APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

IstioSpec defines the desired state of Istio

IstioStatus defines the observed state of Istio

Namespace to which the Istio components should be installed. Note that this field is immutable.

The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable.

Defines the update strategy to use when the version in the Istio CR is updated.

Defines the values to be passed to the Helm charts when installing Istio.

Defines the version of Istio to install. Must be one of: v1.26-latest, v1.26.3, v1.24-latest, v1.24.6.

Defines how many seconds the operator should wait before removing a non-active revision after all the workloads have stopped using it. You may want to set this value on the order of minutes. The minimum is 0 and the default value is 30.

Type of strategy to use. Can be "InPlace" or "RevisionBased". When the "InPlace" strategy is used, the existing Istio control plane is updated in-place. The workloads therefore don't need to be moved from one control plane instance to another. When the "RevisionBased" strategy is used, a new Istio control plane instance is created for every change to the Istio.spec.version field. The old control plane remains in place until all workloads have been moved to the new control plane instance.

The "InPlace" strategy is the default. TODO: change default to "RevisionBased"

Defines whether the workloads should be moved from one control plane instance to another automatically. If updateWorkloads is true, the operator moves the workloads from the old control plane instance to the new one after the new control plane is ready. If updateWorkloads is false, the user must move the workloads manually by updating the istio.io/rev labels on the namespace and/or the pods. Defaults to false.

Configuration for the base component.

Specifies the compatibility version to use. When this is set, the control plane will be configured with the same defaults as the specified version.

The name of the default revision in the cluster. Deprecated: This field is ignored. The default revision is expected to be configurable elsewhere.

Specifies experimental helm fields that could be removed or changed in the future

Configuration for Gateway Classes

Global configuration for Istio components.

Configuration for istiod-remote. DEPRECATED - istiod-remote chart is removed and replaced with istio-discovery --set values.istiodRemote.enabled=true

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Defines runtime configuration of components, including Istiod and istio-agent behavior. See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options.

Configuration for the Pilot component.

Specifies which installation configuration profile to apply.

Identifies the revision this installation is associated with.

Configuration for the sidecar injector webhook.

Controls whether telemetry is exported for Pilot.

CRDs to exclude. Requires enableCRDTemplates

validation webhook CA bundle

URL to use for validating webhook.

Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows:

0 - Never scheduled
1 - Least preferred
2 - No preference
3 - Most preferred

Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

The address of the CA for CSR.

The name of the CA for workloads. For example, when caName=GkeWorkloadCertificate, GKE workload certificates will be used as the certificates for workloads. The default value is "" and when caName="", the CA will be configured by other mechanisms (e.g., environmental variable CA_PROVIDER).

List of certSigners to allow "approve" action in the ClusterRole

Controls whether a remote cluster is the config cluster for an external istiod

Controls whether the server-side validation is enabled.

Default k8s node selector for all the Istio control plane components

See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Specifies the default pod disruption budget configuration.

Default k8s resources settings for all Istio control plane components.

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Default node tolerations to be applied to all deployments so that all pods can be scheduled to nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Controls whether one external istiod is enabled.

Specifies the docker hub for Istio images.

Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.

More info: https://kubernetes.io/docs/concepts/containers/images#updating-images

ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. Must be set for any cluster configured with private docker registry.

Defines which IP family to use for single stack or the order of IP families for dual-stack. Valid list items are "IPv4", "IPv6". More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services

Controls whether Services are configured to use IPv4, IPv6, or both. Valid options are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services

Specifies the default namespace for the Istio control plane components.

Specifies the configution of istiod

Configure the policy for validating JWT. This is deprecated and has no effect.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Specifies whether istio components should output logs in json format by adding --log_as_json argument to each container.

Specifies the global logging level settings for the Istio control plane components.

The Mesh Identifier. It should be unique within the scope where meshes will interact with each other, but it is not required to be globally/universally unique. For example, if any of the following are true, then two meshes must have different Mesh IDs:

• Meshes will have their telemetry aggregated in one place
• Meshes will be federated together
• Policy will be written referencing one mesh from the other

If an administrator expects that any of these conditions may become true in the future, they should ensure their meshes have different Mesh IDs assigned.

Within a multicluster mesh, each cluster must be (manually or auto) configured to have the same Mesh ID value. If an existing cluster 'joins' a multicluster mesh, it will need to be migrated to the new mesh ID. Details of migration TBD, and it may be a disruptive operation to change the Mesh ID post-install.

If the mesh admin does not specify a value, Istio will use the value of the mesh's Trust Domain. The best practice is to select a proper Trust Domain value.

Configure the mesh networks to be used by the Split Horizon EDS.

The following example defines two networks with different endpoints association methods. For network1 all endpoints that their IP belongs to the provided CIDR range will be mapped to network1. The gateway for this network example is specified by its public IP address and port. The second network, network2, in this example is defined differently with all endpoints retrieved through the specified Multi-Cluster registry being mapped to network2. The gateway is also defined differently with the name of the gateway service on the remote cluster. The public IP for the gateway will be determined from that remote service (only LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, it still need to be configured manually).

meshNetworks:

network1:
  endpoints:
  - fromCidr: "192.168.0.1/24"
  gateways:
  - address: 1.1.1.1
    port: 80
network2:
  endpoints:
  - fromRegistry: reg1
  gateways:
  - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
    port: 443

Controls whether the in-cluster MTLS key and certs are loaded from the secret volume mounts.

Specifies the Configuration for Istio mesh across multiple clusters through Istio gateways.

Specifies whether native nftables rules should be used instead of iptables rules for traffic redirection.

Network defines the network this cluster belong to. This name corresponds to the networks in the map of mesh networks.

Settings related to Kubernetes NetworkPolicy.

Controls whether the creation of the sidecar injector ConfigMap should be skipped. Defaults to false. When set to true, the sidecar injector ConfigMap will not be created.

Controls whether the WebhookConfiguration resource(s) should be created. The current behavior of Istiod is to manage its own webhook configurations. When this option is set to true, Istio Operator, instead of webhooks, manages the webhook configurations. When this option is set as false, webhooks manage their own webhook configurations.

Configure the Pilot certificate provider. Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none".

Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" An empty value means it is a vanilla Kubernetes distribution, therefore no special treatment will be considered.

Custom DNS config for the pod to resolve names of services in other clusters. Use this to add additional search domains, and other settings. see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config This does not apply to gateway pods as they typically need a different set of DNS settings than the normal application pods (e.g. in multicluster scenarios).

Specifies the k8s priorityClassName for the istio control plane components.

See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Specifies how proxies are configured within Istio.

Specifies the Configuration for proxy_init container which sets the pods' networking to intercept the inbound/outbound traffic.

Specifies the Istio control plane’s pilot Pod IP address or remote cluster DNS resolvable hostname.

Configures the revision this control plane is a part of

Specifies the Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates.

Specifies the configuration for Security Token Service.

Specifies the tag for the Istio docker images.

Specifies the Configuration for each of the supported tracers.

Select a custom name for istiod's CA Root Cert ConfigMap.

The variant of the Istio container images to use. Options are "debug" or "distroless". Unset will use the default for the given version.

Specifies how waypoints are configured within Istio.

Sets pod scheduling weight for amd64 arch

Sets pod scheduling weight for arm64 arch.

Sets pod scheduling weight for ppc64le arch.

Sets pod scheduling weight for s390x arch.

Controls whether a PodDisruptionBudget with a default minAvailable value of 1 is created for each deployment.

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

If enabled, istiod will perform config analysis

Comma-separated minimum per-scope logging level of messages to output, in the form of :,: The control plane has different scopes depending on component, but can configure default log level across all components If empty, default scope and level will be used as configured in code

The name of the cluster this installation will run in. This is required for sidecar injection to properly label proxies

Enables the connection between two kubernetes clusters via their respective ingressgateway services. Use if the pods in each cluster cannot directly talk to one another.

The suffix for global service names.

Enable envoy filter to translate globalDomainSuffix to cluster local suffix for cross cluster communication.

Controls whether default NetworkPolicy resources will be created.

Controls the 'policy' in the sidecar injector.

Domain for the cluster, default: "cluster.local".

K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/

Per Component log level for proxy, applies to gateways and sidecars.

If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.

Enables core dumps for newly injected sidecars.

If set, newly injected sidecars will have core dumps enabled.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Lists the excluded IP ranges of Istio egress traffic that the sidecar captures.

Specifies the Istio ingress ports not to capture.

A comma separated list of outbound ports to be excluded from redirection to Envoy.

Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready

Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Image name or path for the proxy, default: "proxyv2".

If registry or tag are not specified, global.hub and global.tag are used.

Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0

Lists the IP ranges of Istio egress traffic that the sidecar captures.

Example: "172.30.0.0/16,172.20.0.0/16" This would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar."

A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports.

A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.

The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off

Path to the file to which the proxy will write outlier detection logs.

Example: "/dev/stdout" This would write the logs to standard output.

Enables privileged securityContext for the istio-proxy container.

See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

Sets the number of successive failed probes before indicating readiness failure.

Sets the initial delay for readiness probes in seconds.

Sets the interval between readiness probes in seconds.

K8s resources settings.

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Configures the startup probe for the istio-proxy container.

Default port used for the Pilot agent's health checks.

Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.

PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

StopSignal defines which signal will be sent to a container when it is being stopped. If not specified, the default is defined by the container runtime in use. StopSignal can only be set for Pods with a non-empty .spec.os.name

Exec specifies a command to execute in the container.

HTTPGet specifies an HTTP GET request to perform.

Sleep represents a duration that the container should sleep.

Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward compatibility. There is no validation of this field and lifecycle hooks will fail at runtime when it is specified.

Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

Custom headers to set in the request. HTTP allows repeated headers.

Path to access on the HTTP server.

Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

Scheme to use for connecting to the host. Defaults to HTTP.

The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.

The header field value

Seconds is the number of seconds to sleep.

Optional: Host name to connect to, defaults to the pod IP.

Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

Exec specifies a command to execute in the container.

HTTPGet specifies an HTTP GET request to perform.

Sleep represents a duration that the container should sleep.

Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward compatibility. There is no validation of this field and lifecycle hooks will fail at runtime when it is specified.

Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

Custom headers to set in the request. HTTP allows repeated headers.

Path to access on the HTTP server.

Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

Scheme to use for connecting to the host. Defaults to HTTP.

The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.

The header field value

Seconds is the number of seconds to sleep.

Optional: Host name to connect to, defaults to the pod IP.

Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

Enables or disables a startup probe. For optimal startup times, changing this should be tied to the readiness probe values.

If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), and doesn't spam the readiness endpoint too much

If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.

Minimum consecutive failures for the probe to be considered failed after having succeeded.

Specifies the image for the proxy_init container.

K8s resources settings.

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

Configuration for the datadog tracing service.

Configuration for the lightstep tracing service.

Configuration for the stackdriver tracing service.

Configuration for the zipkin tracing service.

Address in host:port format for reporting trace data to the Datadog agent.

Sets the lightstep access token.

Sets the lightstep satellite pool address in host:port format for reporting trace data.

enables trace output to stdout.

The global default max number of annotation events per span.

The global default max number of attributes per span.

The global default max number of message events per span.

Address of zipkin instance in host:port format for reporting trace data.

Example: .:941

K8s affinity settings for waypoint pods.

See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity

K8s node labels settings.

See https://kubernetes.io/docs/user-guide/node-selection/

K8s resource settings.

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

K8s tolerations settings.

See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

K8s topology spread constraints settings.

See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/

Describes node affinity scheduling rules for the pod.

Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).

Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.

If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.

A node selector term, associated with the corresponding weight.

Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.

A list of node selector requirements by node's labels.

A list of node selector requirements by node's fields.

The label key that the selector applies to.

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.

The label key that the selector applies to.

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.

Required. A list of node selector terms. The terms are ORed.

A list of node selector requirements by node's labels.

A list of node selector requirements by node's fields.

The label key that the selector applies to.

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.

The label key that the selector applies to.

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.

Required. A pod affinity term, associated with the corresponding weight.

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key in (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.

MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key notin (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.

A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key in (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.

MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key notin (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.

A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.

Required. A pod affinity term, associated with the corresponding weight.

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key in (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.

MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key notin (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.

A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key in (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.

MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key notin (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.

A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

Required. A list of node selector terms. The terms are ORed.

A list of node selector requirements by node's labels.

A list of node selector requirements by node's fields.

The label key that the selector applies to.

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.

The label key that the selector applies to.

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.

MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot be set when LabelSelector isn't set. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.

This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).

MaxSkew describes the degree to which pods may be unevenly distributed. When whenUnsatisfiable=DoNotSchedule, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1. | zone1 | zone2 | zone3 | | P P | P P | P |

• if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1).
• if MaxSkew is 2, incoming pod can be scheduled onto any zone. When whenUnsatisfiable=ScheduleAnyway, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.

MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won't schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule.

For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew.

NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are:

• Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
• Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.

If this value is nil, the behavior is equivalent to the Honor policy.

NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are:

• Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included.
• Ignore: node taints are ignored. All nodes are included.

If this value is nil, the behavior is equivalent to the Ignore policy.

TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each <key, value> as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's a required field.

WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint.

• DoNotSchedule (default) tells the scheduler not to schedule it.
• ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it more imbalanced. It's a required field.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

Indicates if this cluster/install should consume a "remote" istiod instance,

If true, indicates that this cluster/install should consume a "local istiod" installation, local istiod inject sidecars

injector ca bundle

Path to use for the sidecar injector webhook service.

URL to use for sidecar injector webhook.

Encoding for the proxy access log (TEXT or JSON). Default value is TEXT.

File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.

Format for the proxy access log Empty value results in proxy's default access log format

If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA using the Istio CA gRPC API.

The extra root certificates for workload-to-workload communication. The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.

Configure the provision of certificates.

Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

ConfigSource describes a source of configuration data for networking rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane.

Connection timeout used by Envoy. (MUST be >=1ms) Default timeout is 10s.

Default proxy config used by gateway and sidecars. In case of Kubernetes, the proxy config is applied once during the injection process, and remain constant for the duration of the pod. The rest of the mesh config can be changed at runtime and config gets distributed dynamically. On Kubernetes, this can be overridden on individual pods with the proxy.istio.io/config annotation.

The default value for the DestinationRule.exportTo field. Has the same syntax as defaultServiceExportTo.

If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces

Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors:

"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes".

Setting the number of attempts to 0 disables retry policy globally. This setting can be overridden on a per-host basis using the Virtual Service API. All settings in the retry policy except perTryTimeout can currently be configured globally via this field.

Specifies extension providers to use by default in Istio configuration resources.

The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are:

* - All Namespaces
. - Current Namespace
~ - No Namespace

If not set the system will use "*" as the default value which implies that services are exported to all namespaces.

All namespaces is a reasonable default for implementations that don't need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default Current namespace so that services are only visible within their own namespaces by default. Operators can then expand the visibility of services to other namespaces as needed. Use of No Namespace is expected to be rare but can have utility for deployments where dependency management needs to be precise even within the scope of a single namespace.

For further discussion see the reference documentation for ServiceEntry, Sidecar, and Gateway.

The default value for the VirtualService.exportTo field. Has the same syntax as defaultServiceExportTo.

If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces

This flag disables Envoy Listener logs. See Listener Access Log Istio Enables Envoy's listener access logs on "NoRoute" response flag. Default value is false.

A list of Kubernetes selectors that specify the set of namespaces that Istio considers when computing configuration updates for sidecars. This can be used to reduce Istio's computational load by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. If omitted, Istio will use the default behavior of processing all namespaces in the cluster. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. The following example selects any namespace that matches either below:

1. The namespace has both of these labels: env: prod and region: us-east1
2. The namespace has label app equal to cassandra or spark.

discoverySelectors:
  - matchLabels:
    env: prod
    region: us-east1
  - matchExpressions:
  - key: app
    operator: In
    values:
  - cassandra
  - spark

Refer to the Kubernetes selector docs for additional detail on selector semantics.

Configures DNS refresh rate for Envoy clusters of type STRICT_DNS Default refresh rate is 60s.

This flag is used to enable mutual TLS automatically for service to service communication within the mesh, default true. If set to true, and a given service does not have a corresponding DestinationRule configured, or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side TLS configuration appropriately. More specifically, If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate for mutual TLS to connect to upstream. If upstream service is in plain text mode, use plain text. If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use mutual TLS when server sides are capable of accepting mutual TLS traffic. If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.

This flag enables Envoy's gRPC Access Log Service. See Access Log Service for details about Envoy's gRPC Access Log Service API. Default value is false.

If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. This relies on the annotations prometheus.io/scrape, prometheus.io/port, and prometheus.io/path annotations. If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. In this case, it is recommended to disable aggregation on that deployment with the prometheus.istio.io/merge-metrics: "false" annotation. If not specified, this will be enabled by default.

Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.

Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system.

Specify if http1.1 connections should be upgraded to http2 by default. if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE. It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.

Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>. For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.

A Pattern can be composed of various pre-defined variables. The following variables are supported.

• %SERVICE% - Will be substituted with short hostname of the service.
• %SERVICE_NAME% - Will be substituted with name of the service.
• %SERVICE_FQDN% - Will be substituted with FQDN of the service.
• %SERVICE_PORT% - Will be substituted with port of the service.
• %TARGET_PORT% - Will be substituted with the target port of the service.
• %SERVICE_PORT_NAME% - Will be substituted with port name of the service.

Following are some examples of supported patterns for reviews:

• %SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
• %SERVICE% will use reviews.prod as the stats name.

Set the default behavior of the sidecar for handling inbound traffic to the application. If your application listens on localhost, you will need to set this to LOCALHOST.

Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of kubernetes.io/ingress.class annotation.

Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is STRICT.

Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR. By default, ingressgateway is used, which will select the default IngressGateway as it has the istio: ingressgateway labels. It is recommended that this is the same value as ingressService.

Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value istio-ingressgateway is used.

Locality based load balancing distribution or failover settings. If unspecified, locality based load balancing will be enabled by default. However, this requires outlierDetection to actually take effect for a particular service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/

The below configuration parameters can be used to specify TLSConfig for mesh traffic. For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:

meshConfig:

	meshMTLS:
	  minProtocolVersion: TLSV1_3
	tlsDefaults:
	  Note: applicable only for non ISTIO_MUTUAL scenarios
	  ecdhCurves:
	    - P-256
	    - P-512

Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.

Note: Mesh mTLS does not respect ECDH curves.

Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>. For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.

A Pattern can be composed of various pre-defined variables. The following variables are supported.

• %SERVICE% - Will be substituted with short hostname of the service.
• %SERVICE_NAME% - Will be substituted with name of the service.
• %SERVICE_FQDN% - Will be substituted with FQDN of the service.
• %SERVICE_PORT% - Will be substituted with port of the service.
• %SERVICE_PORT_NAME% - Will be substituted with port name of the service.
• %SUBSET_NAME% - Will be substituted with subset.

Following are some examples of supported patterns for reviews:

• %SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
• %SERVICE% will use reviews.prod as the stats name.

Set the default behavior of the sidecar for handling outbound traffic from the application.

Can be overridden at a Sidecar level by setting the OutboundTrafficPolicy in the Sidecar API.

Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.

ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are normalized by the sidecars and gateways. The normalized paths will be used in all aspects through the requests' lifetime on the sidecars and gateways, which includes routing decisions in outbound direction (client proxy), authorization policy match and enforcement in inbound direction (server proxy), and the URL path proxied to the upstream service. If not set, the NormalizationType.DEFAULT configuration will be used.

Automatic protocol detection uses a set of heuristics to determine whether the connection is using TLS or not (on the server side), as well as the application protocol being used (e.g., http vs tcp). These heuristics rely on the client sending the first bits of data. For server first protocols like MySQL, MongoDB, etc. Envoy will timeout on the protocol detection after the specified period, defaulting to non mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait for the client to send the first bits of data. (MUST be >=1ms or 0s to disable). Default detection timeout is 0s (no timeout).

Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit occasionally, and when they occur the result is typically broken traffic that may not recover on its own. Exceptionally high values might solve this, but injecting 60s delays onto new connections is generally not tenable anyways.

Port on which Envoy should listen for HTTP PROXY requests if set.

Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. Default port is 15006.

Port on which Envoy should listen for all outbound traffic to other services. Default port is 15001.

The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace.

The precise semantics of this processing are documented on each resource type.

Scope to be applied to select services.

Settings to be applied to select services.

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.

The trust domain corresponds to the trust root of a system. Refer to SPIFFE-ID

The trust domain aliases represent the aliases of trustDomain. For example, if we have

trustDomain: td1
trustDomainAliases: ["td2", "td3"]

Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

VerifyCertificateAtClient sets the mesh global default for peer certificate validation at the client-side proxy when SIMPLE TLS or MUTUAL TLS (non ISTIO_MUTUAL) origination modes are used. This setting can be overridden at the host level via DestinationRule API. By default, VerifyCertificateAtClient is true.

CaCertificates: If set, proxy verifies CA signature based on given CaCertificates. If unset, and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and VerifyCertificateAtClient is false, proxy will not verify the CA.

SubjectAltNames: If set, proxy verifies subject alt names are present in the SAN. If unset, and VerifyCertificateAtClient is true, proxy uses host in destination rule to verify the SANs. If unset, and VerifyCertificateAtClient is false, proxy does not verify SANs.

For SAN, client-side proxy will exact match host in DestinationRule as well as one level wildcard if the specified host in DestinationRule doesn't contain a wildcard. For example, if the host in DestinationRule is x.y.com, client-side proxy will match either x.y.com or *.y.com for the SAN in the presented server certificate. For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example, if host is *.x.y.com, client-side proxy will verify the presented server certificate SAN matches .x.y.com suffix.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true

timeout for forward CSR requests from Istiod to External CA Default: 10s

Use the tlsSettings to specify the tls mode to use. Regarding tlsSettings:

• DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing
• TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate.

OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will verify the server's certificate using the OS CA certificates. Should be empty if mode is ISTIO_MUTUAL.

OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate. CRL is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. If omitted, the proxy will not verify the certificate against the crl. Note that if credentialName is set, CRL cannot be specified using caCrl, rather it has to be specified inside the credential.

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

The name of the secret that holds the TLS certs for the client including the CA certificates. This secret must exist in the namespace of the proxy using the certificates. An Opaque secret should contain the following keys and values: key: <privateKey>, cert: <clientCert>, cacert: <CACertificate>, crl: <certificateRevocationList> Here CACertificate is used to verify the server certificate. For mutual TLS, cacert: <CACertificate> can be provided in the same secret or a separate secret named <secret>-cacert. A TLS secret for client certificates with an additional ca.crt key for CA certificates and ca.crl key for certificate revocation list(CRL) is also supported. Only one of client certificates and CA certificate or credentialName can be specified.

NOTE: This field is applicable at sidecars only if DestinationRule has a workloadSelector specified. Otherwise the field will be applicable only at gateways, and sidecars will continue to use the certificate paths.

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subjectAltNames from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header.

when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

The PEM data of the certificate.

The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint.

Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.

The DNS names for the certificate. A certificate may contain multiple DNS names.

Name of the secret the certificate and its key will be stored into. If it is empty, it will not be stored into a secret. Instead, the certificate and its key will be stored into a hard-coded directory.

Address of the server implementing the Istio Mesh Configuration protocol (MCP). Can be IP address or a fully qualified DNS name. Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or fs:/// to specify a file-based backend with absolute path to the directory.

Describes the source of configuration, if nothing is specified default is MCP

Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will verify the server's certificate using the OS CA certificates. Should be empty if mode is ISTIO_MUTUAL.

OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate. CRL is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. If omitted, the proxy will not verify the certificate against the crl. Note that if credentialName is set, CRL cannot be specified using caCrl, rather it has to be specified inside the credential.

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

The name of the secret that holds the TLS certs for the client including the CA certificates. This secret must exist in the namespace of the proxy using the certificates. An Opaque secret should contain the following keys and values: key: <privateKey>, cert: <clientCert>, cacert: <CACertificate>, crl: <certificateRevocationList> Here CACertificate is used to verify the server certificate. For mutual TLS, cacert: <CACertificate> can be provided in the same secret or a separate secret named <secret>-cacert. A TLS secret for client certificates with an additional ca.crt key for CA certificates and ca.crl key for certificate revocation list(CRL) is also supported. Only one of client certificates and CA certificate or credentialName can be specified.

NOTE: This field is applicable at sidecars only if DestinationRule has a workloadSelector specified. Otherwise the field will be applicable only at gateways, and sidecars will continue to use the certificate paths.

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subjectAltNames from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header.

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

Path to the proxy binary

The PEM data of the extra root certificates for workload-to-workload communication. This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) are added automatically by Istiod.

The number of worker threads to run. If unset, which is recommended, this will be automatically determined based on CPU requests/limits. If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance issues if CPU limits are also set.

Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory.

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. Default is set to MUTUAL_TLS.

File path of custom proxy configuration, currently used by proxies in front of istiod.

Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

restart. MUST be >=1s (e.g., 1s/1m/1h) Default drain duration is 45s.

Address of the service to which access logs from Envoys should be sent. (e.g. accesslog-service:15000). See Access Log Service for details about Envoy's gRPC Access Log Service API.

Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). See Metric Service for details about Envoy's Metrics Service API.

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics. Deprecated: istio.stats is a native filter now, this field is no longer needed.

Topology encapsulates the configuration which describes where the proxy is located i.e. behind a (or N) trusted proxy (proxies) or directly exposed to the internet. This configuration only effects gateways and is applied to all the gateways in the cluster unless overridden via annotations of the gateway workloads.

Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. This feature adds hooks to delay application startup until the pod proxy is ready to accept traffic, mitigating some startup race conditions. Default value is 'false'.

Specifies the details of the proxy image.

The mode used to redirect inbound traffic to Envoy.

The unique identifier for the service mesh All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.

Port on which Envoy should listen for administrative commands. Default port is 15000.

Path to the proxy bootstrap template file

Define the set of headers to add/modify for HTTP request/responses.

To enable an optional header, simply set the field. If no specific configuration is required, an empty object ({}) will enable it. Note: currently all headers are enabled by default.

Below shows an example of customizing the server header and disabling the X-Envoy-Attempt-Count header:

proxyHeaders:

	server:
	  value: "my-custom-server"
	# Explicitly enable Request IDs.
	# As this is the default, this has no effect.
	requestId: {}
	attemptCount:
	  disabled: true

Below shows an example of preserving the header case for HTTP 1.x requests

proxyHeaders:

	preserveHttp1HeaderCase: true

Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:

proxyHeaders:

	forwardedClientCert: SANITIZE
	server:
	  disabled: true
	requestId:
	  disabled: true
	attemptCount:
	  disabled: true
	envoyDebugHeaders:
	  disabled: true
	metadataExchangeHeaders:
	  mode: IN_MESH

Additional environment variables for the proxy. Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

Proxy stats matcher defines configuration for reporting custom Envoy stats. To reduce memory and CPU overhead from Envoy stats system, Istio proxies by default create and expose only a subset of Envoy stats. This option is to control creation of additional Envoy stats with prefix, suffix, and regex expressions match on the name of the stats. This replaces the stats inclusion annotations (sidecar.istio.io/statsInclusionPrefixes, sidecar.istio.io/statsInclusionRegexps, and sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats for circuit breakers, request retries, upstream connections, and request timeouts, you can specify stats matcher as follows:

proxyStatsMatcher:

	inclusionRegexps:
	  - .*outlier_detection.*
	  - .*upstream_rq_retry.*
	  - .*upstream_cx_.*
	inclusionSuffixes:
	  - upstream_rq_timeout

Note including more Envoy stats might increase number of time series collected by prometheus significantly. Care needs to be taken on Prometheus resource provision and configuration to reduce cardinality.

VM Health Checking readiness probe. This health check config exactly mirrors the kubernetes readiness probe configuration both in schema and logic. Only one health check method of 3 can be set at a time.

Envoy runtime configuration to set during bootstrapping. This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

Secret Discovery Service(SDS) configuration to be used by the proxy.

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

Service cluster defines the name for the service_cluster that is shared by all Envoy instances. This setting corresponds to --service-cluster flag in Envoy. In a typical Envoy deployment, the service-cluster flag is used to identify the caller, for source-based routing scenarios.

Since Istio does not assign a local service/service version to each Envoy instance, the name is same for all of them. However, the source/caller's identity (e.g., IP address) is encoded in the --service-node flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the service-node flag to compute routes that are relative to the service instances located at that IP address.

Maximum length of name field in Envoy's metrics. The length of the name field is determined by the length of a name field in a service and the set of labels that comprise a particular version of the service. The default value is set to 189 characters. Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.

IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port 15020.

The amount of time allowed for connections to complete on proxy shutdown. On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then sleeps for the terminationDrainDuration and then kills any remaining active Envoy processes. If not set, a default of 5s will be applied.

Tracing configuration to be used by the proxy.

Used by Envoy proxies to assign the values for the service names in trace spans.

Address of the Zipkin service (e.g. zipkin:9411). DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

Use the tlsSettings to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)

Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)

The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)

OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will verify the server's certificate using the OS CA certificates. Should be empty if mode is ISTIO_MUTUAL.

OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate. CRL is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. If omitted, the proxy will not verify the certificate against the crl. Note that if credentialName is set, CRL cannot be specified using caCrl, rather it has to be specified inside the credential.

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

The name of the secret that holds the TLS certs for the client including the CA certificates. This secret must exist in the namespace of the proxy using the certificates. An Opaque secret should contain the following keys and values: key: <privateKey>, cert: <clientCert>, cacert: <CACertificate>, crl: <certificateRevocationList> Here CACertificate is used to verify the server certificate. For mutual TLS, cacert: <CACertificate> can be provided in the same secret or a separate secret named <secret>-cacert. A TLS secret for client certificates with an additional ca.crt key for CA certificates and ca.crl key for certificate revocation list(CRL) is also supported. Only one of client certificates and CA certificate or credentialName can be specified.

NOTE: This field is applicable at sidecars only if DestinationRule has a workloadSelector specified. Otherwise the field will be applicable only at gateways, and sidecars will continue to use the certificate paths.

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subjectAltNames from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header.

Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

Use the tlsSettings to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)

Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)

The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)

OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will verify the server's certificate using the OS CA certificates. Should be empty if mode is ISTIO_MUTUAL.

OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate. CRL is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. If omitted, the proxy will not verify the certificate against the crl. Note that if credentialName is set, CRL cannot be specified using caCrl, rather it has to be specified inside the credential.

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

The name of the secret that holds the TLS certs for the client including the CA certificates. This secret must exist in the namespace of the proxy using the certificates. An Opaque secret should contain the following keys and values: key: <privateKey>, cert: <clientCert>, cacert: <CACertificate>, crl: <certificateRevocationList> Here CACertificate is used to verify the server certificate. For mutual TLS, cacert: <CACertificate> can be provided in the same secret or a separate secret named <secret>-cacert. A TLS secret for client certificates with an additional ca.crt key for CA certificates and ca.crl key for certificate revocation list(CRL) is also supported. Only one of client certificates and CA certificate or credentialName can be specified.

NOTE: This field is applicable at sidecars only if DestinationRule has a workloadSelector specified. Otherwise the field will be applicable only at gateways, and sidecars will continue to use the certificate paths.

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subjectAltNames from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header.

Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) header in the incoming request.

Number of trusted proxies deployed in front of the Istio gateway proxy. When this option is set to value N greater than zero, the trusted client address is assumed to be the Nth address from the right end of the X-Forwarded-For (XFF) header from the incoming request. If the X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the gateway proxy falls back to using the immediate downstream connection's source address as the trusted client address. Note that the gateway proxy will append the downstream connection's source address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. The default value of numTrustedProxies is 0. See Envoy XFF header handling for more details.

Enables PROXY protocol for downstream connections on a gateway.

The image type of the image. Istio publishes default, debug, and distroless images. Other values are allowed if those image types (example: centos) are published to the specified hub. supported values: default, debug, distroless.

Use CryptoMb private key provider

Use QAT private key provider

If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) Envoy will fallback to the BoringSSL default implementation when the fallback is true. The default value is false.

How long to wait until the per-thread processing queue should be processed. If the processing queue gets full (eight sign or decrypt requests are received) it is processed immediately. However, if the queue is not filled before the delay has expired, the requests already in the queue are processed, even if the queue is not full. In effect, this value controls the balance between latency and throughput. The duration needs to be set to a value greater than or equal to 1 millisecond.

If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) Envoy will fallback to the BoringSSL default implementation when the fallback is true. The default value is false.

How long to wait before polling the hardware accelerator after a request has been submitted there. Having a small value leads to quicker answers from the hardware but causes more polling loop spins, leading to potentially larger CPU usage. The duration needs to be set to a value greater than or equal to 1 millisecond.

Controls the X-Envoy-Attempt-Count header. If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. If disabled, this header will not be set. If it is already present, it will be preserved. This header is enabled by default if not configured.

Controls various X-Envoy-* headers, such as X-Envoy-Overloaded and X-Envoy-Upstream-Service-Time. If enabled, these headers will be included. If disabled, these headers will not be set. If they are already present, they will be preserved. See the Envoy documentation for more details. These headers are enabled by default if not configured.

Controls the X-Forwarded-Client-Cert header for inbound sidecar requests. To set this on gateways, use the Topology setting. To disable the header, configure either SANITIZE (to always remove the header, if present) or FORWARD_ONLY (to leave the header as-is). By default, APPEND_FORWARD will be used.

Controls Istio metadata exchange headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id. By default, the behavior is unspecified. If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.

When true, the original case of HTTP/1.x headers will be preserved as they pass through the proxy, rather than normalizing them to lowercase. This field is particularly useful for applications that require case-sensitive headers for interoperability with downstream systems or APIs that expect specific casing. The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2 requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2 standards.

Controls the X-Request-Id header. If enabled, a request ID is generated for each request if one is not already set. This applies to all types of traffic (inbound, outbound, and gateways). If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. This header is enabled by default if not configured.

Controls the server header. If enabled, the Server: istio-envoy header is set in response headers for inbound traffic (including gateways). If disabled, the Server header is not modified. If it is already present, it will be preserved.

This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in the client certificate to be forwarded. Note that Hash is always set, and By is always set when the client certificate presents the URI type Subject Alternative Name value.

Controls the X-Forwarded-Host header. If enabled, the X-Forwarded-Host header is appended with the original host when it is rewritten. This header is disabled by default.

Controls the X-Forwarded-Port header. If enabled, the X-Forwarded-Port header is header with the port value client used to connect to Envoy. It will be ignored if the “x-forwarded-port“ header has been set by any trusted proxy in front of Envoy. This header is disabled by default.

If set, and the server header is enabled, this value will be set as the server header. By default, istio-envoy will be used.

Whether to forward the entire client cert in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Cert="PEM". Defaults to false.

Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Chain="PEM". Defaults to false.

Whether to forward the DNS type Subject Alternative Names of the client cert. Defaults to true.

Whether to forward the subject of the client cert. Defaults to true.

Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to true.

Proxy stats name prefix matcher for inclusion.

Proxy stats name regexps matcher for inclusion.

Proxy stats name suffix matcher for inclusion.

Exec specifies a command to execute in the container.

Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

GRPC specifies a GRPC HealthCheckRequest.

HTTPGet specifies an HTTP GET request to perform.

Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.

Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.

TCPSocket specifies a connection to a TCP port.

Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.

Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

Port number of the gRPC service. Number must be in the range 1 to 65535.

Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).

If this is not specified, the default behavior is defined by gRPC.