diff --git a/README.md b/README.md
index a0d95e98d3..ea6c06adf5 100644
--- a/README.md
+++ b/README.md
@@ -64,7 +64,7 @@ used from the different projects of Kubeflow:
| Component | Local Manifests Path | Upstream Revision |
| - | - | - |
-| Istio | common/istio-1-16 | [1.16.0](https://github.com/istio/istio/releases/tag/1.16.0) |
+| Istio | common/istio-1-17 | [1.17.3](https://github.com/istio/istio/releases/tag/1.17.3) |
| Knative | common/knative/knative-serving
common/knative/knative-eventing | [1.8.1](https://github.com/knative/serving/releases/tag/knative-v1.8.1)
[1.8.1](https://github.com/knative/eventing/releases/tag/knative-v1.8.1) |
| Cert Manager | common/cert-manager | [1.12.2](https://github.com/cert-manager/cert-manager/releases/tag/v1.12.2) |
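Review bot: the Istio row now points at `common/istio-1-17` / 1.17.3, but the `common/istio-1-16` tree stays in the repository (this diff edits its README rather than removing it), so the table documents only one of two shipped Istio trees; state in the README or the PR description whether 1.16 is kept deliberately for the transition and when it will be removed, otherwise readers following the table will not know the old tree is still present.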
@@ -162,9 +162,9 @@ network authorization and implement routing policies.
Install Istio:
```sh
-kustomize build common/istio-1-16/istio-crds/base | kubectl apply -f -
-kustomize build common/istio-1-16/istio-namespace/base | kubectl apply -f -
-kustomize build common/istio-1-16/istio-install/base | kubectl apply -f -
+kustomize build common/istio-1-17/istio-crds/base | kubectl apply -f -
+kustomize build common/istio-1-17/istio-namespace/base | kubectl apply -f -
+kustomize build common/istio-1-17/istio-install/base | kubectl apply -f -
```
#### Dex
@@ -193,7 +193,7 @@ Install Knative Serving:
```sh
kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f -
-kustomize build common/istio-1-16/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-1-17/cluster-local-gateway/base | kubectl apply -f -
```
Optionally, you can install Knative Eventing which can be used for inference request logging:
@@ -235,7 +235,7 @@ well.
Install istio resources:
```sh
-kustomize build common/istio-1-16/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio-1-17/kubeflow-istio-resources/base | kubectl apply -f -
```
#### Kubeflow Pipelines
diff --git a/common/istio-1-16/README.md b/common/istio-1-16/README.md
index 6506c37a29..b8746d7cb3 100644
--- a/common/istio-1-16/README.md
+++ b/common/istio-1-16/README.md
@@ -27,7 +27,7 @@ old version is `X1.Y1.Z1`:
CustomResource used to describe the Istio Control Plane:
$ cd $ISTIO_NEW
- $ istioctl profile dump demo > profile.yaml
+ $ istioctl profile dump default > profile.yaml
---
**NOTE**
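Review bot: changing `demo` to `default` on the `istioctl profile dump` line rewrites the documentation of the already-shipped 1.16 tree rather than the new 1.17 one; if the 1.16 manifests were in fact generated from `demo`, this makes the 1.16 README wrong, and if they were generated from `default` and the README was the error, the commit message should say so, because the profile decides which components (egress gateway, tracing) the overlay has to remove.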
@@ -94,10 +94,10 @@ old version is `X1.Y1.Z1`:
### Changes to the upstream IstioOperator profile
-Changes to Istio's upstream profile `demo` are the following:
+Changes to Istio's upstream profile `default` are the following:
- Add a `cluster-local-gateway` component for KFServing.
-- Disable the EgressGateway component. We don\'t use it and it adds
+- Disable the EgressGateway component. We don't use it and it adds
unnecessary complexity.
Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml)
diff --git a/common/istio-1-17/README.md b/common/istio-1-17/README.md
new file mode 100644
index 0000000000..88e82efe72
--- /dev/null
+++ b/common/istio-1-17/README.md
@@ -0,0 +1,122 @@
+# Istio
+
+## Upgrade Istio Manifests
+
+Istio ships with an installer called `istioctl`, which is a deployment /
+debugging / configuration management tool for Istio all in one package.
+In this section, we explain how to upgrade our istio kustomize packages
+by leveraging `istioctl`. Assuming the new version is `X.Y.Z` and the
+old version is `X1.Y1.Z1`:
+
+1. Make a copy of the old istio manifests tree, which will become the
+ kustomization for the new Istio version:
+
+ $ export MANIFESTS_SRC=
+ $ export ISTIO_OLD=$MANIFESTS_SRC/common/istio-X1-Y1
+ $ export ISTIO_NEW=$MANIFESTS_SRC/common/istio-X-Y
+ $ cp -a $ISTIO_OLD $ISTIO_NEW
+
+2. Download `istioctl` for version `X.Y.Z`:
+
+ $ ISTIO_VERSION="X.Y.Z"
+ $ wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
+ $ tar xvfz istio-${ISTIO_VERSION}-linux-amd64.tar.gz
+ # sudo mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl
+
+3. Use `istioctl` to generate an `IstioOperator` resource, the
+ CustomResource used to describe the Istio Control Plane:
+
+ $ cd $ISTIO_NEW
+ $ istioctl profile dump default > profile.yaml
+
+ ---
+ **NOTE**
+
+ `istioctl` comes with a bunch of [predefined
+ profiles](https://istio.io/v1.9/docs/setup/additional-setup/config-profiles/)
+ (`default`, `demo`, `minimal`, etc.). The `default` profile is installed by default.
+
+ ---
+
+4. Generate manifests and add them to their respective packages. We
+ will generate manifests using `istioctl`, the
+ `profile.yaml` file from upstream and the
+ `profile-overlay.yaml` file that contains our desired
+ changes:
+
+ $ export PATH="$MANIFESTS_SRC/scripts:$PATH"
+ $ cd $ISTIO_NEW
+ $ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml
+ $ split-istio-packages -f dump.yaml
+ $ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
+ $ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base
+ $ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base
+
+ ---
+ **NOTE**
+
+ `split-istio-packages` is a python script in the same folder as this file.
+ The `ruamel.yaml` version used is 0.16.12.
+
+ `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically
+ detect default settings. Ensure you have a target cluster ready before running the above commands.
+ We set this flag because `istioctl manifest generate` generates manifest files with resources that are no
+ longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220
+
+ ---
+
+5. Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations.
+ See https://github.com/istio/istio/issues/12602 and https://github.com/istio/istio/issues/24000
+
+ Until now we have used two patches:
+ - `common/istio-1-17/istio-install/base/patches/remove-pdb.yaml`
+ - `common/istio-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml`
+
+ The above patches do not work with kustomize v3.2.0 as it doesn't have the appropriate
+ openapi schemas for the policy/v1 API version resources. This is fixed in kustomize v4+.
+ See https://github.com/kubernetes-sigs/kustomize/issues/3694#issuecomment-799700607 and
+ https://github.com/kubernetes-sigs/kustomize/issues/4495
+
+ A temporary workaround is to use the following instructions to manually delete the PodDisruptionBudget resources with `yq`:
+
+ $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "cluster-local-gateway") | not)' common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml
+ $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "istio-ingressgateway") | not)' common/istio-1-17/istio-install/base/install.yaml
+ $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "istiod") | not)' common/istio-1-17/istio-install/base/install.yaml
+
+ ---
+ **NOTE**
+
+ NOTE: Make sure to remove a redundant {} at the end of the `common/istio-1-17/istio-install/base/install.yaml` and `common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml` files.
+
+ ---
+
+6. Remove `dump.yaml`
+
+## Changes to Istio's upstream manifests
+
+### Changes to the upstream IstioOperator profile
+
+Changes to Istio's upstream profile `default` are the following:
+
+- Add a `cluster-local-gateway` component for KFServing.
+- Disable the EgressGateway component. We don't use it and it adds
+ unnecessary complexity.
+
+Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml)
+file.
+
+### Changes to the upstream manifests using kustomize
+
+The Istio kustomizations make the following changes:
+
+- Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. See:
+ - https://github.com/istio/istio/issues/12602
+ - https://github.com/istio/istio/issues/24000
+- Add EnvoyFilter for adding an `X-Forwarded-For` header in requests passing through the Istio Ingressgateway, inside the `istio-install` kustomization.
+- Add Istio AuthorizationPolicy to allow all requests to the Istio Ingressgateway and the Istio cluster-local gateway.
+- Add Istio AuthorizationPolicy in Istio's root namespace, so that sidecars deny traffic by default (explicit deny-by-default authorization model).
+- Add Gateway CRs for the Istio Ingressgateway and the Istio cluster-local gateway, as `istioctl` stopped generating them in later versions.
+- Add the istio-system namespace object to `istio-namespace`, as `istioctl` stopped generating it in later versions.
+- Configure TCP KeepAlives.
+- Disable tracing as it causes DNS breakdown. See:
+ https://github.com/istio/istio/issues/29898
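Review bot: step 5 and the first bullet under "Changes to the upstream manifests using kustomize" contradict each other: the bullet says the kustomizations remove the PodDisruptionBudgets, but step 5 says the `remove-pdb.yaml` patches do not work with kustomize v3.2.0 and instead deletes the PDBs from the generated `install.yaml` and `cluster-local-gateway.yaml` with `yq`, which is what actually ships; reword the bullet to say the PDBs are stripped from the generated manifests and the patches are kept for when kustomize v4+ is adopted. Smaller points in the same hunk: `export MANIFESTS_SRC=` in step 1 is left empty without telling the reader to fill in the checkout path; step 2 moves the downloaded `istioctl` into `/usr/local/bin` without verifying the archive against the checksum published with the release, which deserves a line since that binary then generates every manifest in this tree; the profiles link points at the v1.9 documentation while this tree is 1.17; the `--cluster-specific` note should spell out that the generated output therefore depends on the version of whatever cluster the author was connected to; and the note after step 5 reads `**NOTE**` followed by `NOTE:` twice.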
diff --git a/common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml
new file mode 100644
index 0000000000..515f38a61d
--- /dev/null
+++ b/common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml
@@ -0,0 +1,317 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cluster-local-gateway-service-account
+ namespace: istio-system
+ labels:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
+ release: istio
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: IngressGateways
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: cluster-local-gateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: cluster-local-gateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: cluster-local-gateway
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
+ strategy:
+ rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 25%
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: '15020'
+ prometheus.io/scrape: 'true'
+ sidecar.istio.io/inject: 'false'
+ labels:
+ app: cluster-local-gateway
+ chart: gateways
+ heritage: Tiller
+ install.operator.istio.io/owning-resource: unknown
+ istio: cluster-local-gateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ service.istio.io/canonical-name: cluster-local-gateway
+ service.istio.io/canonical-revision: latest
+ sidecar.istio.io/inject: 'false'
+ spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ containers:
+ - args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.cluster.local
+ - --proxyLogLevel=warning
+ - --proxyComponentLogLevel=misc:error
+ - --log_output_level=default:info
+ env:
+ - name: ISTIO_META_ROUTER_MODE
+ value: sni-dnat
+ - name: JWT_POLICY
+ value: third-party-jwt
+ - name: PILOT_CERT_PROVIDER
+ value: istiod
+ - name: CA_ADDR
+ value: istiod.istio-system.svc:15012
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.hostIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: cluster-local-gateway
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
+ - name: ISTIO_META_MESH_ID
+ value: cluster.local
+ - name: TRUST_DOMAIN
+ value: cluster.local
+ - name: ISTIO_META_UNPRIVILEGED_POD
+ value: 'true'
+ - name: ISTIO_META_CLUSTER_ID
+ value: Kubernetes
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ image: docker.io/istio/proxyv2:1.17.3
+ name: istio-proxy
+ ports:
+ - containerPort: 15020
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 15090
+ name: http-envoy-prom
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /var/run/secrets/workload-spiffe-uds
+ name: workload-socket
+ - mountPath: /var/run/secrets/credential-uds
+ name: credential-socket
+ - mountPath: /var/run/secrets/workload-spiffe-credentials
+ name: workload-certs
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ - mountPath: /etc/istio/config
+ name: config-volume
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ readOnly: true
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ - mountPath: /etc/istio/pod
+ name: podinfo
+ - mountPath: /etc/istio/ingressgateway-certs
+ name: ingressgateway-certs
+ readOnly: true
+ - mountPath: /etc/istio/ingressgateway-ca-certs
+ name: ingressgateway-ca-certs
+ readOnly: true
+ securityContext:
+ fsGroup: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ runAsUser: 1337
+ serviceAccountName: cluster-local-gateway-service-account
+ volumes:
+ - emptyDir: {}
+ name: workload-socket
+ - emptyDir: {}
+ name: credential-socket
+ - emptyDir: {}
+ name: workload-certs
+ - configMap:
+ name: istio-ca-root-cert
+ name: istiod-ca-cert
+ - downwardAPI:
+ items:
+ - fieldRef:
+ fieldPath: metadata.labels
+ path: labels
+ - fieldRef:
+ fieldPath: metadata.annotations
+ path: annotations
+ name: podinfo
+ - emptyDir: {}
+ name: istio-envoy
+ - emptyDir: {}
+ name: istio-data
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: istio-ca
+ expirationSeconds: 43200
+ path: istio-token
+ - configMap:
+ name: istio
+ optional: true
+ name: config-volume
+ - name: ingressgateway-certs
+ secret:
+ optional: true
+ secretName: istio-ingressgateway-certs
+ - name: ingressgateway-ca-certs
+ secret:
+ optional: true
+ secretName: istio-ingressgateway-ca-certs
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cluster-local-gateway-sds
+ namespace: istio-system
+ labels:
+ release: istio
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: IngressGateways
+rules:
+ - apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, watch, list]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cluster-local-gateway-sds
+ namespace: istio-system
+ labels:
+ release: istio
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: IngressGateways
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cluster-local-gateway-sds
+subjects:
+ - kind: ServiceAccount
+ name: cluster-local-gateway-service-account
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ labels:
+ app: cluster-local-gateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: cluster-local-gateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: cluster-local-gateway
+ namespace: istio-system
+spec:
+ maxReplicas: 5
+ metrics:
+ - resource:
+ name: cpu
+ target:
+ averageUtilization: 80
+ type: Utilization
+ type: Resource
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: cluster-local-gateway
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ labels:
+ app: cluster-local-gateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: cluster-local-gateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: cluster-local-gateway
+ namespace: istio-system
+spec:
+ ports:
+ - name: status-port
+ port: 15020
+ protocol: TCP
+ targetPort: 15020
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
+ type: ClusterIP
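Review bot: the `cluster-local-gateway-sds` Role near the end of the hunk grants `get`, `watch` and `list` on every Secret in istio-system to the gateway service account, which is broader than a gateway needs if, as the `PILOT_CERT_PROVIDER: istiod` and `CA_ADDR` env settings and the projected `istio-ca` token suggest, it obtains its certificates from istiod over SDS rather than reading Secrets itself; confirm the Role is still required with 1.17 and drop it if not, since any compromise of the gateway pod otherwise reads every Secret in the control-plane namespace. Also, the Deployment's `affinity.nodeAffinity` carries two empty keys (`preferredDuringSchedulingIgnoredDuringExecution:` and `requiredDuringSchedulingIgnoredDuringExecution:` with no value) and the Service has an empty `annotations:`; both are generator residue that `kubectl apply` tolerates but that should be cleaned up, as a bare `requiredDuringSchedulingIgnoredDuringExecution` reads as though a hard scheduling constraint was intended.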
diff --git a/common/istio-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
new file mode 100644
index 0000000000..4a45b0a1e0
--- /dev/null
+++ b/common/istio-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
@@ -0,0 +1,14 @@
+# Allow all traffic to the cluster-local-gateway
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: cluster-local-gateway
+spec:
+ action: ALLOW
+ selector:
+ # Same as the cluster-local-gateway Service selector
+ matchLabels:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
+ rules:
+ - {}
\ No newline at end of file
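Review bot: `rules: - {}` together with `action: ALLOW` admits every request reaching the cluster-local-gateway pods, so with the root-namespace deny-by-default policy described in the README the gateway itself performs no authorization and all protection for the services behind it must come from the destination workloads' own AuthorizationPolicies; say this in the header comment, which currently only reads "Allow all traffic to the cluster-local-gateway", so nobody takes this file for the place where access is controlled. The file also lacks a trailing newline.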
diff --git a/common/istio-1-17/cluster-local-gateway/base/gateway.yaml b/common/istio-1-17/cluster-local-gateway/base/gateway.yaml
new file mode 100644
index 0000000000..a5db160087
--- /dev/null
+++ b/common/istio-1-17/cluster-local-gateway/base/gateway.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: cluster-local-gateway
+ labels:
+ release: istio
+spec:
+ selector:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - '*'
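Review bot: the single server accepts plain HTTP on port 80 for `hosts: ['*']`; that is acceptable only because the backing Service in `cluster-local-gateway.yaml` is `type: ClusterIP` and therefore unreachable from outside the cluster, so record that assumption in a comment here, since this Gateway would become an unencrypted wildcard listener the moment someone changes the Service type.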
diff --git a/common/istio-1-17/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-17/cluster-local-gateway/base/kustomization.yaml
new file mode 100644
index 0000000000..b01420e648
--- /dev/null
+++ b/common/istio-1-17/cluster-local-gateway/base/kustomization.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright © 2020 Arrikto Inc. All Rights Reserved.
+#
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: istio-system
+
+resources:
+- cluster-local-gateway.yaml
+- gateway-authorizationpolicy.yaml
+- gateway.yaml
+
+# Disable this patch until we upgrade to kustomize to v4+
+# see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056
+# patchesStrategicMerge:
+# - patches/remove-pdb.yaml
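Review bot: the commented-out `patchesStrategicMerge` entry references `patches/remove-pdb.yaml`, which this diff adds but never applies, while the PDB removal the comment defers is actually performed by the `yq` step in the README; add a comment pointing at that README step so the kustomization explains where the removal happens. The header also copies `Copyright © 2020 Arrikto Inc.` into a file newly created for the 1.17 tree; check that this matches the repository's convention for new files.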
diff --git a/common/istio-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml
new file mode 100644
index 0000000000..7453e086c5
--- /dev/null
+++ b/common/istio-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml
@@ -0,0 +1,6 @@
+$patch: delete
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: cluster-local-gateway
+ namespace: istio-system
\ No newline at end of file
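Review bot: nothing references this patch (the `kustomization.yaml` in the same directory comments the `patchesStrategicMerge` entry out), so it ships as dead configuration until kustomize v4+ is adopted; either keep it with a note explaining that or drop it until it can be enabled. It also lacks a trailing newline.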
diff --git a/common/istio-1-17/istio-crds/base/crd.yaml b/common/istio-1-17/istio-crds/base/crd.yaml
new file mode 100644
index 0000000000..25dc3dce98
--- /dev/null
+++ b/common/istio-1-17/istio-crds/base/crd.yaml
@@ -0,0 +1,7230 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ istio: security
+ release: istio
+ name: authorizationpolicies.security.istio.io
+spec:
+ group: security.istio.io
+ names:
+ categories:
+ - istio-io
+ - security-istio-io
+ kind: AuthorizationPolicy
+ listKind: AuthorizationPolicyList
+ plural: authorizationpolicies
+ singular: authorizationpolicy
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration for access control on workloads. See more
+ details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - provider
+ - required:
+ - provider
+ properties:
+ action:
+ description: Optional.
+ enum:
+ - ALLOW
+ - DENY
+ - AUDIT
+ - CUSTOM
+ type: string
+ provider:
+ description: Specifies detailed configuration of the CUSTOM action.
+ properties:
+ name:
+ description: Specifies the name of the extension provider.
+ type: string
+ type: object
+ rules:
+ description: Optional.
+ items:
+ properties:
+ from:
+ description: Optional.
+ items:
+ properties:
+ source:
+ description: Source specifies the source of a request.
+ properties:
+ ipBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ namespaces:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notNamespaces:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notRemoteIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notRequestPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ principals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ remoteIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ requestPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ to:
+ description: Optional.
+ items:
+ properties:
+ operation:
+ description: Operation specifies the operation of a request.
+ properties:
+ hosts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ methods:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notHosts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notMethods:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPaths:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ paths:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ ports:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ when:
+ description: Optional.
+ items:
+ properties:
+ key:
+ description: The name of an Istio attribute.
+ type: string
+ notValues:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ values:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ type: object
+ type: array
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration for access control on workloads. See more
+ details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - provider
+ - required:
+ - provider
+ properties:
+ action:
+ description: Optional.
+ enum:
+ - ALLOW
+ - DENY
+ - AUDIT
+ - CUSTOM
+ type: string
+ provider:
+ description: Specifies detailed configuration of the CUSTOM action.
+ properties:
+ name:
+ description: Specifies the name of the extension provider.
+ type: string
+ type: object
+ rules:
+ description: Optional.
+ items:
+ properties:
+ from:
+ description: Optional.
+ items:
+ properties:
+ source:
+ description: Source specifies the source of a request.
+ properties:
+ ipBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ namespaces:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notNamespaces:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notRemoteIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notRequestPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ principals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ remoteIpBlocks:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ requestPrincipals:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ to:
+ description: Optional.
+ items:
+ properties:
+ operation:
+ description: Operation specifies the operation of a request.
+ properties:
+ hosts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ methods:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notHosts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notMethods:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPaths:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ paths:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ ports:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ when:
+ description: Optional.
+ items:
+ properties:
+ key:
+ description: The name of an Istio attribute.
+ type: string
+ notValues:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ values:
+ description: Optional.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ type: object
+ type: array
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: destinationrules.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: DestinationRule
+ listKind: DestinationRuleList
+ plural: destinationrules
+ shortNames:
+ - dr
+ singular: destinationrule
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: The name of a service from the service registry
+ jsonPath: .spec.host
+ name: Host
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting load balancing, outlier detection,
+ etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+ properties:
+ exportTo:
+ description: A list of namespaces to which this destination rule is
+ exported.
+ items:
+ type: string
+ type: array
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ subsets:
+ items:
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ name:
+ description: Name of the subset.
+ type: string
+ trafficPolicy:
+ description: Traffic policies that apply to this subset.
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should
+ be upgraded to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to
+ a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will
+ be preserved while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the
+ socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query
+ parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to
+ traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this
+ is DestinationRule-level and will override mesh
+ wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list
+ of labels used to sort endpoints to do priority
+ based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local
+ origin failures from external errors.
+ type: boolean
+ type: object
+ portLevelSettings:
+ description: Traffic policies specific to individual ports.
+ items:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection
+ should be upgraded to http2 for the associated
+ destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests
+ to a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream
+ connection pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per
+ connection to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol
+ will be preserved while initiating connection
+ to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and
+ TCP upstream connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP
+ connections to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE
+ on the socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between
+ keep-alive probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer
+ algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP
+ header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP
+ query parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev
+ hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend
+ hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/'
+ separated, e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities
+ to traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing,
+ this is DestinationRule-level and will override
+ mesh wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered
+ list of labels used to sort endpoints to
+ do priority based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of
+ Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a
+ host is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep
+ analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish
+ local origin failures from external errors.
+ type: boolean
+ type: object
+ port:
+ properties:
+ number:
+ type: integer
+ type: object
+ tls:
+ description: TLS related settings for connections
+ to the upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server
+ during TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ tls:
+ description: TLS related settings for connections to the
+ upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during
+ TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ tunnel:
+ properties:
+ protocol:
+ description: Specifies which protocol to use for tunneling
+ the downstream connection.
+ type: string
+ targetHost:
+ description: Specifies a host to which the downstream
+ connection is tunneled.
+ type: string
+ targetPort:
+ description: Specifies a port to which the downstream
+ connection is tunneled.
+ type: integer
+ type: object
+ type: object
+ type: object
+ type: array
+ trafficPolicy:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should be upgraded
+ to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will be preserved
+ while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the socket
+ to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements consistent
+ hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute, failover
+ or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to traffic
+ distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this is DestinationRule-level
+ and will override mesh wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute, failover
+ or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list of labels
+ used to sort endpoints to do priority based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local origin
+ failures from external errors.
+ type: boolean
+ type: object
+ portLevelSettings:
+ description: Traffic policies specific to individual ports.
+ items:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should
+ be upgraded to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to
+ a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will
+ be preserved while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the
+ socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query
+ parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to
+ traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this
+ is DestinationRule-level and will override mesh
+ wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list
+ of labels used to sort endpoints to do priority
+ based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local
+ origin failures from external errors.
+ type: boolean
+ type: object
+ port:
+ properties:
+ number:
+ type: integer
+ type: object
+ tls:
+ description: TLS related settings for connections to the
+ upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during
+ TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ tls:
+ description: TLS related settings for connections to the upstream
+ service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during TLS
+ handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ tunnel:
+ properties:
+ protocol:
+ description: Specifies which protocol to use for tunneling
+ the downstream connection.
+ type: string
+ targetHost:
+ description: Specifies a host to which the downstream connection
+ is tunneled.
+ type: string
+ targetPort:
+ description: Specifies a port to which the downstream connection
+ is tunneled.
+ type: integer
+ type: object
+ type: object
+ workloadSelector:
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: The name of a service from the service registry
+ jsonPath: .spec.host
+ name: Host
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting load balancing, outlier detection,
+ etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+ properties:
+ exportTo:
+ description: A list of namespaces to which this destination rule is
+ exported.
+ items:
+ type: string
+ type: array
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ subsets:
+ items:
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ name:
+ description: Name of the subset.
+ type: string
+ trafficPolicy:
+ description: Traffic policies that apply to this subset.
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should
+ be upgraded to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to
+ a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will
+ be preserved while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the
+ socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query
+ parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to
+ traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this
+ is DestinationRule-level and will override mesh
+ wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list
+ of labels used to sort endpoints to do priority
+ based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local
+ origin failures from external errors.
+ type: boolean
+ type: object
+ portLevelSettings:
+ description: Traffic policies specific to individual ports.
+ items:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection
+ should be upgraded to http2 for the associated
+ destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests
+ to a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream
+ connection pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per
+ connection to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol
+ will be preserved while initiating connection
+ to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and
+ TCP upstream connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP
+ connections to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE
+ on the socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between
+ keep-alive probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer
+ algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP
+ header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP
+ query parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev
+ hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend
+ hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/'
+ separated, e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities
+ to traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing,
+ this is DestinationRule-level and will override
+ mesh wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered
+ list of labels used to sort endpoints to
+ do priority based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of
+ Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a
+ host is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep
+ analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish
+ local origin failures from external errors.
+ type: boolean
+ type: object
+ port:
+ properties:
+ number:
+ type: integer
+ type: object
+ tls:
+ description: TLS related settings for connections
+ to the upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server
+ during TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ tls:
+ description: TLS related settings for connections to the
+ upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during
+ TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ tunnel:
+ properties:
+ protocol:
+ description: Specifies which protocol to use for tunneling
+ the downstream connection.
+ type: string
+ targetHost:
+ description: Specifies a host to which the downstream
+ connection is tunneled.
+ type: string
+ targetPort:
+ description: Specifies a port to which the downstream
+ connection is tunneled.
+ type: integer
+ type: object
+ type: object
+ type: object
+ type: array
+ trafficPolicy:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should be upgraded
+ to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will be preserved
+ while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the socket
+ to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements consistent
+ hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute, failover
+ or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to traffic
+ distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this is DestinationRule-level
+ and will override mesh wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute, failover
+ or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list of labels
+ used to sort endpoints to do priority based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local origin
+ failures from external errors.
+ type: boolean
+ type: object
+ portLevelSettings:
+ description: Traffic policies specific to individual ports.
+ items:
+ properties:
+ connectionPool:
+ properties:
+ http:
+ description: HTTP connection pool settings.
+ properties:
+ h2UpgradePolicy:
+ description: Specify if http1.1 connection should
+ be upgraded to http2 for the associated destination.
+ enum:
+ - DEFAULT
+ - DO_NOT_UPGRADE
+ - UPGRADE
+ type: string
+ http1MaxPendingRequests:
+ format: int32
+ type: integer
+ http2MaxRequests:
+ description: Maximum number of active requests to
+ a destination.
+ format: int32
+ type: integer
+ idleTimeout:
+ description: The idle timeout for upstream connection
+ pool connections.
+ type: string
+ maxRequestsPerConnection:
+ description: Maximum number of requests per connection
+ to a backend.
+ format: int32
+ type: integer
+ maxRetries:
+ format: int32
+ type: integer
+ useClientProtocol:
+ description: If set to true, client protocol will
+ be preserved while initiating connection to backend.
+ type: boolean
+ type: object
+ tcp:
+ description: Settings common to both HTTP and TCP upstream
+ connections.
+ properties:
+ connectTimeout:
+ description: TCP connection timeout.
+ type: string
+ maxConnectionDuration:
+ description: The maximum duration of a connection.
+ type: string
+ maxConnections:
+ description: Maximum number of HTTP1 /TCP connections
+ to a destination host.
+ format: int32
+ type: integer
+ tcpKeepalive:
+ description: If set then set SO_KEEPALIVE on the
+ socket to enable TCP Keepalives.
+ properties:
+ interval:
+ description: The time duration between keep-alive
+ probes.
+ type: string
+ probes:
+ type: integer
+ time:
+ type: string
+ type: object
+ type: object
+ type: object
+ loadBalancer:
+ description: Settings controlling the load balancer algorithms.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ - required:
+ - simple
+ - properties:
+ consistentHash:
+ allOf:
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - required:
+ - httpHeaderName
+ - required:
+ - httpCookie
+ - required:
+ - useSourceIp
+ - required:
+ - httpQueryParameterName
+ - oneOf:
+ - not:
+ anyOf:
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ - required:
+ - ringHash
+ - required:
+ - maglev
+ properties:
+ minimumRingSize: {}
+ required:
+ - consistentHash
+ properties:
+ consistentHash:
+ properties:
+ httpCookie:
+ description: Hash based on HTTP cookie.
+ properties:
+ name:
+ description: Name of the cookie.
+ type: string
+ path:
+ description: Path to set for the cookie.
+ type: string
+ ttl:
+ description: Lifetime of the cookie.
+ type: string
+ type: object
+ httpHeaderName:
+ description: Hash based on a specific HTTP header.
+ type: string
+ httpQueryParameterName:
+ description: Hash based on a specific HTTP query
+ parameter.
+ type: string
+ maglev:
+ description: The Maglev load balancer implements
+ consistent hashing to backend hosts.
+ properties:
+ tableSize:
+ description: The table size for Maglev hashing.
+ type: integer
+ type: object
+ minimumRingSize:
+ description: Deprecated.
+ type: integer
+ ringHash:
+ description: The ring/modulo hash load balancer
+ implements consistent hashing to backend hosts.
+ properties:
+ minimumRingSize:
+ type: integer
+ type: object
+ useSourceIp:
+ description: Hash based on the source IP address.
+ type: boolean
+ type: object
+ localityLbSetting:
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated,
+ e.g.
+ type: string
+ to:
+ additionalProperties:
+ type: integer
+ description: Map of upstream localities to
+ traffic distribution weights.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: enable locality load balancing, this
+ is DestinationRule-level and will override mesh
+ wide settings in entirety.
+ nullable: true
+ type: boolean
+ failover:
+ description: 'Optional: only one of distribute,
+ failover or failoverPriority can be set.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ type: string
+ type: object
+ type: array
+ failoverPriority:
+ description: failoverPriority is an ordered list
+ of labels used to sort endpoints to do priority
+ based load balancing.
+ items:
+ type: string
+ type: array
+ type: object
+ simple:
+ enum:
+ - UNSPECIFIED
+ - LEAST_CONN
+ - RANDOM
+ - PASSTHROUGH
+ - ROUND_ROBIN
+ - LEAST_REQUEST
+ type: string
+ warmupDurationSecs:
+ description: Represents the warmup duration of Service.
+ type: string
+ type: object
+ outlierDetection:
+ properties:
+ baseEjectionTime:
+ description: Minimum ejection duration.
+ type: string
+ consecutive5xxErrors:
+ description: Number of 5xx errors before a host is ejected
+ from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveErrors:
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: Number of gateway errors before a host
+ is ejected from the connection pool.
+ nullable: true
+ type: integer
+ consecutiveLocalOriginFailures:
+ nullable: true
+ type: integer
+ interval:
+ description: Time interval between ejection sweep analysis.
+ type: string
+ maxEjectionPercent:
+ format: int32
+ type: integer
+ minHealthPercent:
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ description: Determines whether to distinguish local
+ origin failures from external errors.
+ type: boolean
+ type: object
+ port:
+ properties:
+ number:
+ type: integer
+ type: object
+ tls:
+ description: TLS related settings for connections to the
+ upstream service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during
+ TLS handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ tls:
+ description: TLS related settings for connections to the upstream
+ service.
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ credentialName:
+ type: string
+ insecureSkipVerify:
+ nullable: true
+ type: boolean
+ mode:
+ enum:
+ - DISABLE
+ - SIMPLE
+ - MUTUAL
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ sni:
+ description: SNI string to present to the server during TLS
+ handshake.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ tunnel:
+ properties:
+ protocol:
+ description: Specifies which protocol to use for tunneling
+ the downstream connection.
+ type: string
+ targetHost:
+ description: Specifies a host to which the downstream connection
+ is tunneled.
+ type: string
+ targetPort:
+ description: Specifies a port to which the downstream connection
+ is tunneled.
+ type: integer
+ type: object
+ type: object
+ workloadSelector:
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: envoyfilters.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: EnvoyFilter
+ listKind: EnvoyFilterList
+ plural: envoyfilters
+ singular: envoyfilter
+ scope: Namespaced
+ versions:
+ - name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Customizing Envoy configuration generated by Istio. See
+ more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
+ properties:
+ configPatches:
+ description: One or more patches with match conditions.
+ items:
+ properties:
+ applyTo:
+ enum:
+ - INVALID
+ - LISTENER
+ - FILTER_CHAIN
+ - NETWORK_FILTER
+ - HTTP_FILTER
+ - ROUTE_CONFIGURATION
+ - VIRTUAL_HOST
+ - HTTP_ROUTE
+ - CLUSTER
+ - EXTENSION_CONFIG
+ - BOOTSTRAP
+ - LISTENER_FILTER
+ type: string
+ match:
+ description: Match on listener/route configuration/cluster.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - listener
+ - required:
+ - routeConfiguration
+ - required:
+ - cluster
+ - required:
+ - listener
+ - required:
+ - routeConfiguration
+ - required:
+ - cluster
+ properties:
+ cluster:
+ description: Match on envoy cluster attributes.
+ properties:
+ name:
+ description: The exact name of the cluster to match.
+ type: string
+ portNumber:
+ description: The service port for which this cluster
+ was generated.
+ type: integer
+ service:
+ description: The fully qualified service name for this
+ cluster.
+ type: string
+ subset:
+ description: The subset associated with the service.
+ type: string
+ type: object
+ context:
+ description: The specific config generation context to match
+ on.
+ enum:
+ - ANY
+ - SIDECAR_INBOUND
+ - SIDECAR_OUTBOUND
+ - GATEWAY
+ type: string
+ listener:
+ description: Match on envoy listener attributes.
+ properties:
+ filterChain:
+ description: Match a specific filter chain in a listener.
+ properties:
+ applicationProtocols:
+ description: Applies only to sidecars.
+ type: string
+ destinationPort:
+ description: The destination_port value used by
+ a filter chain's match condition.
+ type: integer
+ filter:
+ description: The name of a specific filter to apply
+ the patch to.
+ properties:
+ name:
+ description: The filter name to match on.
+ type: string
+ subFilter:
+ properties:
+ name:
+ description: The filter name to match on.
+ type: string
+ type: object
+ type: object
+ name:
+ description: The name assigned to the filter chain.
+ type: string
+ sni:
+ description: The SNI value used by a filter chain's
+ match condition.
+ type: string
+ transportProtocol:
+ description: Applies only to `SIDECAR_INBOUND` context.
+ type: string
+ type: object
+ listenerFilter:
+ description: Match a specific listener filter.
+ type: string
+ name:
+ description: Match a specific listener by its name.
+ type: string
+ portName:
+ type: string
+ portNumber:
+ type: integer
+ type: object
+ proxy:
+ description: Match on properties associated with a proxy.
+ properties:
+ metadata:
+ additionalProperties:
+ type: string
+ type: object
+ proxyVersion:
+ type: string
+ type: object
+ routeConfiguration:
+ description: Match on envoy HTTP route configuration attributes.
+ properties:
+ gateway:
+ type: string
+ name:
+ description: Route configuration name to match on.
+ type: string
+ portName:
+ description: Applicable only for GATEWAY context.
+ type: string
+ portNumber:
+ type: integer
+ vhost:
+ properties:
+ name:
+ type: string
+ route:
+ description: Match a specific route within the virtual
+ host.
+ properties:
+ action:
+ description: Match a route with specific action
+ type.
+ enum:
+ - ANY
+ - ROUTE
+ - REDIRECT
+ - DIRECT_RESPONSE
+ type: string
+ name:
+ type: string
+ type: object
+ type: object
+ type: object
+ type: object
+ patch:
+ description: The patch to apply along with the operation.
+ properties:
+ filterClass:
+ description: Determines the filter insertion order.
+ enum:
+ - UNSPECIFIED
+ - AUTHN
+ - AUTHZ
+ - STATS
+ type: string
+ operation:
+ description: Determines how the patch should be applied.
+ enum:
+ - INVALID
+ - MERGE
+ - ADD
+ - REMOVE
+ - INSERT_BEFORE
+ - INSERT_AFTER
+ - INSERT_FIRST
+ - REPLACE
+ type: string
+ value:
+ description: The JSON config of the object being patched.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ type: array
+ priority:
+ description: Priority defines the order in which patch sets are applied
+ within a context.
+ format: int32
+ type: integer
+ workloadSelector:
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: gateways.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: Gateway
+ listKind: GatewayList
+ plural: gateways
+ shortNames:
+ - gw
+ singular: gateway
+ scope: Namespaced
+ versions:
+ - name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting edge load balancer. See more details
+ at: https://istio.io/docs/reference/config/networking/gateway.html'
+ properties:
+ selector:
+ additionalProperties:
+ type: string
+ type: object
+ servers:
+ description: A list of server specifications.
+ items:
+ properties:
+ bind:
+ type: string
+ defaultEndpoint:
+ type: string
+ hosts:
+ description: One or more hosts exposed by this gateway.
+ items:
+ type: string
+ type: array
+ name:
+ description: An optional name of the server, when set must be
+ unique across all servers.
+ type: string
+ port:
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ tls:
+ description: Set of TLS related options that govern the server's
+ behavior.
+ properties:
+ caCertificates:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ cipherSuites:
+ description: 'Optional: If specified, only support the specified
+ cipher list.'
+ items:
+ type: string
+ type: array
+ credentialName:
+ type: string
+ httpsRedirect:
+ type: boolean
+ maxProtocolVersion:
+ description: 'Optional: Maximum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ minProtocolVersion:
+ description: 'Optional: Minimum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ mode:
+ enum:
+ - PASSTHROUGH
+ - SIMPLE
+ - MUTUAL
+ - AUTO_PASSTHROUGH
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ serverCertificate:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ verifyCertificateHash:
+ items:
+ type: string
+ type: array
+ verifyCertificateSpki:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting edge load balancer. See more details
+ at: https://istio.io/docs/reference/config/networking/gateway.html'
+ properties:
+ selector:
+ additionalProperties:
+ type: string
+ type: object
+ servers:
+ description: A list of server specifications.
+ items:
+ properties:
+ bind:
+ type: string
+ defaultEndpoint:
+ type: string
+ hosts:
+ description: One or more hosts exposed by this gateway.
+ items:
+ type: string
+ type: array
+ name:
+ description: An optional name of the server, when set must be
+ unique across all servers.
+ type: string
+ port:
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ tls:
+ description: Set of TLS related options that govern the server's
+ behavior.
+ properties:
+ caCertificates:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ cipherSuites:
+ description: 'Optional: If specified, only support the specified
+ cipher list.'
+ items:
+ type: string
+ type: array
+ credentialName:
+ type: string
+ httpsRedirect:
+ type: boolean
+ maxProtocolVersion:
+ description: 'Optional: Maximum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ minProtocolVersion:
+ description: 'Optional: Minimum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ mode:
+ enum:
+ - PASSTHROUGH
+ - SIMPLE
+ - MUTUAL
+ - AUTO_PASSTHROUGH
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ serverCertificate:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ verifyCertificateHash:
+ items:
+ type: string
+ type: array
+ verifyCertificateSpki:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ conversion:
+ strategy: None
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ listKind: IstioOperatorList
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ - io
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ name: Status
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ served: true
+ storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ istio: security
+ release: istio
+ name: peerauthentications.security.istio.io
+spec:
+ group: security.istio.io
+ names:
+ categories:
+ - istio-io
+ - security-istio-io
+ kind: PeerAuthentication
+ listKind: PeerAuthenticationList
+ plural: peerauthentications
+ shortNames:
+ - pa
+ singular: peerauthentication
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Defines the mTLS mode used for peer authentication.
+ jsonPath: .spec.mtls.mode
+ name: Mode
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: PeerAuthentication defines how traffic will be tunneled (or
+ not) to the sidecar.
+ properties:
+ mtls:
+ description: Mutual TLS settings for workload.
+ properties:
+ mode:
+ description: Defines the mTLS mode used for peer authentication.
+ enum:
+ - UNSET
+ - DISABLE
+ - PERMISSIVE
+ - STRICT
+ type: string
+ type: object
+ portLevelMtls:
+ additionalProperties:
+ properties:
+ mode:
+ description: Defines the mTLS mode used for peer authentication.
+ enum:
+ - UNSET
+ - DISABLE
+ - PERMISSIVE
+ - STRICT
+ type: string
+ type: object
+ description: Port specific mutual TLS settings.
+ type: object
+ selector:
+ description: The selector determines the workloads to apply the ChannelAuthentication
+ on.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: proxyconfigs.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: ProxyConfig
+ listKind: ProxyConfigList
+ plural: proxyconfigs
+ singular: proxyconfig
+ scope: Namespaced
+ versions:
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Provides configuration for individual workloads. See more
+ details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
+ properties:
+ concurrency:
+ description: The number of worker threads to run.
+ nullable: true
+ type: integer
+ environmentVariables:
+ additionalProperties:
+ type: string
+ description: Additional environment variables for the proxy.
+ type: object
+ image:
+ description: Specifies the details of the proxy image.
+ properties:
+ imageType:
+ description: The image type of the image.
+ type: string
+ type: object
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ istio: security
+ release: istio
+ name: requestauthentications.security.istio.io
+spec:
+ group: security.istio.io
+ names:
+ categories:
+ - istio-io
+ - security-istio-io
+ kind: RequestAuthentication
+ listKind: RequestAuthenticationList
+ plural: requestauthentications
+ shortNames:
+ - ra
+ singular: requestauthentication
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: RequestAuthentication defines what request authentication
+ methods are supported by a workload.
+ properties:
+ jwtRules:
+ description: Define the list of JWTs that can be validated at the
+ selected workloads' proxy.
+ items:
+ properties:
+ audiences:
+ items:
+ type: string
+ type: array
+ forwardOriginalToken:
+ description: If set to true, the original token will be kept
+ for the upstream request.
+ type: boolean
+ fromHeaders:
+ description: List of header locations from which JWT is expected.
+ items:
+ properties:
+ name:
+ description: The HTTP header name.
+ type: string
+ prefix:
+ description: The prefix that should be stripped before
+ decoding the token.
+ type: string
+ type: object
+ type: array
+ fromParams:
+ description: List of query parameters from which JWT is expected.
+ items:
+ type: string
+ type: array
+ issuer:
+ description: Identifies the issuer that issued the JWT.
+ type: string
+ jwks:
+ description: JSON Web Key Set of public keys to validate signature
+ of the JWT.
+ type: string
+ jwks_uri:
+ type: string
+ jwksUri:
+ type: string
+ outputClaimToHeaders:
+ description: This field specifies a list of operations to copy
+ the claim to HTTP headers on a successfully verified token.
+ items:
+ properties:
+ claim:
+ description: The name of the claim to be copied from.
+ type: string
+ header:
+ description: The name of the header to be created.
+ type: string
+ type: object
+ type: array
+ outputPayloadToHeader:
+ type: string
+ type: object
+ type: array
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: RequestAuthentication defines what request authentication
+ methods are supported by a workload.
+ properties:
+ jwtRules:
+ description: Define the list of JWTs that can be validated at the
+ selected workloads' proxy.
+ items:
+ properties:
+ audiences:
+ items:
+ type: string
+ type: array
+ forwardOriginalToken:
+ description: If set to true, the original token will be kept
+ for the upstream request.
+ type: boolean
+ fromHeaders:
+ description: List of header locations from which JWT is expected.
+ items:
+ properties:
+ name:
+ description: The HTTP header name.
+ type: string
+ prefix:
+ description: The prefix that should be stripped before
+ decoding the token.
+ type: string
+ type: object
+ type: array
+ fromParams:
+ description: List of query parameters from which JWT is expected.
+ items:
+ type: string
+ type: array
+ issuer:
+ description: Identifies the issuer that issued the JWT.
+ type: string
+ jwks:
+ description: JSON Web Key Set of public keys to validate signature
+ of the JWT.
+ type: string
+ jwks_uri:
+ type: string
+ jwksUri:
+ type: string
+ outputClaimToHeaders:
+ description: This field specifies a list of operations to copy
+ the claim to HTTP headers on a successfully verified token.
+ items:
+ properties:
+ claim:
+ description: The name of the claim to be copied from.
+ type: string
+ header:
+ description: The name of the header to be created.
+ type: string
+ type: object
+ type: array
+ outputPayloadToHeader:
+ type: string
+ type: object
+ type: array
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: serviceentries.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: ServiceEntry
+ listKind: ServiceEntryList
+ plural: serviceentries
+ shortNames:
+ - se
+ singular: serviceentry
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: The hosts associated with the ServiceEntry
+ jsonPath: .spec.hosts
+ name: Hosts
+ type: string
+ - description: Whether the service is external to the mesh or part of the mesh
+ (MESH_EXTERNAL or MESH_INTERNAL)
+ jsonPath: .spec.location
+ name: Location
+ type: string
+ - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+ jsonPath: .spec.resolution
+ name: Resolution
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting service registry. See more details
+ at: https://istio.io/docs/reference/config/networking/service-entry.html'
+ properties:
+ addresses:
+ description: The virtual IP addresses associated with the service.
+ items:
+ type: string
+ type: array
+ endpoints:
+ description: One or more endpoints associated with the service.
+ items:
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ type: array
+ exportTo:
+ description: A list of namespaces to which this service is exported.
+ items:
+ type: string
+ type: array
+ hosts:
+ description: The hosts associated with the ServiceEntry.
+ items:
+ type: string
+ type: array
+ location:
+ enum:
+ - MESH_EXTERNAL
+ - MESH_INTERNAL
+ type: string
+ ports:
+ description: The ports associated with the external service.
+ items:
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ type: array
+ resolution:
+ description: Service resolution mode for the hosts.
+ enum:
+ - NONE
+ - STATIC
+ - DNS
+ - DNS_ROUND_ROBIN
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ workloadSelector:
+ description: Applicable only for MESH_INTERNAL services.
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: The hosts associated with the ServiceEntry
+ jsonPath: .spec.hosts
+ name: Hosts
+ type: string
+ - description: Whether the service is external to the mesh or part of the mesh
+ (MESH_EXTERNAL or MESH_INTERNAL)
+ jsonPath: .spec.location
+ name: Location
+ type: string
+ - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+ jsonPath: .spec.resolution
+ name: Resolution
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting service registry. See more details
+ at: https://istio.io/docs/reference/config/networking/service-entry.html'
+ properties:
+ addresses:
+ description: The virtual IP addresses associated with the service.
+ items:
+ type: string
+ type: array
+ endpoints:
+ description: One or more endpoints associated with the service.
+ items:
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ type: array
+ exportTo:
+ description: A list of namespaces to which this service is exported.
+ items:
+ type: string
+ type: array
+ hosts:
+ description: The hosts associated with the ServiceEntry.
+ items:
+ type: string
+ type: array
+ location:
+ enum:
+ - MESH_EXTERNAL
+ - MESH_INTERNAL
+ type: string
+ ports:
+ description: The ports associated with the external service.
+ items:
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ type: array
+ resolution:
+ description: Service resolution mode for the hosts.
+ enum:
+ - NONE
+ - STATIC
+ - DNS
+ - DNS_ROUND_ROBIN
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ workloadSelector:
+ description: Applicable only for MESH_INTERNAL services.
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: sidecars.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: Sidecar
+ listKind: SidecarList
+ plural: sidecars
+ singular: sidecar
+ scope: Namespaced
+ versions:
+ - name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting network reachability of a sidecar.
+ See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+ properties:
+ egress:
+ items:
+ properties:
+ bind:
+ type: string
+ captureMode:
+ enum:
+ - DEFAULT
+ - IPTABLES
+ - NONE
+ type: string
+ hosts:
+ items:
+ type: string
+ type: array
+ port:
+ description: The port associated with the listener.
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ bind:
+ description: The IP(IPv4 or IPv6) to which the listener should
+ be bound.
+ type: string
+ captureMode:
+ enum:
+ - DEFAULT
+ - IPTABLES
+ - NONE
+ type: string
+ defaultEndpoint:
+ type: string
+ port:
+ description: The port associated with the listener.
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ tls:
+ properties:
+ caCertificates:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ cipherSuites:
+ description: 'Optional: If specified, only support the specified
+ cipher list.'
+ items:
+ type: string
+ type: array
+ credentialName:
+ type: string
+ httpsRedirect:
+ type: boolean
+ maxProtocolVersion:
+ description: 'Optional: Maximum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ minProtocolVersion:
+ description: 'Optional: Minimum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ mode:
+ enum:
+ - PASSTHROUGH
+ - SIMPLE
+ - MUTUAL
+ - AUTO_PASSTHROUGH
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ serverCertificate:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ verifyCertificateHash:
+ items:
+ type: string
+ type: array
+ verifyCertificateSpki:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ outboundTrafficPolicy:
+ description: Configuration for the outbound traffic policy.
+ properties:
+ egressProxy:
+ properties:
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ mode:
+ enum:
+ - REGISTRY_ONLY
+ - ALLOW_ANY
+ type: string
+ type: object
+ workloadSelector:
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting network reachability of a sidecar.
+ See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+ properties:
+ egress:
+ items:
+ properties:
+ bind:
+ type: string
+ captureMode:
+ enum:
+ - DEFAULT
+ - IPTABLES
+ - NONE
+ type: string
+ hosts:
+ items:
+ type: string
+ type: array
+ port:
+ description: The port associated with the listener.
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ bind:
+ description: The IP(IPv4 or IPv6) to which the listener should
+ be bound.
+ type: string
+ captureMode:
+ enum:
+ - DEFAULT
+ - IPTABLES
+ - NONE
+ type: string
+ defaultEndpoint:
+ type: string
+ port:
+ description: The port associated with the listener.
+ properties:
+ name:
+ description: Label assigned to the port.
+ type: string
+ number:
+ description: A valid non-negative integer port number.
+ type: integer
+ protocol:
+ description: The protocol exposed on the port.
+ type: string
+ targetPort:
+ type: integer
+ type: object
+ tls:
+ properties:
+ caCertificates:
+ description: REQUIRED if mode is `MUTUAL`.
+ type: string
+ cipherSuites:
+ description: 'Optional: If specified, only support the specified
+ cipher list.'
+ items:
+ type: string
+ type: array
+ credentialName:
+ type: string
+ httpsRedirect:
+ type: boolean
+ maxProtocolVersion:
+ description: 'Optional: Maximum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ minProtocolVersion:
+ description: 'Optional: Minimum TLS protocol version.'
+ enum:
+ - TLS_AUTO
+ - TLSV1_0
+ - TLSV1_1
+ - TLSV1_2
+ - TLSV1_3
+ type: string
+ mode:
+ enum:
+ - PASSTHROUGH
+ - SIMPLE
+ - MUTUAL
+ - AUTO_PASSTHROUGH
+ - ISTIO_MUTUAL
+ type: string
+ privateKey:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ serverCertificate:
+ description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ verifyCertificateHash:
+ items:
+ type: string
+ type: array
+ verifyCertificateSpki:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type: array
+ outboundTrafficPolicy:
+ description: Configuration for the outbound traffic policy.
+ properties:
+ egressProxy:
+ properties:
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ mode:
+ enum:
+ - REGISTRY_ONLY
+ - ALLOW_ANY
+ type: string
+ type: object
+ workloadSelector:
+ properties:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ istio: telemetry
+ release: istio
+ name: telemetries.telemetry.istio.io
+spec:
+ group: telemetry.istio.io
+ names:
+ categories:
+ - istio-io
+ - telemetry-istio-io
+ kind: Telemetry
+ listKind: TelemetryList
+ plural: telemetries
+ shortNames:
+ - telemetry
+ singular: telemetry
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Telemetry configuration for workloads. See more details
+ at: https://istio.io/docs/reference/config/telemetry.html'
+ properties:
+ accessLogging:
+ description: Optional.
+ items:
+ properties:
+ disabled:
+ description: Controls logging.
+ nullable: true
+ type: boolean
+ filter:
+ description: Optional.
+ properties:
+ expression:
+ description: CEL expression for selecting when requests/connections
+ should be logged.
+ type: string
+ type: object
+ match:
+ description: Allows tailoring of logging behavior to specific
+ conditions.
+ properties:
+ mode:
+ enum:
+ - CLIENT_AND_SERVER
+ - CLIENT
+ - SERVER
+ type: string
+ type: object
+ providers:
+ description: Optional.
+ items:
+ properties:
+ name:
+ description: Required.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
+ metrics:
+ description: Optional.
+ items:
+ properties:
+ overrides:
+ description: Optional.
+ items:
+ properties:
+ disabled:
+ description: Optional.
+ nullable: true
+ type: boolean
+ match:
+ description: Match allows provides the scope of the override.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - metric
+ - required:
+ - customMetric
+ - required:
+ - metric
+ - required:
+ - customMetric
+ properties:
+ customMetric:
+ description: Allows free-form specification of a metric.
+ type: string
+ metric:
+ description: One of the well-known Istio Standard
+ Metrics.
+ enum:
+ - ALL_METRICS
+ - REQUEST_COUNT
+ - REQUEST_DURATION
+ - REQUEST_SIZE
+ - RESPONSE_SIZE
+ - TCP_OPENED_CONNECTIONS
+ - TCP_CLOSED_CONNECTIONS
+ - TCP_SENT_BYTES
+ - TCP_RECEIVED_BYTES
+ - GRPC_REQUEST_MESSAGES
+ - GRPC_RESPONSE_MESSAGES
+ type: string
+ mode:
+ enum:
+ - CLIENT_AND_SERVER
+ - CLIENT
+ - SERVER
+ type: string
+ type: object
+ tagOverrides:
+ additionalProperties:
+ properties:
+ operation:
+ description: Operation controls whether or not to
+ update/add a tag, or to remove it.
+ enum:
+ - UPSERT
+ - REMOVE
+ type: string
+ value:
+ description: Value is only considered if the operation
+ is `UPSERT`.
+ type: string
+ type: object
+ description: Optional.
+ type: object
+ type: object
+ type: array
+ providers:
+ description: Optional.
+ items:
+ properties:
+ name:
+ description: Required.
+ type: string
+ type: object
+ type: array
+ reportingInterval:
+ description: Optional.
+ type: string
+ type: object
+ type: array
+ selector:
+ description: Optional.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ tracing:
+ description: Optional.
+ items:
+ properties:
+ customTags:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - literal
+ - required:
+ - environment
+ - required:
+ - header
+ - required:
+ - literal
+ - required:
+ - environment
+ - required:
+ - header
+ properties:
+ environment:
+ description: Environment adds the value of an environment
+ variable to each span.
+ properties:
+ defaultValue:
+ description: Optional.
+ type: string
+ name:
+ description: Name of the environment variable from
+ which to extract the tag value.
+ type: string
+ type: object
+ header:
+ properties:
+ defaultValue:
+ description: Optional.
+ type: string
+ name:
+ description: Name of the header from which to extract
+ the tag value.
+ type: string
+ type: object
+ literal:
+ description: Literal adds the same, hard-coded value to
+ each span.
+ properties:
+ value:
+ description: The tag value to use.
+ type: string
+ type: object
+ type: object
+ description: Optional.
+ type: object
+ disableSpanReporting:
+ description: Controls span reporting.
+ nullable: true
+ type: boolean
+ match:
+ description: Allows tailoring of behavior to specific conditions.
+ properties:
+ mode:
+ enum:
+ - CLIENT_AND_SERVER
+ - CLIENT
+ - SERVER
+ type: string
+ type: object
+ providers:
+ description: Optional.
+ items:
+ properties:
+ name:
+ description: Required.
+ type: string
+ type: object
+ type: array
+ randomSamplingPercentage:
+ nullable: true
+ type: number
+ useRequestIdForTraceSampling:
+ nullable: true
+ type: boolean
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: virtualservices.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: VirtualService
+ listKind: VirtualServiceList
+ plural: virtualservices
+ shortNames:
+ - vs
+ singular: virtualservice
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: The names of gateways and sidecars that should apply these routes
+ jsonPath: .spec.gateways
+ name: Gateways
+ type: string
+ - description: The destination hosts to which traffic is being sent
+ jsonPath: .spec.hosts
+ name: Hosts
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting label/content routing, sni routing,
+ etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+ properties:
+ exportTo:
+ description: A list of namespaces to which this virtual service is
+ exported.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: The names of gateways and sidecars that should apply
+ these routes.
+ items:
+ type: string
+ type: array
+ hosts:
+ description: The destination hosts to which traffic is being sent.
+ items:
+ type: string
+ type: array
+ http:
+ description: An ordered list of route rules for HTTP traffic.
+ items:
+ properties:
+ corsPolicy:
+ description: Cross-Origin Resource Sharing policy (CORS).
+ properties:
+ allowCredentials:
+ nullable: true
+ type: boolean
+ allowHeaders:
+ items:
+ type: string
+ type: array
+ allowMethods:
+ description: List of HTTP methods allowed to access the
+ resource.
+ items:
+ type: string
+ type: array
+ allowOrigin:
+ description: The list of origins that are allowed to perform
+ CORS requests.
+ items:
+ type: string
+ type: array
+ allowOrigins:
+ description: String patterns that match allowed origins.
+ items:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ type: array
+ exposeHeaders:
+ items:
+ type: string
+ type: array
+ maxAge:
+ type: string
+ type: object
+ delegate:
+ properties:
+ name:
+ description: Name specifies the name of the delegate VirtualService.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace where the
+ delegate VirtualService resides.
+ type: string
+ type: object
+ directResponse:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ properties:
+ body:
+ description: Specifies the content of the response body.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - string
+ - required:
+ - bytes
+ - required:
+ - string
+ - required:
+ - bytes
+ properties:
+ bytes:
+ description: response body as base64 encoded bytes.
+ format: binary
+ type: string
+ string:
+ type: string
+ type: object
+ status:
+ description: Specifies the HTTP response status to be returned.
+ type: integer
+ type: object
+ fault:
+ description: Fault injection policy to apply on HTTP traffic
+ at the client side.
+ properties:
+ abort:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpStatus
+ - required:
+ - grpcStatus
+ - required:
+ - http2Error
+ - required:
+ - httpStatus
+ - required:
+ - grpcStatus
+ - required:
+ - http2Error
+ properties:
+ grpcStatus:
+ description: GRPC status code to use to abort the request.
+ type: string
+ http2Error:
+ type: string
+ httpStatus:
+ description: HTTP status code to use to abort the Http
+ request.
+ format: int32
+ type: integer
+ percentage:
+ description: Percentage of requests to be aborted with
+ the error code provided.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ type: object
+ delay:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - fixedDelay
+ - required:
+ - exponentialDelay
+ - required:
+ - fixedDelay
+ - required:
+ - exponentialDelay
+ properties:
+ exponentialDelay:
+ type: string
+ fixedDelay:
+ description: Add a fixed delay before forwarding the
+ request.
+ type: string
+ percent:
+ description: Percentage of requests on which the delay
+ will be injected (0-100).
+ format: int32
+ type: integer
+ percentage:
+ description: Percentage of requests on which the delay
+ will be injected.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ type: object
+ type: object
+ headers:
+ properties:
+ request:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ response:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ match:
+ items:
+ properties:
+ authority:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ headers:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ type: object
+ ignoreUriCase:
+ description: Flag to specify whether the URI matching
+ should be case-insensitive.
+ type: boolean
+ method:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ name:
+ description: The name assigned to a match.
+ type: string
+ port:
+ description: Specifies the ports on the host that is being
+ addressed.
+ type: integer
+ queryParams:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ description: Query parameters for matching.
+ type: object
+ scheme:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ statPrefix:
+ description: The human readable prefix to use when emitting
+ statistics for this route.
+ type: string
+ uri:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ withoutHeaders:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ description: withoutHeader has the same syntax with the
+ header, but has opposite meaning.
+ type: object
+ type: object
+ type: array
+ mirror:
+ properties:
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ mirror_percent:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ nullable: true
+ type: integer
+ mirrorPercent:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ nullable: true
+ type: integer
+ mirrorPercentage:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ name:
+ description: The name assigned to the route for debugging purposes.
+ type: string
+ redirect:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - port
+ - required:
+ - derivePort
+ - required:
+ - port
+ - required:
+ - derivePort
+ properties:
+ authority:
+ type: string
+ derivePort:
+ enum:
+ - FROM_PROTOCOL_DEFAULT
+ - FROM_REQUEST_PORT
+ type: string
+ port:
+ description: On a redirect, overwrite the port portion of
+ the URL with this value.
+ type: integer
+ redirectCode:
+ type: integer
+ scheme:
+ description: On a redirect, overwrite the scheme portion
+ of the URL with this value.
+ type: string
+ uri:
+ type: string
+ type: object
+ retries:
+ description: Retry policy for HTTP requests.
+ properties:
+ attempts:
+ description: Number of retries to be allowed for a given
+ request.
+ format: int32
+ type: integer
+ perTryTimeout:
+ description: Timeout per attempt for a given request, including
+ the initial call and any retries.
+ type: string
+ retryOn:
+ description: Specifies the conditions under which retry
+ takes place.
+ type: string
+ retryRemoteLocalities:
+ description: Flag to specify whether the retries should
+ retry to other localities.
+ nullable: true
+ type: boolean
+ type: object
+ rewrite:
+ description: Rewrite HTTP URIs and Authority headers.
+ properties:
+ authority:
+ description: rewrite the Authority/Host header with this
+ value.
+ type: string
+ uri:
+ type: string
+ type: object
+ route:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ headers:
+ properties:
+ request:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ response:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ timeout:
+ description: Timeout for HTTP requests, default is disabled.
+ type: string
+ type: object
+ type: array
+ tcp:
+ description: An ordered list of route rules for opaque TCP traffic.
+ items:
+ properties:
+ match:
+ items:
+ properties:
+ destinationSubnets:
+ description: IPv4 or IPv6 ip addresses of destination
+ with optional subnet.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ type: integer
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ sourceSubnet:
+ description: IPv4 or IPv6 ip address of source with optional
+ subnet.
+ type: string
+ type: object
+ type: array
+ route:
+ description: The destination to which the connection should
+ be forwarded to.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ type: object
+ type: array
+ tls:
+ items:
+ properties:
+ match:
+ items:
+ properties:
+ destinationSubnets:
+ description: IPv4 or IPv6 ip addresses of destination
+ with optional subnet.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ type: integer
+ sniHosts:
+ description: SNI (server name indicator) to match on.
+ items:
+ type: string
+ type: array
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ type: object
+ type: array
+ route:
+ description: The destination to which the connection should
+ be forwarded to.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: The names of gateways and sidecars that should apply these routes
+ jsonPath: .spec.gateways
+ name: Gateways
+ type: string
+ - description: The destination hosts to which traffic is being sent
+ jsonPath: .spec.hosts
+ name: Hosts
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting label/content routing, sni routing,
+ etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+ properties:
+ exportTo:
+ description: A list of namespaces to which this virtual service is
+ exported.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: The names of gateways and sidecars that should apply
+ these routes.
+ items:
+ type: string
+ type: array
+ hosts:
+ description: The destination hosts to which traffic is being sent.
+ items:
+ type: string
+ type: array
+ http:
+ description: An ordered list of route rules for HTTP traffic.
+ items:
+ properties:
+ corsPolicy:
+ description: Cross-Origin Resource Sharing policy (CORS).
+ properties:
+ allowCredentials:
+ nullable: true
+ type: boolean
+ allowHeaders:
+ items:
+ type: string
+ type: array
+ allowMethods:
+ description: List of HTTP methods allowed to access the
+ resource.
+ items:
+ type: string
+ type: array
+ allowOrigin:
+ description: The list of origins that are allowed to perform
+ CORS requests.
+ items:
+ type: string
+ type: array
+ allowOrigins:
+ description: String patterns that match allowed origins.
+ items:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ type: array
+ exposeHeaders:
+ items:
+ type: string
+ type: array
+ maxAge:
+ type: string
+ type: object
+ delegate:
+ properties:
+ name:
+ description: Name specifies the name of the delegate VirtualService.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace where the
+ delegate VirtualService resides.
+ type: string
+ type: object
+ directResponse:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ properties:
+ body:
+ description: Specifies the content of the response body.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - string
+ - required:
+ - bytes
+ - required:
+ - string
+ - required:
+ - bytes
+ properties:
+ bytes:
+ description: response body as base64 encoded bytes.
+ format: binary
+ type: string
+ string:
+ type: string
+ type: object
+ status:
+ description: Specifies the HTTP response status to be returned.
+ type: integer
+ type: object
+ fault:
+ description: Fault injection policy to apply on HTTP traffic
+ at the client side.
+ properties:
+ abort:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpStatus
+ - required:
+ - grpcStatus
+ - required:
+ - http2Error
+ - required:
+ - httpStatus
+ - required:
+ - grpcStatus
+ - required:
+ - http2Error
+ properties:
+ grpcStatus:
+ description: GRPC status code to use to abort the request.
+ type: string
+ http2Error:
+ type: string
+ httpStatus:
+ description: HTTP status code to use to abort the Http
+ request.
+ format: int32
+ type: integer
+ percentage:
+ description: Percentage of requests to be aborted with
+ the error code provided.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ type: object
+ delay:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - fixedDelay
+ - required:
+ - exponentialDelay
+ - required:
+ - fixedDelay
+ - required:
+ - exponentialDelay
+ properties:
+ exponentialDelay:
+ type: string
+ fixedDelay:
+ description: Add a fixed delay before forwarding the
+ request.
+ type: string
+ percent:
+ description: Percentage of requests on which the delay
+ will be injected (0-100).
+ format: int32
+ type: integer
+ percentage:
+ description: Percentage of requests on which the delay
+ will be injected.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ type: object
+ type: object
+ headers:
+ properties:
+ request:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ response:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ match:
+ items:
+ properties:
+ authority:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ headers:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ type: object
+ ignoreUriCase:
+ description: Flag to specify whether the URI matching
+ should be case-insensitive.
+ type: boolean
+ method:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ name:
+ description: The name assigned to a match.
+ type: string
+ port:
+ description: Specifies the ports on the host that is being
+ addressed.
+ type: integer
+ queryParams:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ description: Query parameters for matching.
+ type: object
+ scheme:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ statPrefix:
+ description: The human readable prefix to use when emitting
+ statistics for this route.
+ type: string
+ uri:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ withoutHeaders:
+ additionalProperties:
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ - required:
+ - exact
+ - required:
+ - prefix
+ - required:
+ - regex
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ regex:
+ description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ type: string
+ type: object
+ description: withoutHeader has the same syntax with the
+ header, but has opposite meaning.
+ type: object
+ type: object
+ type: array
+ mirror:
+ properties:
+ host:
+ description: The name of a service from the service registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ mirror_percent:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ nullable: true
+ type: integer
+ mirrorPercent:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ nullable: true
+ type: integer
+ mirrorPercentage:
+ description: Percentage of the traffic to be mirrored by the
+ `mirror` field.
+ properties:
+ value:
+ format: double
+ type: number
+ type: object
+ name:
+ description: The name assigned to the route for debugging purposes.
+ type: string
+ redirect:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - port
+ - required:
+ - derivePort
+ - required:
+ - port
+ - required:
+ - derivePort
+ properties:
+ authority:
+ type: string
+ derivePort:
+ enum:
+ - FROM_PROTOCOL_DEFAULT
+ - FROM_REQUEST_PORT
+ type: string
+ port:
+ description: On a redirect, overwrite the port portion of
+ the URL with this value.
+ type: integer
+ redirectCode:
+ type: integer
+ scheme:
+ description: On a redirect, overwrite the scheme portion
+ of the URL with this value.
+ type: string
+ uri:
+ type: string
+ type: object
+ retries:
+ description: Retry policy for HTTP requests.
+ properties:
+ attempts:
+ description: Number of retries to be allowed for a given
+ request.
+ format: int32
+ type: integer
+ perTryTimeout:
+ description: Timeout per attempt for a given request, including
+ the initial call and any retries.
+ type: string
+ retryOn:
+ description: Specifies the conditions under which retry
+ takes place.
+ type: string
+ retryRemoteLocalities:
+ description: Flag to specify whether the retries should
+ retry to other localities.
+ nullable: true
+ type: boolean
+ type: object
+ rewrite:
+ description: Rewrite HTTP URIs and Authority headers.
+ properties:
+ authority:
+ description: rewrite the Authority/Host header with this
+ value.
+ type: string
+ uri:
+ type: string
+ type: object
+ route:
+ description: A HTTP rule can either return a direct_response,
+ redirect or forward (default) traffic.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ headers:
+ properties:
+ request:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ response:
+ properties:
+ add:
+ additionalProperties:
+ type: string
+ type: object
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ timeout:
+ description: Timeout for HTTP requests, default is disabled.
+ type: string
+ type: object
+ type: array
+ tcp:
+ description: An ordered list of route rules for opaque TCP traffic.
+ items:
+ properties:
+ match:
+ items:
+ properties:
+ destinationSubnets:
+ description: IPv4 or IPv6 ip addresses of destination
+ with optional subnet.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ type: integer
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ sourceSubnet:
+ description: IPv4 or IPv6 ip address of source with optional
+ subnet.
+ type: string
+ type: object
+ type: array
+ route:
+ description: The destination to which the connection should
+ be forwarded to.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ type: object
+ type: array
+ tls:
+ items:
+ properties:
+ match:
+ items:
+ properties:
+ destinationSubnets:
+ description: IPv4 or IPv6 ip addresses of destination
+ with optional subnet.
+ items:
+ type: string
+ type: array
+ gateways:
+ description: Names of gateways where the rule should be
+ applied.
+ items:
+ type: string
+ type: array
+ port:
+ description: Specifies the port on the host that is being
+ addressed.
+ type: integer
+ sniHosts:
+ description: SNI (server name indicator) to match on.
+ items:
+ type: string
+ type: array
+ sourceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ sourceNamespace:
+ description: Source namespace constraining the applicability
+ of a rule to workloads in that namespace.
+ type: string
+ type: object
+ type: array
+ route:
+ description: The destination to which the connection should
+ be forwarded to.
+ items:
+ properties:
+ destination:
+ properties:
+ host:
+ description: The name of a service from the service
+ registry.
+ type: string
+ port:
+ description: Specifies the port on the host that is
+ being addressed.
+ properties:
+ number:
+ type: integer
+ type: object
+ subset:
+ description: The name of a subset within the service.
+ type: string
+ type: object
+ weight:
+ description: Weight specifies the relative proportion
+ of traffic to be forwarded to the destination.
+ format: int32
+ type: integer
+ type: object
+ type: array
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: wasmplugins.extensions.istio.io
+spec:
+ group: extensions.istio.io
+ names:
+ categories:
+ - istio-io
+ - extensions-istio-io
+ kind: WasmPlugin
+ listKind: WasmPluginList
+ plural: wasmplugins
+ singular: wasmplugin
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Extend the functionality provided by the Istio proxy through
+ WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
+ properties:
+ imagePullPolicy:
+ enum:
+ - UNSPECIFIED_POLICY
+ - IfNotPresent
+ - Always
+ type: string
+ imagePullSecret:
+ description: Credentials to use for OCI image pulling.
+ type: string
+ match:
+ description: Specifies the criteria to determine which traffic is
+ passed to WasmPlugin.
+ items:
+ properties:
+ mode:
+ description: Criteria for selecting traffic by their direction.
+ enum:
+ - UNDEFINED
+ - CLIENT
+ - SERVER
+ - CLIENT_AND_SERVER
+ type: string
+ ports:
+ description: Criteria for selecting traffic by their destination
+ port.
+ items:
+ properties:
+ number:
+ type: integer
+ type: object
+ type: array
+ type: object
+ type: array
+ phase:
+ description: Determines where in the filter chain this `WasmPlugin`
+ is to be injected.
+ enum:
+ - UNSPECIFIED_PHASE
+ - AUTHN
+ - AUTHZ
+ - STATS
+ type: string
+ pluginConfig:
+ description: The configuration that will be passed on to the plugin.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ pluginName:
+ type: string
+ priority:
+ description: Determines ordering of `WasmPlugins` in the same `phase`.
+ nullable: true
+ type: integer
+ selector:
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ sha256:
+ description: SHA256 checksum that will be used to verify Wasm module
+ or OCI container.
+ type: string
+ url:
+ description: URL of a Wasm module or OCI container.
+ type: string
+ verificationKey:
+ type: string
+ vmConfig:
+ description: Configuration for a Wasm VM.
+ properties:
+ env:
+ description: Specifies environment variables to be injected to
+ this VM.
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ description: Value for the environment variable.
+ type: string
+ valueFrom:
+ enum:
+ - INLINE
+ - HOST
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: workloadentries.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: WorkloadEntry
+ listKind: WorkloadEntryList
+ plural: workloadentries
+ shortNames:
+ - we
+ singular: workloadentry
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - description: Address associated with the network endpoint.
+ jsonPath: .spec.address
+ name: Address
+ type: string
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting VMs onboarded into the mesh. See
+ more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - description: Address associated with the network endpoint.
+ jsonPath: .spec.address
+ name: Address
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Configuration affecting VMs onboarded into the mesh. See
+ more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ name: workloadgroups.networking.istio.io
+spec:
+ group: networking.istio.io
+ names:
+ categories:
+ - istio-io
+ - networking-istio-io
+ kind: WorkloadGroup
+ listKind: WorkloadGroupList
+ plural: workloadgroups
+ shortNames:
+ - wg
+ singular: workloadgroup
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ description: 'Describes a collection of workload instances. See more details
+ at: https://istio.io/docs/reference/config/networking/workload-group.html'
+ properties:
+ metadata:
+ description: Metadata that will be used for all corresponding `WorkloadEntries`.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ probe:
+ description: '`ReadinessProbe` describes the configuration the user
+ must provide for healthchecking on their workload.'
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpGet
+ - required:
+ - tcpSocket
+ - required:
+ - exec
+ - required:
+ - httpGet
+ - required:
+ - tcpSocket
+ - required:
+ - exec
+ properties:
+ exec:
+ description: Health is determined by how the command that is executed
+ exited.
+ properties:
+ command:
+ description: Command to run.
+ items:
+ type: string
+ type: array
+ type: object
+ failureThreshold:
+ description: Minimum consecutive failures for the probe to be
+ considered failed after having succeeded.
+ format: int32
+ type: integer
+ httpGet:
+ properties:
+ host:
+ description: Host name to connect to, defaults to the pod
+ IP.
+ type: string
+ httpHeaders:
+ description: Headers the proxy will pass on to make the request.
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ type: object
+ type: array
+ path:
+ description: Path to access on the HTTP server.
+ type: string
+ port:
+ description: Port on which the endpoint lives.
+ type: integer
+ scheme:
+ type: string
+ type: object
+ initialDelaySeconds:
+ description: Number of seconds after the container has started
+ before readiness probes are initiated.
+ format: int32
+ type: integer
+ periodSeconds:
+ description: How often (in seconds) to perform the probe.
+ format: int32
+ type: integer
+ successThreshold:
+ description: Minimum consecutive successes for the probe to be
+ considered successful after having failed.
+ format: int32
+ type: integer
+ tcpSocket:
+ description: Health is determined by if the proxy is able to connect.
+ properties:
+ host:
+ type: string
+ port:
+ type: integer
+ type: object
+ timeoutSeconds:
+ description: Number of seconds after which the probe times out.
+ format: int32
+ type: integer
+ type: object
+ template:
+ description: Template to be used for the generation of `WorkloadEntry`
+ resources that belong to this `WorkloadGroup`.
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ metadata:
+ description: Metadata that will be used for all corresponding `WorkloadEntries`.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ probe:
+ description: '`ReadinessProbe` describes the configuration the user
+ must provide for healthchecking on their workload.'
+ oneOf:
+ - not:
+ anyOf:
+ - required:
+ - httpGet
+ - required:
+ - tcpSocket
+ - required:
+ - exec
+ - required:
+ - httpGet
+ - required:
+ - tcpSocket
+ - required:
+ - exec
+ properties:
+ exec:
+ description: Health is determined by how the command that is executed
+ exited.
+ properties:
+ command:
+ description: Command to run.
+ items:
+ type: string
+ type: array
+ type: object
+ failureThreshold:
+ description: Minimum consecutive failures for the probe to be
+ considered failed after having succeeded.
+ format: int32
+ type: integer
+ httpGet:
+ properties:
+ host:
+ description: Host name to connect to, defaults to the pod
+ IP.
+ type: string
+ httpHeaders:
+ description: Headers the proxy will pass on to make the request.
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ type: object
+ type: array
+ path:
+ description: Path to access on the HTTP server.
+ type: string
+ port:
+ description: Port on which the endpoint lives.
+ type: integer
+ scheme:
+ type: string
+ type: object
+ initialDelaySeconds:
+ description: Number of seconds after the container has started
+ before readiness probes are initiated.
+ format: int32
+ type: integer
+ periodSeconds:
+ description: How often (in seconds) to perform the probe.
+ format: int32
+ type: integer
+ successThreshold:
+ description: Minimum consecutive successes for the probe to be
+ considered successful after having failed.
+ format: int32
+ type: integer
+ tcpSocket:
+ description: Health is determined by if the proxy is able to connect.
+ properties:
+ host:
+ type: string
+ port:
+ type: integer
+ type: object
+ timeoutSeconds:
+ description: Number of seconds after which the probe times out.
+ format: int32
+ type: integer
+ type: object
+ template:
+ description: Template to be used for the generation of `WorkloadEntry`
+ resources that belong to this `WorkloadGroup`.
+ properties:
+ address:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: One or more labels associated with the endpoint.
+ type: object
+ locality:
+ description: The locality associated with the endpoint.
+ type: string
+ network:
+ type: string
+ ports:
+ additionalProperties:
+ type: integer
+ description: Set of ports associated with the endpoint.
+ type: object
+ serviceAccount:
+ type: string
+ weight:
+ description: The load balancing weight associated with the endpoint.
+ type: integer
+ type: object
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
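Review bot: the two CRDs at the end of this hunk carry inconsistent metadata: `workloadentries.networking.istio.io` has the `helm.sh/resource-policy: keep` annotation while `workloadgroups.networking.istio.io` has none, and only the `v1alpha3` version of WorkloadGroup carries a `spec.description` (the `v1beta1` schema starts directly at `properties`). If this file is the unmodified upstream 1.17.3 CRD output that is acceptable (the annotation is only read by Helm and is inert under kustomize), but a header comment naming the upstream file and revision it was copied from would let the next upgrade be reviewed as a diff against upstream instead of a 7,000-line read; if any of it was hand-edited, the annotations should be aligned across the two CRDs.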
diff --git a/common/istio-1-17/istio-crds/base/kustomization.yaml b/common/istio-1-17/istio-crds/base/kustomization.yaml
new file mode 100644
index 0000000000..3dd2d3cace
--- /dev/null
+++ b/common/istio-1-17/istio-crds/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- crd.yaml
+namespace: istio-system
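Review bot: `namespace: istio-system` in this kustomization has no effect, because `crd.yaml` contains only `CustomResourceDefinition` objects, which are cluster-scoped and are skipped by kustomize's namespace transformer. Either drop the line or add a comment saying it is kept for consistency with the sibling kustomizations, so a reader does not come away thinking the CRDs are installed into a namespace.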
diff --git a/common/istio-1-17/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-1-17/istio-install/base/deny_all_authorizationpolicy.yaml
new file mode 100644
index 0000000000..390f153d38
--- /dev/null
+++ b/common/istio-1-17/istio-install/base/deny_all_authorizationpolicy.yaml
@@ -0,0 +1,9 @@
+# Enforce an explicit deny-by-default authorization model, similar to
+# the deprecated Istio RBAC
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: global-deny-all
+ namespace: istio-system
+spec:
+ {}
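Review bot: the empty `spec: {}` turns this policy into a mesh-wide deny-by-default only because the resource sits in the mesh root namespace; a selector-less policy in any other namespace would apply to that namespace alone. The header comment should state this dependency explicitly, for example `# istio-system is the mesh root namespace (meshConfig.rootNamespace), so this applies to every workload in the mesh`, and should spell out the mechanism: an AuthorizationPolicy with the default `action: ALLOW` and no `rules` matches nothing, so every request to a workload covered by it is denied unless some other ALLOW policy admits it. Without that note, a future change of `rootNamespace` would silently drop the deny-all.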
diff --git a/common/istio-1-17/istio-install/base/gateway.yaml b/common/istio-1-17/istio-install/base/gateway.yaml
new file mode 100644
index 0000000000..28ae654e1b
--- /dev/null
+++ b/common/istio-1-17/istio-install/base/gateway.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: istio-ingressgateway
+ labels:
+ release: istio
+spec:
+ selector:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - '*'
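Review bot: this Gateway defines a single plain-HTTP server on port 80 with `hosts: ['*']` and no `tls` block, so TLS is either terminated in front of the gateway or not at all; the file should carry a comment stating which deployment model is expected, because an operator hardening the ingress will look here for an HTTPS server and the `tls.httpsRedirect` option. Separately, unlike the two AuthorizationPolicy files in this change, `metadata` carries no `namespace`, so the Gateway lands wherever the enclosing kustomization (or the applier's current context) puts it; adding `namespace: istio-system` would make the file self-describing and consistent with its neighbours.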
diff --git a/common/istio-1-17/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-1-17/istio-install/base/gateway_authorizationpolicy.yaml
new file mode 100644
index 0000000000..e315e37241
--- /dev/null
+++ b/common/istio-1-17/istio-install/base/gateway_authorizationpolicy.yaml
@@ -0,0 +1,15 @@
+# Allow all traffic to the istio-ingressgateway
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ action: ALLOW
+ selector:
+ # Same as the istio-ingressgateway Service selector
+ matchLabels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ rules:
+ - {}
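Review bot: the comment `# Same as the istio-ingressgateway Service selector` above `matchLabels` describes the wrong object: an AuthorizationPolicy `selector` matches workload (pod) labels, not a Service. The labels coincide here because the Service selects pods by the same two labels, but the comment should read along the lines of `# Pod labels of the istio-ingressgateway Deployment` so nobody concludes that Service selectors drive authorization. Also worth stating in the header: `rules: [{}]` with `action: ALLOW` matches every request, so this policy carves the gateway out of the root-namespace deny-all entirely, and access control for anything behind it must come from the policies applied to those workloads; one sentence saying so documents the intended trust boundary.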
diff --git a/common/istio-1-17/istio-install/base/install.yaml b/common/istio-1-17/istio-install/base/install.yaml
new file mode 100644
index 0000000000..bad180c3cc
--- /dev/null
+++ b/common/istio-1-17/istio-install/base/install.yaml
@@ -0,0 +1,3530 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-ingressgateway-service-account
+ namespace: istio-system
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ release: istio
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: IngressGateways
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-reader-service-account
+ namespace: istio-system
+ labels:
+ app: istio-reader
+ release: istio
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istiod
+ namespace: istio-system
+ labels:
+ app: istiod
+ release: istio
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istiod-service-account
+ namespace: istio-system
+ labels:
+ app: istiod
+ release: istio
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-clusterrole-istio-system
+ labels:
+ app: istio-reader
+ release: istio
+rules:
+ - apiGroups:
+ - config.istio.io
+ - security.istio.io
+ - networking.istio.io
+ - authentication.istio.io
+ - rbac.istio.io
+ resources: ['*']
+ verbs: [get, list, watch]
+ - apiGroups: ['']
+ resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, secrets]
+ verbs: [get, list, watch]
+ - apiGroups: [networking.istio.io]
+ verbs: [get, watch, list]
+ resources: [workloadentries]
+ - apiGroups: [apiextensions.k8s.io]
+ resources: [customresourcedefinitions]
+ verbs: [get, list, watch]
+ - apiGroups: [discovery.k8s.io]
+ resources: [endpointslices]
+ verbs: [get, list, watch]
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceexports]
+ verbs: [get, list, watch, create, delete]
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceimports]
+ verbs: [get, list, watch]
+ - apiGroups: [apps]
+ resources: [replicasets]
+ verbs: [get, list, watch]
+ - apiGroups: [authentication.k8s.io]
+ resources: [tokenreviews]
+ verbs: [create]
+ - apiGroups: [authorization.k8s.io]
+ resources: [subjectaccessreviews]
+ verbs: [create]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-istio-system
+ labels:
+ app: istio-reader
+ release: istio
+rules:
+ - apiGroups:
+ - config.istio.io
+ - security.istio.io
+ - networking.istio.io
+ - authentication.istio.io
+ - rbac.istio.io
+ resources: ['*']
+ verbs: [get, list, watch]
+ - apiGroups: ['']
+ resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, secrets]
+ verbs: [get, list, watch]
+ - apiGroups: [networking.istio.io]
+ verbs: [get, watch, list]
+ resources: [workloadentries]
+ - apiGroups: [apiextensions.k8s.io]
+ resources: [customresourcedefinitions]
+ verbs: [get, list, watch]
+ - apiGroups: [discovery.k8s.io]
+ resources: [endpointslices]
+ verbs: [get, list, watch]
+ - apiGroups: [apps]
+ resources: [replicasets]
+ verbs: [get, list, watch]
+ - apiGroups: [authentication.k8s.io]
+ resources: [tokenreviews]
+ verbs: [create]
+ - apiGroups: [authorization.k8s.io]
+ resources: [subjectaccessreviews]
+ verbs: [create]
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceexports]
+ verbs: [get, watch, list]
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceimports]
+ verbs: [get, watch, list]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-clusterrole-istio-system
+ labels:
+ app: istiod
+ release: istio
+rules:
+ # sidecar injection controller
+ - apiGroups: [admissionregistration.k8s.io]
+ resources: [mutatingwebhookconfigurations]
+ verbs: [get, list, watch, update, patch]
+ # configuration validation webhook controller
+ - apiGroups: [admissionregistration.k8s.io]
+ resources: [validatingwebhookconfigurations]
+ verbs: [get, list, watch, update]
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, rbac.istio.io, telemetry.istio.io, extensions.istio.io]
+ verbs: [get, watch, list]
+ resources: ['*']
+ - apiGroups: [networking.istio.io]
+ verbs: [get, watch, list, update, patch, create, delete]
+ resources: [workloadentries]
+ - apiGroups: [networking.istio.io]
+ verbs: [get, watch, list, update, patch, create, delete]
+ resources: [workloadentries/status]
+ # auto-detect installed CRD definitions
+ - apiGroups: [apiextensions.k8s.io]
+ resources: [customresourcedefinitions]
+ verbs: [get, list, watch]
+ # discovery and routing
+ - apiGroups: ['']
+ resources: [pods, nodes, services, namespaces, endpoints]
+ verbs: [get, list, watch]
+ - apiGroups: [discovery.k8s.io]
+ resources: [endpointslices]
+ verbs: [get, list, watch]
+ # ingress controller
+ - apiGroups: [networking.k8s.io]
+ resources: [ingresses, ingressclasses]
+ verbs: [get, list, watch]
+ - apiGroups: [networking.k8s.io]
+ resources: [ingresses/status]
+ verbs: ['*']
+ # required for CA's namespace controller
+ - apiGroups: ['']
+ resources: [configmaps]
+ verbs: [create, get, list, watch, update]
+ # Istiod and bootstrap.
+ - apiGroups: [certificates.k8s.io]
+ resources:
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ - certificatesigningrequests/status
+ verbs: [update, create, get, delete, watch]
+ - apiGroups: [certificates.k8s.io]
+ resources:
+ - signers
+ resourceNames:
+ - kubernetes.io/legacy-unknown
+ verbs: [approve]
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: [authentication.k8s.io]
+ resources: [tokenreviews]
+ verbs: [create]
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: [authorization.k8s.io]
+ resources: [subjectaccessreviews]
+ verbs: [create]
+ # Use for Kubernetes Service APIs
+ - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io]
+ resources: ['*']
+ verbs: [get, watch, list]
+ - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io]
+ resources: ['*'] # TODO: should be on just */status but wildcard is not supported
+ verbs: [update, patch]
+ - apiGroups: [gateway.networking.k8s.io]
+ resources: [gatewayclasses]
+ verbs: [create, update, patch, delete]
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, watch, list]
+ # Used for MCS serviceexport management
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceexports]
+ verbs: [get, watch, list, create, delete]
+ # Used for MCS serviceimport management
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceimports]
+ verbs: [get, watch, list]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-gateway-controller-istio-system
+ labels:
+ app: istiod
+ release: istio
+rules:
+ - apiGroups: [apps]
+ verbs: [get, watch, list, update, patch, create, delete]
+ resources: [deployments]
+ - apiGroups: ['']
+ verbs: [get, watch, list, update, patch, create, delete]
+ resources: [services]
+ - apiGroups: ['']
+ verbs: [get, watch, list, update, patch, create, delete]
+ resources: [serviceaccounts]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-istio-system
+ labels:
+ app: istiod
+ release: istio
+rules:
+ # sidecar injection controller
+ - apiGroups: [admissionregistration.k8s.io]
+ resources: [mutatingwebhookconfigurations]
+ verbs: [get, list, watch, update, patch]
+ # configuration validation webhook controller
+ - apiGroups: [admissionregistration.k8s.io]
+ resources: [validatingwebhookconfigurations]
+ verbs: [get, list, watch, update]
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, rbac.istio.io, telemetry.istio.io]
+ verbs: [get, watch, list]
+ resources: ['*']
+ - apiGroups: [networking.istio.io]
+ verbs: [get, watch, list, update, patch, create, delete]
+ resources: [workloadentries]
+ - apiGroups: [networking.istio.io]
+ verbs: [get, watch, list, update, patch, create, delete]
+ resources: [workloadentries/status]
+ # auto-detect installed CRD definitions
+ - apiGroups: [apiextensions.k8s.io]
+ resources: [customresourcedefinitions]
+ verbs: [get, list, watch]
+ # discovery and routing
+ - apiGroups: ['']
+ resources: [pods, nodes, services, namespaces, endpoints]
+ verbs: [get, list, watch]
+ - apiGroups: [discovery.k8s.io]
+ resources: [endpointslices]
+ verbs: [get, list, watch]
+ # ingress controller
+ - apiGroups: [networking.k8s.io]
+ resources: [ingresses, ingressclasses]
+ verbs: [get, list, watch]
+ - apiGroups: [networking.k8s.io]
+ resources: [ingresses/status]
+ verbs: ['*']
+ # required for CA's namespace controller
+ - apiGroups: ['']
+ resources: [configmaps]
+ verbs: [create, get, list, watch, update]
+ # Istiod and bootstrap.
+ - apiGroups: [certificates.k8s.io]
+ resources:
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ - certificatesigningrequests/status
+ verbs: [update, create, get, delete, watch]
+ - apiGroups: [certificates.k8s.io]
+ resources:
+ - signers
+ resourceNames:
+ - kubernetes.io/legacy-unknown
+ verbs: [approve]
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: [authentication.k8s.io]
+ resources: [tokenreviews]
+ verbs: [create]
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: [authorization.k8s.io]
+ resources: [subjectaccessreviews]
+ verbs: [create]
+ # Use for Kubernetes Service APIs
+ - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io]
+ resources: ['*']
+ verbs: [get, watch, list]
+ - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io]
+ resources: ['*'] # TODO: should be on just */status but wildcard is not supported
+ verbs: [update]
+ - apiGroups: [gateway.networking.k8s.io]
+ resources: [gatewayclasses]
+ verbs: [create, update, patch, delete]
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, watch, list]
+ # Used for MCS serviceexport management
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceexports]
+ verbs: [get, watch, list, create, delete]
+ # Used for MCS serviceimport management
+ - apiGroups: [multicluster.x-k8s.io]
+ resources: [serviceimports]
+ verbs: [get, watch, list]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-clusterrole-istio-system
+ labels:
+ app: istio-reader
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-clusterrole-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-istio-system
+ labels:
+ app: istio-reader
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-clusterrole-istio-system
+ labels:
+ app: istiod
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-clusterrole-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istiod
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-gateway-controller-istio-system
+ labels:
+ app: istiod
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-gateway-controller-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istiod
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-istio-system
+ labels:
+ app: istiod
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istiod-service-account
+ namespace: istio-system
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator-istio-system
+ labels:
+ app: istiod
+ release: istio
+ istio: istiod
+ istio.io/rev: default
+webhooks:
+ # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ service:
+ name: istiod
+ namespace: istio-system
+ path: /validate
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions:
+ - '*'
+ resources:
+ - '*'
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: [v1beta1, v1]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ - default
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stats-filter-1.13
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: ^1\.13.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: ^1\.13.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ vm_config:
+ vm_id: stats_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: ^1\.13.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ vm_config:
+ vm_id: stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stats-filter-1.14
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: ^1\.14.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: ^1\.14.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ vm_config:
+ vm_id: stats_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: ^1\.14.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ vm_config:
+ vm_id: stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stats-filter-1.15
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: ^1\.15.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: ^1\.15.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ vm_config:
+ vm_id: stats_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: ^1\.15.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ vm_config:
+ vm_id: stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stats-filter-1.16
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: ^1\.16.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: ^1\.16.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ vm_config:
+ vm_id: stats_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: ^1\.16.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ vm_config:
+ vm_id: stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stats-filter-1.17
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: ^1\.17.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value: {}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: ^1\.17.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value: {disable_host_header_fallback: true}
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: ^1\.17.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.router
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value: {disable_host_header_fallback: true}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stats-filter-1.13
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: ^1\.13.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: ^1\.13.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: ^1\.13.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stats-filter-1.14
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: ^1\.14.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: ^1\.14.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: ^1\.14.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stats-filter-1.15
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: ^1\.15.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: ^1\.15.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: ^1\.15.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stats-filter-1.16
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: ^1\.16.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: ^1\.16.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: ^1\.16.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ '@type': type.googleapis.com/google.protobuf.StringValue
+ value: |
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ vm_config:
+ vm_id: tcp_stats_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stats-filter-1.17
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: ^1\.17.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value: {}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: ^1\.17.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value: {}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: ^1\.17.*
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.tcp_proxy
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ '@type': type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value: {}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: Pilot
+ release: istio
+data:
+ # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+ meshNetworks: |-
+ networks: {}
+ mesh: |-
+ defaultConfig:
+ discoveryAddress: istiod.istio-system.svc:15012
+ proxyMetadata: {}
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
+ enablePrometheusMerge: true
+ rootNamespace: istio-system
+ tcpKeepalive:
+ interval: 5s
+ probes: 3
+ time: 10s
+ trustDomain: cluster.local
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: Pilot
+ release: istio
+data:
+ values: |-
+ {
+ "global": {
+ "autoscalingv2API": true,
+ "caAddress": "",
+ "caName": "",
+ "certSigners": [],
+ "configCluster": false,
+ "configValidation": true,
+ "defaultNodeSelector": {},
+ "defaultPodDisruptionBudget": {
+ "enabled": true
+ },
+ "defaultResources": {
+ "requests": {
+ "cpu": "10m"
+ }
+ },
+ "enabled": true,
+ "externalIstiod": false,
+ "hub": "docker.io/istio",
+ "imagePullPolicy": "",
+ "imagePullSecrets": [],
+ "istioNamespace": "istio-system",
+ "istiod": {
+ "enableAnalysis": false
+ },
+ "jwtPolicy": "third-party-jwt",
+ "logAsJson": false,
+ "logging": {
+ "level": "default:info"
+ },
+ "meshID": "",
+ "meshNetworks": {},
+ "mountMtlsCerts": false,
+ "multiCluster": {
+ "clusterName": "",
+ "enabled": false
+ },
+ "namespace": "istio-system",
+ "network": "",
+ "omitSidecarInjectorConfigMap": false,
+ "oneNamespace": false,
+ "operatorManageWebhooks": false,
+ "pilotCertProvider": "istiod",
+ "priorityClassName": "",
+ "proxy": {
+ "autoInject": "enabled",
+ "clusterDomain": "cluster.local",
+ "componentLogLevel": "misc:error",
+ "enableCoreDump": false,
+ "excludeIPRanges": "",
+ "excludeInboundPorts": "",
+ "excludeOutboundPorts": "",
+ "holdApplicationUntilProxyStarts": false,
+ "image": "proxyv2",
+ "includeIPRanges": "*",
+ "includeInboundPorts": "*",
+ "includeOutboundPorts": "",
+ "logLevel": "warning",
+ "privileged": false,
+ "readinessFailureThreshold": 30,
+ "readinessInitialDelaySeconds": 1,
+ "readinessPeriodSeconds": 2,
+ "resources": {
+ "limits": {
+ "cpu": "2000m",
+ "memory": "1024Mi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ },
+ "statusPort": 15020,
+ "tracer": "zipkin"
+ },
+ "proxy_init": {
+ "image": "proxyv2",
+ "resources": {
+ "limits": {
+ "cpu": "2000m",
+ "memory": "1024Mi"
+ },
+ "requests": {
+ "cpu": "10m",
+ "memory": "10Mi"
+ }
+ }
+ },
+ "remotePilotAddress": "",
+ "sds": {
+ "token": {
+ "aud": "istio-ca"
+ }
+ },
+ "sts": {
+ "servicePort": 0
+ },
+ "tag": "1.17.3",
+ "tracer": {
+ "datadog": {
+ "address": "$(HOST_IP):8126"
+ },
+ "lightstep": {
+ "accessToken": "",
+ "address": ""
+ },
+ "stackdriver": {
+ "debug": false,
+ "maxNumberOfAnnotations": 200,
+ "maxNumberOfAttributes": 200,
+ "maxNumberOfMessageEvents": 200
+ },
+ "zipkin": {
+ "address": ""
+ }
+ },
+ "useMCP": false,
+ "variant": ""
+ },
+ "istio_cni": {
+ "enabled": false
+ },
+ "revision": "",
+ "sidecarInjectorWebhook": {
+ "alwaysInjectSelector": [],
+ "defaultTemplates": [],
+ "enableNamespacesByDefault": false,
+ "injectedAnnotations": {},
+ "neverInjectSelector": [],
+ "rewriteAppHTTPProbe": true,
+ "templates": {}
+ }
+ }
+ # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+ # and istiod webhook functionality.
+ #
+ # New fields should not use Values - it is a 'primary' config object, users should be able
+ # to fine tune it or use it with kube-inject.
+ config: |-
+ # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+ defaultTemplates: [sidecar]
+ policy: enabled
+ alwaysInjectSelector:
+ []
+ neverInjectSelector:
+ []
+ injectedAnnotations:
+ template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}"
+ templates:
+ sidecar: |
+ {{- define "resources" }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+ requests:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ {{ end }}
+ {{- end }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ limits:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ {{ end }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.global.proxy.resources }}
+ {{ toYaml .Values.global.proxy.resources | indent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- $containers := list }}
+ {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+ metadata:
+ labels:
+ security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
+ {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+ networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }}
+ {{- end }}
+ service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
+ service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
+ annotations: {
+ {{- if ge (len $containers) 1 }}
+ {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ {{- end }}
+ {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{- end }}
+ {{- end }}
+ {{- if .Values.istio_cni.enabled }}
+ {{- if not .Values.istio_cni.chained }}
+ k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
+ {{- end }}
+ sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+ {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+ {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+ {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }}
+ traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+ traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+ {{- end }}
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+ traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+ {{- end }}
+ {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+ {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+ {{- end }}
+ }
+ spec:
+ {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
+ initContainers:
+ {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+ {{ if .Values.istio_cni.enabled -}}
+ - name: istio-validation
+ {{ else -}}
+ - name: istio-init
+ {{ end -}}
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ args:
+ - istio-iptables
+ - "-p"
+ - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+ - "-z"
+ - "15006"
+ - "-u"
+ - "1337"
+ - "-m"
+ - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+ - "-i"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+ - "-x"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+ - "-b"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+ - "-d"
+ {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+ - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+ {{- else }}
+ - "15090,15021"
+ {{- end }}
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+ - "-q"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+ {{ end -}}
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+ - "-o"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+ {{ end -}}
+ {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+ - "-k"
+ - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+ {{ end -}}
+ {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+ - "-c"
+ - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+ {{ end -}}
+ - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+ {{ if .Values.global.logAsJson -}}
+ - "--log_as_json"
+ {{ end -}}
+ {{ if .Values.istio_cni.enabled -}}
+ - "--run-validation"
+ - "--skip-rule-apply"
+ {{ end -}}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{- if .ProxyConfig.ProxyMetadata }}
+ env:
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- end }}
+ resources:
+ {{ template "resources" . }}
+ securityContext:
+ allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+ privileged: {{ .Values.global.proxy.privileged }}
+ capabilities:
+ {{- if not .Values.istio_cni.enabled }}
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ {{- end }}
+ drop:
+ - ALL
+ {{- if not .Values.istio_cni.enabled }}
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ {{- else }}
+ readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsUser: 1337
+ runAsNonRoot: true
+ {{- end }}
+ {{ end -}}
+ {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ - name: enable-core-dump
+ args:
+ - -c
+ - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
+ command:
+ - /bin/sh
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ resources:
+ {{ template "resources" . }}
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - SYS_ADMIN
+ drop:
+ - ALL
+ privileged: true
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ {{ end }}
+ containers:
+ - name: istio-proxy
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - sidecar
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+ - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if gt .EstimatedConcurrency 0 }}
+ - --concurrency
+ - "{{ .EstimatedConcurrency }}"
+ {{- end -}}
+ {{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+ {{- else if $holdProxy }}
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - pilot-agent
+ - wait
+ {{- end }}
+ env:
+ {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+ - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+ value: "true"
+ {{- end }}
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - name: ISTIO_BOOTSTRAP_OVERRIDE
+ value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+ {{- end }}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+ {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+ {{ end -}}
+ securityContext:
+ {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - NET_ADMIN
+ drop:
+ - ALL
+ privileged: true
+ readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ runAsGroup: 1337
+ runAsNonRoot: false
+ runAsUser: 0
+ {{- else }}
+ allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+ capabilities:
+ {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+ add:
+ {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+ - NET_ADMIN
+ {{- end }}
+ {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
+ - NET_BIND_SERVICE
+ {{- end }}
+ {{- end }}
+ drop:
+ - ALL
+ privileged: {{ .Values.global.proxy.privileged }}
+ readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ runAsGroup: 1337
+ {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+ runAsNonRoot: false
+ runAsUser: 0
+ {{- else -}}
+ runAsNonRoot: true
+ runAsUser: 1337
+ {{- end }}
+ {{- end }}
+ resources:
+ {{ template "resources" . }}
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /var/run/secrets/workload-spiffe-uds
+ - name: credential-socket
+ mountPath: /var/run/secrets/credential-uds
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ readOnly: true
+ {{- else }}
+ - name: workload-certs
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
+ - mountPath: /var/run/secrets/istio/kubernetes
+ name: kube-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - mountPath: /etc/istio/custom-bootstrap
+ name: custom-bootstrap-volume
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+ - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+ name: lightstep-certs
+ readOnly: true
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+ {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 6 }}
+ {{ end }}
+ {{- end }}
+ volumes:
+ - emptyDir:
+ name: workload-socket
+ - emptyDir:
+ name: credential-socket
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ csi:
+ driver: workloadcertificates.security.cloud.google.com
+ {{- else }}
+ - emptyDir:
+ name: workload-certs
+ {{- end }}
+ {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - name: custom-bootstrap-volume
+ configMap:
+ name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
+ - name: kube-ca-cert
+ configMap:
+ name: kube-root-ca.crt
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+ - name: lightstep-certs
+ secret:
+ optional: true
+ secretName: lightstep.cacert
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
+ securityContext:
+ fsGroup: 1337
+ {{- end }}
+ gateway: |
+ {{- $containers := list }}
+ {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+ metadata:
+ labels:
+ service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
+ service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
+ istio.io/rev: {{ index .ObjectMeta.Labels `istio.io/rev` | default .Revision | default "default" | quote }}
+ annotations: {
+ {{- if eq (len $containers) 1 }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{ end }}
+ }
+ spec:
+ containers:
+ - name: istio-proxy
+ {{- if contains "/" .Values.global.proxy.image }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+ - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+ {{- end }}
+ env:
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /var/run/secrets/workload-spiffe-uds
+ - name: credential-socket
+ mountPath: /var/run/secrets/credential-uds
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ readOnly: true
+ {{- else }}
+ - name: workload-certs
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # SDS channel between istioagent and Envoy
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ volumes:
+ - emptyDir: {}
+ name: workload-socket
+ - emptyDir: {}
+ name: credential-socket
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ csi:
+ driver: workloadcertificates.security.cloud.google.com
+ {{- else}}
+ - emptyDir: {}
+ name: workload-certs
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
+ securityContext:
+ fsGroup: 1337
+ {{- end }}
+ grpc-simple: |
+ metadata:
+ annotations:
+ sidecar.istio.io/rewriteAppHTTPProbers: "false"
+ spec:
+ initContainers:
+ - name: grpc-bootstrap-init
+ image: busybox:1.28
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ env:
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ISTIO_NAMESPACE
+ value: |
+ {{ .Values.global.istioNamespace }}
+ command:
+ - sh
+ - "-c"
+ - |-
+ NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+ SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+ echo '
+ {
+ "xds_servers": [
+ {
+ "server_uri": "'${SERVER_URI}'",
+ "channel_creds": [{"type": "insecure"}],
+ "server_features" : ["xds_v3"]
+ }
+ ],
+ "node": {
+ "id": "'${NODE_ID}'",
+ "metadata": {
+ "GENERATOR": "grpc"
+ }
+ }
+ }' > /var/lib/grpc/data/bootstrap.json
+ containers:
+ {{- range $index, $container := .Spec.Containers }}
+ - name: {{ $container.Name }}
+ env:
+ - name: GRPC_XDS_BOOTSTRAP
+ value: /var/lib/grpc/data/bootstrap.json
+ - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+ value: "99"
+ - name: GRPC_GO_LOG_SEVERITY_LEVEL
+ value: info
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ {{- end }}
+ volumes:
+ - name: grpc-io-proxyless-bootstrap
+ emptyDir: {}
+ grpc-agent: |
+ {{- define "resources" }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+ requests:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ {{ end }}
+ {{- end }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ limits:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ {{ end }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.global.proxy.resources }}
+ {{ toYaml .Values.global.proxy.resources | indent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- $containers := list }}
+ {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+ metadata:
+ labels:
+ {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+ service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
+ service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
+ annotations: {
+ {{- if ge (len $containers) 1 }}
+ {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ {{- end }}
+ {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{- end }}
+ {{- end }}
+ sidecar.istio.io/rewriteAppHTTPProbers: "false",
+ }
+ spec:
+ containers:
+ - name: istio-proxy
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ ports:
+ - containerPort: 15020
+ protocol: TCP
+ name: mesh-metrics
+ args:
+ - proxy
+ - sidecar
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+ - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - pilot-agent
+ - wait
+ - --url=http://localhost:15020/healthz/ready
+ env:
+ - name: ISTIO_META_GENERATOR
+ value: grpc
+ - name: OUTPUT_CERTS
+ value: /var/lib/istio/data
+ {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+ - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+ value: "true"
+ {{- end }}
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ # grpc uses xds:/// to resolve – no need to resolve VIP
+ - name: ISTIO_META_DNS_CAPTURE
+ value: "false"
+ - name: DISABLE_ENVOY
+ value: "true"
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15020
+ initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+ resources:
+ {{ template "resources" . }}
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /var/run/secrets/workload-spiffe-uds
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ readOnly: true
+ {{- else }}
+ - name: workload-certs
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - mountPath: /etc/istio/proxy
+ name: istio-xds
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+ {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 6 }}
+ {{ end }}
+ {{- end }}
+ {{- range $index, $container := .Spec.Containers }}
+ {{ if not (eq $container.Name "istio-proxy") }}
+ - name: {{ $container.Name }}
+ env:
+ - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+ value: "true"
+ - name: "GRPC_XDS_BOOTSTRAP"
+ value: "/etc/istio/proxy/grpc-bootstrap.json"
+ volumeMounts:
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - mountPath: /etc/istio/proxy
+ name: istio-xds
+ {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ readOnly: true
+ {{- else }}
+ - name: workload-certs
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ volumes:
+ - emptyDir:
+ name: workload-socket
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ csi:
+ driver: workloadcertificates.security.cloud.google.com
+ {{- else }}
+ - emptyDir:
+ name: workload-certs
+ {{- end }}
+ {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - name: custom-bootstrap-volume
+ configMap:
+ name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-xds
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
+ securityContext:
+ fsGroup: 1337
+ {{- end }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: istio-sidecar-injector
+ labels:
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: Pilot
+ app: sidecar-injector
+ release: istio
+webhooks:
+ - name: rev.namespace.sidecar-injector.istio.io
+ clientConfig:
+ service:
+ name: istiod
+ namespace: istio-system
+ path: /inject
+ port: 443
+ sideEffects: None
+ rules:
+ - operations: [CREATE]
+ apiGroups: ['']
+ apiVersions: [v1]
+ resources: [pods]
+ failurePolicy: Fail
+ admissionReviewVersions: [v1beta1, v1]
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ - default
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - 'false'
+ - name: rev.object.sidecar-injector.istio.io
+ clientConfig:
+ service:
+ name: istiod
+ namespace: istio-system
+ path: /inject
+ port: 443
+ sideEffects: None
+ rules:
+ - operations: [CREATE]
+ apiGroups: ['']
+ apiVersions: [v1]
+ resources: [pods]
+ failurePolicy: Fail
+ admissionReviewVersions: [v1beta1, v1]
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - 'false'
+ - key: istio.io/rev
+ operator: In
+ values:
+ - default
+ - name: namespace.sidecar-injector.istio.io
+ clientConfig:
+ service:
+ name: istiod
+ namespace: istio-system
+ path: /inject
+ port: 443
+ sideEffects: None
+ rules:
+ - operations: [CREATE]
+ apiGroups: ['']
+ apiVersions: [v1]
+ resources: [pods]
+ failurePolicy: Fail
+ admissionReviewVersions: [v1beta1, v1]
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: In
+ values:
+ - enabled
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - 'false'
+ - name: object.sidecar-injector.istio.io
+ clientConfig:
+ service:
+ name: istiod
+ namespace: istio-system
+ path: /inject
+ port: 443
+ sideEffects: None
+ rules:
+ - operations: [CREATE]
+ apiGroups: ['']
+ apiVersions: [v1]
+ resources: [pods]
+ failurePolicy: Fail
+ admissionReviewVersions: [v1beta1, v1]
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: In
+ values:
+ - 'true'
+ - key: istio.io/rev
+ operator: DoesNotExist
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ release: istio
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: IngressGateways
+spec:
+ selector:
+ matchLabels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ strategy:
+ rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 25%
+ template:
+ metadata:
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ heritage: Tiller
+ release: istio
+ chart: gateways
+ service.istio.io/canonical-name: istio-ingressgateway
+ service.istio.io/canonical-revision: latest
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: IngressGateways
+ sidecar.istio.io/inject: 'false'
+ annotations:
+ prometheus.io/port: '15020'
+ prometheus.io/scrape: 'true'
+ prometheus.io/path: /stats/prometheus
+ sidecar.istio.io/inject: 'false'
+ spec:
+ securityContext:
+ runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ fsGroup: 1337
+ serviceAccountName: istio-ingressgateway-service-account
+ containers:
+ - name: istio-proxy
+ image: docker.io/istio/proxyv2:1.17.3
+ ports:
+ - containerPort: 15021
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 8443
+ protocol: TCP
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.cluster.local
+ - --proxyLogLevel=warning
+ - --proxyComponentLogLevel=misc:error
+ - --log_output_level=default:info
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ env:
+ - name: JWT_POLICY
+ value: third-party-jwt
+ - name: PILOT_CERT_PROVIDER
+ value: istiod
+ - name: CA_ADDR
+ value: istiod.istio-system.svc:15012
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.hostIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: istio-ingressgateway
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
+ - name: ISTIO_META_MESH_ID
+ value: cluster.local
+ - name: TRUST_DOMAIN
+ value: cluster.local
+ - name: ISTIO_META_UNPRIVILEGED_POD
+ value: 'true'
+ - name: ISTIO_META_CLUSTER_ID
+ value: Kubernetes
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /var/run/secrets/workload-spiffe-uds
+ - name: credential-socket
+ mountPath: /var/run/secrets/credential-uds
+ - name: workload-certs
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ - name: istio-envoy
+ mountPath: /etc/istio/proxy
+ - name: config-volume
+ mountPath: /etc/istio/config
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ - name: podinfo
+ mountPath: /etc/istio/pod
+ - name: ingressgateway-certs
+ mountPath: /etc/istio/ingressgateway-certs
+ readOnly: true
+ - name: ingressgateway-ca-certs
+ mountPath: /etc/istio/ingressgateway-ca-certs
+ readOnly: true
+ volumes:
+ - emptyDir: {}
+ name: workload-socket
+ - emptyDir: {}
+ name: credential-socket
+ - emptyDir: {}
+ name: workload-certs
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ - name: podinfo
+ downwardAPI:
+ items:
+ - path: labels
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: annotations
+ fieldRef:
+ fieldPath: metadata.annotations
+ - name: istio-envoy
+ emptyDir: {}
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: istio-ca
+ - name: config-volume
+ configMap:
+ name: istio
+ optional: true
+ - name: ingressgateway-certs
+ secret:
+ secretName: istio-ingressgateway-certs
+ optional: true
+ - name: ingressgateway-ca-certs
+ secret:
+ secretName: istio-ingressgateway-ca-certs
+ optional: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ preferredDuringSchedulingIgnoredDuringExecution:
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istiod
+ namespace: istio-system
+ labels:
+ app: istiod
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: Pilot
+ istio: pilot
+ release: istio
+spec:
+ strategy:
+ rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 25%
+ selector:
+ matchLabels:
+ istio: pilot
+ template:
+ metadata:
+ labels:
+ app: istiod
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ sidecar.istio.io/inject: 'false'
+ operator.istio.io/component: Pilot
+ istio: pilot
+ annotations:
+ prometheus.io/port: '15014'
+ prometheus.io/scrape: 'true'
+ sidecar.istio.io/inject: 'false'
+ spec:
+ serviceAccountName: istiod
+ securityContext:
+ fsGroup: 1337
+ containers:
+ - name: discovery
+ image: docker.io/istio/pilot:1.17.3
+ args:
+ - discovery
+ - --monitoringAddr=:15014
+ - --log_output_level=default:info
+ - --domain
+ - cluster.local
+ - --keepaliveMaxServerConnectionAge
+ - 30m
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 15010
+ protocol: TCP
+ - containerPort: 15017
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 1
+ periodSeconds: 3
+ timeoutSeconds: 5
+ env:
+ - name: REVISION
+ value: default
+ - name: JWT_POLICY
+ value: third-party-jwt
+ - name: PILOT_CERT_PROVIDER
+ value: istiod
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.serviceAccountName
+ - name: KUBECONFIG
+ value: /var/run/secrets/remote/config
+ - name: PILOT_TRACE_SAMPLING
+ value: '1'
+ - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
+ value: 'true'
+ - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
+ value: 'true'
+ - name: ISTIOD_ADDR
+ value: istiod.istio-system.svc:15012
+ - name: PILOT_ENABLE_ANALYSIS
+ value: 'false'
+ - name: CLUSTER_ID
+ value: Kubernetes
+ resources:
+ requests:
+ cpu: 500m
+ memory: 2048Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
+ - name: local-certs
+ mountPath: /var/run/secrets/istio-dns
+ - name: cacerts
+ mountPath: /etc/cacerts
+ readOnly: true
+ - name: istio-kubeconfig
+ mountPath: /var/run/secrets/remote
+ readOnly: true
+ - name: istio-csr-dns-cert
+ mountPath: /var/run/secrets/istiod/tls
+ readOnly: true
+ - name: istio-csr-ca-configmap
+ mountPath: /var/run/secrets/istiod/ca
+ readOnly: true
+ volumes:
+ # Technically not needed on this pod - but it helps debugging/testing SDS
+ # Should be removed after everything works.
+ - emptyDir:
+ medium: Memory
+ name: local-certs
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: istio-ca
+ expirationSeconds: 43200
+ path: istio-token
+ # Optional: user-generated root
+ - name: cacerts
+ secret:
+ secretName: cacerts
+ optional: true
+ - name: istio-kubeconfig
+ secret:
+ secretName: istio-kubeconfig
+ optional: true
+ # Optional: istio-csr dns pilot certs
+ - name: istio-csr-dns-cert
+ secret:
+ secretName: istiod-tls
+ optional: true
+ - name: istio-csr-ca-configmap
+ configMap:
+ name: istio-ca-root-cert
+ defaultMode: 420
+ optional: true
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istio-ingressgateway-sds
+ namespace: istio-system
+ labels:
+ release: istio
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: IngressGateways
+rules:
+ - apiGroups: ['']
+ resources: [secrets]
+ verbs: [get, watch, list]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod
+ namespace: istio-system
+ labels:
+ app: istiod
+ release: istio
+rules:
+ - apiGroups: [networking.istio.io]
+ verbs: [create]
+ resources: [gateways]
+ - apiGroups: ['']
+ resources: [secrets]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: [create, get, watch, list, update, delete]
+ - apiGroups: ['']
+ resources: [configmaps]
+ verbs: [delete]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod-istio-system
+ namespace: istio-system
+ labels:
+ app: istiod
+ release: istio
+rules:
+ - apiGroups: [networking.istio.io]
+ verbs: [create]
+ resources: [gateways]
+ - apiGroups: ['']
+ resources: [secrets]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: [create, get, watch, list, update, delete]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istio-ingressgateway-sds
+ namespace: istio-system
+ labels:
+ release: istio
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: IngressGateways
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-ingressgateway-sds
+subjects:
+ - kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod
+ namespace: istio-system
+ labels:
+ app: istiod
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod
+subjects:
+ - kind: ServiceAccount
+ name: istiod
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod-istio-system
+ namespace: istio-system
+ labels:
+ app: istiod
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istiod-service-account
+ namespace: istio-system
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ release: istio
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: IngressGateways
+spec:
+ maxReplicas: 5
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istio-ingressgateway
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 80
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istiod
+ namespace: istio-system
+ labels:
+ app: istiod
+ release: istio
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: Pilot
+spec:
+ maxReplicas: 5
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istiod
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+ annotations:
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ release: istio
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: IngressGateways
+spec:
+ type: LoadBalancer
+ selector:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ ports:
+ - name: status-port
+ port: 15021
+ protocol: TCP
+ targetPort: 15021
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiod
+ namespace: istio-system
+ labels:
+ istio.io/rev: default
+ install.operator.istio.io/owning-resource: unknown
+ operator.istio.io/component: Pilot
+ app: istiod
+ istio: pilot
+ release: istio
+spec:
+ ports:
+ - port: 15010
+ name: grpc-xds # plaintext
+ protocol: TCP
+ - port: 15012
+ name: https-dns # mTLS with k8s-signed cert
+ protocol: TCP
+ - port: 443
+ name: https-webhook # validation and injection
+ targetPort: 15017
+ protocol: TCP
+ - port: 15014
+ name: http-monitoring # prometheus stats
+ protocol: TCP
+ selector:
+ app: istiod
+ # Label used by the 'default' service. For versioned deployments we match with app and version.
+ # This avoids default deployment picking the canary
+ istio: pilot
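Review bot: the RBAC objects near the end of this hunk are inconsistent with the istiod Deployment above them. The Deployment runs as `serviceAccountName: istiod` and the `istiod` RoleBinding binds that account, but the `istiod-istio-system` RoleBinding binds a ServiceAccount named `istiod-service-account`, and the Role it references repeats the same broad Secrets rule (`verbs: [create, get, watch, list, update, delete]` on every Secret in istio-system) that the inline TODO already asks to lock down. Verify that second account is actually created and used; if not, drop the duplicate Role/RoleBinding pair so the broad grant exists only once, and if the DNS cert mesh config is not in use, narrow the remaining Secrets rule with `resourceNames` as the TODO suggests. The `istio-ingressgateway-sds` Role is the upstream default for gateway SDS, but it also lets the gateway pod read `cacerts` and `istio-kubeconfig` should those Secrets ever be created in istio-system, which is worth a comment next to the rule.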
diff --git a/common/istio-1-17/istio-install/base/kustomization.yaml b/common/istio-1-17/istio-install/base/kustomization.yaml
new file mode 100644
index 0000000000..647755c6a2
--- /dev/null
+++ b/common/istio-1-17/istio-install/base/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: istio-system
+
+resources:
+- install.yaml
+- gateway_authorizationpolicy.yaml
+- deny_all_authorizationpolicy.yaml
+- gateway.yaml
+- x-forwarded-host.yaml
+
+patchesStrategicMerge:
+- patches/service.yaml
+- patches/istio-configmap-disable-tracing.yaml
+- patches/disable-debugging.yaml
+# Disable this patch until we upgrade to kustomize to v4+
+# see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056
+# - patches/remove-pdb.yaml
+
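Review bot: `patchesStrategicMerge` is deprecated in kustomize v5 in favour of `patches`, so the migration this file already anticipates (the commented-out `remove-pdb.yaml` entry and the "until we upgrade to kustomize to v4+" note, which has a stray "to") should switch the key at the same time. While that entry stays commented out, the PodDisruptionBudgets produced by `defaultPodDisruptionBudget.enabled: true` in profile.yaml remain in place on Deployments whose HPAs allow `minReplicas: 1`, which can block node drains on a single-replica istiod or gateway; say so in the comment so operators know why drains may hang until the patch is re-enabled.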
diff --git a/common/istio-1-17/istio-install/base/patches/disable-debugging.yaml b/common/istio-1-17/istio-install/base/patches/disable-debugging.yaml
new file mode 100644
index 0000000000..2b3f43dd1d
--- /dev/null
+++ b/common/istio-1-17/istio-install/base/patches/disable-debugging.yaml
@@ -0,0 +1,17 @@
+# Penetration test enahncement: check port 15010 & 8080 in istiod: According to https://istio.io/latest/docs/ops/best-practices/security/#control-plane port 15010
+# is not that problematic (only resource discovery). Other parts of the documentation also say| 15010 | GRPC | XDS and CA services (Plaintext, only for secure networks) |
+# We have a secure network layer and only XDS is served.
+# Port 8080 is not listed in the service and even if it would be somehow reachable by IP it only "offers read access".
+# Nevertheless we set ENABLE_DEBUG_ON_HTTP=false do disable it entirely.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istiod
+ namespace: istio-system
+spec:
+ template:
+ spec:
+ containers:
+ - name: discovery
+ env:
+ - name: ENABLE_DEBUG_ON_HTTP
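Review bot: the `ENABLE_DEBUG_ON_HTTP` entry on the last line of this hunk has no `value`, so the patch does not do what the header comment says ("we set ENABLE_DEBUG_ON_HTTP=false"). Kubernetes applies an env entry without `value`/`valueFrom` as an empty string, and Istio falls back to the variable's default (debug enabled) when the value is not a parsable boolean, so the istiod debug endpoints on 8080 stay on. Add `value: "false"` under the name (quoted, so it is a string and not a YAML boolean). While here, fix the typos in the header comment ("enahncement", "do disable") and, since the comment justifies leaving 15010 open only because the network layer is trusted, state that assumption as a requirement rather than as an aside.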
diff --git a/common/istio-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml
new file mode 100644
index 0000000000..4db376d17e
--- /dev/null
+++ b/common/istio-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio
+ namespace: istio-system
+data:
+ # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+ mesh: |-
+ accessLogFile: /dev/stdout
+ defaultConfig:
+ discoveryAddress: istiod.istio-system.svc:15012
+ proxyMetadata: {}
+ tracing: {}
+ enablePrometheusMerge: true
+ rootNamespace: istio-system
+ tcpKeepalive:
+ interval: 5s
+ probes: 3
+ time: 10s
+ trustDomain: cluster.local
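Review bot: the comment above `mesh:` describes the `meshNetworks` key (Split Horizon EDS), not the `mesh` key this patch sets, so it misleads; replace it with the actual purpose, which is `tracing: {}` under `defaultConfig`, the documented way to remove the tracer that `global.proxy.tracer: zipkin` in profile.yaml would otherwise configure. Note also that `mesh` is a single string value, so a strategic-merge patch replaces the whole document rather than merging keys: any other mesh setting emitted into the upstream `istio` ConfigMap is dropped unless it is repeated here (`accessLogFile`, `discoveryAddress`, `trustDomain`, `tcpKeepalive` are that copy), which means this file must be re-synced against the generated ConfigMap on every Istio upgrade; a comment saying so would save the next upgrader a surprise.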
diff --git a/common/istio-1-17/istio-install/base/patches/remove-pdb.yaml b/common/istio-1-17/istio-install/base/patches/remove-pdb.yaml
new file mode 100644
index 0000000000..94b555efd6
--- /dev/null
+++ b/common/istio-1-17/istio-install/base/patches/remove-pdb.yaml
@@ -0,0 +1,14 @@
+---
+$patch: delete
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+---
+$patch: delete
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: istiod
+ namespace: istio-system
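Review bot: this file is added but its only reference, the `- patches/remove-pdb.yaml` entry in istio-install/base/kustomization.yaml, is commented out, so it is dead content until the kustomize upgrade the kustomization comment mentions. Add a header comment pointing at that entry and the linked issue so the file is not dropped by accident in a later cleanup, and note that `policy/v1` for PodDisruptionBudget assumes Kubernetes 1.21 or newer.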
diff --git a/common/istio-1-17/istio-install/base/patches/service.yaml b/common/istio-1-17/istio-install/base/patches/service.yaml
new file mode 100644
index 0000000000..5d2faff985
--- /dev/null
+++ b/common/istio-1-17/istio-install/base/patches/service.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ type: ClusterIP
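Review bot: overriding the generated `istio-ingressgateway` Service from `LoadBalancer` to `ClusterIP` is a sensible default for not exposing the gateway on a cloud load balancer, but nothing in this file says so, and a reader of install.yaml will see `LoadBalancer` and expect external access. Add a comment stating the intent and that reaching the gateway from outside the cluster requires a port-forward, an Ingress in front of it, or an overlay that sets the type back, together with the fact that the Kubeflow gateway only serves plaintext HTTP on port 80.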
diff --git a/common/istio-1-17/istio-install/base/x-forwarded-host.yaml b/common/istio-1-17/istio-install/base/x-forwarded-host.yaml
new file mode 100644
index 0000000000..4bae262aa6
--- /dev/null
+++ b/common/istio-1-17/istio-install/base/x-forwarded-host.yaml
@@ -0,0 +1,42 @@
+# EnvoyFilter for adding the X-Forwarded-Host header.
+# Needed for the Rok GW to work correctly.
+# Older manifests used an Istio rule, but that relies on Mixer which
+# is deprecated. This way is more performant and up-to-date.
+#
+# TODO: X-Forwarded-Host needs to be applied in two steps:
+# 1. Put old host in `X-Forwarded-Host`
+# 2. Update Host in request
+#
+# This filter only does (1). It can't do (2) because it doesn't know the new
+# host yet. See if we can add an EnvoyFilter for (2). We currently have to do
+# this per VirtualService, in each app that needs it.
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: x-forwarded-host
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway
+ configPatches:
+ # The first patch adds the lua filter to the listener/http connection manager
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.http_connection_manager"
+ subFilter:
+ name: "envoy.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: envoy.filters.http.lua
+ typed_config:
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
+ inlineCode: |
+ function envoy_on_request(request_handle)
+ local host = request_handle:headers():get(":authority")
+ request_handle:headers():add("x-forwarded-host", host)
+ end
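Review bot: the Lua filter uses `headers():add`, which appends a second `x-forwarded-host` value when the client already sent one instead of overwriting it; an application that reads the first value of the header then sees the client-supplied host rather than the one the gateway observed in `:authority`. Use `request_handle:headers():replace("x-forwarded-host", host)` so the header always reflects what the gateway saw. Separately, the match block uses the legacy filter names `envoy.http_connection_manager` and `envoy.router`; the canonical names are `envoy.filters.network.http_connection_manager` and `envoy.filters.http.router`, and the legacy aliases are deprecated, so switching them now avoids a breakage on a later Envoy bump.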
diff --git a/common/istio-1-17/istio-namespace/base/kustomization.yaml b/common/istio-1-17/istio-namespace/base/kustomization.yaml
new file mode 100644
index 0000000000..a8cfd5774a
--- /dev/null
+++ b/common/istio-1-17/istio-namespace/base/kustomization.yaml
@@ -0,0 +1,10 @@
+#
+# Copyright © 2020 Arrikto Inc. All Rights Reserved.
+#
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- namespace.yaml
+namespace: istio-system
diff --git a/common/istio-1-17/istio-namespace/base/namespace.yaml b/common/istio-1-17/istio-namespace/base/namespace.yaml
new file mode 100644
index 0000000000..355352bbb2
--- /dev/null
+++ b/common/istio-1-17/istio-namespace/base/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+ labels:
+ istio-operator-managed: Reconcile
+ istio-injection: disabled
diff --git a/common/istio-1-17/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-1-17/kubeflow-istio-resources/base/cluster-roles.yaml
new file mode 100644
index 0000000000..d60d4e9cd2
--- /dev/null
+++ b/common/istio-1-17/kubeflow-istio-resources/base/cluster-roles.yaml
@@ -0,0 +1,55 @@
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-istio-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-istio-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
+rules:
+- apiGroups:
+ - istio.io
+ - networking.istio.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-istio-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+ - istio.io
+ - networking.istio.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
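Review bot: `kubeflow-istio-edit` grants every write verb on `resources: ["*"]` in `networking.istio.io`, which includes `EnvoyFilter` and `ServiceEntry`, not just the routing objects a notebook or pipeline user needs. An EnvoyFilter lets its holder inject arbitrary Envoy or Lua configuration into the proxies of the namespace it is applied in (the x-forwarded-host filter in this PR shows how much a single one can change), and a ServiceEntry adds external endpoints to the mesh registry, so consider enumerating the kinds this role is meant to cover instead of the wildcard. The `istio.io` entry in `apiGroups` is harmless but unused: Istio's CRDs live under groups such as `networking.istio.io`, `security.istio.io` and `telemetry.istio.io`, not a bare `istio.io`.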
diff --git a/common/istio-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml
new file mode 100644
index 0000000000..720ff97dd3
--- /dev/null
+++ b/common/istio-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: kubeflow-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
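Review bot: `kubeflow-gateway` declares a single plaintext HTTP server on port 80 for `hosts: "*"` and no `tls` block, so any request that reaches the gateway from outside the cluster carries its session cookie and ID token in the clear unless TLS is terminated in front of it. Since the Service type is also patched to `ClusterIP` in this PR, that is fine for the default in-cluster setup, but add a comment saying TLS termination is expected upstream (or add an HTTPS server with `tls.mode: SIMPLE` and a credential) so an operator who switches the Service back to `LoadBalancer` does not expose the login flow over HTTP.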
diff --git a/common/istio-1-17/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-1-17/kubeflow-istio-resources/base/kustomization.yaml
new file mode 100644
index 0000000000..75669a18a5
--- /dev/null
+++ b/common/istio-1-17/kubeflow-istio-resources/base/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- kf-istio-resources.yaml
+- cluster-roles.yaml
+namespace: kubeflow
diff --git a/common/istio-1-17/profile-overlay.yaml b/common/istio-1-17/profile-overlay.yaml
new file mode 100644
index 0000000000..1ab0a58576
--- /dev/null
+++ b/common/istio-1-17/profile-overlay.yaml
@@ -0,0 +1,56 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ meshConfig:
+ tcpKeepalive:
+ time: 10s
+ interval: 5s
+ probes: 3
+ components:
+ ingressGateways:
+ # Cluster-local gateway for KFServing
+ - enabled: true
+ name: cluster-local-gateway
+ # https://github.com/istio/istio/issues/19263#issuecomment-615833092
+ label:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
+ k8s:
+ env:
+ - name: ISTIO_META_ROUTER_MODE
+ value: sni-dnat
+ hpaSpec:
+ maxReplicas: 5
+ metrics:
+ - resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 80
+ type: Resource
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: cluster-local-gateway
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ service:
+ type: ClusterIP
+ ports:
+ - name: status-port
+ port: 15020
+ targetPort: 15020
+ - name: http2
+ port: 80
+ targetPort: 8080
+
+ # Disable EgressGateway
+ egressGateways:
+ - enabled: false
+ name: istio-egressgateway
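Review bot: the cluster-local-gateway Service here maps `status-port` to 15020, while the generated `istio-ingressgateway` Service and readiness probe in this PR use 15021 (`/healthz/ready`); the two gateways should agree on the status port, so confirm which one the 1.17 gateway health check is served on and align this overlay with it. A one-line comment explaining why `ISTIO_META_ROUTER_MODE: sni-dnat` is required for the cluster-local gateway would also help, since the linked issue comment is the only justification.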
diff --git a/common/istio-1-17/profile.yaml b/common/istio-1-17/profile.yaml
new file mode 100644
index 0000000000..e812efccdb
--- /dev/null
+++ b/common/istio-1-17/profile.yaml
@@ -0,0 +1,161 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ base:
+ enabled: true
+ cni:
+ enabled: false
+ egressGateways:
+ - enabled: false
+ name: istio-egressgateway
+ ingressGateways:
+ - enabled: true
+ name: istio-ingressgateway
+ istiodRemote:
+ enabled: false
+ pilot:
+ enabled: true
+ hub: docker.io/istio
+ meshConfig:
+ defaultConfig:
+ proxyMetadata: {}
+ enablePrometheusMerge: true
+ profile: default
+ tag: 1.17.3
+ values:
+ base:
+ enableCRDTemplates: false
+ validationURL: ""
+ defaultRevision: ""
+ gateways:
+ istio-egressgateway:
+ autoscaleEnabled: true
+ env: {}
+ name: istio-egressgateway
+ secretVolumes:
+ - mountPath: /etc/istio/egressgateway-certs
+ name: egressgateway-certs
+ secretName: istio-egressgateway-certs
+ - mountPath: /etc/istio/egressgateway-ca-certs
+ name: egressgateway-ca-certs
+ secretName: istio-egressgateway-ca-certs
+ type: ClusterIP
+ istio-ingressgateway:
+ autoscaleEnabled: true
+ env: {}
+ name: istio-ingressgateway
+ secretVolumes:
+ - mountPath: /etc/istio/ingressgateway-certs
+ name: ingressgateway-certs
+ secretName: istio-ingressgateway-certs
+ - mountPath: /etc/istio/ingressgateway-ca-certs
+ name: ingressgateway-ca-certs
+ secretName: istio-ingressgateway-ca-certs
+ type: LoadBalancer
+ global:
+ configValidation: true
+ defaultNodeSelector: {}
+ defaultPodDisruptionBudget:
+ enabled: true
+ defaultResources:
+ requests:
+ cpu: 10m
+ imagePullPolicy: ""
+ imagePullSecrets: []
+ istioNamespace: istio-system
+ istiod:
+ enableAnalysis: false
+ jwtPolicy: third-party-jwt
+ logAsJson: false
+ logging:
+ level: default:info
+ meshNetworks: {}
+ mountMtlsCerts: false
+ multiCluster:
+ clusterName: ""
+ enabled: false
+ network: ""
+ omitSidecarInjectorConfigMap: false
+ oneNamespace: false
+ operatorManageWebhooks: false
+ pilotCertProvider: istiod
+ priorityClassName: ""
+ proxy:
+ autoInject: enabled
+ clusterDomain: cluster.local
+ componentLogLevel: misc:error
+ enableCoreDump: false
+ excludeIPRanges: ""
+ excludeInboundPorts: ""
+ excludeOutboundPorts: ""
+ image: proxyv2
+ includeIPRanges: '*'
+ logLevel: warning
+ privileged: false
+ readinessFailureThreshold: 30
+ readinessInitialDelaySeconds: 1
+ readinessPeriodSeconds: 2
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ statusPort: 15020
+ tracer: zipkin
+ proxy_init:
+ image: proxyv2
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ sds:
+ token:
+ aud: istio-ca
+ sts:
+ servicePort: 0
+ tracer:
+ datadog: {}
+ lightstep: {}
+ stackdriver: {}
+ zipkin: {}
+ useMCP: false
+ istiodRemote:
+ injectionURL: ""
+ pilot:
+ autoscaleEnabled: true
+ autoscaleMax: 5
+ autoscaleMin: 1
+ configMap: true
+ cpu:
+ targetAverageUtilization: 80
+ enableProtocolSniffingForInbound: true
+ enableProtocolSniffingForOutbound: true
+ env: {}
+ image: pilot
+ keepaliveMaxServerConnectionAge: 30m
+ nodeSelector: {}
+ podLabels: {}
+ replicaCount: 1
+ traceSampling: 1
+ telemetry:
+ enabled: true
+ v2:
+ enabled: true
+ metadataExchange:
+ wasmEnabled: false
+ prometheus:
+ enabled: true
+ wasmEnabled: false
+ stackdriver:
+ configOverride: {}
+ enabled: false
+ logging: false
+ monitoring: false
+ topology: false
+
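Review bot: `cni.enabled: false` means traffic redirection is done by the `istio-init` container (the `proxy_init` image below), which needs the `NET_ADMIN` and `NET_RAW` capabilities in every injected pod; that is incompatible with the restricted Pod Security Standard and gives each sidecar-injected Kubeflow workload a privileged init step. Consider enabling the CNI component, or at least document the capability requirement for injected namespaces. Two settings here also depend on other files in this PR and deserve a comment: `defaultPodDisruptionBudget.enabled: true` produces the PDBs that the disabled `remove-pdb.yaml` patch was meant to strip, and `global.proxy.tracer: zipkin` is only neutralised by the `istio-configmap-disable-tracing.yaml` patch, so removing that patch silently re-enables tracing.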
diff --git a/common/istio-1-17/split-istio-packages b/common/istio-1-17/split-istio-packages
new file mode 100755
index 0000000000..bc119aeea5
--- /dev/null
+++ b/common/istio-1-17/split-istio-packages
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+
+import sys
+import argparse
+import ruamel.yaml
+
+
+DESCRIPTION = """ Separate Istio YAML into separate components.
+
+Separate Istio YAML definitions into four separate components: crds, install
+and cluster-local-gateway.
+"""
+
+
+class YAMLEmitterNoVersionDirective(ruamel.yaml.emitter.Emitter):
+ """YAML Emitter that doesn't emit the YAML version directive."""
+
+ def write_version_directive(self, version_text):
+ """Disable emitting version directive, i.e., %YAML 1.1."""
+ pass
+
+
+class YAML(ruamel.yaml.YAML):
+ """Wrapper of the ruamel.yaml.YAML class with our custom settings."""
+
+ def __init__(self, *args, **kwargs):
+ super(YAML, self).__init__(*args, **kwargs)
+ # XXX: Explicitly set version for producing K8s compatible manifests.
+ # https://yaml.readthedocs.io/en/latest/detail.html#document-version-support
+ self.version = (1, 1)
+ # XXX: Do not emit version directive since tools might fail to
+ # parse manifests.
+ self.Emitter = YAMLEmitterNoVersionDirective
+
+
+yaml = YAML()
+
+
+def parse_args():
+ parser = argparse.ArgumentParser(
+ description=DESCRIPTION,
+ formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+ parser.add_argument("-f", "--manifest-file", type=str, required=True,
+ dest="manifest_file",
+ help="Istio YAML, generated by istioctl.")
+ return parser.parse_args()
+
+
+def main():
+ args = parse_args()
+ with open(args.manifest_file, "r") as f:
+ objects = [obj for obj in list(yaml.load_all(f)) if obj]
+ crds, install, cluster_local = [], [], []
+ for obj in objects:
+ if obj.get("kind") == "CustomResourceDefinition":
+ crds.append(obj)
+ elif (obj.get("metadata", {}).get("name", "").
+ startswith("cluster-local-gateway")):
+ cluster_local.append(obj)
+ else:
+ install.append(obj)
+
+ with open("crd.yaml", "w") as f:
+ yaml.dump_all(crds, f)
+ with open("install.yaml", "w") as f:
+ yaml.dump_all(install, f)
+ with open("cluster-local-gateway.yaml", "w") as f:
+ yaml.dump_all(cluster_local, f)
+
+
+if __name__ == "__main__":
+ sys.exit(main())
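Review bot: the `DESCRIPTION` docstring says "four separate components" but names three (crds, install, cluster-local-gateway), and `main()` writes exactly three files, so fix the count. The output names `crd.yaml`, `install.yaml` and `cluster-local-gateway.yaml` are hard-coded into the current working directory with no `--output-dir` option, so add a usage comment saying where the script is expected to be run from, and the `elif` that routes objects by a `metadata.name` prefix of `cluster-local-gateway` should say that any object without `metadata` falls through to `install`. Using ruamel's default round-trip loader for `load_all` is the safe choice for an istioctl-generated file, so nothing to change there.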
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index 3ba71d71e5..2657b0cb50 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
@@ -36,9 +36,9 @@ resources:
- ../common/cert-manager/cert-manager/base
- ../common/cert-manager/kubeflow-issuer/base
# Istio
-- ../common/istio-1-16/istio-crds/base
-- ../common/istio-1-16/istio-namespace/base
-- ../common/istio-1-16/istio-install/base
+- ../common/istio-1-17/istio-crds/base
+- ../common/istio-1-17/istio-namespace/base
+- ../common/istio-1-17/istio-install/base
# OIDC Authservice
- ../common/oidc-authservice/base
# Dex
@@ -46,13 +46,13 @@ resources:
# KNative
- ../common/knative/knative-serving/overlays/gateways
- ../common/knative/knative-eventing/base
-- ../common/istio-1-16/cluster-local-gateway/base
+- ../common/istio-1-17/cluster-local-gateway/base
# Kubeflow namespace
- ../common/kubeflow-namespace/base
# Kubeflow Roles
- ../common/kubeflow-roles/base
# Kubeflow Istio Resources
-- ../common/istio-1-16/kubeflow-istio-resources/base
+- ../common/istio-1-17/kubeflow-istio-resources/base
# Kubeflow Pipelines
diff --git a/hack/setup-kubeflow-light.sh b/hack/setup-kubeflow-light.sh
index 65785e079a..2f526f4381 100755
--- a/hack/setup-kubeflow-light.sh
+++ b/hack/setup-kubeflow-light.sh
@@ -30,9 +30,9 @@ sleep 5
kubectl wait --timeout=${TIMEOUT} -n cert-manager --all --for=condition=Ready pod
echo "Deploying Istio."
-kustomize build common/istio-1-16/istio-crds/base | kubectl apply -f -
-kustomize build common/istio-1-16/istio-namespace/base | kubectl apply -f -
-kustomize build common/istio-1-16/istio-install/base | kubectl apply -f -
+kustomize build common/istio-1-17/istio-crds/base | kubectl apply -f -
+kustomize build common/istio-1-17/istio-namespace/base | kubectl apply -f -
+kustomize build common/istio-1-17/istio-install/base | kubectl apply -f -
echo "Waiting for istio-system Pods to become ready..."
sleep 5
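Review bot: the three `kustomize build ... | kubectl apply -f -` lines apply the Istio CRDs and then immediately the namespace and install manifests, with the only pause (`sleep 5`) coming afterwards; if the CRDs are not yet established when `istio-install/base` is applied, the custom resources in it fail with "no matches for kind". Since these lines are being touched for the bump, consider adding a `kubectl wait --for=condition=Established crd --all --timeout=${TIMEOUT}` between the `istio-crds` and `istio-install` steps.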
@@ -50,7 +50,7 @@ do
done
kustomize build common/knative/knative-eventing/base | kubectl apply -f -
-kustomize build common/istio-1-16/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-1-17/cluster-local-gateway/base | kubectl apply -f -
echo "Waiting for knative-serving Pods to become ready..."
sleep 5
diff --git a/tests/gh-actions/install_istio.sh b/tests/gh-actions/install_istio.sh
index eb817a9bc0..e6cac8aba3 100755
--- a/tests/gh-actions/install_istio.sh
+++ b/tests/gh-actions/install_istio.sh
@@ -1,7 +1,7 @@
#!/bin/bash
set -e
echo "Installing Istio ..."
-cd common/istio-1-16
+cd common/istio-1-17
kustomize build istio-crds/base | kubectl apply -f -
kustomize build istio-namespace/base | kubectl apply -f -
kustomize build istio-install/base | kubectl apply -f -
\ No newline at end of file
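Review bot: `\ No newline at end of file` shows the script still ends without a trailing newline after `kustomize build istio-install/base | kubectl apply -f -`; as the file is already being edited for the version bump, add the newline so later appends and diffs stay clean.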
diff --git a/tests/gh-actions/install_knative.sh b/tests/gh-actions/install_knative.sh
index 5063704962..cf409a64c9 100755
--- a/tests/gh-actions/install_knative.sh
+++ b/tests/gh-actions/install_knative.sh
@@ -6,8 +6,8 @@ kustomize build common/knative/knative-serving/base | kubectl apply -f -
set -e
kustomize build common/knative/knative-serving/base | kubectl apply -f -
-kustomize build common/istio-1-16/cluster-local-gateway/base | kubectl apply -f -
-kustomize build common/istio-1-16/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio-1-17/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-1-17/kubeflow-istio-resources/base | kubectl apply -f -
kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 600s
kubectl patch cm config-domain --patch '{"data":{"example.com":""}}' -n knative-serving
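Review bot: the hunk header's context and the first context line after `set -e` are both `kustomize build common/knative/knative-serving/base | kubectl apply -f -`, which suggests knative-serving is applied twice, the first time before `set -e` takes effect; worth confirming whether the earlier apply is intentional. Separately, `kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 600s` cannot succeed if any Pod in the cluster is in a Completed state (finished Job pods never become Ready), so scoping the wait to `-n istio-system` and `-n knative-serving` would make the CI step less brittle.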
