 9519 env: 9520 - name: JWT_POLICY 9521 value: {{ .Values.global.jwtPolicy }} 9522 - name: PILOT_CERT_PROVIDER 9523 value: {{ .Values.global.pilotCertProvider }} 9524 - name: CA_ADDR 9525 {{- if .Values.global.caAddress }} 9526 value: {{ .Values.global.caAddress }} 9527 {{- else }} 9528 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 9529 {{- end }} 9530 - name: POD_NAME 9531 valueFrom: 9532 fieldRef: 9533 fieldPath: metadata.name 9534 - name: POD_NAMESPACE 9535 valueFrom: 9536 fieldRef: 9537 fieldPath: metadata.namespace 9538 - name: INSTANCE_IP 9539 valueFrom: 9540 fieldRef: 9541 fieldPath: status.podIP 9542 - name: SERVICE_ACCOUNT 9543 valueFrom: 9544 fieldRef: 9545 fieldPath: spec.serviceAccountName 9546 - name: HOST_IP 9547 valueFrom: 9548 fieldRef: 9549 fieldPath: status.hostIP 9550 - name: ISTIO_CPU_LIMIT 9551 valueFrom: 9552 resourceFieldRef: 9553 resource: limits.cpu 9554 - name: PROXY_CONFIG 9555 value: | 9556 {{ protoToJSON .ProxyConfig }} 9557 - name: ISTIO_META_POD_PORTS 9558 value: |- 9559 [ 9560 {{- $first := true }} 9561 {{- range $index1, $c := .Spec.Containers }} 9562 {{- range $index2, $p := $c.Ports }} 9563 {{- if (structToJSON $p) }} 9564 {{if not $first}},{{end}}{{ structToJSON $p }} 9565 {{- $first = false }} 9566 {{- end }} 9567 {{- end}} 9568 {{- end}} 9569 ] 9570 - name: GOMEMLIMIT 9571 valueFrom: 9572 resourceFieldRef: 9573 resource: limits.memory 9574 - name: GOMAXPROCS 9575 valueFrom: 9576 resourceFieldRef: 9577 resource: limits.cpu 9578 - name: ISTIO_META_APP_CONTAINERS 9579 
              value: "{{ $containers | join "," }}"
            - name: ISTIO_META_CLUSTER_ID
              value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
            - name: ISTIO_META_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: ISTIO_META_INTERCEPTION_MODE
              value: "{{ .ProxyConfig.InterceptionMode.String }}"
            {{- if .Values.global.network }}
            - name: ISTIO_META_NETWORK
              value: "{{ .Values.global.network }}"
            {{- end }}
            {{- if .DeploymentMeta.Name }}
            - name: ISTIO_META_WORKLOAD_NAME
              value: "{{ .DeploymentMeta.Name }}"
            {{ end }}
            {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
            {{- end}}
            {{- if .Values.global.meshID }}
            - name: ISTIO_META_MESH_ID
              value: "{{ .Values.global.meshID }}"
            {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
            - name: ISTIO_META_MESH_ID
              value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
            {{- end }}
            {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
            - name: TRUST_DOMAIN
              value: "{{ . }}"
            {{- end }}
            {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
            {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
            readinessProbe:
              httpGet:
                path: /healthz/ready
                port: 15021
              initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
              periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
              timeoutSeconds: 3
              failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
            volumeMounts:
            - name: workload-socket
              mountPath: /var/run/secrets/workload-spiffe-uds
            - name: credential-socket
              mountPath: /var/run/secrets/credential-uds
            {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
            - name: gke-workload-certificate
              mountPath: /var/run/secrets/workload-spiffe-credentials
              readOnly: true
            {{- else }}
            - name: workload-certs
              mountPath: /var/run/secrets/workload-spiffe-credentials
            {{- end }}
            {{- if eq .Values.global.pilotCertProvider "istiod" }}
            - mountPath: /var/run/secrets/istio
              name: istiod-ca-cert
            {{- end }}
            - mountPath: /var/lib/istio/data
              name: istio-data
            # SDS channel between istioagent and Envoy
            - mountPath: /etc/istio/proxy
              name: istio-envoy
            {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
            - mountPath: /var/run/secrets/tokens
              name: istio-token
            {{- end }}
            {{- if .Values.global.mountMtlsCerts }}
            # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
            - mountPath: /etc/certs/
              name: istio-certs
              readOnly: true
            {{- end }}
            - name: istio-podinfo
              mountPath: /etc/istio/pod
          volumes:
          - emptyDir: {}
            name: workload-socket
          - emptyDir: {}
            name: credential-socket
          {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
          - name: gke-workload-certificate
            csi:
              driver: workloadcertificates.security.cloud.google.com
          {{- else}}
          - emptyDir: {}
            name: workload-certs
          {{- end }}
          # SDS channel between istioagent and Envoy
          - emptyDir:
              medium: Memory
            name: istio-envoy
          - name: istio-data
            emptyDir: {}
          - name: istio-podinfo
            downwardAPI:
              items:
                - path: "labels"
                  fieldRef:
                    fieldPath: metadata.labels
                - path: "annotations"
                  fieldRef:
                    fieldPath: metadata.annotations
          {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
          - name: istio-token
            projected:
              sources:
              - serviceAccountToken:
                  path: istio-token
                  expirationSeconds: 43200
                  audience: {{ .Values.global.sds.token.aud }}
          {{- end }}
          {{- if eq .Values.global.pilotCertProvider "istiod" }}
          - name: istiod-ca-cert
            configMap:
              name: istio-ca-root-cert
          {{- end }}
          {{- if .Values.global.mountMtlsCerts }}
          # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
          - name: istio-certs
            secret:
              optional: true
              {{ if eq .Spec.ServiceAccountName "" }}
              secretName: istio.default
              {{ else -}}
              secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
              {{ end -}}
          {{- end }}
          {{- if .Values.global.imagePullSecrets }}
          imagePullSecrets:
            {{- range .Values.global.imagePullSecrets }}
            - name: {{ . }}
            {{- end }}
          {{- end }}
      grpc-simple: |
        metadata:
          annotations:
            sidecar.istio.io/rewriteAppHTTPProbers: "false"
        spec:
          initContainers:
            - name: grpc-bootstrap-init
              image: busybox:1.28
              volumeMounts:
                - mountPath: /var/lib/grpc/data/
                  name: grpc-io-proxyless-bootstrap
              env:
                - name: INSTANCE_IP
                  valueFrom:
                    fieldRef:
                      fieldPath: status.podIP
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                - name: ISTIO_NAMESPACE
                  value: |
                    {{ .Values.global.istioNamespace }}
              command:
                - sh
                - "-c"
                - |-
                  NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
                  SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
                  echo '
                  {
                    "xds_servers": [
                      {
                        "server_uri": "'${SERVER_URI}'",
                        "channel_creds": [{"type": "insecure"}],
                        "server_features" : ["xds_v3"]
                      }
                    ],
                    "node": {
                      "id": "'${NODE_ID}'",
                      "metadata": {
                        "GENERATOR": "grpc"
                      }
                    }
                  }' > /var/lib/grpc/data/bootstrap.json
          containers:
          {{- range $index, $container := .Spec.Containers }}
          - name: {{ $container.Name }}
            env:
              - name: GRPC_XDS_BOOTSTRAP
                value: /var/lib/grpc/data/bootstrap.json
              - name: GRPC_GO_LOG_VERBOSITY_LEVEL
                value: "99"
              - name: GRPC_GO_LOG_SEVERITY_LEVEL
                value: info
            volumeMounts:
              - mountPath: /var/lib/grpc/data/
                name: grpc-io-proxyless-bootstrap
          {{- end }}
          volumes:
            - name: grpc-io-proxyless-bootstrap
              emptyDir: {}
      grpc-agent: |
        {{- define "resources" }}
          {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
            {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
              requests:
                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
                cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
                {{ end }}
                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
                memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
                {{ end }}
            {{- end }}
            {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
              limits:
                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
                cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
                {{ end }}
                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
                memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
                {{ end }}
            {{- end }}
          {{- else }}
            {{- if .Values.global.proxy.resources }}
              {{ toYaml .Values.global.proxy.resources | indent 6 }}
            {{- end }}
          {{- end }}
        {{- end }}
        {{- $containers := list }}
        {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
        metadata:
          labels:
            {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
            service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
            service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
          annotations: {
            istio.io/rev: {{ .Revision | default "default" }},
            {{- if ge (len $containers) 1 }}
            {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
            kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
            {{- end }}
            {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
            kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
            {{- end }}
            {{- end }}
            sidecar.istio.io/rewriteAppHTTPProbers: "false",
          }
        spec:
          containers:
          - name: istio-proxy
          {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
            image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
          {{- else }}
            image: "{{ .ProxyImage }}"
          {{- end }}
            ports:
            - containerPort: 15020
              protocol: TCP
              name: mesh-metrics
            args:
            - proxy
            - sidecar
            - --domain
            - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
            - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
            - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
            - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
          {{- if .Values.global.sts.servicePort }}
            - --stsPort={{ .Values.global.sts.servicePort }}
          {{- end }}
          {{- if .Values.global.logAsJson }}
            - --log_as_json
          {{- end }}
            lifecycle:
              postStart:
                exec:
                  command:
                  - pilot-agent
                  - wait
                  - --url=http://localhost:15020/healthz/ready
            env:
            - name: ISTIO_META_GENERATOR
              value: grpc
            - name: OUTPUT_CERTS
              value: /var/lib/istio/data
            {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
            - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
              value: "true"
            {{- end }}
            - name: JWT_POLICY
              value: {{ .Values.global.jwtPolicy }}
            - name: PILOT_CERT_PROVIDER
              value: {{ .Values.global.pilotCertProvider }}
            - name: CA_ADDR
            {{- if .Values.global.caAddress }}
              value: {{ .Values.global.caAddress }}
            {{- else }}
              value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
            {{- end }}
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: PROXY_CONFIG
              value: |
                {{ protoToJSON .ProxyConfig }}
            - name: ISTIO_META_POD_PORTS
              value: |-
                [
                {{- $first := true }}
                {{- range $index1, $c := .Spec.Containers }}
                  {{- range $index2, $p := $c.Ports }}
                    {{- if (structToJSON $p) }}
                    {{if not $first}},{{end}}{{ structToJSON $p }}
                    {{- $first = false }}
                    {{- end }}
                  {{- end}}
                {{- end}}
                ]
            - name: ISTIO_META_APP_CONTAINERS
              value: "{{ $containers | join "," }}"
            - name: ISTIO_META_CLUSTER_ID
              value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
            - name: ISTIO_META_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            {{- if .Values.global.network }}
            - name: ISTIO_META_NETWORK
              value: "{{ .Values.global.network }}"
            {{- end }}
            {{- if .DeploymentMeta.Name }}
            - name: ISTIO_META_WORKLOAD_NAME
              value: "{{ .DeploymentMeta.Name }}"
            {{ end }}
            {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
            {{- end}}
            {{- if .Values.global.meshID }}
            - name: ISTIO_META_MESH_ID
              value: "{{ .Values.global.meshID }}"
            {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
            - name: ISTIO_META_MESH_ID
              value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
            {{- end }}
            {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
            - name: TRUST_DOMAIN
              value: "{{ . }}"
            {{- end }}
            {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
            # grpc uses xds:/// to resolve – no need to resolve VIP
            - name: ISTIO_META_DNS_CAPTURE
              value: "false"
            - name: DISABLE_ENVOY
              value: "true"
            {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
            {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
            readinessProbe:
              httpGet:
                path: /healthz/ready
                port: 15020
              initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
              periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
              timeoutSeconds: 3
              failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
            resources:
              {{ template "resources" . }}
            volumeMounts:
            - name: workload-socket
              mountPath: /var/run/secrets/workload-spiffe-uds
            {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
            - name: gke-workload-certificate
              mountPath: /var/run/secrets/workload-spiffe-credentials
              readOnly: true
            {{- else }}
            - name: workload-certs
              mountPath: /var/run/secrets/workload-spiffe-credentials
            {{- end }}
            {{- if eq .Values.global.pilotCertProvider "istiod" }}
            - mountPath: /var/run/secrets/istio
              name: istiod-ca-cert
            {{- end }}
            - mountPath: /var/lib/istio/data
              name: istio-data
            # UDS channel between istioagent and gRPC client for XDS/SDS
            - mountPath: /etc/istio/proxy
              name: istio-xds
            {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
            - mountPath: /var/run/secrets/tokens
              name: istio-token
            {{- end }}
            {{- if .Values.global.mountMtlsCerts }}
            # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
            - mountPath: /etc/certs/
              name: istio-certs
              readOnly: true
            {{- end }}
            - name: istio-podinfo
              mountPath: /etc/istio/pod
            {{- end }}
            {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
            {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
            - name: "{{ $index }}"
              {{ toYaml $value | indent 6 }}
            {{ end }}
            {{- end }}
          {{- range $index, $container := .Spec.Containers }}
          {{ if not (eq $container.Name "istio-proxy") }}
          - name: {{ $container.Name }}
            env:
              - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
                value: "true"
              - name: "GRPC_XDS_BOOTSTRAP"
                value: "/etc/istio/proxy/grpc-bootstrap.json"
            volumeMounts:
              - mountPath: /var/lib/istio/data
                name: istio-data
              # UDS channel between istioagent and gRPC client for XDS/SDS
              - mountPath: /etc/istio/proxy
                name: istio-xds
              {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
              - name: gke-workload-certificate
                mountPath: /var/run/secrets/workload-spiffe-credentials
                readOnly: true
              {{- else }}
              - name: workload-certs
                mountPath: /var/run/secrets/workload-spiffe-credentials
              {{- end }}
          {{- end }}
          {{- end }}
          volumes:
          - emptyDir:
            name: workload-socket
          {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
          - name: gke-workload-certificate
            csi:
              driver: workloadcertificates.security.cloud.google.com
          {{- else }}
          - emptyDir:
            name: workload-certs
          {{- end }}
          {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
          - name: custom-bootstrap-volume
            configMap:
              name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
          {{- end }}
          # SDS channel between istioagent and Envoy
          - emptyDir:
              medium: Memory
            name: istio-xds
          - name: istio-data
            emptyDir: {}
          - name: istio-podinfo
            downwardAPI:
              items:
                - path: "labels"
                  fieldRef:
                    fieldPath: metadata.labels
                - path: "annotations"
                  fieldRef:
                    fieldPath: metadata.annotations
          {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
          - name: istio-token
            projected:
              sources:
              - serviceAccountToken:
                  path: istio-token
                  expirationSeconds: 43200
                  audience: {{ .Values.global.sds.token.aud }}
          {{- end }}
          {{- if eq .Values.global.pilotCertProvider "istiod" }}
          - name: istiod-ca-cert
            configMap:
              name: istio-ca-root-cert
          {{- end }}
          {{- if .Values.global.mountMtlsCerts }}
          # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
          - name: istio-certs
            secret:
              optional: true
              {{ if eq .Spec.ServiceAccountName "" }}
              secretName: istio.default
              {{ else -}}
              secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
              {{ end -}}
          {{- end }}
          {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
          {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
          - name: "{{ $index }}"
            {{ toYaml $value | indent 4 }}
          {{ end }}
          {{ end }}
          {{- if .Values.global.imagePullSecrets }}
          imagePullSecrets:
            {{- range .Values.global.imagePullSecrets }}
            - name: {{ . }}
            {{- end }}
          {{- end }}
      waypoint: |
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: {{.ServiceAccount | quote}}
          namespace: {{.Namespace | quote}}
          annotations:
            {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
          labels:
            {{- toJsonMap
              .InfrastructureLabels
              (strdict
                "gateway.networking.k8s.io/gateway-name" .Name
                "istio.io/gateway-name" .Name
              ) | nindent 4 }}
        ---
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: {{.DeploymentName | quote}}
          namespace: {{.Namespace | quote}}
          annotations:
            {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
          labels:
            {{- toJsonMap
              .InfrastructureLabels
              (strdict
                "gateway.networking.k8s.io/gateway-name" .Name
                "istio.io/gateway-name" .Name
                "gateway.istio.io/managed" "istio.io-mesh-controller"
              ) | nindent 4 }}
          ownerReferences:
          - apiVersion: gateway.networking.k8s.io/v1beta1
            kind: Gateway
            name: "{{.Name}}"
            uid: "{{.UID}}"
        spec:
          selector:
            matchLabels:
              "{{.GatewayNameLabel}}": "{{.Name}}"
          template:
            metadata:
              annotations:
                {{- toJsonMap
                  (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
                  (strdict "istio.io/rev" (.Revision | default "default"))
                  (strdict
                    "ambient.istio.io/redirection" "disabled"
                    "prometheus.io/path" "/stats/prometheus"
                    "prometheus.io/port" "15020"
                    "prometheus.io/scrape" "true"
                  ) | nindent 8 }}
              labels:
                {{- toJsonMap
                  (strdict
                    "sidecar.istio.io/inject" "false"
                    "service.istio.io/canonical-name" .DeploymentName
                    "service.istio.io/canonical-revision" "latest"
                  )
                  .InfrastructureLabels
                  (strdict
                    "gateway.networking.k8s.io/gateway-name" .Name
                    "istio.io/gateway-name" .Name
                    "gateway.istio.io/managed" "istio.io-mesh-controller"
                  ) | nindent 8}}
            spec:
              terminationGracePeriodSeconds: 2
              serviceAccountName: {{.ServiceAccount | quote}}
              containers:
              - name: istio-proxy
                ports:
                - containerPort: 15021
                  name: status-port
                  protocol: TCP
                - containerPort: 15090
                  protocol: TCP
                  name: http-envoy-prom
                {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
                image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
                {{- else }}
                image: "{{ .ProxyImage }}"
                {{- end }}
                {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
                args:
                - proxy
                - waypoint
                - --domain
                - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
                - --serviceCluster
                - {{.ServiceAccount}}.$(POD_NAMESPACE)
                - --proxyLogLevel
                - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
                - --proxyComponentLogLevel
                - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
                - --log_output_level
                - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
                {{- if .Values.global.logAsJson }}
                - --log_as_json
                {{- end }}
                env:
                - name: ISTIO_META_SERVICE_ACCOUNT
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.serviceAccountName
                - name: ISTIO_META_NODE_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.nodeName
                - name: JWT_POLICY
                  value: {{ .Values.global.jwtPolicy }}
                - name: PILOT_CERT_PROVIDER
                  value: {{ .Values.global.pilotCertProvider }}
                - name: CA_ADDR
                {{- if .Values.global.caAddress }}
                  value: {{ .Values.global.caAddress }}
                {{- else }}
                  value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
                {{- end }}
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                - name: INSTANCE_IP
                  valueFrom:
                    fieldRef:
                      fieldPath: status.podIP
                - name: SERVICE_ACCOUNT
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.serviceAccountName
                - name: HOST_IP
                  valueFrom:
                    fieldRef:
                      fieldPath: status.hostIP
                - name: ISTIO_CPU_LIMIT
                  valueFrom:
                    resourceFieldRef:
                      resource: limits.cpu
                - name: PROXY_CONFIG
                  value: |
                    {{ protoToJSON .ProxyConfig }}
                {{- if .ProxyConfig.ProxyMetadata }}
                {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
                - name: {{ $key }}
                  value: "{{ $value }}"
                {{- end }}
                {{- end }}
                - name: GOMEMLIMIT
                  valueFrom:
                    resourceFieldRef:
                      resource: limits.memory
                - name: GOMAXPROCS
                  valueFrom:
                    resourceFieldRef:
                      resource: limits.cpu
                - name: ISTIO_META_CLUSTER_ID
                  value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
                {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
                {{- if $network }}
                - name: ISTIO_META_NETWORK
                  value: "{{ $network }}"
                {{- end }}
                - name: ISTIO_META_INTERCEPTION_MODE
                  value: REDIRECT
                - name: ISTIO_META_WORKLOAD_NAME
                  value: {{.DeploymentName}}
                - name: ISTIO_META_OWNER
                  value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
                {{- if .Values.global.meshID }}
                - name: ISTIO_META_MESH_ID
                  value: "{{ .Values.global.meshID }}"
                {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
                - name: ISTIO_META_MESH_ID
                  value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
                {{- end }}
                resources:
                  limits:
                    cpu: "2"
                    memory: 1Gi
                  requests:
                    cpu: 100m
                    memory: 128Mi
                startupProbe:
                  failureThreshold: 30
                  httpGet:
                    path: /healthz/ready
                    port: 15021
                    scheme: HTTP
                  initialDelaySeconds: 1
                  periodSeconds: 1
                  successThreshold: 1
                  timeoutSeconds: 1
                readinessProbe:
                  failureThreshold: 4
                  httpGet:
                    path: /healthz/ready
                    port: 15021
                    scheme: HTTP
                  initialDelaySeconds: 0
                  periodSeconds: 15
                  successThreshold: 1
                  timeoutSeconds: 1
                securityContext:
                  privileged: false
                  runAsGroup: 1337
                  runAsUser: 0
                  capabilities:
                    drop:
                    - ALL
                volumeMounts:
                - name: workload-socket
                  mountPath: /var/run/secrets/workload-spiffe-uds
                - mountPath: /var/run/secrets/istio
                  name: istiod-ca-cert
                - mountPath: /var/lib/istio/data
                  name: istio-data
                - mountPath: /etc/istio/proxy
                  name: istio-envoy
                - mountPath: /var/run/secrets/tokens
                  name: istio-token
                - mountPath: /etc/istio/pod
                  name: istio-podinfo
              volumes:
              - emptyDir: {}
                name: workload-socket
              - emptyDir:
                  medium: Memory
                name: istio-envoy
              - emptyDir:
                  medium: Memory
                name: go-proxy-envoy
              - emptyDir: {}
                name: istio-data
              - emptyDir: {}
                name: go-proxy-data
              - downwardAPI:
                  items:
                  - fieldRef:
                      fieldPath: metadata.labels
                    path: labels
                  - fieldRef:
                      fieldPath: metadata.annotations
                    path: annotations
                name: istio-podinfo
              - name: istio-token
                projected:
                  sources:
                  - serviceAccountToken:
                      audience: istio-ca
                      expirationSeconds: 43200
                      path: istio-token
              - configMap:
                  name: istio-ca-root-cert
                name: istiod-ca-cert
              {{- if .Values.global.imagePullSecrets }}
              imagePullSecrets:
                {{- range .Values.global.imagePullSecrets }}
                - name: {{ . }}
                {{- end }}
              {{- end }}
        ---
        apiVersion: v1
        kind: Service
        metadata:
          annotations:
            {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
          labels:
            {{- toJsonMap
              .InfrastructureLabels
              (strdict
                "gateway.networking.k8s.io/gateway-name" .Name
                "istio.io/gateway-name" .Name
              ) | nindent 4 }}
          name: {{.DeploymentName | quote}}
          namespace: {{.Namespace | quote}}
          ownerReferences:
          - apiVersion: gateway.networking.k8s.io/v1beta1
            kind: Gateway
            name: "{{.Name}}"
            uid: "{{.UID}}"
        spec:
          ports:
          {{- range $key, $val := .Ports }}
          - name: {{ $val.Name | quote }}
            port: {{ $val.Port }}
            protocol: TCP
            appProtocol: {{ $val.AppProtocol }}
          {{- end }}
          selector:
            "{{.GatewayNameLabel}}": "{{.Name}}"
          {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
          loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
          {{- end }}
          type: {{ .ServiceType | quote }}
        ---
      kube-gateway: |
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: {{.ServiceAccount | quote}}
          namespace: {{.Namespace | quote}}
          annotations:
            {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
          labels:
            {{- toJsonMap
              .InfrastructureLabels
              (strdict
                "gateway.networking.k8s.io/gateway-name" .Name
                "istio.io/gateway-name" .Name
              ) | nindent 4 }}
        ---
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: {{.DeploymentName | quote}}
          namespace: {{.Namespace | quote}}
          annotations:
            {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
          labels:
            {{- toJsonMap
              .InfrastructureLabels
              (strdict
                "gateway.networking.k8s.io/gateway-name" .Name
                "istio.io/gateway-name" .Name
              ) | nindent 4 }}
          ownerReferences:
          - apiVersion: gateway.networking.k8s.io/v1beta1
            kind: Gateway
            name: {{.Name}}
            uid: "{{.UID}}"
        spec:
          selector:
            matchLabels:
              "{{.GatewayNameLabel}}": {{.Name}}
          template:
            metadata:
              annotations:
                {{- toJsonMap
                  (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
                  (strdict "istio.io/rev" (.Revision | default "default"))
                  (strdict
                    "prometheus.io/path" "/stats/prometheus"
                    "prometheus.io/port" "15020"
                    "prometheus.io/scrape" "true"
                  ) | nindent 8 }}
              labels:
                {{- toJsonMap
                  (strdict
                    "sidecar.istio.io/inject" "false"
                    "service.istio.io/canonical-name" .DeploymentName
                    "service.istio.io/canonical-revision" "latest"
                  )
                  .InfrastructureLabels
                  (strdict
                    "gateway.networking.k8s.io/gateway-name" .Name
                    "istio.io/gateway-name" .Name
                  ) | nindent 8 }}
            spec:
              {{- if .KubeVersion122 }}
              {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}}
              securityContext:
                sysctls:
                - name: net.ipv4.ip_unprivileged_port_start
                  value: "0"
              {{- end }}
              serviceAccountName: {{.ServiceAccount | quote}}
              containers:
              - name: istio-proxy
              {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
                image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
              {{- else }}
                image: "{{ .ProxyImage }}"
              {{- end }}
                {{- if .Values.global.proxy.resources }}
                resources:
                  {{- toYaml .Values.global.proxy.resources | nindent 10 }}
                {{- end }}
                {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
                securityContext:
                {{- if .KubeVersion122 }}
                  # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
                  capabilities:
                    drop:
                    - ALL
                  allowPrivilegeEscalation: false
                  privileged: false
                  readOnlyRootFilesystem: true
                  runAsUser: {{ .ProxyUID | default "1337" }}
                  runAsGroup: {{ .ProxyGID | default "1337" }}
                  runAsNonRoot: true
                {{- else }}
                  capabilities:
                    drop:
                    - ALL
                    add:
                    - NET_BIND_SERVICE
                  runAsUser: 0
                  runAsGroup: 1337
                  runAsNonRoot: false
                  allowPrivilegeEscalation: true
                  readOnlyRootFilesystem: true
                {{- end }}
                ports:
                - containerPort: 15021
                  name: status-port
                  protocol: TCP
                - containerPort: 15090
                  protocol: TCP
                  name: http-envoy-prom
                args:
                - proxy
                - router
                - --domain
                - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
                - --proxyLogLevel
                - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
                - --proxyComponentLogLevel
                - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
                - --log_output_level
                - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
                {{- if .Values.global.sts.servicePort }}
                - --stsPort={{ .Values.global.sts.servicePort }}
                {{- end }}
                {{- if .Values.global.logAsJson }}
                - --log_as_json
                {{- end }}
                {{- if .Values.global.proxy.lifecycle }}
                lifecycle:
                  {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
                {{- end }}
                env:
                - name: JWT_POLICY
                  value: {{ .Values.global.jwtPolicy }}
                - name: PILOT_CERT_PROVIDER
                  value: {{ .Values.global.pilotCertProvider }}
                - name: CA_ADDR
                {{- if .Values.global.caAddress }}
                  value: {{ .Values.global.caAddress }}
                {{- else }}
                  value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
                {{- end }}
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                - name: INSTANCE_IP
                  valueFrom:
                    fieldRef:
                      fieldPath: status.podIP
                - name: SERVICE_ACCOUNT
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.serviceAccountName
                - name: HOST_IP
                  valueFrom:
                    fieldRef:
                      fieldPath: status.hostIP
                - name: ISTIO_CPU_LIMIT
                  valueFrom:
                    resourceFieldRef:
                      resource: limits.cpu
                - name: PROXY_CONFIG
                  value: |
                    {{ protoToJSON .ProxyConfig }}
                - name: ISTIO_META_POD_PORTS
                  value: "[]"
                - name: ISTIO_META_APP_CONTAINERS
                  value: ""
                - name: GOMEMLIMIT
                  valueFrom:
                    resourceFieldRef:
                      resource: limits.memory
                - name: GOMAXPROCS
                  valueFrom:
                    resourceFieldRef:
                      resource: limits.cpu
                - name: ISTIO_META_CLUSTER_ID
                  value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
                - name: ISTIO_META_NODE_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.nodeName
                - name: ISTIO_META_INTERCEPTION_MODE
                  value: "{{ .ProxyConfig.InterceptionMode.String }}"
                {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
                - name: ISTIO_META_NETWORK
                  value: {{.|quote}}
                {{- end }}
                - name: ISTIO_META_WORKLOAD_NAME
                  value: {{.DeploymentName|quote}}
                - name: ISTIO_META_OWNER
                  value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
                {{- if .Values.global.meshID }}
                - name: ISTIO_META_MESH_ID
                  value: "{{ .Values.global.meshID }}"
                {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
                - name: ISTIO_META_MESH_ID
                  value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
                {{- end }}
                {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
                - name: TRUST_DOMAIN
                  value: "{{ . }}"
                {{- end }}
                {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
                - name: {{ $key }}
                  value: "{{ $value }}"
                {{- end }}
                {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
                - name: ISTIO_META_REQUESTED_NETWORK_VIEW
                  value: {{.|quote}}
                {{- end }}
                startupProbe:
                  failureThreshold: 30
                  httpGet:
                    path: /healthz/ready
                    port: 15021
                    scheme: HTTP
                  initialDelaySeconds: 1
                  periodSeconds: 1
                  successThreshold: 1
                  timeoutSeconds: 1
                readinessProbe:
                  failureThreshold: 4
                  httpGet:
                    path: /healthz/ready
                    port: 15021
                    scheme: HTTP
                  initialDelaySeconds: 0
                  periodSeconds: 15
                  successThreshold: 1
                  timeoutSeconds: 1
                volumeMounts:
                - name: workload-socket
                  mountPath: /var/run/secrets/workload-spiffe-uds
                - name: credential-socket
                  mountPath: /var/run/secrets/credential-uds
                {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
                - name: gke-workload-certificate
                  mountPath: /var/run/secrets/workload-spiffe-credentials
                  readOnly: true
                {{- else }}
                - name: workload-certs
                  mountPath: /var/run/secrets/workload-spiffe-credentials
                {{- end }}
                {{- if eq .Values.global.pilotCertProvider "istiod" }}
                - mountPath: /var/run/secrets/istio
                  name: istiod-ca-cert
                {{- end }}
                - mountPath: /var/lib/istio/data
                  name: istio-data
                # SDS channel between istioagent and Envoy
                - mountPath: /etc/istio/proxy
                  name: istio-envoy
                {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
                - mountPath: /var/run/secrets/tokens
                  name: istio-token
                {{- end }}
                - name: istio-podinfo
                  mountPath: /etc/istio/pod
              volumes:
              - emptyDir: {}
                name: workload-socket
              - emptyDir: {}
                name: credential-socket
              {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
              - name:
gke-workload-certificate 10674 csi: 10675 driver: workloadcertificates.security.cloud.google.com 10676 {{- else}} 10677 - emptyDir: {} 10678 name: workload-certs 10679 {{- end }} 10680 # SDS channel between istioagent and Envoy 10681 - emptyDir: 10682 medium: Memory 10683 name: istio-envoy 10684 - name: istio-data 10685 emptyDir: {} 10686 - name: istio-podinfo 10687 downwardAPI: 10688 items: 10689 - path: "labels" 10690 fieldRef: 10691 fieldPath: metadata.labels 10692 - path: "annotations" 10693 fieldRef: 10694 fieldPath: metadata.annotations 10695 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 10696 - name: istio-token 10697 projected: 10698 sources: 10699 - serviceAccountToken: 10700 path: istio-token 10701 expirationSeconds: 43200 10702 audience: {{ .Values.global.sds.token.aud }} 10703 {{- end }} 10704 {{- if eq .Values.global.pilotCertProvider "istiod" }} 10705 - name: istiod-ca-cert 10706 configMap: 10707 name: istio-ca-root-cert 10708 {{- end }} 10709 {{- if .Values.global.imagePullSecrets }} 10710 imagePullSecrets: 10711 {{- range .Values.global.imagePullSecrets }} 10712 - name: {{ . 
}} 10713 {{- end }} 10714 {{- end }} 10715 --- 10716 apiVersion: v1 10717 kind: Service 10718 metadata: 10719 annotations: 10720 {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} 10721 labels: 10722 {{- toJsonMap 10723 .InfrastructureLabels 10724 (strdict 10725 "gateway.networking.k8s.io/gateway-name" .Name 10726 "istio.io/gateway-name" .Name 10727 ) | nindent 4 }} 10728 name: {{.DeploymentName | quote}} 10729 namespace: {{.Namespace | quote}} 10730 ownerReferences: 10731 - apiVersion: gateway.networking.k8s.io/v1beta1 10732 kind: Gateway 10733 name: {{.Name}} 10734 uid: {{.UID}} 10735 spec: 10736 ports: 10737 {{- range $key, $val := .Ports }} 10738 - name: {{ $val.Name | quote }} 10739 port: {{ $val.Port }} 10740 protocol: TCP 10741 appProtocol: {{ $val.AppProtocol }} 10742 {{- end }} 10743 selector: 10744 "{{.GatewayNameLabel}}": {{.Name}} 10745 {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} 10746 loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} 10747 {{- end }} 10748 type: {{ .ServiceType | quote }} 10749 --- 10750 values: |- 10751 { 10752 "global": { 10753 "autoscalingv2API": true, 10754 "caAddress": "", 10755 "caName": "", 10756 "certSigners": [], 10757 "configCluster": false, 10758 "configValidation": true, 10759 "defaultPodDisruptionBudget": { 10760 "enabled": true 10761 }, 10762 "defaultResources": { 10763 "requests": { 10764 "cpu": "10m" 10765 } 10766 }, 10767 "enabled": true, 10768 "externalIstiod": false, 10769 "hub": "gcr.io/istio-testing", 10770 "imagePullPolicy": "", 10771 "imagePullSecrets": [], 10772 "istioNamespace": "istio-system", 10773 "istiod": { 10774 "enableAnalysis": false 10775 }, 10776 "jwtPolicy": "third-party-jwt", 10777 "logAsJson": false, 10778 "logging": { 10779 "level": "default:info" 10780 }, 10781 "meshID": "", 10782 "meshNetworks": {}, 
10783 "mountMtlsCerts": false, 10784 "multiCluster": { 10785 "clusterName": "", 10786 "enabled": false 10787 }, 10788 "namespace": "istio-system", 10789 "network": "", 10790 "omitSidecarInjectorConfigMap": false, 10791 "oneNamespace": false, 10792 "operatorManageWebhooks": false, 10793 "pilotCertProvider": "istiod", 10794 "priorityClassName": "", 10795 "proxy": { 10796 "autoInject": "enabled", 10797 "clusterDomain": "cluster.local", 10798 "componentLogLevel": "misc:error", 10799 "enableCoreDump": false, 10800 "excludeIPRanges": "", 10801 "excludeInboundPorts": "", 10802 "excludeOutboundPorts": "", 10803 "image": "proxyv2", 10804 "includeIPRanges": "*", 10805 "includeInboundPorts": "*", 10806 "includeOutboundPorts": "", 10807 "logLevel": "warning", 10808 "privileged": false, 10809 "readinessFailureThreshold": 4, 10810 "readinessInitialDelaySeconds": 0, 10811 "readinessPeriodSeconds": 15, 10812 "resources": { 10813 "limits": { 10814 "cpu": "2000m", 10815 "memory": "1024Mi" 10816 }, 10817 "requests": { 10818 "cpu": "100m", 10819 "memory": "128Mi" 10820 } 10821 }, 10822 "startupProbe": { 10823 "enabled": true, 10824 "failureThreshold": 600 10825 }, 10826 "statusPort": 15020, 10827 "tracer": "zipkin" 10828 }, 10829 "proxy_init": { 10830 "image": "proxyv2" 10831 }, 10832 "remotePilotAddress": "", 10833 "sds": { 10834 "token": { 10835 "aud": "istio-ca" 10836 } 10837 }, 10838 "sts": { 10839 "servicePort": 0 10840 }, 10841 "tag": "latest", 10842 "variant": "" 10843 }, 10844 "istio_cni": { 10845 "chained": true, 10846 "enabled": false 10847 }, 10848 "revision": "", 10849 "sidecarInjectorWebhook": { 10850 "alwaysInjectSelector": [], 10851 "defaultTemplates": [], 10852 "enableNamespacesByDefault": false, 10853 "injectedAnnotations": {}, 10854 "neverInjectSelector": [], 10855 "reinvocationPolicy": "Never", 10856 "rewriteAppHTTPProbe": true, 10857 "templates": {} 10858 } 10859 } 10860 kind: ConfigMap 10861 metadata: 10862 labels: 10863 install.operator.istio.io/owning-resource: 
unknown 10864 istio.io/rev: default 10865 operator.istio.io/component: Pilot 10866 release: istio 10867 name: istio-sidecar-injector 10868 namespace: istio-system 10869 10870 --- 10871 apiVersion: admissionregistration.k8s.io/v1 10872 kind: MutatingWebhookConfiguration 10873 metadata: 10874 labels: 10875 app: sidecar-injector 10876 install.operator.istio.io/owning-resource: unknown 10877 istio.io/rev: default 10878 operator.istio.io/component: Pilot 10879 release: istio 10880 name: istio-sidecar-injector 10881 webhooks: 10882 - admissionReviewVersions: 10883 - v1beta1 10884 - v1 10885 clientConfig: 10886 service: 10887 name: istiod 10888 namespace: istio-system 10889 path: /inject 10890 port: 443 10891 failurePolicy: Fail 10892 name: rev.namespace.sidecar-injector.istio.io 10893 namespaceSelector: 10894 matchExpressions: 10895 - key: istio.io/rev 10896 operator: In 10897 values: 10898 - default 10899 - key: istio-injection 10900 operator: DoesNotExist 10901 objectSelector: 10902 matchExpressions: 10903 - key: sidecar.istio.io/inject 10904 operator: NotIn 10905 values: 10906 - "false" 10907 reinvocationPolicy: Never 10908 rules: 10909 - apiGroups: 10910 - "" 10911 apiVersions: 10912 - v1 10913 operations: 10914 - CREATE 10915 resources: 10916 - pods 10917 sideEffects: None 10918 - admissionReviewVersions: 10919 - v1beta1 10920 - v1 10921 clientConfig: 10922 service: 10923 name: istiod 10924 namespace: istio-system 10925 path: /inject 10926 port: 443 10927 failurePolicy: Fail 10928 name: rev.object.sidecar-injector.istio.io 10929 namespaceSelector: 10930 matchExpressions: 10931 - key: istio.io/rev 10932 operator: DoesNotExist 10933 - key: istio-injection 10934 operator: DoesNotExist 10935 objectSelector: 10936 matchExpressions: 10937 - key: sidecar.istio.io/inject 10938 operator: NotIn 10939 values: 10940 - "false" 10941 - key: istio.io/rev 10942 operator: In 10943 values: 10944 - default 10945 reinvocationPolicy: Never 10946 rules: 10947 - apiGroups: 10948 - "" 
10949 apiVersions: 10950 - v1 10951 operations: 10952 - CREATE 10953 resources: 10954 - pods 10955 sideEffects: None 10956 - admissionReviewVersions: 10957 - v1beta1 10958 - v1 10959 clientConfig: 10960 service: 10961 name: istiod 10962 namespace: istio-system 10963 path: /inject 10964 port: 443 10965 failurePolicy: Fail 10966 name: namespace.sidecar-injector.istio.io 10967 namespaceSelector: 10968 matchExpressions: 10969 - key: istio-injection 10970 operator: In 10971 values: 10972 - enabled 10973 objectSelector: 10974 matchExpressions: 10975 - key: sidecar.istio.io/inject 10976 operator: NotIn 10977 values: 10978 - "false" 10979 reinvocationPolicy: Never 10980 rules: 10981 - apiGroups: 10982 - "" 10983 apiVersions: 10984 - v1 10985 operations: 10986 - CREATE 10987 resources: 10988 - pods 10989 sideEffects: None 10990 - admissionReviewVersions: 10991 - v1beta1 10992 - v1 10993 clientConfig: 10994 service: 10995 name: istiod 10996 namespace: istio-system 10997 path: /inject 10998 port: 443 10999 failurePolicy: Fail 11000 name: object.sidecar-injector.istio.io 11001 namespaceSelector: 11002 matchExpressions: 11003 - key: istio-injection 11004 operator: DoesNotExist 11005 - key: istio.io/rev 11006 operator: DoesNotExist 11007 objectSelector: 11008 matchExpressions: 11009 - key: sidecar.istio.io/inject 11010 operator: In 11011 values: 11012 - "true" 11013 - key: istio.io/rev 11014 operator: DoesNotExist 11015 reinvocationPolicy: Never 11016 rules: 11017 - apiGroups: 11018 - "" 11019 apiVersions: 11020 - v1 11021 operations: 11022 - CREATE 11023 resources: 11024 - pods 11025 sideEffects: None 11026 11027 --- 11028 apiVersion: apps/v1 11029 kind: Deployment 11030 metadata: 11031 labels: 11032 app: istio-egressgateway 11033 install.operator.istio.io/owning-resource: unknown 11034 istio: egressgateway 11035 istio.io/rev: default 11036 operator.istio.io/component: EgressGateways 11037 release: istio 11038 name: istio-egressgateway 11039 namespace: istio-system 11040 spec: 
11041 selector: 11042 matchLabels: 11043 app: istio-egressgateway 11044 istio: egressgateway 11045 strategy: 11046 rollingUpdate: 11047 maxSurge: 100% 11048 maxUnavailable: 25% 11049 template: 11050 metadata: 11051 annotations: 11052 istio.io/rev: default 11053 prometheus.io/path: /stats/prometheus 11054 prometheus.io/port: "15020" 11055 prometheus.io/scrape: "true" 11056 sidecar.istio.io/inject: "false" 11057 labels: 11058 app: istio-egressgateway 11059 chart: gateways 11060 heritage: Tiller 11061 install.operator.istio.io/owning-resource: unknown 11062 istio: egressgateway 11063 istio.io/rev: default 11064 operator.istio.io/component: EgressGateways 11065 release: istio 11066 service.istio.io/canonical-name: istio-egressgateway 11067 service.istio.io/canonical-revision: latest 11068 sidecar.istio.io/inject: "false" 11069 spec: 11070 affinity: 11071 nodeAffinity: 11072 preferredDuringSchedulingIgnoredDuringExecution: null 11073 requiredDuringSchedulingIgnoredDuringExecution: null 11074 containers: 11075 - args: 11076 - proxy 11077 - router 11078 - --domain 11079 - $(POD_NAMESPACE).svc.cluster.local 11080 - --proxyLogLevel=warning 11081 - --proxyComponentLogLevel=misc:error 11082 - --log_output_level=default:info 11083 env: 11084 - name: JWT_POLICY 11085 value: third-party-jwt 11086 - name: PILOT_CERT_PROVIDER 11087 value: istiod 11088 - name: CA_ADDR 11089 value: istiod.istio-system.svc:15012 11090 - name: NODE_NAME 11091 valueFrom: 11092 fieldRef: 11093 apiVersion: v1 11094 fieldPath: spec.nodeName 11095 - name: POD_NAME 11096 valueFrom: 11097 fieldRef: 11098 apiVersion: v1 11099 fieldPath: metadata.name 11100 - name: POD_NAMESPACE 11101 valueFrom: 11102 fieldRef: 11103 apiVersion: v1 11104 fieldPath: metadata.namespace 11105 - name: INSTANCE_IP 11106 valueFrom: 11107 fieldRef: 11108 apiVersion: v1 11109 fieldPath: status.podIP 11110 - name: HOST_IP 11111 valueFrom: 11112 fieldRef: 11113 apiVersion: v1 11114 fieldPath: status.hostIP 11115 - name: ISTIO_CPU_LIMIT 
11116 valueFrom: 11117 resourceFieldRef: 11118 resource: limits.cpu 11119 - name: SERVICE_ACCOUNT 11120 valueFrom: 11121 fieldRef: 11122 fieldPath: spec.serviceAccountName 11123 - name: ISTIO_META_WORKLOAD_NAME 11124 value: istio-egressgateway 11125 - name: ISTIO_META_OWNER 11126 value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-egressgateway 11127 - name: ISTIO_META_MESH_ID 11128 value: cluster.local 11129 - name: TRUST_DOMAIN 11130 value: cluster.local 11131 - name: ISTIO_META_UNPRIVILEGED_POD 11132 value: "true" 11133 - name: ISTIO_META_CLUSTER_ID 11134 value: Kubernetes 11135 - name: ISTIO_META_NODE_NAME 11136 valueFrom: 11137 fieldRef: 11138 fieldPath: spec.nodeName 11139 image: gcr.io/istio-testing/proxyv2:latest 11140 name: istio-proxy 11141 ports: 11142 - containerPort: 8080 11143 protocol: TCP 11144 - containerPort: 8443 11145 protocol: TCP 11146 - containerPort: 15090 11147 name: http-envoy-prom 11148 protocol: TCP 11149 readinessProbe: 11150 failureThreshold: 30 11151 httpGet: 11152 path: /healthz/ready 11153 port: 15021 11154 scheme: HTTP 11155 initialDelaySeconds: 1 11156 periodSeconds: 2 11157 successThreshold: 1 11158 timeoutSeconds: 1 11159 resources: 11160 limits: 11161 cpu: 2000m 11162 memory: 1024Mi 11163 requests: 11164 cpu: 100m 11165 memory: 128Mi 11166 securityContext: 11167 allowPrivilegeEscalation: false 11168 capabilities: 11169 drop: 11170 - ALL 11171 privileged: false 11172 readOnlyRootFilesystem: true 11173 volumeMounts: 11174 - mountPath: /var/run/secrets/workload-spiffe-uds 11175 name: workload-socket 11176 - mountPath: /var/run/secrets/credential-uds 11177 name: credential-socket 11178 - mountPath: /var/run/secrets/workload-spiffe-credentials 11179 name: workload-certs 11180 - mountPath: /etc/istio/proxy 11181 name: istio-envoy 11182 - mountPath: /etc/istio/config 11183 name: config-volume 11184 - mountPath: /var/run/secrets/istio 11185 name: istiod-ca-cert 11186 - mountPath: /var/run/secrets/tokens 11187 
name: istio-token 11188 readOnly: true 11189 - mountPath: /var/lib/istio/data 11190 name: istio-data 11191 - mountPath: /etc/istio/pod 11192 name: podinfo 11193 - mountPath: /etc/istio/egressgateway-certs 11194 name: egressgateway-certs 11195 readOnly: true 11196 - mountPath: /etc/istio/egressgateway-ca-certs 11197 name: egressgateway-ca-certs 11198 readOnly: true 11199 securityContext: 11200 runAsGroup: 1337 11201 runAsNonRoot: true 11202 runAsUser: 1337 11203 serviceAccountName: istio-egressgateway-service-account 11204 volumes: 11205 - emptyDir: {} 11206 name: workload-socket 11207 - emptyDir: {} 11208 name: credential-socket 11209 - emptyDir: {} 11210 name: workload-certs 11211 - configMap: 11212 name: istio-ca-root-cert 11213 name: istiod-ca-cert 11214 - downwardAPI: 11215 items: 11216 - fieldRef: 11217 fieldPath: metadata.labels 11218 path: labels 11219 - fieldRef: 11220 fieldPath: metadata.annotations 11221 path: annotations 11222 name: podinfo 11223 - emptyDir: {} 11224 name: istio-envoy 11225 - emptyDir: {} 11226 name: istio-data 11227 - name: istio-token 11228 projected: 11229 sources: 11230 - serviceAccountToken: 11231 audience: istio-ca 11232 expirationSeconds: 43200 11233 path: istio-token 11234 - configMap: 11235 name: istio 11236 optional: true 11237 name: config-volume 11238 - name: egressgateway-certs 11239 secret: 11240 optional: true 11241 secretName: istio-egressgateway-certs 11242 - name: egressgateway-ca-certs 11243 secret: 11244 optional: true 11245 secretName: istio-egressgateway-ca-certs 11246 11247 --- 11248 apiVersion: apps/v1 11249 kind: Deployment 11250 metadata: 11251 labels: 11252 app: istio-ingressgateway 11253 install.operator.istio.io/owning-resource: unknown 11254 istio: ingressgateway 11255 istio.io/rev: default 11256 operator.istio.io/component: IngressGateways 11257 release: istio 11258 name: istio-ingressgateway 11259 namespace: istio-system 11260 spec: 11261 selector: 11262 matchLabels: 11263 app: istio-ingressgateway 11264 
istio: ingressgateway 11265 strategy: 11266 rollingUpdate: 11267 maxSurge: 100% 11268 maxUnavailable: 25% 11269 template: 11270 metadata: 11271 annotations: 11272 istio.io/rev: default 11273 prometheus.io/path: /stats/prometheus 11274 prometheus.io/port: "15020" 11275 prometheus.io/scrape: "true" 11276 sidecar.istio.io/inject: "false" 11277 labels: 11278 app: istio-ingressgateway 11279 chart: gateways 11280 heritage: Tiller 11281 install.operator.istio.io/owning-resource: unknown 11282 istio: ingressgateway 11283 istio.io/rev: default 11284 operator.istio.io/component: IngressGateways 11285 release: istio 11286 service.istio.io/canonical-name: istio-ingressgateway 11287 service.istio.io/canonical-revision: latest 11288 sidecar.istio.io/inject: "false" 11289 spec: 11290 affinity: 11291 nodeAffinity: 11292 preferredDuringSchedulingIgnoredDuringExecution: null 11293 requiredDuringSchedulingIgnoredDuringExecution: null 11294 containers: 11295 - args: 11296 - proxy 11297 - router 11298 - --domain 11299 - $(POD_NAMESPACE).svc.cluster.local 11300 - --proxyLogLevel=warning 11301 - --proxyComponentLogLevel=misc:error 11302 - --log_output_level=default:info 11303 env: 11304 - name: JWT_POLICY 11305 value: third-party-jwt 11306 - name: PILOT_CERT_PROVIDER 11307 value: istiod 11308 - name: CA_ADDR 11309 value: istiod.istio-system.svc:15012 11310 - name: NODE_NAME 11311 valueFrom: 11312 fieldRef: 11313 apiVersion: v1 11314 fieldPath: spec.nodeName 11315 - name: POD_NAME 11316 valueFrom: 11317 fieldRef: 11318 apiVersion: v1 11319 fieldPath: metadata.name 11320 - name: POD_NAMESPACE 11321 valueFrom: 11322 fieldRef: 11323 apiVersion: v1 11324 fieldPath: metadata.namespace 11325 - name: INSTANCE_IP 11326 valueFrom: 11327 fieldRef: 11328 apiVersion: v1 11329 fieldPath: status.podIP 11330 - name: HOST_IP 11331 valueFrom: 11332 fieldRef: 11333 apiVersion: v1 11334 fieldPath: status.hostIP 11335 - name: ISTIO_CPU_LIMIT 11336 valueFrom: 11337 resourceFieldRef: 11338 resource: limits.cpu 
11339 - name: SERVICE_ACCOUNT 11340 valueFrom: 11341 fieldRef: 11342 fieldPath: spec.serviceAccountName 11343 - name: ISTIO_META_WORKLOAD_NAME 11344 value: istio-ingressgateway 11345 - name: ISTIO_META_OWNER 11346 value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway 11347 - name: ISTIO_META_MESH_ID 11348 value: cluster.local 11349 - name: TRUST_DOMAIN 11350 value: cluster.local 11351 - name: ISTIO_META_UNPRIVILEGED_POD 11352 value: "true" 11353 - name: ISTIO_META_CLUSTER_ID 11354 value: Kubernetes 11355 - name: ISTIO_META_NODE_NAME 11356 valueFrom: 11357 fieldRef: 11358 fieldPath: spec.nodeName 11359 image: gcr.io/istio-testing/proxyv2:latest 11360 name: istio-proxy 11361 ports: 11362 - containerPort: 15021 11363 protocol: TCP 11364 - containerPort: 8080 11365 protocol: TCP 11366 - containerPort: 8443 11367 protocol: TCP 11368 - containerPort: 15090 11369 name: http-envoy-prom 11370 protocol: TCP 11371 readinessProbe: 11372 failureThreshold: 30 11373 httpGet: 11374 path: /healthz/ready 11375 port: 15021 11376 scheme: HTTP 11377 initialDelaySeconds: 1 11378 periodSeconds: 2 11379 successThreshold: 1 11380 timeoutSeconds: 1 11381 resources: 11382 limits: 11383 cpu: 2000m 11384 memory: 1024Mi 11385 requests: 11386 cpu: 100m 11387 memory: 128Mi 11388 securityContext: 11389 allowPrivilegeEscalation: false 11390 capabilities: 11391 drop: 11392 - ALL 11393 privileged: false 11394 readOnlyRootFilesystem: true 11395 volumeMounts: 11396 - mountPath: /var/run/secrets/workload-spiffe-uds 11397 name: workload-socket 11398 - mountPath: /var/run/secrets/credential-uds 11399 name: credential-socket 11400 - mountPath: /var/run/secrets/workload-spiffe-credentials 11401 name: workload-certs 11402 - mountPath: /etc/istio/proxy 11403 name: istio-envoy 11404 - mountPath: /etc/istio/config 11405 name: config-volume 11406 - mountPath: /var/run/secrets/istio 11407 name: istiod-ca-cert 11408 - mountPath: /var/run/secrets/tokens 11409 name: istio-token 
11410 readOnly: true 11411 - mountPath: /var/lib/istio/data 11412 name: istio-data 11413 - mountPath: /etc/istio/pod 11414 name: podinfo 11415 - mountPath: /etc/istio/ingressgateway-certs 11416 name: ingressgateway-certs 11417 readOnly: true 11418 - mountPath: /etc/istio/ingressgateway-ca-certs 11419 name: ingressgateway-ca-certs 11420 readOnly: true 11421 securityContext: 11422 runAsGroup: 1337 11423 runAsNonRoot: true 11424 runAsUser: 1337 11425 serviceAccountName: istio-ingressgateway-service-account 11426 volumes: 11427 - emptyDir: {} 11428 name: workload-socket 11429 - emptyDir: {} 11430 name: credential-socket 11431 - emptyDir: {} 11432 name: workload-certs 11433 - configMap: 11434 name: istio-ca-root-cert 11435 name: istiod-ca-cert 11436 - downwardAPI: 11437 items: 11438 - fieldRef: 11439 fieldPath: metadata.labels 11440 path: labels 11441 - fieldRef: 11442 fieldPath: metadata.annotations 11443 path: annotations 11444 name: podinfo 11445 - emptyDir: {} 11446 name: istio-envoy 11447 - emptyDir: {} 11448 name: istio-data 11449 - name: istio-token 11450 projected: 11451 sources: 11452 - serviceAccountToken: 11453 audience: istio-ca 11454 expirationSeconds: 43200 11455 path: istio-token 11456 - configMap: 11457 name: istio 11458 optional: true 11459 name: config-volume 11460 - name: ingressgateway-certs 11461 secret: 11462 optional: true 11463 secretName: istio-ingressgateway-certs 11464 - name: ingressgateway-ca-certs 11465 secret: 11466 optional: true 11467 secretName: istio-ingressgateway-ca-certs 11468 11469 --- 11470 apiVersion: apps/v1 11471 kind: Deployment 11472 metadata: 11473 labels: 11474 app: istiod 11475 install.operator.istio.io/owning-resource: unknown 11476 istio: pilot 11477 istio.io/rev: default 11478 operator.istio.io/component: Pilot 11479 release: istio 11480 name: istiod 11481 namespace: istio-system 11482 spec: 11483 selector: 11484 matchLabels: 11485 istio: pilot 11486 strategy: 11487 rollingUpdate: 11488 maxSurge: 100% 11489 
maxUnavailable: 25% 11490 template: 11491 metadata: 11492 annotations: 11493 ambient.istio.io/redirection: disabled 11494 prometheus.io/port: "15014" 11495 prometheus.io/scrape: "true" 11496 sidecar.istio.io/inject: "false" 11497 labels: 11498 app: istiod 11499 install.operator.istio.io/owning-resource: unknown 11500 istio: pilot 11501 istio.io/rev: default 11502 operator.istio.io/component: Pilot 11503 sidecar.istio.io/inject: "false" 11504 spec: 11505 containers: 11506 - args: 11507 - discovery 11508 - --monitoringAddr=:15014 11509 - --log_output_level=default:info 11510 - --domain 11511 - cluster.local 11512 - --keepaliveMaxServerConnectionAge 11513 - 30m 11514 env: 11515 - name: REVISION 11516 value: default 11517 - name: JWT_POLICY 11518 value: third-party-jwt 11519 - name: PILOT_CERT_PROVIDER 11520 value: istiod 11521 - name: POD_NAME 11522 valueFrom: 11523 fieldRef: 11524 apiVersion: v1 11525 fieldPath: metadata.name 11526 - name: POD_NAMESPACE 11527 valueFrom: 11528 fieldRef: 11529 apiVersion: v1 11530 fieldPath: metadata.namespace 11531 - name: SERVICE_ACCOUNT 11532 valueFrom: 11533 fieldRef: 11534 apiVersion: v1 11535 fieldPath: spec.serviceAccountName 11536 - name: KUBECONFIG 11537 value: /var/run/secrets/remote/config 11538 - name: PILOT_TRACE_SAMPLING 11539 value: "1" 11540 - name: PILOT_ENABLE_ANALYSIS 11541 value: "false" 11542 - name: CLUSTER_ID 11543 value: Kubernetes 11544 - name: GOMEMLIMIT 11545 valueFrom: 11546 resourceFieldRef: 11547 resource: limits.memory 11548 - name: GOMAXPROCS 11549 valueFrom: 11550 resourceFieldRef: 11551 resource: limits.cpu 11552 - name: PLATFORM 11553 value: "" 11554 image: gcr.io/istio-testing/pilot:latest 11555 name: discovery 11556 ports: 11557 - containerPort: 8080 11558 protocol: TCP 11559 - containerPort: 15010 11560 protocol: TCP 11561 - containerPort: 15017 11562 protocol: TCP 11563 readinessProbe: 11564 httpGet: 11565 path: /ready 11566 port: 8080 11567 initialDelaySeconds: 1 11568 periodSeconds: 3 11569 
timeoutSeconds: 5 11570 resources: 11571 requests: 11572 cpu: 500m 11573 memory: 2048Mi 11574 securityContext: 11575 allowPrivilegeEscalation: false 11576 capabilities: 11577 drop: 11578 - ALL 11579 readOnlyRootFilesystem: true 11580 runAsNonRoot: true 11581 volumeMounts: 11582 - mountPath: /var/run/secrets/tokens 11583 name: istio-token 11584 readOnly: true 11585 - mountPath: /var/run/secrets/istio-dns 11586 name: local-certs 11587 - mountPath: /etc/cacerts 11588 name: cacerts 11589 readOnly: true 11590 - mountPath: /var/run/secrets/remote 11591 name: istio-kubeconfig 11592 readOnly: true 11593 - mountPath: /var/run/secrets/istiod/tls 11594 name: istio-csr-dns-cert 11595 readOnly: true 11596 - mountPath: /var/run/secrets/istiod/ca 11597 name: istio-csr-ca-configmap 11598 readOnly: true 11599 serviceAccountName: istiod 11600 volumes: 11601 - emptyDir: 11602 medium: Memory 11603 name: local-certs 11604 - name: istio-token 11605 projected: 11606 sources: 11607 - serviceAccountToken: 11608 audience: istio-ca 11609 expirationSeconds: 43200 11610 path: istio-token 11611 - name: cacerts 11612 secret: 11613 optional: true 11614 secretName: cacerts 11615 - name: istio-kubeconfig 11616 secret: 11617 optional: true 11618 secretName: istio-kubeconfig 11619 - name: istio-csr-dns-cert 11620 secret: 11621 optional: true 11622 secretName: istiod-tls 11623 - configMap: 11624 defaultMode: 420 11625 name: istio-ca-root-cert 11626 optional: true 11627 name: istio-csr-ca-configmap 11628 11629 --- 11630 apiVersion: policy/v1 11631 kind: PodDisruptionBudget 11632 metadata: 11633 labels: 11634 app: istio-egressgateway 11635 install.operator.istio.io/owning-resource: unknown 11636 istio: egressgateway 11637 istio.io/rev: default 11638 operator.istio.io/component: EgressGateways 11639 release: istio 11640 name: istio-egressgateway 11641 namespace: istio-system 11642 spec: 11643 minAvailable: 1 11644 selector: 11645 matchLabels: 11646 app: istio-egressgateway 11647 istio: egressgateway 

---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway

---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  labels:
    app: istiod
    install.operator.istio.io/owning-resource: unknown
    istio: pilot
    istio.io/rev: default
    operator.istio.io/component: Pilot
    release: istio
  name: istiod
  namespace: istio-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: istiod
      istio: pilot

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: EgressGateways
    release: istio
  name: istio-egressgateway-sds
  namespace: istio-system
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway-sds
  namespace: istio-system
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod
  namespace: istio-system
rules:
- apiGroups:
  - networking.istio.io
  resources:
  - gateways
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - watch
  - list
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - update
  - patch
  - create

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: EgressGateways
    release: istio
  name: istio-egressgateway-sds
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-egressgateway-sds
subjects:
- kind: ServiceAccount
  name: istio-egressgateway-service-account

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway-sds
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
- kind: ServiceAccount
  name: istio-ingressgateway-service-account

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istiod
subjects:
- kind: ServiceAccount
  name: istiod
  namespace: istio-system

---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: istio-egressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: egressgateway
    istio.io/rev: default
    operator.istio.io/component: EgressGateways
    release: istio
  name: istio-egressgateway
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 80
        type: Utilization
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-egressgateway

---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 80
        type: Utilization
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway

---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: istiod
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: Pilot
    release: istio
  name: istiod
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 80
        type: Utilization
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istiod

---
apiVersion: v1
kind: Service
metadata:
  annotations: null
  labels:
    app: istio-egressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: egressgateway
    istio.io/rev: default
    operator.istio.io/component: EgressGateways
    release: istio
  name: istio-egressgateway
  namespace: istio-system
spec:
  ports:
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    app: istio-egressgateway
    istio: egressgateway
  type: ClusterIP

---
apiVersion: v1
kind: Service
metadata:
  annotations: null
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  ports:
  - name: status-port
    port: 15021
    protocol: TCP
    targetPort: 15021
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  type: LoadBalancer

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: istiod
    install.operator.istio.io/owning-resource: unknown
    istio: pilot
    istio.io/rev: default
    operator.istio.io/component: Pilot
    release: istio
  name: istiod
  namespace: istio-system
spec:
  ports:
  - name: grpc-xds
    port: 15010
    protocol: TCP
  - name: https-dns
    port: 15012
    protocol: TCP
  - name: https-webhook
    port: 443
    protocol: TCP
    targetPort: 15017
  - name: http-monitoring
    port: 15014
    protocol: TCP
  selector:
    app: istiod
    istio: pilot

---