English

Service Mesh Operator API

Istio

sailoperator.io group

Istio represents an Istio Service Mesh deployment consisting of one or more control plane instances (represented by one or more IstioRevision objects). To deploy an Istio Service Mesh, a user creates an Istio object with the desired Istio version and configuration. The operator then creates an IstioRevision object, which in turn creates the underlying Deployment objects for istiod and other control plane components, similar to how a Deployment object in Kubernetes creates ReplicaSets that create the Pods.

v1 version

spec object

IstioSpec defines the desired state of Istio

namespace string required

Namespace to which the Istio components should be installed. Note that this field is immutable.

profile string

The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable.

updateStrategy object

Defines the update strategy to use when the version in the Istio CR is updated.

inactiveRevisionDeletionGracePeriodSeconds integer

Defines how many seconds the operator should wait before removing a non-active revision after all the workloads have stopped using it. You may want to set this value on the order of minutes. The minimum is 0 and the default value is 30.

type string

Type of strategy to use. Can be "InPlace" or "RevisionBased". When the "InPlace" strategy is used, the existing Istio control plane is updated in-place. The workloads therefore don't need to be moved from one control plane instance to another. When the "RevisionBased" strategy is used, a new Istio control plane instance is created for every change to the Istio.spec.version field. The old control plane remains in place until all workloads have been moved to the new control plane instance.

The "InPlace" strategy is the default. TODO: change default to "RevisionBased"

updateWorkloads boolean

Defines whether the workloads should be moved from one control plane instance to another automatically. If updateWorkloads is true, the operator moves the workloads from the old control plane instance to the new one after the new control plane is ready. If updateWorkloads is false, the user must move the workloads manually by updating the istio.io/rev labels on the namespace and/or the pods. Defaults to false.

values object

Defines the values to be passed to the Helm charts when installing Istio.

base object

Configuration for the base component.

excludedCRDs []string

CRDs to exclude. Requires enableCRDTemplates

validationCABundle string

validation webhook CA bundle

validationURL string

URL to use for validating webhook.

compatibilityVersion string

Specifies the compatibility version to use. When this is set, the control plane will be configured with the same defaults as the specified version.

defaultRevision string

The name of the default revision in the cluster. Deprecated: This field is ignored. The default revision is expected to be configurable elsewhere.

experimental

Specifies experimental helm fields that could be removed or changed in the future

gatewayClasses string

Configuration for Gateway Classes

global object

Global configuration for Istio components.

arch object

Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows:

0 - Never scheduled
1 - Least preferred
2 - No preference
3 - Most preferred

Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

amd64 integer

Sets pod scheduling weight for amd64 arch

arm64 integer

Sets pod scheduling weight for arm64 arch.

ppc64le integer

Sets pod scheduling weight for ppc64le arch.

s390x integer

Sets pod scheduling weight for s390x arch.

caAddress string

The address of the CA for CSR.

caName string

The name of the CA for workloads. For example, when caName=GkeWorkloadCertificate, GKE workload certificates will be used as the certificates for workloads. The default value is "" and when caName="", the CA will be configured by other mechanisms (e.g., environmental variable CA_PROVIDER).

certSigners []string

List of certSigners to allow "approve" action in the ClusterRole

configCluster boolean

Controls whether a remote cluster is the config cluster for an external istiod

configValidation boolean

Controls whether the server-side validation is enabled.

defaultNodeSelector object

Default k8s node selector for all the Istio control plane components

See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

defaultPodDisruptionBudget object

Specifies the default pod disruption budget configuration.

enabled boolean

Controls whether a PodDisruptionBudget with a default minAvailable value of 1 is created for each deployment.

defaultResources object

Default k8s resources settings for all Istio control plane components.

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

claims []object

ResourceClaim references one entry in PodSpec.ResourceClaims.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

defaultTolerations []object

The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator .

effect string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

key string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

operator string

Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

tolerationSeconds integer

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

value string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

externalIstiod boolean

Controls whether one external istiod is enabled.

hub string

Specifies the docker hub for Istio images.

imagePullPolicy string

Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.

More info: https://kubernetes.io/docs/concepts/containers/images#updating-images

imagePullSecrets []string

ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. Must be set for any cluster configured with private docker registry.

ipFamilies []string

Defines which IP family to use for single stack or the order of IP families for dual-stack. Valid list items are "IPv4", "IPv6". More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services

ipFamilyPolicy string

Controls whether Services are configured to use IPv4, IPv6, or both. Valid options are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services

istioNamespace string

Specifies the default namespace for the Istio control plane components.

istiod object

Specifies the configution of istiod

enableAnalysis boolean

If enabled, istiod will perform config analysis

jwtPolicy string

Configure the policy for validating JWT. This is deprecated and has no effect.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

logAsJson boolean

Specifies whether istio components should output logs in json format by adding --log_as_json argument to each container.

logging object

Specifies the global logging level settings for the Istio control plane components.

level string

Comma-separated minimum per-scope logging level of messages to output, in the form of :,: The control plane has different scopes depending on component, but can configure default log level across all components If empty, default scope and level will be used as configured in code

meshID string

The Mesh Identifier. It should be unique within the scope where meshes will interact with each other, but it is not required to be globally/universally unique. For example, if any of the following are true, then two meshes must have different Mesh IDs:

Meshes will have their telemetry aggregated in one place
Meshes will be federated together
Policy will be written referencing one mesh from the other

If an administrator expects that any of these conditions may become true in the future, they should ensure their meshes have different Mesh IDs assigned.

Within a multicluster mesh, each cluster must be (manually or auto) configured to have the same Mesh ID value. If an existing cluster 'joins' a multicluster mesh, it will need to be migrated to the new mesh ID. Details of migration TBD, and it may be a disruptive operation to change the Mesh ID post-install.

If the mesh admin does not specify a value, Istio will use the value of the mesh's Trust Domain. The best practice is to select a proper Trust Domain value.

meshNetworks object

Configure the mesh networks to be used by the Split Horizon EDS.

The following example defines two networks with different endpoints association methods. For network1 all endpoints that their IP belongs to the provided CIDR range will be mapped to network1. The gateway for this network example is specified by its public IP address and port. The second network, network2, in this example is defined differently with all endpoints retrieved through the specified Multi-Cluster registry being mapped to network2. The gateway is also defined differently with the name of the gateway service on the remote cluster. The public IP for the gateway will be determined from that remote service (only LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, it still need to be configured manually).

meshNetworks:

network1:
endpoints:
- fromCidr: "192.168.0.1/24"
gateways:
- address: 1.1.1.1
port: 80
network2:
endpoints:
- fromRegistry: reg1
gateways:
- registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
port: 443

mountMtlsCerts boolean

Controls whether the in-cluster MTLS key and certs are loaded from the secret volume mounts.

multiCluster object

Specifies the Configuration for Istio mesh across multiple clusters through Istio gateways.

clusterName string

The name of the cluster this installation will run in. This is required for sidecar injection to properly label proxies

enabled boolean

Enables the connection between two kubernetes clusters via their respective ingressgateway services. Use if the pods in each cluster cannot directly talk to one another.

globalDomainSuffix string

The suffix for global service names.

includeEnvoyFilter boolean

Enable envoy filter to translate globalDomainSuffix to cluster local suffix for cross cluster communication.

nativeNftables boolean

Specifies whether native nftables rules should be used instead of iptables rules for traffic redirection.

network string

Network defines the network this cluster belong to. This name corresponds to the networks in the map of mesh networks.

networkPolicy object

Settings related to Kubernetes NetworkPolicy.

enabled boolean

Controls whether default NetworkPolicy resources will be created.

omitSidecarInjectorConfigMap boolean

Controls whether the creation of the sidecar injector ConfigMap should be skipped. Defaults to false. When set to true, the sidecar injector ConfigMap will not be created.

operatorManageWebhooks boolean

Controls whether the WebhookConfiguration resource(s) should be created. The current behavior of Istiod is to manage its own webhook configurations. When this option is set to true, Istio Operator, instead of webhooks, manages the webhook configurations. When this option is set as false, webhooks manage their own webhook configurations.

pilotCertProvider string

Configure the Pilot certificate provider. Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none".

platform string

Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" An empty value means it is a vanilla Kubernetes distribution, therefore no special treatment will be considered.

podDNSSearchNamespaces []string

Custom DNS config for the pod to resolve names of services in other clusters. Use this to add additional search domains, and other settings. see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config This does not apply to gateway pods as they typically need a different set of DNS settings than the normal application pods (e.g. in multicluster scenarios).

priorityClassName string

Specifies the k8s priorityClassName for the istio control plane components.

See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

proxy object

Specifies how proxies are configured within Istio.

autoInject string

Controls the 'policy' in the sidecar injector.

clusterDomain string

Domain for the cluster, default: "cluster.local".

K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/

componentLogLevel string

Per Component log level for proxy, applies to gateways and sidecars.

If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.

enableCoreDump boolean

Enables core dumps for newly injected sidecars.

If set, newly injected sidecars will have core dumps enabled.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

excludeIPRanges string

Lists the excluded IP ranges of Istio egress traffic that the sidecar captures.

excludeInboundPorts string

Specifies the Istio ingress ports not to capture.

excludeOutboundPorts string

A comma separated list of outbound ports to be excluded from redirection to Envoy.

holdApplicationUntilProxyStarts boolean

Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready

Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

image string

Image name or path for the proxy, default: "proxyv2".

If registry or tag are not specified, global.hub and global.tag are used.

Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0

includeIPRanges string

Lists the IP ranges of Istio egress traffic that the sidecar captures.

Example: "172.30.0.0/16,172.20.0.0/16" This would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar."

includeInboundPorts string

A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports.

includeOutboundPorts string

A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.

lifecycle object

The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

postStart object

PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

exec object

Exec specifies a command to execute in the container.

command []string

Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

httpGet object

HTTPGet specifies an HTTP GET request to perform.

host string

Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

httpHeaders []object

HTTPHeader describes a custom header to be used in HTTP probes

name string required

The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.

value string required

The header field value

path string

Path to access on the HTTP server.

port required

Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

scheme string

Scheme to use for connecting to the host. Defaults to HTTP.

sleep object

Sleep represents a duration that the container should sleep.

seconds integer required

Seconds is the number of seconds to sleep.

tcpSocket object

Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward compatibility. There is no validation of this field and lifecycle hooks will fail at runtime when it is specified.

host string

Optional: Host name to connect to, defaults to the pod IP.

port required

Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

preStop object

PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

exec object

Exec specifies a command to execute in the container.

command []string

httpGet object

HTTPGet specifies an HTTP GET request to perform.

host string

Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

httpHeaders []object

HTTPHeader describes a custom header to be used in HTTP probes

name string required

The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.

value string required

The header field value

path string

Path to access on the HTTP server.

port required

Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

scheme string

Scheme to use for connecting to the host. Defaults to HTTP.

sleep object

Sleep represents a duration that the container should sleep.

seconds integer required

Seconds is the number of seconds to sleep.

tcpSocket object

Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward compatibility. There is no validation of this field and lifecycle hooks will fail at runtime when it is specified.

host string

Optional: Host name to connect to, defaults to the pod IP.

port required

Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

stopSignal string

StopSignal defines which signal will be sent to a container when it is being stopped. If not specified, the default is defined by the container runtime in use. StopSignal can only be set for Pods with a non-empty .spec.os.name

logLevel string

outlierLogPath string

Path to the file to which the proxy will write outlier detection logs.

Example: "/dev/stdout" This would write the logs to standard output.

privileged boolean

Enables privileged securityContext for the istio-proxy container.

See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

readinessFailureThreshold integer

Sets the number of successive failed probes before indicating readiness failure.

readinessInitialDelaySeconds integer

Sets the initial delay for readiness probes in seconds.

readinessPeriodSeconds integer

Sets the interval between readiness probes in seconds.

resources object

K8s resources settings.

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

claims []object

ResourceClaim references one entry in PodSpec.ResourceClaims.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

startupProbe object

Configures the startup probe for the istio-proxy container.

enabled boolean

Enables or disables a startup probe. For optimal startup times, changing this should be tied to the readiness probe values.

If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), and doesn't spam the readiness endpoint too much

If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.

failureThreshold integer

Minimum consecutive failures for the probe to be considered failed after having succeeded.

statusPort integer

Default port used for the Pilot agent's health checks.

tracer string

Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.

proxy_init object

Specifies the Configuration for proxy_init container which sets the pods' networking to intercept the inbound/outbound traffic.

image string

Specifies the image for the proxy_init container.

resources object

K8s resources settings.

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

claims []object

ResourceClaim references one entry in PodSpec.ResourceClaims.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

remotePilotAddress string

Specifies the Istio control plane’s pilot Pod IP address or remote cluster DNS resolvable hostname.

revision string

Configures the revision this control plane is a part of

sds object

Specifies the Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates.

token object

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

aud string

sts object

Specifies the configuration for Security Token Service.

servicePort integer

tag string

Specifies the tag for the Istio docker images.

tracer object

Specifies the Configuration for each of the supported tracers.

datadog object

Configuration for the datadog tracing service.

address string

Address in host:port format for reporting trace data to the Datadog agent.

lightstep object

Configuration for the lightstep tracing service.

accessToken string

Sets the lightstep access token.

address string

Sets the lightstep satellite pool address in host:port format for reporting trace data.

stackdriver object

Configuration for the stackdriver tracing service.

debug boolean

enables trace output to stdout.

maxNumberOfAnnotations integer

The global default max number of annotation events per span.

maxNumberOfAttributes integer

The global default max number of attributes per span.

maxNumberOfMessageEvents integer

The global default max number of message events per span.

zipkin object

Configuration for the zipkin tracing service.

address string

Address of zipkin instance in host:port format for reporting trace data.

Example: .:941

trustBundleName string

Select a custom name for istiod's CA Root Cert ConfigMap.

variant string

The variant of the Istio container images to use. Options are "debug" or "distroless". Unset will use the default for the given version.

waypoint object

Specifies how waypoints are configured within Istio.

affinity object

K8s affinity settings for waypoint pods.

See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity

nodeAffinity object

Describes node affinity scheduling rules for the pod.

preferredDuringSchedulingIgnoredDuringExecution []object

An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).

preference object required

A node selector term, associated with the corresponding weight.

matchExpressions []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.

matchFields []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

weight integer required

Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution object

If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.

nodeSelectorTerms []object required

A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.

matchExpressions []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

matchFields []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

podAffinity object

Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).

preferredDuringSchedulingIgnoredDuringExecution []object

The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)

podAffinityTerm object required

Required. A pod affinity term, associated with the corresponding weight.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

matchLabelKeys []string

MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key in (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.

mismatchLabelKeys []string

MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key notin (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.

namespaceSelector object

A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

topologyKey string required

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

weight integer required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution []object

Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

podAntiAffinity object

Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).

preferredDuringSchedulingIgnoredDuringExecution []object

The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)

podAffinityTerm object required

Required. A pod affinity term, associated with the corresponding weight.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

weight integer required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution []object

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

nodeSelector object

K8s node labels settings.

See https://kubernetes.io/docs/user-guide/node-selection/

nodeSelectorTerms []object required

A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.

matchExpressions []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

matchFields []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

resources object

K8s resource settings.

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

claims []object

ResourceClaim references one entry in PodSpec.ResourceClaims.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

toleration []object

The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator .

effect string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

key string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

operator string

tolerationSeconds integer

value string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

topologySpreadConstraints []object

TopologySpreadConstraint specifies how to spread matching pods among the given topology.

labelSelector object

LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot be set when LabelSelector isn't set. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.

This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).

maxSkew integer required

MaxSkew describes the degree to which pods may be unevenly distributed. When whenUnsatisfiable=DoNotSchedule, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1. | zone1 | zone2 | zone3 | | P P | P P | P |

if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1).
if MaxSkew is 2, incoming pod can be scheduled onto any zone. When whenUnsatisfiable=ScheduleAnyway, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.

minDomains integer

MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won't schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule.

For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew.

nodeAffinityPolicy string

NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are:

Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.

If this value is nil, the behavior is equivalent to the Honor policy.

nodeTaintsPolicy string

NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are:

Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included.
Ignore: node taints are ignored. All nodes are included.

If this value is nil, the behavior is equivalent to the Ignore policy.

topologyKey string required

TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each <key, value> as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's a required field.

whenUnsatisfiable string required

WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint.

DoNotSchedule (default) tells the scheduler not to schedule it.
ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it more imbalanced. It's a required field.

istiodRemote object

Configuration for istiod-remote. DEPRECATED - istiod-remote chart is removed and replaced with istio-discovery --set values.istiodRemote.enabled=true

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

enabled boolean

Indicates if this cluster/install should consume a "remote" istiod instance,

enabledLocalInjectorIstiod boolean

If true, indicates that this cluster/install should consume a "local istiod" installation, local istiod inject sidecars

injectionCABundle string

injector ca bundle

injectionPath string

Path to use for the sidecar injector webhook service.

injectionURL string

URL to use for sidecar injector webhook.

meshConfig object

Defines runtime configuration of components, including Istiod and istio-agent behavior. See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options.

accessLogEncoding string

Encoding for the proxy access log (TEXT or JSON). Default value is TEXT.

accessLogFile string

File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.

accessLogFormat string

Format for the proxy access log Empty value results in proxy's default access log format

ca object

If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA using the Istio CA gRPC API.

address string required

REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

istiodSide boolean

Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true

requestTimeout string

timeout for forward CSR requests from Istiod to External CA Default: 10s

tlsSettings object

Use the tlsSettings to specify the tls mode to use. Regarding tlsSettings:

DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing
TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate.

caCertificates string

OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will verify the server's certificate using the OS CA certificates. Should be empty if mode is ISTIO_MUTUAL.

caCrl string

OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate. CRL is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. If omitted, the proxy will not verify the certificate against the crl. Note that if credentialName is set, CRL cannot be specified using caCrl, rather it has to be specified inside the credential.

clientCertificate string

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

credentialName string

The name of the secret that holds the TLS certs for the client including the CA certificates. This secret must exist in the namespace of the proxy using the certificates. An Opaque secret should contain the following keys and values: key: <privateKey>, cert: <clientCert>, cacert: <CACertificate>, crl: <certificateRevocationList> Here CACertificate is used to verify the server certificate. For mutual TLS, cacert: <CACertificate> can be provided in the same secret or a separate secret named <secret>-cacert. A TLS secret for client certificates with an additional ca.crt key for CA certificates and ca.crl key for certificate revocation list(CRL) is also supported. Only one of client certificates and CA certificate or credentialName can be specified.

NOTE: This field is applicable at sidecars only if DestinationRule has a workloadSelector specified. Otherwise the field will be applicable only at gateways, and sidecars will continue to use the certificate paths.

insecureSkipVerify boolean

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

mode string

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

privateKey string

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

sni string

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

subjectAltNames []string

A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subjectAltNames from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header.

caCertificates []object

certSigners []string

when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

pem string

The PEM data of the certificate.

spiffeBundleUrl string

The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint.

trustDomains []string

Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.

certificates []object

Certificate configures the provision of a certificate and its key. Example 1: key and cert stored in a secret

{ secretName: galley-cert
secretNamespace: istio-system
dnsNames:
- galley.istio-system.svc
- galley.mydomain.com
}

Example 2: key and cert stored in a directory

{ dnsNames:
- pilot.istio-system
- pilot.istio-system.svc
- pilot.mydomain.com
}

dnsNames []string

The DNS names for the certificate. A certificate may contain multiple DNS names.

secretName string

Name of the secret the certificate and its key will be stored into. If it is empty, it will not be stored into a secret. Instead, the certificate and its key will be stored into a hard-coded directory.

configSources []object

ConfigSource describes information about a configuration store inside a mesh. A single control plane instance can interact with one or more data sources.

address string

Address of the server implementing the Istio Mesh Configuration protocol (MCP). Can be IP address or a fully qualified DNS name. Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or fs:/// to specify a file-based backend with absolute path to the directory.

subscribedResources []string

Describes the source of configuration, if nothing is specified default is MCP

tlsSettings object

Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

caCertificates string

caCrl string

clientCertificate string

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

credentialName string

insecureSkipVerify boolean

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

mode string

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

privateKey string

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

sni string

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

subjectAltNames []string

connectTimeout string

Connection timeout used by Envoy. (MUST be >=1ms) Default timeout is 10s.

defaultConfig object

Default proxy config used by gateway and sidecars. In case of Kubernetes, the proxy config is applied once during the injection process, and remain constant for the duration of the pod. The rest of the mesh config can be changed at runtime and config gets distributed dynamically. On Kubernetes, this can be overridden on individual pods with the proxy.istio.io/config annotation.

availabilityZone string

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

binaryPath string

Path to the proxy binary

caCertificatesPem []string

The PEM data of the extra root certificates for workload-to-workload communication. This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) are added automatically by Istiod.

concurrency integer

The number of worker threads to run. If unset, which is recommended, this will be automatically determined based on CPU requests/limits. If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance issues if CPU limits are also set.

configPath string

Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory.

controlPlaneAuthPolicy string

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. Default is set to MUTUAL_TLS.

customConfigFile string

File path of custom proxy configuration, currently used by proxies in front of istiod.

discoveryAddress string

Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.

discoveryRefreshDelay string

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

drainDuration string

restart. MUST be >=1s (e.g., 1s/1m/1h) Default drain duration is 45s.

envoyAccessLogService object

Address of the service to which access logs from Envoys should be sent. (e.g. accesslog-service:15000). See Access Log Service for details about Envoy's gRPC Access Log Service API.

address string

Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.

tcpKeepalive object

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

interval string

The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)

probes integer

Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)

time string

The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)

tlsSettings object

Use the tlsSettings to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

caCertificates string

caCrl string

clientCertificate string

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

credentialName string

insecureSkipVerify boolean

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

mode string

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

privateKey string

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

sni string

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

subjectAltNames []string

envoyMetricsService object

Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). See Metric Service for details about Envoy's Metrics Service API.

address string

Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.

tcpKeepalive object

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

interval string

The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)

probes integer

Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)

time string

The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)

tlsSettings object

Use the tlsSettings to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

caCertificates string

caCrl string

clientCertificate string

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

credentialName string

insecureSkipVerify boolean

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

mode string

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

privateKey string

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

sni string

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

subjectAltNames []string

envoyMetricsServiceAddress string

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

extraStatTags []string

An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics. Deprecated: istio.stats is a native filter now, this field is no longer needed.

gatewayTopology object

Topology encapsulates the configuration which describes where the proxy is located i.e. behind a (or N) trusted proxy (proxies) or directly exposed to the internet. This configuration only effects gateways and is applied to all the gateways in the cluster unless overridden via annotations of the gateway workloads.

forwardClientCertDetails string

Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) header in the incoming request.

numTrustedProxies integer

Number of trusted proxies deployed in front of the Istio gateway proxy. When this option is set to value N greater than zero, the trusted client address is assumed to be the Nth address from the right end of the X-Forwarded-For (XFF) header from the incoming request. If the X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the gateway proxy falls back to using the immediate downstream connection's source address as the trusted client address. Note that the gateway proxy will append the downstream connection's source address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. The default value of numTrustedProxies is 0. See Envoy XFF header handling for more details.

proxyProtocol object

Enables PROXY protocol for downstream connections on a gateway.

holdApplicationUntilProxyStarts boolean

Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. This feature adds hooks to delay application startup until the pod proxy is ready to accept traffic, mitigating some startup race conditions. Default value is 'false'.

image object

Specifies the details of the proxy image.

imageType string

The image type of the image. Istio publishes default, debug, and distroless images. Other values are allowed if those image types (example: centos) are published to the specified hub. supported values: default, debug, distroless.

interceptionMode string

The mode used to redirect inbound traffic to Envoy.

meshId string

The unique identifier for the service mesh All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

privateKeyProvider object

Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.

cryptomb object

Use CryptoMb private key provider

fallback boolean

If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) Envoy will fallback to the BoringSSL default implementation when the fallback is true. The default value is false.

pollDelay string

How long to wait until the per-thread processing queue should be processed. If the processing queue gets full (eight sign or decrypt requests are received) it is processed immediately. However, if the queue is not filled before the delay has expired, the requests already in the queue are processed, even if the queue is not full. In effect, this value controls the balance between latency and throughput. The duration needs to be set to a value greater than or equal to 1 millisecond.

qat object

Use QAT private key provider

fallback boolean

pollDelay string

How long to wait before polling the hardware accelerator after a request has been submitted there. Having a small value leads to quicker answers from the hardware but causes more polling loop spins, leading to potentially larger CPU usage. The duration needs to be set to a value greater than or equal to 1 millisecond.

proxyAdminPort integer

Port on which Envoy should listen for administrative commands. Default port is 15000.

proxyBootstrapTemplatePath string

Path to the proxy bootstrap template file

proxyHeaders object

Define the set of headers to add/modify for HTTP request/responses.

To enable an optional header, simply set the field. If no specific configuration is required, an empty object ({}) will enable it. Note: currently all headers are enabled by default.

Below shows an example of customizing the server header and disabling the X-Envoy-Attempt-Count header:

proxyHeaders:
server:
value: "my-custom-server"
# Explicitly enable Request IDs.
# As this is the default, this has no effect.
requestId: {}
attemptCount:
disabled: true

Below shows an example of preserving the header case for HTTP 1.x requests

proxyHeaders:
preserveHttp1HeaderCase: true

Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:

proxyHeaders:
forwardedClientCert: SANITIZE
server:
disabled: true
requestId:
disabled: true
attemptCount:
disabled: true
envoyDebugHeaders:
disabled: true
metadataExchangeHeaders:
mode: IN_MESH

attemptCount object

Controls the X-Envoy-Attempt-Count header. If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. If disabled, this header will not be set. If it is already present, it will be preserved. This header is enabled by default if not configured.

disabled boolean

envoyDebugHeaders object

Controls various X-Envoy-* headers, such as X-Envoy-Overloaded and X-Envoy-Upstream-Service-Time. If enabled, these headers will be included. If disabled, these headers will not be set. If they are already present, they will be preserved. See the Envoy documentation for more details. These headers are enabled by default if not configured.

disabled boolean

forwardedClientCert string

Controls the X-Forwarded-Client-Cert header for inbound sidecar requests. To set this on gateways, use the Topology setting. To disable the header, configure either SANITIZE (to always remove the header, if present) or FORWARD_ONLY (to leave the header as-is). By default, APPEND_FORWARD will be used.

metadataExchangeHeaders object

Controls Istio metadata exchange headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id. By default, the behavior is unspecified. If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.

mode string

preserveHttp1HeaderCase boolean

When true, the original case of HTTP/1.x headers will be preserved as they pass through the proxy, rather than normalizing them to lowercase. This field is particularly useful for applications that require case-sensitive headers for interoperability with downstream systems or APIs that expect specific casing. The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2 requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2 standards.

requestId object

Controls the X-Request-Id header. If enabled, a request ID is generated for each request if one is not already set. This applies to all types of traffic (inbound, outbound, and gateways). If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. This header is enabled by default if not configured.

disabled boolean

server object

Controls the server header. If enabled, the Server: istio-envoy header is set in response headers for inbound traffic (including gateways). If disabled, the Server header is not modified. If it is already present, it will be preserved.

disabled boolean

value string

If set, and the server header is enabled, this value will be set as the server header. By default, istio-envoy will be used.

setCurrentClientCertDetails object

This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in the client certificate to be forwarded. Note that Hash is always set, and By is always set when the client certificate presents the URI type Subject Alternative Name value.

cert boolean

Whether to forward the entire client cert in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Cert="PEM". Defaults to false.

chain boolean

Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Chain="PEM". Defaults to false.

dns boolean

Whether to forward the DNS type Subject Alternative Names of the client cert. Defaults to true.

subject boolean

Whether to forward the subject of the client cert. Defaults to true.

uri boolean

Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to true.

xForwardedHost object

Controls the X-Forwarded-Host header. If enabled, the X-Forwarded-Host header is appended with the original host when it is rewritten. This header is disabled by default.

enabled boolean

xForwardedPort object

Controls the X-Forwarded-Port header. If enabled, the X-Forwarded-Port header is header with the port value client used to connect to Envoy. It will be ignored if the “x-forwarded-port“ header has been set by any trusted proxy in front of Envoy. This header is disabled by default.

enabled boolean

proxyMetadata object

Additional environment variables for the proxy. Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

proxyStatsMatcher object

Proxy stats matcher defines configuration for reporting custom Envoy stats. To reduce memory and CPU overhead from Envoy stats system, Istio proxies by default create and expose only a subset of Envoy stats. This option is to control creation of additional Envoy stats with prefix, suffix, and regex expressions match on the name of the stats. This replaces the stats inclusion annotations (sidecar.istio.io/statsInclusionPrefixes, sidecar.istio.io/statsInclusionRegexps, and sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats for circuit breakers, request retries, upstream connections, and request timeouts, you can specify stats matcher as follows:

proxyStatsMatcher:
inclusionRegexps:
- .*outlier_detection.*
- .*upstream_rq_retry.*
- .*upstream_cx_.*
inclusionSuffixes:
- upstream_rq_timeout

Note including more Envoy stats might increase number of time series collected by prometheus significantly. Care needs to be taken on Prometheus resource provision and configuration to reduce cardinality.

inclusionPrefixes []string

Proxy stats name prefix matcher for inclusion.

inclusionRegexps []string

Proxy stats name regexps matcher for inclusion.

inclusionSuffixes []string

Proxy stats name suffix matcher for inclusion.

readinessProbe object

VM Health Checking readiness probe. This health check config exactly mirrors the kubernetes readiness probe configuration both in schema and logic. Only one health check method of 3 can be set at a time.

exec object

Exec specifies a command to execute in the container.

command []string

failureThreshold integer

Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

grpc object

GRPC specifies a GRPC HealthCheckRequest.

port integer required

Port number of the gRPC service. Number must be in the range 1 to 65535.

service string

Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).

If this is not specified, the default behavior is defined by gRPC.

httpGet object

HTTPGet specifies an HTTP GET request to perform.

host string

Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

httpHeaders []object

HTTPHeader describes a custom header to be used in HTTP probes

name string required

The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.

value string required

The header field value

path string

Path to access on the HTTP server.

port required

Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

scheme string

Scheme to use for connecting to the host. Defaults to HTTP.

initialDelaySeconds integer

Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

periodSeconds integer

How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.

successThreshold integer

Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.

tcpSocket object

TCPSocket specifies a connection to a TCP port.

host string

Optional: Host name to connect to, defaults to the pod IP.

port required

Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

terminationGracePeriodSeconds integer

Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.

timeoutSeconds integer

Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

runtimeValues object

Envoy runtime configuration to set during bootstrapping. This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

sds object

Secret Discovery Service(SDS) configuration to be used by the proxy.

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

enabled boolean

True if SDS is enabled.

k8sSaJwtPath string

Path of k8s service account JWT path.

serviceCluster string

Service cluster defines the name for the service_cluster that is shared by all Envoy instances. This setting corresponds to --service-cluster flag in Envoy. In a typical Envoy deployment, the service-cluster flag is used to identify the caller, for source-based routing scenarios.

Since Istio does not assign a local service/service version to each Envoy instance, the name is same for all of them. However, the source/caller's identity (e.g., IP address) is encoded in the --service-node flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the service-node flag to compute routes that are relative to the service instances located at that IP address.

statNameLength integer

Maximum length of name field in Envoy's metrics. The length of the name field is determined by the length of a name field in a service and the set of labels that comprise a particular version of the service. The default value is set to 189 characters. Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.

statsdUdpAddress string

IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

statusPort integer

Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port 15020.

terminationDrainDuration string

The amount of time allowed for connections to complete on proxy shutdown. On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then sleeps for the terminationDrainDuration and then kills any remaining active Envoy processes. If not set, a default of 5s will be applied.

tracing object

Tracing configuration to be used by the proxy.

customTags object

and gateways). The key represents the name of the tag. Ex:

custom_tags:
new_tag_name:
header:
name: custom-http-header-name
default_value: defaulted-value-from-custom-header

datadog object

Use a Datadog tracer.

address string

Address of the Datadog Agent.

enableIstioTags boolean

Determines whether or not trace spans generated by Envoy will include Istio specific tags. By default Istio specific tags are included in the trace spans.

lightstep object

Use a Lightstep tracer. NOTE: For Istio 1.15+, this configuration option will result in using OpenTelemetry-based Lightstep integration.

accessToken string

The Lightstep access token.

address string

Address of the Lightstep Satellite pool.

maxPathTagLength integer

Configures the maximum length of the request path to extract and include in the HttpUrl tag. Used to truncate length request paths to meet the needs of tracing backend. If not set, then a length of 256 will be used.

openCensusAgent object

Use an OpenCensus tracer exporting to an OpenCensus agent.

address string

gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or unix:path). See gRPC naming docs for details.

context []string

Specifies the set of context propagation headers used for distributed tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, the proxy will attempt to read each header for each request and will write all headers.

sampling number

The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0.

stackdriver object

Use a Stackdriver tracer.

debug boolean

debug enables trace output to stdout.

maxNumberOfAnnotations integer

The global default max number of annotation events per span. default is 200.

maxNumberOfAttributes integer

The global default max number of attributes per span. default is 200.

maxNumberOfMessageEvents integer

The global default max number of message events per span. default is 200.

tlsSettings object

Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

caCertificates string

caCrl string

clientCertificate string

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

credentialName string

insecureSkipVerify boolean

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

mode string

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

privateKey string

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

sni string

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

subjectAltNames []string

zipkin object

Use a Zipkin tracer.

address string

Address of the Zipkin service (e.g. zipkin:9411).

tracingServiceName string

Used by Envoy proxies to assign the values for the service names in trace spans.

zipkinAddress string

Address of the Zipkin service (e.g. zipkin:9411). DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

defaultDestinationRuleExportTo []string

The default value for the DestinationRule.exportTo field. Has the same syntax as defaultServiceExportTo.

If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces

defaultHttpRetryPolicy object

Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors:

"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes".

Setting the number of attempts to 0 disables retry policy globally. This setting can be overridden on a per-host basis using the Virtual Service API. All settings in the retry policy except perTryTimeout can currently be configured globally via this field.

attempts integer

Number of retries to be allowed for a given request. The interval between retries will be determined automatically (25ms+). When request timeout of the HTTP route or per_try_timeout is configured, the actual number of retries attempted also depends on the specified request timeout and per_try_timeout values. MUST be >= 0. If 0, retries will be disabled. The maximum possible number of requests made will be 1 + attempts.

backoff string

Specifies the minimum duration between retry attempts. If unset, default minimum duration of 25ms is used as base interval for exponetial backoff. This has an impact on the total number of retries that will be attempted based on the attempts field and route timeout. For example, with attempts is set to 3, backoff to 2s and timeout to 3s, the request will be retried only once.

perTryTimeout string

Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be >=1ms. Default is same value as request timeout of the HTTP route, which means no timeout.

retryIgnorePreviousHosts boolean

Flag to specify whether the retries should ignore previously tried hosts during retry. Defaults to true.

retryOn string

Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. See the retry policies and gRPC retry policies for more details.

In addition to the policies specified above, a list of HTTP status codes can be passed, such as retryOn: "503,reset". Note these status codes refer to the actual responses received from the destination. For example, if a connection is reset, Istio will translate this to 503 for it's response. However, the destination did not return a 503 error, so this would not match "503" (it would, however, match "reset").

If not specified, this defaults to connect-failure,refused-stream,unavailable,cancelled.

retryRemoteLocalities boolean

Flag to specify whether the retries should retry to other localities. See the retry plugin configuration for more details.

defaultProviders object

Specifies extension providers to use by default in Istio configuration resources.

accessLogging []string

Name of the default provider(s) for access logging.

metrics []string

Name of the default provider(s) for metrics.

tracing []string

Name of the default provider(s) for tracing.

defaultServiceExportTo []string

The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are:

* - All Namespaces
. - Current Namespace
~ - No Namespace

If not set the system will use "*" as the default value which implies that services are exported to all namespaces.

All namespaces is a reasonable default for implementations that don't need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default Current namespace so that services are only visible within their own namespaces by default. Operators can then expand the visibility of services to other namespaces as needed. Use of No Namespace is expected to be rare but can have utility for deployments where dependency management needs to be precise even within the scope of a single namespace.

For further discussion see the reference documentation for ServiceEntry, Sidecar, and Gateway.

defaultVirtualServiceExportTo []string

The default value for the VirtualService.exportTo field. Has the same syntax as defaultServiceExportTo.

If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces

disableEnvoyListenerLog boolean

This flag disables Envoy Listener logs. See Listener Access Log Istio Enables Envoy's listener access logs on "NoRoute" response flag. Default value is false.

discoverySelectors []object

A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

dnsRefreshRate string

Configures DNS refresh rate for Envoy clusters of type STRICT_DNS Default refresh rate is 60s.

enableAutoMtls boolean

This flag is used to enable mutual TLS automatically for service to service communication within the mesh, default true. If set to true, and a given service does not have a corresponding DestinationRule configured, or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side TLS configuration appropriately. More specifically, If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate for mutual TLS to connect to upstream. If upstream service is in plain text mode, use plain text. If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use mutual TLS when server sides are capable of accepting mutual TLS traffic. If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.

enableEnvoyAccessLogService boolean

This flag enables Envoy's gRPC Access Log Service. See Access Log Service for details about Envoy's gRPC Access Log Service API. Default value is false.

enablePrometheusMerge boolean

If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. This relies on the annotations prometheus.io/scrape, prometheus.io/port, and prometheus.io/path annotations. If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. In this case, it is recommended to disable aggregation on that deployment with the prometheus.istio.io/merge-metrics: "false" annotation. If not specified, this will be enabled by default.

enableTracing boolean

Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.

extensionProviders []object

datadog object

Configures a Datadog tracing provider.

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

port integer required

REQUIRED. Specifies the port of the service.

service string required

REQUIRED. Specifies the service for the Datadog agent. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".

envoyExtAuthzGrpc object

Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.

clearRouteCache boolean

If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. If true, recalculate routes with the new ExtAuthZ added/removed headers. Default is false

failOpen boolean

If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

includeRequestBodyInCheck object

If set, the client request body will be included in the authorization request sent to the authorization service.

allowPartialMessage boolean

When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial.

maxRequestBytes integer

Sets the maximum size of a message body that the ext-authz filter will hold in memory. If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the failOpen is set to true.

packAsBytes boolean

If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the raw_body field. Otherwise, it will be filled with UTF-8 string in the body field. This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.

port integer required

REQUIRED. Specifies the port of the service.

service string required

REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

statusOnError string

Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden).

timeout string

The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured failOpen field.

envoyExtAuthzHttp object

Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.

clearRouteCache boolean

failOpen boolean

If true, the user request will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false and the request will be rejected with "Forbidden" response.

headersToDownstreamOnAllow []string

List of headers from the authorization service that should be forwarded to downstream when the authorization check result is allowed (HTTP code 200). If not specified, the original response will not be modified and forwarded to downstream as-is. Note, any existing headers will be overridden.

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match):

Exact match: "abc" will match on value "abc".
Prefix match: "abc*" will match on value "abc" and "abcd".
Suffix match: "*abc" will match on value "abc" and "xabc".

headersToDownstreamOnDeny []string

List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200). If not specified, all the authorization response headers, except Authority (Host) will be in the response to the downstream. When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are automatically added. Note, the body from the authorization service is always included in the response to downstream.

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match):

Exact match: "abc" will match on value "abc".
Prefix match: "abc*" will match on value "abc" and "abcd".
Suffix match: "*abc" will match on value "abc" and "xabc".

headersToUpstreamOnAllow []string

List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). If not specified, the original request will not be modified and forwarded to backend as-is. Note, any existing headers will be overridden.

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match):

Exact match: "abc" will match on value "abc".
Prefix match: "abc*" will match on value "abc" and "abcd".
Suffix match: "*abc" will match on value "abc" and "xabc".

includeAdditionalHeadersInCheck object

Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.

includeHeadersInCheck []string

DEPRECATED. Use includeRequestHeadersInCheck instead.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

includeRequestBodyInCheck object

If set, the client request body will be included in the authorization request sent to the authorization service.

allowPartialMessage boolean

maxRequestBytes integer

packAsBytes boolean

includeRequestHeadersInCheck []string

List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default:

Host, Method, Path and Content-Length are automatically sent.
Content-Length will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size.

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match):

Exact match: "abc" will match on value "abc".
Prefix match: "abc*" will match on value "abc" and "abcd".
Suffix match: "*abc" will match on value "abc" and "xabc".

pathPrefix string

Sets a prefix to the value of authorization request header Path. For example, setting this to "/check" for an original user request at path "/admin" will cause the authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".

port integer required

REQUIRED. Specifies the port of the service.

service string required

REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

statusOnError string

Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden).

timeout string

The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured failOpen field.

envoyFileAccessLog object

Configures an Envoy File Access Log provider.

logFormat object

Optional. Allows overriding of the default access log format.

labels object

JSON structured format for the envoy access logs. Envoy command operators can be used as values for fields within the Struct. Values are rendered as strings, numbers, or boolean values, as appropriate (see: format dictionaries). Nested JSON is supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). Use labels: {} for default envoy JSON log format.

Example:

labels:
status: "%RESPONSE_CODE%"
message: "%LOCAL_REPLY_BODY%"

text string

Textual format for the envoy access logs. Envoy command operators may be used in the format. The format string documentation provides more information.

NOTE: Istio will insert a newline ('\n') on all formats (if missing).

Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

omitEmptyValues boolean

Optional. If set to true, when command operators are evaluated to null, For text format, the output of the empty operator is changed from "-" to an empty string. For json format, the keys with null values are omitted in the output structure.

path string

Path to a local file to write the access log entries. This may be used to write to streams, via /dev/stderr and /dev/stdout If unspecified, defaults to /dev/stdout.

envoyHttpAls object

Configures an Envoy Access Logging Service provider for HTTP traffic.

additionalRequestHeadersToLog []string

Optional. Additional request headers to log.

additionalResponseHeadersToLog []string

Optional. Additional response headers to log.

additionalResponseTrailersToLog []string

Optional. Additional response trailers to log.

filterStateObjectsToLog []string

Optional. Additional filter state objects to log.

logName string

Optional. The friendly name of the access log. Defaults:

"http_envoy_accesslog"
"listener_envoy_accesslog"

port integer required

REQUIRED. Specifies the port of the service.

service string required

REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

envoyOtelAls object

Configures an Envoy Open Telemetry Access Logging Service provider.

logFormat object

Optional. Format for the proxy access log Empty value results in proxy's default access log format, following Envoy access logging formatting.

labels object

Optional. Additional attributes that describe the specific event occurrence. Structured format for the envoy access logs. Envoy command operators can be used as values for fields within the Struct. Values are rendered as strings, numbers, or boolean values, as appropriate (see: format dictionaries). Nested JSON is supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). Alias to attributes field in Open Telemetry

Example:

labels:
status: "%RESPONSE_CODE%"
message: "%LOCAL_REPLY_BODY%"

text string

Textual format for the envoy access logs. Envoy command operators may be used in the format. The format string documentation provides more information. Alias to body field in Open Telemetry Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

logName string

Optional. The friendly name of the access log. Defaults:

"otel_envoy_accesslog"

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

envoyTcpAls object

Configures an Envoy Access Logging Service provider for TCP traffic.

filterStateObjectsToLog []string

Optional. Additional filter state objects to log.

logName string

Optional. The friendly name of the access log. Defaults:

"tcp_envoy_accesslog"
"listener_envoy_accesslog"

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

lightstep object

Configures a Lightstep tracing provider. Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

accessToken string

The Lightstep access token.

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

port integer required

REQUIRED. Specifies the port of the service.

service string required

REQUIRED. Specifies the service for the Lightstep collector. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".

name string required

REQUIRED. A unique name identifying the extension provider.

opencensus object

Configures an OpenCensusAgent tracing provider. Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

context []string

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

port integer required

REQUIRED. Specifies the port of the service.

service string required

REQUIRED. Specifies the service for the OpenCensusAgent. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".

opentelemetry object

Configures an OpenTelemetry tracing provider.

dynatraceSampler object

The Dynatrace adaptive traffic management (ATM) sampler.

Example configuration:

  - name: otel-tracing
opentelemetry:
port: 443
service: "{your-environment-id}.live.dynatrace.com"
http:
path: "/api/v2/otlp/v1/traces"
timeout: 10s
headers:
- name: "Authorization"
value: "Api-Token dt0c01."
resourceDetectors:
dynatrace: {}
dynatraceSampler:
tenant: "{your-environment-id}"
clusterId: 1234

clusterId integer required

REQUIRED. The identifier of the cluster in the Dynatrace platform. The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.

The value can be obtained from the Istio deployment page in Dynatrace.

httpService object

Optional. Dynatrace HTTP API to obtain sampling configuration.

When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter (service, port and http), including the access token.

http object required

REQUIRED. Specifies sampling configuration URI.

headers []object

envName string

The HTTP header value from the environment variable.

Warning:

The environment variable must be set in the istiod pod spec.
This is not a end-to-end secure.

name string required

REQUIRED. The HTTP header name.

value string

The HTTP header value.

path string required

REQUIRED. Specifies the path on the service.

timeout string

Optional. Specifies the timeout for the HTTP request. If not specified, the default is 3s.

port integer required

REQUIRED. Specifies the port of the service.

service string required

REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration. The format is <Hostname>, where <Hostname> is the fully qualified Dynatrace environment host name defined in the ServiceEntry.

Example: "{your-environment-id}.live.dynatrace.com".

rootSpansPerMinute integer

Optional. Number of sampled spans per minute to be used when the adaptive value cannot be obtained from the Dynatrace API.

A default value of 1000 is used when:

rootSpansPerMinute is unset
rootSpansPerMinute is set to 0

tenant string required

REQUIRED. The Dynatrace customer's tenant identifier.

The value can be obtained from the Istio deployment page in Dynatrace.

grpc object

Optional. Specifies the configuration for exporting OTLP traces via GRPC. When empty, traces will check whether HTTP is set. If not, traces will use default GRPC configurations.

The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC:

Add/change the OpenTelemetry extension provider in MeshConfig

  - name: opentelemetry
opentelemetry:
port: 8090
service: tracing.example.com
grpc:
timeout: 10s
initialMetadata:
- name: "Authentication"
value: "token-xxxxx"

Deploy a ServiceEntry for the observability back-end

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: tracing-grpc
spec:
hosts:
- tracing.example.com
ports:
- number: 8090
name: grpc-port
protocol: GRPC
resolution: DNS
location: MESH_EXTERNAL

initialMetadata []object

envName string

The HTTP header value from the environment variable.

Warning:

The environment variable must be set in the istiod pod spec.
This is not a end-to-end secure.

name string required

REQUIRED. The HTTP header name.

value string

The HTTP header value.

timeout string

Optional. Specifies the timeout for the GRPC request.

http object

Optional. Specifies the configuration for exporting OTLP traces via HTTP. When empty, traces will be exported via gRPC.

The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:

Add/change the OpenTelemetry extension provider in MeshConfig

  - name: otel-tracing
opentelemetry:
port: 443
service: my.olly-backend.com
http:
path: "/api/otlp/traces"
timeout: 10s
headers:
- name: "my-custom-header"
value: "some value"

Deploy a ServiceEntry for the observability back-end

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: my-olly-backend
spec:
hosts:
- my.olly-backend.com
ports:
- number: 443
name: https-port
protocol: HTTPS
resolution: DNS
location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: my-olly-backend
spec:
host: my.olly-backend.com
trafficPolicy:
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE

headers []object

envName string

The HTTP header value from the environment variable.

Warning:

The environment variable must be set in the istiod pod spec.
This is not a end-to-end secure.

name string required

REQUIRED. The HTTP header name.

value string

The HTTP header value.

path string required

REQUIRED. Specifies the path on the service.

timeout string

Optional. Specifies the timeout for the HTTP request. If not specified, the default is 3s.

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

port integer required

REQUIRED. Specifies the port of the service.

resourceDetectors object

Optional. Specifies Resource Detectors to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged according to the OpenTelemetry Resource specification.

The following example shows how to configure the Environment Resource Detector, that will read the attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES:

  - name: otel-tracing
opentelemetry:
port: 443
service: my.olly-backend.com
resourceDetectors:
environment: {}

dynatrace object

Dynatrace Resource Detector. The resource detector reads from the Dynatrace enrichment files and adds host/process related attributes to the OpenTelemetry resource.

See: Enrich ingested data with Dynatrace-specific dimensions

environment object

OpenTelemetry Environment Resource Detector. The resource detector reads attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES and adds them to the OpenTelemetry resource.

See: Resource specification

service string required

REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com".

prometheus object

Configures a Prometheus metrics provider.

sds object

Configures an Extension Provider for SDS. This can be used to configure an external SDS service to supply secrets for certain Gateways for example. This is useful for scenarios where the secrets are stored in an external secret store like Vault. The secret should be configured with sds://provider-name format.

name string required

REQUIRED. Specifies the name of the provider. This should be used to configure the Gateway SDS.

port integer required

REQUIRED. Specifies the port of the service.

service string required

REQUIRED. Specifies the service that implements the SDS service. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: "gateway-sds.foo.svc.cluster.local" or "bar/gateway-sds.example.com".

skywalking object

Configures a Apache SkyWalking provider.

accessToken string

Optional. The SkyWalking OAP access token.

port integer required

REQUIRED. Specifies the port of the service.

service string required

REQUIRED. Specifies the service for the SkyWalking receiver. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".

stackdriver object

Configures a Stackdriver provider.

debug boolean

debug enables trace output to stdout.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

logging object

Optional. Controls Stackdriver logging behavior.

labels object

Collection of tag names and tag expressions to include in the log entry. Conflicts are resolved by the tag name by overriding previously supplied values.

Example:

labels:
path: request.url_path
foo: request.headers['x-foo']

maxNumberOfAnnotations integer

The global default max number of annotation events per span. default is 200.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

maxNumberOfAttributes integer

The global default max number of attributes per span. default is 200.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

maxNumberOfMessageEvents integer

The global default max number of message events per span. default is 200.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

zipkin object

Configures a tracing provider that uses the Zipkin API.

enable64bitTraceId boolean

Optional. A 128 bit trace id will be used in Istio. If true, will result in a 64 bit trace id being used.

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

path string

Optional. Specifies the endpoint of Zipkin API. The default value is "/api/v2/spans".

port integer required

REQUIRED. Specifies the port of the service.

service string required

REQUIRED. Specifies the service that the Zipkin API. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".

h2UpgradePolicy string

Specify if http1.1 connections should be upgraded to http2 by default. if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE. It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.

inboundClusterStatName string

Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>. For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.

A Pattern can be composed of various pre-defined variables. The following variables are supported.

%SERVICE% - Will be substituted with short hostname of the service.
%SERVICE_NAME% - Will be substituted with name of the service.
%SERVICE_FQDN% - Will be substituted with FQDN of the service.
%SERVICE_PORT% - Will be substituted with port of the service.
%TARGET_PORT% - Will be substituted with the target port of the service.
%SERVICE_PORT_NAME% - Will be substituted with port name of the service.

Following are some examples of supported patterns for reviews:

%SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
%SERVICE% will use reviews.prod as the stats name.

inboundTrafficPolicy object

Set the default behavior of the sidecar for handling inbound traffic to the application. If your application listens on localhost, you will need to set this to LOCALHOST.

mode string

ingressClass string

Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of kubernetes.io/ingress.class annotation.

ingressControllerMode string

Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is STRICT.

ingressSelector string

Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR. By default, ingressgateway is used, which will select the default IngressGateway as it has the istio: ingressgateway labels. It is recommended that this is the same value as ingressService.

ingressService string

Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value istio-ingressgateway is used.

localityLbSetting object

Locality based load balancing distribution or failover settings. If unspecified, locality based load balancing will be enabled by default. However, this requires outlierDetection to actually take effect for a particular service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/

distribute []object

Describes how traffic originating in the 'from' zone or sub-zone is distributed over a set of 'to' zones. Syntax for specifying a zone is {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples:

* - matches all localities

us-west/* - all zones and sub-zones within the us-west region

us-west/zone-1/* - all sub-zones within us-west/zone-1

from string

Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.

to object

Map of upstream localities to traffic distribution weights. The sum of all weights should be 100. Any locality not present will receive no traffic.

enabled boolean

Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety. e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.

failover []object

Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.

from string

Originating region.

to string

Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.

failoverPriority []string

failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. This is to support traffic failover across different groups of endpoints. Two kinds of labels can be specified:

Specify only label keys [key1, key2, key3], istio would compare the label values of client with endpoints. Suppose there are total N label keys [key1, key2, key3, ...keyN] specified:
1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
4. All the other endpoints have priority P(N) i.e. lowest priority.
Specify labels with key and value [key1=value1, key2=value2, key3=value3], istio would compare the labels with endpoints. Suppose there are total N labels [key1=value1, key2=value2, key3=value3, ...keyN=valueN] specified:
1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
4. All the other endpoints have priority P(N) i.e. lowest priority.

Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

It can be any label specified on both client and server workloads. The following labels which have special semantic meaning are also supported:

topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
topology.istio.io/cluster is used to match the clusterID of an endpoint, which can be specified by pod label topology.istio.io/cluster or pod env ISTIO_META_CLUSTER_ID.
topology.kubernetes.io/region is used to match the region metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/region or the deprecated label failure-domain.beta.kubernetes.io/region.
topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
kubernetes.io/hostname is used to match the current node of an endpoint, which maps to Kubernetes node label kubernetes.io/hostname.

The below topology config indicates the following priority levels:

failoverPriority:
- "topology.istio.io/network"
- "topology.kubernetes.io/region"
- "topology.kubernetes.io/zone"
- "topology.istio.io/subzone"

endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
all the other endpoints have the same lowest priority.

Suppose a service associated endpoints reside in multi clusters, the below example represents:

endpoints in clusterA and has version=v1 label have P(0) priority.
endpoints not in clusterA but has version=v1 label have P(1) priority.
all the other endpoints have P(2) priority.

failoverPriority:
- "version=v1"
- "topology.istio.io/cluster=clusterA"

Optional: only one of distribute, failover or failoverPriority can be set. And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

meshMTLS object

The below configuration parameters can be used to specify TLSConfig for mesh traffic. For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:

meshConfig:
meshMTLS:
minProtocolVersion: TLSV1_3
tlsDefaults:
Note: applicable only for non ISTIO_MUTUAL scenarios
ecdhCurves:
- P-256
- P-512

Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.

Note: Mesh mTLS does not respect ECDH curves.

cipherSuites []string

Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. If not specified, the following cipher suites will be used:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-GCM-SHA256

ecdhCurves []string

Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to Ecdh Curves.

minProtocolVersion string

Optional: the minimum TLS protocol version. The default minimum TLS version will be TLS 1.2. As servers may not be Envoy and be set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the minimum TLS version for clients may also be TLS 1.2. In the current Istio implementation, the maximum TLS protocol version is TLS 1.3.

outboundClusterStatName string

Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>. For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.

A Pattern can be composed of various pre-defined variables. The following variables are supported.

%SERVICE% - Will be substituted with short hostname of the service.
%SERVICE_NAME% - Will be substituted with name of the service.
%SERVICE_FQDN% - Will be substituted with FQDN of the service.
%SERVICE_PORT% - Will be substituted with port of the service.
%SERVICE_PORT_NAME% - Will be substituted with port name of the service.
%SUBSET_NAME% - Will be substituted with subset.

Following are some examples of supported patterns for reviews:

%SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
%SERVICE% will use reviews.prod as the stats name.

outboundTrafficPolicy object

Set the default behavior of the sidecar for handling outbound traffic from the application.

Can be overridden at a Sidecar level by setting the OutboundTrafficPolicy in the Sidecar API.

Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.

mode string

pathNormalization object

ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are normalized by the sidecars and gateways. The normalized paths will be used in all aspects through the requests' lifetime on the sidecars and gateways, which includes routing decisions in outbound direction (client proxy), authorization policy match and enforcement in inbound direction (server proxy), and the URL path proxied to the upstream service. If not set, the NormalizationType.DEFAULT configuration will be used.

normalization string

protocolDetectionTimeout string

Automatic protocol detection uses a set of heuristics to determine whether the connection is using TLS or not (on the server side), as well as the application protocol being used (e.g., http vs tcp). These heuristics rely on the client sending the first bits of data. For server first protocols like MySQL, MongoDB, etc. Envoy will timeout on the protocol detection after the specified period, defaulting to non mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait for the client to send the first bits of data. (MUST be >=1ms or 0s to disable). Default detection timeout is 0s (no timeout).

Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit occasionally, and when they occur the result is typically broken traffic that may not recover on its own. Exceptionally high values might solve this, but injecting 60s delays onto new connections is generally not tenable anyways.

proxyHttpPort integer

Port on which Envoy should listen for HTTP PROXY requests if set.

proxyInboundListenPort integer

Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. Default port is 15006.

proxyListenPort integer

Port on which Envoy should listen for all outbound traffic to other services. Default port is 15001.

rootNamespace string

The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace.

The precise semantics of this processing are documented on each resource type.

serviceScopeConfigs []object

Configuration for ambient mode multicluster service scope. This setting allows mesh administrators to define the criteria by which the cluster's control plane determines which services in other clusters in the mesh are treated as global (accessible across multiple clusters) versus local (restricted to a single cluster). The configuration can be applied to services based on namespace and/or other matching criteria. This is particularly useful in multicluster service mesh deployments to control service visibility and access across clusters. This API is not intended to enforce security policies. Resources like DestinationRules should be used to enforce authorization policies. If a service matches a global service scope selector, the service's endpoints will be globally exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster services.

For example, the following configures the scope of all services with the "istio.io/global" label in matching namespaces to be available globally:

serviceScopeConfigs:
- namespacesSelector:
matchExpressions:
- key: istio.io/global
operator: In
values: [true]
servicesSelector:
matchExpressions:
- key: istio.io/global
operator: Exists
scope: GLOBAL

namespaceSelector object

Match expression for namespaces.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

scope string

Specifics the available scope for matching services.

servicesSelector object

Match expression for serivces.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

serviceSettings []object

Settings to be applied to select services.

For example, the following configures all services in namespace "foo" as well as the "bar" service in namespace "baz" to be considered cluster-local:

serviceSettings:
- settings:
clusterLocal: true
hosts:
- "*.foo.svc.cluster.local"
- "bar.baz.svc.cluster.local"

When in ambient mode, if ServiceSettings are defined they will be considered in addition to the ServiceScopeConfigs. If a service is defined by ServiceSetting to be cluster local and matches a global service scope selector, the service will be considered cluster local. If a service is considered global by ServiceSettings and does not match a global service scope selector the serive will be considered local. Local scope takes precedence over global scope. Since ServiceScopeConfigs is local by default, all services are considered local unless it is considered global by ServiceSettings AND ServiceScopeConfigs.

hosts []string

The services to which the Settings should be applied. Services are selected using the hostname matching rules used by DestinationRule.

For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local

settings object

The settings to apply to the selected services.

clusterLocal boolean

If true, specifies that the client and service endpoints must reside in the same cluster. By default, in multi-cluster deployments, the Istio control plane assumes all service endpoints to be reachable from any client in any of the clusters which are part of the mesh. This configuration option limits the set of service endpoints visible to a client to be cluster scoped.

There are some common scenarios when this can be useful:

A service (or group of services) is inherently local to the cluster and has local storage for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
A mesh administrator wants to slowly migrate services to Istio. They might start by first having services cluster-local and then slowly transition them to mesh-wide. They could do this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group (e.g. *.myns.svc.cluster.local).

By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

tcpKeepalive object

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

interval string

The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)

probes integer

Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)

time string

The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)

tlsDefaults object

Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.

cipherSuites []string

Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. If not specified, the following cipher suites will be used:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-GCM-SHA256

ecdhCurves []string

minProtocolVersion string

trustDomain string

The trust domain corresponds to the trust root of a system. Refer to SPIFFE-ID

trustDomainAliases []string

The trust domain aliases represent the aliases of trustDomain. For example, if we have

trustDomain: td1
trustDomainAliases: ["td2", "td3"]

Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

verifyCertificateAtClient boolean

VerifyCertificateAtClient sets the mesh global default for peer certificate validation at the client-side proxy when SIMPLE TLS or MUTUAL TLS (non ISTIO_MUTUAL) origination modes are used. This setting can be overridden at the host level via DestinationRule API. By default, VerifyCertificateAtClient is true.

CaCertificates: If set, proxy verifies CA signature based on given CaCertificates. If unset, and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and VerifyCertificateAtClient is false, proxy will not verify the CA.

SubjectAltNames: If set, proxy verifies subject alt names are present in the SAN. If unset, and VerifyCertificateAtClient is true, proxy uses host in destination rule to verify the SANs. If unset, and VerifyCertificateAtClient is false, proxy does not verify SANs.

For SAN, client-side proxy will exact match host in DestinationRule as well as one level wildcard if the specified host in DestinationRule doesn't contain a wildcard. For example, if the host in DestinationRule is x.y.com, client-side proxy will match either x.y.com or *.y.com for the SAN in the presented server certificate. For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example, if host is *.x.y.com, client-side proxy will verify the presented server certificate SAN matches .x.y.com suffix.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

pilot object

Configuration for the Pilot component.

affinity object

K8s affinity to set on the Pilot Pods.

nodeAffinity object

Describes node affinity scheduling rules for the pod.

preferredDuringSchedulingIgnoredDuringExecution []object

An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).

preference object required

A node selector term, associated with the corresponding weight.

matchExpressions []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

matchFields []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

weight integer required

Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution object

nodeSelectorTerms []object required

A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.

matchExpressions []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

matchFields []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

podAffinity object

Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).

preferredDuringSchedulingIgnoredDuringExecution []object

The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)

podAffinityTerm object required

Required. A pod affinity term, associated with the corresponding weight.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

weight integer required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution []object

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

podAntiAffinity object

Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).

preferredDuringSchedulingIgnoredDuringExecution []object

The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)

podAffinityTerm object required

Required. A pod affinity term, associated with the corresponding weight.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

weight integer required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution []object

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

autoscaleBehavior object

See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior

scaleDown object

scaleDown is scaling policy for scaling Down. If not set, the default value is to allow to scale down to minReplicas pods, with a 300 second stabilization window (i.e., the highest recommendation for the last 300sec is used).

policies []object

HPAScalingPolicy is a single policy which must hold true for a specified past interval.

periodSeconds integer required

periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).

type string required

type is used to specify the scaling policy.

value integer required

value contains the amount of change which is permitted by the policy. It must be greater than zero

selectPolicy string

selectPolicy is used to specify which policy should be used. If not set, the default value Max is used.

stabilizationWindowSeconds integer

stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values:

For scale up: 0 (i.e. no stabilization is done).
For scale down: 300 (i.e. the stabilization window is 300 seconds long).

tolerance

tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).

For example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.

This is an alpha field and requires enabling the HPAConfigurableTolerance feature gate.

scaleUp object

scaleUp is scaling policy for scaling Up. If not set, the default value is the higher of:

increase no more than 4 pods per 60 seconds
double the number of pods per 60 seconds No stabilization is used.

policies []object

HPAScalingPolicy is a single policy which must hold true for a specified past interval.

periodSeconds integer required

periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).

type string required

type is used to specify the scaling policy.

value integer required

value contains the amount of change which is permitted by the policy. It must be greater than zero

selectPolicy string

selectPolicy is used to specify which policy should be used. If not set, the default value Max is used.

stabilizationWindowSeconds integer

For scale up: 0 (i.e. no stabilization is done).
For scale down: 300 (i.e. the stabilization window is 300 seconds long).

tolerance

This is an alpha field and requires enabling the HPAConfigurableTolerance feature gate.

autoscaleEnabled boolean

Controls whether a HorizontalPodAutoscaler is installed for Pilot.

autoscaleMax integer

Maximum number of replicas in the HorizontalPodAutoscaler for Pilot.

autoscaleMin integer

Minimum number of replicas in the HorizontalPodAutoscaler for Pilot.

cni object

Configures whether to use an existing CNI installation for workloads

enabled boolean

Controls whether CNI should be used.

provider string

Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an annotation k8s.v1.cni.cncf.io/networks is set on injected pods to point to a NetworkAttachmentDefinition

configMap boolean

Configuration settings passed to Pilot as a ConfigMap.

This controls whether the mesh config map, generated from values.yaml is generated. If false, pilot wil use default values or user-supplied values, in that order of preference.

cpu object

Target CPU utilization used in HorizontalPodAutoscaler.

See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

targetAverageUtilization integer

K8s utilization setting for HorizontalPodAutoscaler target.

See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

deploymentLabels object

Labels that are added to Pilot deployment.

See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

enabled boolean

Controls whether Pilot is enabled.

env object

Environment variables passed to the Pilot container.

Examples: env:

ENV_VAR_1: value1
ENV_VAR_2: value2

envVarFrom []object

EnvFromSource represents the source of a set of ConfigMaps or Secrets

configMapRef object

The ConfigMap to select from

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the ConfigMap must be defined

prefix string

Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.

secretRef object

The Secret to select from

name string

optional boolean

Specify whether the Secret must be defined

extraContainerArgs []string

Additional container arguments for the Pilot container.

hub string

Hub to pull the container image from. Image will be Hub/Image:Tag-Variant.

image string

Image name used for Pilot.

This can be set either to image name if hub is also set, or can be set to the full hub:name string.

Examples: custom-pilot, docker.io/someuser:custom-pilot

ipFamilies []string

ipFamilyPolicy string

istiodRemote object

Configuration for the istio-discovery chart when istiod is running in a remote cluster (e.g. "remote control plane").

enabled boolean

Indicates if this cluster/install should consume a "remote" istiod instance,

enabledLocalInjectorIstiod boolean

If true, indicates that this cluster/install should consume a "local istiod" installation, local istiod inject sidecars

injectionCABundle string

injector ca bundle

injectionPath string

Path to use for the sidecar injector webhook service.

injectionURL string

URL to use for sidecar injector webhook.

jwksResolverExtraRootCA string

Specifies an extra root certificate in PEM format. This certificate will be trusted by pilot when resolving JWKS URIs.

keepaliveMaxServerConnectionAge string

Maximum duration that a sidecar can be connected to a pilot.

This setting balances out load across pilot instances, but adds some resource overhead.

Examples: 300s, 30m, 1h

memory object

Target memory utilization used in HorizontalPodAutoscaler.

See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

targetAverageUtilization integer

K8s utilization setting for HorizontalPodAutoscaler target.

See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

nodeSelector object

K8s node selector.

See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

podAnnotations object

K8s annotations for pods.

See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

podLabels object

Labels that are added to Pilot pods.

See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

replicaCount integer

Number of replicas in the Pilot Deployment.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

resources object

K8s resources settings.

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

claims []object

ResourceClaim references one entry in PodSpec.ResourceClaims.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

rollingMaxSurge

K8s rolling update strategy

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

rollingMaxUnavailable

The number of pods that can be unavailable during a rolling update (see strategy.rollingUpdate.maxUnavailable here: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). May be specified as a number of pods or as a percent of the total number of pods at the start of the update.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

seccompProfile object

The seccompProfile for the Pilot container.

See: https://kubernetes.io/docs/tutorials/security/seccomp/

localhostProfile string

localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.

type string required

type indicates which kind of seccomp profile will be applied. Valid options are:

Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.

serviceAccountAnnotations object

K8s annotations for the service account

serviceAnnotations object

K8s annotations for the Service.

See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

tag string

The container image tag to pull. Image will be Hub/Image:Tag-Variant.

taint object

enabled boolean

Enable the untaint controller for new nodes. This aims to solve a race for CNI installation on new nodes. For this to work, the newly added nodes need to have the istio CNI taint as they are added to the cluster. This is usually done by configuring the cluster infra provider.

namespace string

The namespace of the CNI daemonset, incase it's not the same as istiod.

tolerations []object

The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator .

effect string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

key string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

operator string

tolerationSeconds integer

value string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

topologySpreadConstraints []object

TopologySpreadConstraint specifies how to spread matching pods among the given topology.

labelSelector object

LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).

maxSkew integer required

if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1).
if MaxSkew is 2, incoming pod can be scheduled onto any zone. When whenUnsatisfiable=ScheduleAnyway, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.

minDomains integer

nodeAffinityPolicy string

NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are:

Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.

If this value is nil, the behavior is equivalent to the Honor policy.

nodeTaintsPolicy string

NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are:

Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included.
Ignore: node taints are ignored. All nodes are included.

If this value is nil, the behavior is equivalent to the Ignore policy.

topologyKey string required

whenUnsatisfiable string required

WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint.

DoNotSchedule (default) tells the scheduler not to schedule it.
ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it more imbalanced. It's a required field.

traceSampling number

Trace sampling fraction.

Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead.

Allowed values: 0.0 to 1.0

trustedZtunnelNamespace string

If set, istiod will allow connections from trusted node proxy ztunnels in the provided namespace.

variant string

The container image variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.

volumeMounts []object

VolumeMount describes a mounting of a Volume within a container.

mountPath string required

Path within the container at which the volume should be mounted. Must not contain ':'.

mountPropagation string

mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified (which defaults to None).

name string required

This must match the Name of a Volume.

readOnly boolean

Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

recursiveReadOnly string

RecursiveReadOnly specifies whether read-only mounts should be handled recursively.

If ReadOnly is false, this field has no meaning and must be unspecified.

If ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only. If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime. If this field is set to Enabled, the mount is made recursively read-only if it is supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason.

If this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None).

If this field is not specified, it is treated as an equivalent of Disabled.

subPath string

Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

subPathExpr string

Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.

volumes []object

Volume represents a named volume in a pod that may be accessed by any container in the pod.

awsElasticBlockStore object

awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore

fsType string

fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore

partition integer

partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).

readOnly boolean

readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore

volumeID string required

volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore

azureDisk object

azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver.

cachingMode string

cachingMode is the Host Caching mode: None, Read Only, Read Write.

diskName string required

diskName is the Name of the data disk in the blob storage

diskURI string required

diskURI is the URI of data disk in the blob storage

fsType string

fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.

kind string

kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared

readOnly boolean

readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

azureFile object

azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver.

readOnly boolean

readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

secretName string required

secretName is the name of secret that contains Azure Storage Account Name and Key

shareName string required

shareName is the azure share Name

cephfs object

cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.

monitors []string required

monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it

path string

path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /

readOnly boolean

readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it

secretFile string

secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it

secretRef object

secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it

name string

user string

user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it

cinder object

cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md

readOnly boolean

readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md

secretRef object

secretRef is optional: points to a secret object containing parameters used to connect to OpenStack.

name string

volumeID string required

volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md

configMap object

configMap represents a configMap that should populate this volume

defaultMode integer

defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.

items []object

Maps a string key to a path within a volume.

key string required

key is the key to project.

mode integer

mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.

path string required

path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.

name string

optional boolean

optional specify whether the ConfigMap or its keys must be defined

csi object

csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.

driver string required

driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.

fsType string

fsType to mount. Ex. "ext4", "xfs", "ntfs". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.

nodePublishSecretRef object

nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed.

name string

readOnly boolean

readOnly specifies a read-only configuration for the volume. Defaults to false (read/write).

volumeAttributes object

volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.

downwardAPI object

downwardAPI represents downward API about the pod that should populate this volume

defaultMode integer

Optional: mode bits to use on created files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.

items []object

DownwardAPIVolumeFile represents information to create the file containing the pod field

fieldRef object

Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.

apiVersion string

Version of the schema the FieldPath is written in terms of, defaults to "v1".

fieldPath string required

Path of the field to select in the specified API version.

mode integer

Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.

path string required

Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'

resourceFieldRef object

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.

containerName string

Container name: required for volumes, optional for env vars

divisor

Specifies the output format of the exposed resources, defaults to "1"

resource string required

Required: resource to select

emptyDir object

emptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir

medium string

medium represents what type of storage medium should back this directory. The default is "" which means to use the node's default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir

sizeLimit

sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir

ephemeral object

ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed.

Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity tracking are needed, c) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through a PersistentVolumeClaim (see EphemeralVolumeSource for more information on the connection between this volume type and PersistentVolumeClaim).

Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.

Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.

A pod can use both types of ephemeral volumes and persistent volumes at the same time.

volumeClaimTemplate object

Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod. The name of the PVC will be <pod name>-<volume name> where <volume name> is the name from the PodSpec.Volumes array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long).

An existing PVC with that name that is not owned by the pod will not be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster.

This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created.

Required, must not be nil.

metadata object

May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.

spec object required

The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here.

accessModes []string

accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1

dataSource object

dataSource field can be used to specify either:

An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.

apiGroup string

APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.

kind string required

Kind is the type of resource being referenced

name string required

Name is the name of resource being referenced

dataSourceRef object

dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, when namespace isn't specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn't set to the same value and must be empty. There are three important differences between dataSource and dataSourceRef:

While dataSource only allows two specific types of objects, dataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects.
While dataSource ignores disallowed values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified.
While dataSource only allows local objects, dataSourceRef allows objects in any namespaces. (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.

apiGroup string

APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.

kind string required

Kind is the type of resource being referenced

name string required

Name is the name of resource being referenced

namespace string

Namespace is the namespace of resource being referenced Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.

resources object

resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

selector object

selector is a label query over volumes to consider for binding.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

storageClassName string

storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1

volumeAttributesClassName string

volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass will be applied to the claim but it's not allowed to reset this field to empty string once it is set. If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass will be set by the persistentvolume controller if it exists. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).

volumeMode string

volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.

volumeName string

volumeName is the binding reference to the PersistentVolume backing this claim.

fc object

fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.

lun integer

lun is Optional: FC target lun number

readOnly boolean

readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

targetWWNs []string

targetWWNs is Optional: FC target worldwide names (WWNs)

wwids []string

wwids Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.

flexVolume object

flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.

driver string required

driver is the name of the driver to use for this volume.

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.

options object

options is Optional: this field holds extra command options if any.

readOnly boolean

readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

secretRef object

secretRef is Optional: secretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.

name string

flocker object

flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.

datasetName string

datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated

datasetUUID string

datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset

gcePersistentDisk object

gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk

fsType string

fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk

partition integer

pdName string required

pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk

readOnly boolean

readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk

gitRepo object

gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.

directory string

directory is the target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.

repository string required

repository is the URL

revision string

revision is the commit hash for the specified revision.

glusterfs object

glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md

endpoints string required

endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod

path string required

path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod

readOnly boolean

readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod

hostPath object

hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath

path string required

path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath

type string

type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath

image object

image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:

Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.

The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.

pullPolicy string

Policy for pulling OCI objects. Possible values are: Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.

reference string

Required: Image or artifact reference to be used. Behaves in the same way as pod.spec.containers[*].image. Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.

iscsi object

iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md

chapAuthDiscovery boolean

chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication

chapAuthSession boolean

chapAuthSession defines whether support iSCSI Session CHAP authentication

fsType string

initiatorName string

initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection.

iqn string required

iqn is the target iSCSI Qualified Name.

iscsiInterface string

iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).

lun integer required

lun represents iSCSI Target Lun number.

portals []string

portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).

readOnly boolean

readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.

secretRef object

secretRef is the CHAP Secret for iSCSI target and initiator authentication

name string

targetPortal string required

targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).

name string required

name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

nfs object

nfs represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs

path string required

path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs

readOnly boolean

readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs

server string required

server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs

persistentVolumeClaim object

persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims

claimName string required

claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims

readOnly boolean

readOnly Will force the ReadOnly setting in VolumeMounts. Default false.

photonPersistentDisk object

photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.

pdID string required

pdID is the ID that identifies Photon Controller persistent disk

portworxVolume object

portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on.

fsType string

fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.

readOnly boolean

readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

volumeID string required

volumeID uniquely identifies a Portworx volume

projected object

projected items for all in one resources secrets, configmaps, and downward API

defaultMode integer

defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.

sources []object

Projection that may be projected along with other supported volume types. Exactly one of these fields must be set.

clusterTrustBundle object

ClusterTrustBundle allows a pod to access the .spec.trustBundle field of ClusterTrustBundle objects in an auto-updating file.

Alpha, gated by the ClusterTrustBundleProjection feature gate.

ClusterTrustBundle objects can either be selected by name, or by the combination of signer name and a label selector.

Kubelet performs aggressive normalization of the PEM contents written into the pod filesystem. Esoteric PEM features such as inter-block comments and block headers are stripped. Certificates are deduplicated. The ordering of certificates within the file is arbitrary, and Kubelet may change the order over time.

labelSelector object

Select all ClusterTrustBundles that match this label selector. Only has effect if signerName is set. Mutually-exclusive with name. If unset, interpreted as "match nothing". If set but empty, interpreted as "match everything".

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

name string

Select a single ClusterTrustBundle by object name. Mutually-exclusive with signerName and labelSelector.

optional boolean

If true, don't block pod startup if the referenced ClusterTrustBundle(s) aren't available. If using name, then the named ClusterTrustBundle is allowed not to exist. If using signerName, then the combination of signerName and labelSelector is allowed to match zero ClusterTrustBundles.

path string required

Relative path from the volume root to write the bundle.

signerName string

Select all ClusterTrustBundles that match this signer name. Mutually-exclusive with name. The contents of all selected ClusterTrustBundles will be unified and deduplicated.

configMap object

configMap information about the configMap data to project

items []object

Maps a string key to a path within a volume.

key string required

key is the key to project.

mode integer

path string required

path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.

name string

optional boolean

optional specify whether the ConfigMap or its keys must be defined

downwardAPI object

downwardAPI information about the downwardAPI data to project

items []object

DownwardAPIVolumeFile represents information to create the file containing the pod field

fieldRef object

Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.

apiVersion string

Version of the schema the FieldPath is written in terms of, defaults to "v1".

fieldPath string required

Path of the field to select in the specified API version.

mode integer

path string required

Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'

resourceFieldRef object

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.

containerName string

Container name: required for volumes, optional for env vars

divisor

Specifies the output format of the exposed resources, defaults to "1"

resource string required

Required: resource to select

secret object

secret information about the secret data to project

items []object

Maps a string key to a path within a volume.

key string required

key is the key to project.

mode integer

path string required

path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.

name string

optional boolean

optional field specify whether the Secret or its key must be defined

serviceAccountToken object

serviceAccountToken is information about the serviceAccountToken data to project

audience string

audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.

expirationSeconds integer

expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.

path string required

path is the path relative to the mount point of the file to project the token into.

quobyte object

quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.

group string

group to map volume access to Default is no group

readOnly boolean

readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.

registry string required

registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes

tenant string

tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin

user string

user to map volume access to Defaults to serivceaccount user

volume string required

volume is a string that references an already created Quobyte volume by name.

rbd object

rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md

fsType string

image string required

image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

keyring string

keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

monitors []string required

monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

pool string

pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

readOnly boolean

readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

secretRef object

secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

name string

user string

user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

scaleIO object

scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs".

gateway string required

gateway is the host address of the ScaleIO API Gateway.

protectionDomain string

protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.

readOnly boolean

readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

secretRef object required

secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.

name string

sslEnabled boolean

sslEnabled Flag enable/disable SSL communication with Gateway, default false

storageMode string

storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.

storagePool string

storagePool is the ScaleIO Storage Pool associated with the protection domain.

system string required

system is the name of the storage system as configured in ScaleIO.

volumeName string

volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.

secret object

secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret

defaultMode integer

defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.

items []object

Maps a string key to a path within a volume.

key string required

key is the key to project.

mode integer

path string required

path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.

optional boolean

optional field specify whether the Secret or its keys must be defined

secretName string

secretName is the name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret

storageos object

storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.

readOnly boolean

readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

secretRef object

secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted.

name string

volumeName string

volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.

volumeNamespace string

volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.

vsphereVolume object

vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver.

fsType string

fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.

storagePolicyID string

storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.

storagePolicyName string

storagePolicyName is the storage Policy Based Management (SPBM) profile name.

volumePath string required

volumePath is the path that identifies vSphere volume vmdk

profile string

Specifies which installation configuration profile to apply.

revision string

Identifies the revision this installation is associated with.

sidecarInjectorWebhook object

Configuration for the sidecar injector webhook.

alwaysInjectSelector []object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

defaultTemplates []string

defaultTemplates: ["sidecar", "hello"]

enableNamespacesByDefault boolean

Enables sidecar auto-injection in namespaces by default.

injectedAnnotations object

injectedAnnotations are additional annotations that will be added to the pod spec after injection This is primarily to support PSP annotations.

injectionURL string

Configure the injection url for sidecar injector webhook

neverInjectSelector []object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

reinvocationPolicy string

Setting this to IfNeeded will result in the sidecar injector being run again if additional mutations occur. Default: Never

rewriteAppHTTPProbe boolean

If true, webhook or istioctl injector will rewrite PodSpec for liveness health check to redirect request to sidecar. This makes liveness check work even when mTLS is enabled.

templates object

Templates defines a set of custom injection templates that can be used. For example, defining:

templates:

hello: |
metadata:
labels:
hello: world

Then starting a pod with the inject.istio.io/templates: hello annotation, will result in the pod being injected with the hello=world labels. This is intended for advanced configuration only; most users should use the built in template

telemetry object

Controls whether telemetry is exported for Pilot.

enabled boolean

Controls whether telemetry is exported for Pilot.

v2 object

Configuration for Telemetry v2.

enabled boolean

Controls whether pilot will configure telemetry v2.

prometheus object

Telemetry v2 settings for prometheus.

enabled boolean

Controls whether stats envoyfilter would be enabled or not.

stackdriver object

Telemetry v2 settings for stackdriver.

enabled boolean

version string required

Defines the version of Istio to install. Must be one of: v1.26-latest, v1.26.3, v1.24-latest, v1.24.6.

status object

IstioStatus defines the observed state of Istio

activeRevisionName string

The name of the active revision.

conditions []object

IstioCondition represents a specific observation of the IstioCondition object's state.

lastTransitionTime string

Last time the condition transitioned from one status to another.

message string

Human-readable message indicating details about the last transition.

reason string

Unique, single-word, CamelCase reason for the condition's last transition.

status string

The status of this condition. Can be True, False or Unknown.

type string

The type of this condition.

observedGeneration integer

ObservedGeneration is the most recent generation observed for this Istio object. It corresponds to the object's generation, which is updated on mutation by the API Server. The information in the status pertains to this particular generation of the object.

revisions object

Reports information about the underlying IstioRevisions.

inUse integer required

Number of IstioRevisions that are currently in use.

ready integer required

Number of IstioRevisions that are Ready.

total integer required

Total number of IstioRevisions currently associated with this Istio.

state string

Reports the current state of the object.

IstioCNI

sailoperator.io group

IstioCNI represents a deployment of the Istio CNI component.

v1 version

spec object

IstioCNISpec defines the desired state of IstioCNI

namespace string required

Namespace to which the Istio CNI component should be installed. Note that this field is immutable.

profile string

values object

Defines the values to be passed to the Helm charts when installing Istio CNI.

cni object

Configuration for the Istio CNI plugin.

affinity object

K8s affinity to set on the istio-cni Pods. Can be used to exclude istio-cni from being scheduled on specified nodes.

nodeAffinity object

Describes node affinity scheduling rules for the pod.

preferredDuringSchedulingIgnoredDuringExecution []object

An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).

preference object required

A node selector term, associated with the corresponding weight.

matchExpressions []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

matchFields []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

weight integer required

Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution object

nodeSelectorTerms []object required

A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.

matchExpressions []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

matchFields []object

A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

podAffinity object

Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).

preferredDuringSchedulingIgnoredDuringExecution []object

The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)

podAffinityTerm object required

Required. A pod affinity term, associated with the corresponding weight.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

weight integer required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution []object

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

podAntiAffinity object

Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).

preferredDuringSchedulingIgnoredDuringExecution []object

The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)

podAffinityTerm object required

Required. A pod affinity term, associated with the corresponding weight.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

weight integer required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution []object

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

ambient object

Configuration for Istio Ambient.

configDir string

The directory path containing the configuration files for Ambient. Defaults to /etc/ambient-config.

dnsCapture boolean

If enabled, and ambient is enabled, DNS redirection will be enabled.

enabled boolean

Controls whether ambient redirection is enabled

ipv6 boolean

UNSTABLE: If enabled, and ambient is enabled, enables ipv6 support

reconcileIptablesOnStartup boolean

If enabled, and ambient is enabled, iptables reconciliation will be enabled.

chained boolean

Configure the plugin as a chained CNI plugin. When true, the configuration is added to the CNI chain; when false, the configuration is added as a standalone file in the CNI configuration directory.

cniBinDir string

The directory path within the cluster node's filesystem where the CNI binaries are to be installed. Typically /var/lib/cni/bin.

cniConfDir string

The directory path within the cluster node's filesystem where the CNI configuration files are to be installed. Typically /etc/cni/net.d.

cniConfFileName string

The name of the CNI plugin configuration file. Defaults to istio-cni.conf.

cniNetnsDir string

The directory path within the cluster node's filesystem where network namespaces are located. Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'.

daemonSetLabels object

Additional labels to apply to the istio-cni DaemonSet.

env object

Environment variables passed to the CNI container.

Examples: env:

ENV_VAR_1: value1
ENV_VAR_2: value2

excludeNamespaces []string

List of namespaces that should be ignored by the CNI plugin.

hub string

Hub to pull the container image from. Image will be Hub/Image:Tag-Variant.

image string

Image name to pull from. Image will be Hub/Image:Tag-Variant. If Image contains a "/", it will replace the entire image in the pod.

logging object

Same as global.logging.level, but will override it if set

level string

podAnnotations object

Additional annotations to apply to the istio-cni Pods.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

podLabels object

Additional labels to apply to the istio-cni Pods.

privileged boolean

No longer used for CNI. See: https://github.com/istio/istio/issues/49004

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

provider string

Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an additional NetworkAttachmentDefinition resource is deployed to the cluster to allow the istio-cni plugin to be invoked in a cluster using the Multus CNI plugin.

psp_cluster_role string

PodSecurityPolicy cluster role. No longer used anywhere.

pullPolicy string

Specifies the image pull policy. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.

More info: https://kubernetes.io/docs/concepts/containers/images#updating-images

repair object

Configuration for the CNI Repair controller.

brokenPodLabelKey string

The label key to apply to a broken pod when the controller is in labelPods mode.

brokenPodLabelValue string

The label value to apply to a broken pod when the controller is in labelPods mode.

createEvents string

No longer used.

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

deletePods boolean

The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If deletePods is true, the controller will delete the broken pod. The pod will then be rescheduled, hopefully onto a node that is fully ready. Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.

enabled boolean

Controls whether repair behavior is enabled.

hub string

Hub to pull the container image from. Image will be Hub/Image:Tag-Variant.

image string

Image name to pull from. Image will be Hub/Image:Tag-Variant. If Image contains a "/", it will replace the entire image in the pod.

initContainerName string

The name of the init container to use for the repairPods mode.

labelPods boolean

The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If labelPods is true, the controller will label all broken pods with =. This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.

repairPods boolean

The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If repairPods is true, the controller will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. This requires no RBAC privilege, but will require the CNI agent to run as a privileged pod.

tag string

The container image tag to pull. Image will be Hub/Image:Tag-Variant.

resource_quotas object

The resource quotas configration for the CNI DaemonSet.

enabled boolean

Controls whether to create resource quotas or not for the CNI DaemonSet.

pods integer

The hard limit on the number of pods in the namespace where the CNI DaemonSet is deployed.

resources object

The k8s resource requests and limits for the istio-cni Pods.

claims []object

ResourceClaim references one entry in PodSpec.ResourceClaims.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

rollingMaxUnavailable

The number of pods that can be unavailable during a rolling update of the CNI DaemonSet (see updateStrategy.rollingUpdate.maxUnavailable here: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). May be specified as a number of pods or as a percent of the total number of pods at the start of the update.

seccompProfile object

The Container seccompProfile

See: https://kubernetes.io/docs/tutorials/security/seccomp/

localhostProfile string

type string required

type indicates which kind of seccomp profile will be applied. Valid options are:

Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.

tag string

The container image tag to pull. Image will be Hub/Image:Tag-Variant.

variant string

The container image variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.

global object

Part of the global configuration applicable to the Istio CNI component.

defaultResources object

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

claims []object

ResourceClaim references one entry in PodSpec.ResourceClaims.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

hub string

Specifies the docker hub for Istio images.

imagePullPolicy string

Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.

More info: https://kubernetes.io/docs/concepts/containers/images#updating-images

imagePullSecrets []string

logAsJson boolean

Specifies whether istio components should output logs in json format by adding --log_as_json argument to each container.

logging object

Specifies the global logging level settings for the Istio control plane components.

level string

platform string

Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" An empty value means it is a vanilla Kubernetes distribution, therefore no special treatment will be considered.

tag string

Specifies the tag for the Istio docker images.

variant string

The variant of the Istio container images to use. Options are "debug" or "distroless". Unset will use the default for the given version.

version string required

Defines the version of Istio to install. Must be one of: v1.26-latest, v1.26.3, v1.24-latest, v1.24.6.

status object

IstioCNIStatus defines the observed state of IstioCNI

conditions []object

IstioCNICondition represents a specific observation of the IstioCNI object's state.

lastTransitionTime string

Last time the condition transitioned from one status to another.

message string

Human-readable message indicating details about the last transition.

reason string

Unique, single-word, CamelCase reason for the condition's last transition.

status string

The status of this condition. Can be True, False or Unknown.

type string

The type of this condition.

observedGeneration integer

ObservedGeneration is the most recent generation observed for this IstioCNI object. It corresponds to the object's generation, which is updated on mutation by the API Server. The information in the status pertains to this particular generation of the object.

state string

Reports the current state of the object.

IstioRevisionTag

sailoperator.io group

IstioRevisionTag references an Istio or IstioRevision object and serves as an alias for sidecar injection. It can be used to manage stable revision tags without having to use istioctl or helm directly. See https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels for more information on the concept.

v1 version

spec object

IstioRevisionTagSpec defines the desired state of IstioRevisionTag

targetRef object required

IstioRevisionTagTargetReference can reference either Istio or IstioRevision objects in the cluster. In the case of referencing an Istio object, the Sail Operator will automatically update the reference to the Istio object's Active Revision.

kind string required

Kind is the kind of the target resource.

name string required

Name is the name of the target resource.

status object

IstioRevisionStatus defines the observed state of IstioRevision

conditions []object

IstioRevisionCondition represents a specific observation of the IstioRevision object's state.

lastTransitionTime string

Last time the condition transitioned from one status to another.

message string

Human-readable message indicating details about the last transition.

reason string

Unique, single-word, CamelCase reason for the condition's last transition.

status string

The status of this condition. Can be True, False or Unknown.

type string

The type of this condition.

istioRevision string required

IstioRevision stores the name of the referenced IstioRevision

istiodNamespace string required

IstiodNamespace stores the namespace of the corresponding Istiod instance

observedGeneration integer

ObservedGeneration is the most recent generation observed for this IstioRevisionTag object. It corresponds to the object's generation, which is updated on mutation by the API Server. The information in the status pertains to this particular generation of the object.

state string

Reports the current state of the object.

ZTunnel

sailoperator.io group

ZTunnel represents a deployment of the Istio ztunnel component.

v1alpha1 version

spec object

ZTunnelSpec defines the desired state of ZTunnel

namespace string required

Namespace to which the Istio ztunnel component should be installed.

profile string

The built-in installation configuration profile to use. The 'default' profile is 'ambient' and it is always applied. Must be one of: ambient, default, demo, empty, external, preview, remote, stable.

values object

Defines the values to be passed to the Helm charts when installing Istio ztunnel.

global object

Part of the global configuration applicable to the Istio ztunnel component.

defaultResources object

See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

Deprecated: Marked as deprecated in pkg/apis/values_types.proto.

claims []object

ResourceClaim references one entry in PodSpec.ResourceClaims.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

hub string

Specifies the docker hub for Istio images.

imagePullPolicy string

Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.

More info: https://kubernetes.io/docs/concepts/containers/images#updating-images

imagePullSecrets []string

logAsJson boolean

Specifies whether istio components should output logs in json format by adding --log_as_json argument to each container.

logging object

Specifies the global logging level settings for the Istio control plane components.

level string

platform string

Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" An empty value means it is a vanilla Kubernetes distribution, therefore no special treatment will be considered.

tag string

Specifies the tag for the Istio docker images.

variant string

The variant of the Istio container images to use. Options are "debug" or "distroless". Unset will use the default for the given version.

ztunnel object

Configuration for the Istio ztunnel plugin.

Annotations object

Annotations to apply to all top level resources

Labels object

Labels to apply to all top level resources

caAddress string

The address of the CA for CSR.

env object

A key: value mapping of environment variables to add to the pod

hub string

Hub to pull the container image from. Image will be Hub/Image:Tag-Variant.

image string

Image name to pull from. Image will be Hub/Image:Tag-Variant. If Image contains a "/", it will replace the entire image in the pod.

imagePullPolicy string

Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.

More info: https://kubernetes.io/docs/concepts/containers/images#updating-images

imagePullSecrets []string

List of secret names to add to the service account as image pull secrets to use for pulling any images in pods that reference this ServiceAccount. Must be set for any cluster configured with private docker registry.

istioNamespace string

Specifies the default namespace for the Istio control plane components.

logAsJson boolean

Specifies whether istio components should output logs in json format by adding --log_as_json argument to each container.

logLevel string

Configuration log level of ztunnel binary, default is info. Valid values are: trace, debug, info, warn, error.

meshConfig object

meshConfig defines runtime configuration of components. For ztunnel, only defaultConfig is used, but this is nested under meshConfig for consistency with other components.

accessLogEncoding string

Encoding for the proxy access log (TEXT or JSON). Default value is TEXT.

accessLogFile string

File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.

accessLogFormat string

Format for the proxy access log Empty value results in proxy's default access log format

ca object

If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA using the Istio CA gRPC API.

address string required

REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

istiodSide boolean

Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true

requestTimeout string

timeout for forward CSR requests from Istiod to External CA Default: 10s

tlsSettings object

Use the tlsSettings to specify the tls mode to use. Regarding tlsSettings:

DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing
TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate.

caCertificates string

caCrl string

clientCertificate string

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

credentialName string

insecureSkipVerify boolean

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

mode string

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

privateKey string

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

sni string

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

subjectAltNames []string

caCertificates []object

certSigners []string

when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

pem string

The PEM data of the certificate.

spiffeBundleUrl string

trustDomains []string

certificates []object

Certificate configures the provision of a certificate and its key. Example 1: key and cert stored in a secret

{ secretName: galley-cert
secretNamespace: istio-system
dnsNames:
- galley.istio-system.svc
- galley.mydomain.com
}

Example 2: key and cert stored in a directory

{ dnsNames:
- pilot.istio-system
- pilot.istio-system.svc
- pilot.mydomain.com
}

dnsNames []string

The DNS names for the certificate. A certificate may contain multiple DNS names.

secretName string

configSources []object

ConfigSource describes information about a configuration store inside a mesh. A single control plane instance can interact with one or more data sources.

address string

subscribedResources []string

Describes the source of configuration, if nothing is specified default is MCP

tlsSettings object

Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

caCertificates string

caCrl string

clientCertificate string

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

credentialName string

insecureSkipVerify boolean

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

mode string

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

privateKey string

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

sni string

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

subjectAltNames []string

connectTimeout string

Connection timeout used by Envoy. (MUST be >=1ms) Default timeout is 10s.

defaultConfig object

availabilityZone string

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

binaryPath string

Path to the proxy binary

caCertificatesPem []string

concurrency integer

configPath string

Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory.

controlPlaneAuthPolicy string

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. Default is set to MUTUAL_TLS.

customConfigFile string

File path of custom proxy configuration, currently used by proxies in front of istiod.

discoveryAddress string

Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.

discoveryRefreshDelay string

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

drainDuration string

restart. MUST be >=1s (e.g., 1s/1m/1h) Default drain duration is 45s.

envoyAccessLogService object

Address of the service to which access logs from Envoys should be sent. (e.g. accesslog-service:15000). See Access Log Service for details about Envoy's gRPC Access Log Service API.

address string

Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.

tcpKeepalive object

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

interval string

The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)

probes integer

Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)

time string

The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)

tlsSettings object

Use the tlsSettings to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

caCertificates string

caCrl string

clientCertificate string

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

credentialName string

insecureSkipVerify boolean

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

mode string

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

privateKey string

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

sni string

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

subjectAltNames []string

envoyMetricsService object

Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). See Metric Service for details about Envoy's Metrics Service API.

address string

Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.

tcpKeepalive object

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

interval string

The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)

probes integer

Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)

time string

The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)

tlsSettings object

Use the tlsSettings to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

caCertificates string

caCrl string

clientCertificate string

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

credentialName string

insecureSkipVerify boolean

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

mode string

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

privateKey string

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

sni string

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

subjectAltNames []string

envoyMetricsServiceAddress string

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

extraStatTags []string

gatewayTopology object

forwardClientCertDetails string

Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) header in the incoming request.

numTrustedProxies integer

proxyProtocol object

Enables PROXY protocol for downstream connections on a gateway.

holdApplicationUntilProxyStarts boolean

image object

Specifies the details of the proxy image.

imageType string

interceptionMode string

The mode used to redirect inbound traffic to Envoy.

meshId string

privateKeyProvider object

Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.

cryptomb object

Use CryptoMb private key provider

fallback boolean

pollDelay string

qat object

Use QAT private key provider

fallback boolean

pollDelay string

proxyAdminPort integer

Port on which Envoy should listen for administrative commands. Default port is 15000.

proxyBootstrapTemplatePath string

Path to the proxy bootstrap template file

proxyHeaders object

Define the set of headers to add/modify for HTTP request/responses.

To enable an optional header, simply set the field. If no specific configuration is required, an empty object ({}) will enable it. Note: currently all headers are enabled by default.

Below shows an example of customizing the server header and disabling the X-Envoy-Attempt-Count header:

proxyHeaders:
server:
value: "my-custom-server"
# Explicitly enable Request IDs.
# As this is the default, this has no effect.
requestId: {}
attemptCount:
disabled: true

Below shows an example of preserving the header case for HTTP 1.x requests

proxyHeaders:
preserveHttp1HeaderCase: true

Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:

proxyHeaders:
forwardedClientCert: SANITIZE
server:
disabled: true
requestId:
disabled: true
attemptCount:
disabled: true
envoyDebugHeaders:
disabled: true
metadataExchangeHeaders:
mode: IN_MESH

attemptCount object

disabled boolean

envoyDebugHeaders object

disabled boolean

forwardedClientCert string

metadataExchangeHeaders object

mode string

preserveHttp1HeaderCase boolean

requestId object

disabled boolean

server object

disabled boolean

value string

If set, and the server header is enabled, this value will be set as the server header. By default, istio-envoy will be used.

setCurrentClientCertDetails object

cert boolean

Whether to forward the entire client cert in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Cert="PEM". Defaults to false.

chain boolean

dns boolean

Whether to forward the DNS type Subject Alternative Names of the client cert. Defaults to true.

subject boolean

Whether to forward the subject of the client cert. Defaults to true.

uri boolean

Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to true.

xForwardedHost object

Controls the X-Forwarded-Host header. If enabled, the X-Forwarded-Host header is appended with the original host when it is rewritten. This header is disabled by default.

enabled boolean

xForwardedPort object

enabled boolean

proxyMetadata object

Additional environment variables for the proxy. Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

proxyStatsMatcher object

proxyStatsMatcher:
inclusionRegexps:
- .*outlier_detection.*
- .*upstream_rq_retry.*
- .*upstream_cx_.*
inclusionSuffixes:
- upstream_rq_timeout

inclusionPrefixes []string

Proxy stats name prefix matcher for inclusion.

inclusionRegexps []string

Proxy stats name regexps matcher for inclusion.

inclusionSuffixes []string

Proxy stats name suffix matcher for inclusion.

readinessProbe object

exec object

Exec specifies a command to execute in the container.

command []string

failureThreshold integer

Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

grpc object

GRPC specifies a GRPC HealthCheckRequest.

port integer required

Port number of the gRPC service. Number must be in the range 1 to 65535.

service string

Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).

If this is not specified, the default behavior is defined by gRPC.

httpGet object

HTTPGet specifies an HTTP GET request to perform.

host string

Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

httpHeaders []object

HTTPHeader describes a custom header to be used in HTTP probes

name string required

The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.

value string required

The header field value

path string

Path to access on the HTTP server.

port required

Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

scheme string

Scheme to use for connecting to the host. Defaults to HTTP.

initialDelaySeconds integer

Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

periodSeconds integer

How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.

successThreshold integer

Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.

tcpSocket object

TCPSocket specifies a connection to a TCP port.

host string

Optional: Host name to connect to, defaults to the pod IP.

port required

Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

terminationGracePeriodSeconds integer

timeoutSeconds integer

Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

runtimeValues object

Envoy runtime configuration to set during bootstrapping. This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

sds object

Secret Discovery Service(SDS) configuration to be used by the proxy.

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

enabled boolean

True if SDS is enabled.

k8sSaJwtPath string

Path of k8s service account JWT path.

serviceCluster string

statNameLength integer

statsdUdpAddress string

IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

statusPort integer

Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port 15020.

terminationDrainDuration string

tracing object

Tracing configuration to be used by the proxy.

customTags object

and gateways). The key represents the name of the tag. Ex:

custom_tags:
new_tag_name:
header:
name: custom-http-header-name
default_value: defaulted-value-from-custom-header

datadog object

Use a Datadog tracer.

address string

Address of the Datadog Agent.

enableIstioTags boolean

Determines whether or not trace spans generated by Envoy will include Istio specific tags. By default Istio specific tags are included in the trace spans.

lightstep object

Use a Lightstep tracer. NOTE: For Istio 1.15+, this configuration option will result in using OpenTelemetry-based Lightstep integration.

accessToken string

The Lightstep access token.

address string

Address of the Lightstep Satellite pool.

maxPathTagLength integer

openCensusAgent object

Use an OpenCensus tracer exporting to an OpenCensus agent.

address string

gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or unix:path). See gRPC naming docs for details.

context []string

sampling number

The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0.

stackdriver object

Use a Stackdriver tracer.

debug boolean

debug enables trace output to stdout.

maxNumberOfAnnotations integer

The global default max number of annotation events per span. default is 200.

maxNumberOfAttributes integer

The global default max number of attributes per span. default is 200.

maxNumberOfMessageEvents integer

The global default max number of message events per span. default is 200.

tlsSettings object

Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL.

caCertificates string

caCrl string

clientCertificate string

REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

credentialName string

insecureSkipVerify boolean

insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false.

mode string

Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

privateKey string

REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.

sni string

SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes.

subjectAltNames []string

zipkin object

Use a Zipkin tracer.

address string

Address of the Zipkin service (e.g. zipkin:9411).

tracingServiceName string

Used by Envoy proxies to assign the values for the service names in trace spans.

zipkinAddress string

Address of the Zipkin service (e.g. zipkin:9411). DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.

Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.

defaultDestinationRuleExportTo []string

The default value for the DestinationRule.exportTo field. Has the same syntax as defaultServiceExportTo.

If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces

defaultHttpRetryPolicy object

Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors:

"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes".

attempts integer

backoff string

perTryTimeout string

retryIgnorePreviousHosts boolean

Flag to specify whether the retries should ignore previously tried hosts during retry. Defaults to true.

retryOn string

Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. See the retry policies and gRPC retry policies for more details.

If not specified, this defaults to connect-failure,refused-stream,unavailable,cancelled.

retryRemoteLocalities boolean

Flag to specify whether the retries should retry to other localities. See the retry plugin configuration for more details.

defaultProviders object

Specifies extension providers to use by default in Istio configuration resources.

accessLogging []string

Name of the default provider(s) for access logging.

metrics []string

Name of the default provider(s) for metrics.

tracing []string

Name of the default provider(s) for tracing.

defaultServiceExportTo []string

* - All Namespaces
. - Current Namespace
~ - No Namespace

If not set the system will use "*" as the default value which implies that services are exported to all namespaces.

For further discussion see the reference documentation for ServiceEntry, Sidecar, and Gateway.

defaultVirtualServiceExportTo []string

The default value for the VirtualService.exportTo field. Has the same syntax as defaultServiceExportTo.

If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces

disableEnvoyListenerLog boolean

This flag disables Envoy Listener logs. See Listener Access Log Istio Enables Envoy's listener access logs on "NoRoute" response flag. Default value is false.

discoverySelectors []object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

dnsRefreshRate string

Configures DNS refresh rate for Envoy clusters of type STRICT_DNS Default refresh rate is 60s.

enableAutoMtls boolean

enableEnvoyAccessLogService boolean

This flag enables Envoy's gRPC Access Log Service. See Access Log Service for details about Envoy's gRPC Access Log Service API. Default value is false.

enablePrometheusMerge boolean

enableTracing boolean

Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.

extensionProviders []object

datadog object

Configures a Datadog tracing provider.

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".

envoyExtAuthzGrpc object

Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.

clearRouteCache boolean

failOpen boolean

includeRequestBodyInCheck object

If set, the client request body will be included in the authorization request sent to the authorization service.

allowPartialMessage boolean

maxRequestBytes integer

packAsBytes boolean

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

statusOnError string

Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden).

timeout string

envoyExtAuthzHttp object

Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.

clearRouteCache boolean

failOpen boolean

headersToDownstreamOnAllow []string

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match):

Exact match: "abc" will match on value "abc".
Prefix match: "abc*" will match on value "abc" and "abcd".
Suffix match: "*abc" will match on value "abc" and "xabc".

headersToDownstreamOnDeny []string

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match):

Exact match: "abc" will match on value "abc".
Prefix match: "abc*" will match on value "abc" and "abcd".
Suffix match: "*abc" will match on value "abc" and "xabc".

headersToUpstreamOnAllow []string

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match):

Exact match: "abc" will match on value "abc".
Prefix match: "abc*" will match on value "abc" and "abcd".
Suffix match: "*abc" will match on value "abc" and "xabc".

includeAdditionalHeadersInCheck object

includeHeadersInCheck []string

DEPRECATED. Use includeRequestHeadersInCheck instead.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

includeRequestBodyInCheck object

If set, the client request body will be included in the authorization request sent to the authorization service.

allowPartialMessage boolean

maxRequestBytes integer

packAsBytes boolean

includeRequestHeadersInCheck []string

Host, Method, Path and Content-Length are automatically sent.
Content-Length will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size.

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match):

Exact match: "abc" will match on value "abc".
Prefix match: "abc*" will match on value "abc" and "abcd".
Suffix match: "*abc" will match on value "abc" and "xabc".

pathPrefix string

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

statusOnError string

Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden).

timeout string

envoyFileAccessLog object

Configures an Envoy File Access Log provider.

logFormat object

Optional. Allows overriding of the default access log format.

labels object

Example:

labels:
status: "%RESPONSE_CODE%"
message: "%LOCAL_REPLY_BODY%"

text string

Textual format for the envoy access logs. Envoy command operators may be used in the format. The format string documentation provides more information.

NOTE: Istio will insert a newline ('\n') on all formats (if missing).

Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

omitEmptyValues boolean

path string

Path to a local file to write the access log entries. This may be used to write to streams, via /dev/stderr and /dev/stdout If unspecified, defaults to /dev/stdout.

envoyHttpAls object

Configures an Envoy Access Logging Service provider for HTTP traffic.

additionalRequestHeadersToLog []string

Optional. Additional request headers to log.

additionalResponseHeadersToLog []string

Optional. Additional response headers to log.

additionalResponseTrailersToLog []string

Optional. Additional response trailers to log.

filterStateObjectsToLog []string

Optional. Additional filter state objects to log.

logName string

Optional. The friendly name of the access log. Defaults:

"http_envoy_accesslog"
"listener_envoy_accesslog"

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

envoyOtelAls object

Configures an Envoy Open Telemetry Access Logging Service provider.

logFormat object

Optional. Format for the proxy access log Empty value results in proxy's default access log format, following Envoy access logging formatting.

labels object

Example:

labels:
status: "%RESPONSE_CODE%"
message: "%LOCAL_REPLY_BODY%"

text string

logName string

Optional. The friendly name of the access log. Defaults:

"otel_envoy_accesslog"

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

envoyTcpAls object

Configures an Envoy Access Logging Service provider for TCP traffic.

filterStateObjectsToLog []string

Optional. Additional filter state objects to log.

logName string

Optional. The friendly name of the access log. Defaults:

"tcp_envoy_accesslog"
"listener_envoy_accesslog"

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

lightstep object

Configures a Lightstep tracing provider. Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

accessToken string

The Lightstep access token.

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".

name string required

REQUIRED. A unique name identifying the extension provider.

opencensus object

Configures an OpenCensusAgent tracing provider. Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

context []string

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".

opentelemetry object

Configures an OpenTelemetry tracing provider.

dynatraceSampler object

The Dynatrace adaptive traffic management (ATM) sampler.

Example configuration:

  - name: otel-tracing
opentelemetry:
port: 443
service: "{your-environment-id}.live.dynatrace.com"
http:
path: "/api/v2/otlp/v1/traces"
timeout: 10s
headers:
- name: "Authorization"
value: "Api-Token dt0c01."
resourceDetectors:
dynatrace: {}
dynatraceSampler:
tenant: "{your-environment-id}"
clusterId: 1234

clusterId integer required

REQUIRED. The identifier of the cluster in the Dynatrace platform. The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.

The value can be obtained from the Istio deployment page in Dynatrace.

httpService object

Optional. Dynatrace HTTP API to obtain sampling configuration.

When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter (service, port and http), including the access token.

http object required

REQUIRED. Specifies sampling configuration URI.

headers []object

envName string

The HTTP header value from the environment variable.

Warning:

The environment variable must be set in the istiod pod spec.
This is not a end-to-end secure.

name string required

REQUIRED. The HTTP header name.

value string

The HTTP header value.

path string required

REQUIRED. Specifies the path on the service.

timeout string

Optional. Specifies the timeout for the HTTP request. If not specified, the default is 3s.

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "{your-environment-id}.live.dynatrace.com".

rootSpansPerMinute integer

Optional. Number of sampled spans per minute to be used when the adaptive value cannot be obtained from the Dynatrace API.

A default value of 1000 is used when:

rootSpansPerMinute is unset
rootSpansPerMinute is set to 0

tenant string required

REQUIRED. The Dynatrace customer's tenant identifier.

The value can be obtained from the Istio deployment page in Dynatrace.

grpc object

Optional. Specifies the configuration for exporting OTLP traces via GRPC. When empty, traces will check whether HTTP is set. If not, traces will use default GRPC configurations.

The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC:

Add/change the OpenTelemetry extension provider in MeshConfig

  - name: opentelemetry
opentelemetry:
port: 8090
service: tracing.example.com
grpc:
timeout: 10s
initialMetadata:
- name: "Authentication"
value: "token-xxxxx"

Deploy a ServiceEntry for the observability back-end

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: tracing-grpc
spec:
hosts:
- tracing.example.com
ports:
- number: 8090
name: grpc-port
protocol: GRPC
resolution: DNS
location: MESH_EXTERNAL

initialMetadata []object

envName string

The HTTP header value from the environment variable.

Warning:

The environment variable must be set in the istiod pod spec.
This is not a end-to-end secure.

name string required

REQUIRED. The HTTP header name.

value string

The HTTP header value.

timeout string

Optional. Specifies the timeout for the GRPC request.

http object

Optional. Specifies the configuration for exporting OTLP traces via HTTP. When empty, traces will be exported via gRPC.

The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:

Add/change the OpenTelemetry extension provider in MeshConfig

  - name: otel-tracing
opentelemetry:
port: 443
service: my.olly-backend.com
http:
path: "/api/otlp/traces"
timeout: 10s
headers:
- name: "my-custom-header"
value: "some value"

Deploy a ServiceEntry for the observability back-end

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: my-olly-backend
spec:
hosts:
- my.olly-backend.com
ports:
- number: 443
name: https-port
protocol: HTTPS
resolution: DNS
location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: my-olly-backend
spec:
host: my.olly-backend.com
trafficPolicy:
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE

headers []object

envName string

The HTTP header value from the environment variable.

Warning:

The environment variable must be set in the istiod pod spec.
This is not a end-to-end secure.

name string required

REQUIRED. The HTTP header name.

value string

The HTTP header value.

path string required

REQUIRED. Specifies the path on the service.

timeout string

Optional. Specifies the timeout for the HTTP request. If not specified, the default is 3s.

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

port integer required

REQUIRED. Specifies the port of the service.

resourceDetectors object

Optional. Specifies Resource Detectors to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged according to the OpenTelemetry Resource specification.

The following example shows how to configure the Environment Resource Detector, that will read the attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES:

  - name: otel-tracing
opentelemetry:
port: 443
service: my.olly-backend.com
resourceDetectors:
environment: {}

dynatrace object

Dynatrace Resource Detector. The resource detector reads from the Dynatrace enrichment files and adds host/process related attributes to the OpenTelemetry resource.

See: Enrich ingested data with Dynatrace-specific dimensions

environment object

OpenTelemetry Environment Resource Detector. The resource detector reads attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES and adds them to the OpenTelemetry resource.

See: Resource specification

service string required

Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com".

prometheus object

Configures a Prometheus metrics provider.

sds object

name string required

REQUIRED. Specifies the name of the provider. This should be used to configure the Gateway SDS.

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "gateway-sds.foo.svc.cluster.local" or "bar/gateway-sds.example.com".

skywalking object

Configures a Apache SkyWalking provider.

accessToken string

Optional. The SkyWalking OAP access token.

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".

stackdriver object

Configures a Stackdriver provider.

debug boolean

debug enables trace output to stdout.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

logging object

Optional. Controls Stackdriver logging behavior.

labels object

Collection of tag names and tag expressions to include in the log entry. Conflicts are resolved by the tag name by overriding previously supplied values.

Example:

labels:
path: request.url_path
foo: request.headers['x-foo']

maxNumberOfAnnotations integer

The global default max number of annotation events per span. default is 200.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

maxNumberOfAttributes integer

The global default max number of attributes per span. default is 200.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

maxNumberOfMessageEvents integer

The global default max number of message events per span. default is 200.

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

zipkin object

Configures a tracing provider that uses the Zipkin API.

enable64bitTraceId boolean

Optional. A 128 bit trace id will be used in Istio. If true, will result in a 64 bit trace id being used.

maxTagLength integer

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

path string

Optional. Specifies the endpoint of Zipkin API. The default value is "/api/v2/spans".

port integer required

REQUIRED. Specifies the port of the service.

service string required

Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".

h2UpgradePolicy string

inboundClusterStatName string

A Pattern can be composed of various pre-defined variables. The following variables are supported.

%SERVICE% - Will be substituted with short hostname of the service.
%SERVICE_NAME% - Will be substituted with name of the service.
%SERVICE_FQDN% - Will be substituted with FQDN of the service.
%SERVICE_PORT% - Will be substituted with port of the service.
%TARGET_PORT% - Will be substituted with the target port of the service.
%SERVICE_PORT_NAME% - Will be substituted with port name of the service.

Following are some examples of supported patterns for reviews:

%SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
%SERVICE% will use reviews.prod as the stats name.

inboundTrafficPolicy object

Set the default behavior of the sidecar for handling inbound traffic to the application. If your application listens on localhost, you will need to set this to LOCALHOST.

mode string

ingressClass string

Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of kubernetes.io/ingress.class annotation.

ingressControllerMode string

Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is STRICT.

ingressSelector string

ingressService string

Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value istio-ingressgateway is used.

localityLbSetting object

distribute []object

* - matches all localities

us-west/* - all zones and sub-zones within the us-west region

us-west/zone-1/* - all sub-zones within us-west/zone-1

from string

Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.

to object

Map of upstream localities to traffic distribution weights. The sum of all weights should be 100. Any locality not present will receive no traffic.

enabled boolean

failover []object

from string

Originating region.

to string

Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.

failoverPriority []string

Specify only label keys [key1, key2, key3], istio would compare the label values of client with endpoints. Suppose there are total N label keys [key1, key2, key3, ...keyN] specified:
1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
4. All the other endpoints have priority P(N) i.e. lowest priority.
Specify labels with key and value [key1=value1, key2=value2, key3=value3], istio would compare the labels with endpoints. Suppose there are total N labels [key1=value1, key2=value2, key3=value3, ...keyN=valueN] specified:
1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
4. All the other endpoints have priority P(N) i.e. lowest priority.

Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

It can be any label specified on both client and server workloads. The following labels which have special semantic meaning are also supported:

topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
topology.istio.io/cluster is used to match the clusterID of an endpoint, which can be specified by pod label topology.istio.io/cluster or pod env ISTIO_META_CLUSTER_ID.
topology.kubernetes.io/region is used to match the region metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/region or the deprecated label failure-domain.beta.kubernetes.io/region.
topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
kubernetes.io/hostname is used to match the current node of an endpoint, which maps to Kubernetes node label kubernetes.io/hostname.

The below topology config indicates the following priority levels:

failoverPriority:
- "topology.istio.io/network"
- "topology.kubernetes.io/region"
- "topology.kubernetes.io/zone"
- "topology.istio.io/subzone"

endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
all the other endpoints have the same lowest priority.

Suppose a service associated endpoints reside in multi clusters, the below example represents:

endpoints in clusterA and has version=v1 label have P(0) priority.
endpoints not in clusterA but has version=v1 label have P(1) priority.
all the other endpoints have P(2) priority.

failoverPriority:
- "version=v1"
- "topology.istio.io/cluster=clusterA"

Optional: only one of distribute, failover or failoverPriority can be set. And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

meshMTLS object

meshConfig:
meshMTLS:
minProtocolVersion: TLSV1_3
tlsDefaults:
Note: applicable only for non ISTIO_MUTUAL scenarios
ecdhCurves:
- P-256
- P-512

Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.

Note: Mesh mTLS does not respect ECDH curves.

cipherSuites []string

Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. If not specified, the following cipher suites will be used:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-GCM-SHA256

ecdhCurves []string

minProtocolVersion string

outboundClusterStatName string

A Pattern can be composed of various pre-defined variables. The following variables are supported.

%SERVICE% - Will be substituted with short hostname of the service.
%SERVICE_NAME% - Will be substituted with name of the service.
%SERVICE_FQDN% - Will be substituted with FQDN of the service.
%SERVICE_PORT% - Will be substituted with port of the service.
%SERVICE_PORT_NAME% - Will be substituted with port name of the service.
%SUBSET_NAME% - Will be substituted with subset.

Following are some examples of supported patterns for reviews:

%SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
%SERVICE% will use reviews.prod as the stats name.

outboundTrafficPolicy object

Set the default behavior of the sidecar for handling outbound traffic from the application.

Can be overridden at a Sidecar level by setting the OutboundTrafficPolicy in the Sidecar API.

Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.

mode string

pathNormalization object

normalization string

protocolDetectionTimeout string

proxyHttpPort integer

Port on which Envoy should listen for HTTP PROXY requests if set.

proxyInboundListenPort integer

Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. Default port is 15006.

proxyListenPort integer

Port on which Envoy should listen for all outbound traffic to other services. Default port is 15001.

rootNamespace string

The precise semantics of this processing are documented on each resource type.

serviceScopeConfigs []object

For example, the following configures the scope of all services with the "istio.io/global" label in matching namespaces to be available globally:

serviceScopeConfigs:
- namespacesSelector:
matchExpressions:
- key: istio.io/global
operator: In
values: [true]
servicesSelector:
matchExpressions:
- key: istio.io/global
operator: Exists
scope: GLOBAL

namespaceSelector object

Match expression for namespaces.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

scope string

Specifics the available scope for matching services.

servicesSelector object

Match expression for serivces.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

serviceSettings []object

Settings to be applied to select services.

For example, the following configures all services in namespace "foo" as well as the "bar" service in namespace "baz" to be considered cluster-local:

serviceSettings:
- settings:
clusterLocal: true
hosts:
- "*.foo.svc.cluster.local"
- "bar.baz.svc.cluster.local"

hosts []string

The services to which the Settings should be applied. Services are selected using the hostname matching rules used by DestinationRule.

For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local

settings object

The settings to apply to the selected services.

clusterLocal boolean

There are some common scenarios when this can be useful:

A service (or group of services) is inherently local to the cluster and has local storage for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
A mesh administrator wants to slowly migrate services to Istio. They might start by first having services cluster-local and then slowly transition them to mesh-wide. They could do this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group (e.g. *.myns.svc.cluster.local).

By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

tcpKeepalive object

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

interval string

The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)

probes integer

Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)

time string

The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)

tlsDefaults object

cipherSuites []string

Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. If not specified, the following cipher suites will be used:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-GCM-SHA256

ecdhCurves []string

minProtocolVersion string

trustDomain string

The trust domain corresponds to the trust root of a system. Refer to SPIFFE-ID

trustDomainAliases []string

The trust domain aliases represent the aliases of trustDomain. For example, if we have

trustDomain: td1
trustDomainAliases: ["td2", "td3"]

Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

verifyCertificateAtClient boolean

Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.

multiCluster object

Settings for multicluster. The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent with Istiod configuration.

clusterName string

The name of the cluster this installation will run in. This is required for sidecar injection to properly label proxies

enabled boolean

Enables the connection between two kubernetes clusters via their respective ingressgateway services. Use if the pods in each cluster cannot directly talk to one another.

globalDomainSuffix string

The suffix for global service names.

includeEnvoyFilter boolean

Enable envoy filter to translate globalDomainSuffix to cluster local suffix for cross cluster communication.

podAnnotations object

Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).

podLabels object

Additional labels to apply on the pod level.

resourceName string

resourceName, if set, will override the naming of resources. If not set, will default to the release name. It is recommended to not set this; this is primarily for backwards compatibility.

resources object

The k8s resource requests and limits for the ztunnel Pods.

claims []object

ResourceClaim references one entry in PodSpec.ResourceClaims.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

revision string

Configures the revision this control plane is a part of

tag string

The container image tag to pull. Image will be Hub/Image:Tag-Variant.

terminationGracePeriodSeconds integer

This value defines:

how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
how many seconds ztunnel waits to drain its own connections (this value - 1 sec)

variant string

The container image variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.

volumeMounts []object

VolumeMount describes a mounting of a Volume within a container.

mountPath string required

Path within the container at which the volume should be mounted. Must not contain ':'.

mountPropagation string

name string required

This must match the Name of a Volume.

readOnly boolean

Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

recursiveReadOnly string

RecursiveReadOnly specifies whether read-only mounts should be handled recursively.

If ReadOnly is false, this field has no meaning and must be unspecified.

If this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None).

If this field is not specified, it is treated as an equivalent of Disabled.

subPath string

Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

subPathExpr string

volumes []object

Volume represents a named volume in a pod that may be accessed by any container in the pod.

awsElasticBlockStore object

fsType string

partition integer

readOnly boolean

readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore

volumeID string required

volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore

azureDisk object

cachingMode string

cachingMode is the Host Caching mode: None, Read Only, Read Write.

diskName string required

diskName is the Name of the data disk in the blob storage

diskURI string required

diskURI is the URI of data disk in the blob storage

fsType string

fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.

kind string

readOnly boolean

readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

azureFile object

readOnly boolean

readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

secretName string required

secretName is the name of secret that contains Azure Storage Account Name and Key

shareName string required

shareName is the azure share Name

cephfs object

cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.

monitors []string required

monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it

path string

path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /

readOnly boolean

readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it

secretFile string

secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it

secretRef object

secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it

name string

user string

user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it

cinder object

fsType string

readOnly boolean

readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md

secretRef object

secretRef is optional: points to a secret object containing parameters used to connect to OpenStack.

name string

volumeID string required

volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md

configMap object

configMap represents a configMap that should populate this volume

defaultMode integer

items []object

Maps a string key to a path within a volume.

key string required

key is the key to project.

mode integer

path string required

path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.

name string

optional boolean

optional specify whether the ConfigMap or its keys must be defined

csi object

csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.

driver string required

driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.

fsType string

fsType to mount. Ex. "ext4", "xfs", "ntfs". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.

nodePublishSecretRef object

name string

readOnly boolean

readOnly specifies a read-only configuration for the volume. Defaults to false (read/write).

volumeAttributes object

volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.

downwardAPI object

downwardAPI represents downward API about the pod that should populate this volume

defaultMode integer

items []object

DownwardAPIVolumeFile represents information to create the file containing the pod field

fieldRef object

Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.

apiVersion string

Version of the schema the FieldPath is written in terms of, defaults to "v1".

fieldPath string required

Path of the field to select in the specified API version.

mode integer

path string required

Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'

resourceFieldRef object

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.

containerName string

Container name: required for volumes, optional for env vars

divisor

Specifies the output format of the exposed resources, defaults to "1"

resource string required

Required: resource to select

emptyDir object

emptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir

medium string

sizeLimit

ephemeral object

Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.

Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.

A pod can use both types of ephemeral volumes and persistent volumes at the same time.

volumeClaimTemplate object

This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created.

Required, must not be nil.

metadata object

May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.

spec object required

accessModes []string

accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1

dataSource object

dataSource field can be used to specify either:

An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.

apiGroup string

APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.

kind string required

Kind is the type of resource being referenced

name string required

Name is the name of resource being referenced

dataSourceRef object

While dataSource only allows two specific types of objects, dataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects.
While dataSource ignores disallowed values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified.
While dataSource only allows local objects, dataSourceRef allows objects in any namespaces. (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.

apiGroup string

APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.

kind string required

Kind is the type of resource being referenced

name string required

Name is the name of resource being referenced

namespace string

resources object

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

selector object

selector is a label query over volumes to consider for binding.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

storageClassName string

storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1

volumeAttributesClassName string

volumeMode string

volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.

volumeName string

volumeName is the binding reference to the PersistentVolume backing this claim.

fc object

fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.

lun integer

lun is Optional: FC target lun number

readOnly boolean

readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

targetWWNs []string

targetWWNs is Optional: FC target worldwide names (WWNs)

wwids []string

wwids Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.

flexVolume object

flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.

driver string required

driver is the name of the driver to use for this volume.

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.

options object

options is Optional: this field holds extra command options if any.

readOnly boolean

readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

secretRef object

name string

flocker object

datasetName string

datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated

datasetUUID string

datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset

gcePersistentDisk object

fsType string

partition integer

pdName string required

pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk

readOnly boolean

readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk

gitRepo object

directory string

repository string required

repository is the URL

revision string

revision is the commit hash for the specified revision.

glusterfs object

endpoints string required

endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod

path string required

path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod

readOnly boolean

readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod

hostPath object

path string required

path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath

type string

type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath

image object

image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:

Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.

pullPolicy string

reference string

iscsi object

iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md

chapAuthDiscovery boolean

chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication

chapAuthSession boolean

chapAuthSession defines whether support iSCSI Session CHAP authentication

fsType string

initiatorName string

initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection.

iqn string required

iqn is the target iSCSI Qualified Name.

iscsiInterface string

iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).

lun integer required

lun represents iSCSI Target Lun number.

portals []string

portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).

readOnly boolean

readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.

secretRef object

secretRef is the CHAP Secret for iSCSI target and initiator authentication

name string

targetPortal string required

targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).

name string required

name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

nfs object

nfs represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs

path string required

path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs

readOnly boolean

readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs

server string required

server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs

persistentVolumeClaim object

claimName string required

claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims

readOnly boolean

readOnly Will force the ReadOnly setting in VolumeMounts. Default false.

photonPersistentDisk object

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.

pdID string required

pdID is the ID that identifies Photon Controller persistent disk

portworxVolume object

fsType string

fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.

readOnly boolean

readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

volumeID string required

volumeID uniquely identifies a Portworx volume

projected object

projected items for all in one resources secrets, configmaps, and downward API

defaultMode integer

sources []object

Projection that may be projected along with other supported volume types. Exactly one of these fields must be set.

clusterTrustBundle object

ClusterTrustBundle allows a pod to access the .spec.trustBundle field of ClusterTrustBundle objects in an auto-updating file.

Alpha, gated by the ClusterTrustBundleProjection feature gate.

ClusterTrustBundle objects can either be selected by name, or by the combination of signer name and a label selector.

labelSelector object

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

name string

Select a single ClusterTrustBundle by object name. Mutually-exclusive with signerName and labelSelector.

optional boolean

path string required

Relative path from the volume root to write the bundle.

signerName string

Select all ClusterTrustBundles that match this signer name. Mutually-exclusive with name. The contents of all selected ClusterTrustBundles will be unified and deduplicated.

configMap object

configMap information about the configMap data to project

items []object

Maps a string key to a path within a volume.

key string required

key is the key to project.

mode integer

path string required

path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.

name string

optional boolean

optional specify whether the ConfigMap or its keys must be defined

downwardAPI object

downwardAPI information about the downwardAPI data to project

items []object

DownwardAPIVolumeFile represents information to create the file containing the pod field

fieldRef object

Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.

apiVersion string

Version of the schema the FieldPath is written in terms of, defaults to "v1".

fieldPath string required

Path of the field to select in the specified API version.

mode integer

path string required

Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'

resourceFieldRef object

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.

containerName string

Container name: required for volumes, optional for env vars

divisor

Specifies the output format of the exposed resources, defaults to "1"

resource string required

Required: resource to select

secret object

secret information about the secret data to project

items []object

Maps a string key to a path within a volume.

key string required

key is the key to project.

mode integer

path string required

path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.

name string

optional boolean

optional field specify whether the Secret or its key must be defined

serviceAccountToken object

serviceAccountToken is information about the serviceAccountToken data to project

audience string

expirationSeconds integer

path string required

path is the path relative to the mount point of the file to project the token into.

quobyte object

quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.

group string

group to map volume access to Default is no group

readOnly boolean

readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.

registry string required

registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes

tenant string

tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin

user string

user to map volume access to Defaults to serivceaccount user

volume string required

volume is a string that references an already created Quobyte volume by name.

rbd object

fsType string

image string required

image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

keyring string

keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

monitors []string required

monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

pool string

pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

readOnly boolean

readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

secretRef object

secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

name string

user string

user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it

scaleIO object

scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs".

gateway string required

gateway is the host address of the ScaleIO API Gateway.

protectionDomain string

protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.

readOnly boolean

readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

secretRef object required

secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.

name string

sslEnabled boolean

sslEnabled Flag enable/disable SSL communication with Gateway, default false

storageMode string

storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.

storagePool string

storagePool is the ScaleIO Storage Pool associated with the protection domain.

system string required

system is the name of the storage system as configured in ScaleIO.

volumeName string

volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.

secret object

secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret

defaultMode integer

items []object

Maps a string key to a path within a volume.

key string required

key is the key to project.

mode integer

path string required

path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.

optional boolean

optional field specify whether the Secret or its keys must be defined

secretName string

secretName is the name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret

storageos object

storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.

fsType string

fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.

readOnly boolean

readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.

secretRef object

secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted.

name string

volumeName string

volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.

volumeNamespace string

vsphereVolume object

fsType string

fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.

storagePolicyID string

storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.

storagePolicyName string

storagePolicyName is the storage Policy Based Management (SPBM) profile name.

volumePath string required

volumePath is the path that identifies vSphere volume vmdk

xdsAddress string

The customized XDS address to retrieve configuration.

version string required

Defines the version of Istio to install. Must be one of: v1.26-latest, v1.26.3, v1.24-latest, v1.24.6.

status object

ZTunnelStatus defines the observed state of ZTunnel

conditions []object

ZTunnelCondition represents a specific observation of the ZTunnel object's state.

lastTransitionTime string

Last time the condition transitioned from one status to another.

message string

Human-readable message indicating details about the last transition.

reason string

Unique, single-word, CamelCase reason for the condition's last transition.

status string

The status of this condition. Can be True, False or Unknown.

type string

The type of this condition.

observedGeneration integer

ObservedGeneration is the most recent generation observed for this ZTunnel object. It corresponds to the object's generation, which is updated on mutation by the API Server. The information in the status pertains to this particular generation of the object.

state string

Reports the current state of the object.

#Service Mesh Operator API

#TOC

#Istio

Below shows an example of preserving the header case for HTTP 1.x requests

#IstioCNI

#IstioRevisionTag

#ZTunnel

Below shows an example of preserving the header case for HTTP 1.x requests

Service Mesh Operator API

TOC

Istio

IstioCNI

IstioRevisionTag

ZTunnel