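// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package features

import (
	"strings"
	"time"

	"istio.io/istio/pkg/config/constants"
	"istio.io/istio/pkg/env"
	"istio.io/istio/pkg/jwt"
	"istio.io/istio/pkg/util/sets"
)

// Every variable below is read once from the process environment during package
// initialization via env.Register(...).Get(); changing the environment after
// startup has no effect on the running istiod.
var (
	// HTTP10 will add "accept_http_10" to http outbound listeners. Can also be set only for specific sidecars via meta.
	HTTP10 = env.Register(
		"PILOT_HTTP10",
		false,
		"Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.",
	).Get()

	// ScopeGatewayToNamespace limits a gateway workload to gateway resources in its own namespace
	// (PILOT_SCOPE_GATEWAY_TO_NAMESPACE).
	ScopeGatewayToNamespace = env.Register(
		"PILOT_SCOPE_GATEWAY_TO_NAMESPACE",
		false,
		"If enabled, a gateway workload can only select gateway resources in the same namespace. "+
			"Gateways with same selectors in different namespaces will not be applicable.",
	).Get()

	// JwksFetchMode selects which component fetches JWKs for RequestAuthentication
	// (PILOT_JWT_ENABLE_REMOTE_JWKS); the raw string is mapped by jwt.ConvertToJwksFetchMode.
	JwksFetchMode = func() jwt.JwksFetchMode {
		v := env.Register(
			"PILOT_JWT_ENABLE_REMOTE_JWKS",
			"false",
			"Mode of fetching JWKs from JwksUri in RequestAuthentication. Supported value: "+
				"istiod, false, hybrid, true, envoy. The client fetching JWKs is as following: "+
				"istiod/false - Istiod; hybrid/true - Envoy and fallback to Istiod if JWKs server is external; "+
				"envoy - Envoy.",
		).Get()
		return jwt.ConvertToJwksFetchMode(v)
	}()

	// IstiodServiceCustomHost allows the user to bring a custom address or multiple custom addresses for the istiod server,
	// for example: 1. istiod.mycompany.com 2. istiod.mycompany.com,istiod-canary.mycompany.com
	IstiodServiceCustomHost = env.Register("ISTIOD_CUSTOM_HOST", "",
		"Custom host name of istiod that istiod signs the server cert. "+
			"Multiple custom host names are supported, and multiple values are separated by commas.").Get()

	// PilotCertProvider names the provider of the Pilot DNS certificate (PILOT_CERT_PROVIDER);
	// defaults to constants.CertProviderIstiod.
	PilotCertProvider = env.Register("PILOT_CERT_PROVIDER", constants.CertProviderIstiod,
		"The provider of Pilot DNS certificate.").Get()

	// ClusterName identifies the cluster and service registry this Istiod instance belongs to (CLUSTER_ID).
	ClusterName = env.Register("CLUSTER_ID", constants.DefaultClusterName,
		"Defines the cluster and service registry that this Istiod instance belongs to").Get()

	// ExternalIstiod makes one Istiod control remote clusters, including acting as their CA (EXTERNAL_ISTIOD).
	ExternalIstiod = env.Register("EXTERNAL_ISTIOD", false,
		"If this is set to true, one Istiod will control remote clusters including CA.").Get()

	// EnableCAServer controls whether istiod creates its CA server (ENABLE_CA_SERVER).
	EnableCAServer = env.Register("ENABLE_CA_SERVER", true,
		"If this is set to false, will not create CA server in istiod.").Get()

	// EnableDebugOnHTTP controls whether the debug interface is served (ENABLE_DEBUG_ON_HTTP).
	// Defaults to true; the description recommends turning it off for production.
	EnableDebugOnHTTP = env.Register("ENABLE_DEBUG_ON_HTTP", true,
		"If this is set to false, the debug interface will not be enabled, recommended for production").Get()

	// EnableUnsafeAdminEndpoints exposes dangerous admin endpoints on the debug interface
	// (UNSAFE_ENABLE_ADMIN_ENDPOINTS). It is one of the inputs to UnsafeFeaturesEnabled.
	EnableUnsafeAdminEndpoints = env.Register("UNSAFE_ENABLE_ADMIN_ENDPOINTS", false,
		"If this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.").Get()

	// EnableServiceEntrySelectPods lets ServiceEntries with selectors select pods from the cluster
	// (PILOT_ENABLE_SERVICEENTRY_SELECT_PODS).
	EnableServiceEntrySelectPods = env.Register("PILOT_ENABLE_SERVICEENTRY_SELECT_PODS", true,
		"If enabled, service entries with selectors will select pods from the cluster. "+
			"It is safe to disable it if you are quite sure you don't need this feature").Get()

	// EnableK8SServiceSelectWorkloadEntries lets Kubernetes Services with selectors select WorkloadEntries
	// with matching labels (PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES). Registered through the generic
	// env.Register like every other bool flag in this block.
	EnableK8SServiceSelectWorkloadEntries = env.Register("PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES", true,
		"If enabled, Kubernetes services with selectors will select workload entries with matching labels. "+
			"It is safe to disable it if you are quite sure you don't need this feature").Get()

	// InjectionWebhookConfigName is the mutatingwebhookconfiguration to patch when istioctl is not used
	// (INJECTION_WEBHOOK_CONFIG_NAME).
	InjectionWebhookConfigName = env.Register("INJECTION_WEBHOOK_CONFIG_NAME", "istio-sidecar-injector",
		"Name of the mutatingwebhookconfiguration to patch, if istioctl is not used.").Get()

	// ValidationWebhookConfigName is the validatingwebhookconfiguration patched when the CA certificate changes
	// (VALIDATION_WEBHOOK_CONFIG_NAME); an empty value disables the patching.
	ValidationWebhookConfigName = env.Register("VALIDATION_WEBHOOK_CONFIG_NAME", "istio-istio-system",
		"If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. "+
			"Only works in kubernetes environment.").Get()

	// RemoteClusterTimeout bounds how long pilot waits for remote-secret clusters to sync before it can report ready
	// (PILOT_REMOTE_CLUSTER_TIMEOUT); 0 disables the timeout.
	RemoteClusterTimeout = env.Register(
		"PILOT_REMOTE_CLUSTER_TIMEOUT",
		30*time.Second,
		"After this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. "+
			"Setting the timeout to 0 disables this behavior.",
	).Get()

	// DisableMxALPN stops pilot from adding the istio-peer-exchange ALPN to TLS handshake configuration
	// (PILOT_DISABLE_MX_ALPN).
	DisableMxALPN = env.Register("PILOT_DISABLE_MX_ALPN", false,
		"If true, pilot will not put istio-peer-exchange ALPN into TLS handshake configuration.",
	).Get()

	// ALPNFilter controls whether pilot adds the Istio ALPN filters used for protocol sniffing (PILOT_ENABLE_ALPN_FILTER).
	ALPNFilter = env.Register("PILOT_ENABLE_ALPN_FILTER", true,
		"If true, pilot will add Istio ALPN filters, required for proper protocol sniffing.",
	).Get()

	// WorkloadEntryAutoRegistration enables auto-registering WorkloadEntries from WorkloadGroups on XDS connection
	// (PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION).
	WorkloadEntryAutoRegistration = env.Register("PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION", true,
		"Enables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.").Get()

	// WorkloadEntryCleanupGracePeriod is how long an auto-registered workload may stay disconnected from every
	// Pilot instance before its WorkloadEntry is removed (PILOT_WORKLOAD_ENTRY_GRACE_PERIOD).
	WorkloadEntryCleanupGracePeriod = env.Register("PILOT_WORKLOAD_ENTRY_GRACE_PERIOD", 10*time.Second,
		"The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the "+
			"associated WorkloadEntry is cleaned up.").Get()

	// WorkloadEntryHealthChecks enables health checks of WorkloadEntries per the associated WorkloadGroup config
	// (PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKS).
	WorkloadEntryHealthChecks = env.Register("PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKS", true,
		"Enables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup").Get()

	// WorkloadEntryCrossCluster lets pilot read WorkloadEntries from other clusters (PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY).
	WorkloadEntryCrossCluster = env.Register("PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY", true,
		"If enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.").Get()

	// WasmRemoteLoadConversion makes the agent download Wasm modules referenced in ECDS updates and rewrite the
	// remote load to point at the local file (ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSION).
	WasmRemoteLoadConversion = env.Register("ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSION", true,
		"If enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, "+
			"and replaces Wasm module remote load with downloaded local module file.").Get()

	// PilotJwtPubKeyRefreshInterval is how often istiod re-fetches jwks_uri public keys (PILOT_JWT_PUB_KEY_REFRESH_INTERVAL).
	PilotJwtPubKeyRefreshInterval = env.Register(
		"PILOT_JWT_PUB_KEY_REFRESH_INTERVAL",
		20*time.Minute,
		"The interval for istiod to fetch the jwks_uri for the jwks public key.",
	).Get()

	// EnableNodeUntaintControllers runs the controller that untaints nodes once CNI pods are ready
	// (PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS); intended for deployments with ambient init containers disabled.
	EnableNodeUntaintControllers = env.Register(
		"PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS",
		false,
		"If enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.").Get()

	// EnableUnsafeAssertions enables runtime checks to test assertions in our code. This should never be enabled in
	// production; when assertions fail Istio will panic. It is one of the inputs to UnsafeFeaturesEnabled.
	EnableUnsafeAssertions = env.Register(
		"UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONS",
		false,
		"If enabled, additional runtime asserts will be performed. "+
			"These checks are both expensive and panic on failure. As a result, this should be used only for testing.",
	).Get()

	// EnableUnsafeDeltaTest enables runtime checks to test Delta XDS efficiency. This should never be enabled in
	// production. It is one of the inputs to UnsafeFeaturesEnabled.
	EnableUnsafeDeltaTest = env.Register(
		"UNSAFE_PILOT_ENABLE_DELTA_TEST",
		false,
		"If enabled, additional runtime tests for Delta XDS efficiency are added. "+
			"These checks are extremely expensive, so this should be used only for testing, not production.",
	).Get()

	// SharedMeshConfig names an additional config map holding shared MeshConfig settings (SHARED_MESH_CONFIG);
	// the standard mesh config takes precedence.
	SharedMeshConfig = env.Register("SHARED_MESH_CONFIG", "",
		"Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.").Get()

	// MultiRootMesh allows ISTIO_MUTUAL mTLS certificates signed by more than one trust anchor (ISTIO_MULTIROOT_MESH).
	MultiRootMesh = env.Register("ISTIO_MULTIROOT_MESH", false,
		"If enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS").Get()

	// EnableEnvoyFilterMetrics collects metrics for EnvoyFilter operations (PILOT_ENVOY_FILTER_STATS).
	EnableEnvoyFilterMetrics = env.Register("PILOT_ENVOY_FILTER_STATS", false,
		"If true, Pilot will collect metrics for envoy filter operations.").Get()

	// EnableRouteCollapse merges virtual hosts with identical routes into a single one (PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATION).
	EnableRouteCollapse = env.Register("PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATION", true,
		"If true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization.").Get()

	// MulticlusterHeadlessEnabled resolves headless-service DNS names to same-network endpoints in any cluster
	// (ENABLE_MULTICLUSTER_HEADLESS).
	MulticlusterHeadlessEnabled = env.Register("ENABLE_MULTICLUSTER_HEADLESS", true,
		"If true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster.").Get()

	// ResolveHostnameGateways resolves hostnames found in Service LoadBalancer addresses at the control plane
	// for use by cross-network gateways (RESOLVE_HOSTNAME_GATEWAYS).
	ResolveHostnameGateways = env.Register("RESOLVE_HOSTNAME_GATEWAYS", true,
		"If true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways.").Get()

	// MultiNetworkGatewayAPI discovers labeled Kubernetes Gateway objects as multi-network gateways
	// (PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API).
	MultiNetworkGatewayAPI = env.Register("PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API", false,
		"If true, Pilot will discover labeled Kubernetes gateway objects as multi-network gateways.").Get()

	// InsecureKubeConfigOptions is the allowlist of potentially insecure kubeconfig authentication options
	// accepted for multicluster secrets (PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS), parsed from a
	// comma-separated list. The value is split verbatim: entries are not whitespace-trimmed, and an unset
	// variable yields a set holding the single empty string (strings.Split("", ",") returns [""]).
	InsecureKubeConfigOptions = func() sets.String {
		v := env.Register(
			"PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS",
			"",
			"Comma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication. "+
				"Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), "+
				"`clientKey`, `clientCertificate`, `tokenFile`, and `exec`.").Get()
		return sets.New(strings.Split(v, ",")...)
	}()

	// CanonicalServiceForMeshExternalServiceEntry populates canonical-service metadata for mesh_external
	// ServiceEntry endpoints (LABEL_CANONICAL_SERVICES_FOR_MESH_EXTERNAL_SERVICE_ENTRIES).
	CanonicalServiceForMeshExternalServiceEntry = env.Register("LABEL_CANONICAL_SERVICES_FOR_MESH_EXTERNAL_SERVICE_ENTRIES", false,
		"If enabled, metadata representing canonical services for ServiceEntry resources with a location of mesh_external will be populated "+
			"in the cluster metadata for those endpoints.").Get()

	// LocalClusterSecretWatcher makes the cluster secret watcher watch the external cluster's namespace instead of
	// the config cluster (LOCAL_CLUSTER_SECRET_WATCHER).
	LocalClusterSecretWatcher = env.Register("LOCAL_CLUSTER_SECRET_WATCHER", false,
		"If enabled, the cluster secret watcher will watch the namespace of the external cluster instead of config cluster").Get()

	// InformerWatchNamespace restricts Kubernetes watches to one namespace when set (ISTIO_WATCH_NAMESPACE).
	InformerWatchNamespace = env.Register("ISTIO_WATCH_NAMESPACE", "",
		"If set, limit Kubernetes watches to a single namespace. "+
			"Warning: only a single namespace can be set.").Get()

	// KubernetesClientContentType selects the wire format used by Kubernetes clients (ISTIO_KUBE_CLIENT_CONTENT_TYPE).
	// This is a feature flag, can be removed if protobuf proves universally better.
	KubernetesClientContentType = env.Register("ISTIO_KUBE_CLIENT_CONTENT_TYPE", "protobuf",
		"The content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]").Get()

	// EnableExternalNameAlias treats ExternalName Services as plain aliases of the concrete service
	// (ENABLE_EXTERNAL_NAME_ALIAS); the description spells out the consequences of disabling it.
	EnableExternalNameAlias = env.Register("ENABLE_EXTERNAL_NAME_ALIAS", true,
		"If enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, "+
			"we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) "+
			"cannot be applied to the ExternalName service. "+
			"If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, "+
			"all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; "+
			"even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.").Get()

	// ValidateWorkloadEntryIdentity checks that a workload's identity matches the WorkloadEntry it associates with
	// for health checks and auto registration (ISTIO_WORKLOAD_ENTRY_VALIDATE_IDENTITY). Kept only for backwards
	// compatibility; turning it off removes that identity check.
	ValidateWorkloadEntryIdentity = env.Register("ISTIO_WORKLOAD_ENTRY_VALIDATE_IDENTITY", true,
		"If enabled, will validate the identity of a workload matches the identity of the "+
			"WorkloadEntry it is associating with for health checks and auto registration. "+
			"This flag is added for backwards compatibility only and will be removed in future releases").Get()

	// JwksResolverInsecureSkipVerify disables certificate verification toward the JWKS server
	// (JWKS_RESOLVER_INSECURE_SKIP_VERIFY). When true, the signing keys istiod fetches are no longer bound to an
	// authenticated server, so this belongs in test environments only.
	JwksResolverInsecureSkipVerify = env.Register("JWKS_RESOLVER_INSECURE_SKIP_VERIFY", false,
		"If enabled, istiod will skip verifying the certificate of the JWKS server.").Get()

	// EnableSelectorBasedK8sGatewayPolicy lets Gateway API gateways honor workloadSelector policies in addition to
	// targetRef ones (ENABLE_SELECTOR_BASED_K8S_GATEWAY_POLICY).
	EnableSelectorBasedK8sGatewayPolicy = env.Register("ENABLE_SELECTOR_BASED_K8S_GATEWAY_POLICY", true,
		"If disabled, Gateway API gateways will ignore workloadSelector policies, only "+
			"applying policies that select the gateway with a targetRef.").Get()

	// EnableAdditionalIpv4OutboundListenerForIpv6Only adds an IPv4 outbound listener in IPv6-only clusters
	// (ISTIO_ENABLE_IPV4_OUTBOUND_LISTENER_FOR_IPV6_CLUSTERS).
	// Useful for IPv6-only EKS clusters. See https://aws.github.io/aws-eks-best-practices/networking/ipv6/ why it assigns an additional IPv4 NAT address.
	// Also see https://github.com/istio/istio/issues/46719 why this flag is required.
	EnableAdditionalIpv4OutboundListenerForIpv6Only = env.Register("ISTIO_ENABLE_IPV4_OUTBOUND_LISTENER_FOR_IPV6_CLUSTERS", false,
		"If true, pilot will configure an additional IPv4 listener for outbound traffic in IPv6 only clusters, e.g. AWS EKS IPv6 only clusters.").Get()

	// EnableAutoSni sets SNI automatically when DestinationRules do not (ENABLE_AUTO_SNI).
	EnableAutoSni = env.Register("ENABLE_AUTO_SNI", true,
		"If enabled, automatically set SNI when `DestinationRules` do not specify the same").Get()

	// VerifyCertAtClient verifies certificates received by the proxy against the OS CA bundle (VERIFY_CERTIFICATE_AT_CLIENT).
	VerifyCertAtClient = env.Register("VERIFY_CERTIFICATE_AT_CLIENT", true,
		"If enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.").Get()

	// EnableVtprotobuf uses vtprotobuf marshaling; requires a build with -tags=vtprotobuf (ENABLE_VTPROTOBUF).
	EnableVtprotobuf = env.Register("ENABLE_VTPROTOBUF", true,
		"If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.").Get()

	// GatewayAPIDefaultGatewayClass is the name of the default GatewayClass (PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME).
	GatewayAPIDefaultGatewayClass = env.Register("PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME", "istio",
		"Name of the default GatewayClass").Get()

	// ManagedGatewayController is the Gateway API controller name istiod reconciles for (PILOT_GATEWAY_API_CONTROLLER_NAME).
	ManagedGatewayController = env.Register("PILOT_GATEWAY_API_CONTROLLER_NAME", "istio.io/gateway-controller",
		"Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name").Get()
)

// UnsafeFeaturesEnabled returns true if any unsafe features are enabled.
// It covers only the UNSAFE_-prefixed flags (admin endpoints, runtime assertions, delta test);
// other risk-bearing options such as JwksResolverInsecureSkipVerify are not part of this check.
func UnsafeFeaturesEnabled() bool {
	return EnableUnsafeAdminEndpoints || EnableUnsafeAssertions || EnableUnsafeDeltaTest
}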