1# AddonComponents grafana component is disabled. 2 3--- 4# Resources for AddonComponents istiocoredns component 5 6apiVersion: rbac.authorization.k8s.io/v1 7kind: ClusterRole 8metadata: 9 name: istiocoredns 10 labels: 11 app: istiocoredns 12 release: istio 13rules: 14- apiGroups: ["networking.istio.io"] 15 resources: ["*"] 16 verbs: ["get", "watch", "list"] 17--- 18 19 20apiVersion: rbac.authorization.k8s.io/v1 21kind: ClusterRoleBinding 22metadata: 23 name: istio-istiocoredns-role-binding-istio-system 24 labels: 25 app: istiocoredns 26 release: istio 27roleRef: 28 apiGroup: rbac.authorization.k8s.io 29 kind: ClusterRole 30 name: istiocoredns 31subjects: 32- kind: ServiceAccount 33 name: istiocoredns-service-account 34 namespace: istio-system 35--- 36 37 38apiVersion: v1 39kind: ConfigMap 40metadata: 41 name: coredns 42 namespace: istio-system 43 labels: 44 app: istiocoredns 45 release: istio 46data: 47 Corefile: | 48 .:53 { 49 errors 50 health 51 52 # Removed support for the proxy plugin: https://coredns.io/2019/03/03/coredns-1.4.0-release/ 53 grpc global 127.0.0.1:8053 54 forward . /etc/resolv.conf { 55 except global 56 } 57 58 prometheus :9153 59 cache 30 60 reload 61 } 62--- 63 64 65apiVersion: apps/v1 66kind: Deployment 67metadata: 68 name: istiocoredns 69 namespace: istio-system 70 labels: 71 app: istiocoredns 72 release: istio 73spec: 74 replicas: 1 75 selector: 76 matchLabels: 77 app: istiocoredns 78 strategy: 79 rollingUpdate: 80 maxSurge: 100% 81 maxUnavailable: 25% 82 template: 83 metadata: 84 name: istiocoredns 85 labels: 86 app: istiocoredns 87 release: istio 88 annotations: 89 sidecar.istio.io/inject: "false" 90 spec: 91 serviceAccountName: istiocoredns-service-account 92 containers: 93 - name: coredns 94 image: coredns/coredns:1.6.2 95 args: [ "-conf", "/etc/coredns/Corefile" ] 96 volumeMounts: 97 - name: config-volume 98 mountPath: /etc/coredns 99 ports: 100 - containerPort: 53 101 name: dns 102 protocol: UDP 103 - containerPort: 53 104 name: dns-tcp 105 protocol: TCP 106 - containerPort: 9153 107 name: metrics 108 protocol: TCP 109 livenessProbe: 110 httpGet: 111 path: /health 112 port: 8080 113 scheme: HTTP 114 initialDelaySeconds: 60 115 timeoutSeconds: 5 116 successThreshold: 1 117 failureThreshold: 5 118 resources: 119 requests: 120 cpu: 10m 121 - name: istio-coredns-plugin 122 command: 123 - /usr/local/bin/plugin 124 image: istio/coredns-plugin:0.2-istio-1.1 125 ports: 126 - containerPort: 8053 127 name: dns-grpc 128 protocol: TCP 129 resources: 130 requests: 131 cpu: 10m 132 dnsPolicy: Default 133 volumes: 134 - name: config-volume 135 configMap: 136 name: coredns 137 items: 138 - key: Corefile 139 path: Corefile 140 affinity: 141 nodeAffinity: 142 requiredDuringSchedulingIgnoredDuringExecution: 143 nodeSelectorTerms: 144 - matchExpressions: 145 - key: beta.kubernetes.io/arch 146 operator: In 147 values: 148 - "amd64" 149 - "ppc64le" 150 - "s390x" 151 preferredDuringSchedulingIgnoredDuringExecution: 152 - weight: 2 153 preference: 154 matchExpressions: 155 - key: beta.kubernetes.io/arch 156 operator: In 157 values: 158 - "amd64" 159 - weight: 2 160 preference: 161 matchExpressions: 162 - key: beta.kubernetes.io/arch 163 operator: In 164 values: 165 - "ppc64le" 166 - weight: 2 167 preference: 168 matchExpressions: 169 - key: beta.kubernetes.io/arch 170 operator: In 171 values: 172 - "s390x" 173--- 174 175 176apiVersion: v1 177kind: Service 178metadata: 179 name: istiocoredns 180 namespace: istio-system 181 labels: 182 app: istiocoredns 183 release: istio 184spec: 185 selector: 186 app: istiocoredns 187 ports: 188 - name: dns 189 port: 53 190 protocol: UDP 191 - name: dns-tcp 192 port: 53 193 protocol: TCP 194--- 195 196 197apiVersion: v1 198kind: ServiceAccount 199metadata: 200 name: istiocoredns-service-account 201 namespace: istio-system 202 labels: 203 app: istiocoredns 204 release: istio 205--- 206 207--- 208# AddonComponents kiali component is disabled. 209 210--- 211# Resources for AddonComponents prometheus component 212 213apiVersion: rbac.authorization.k8s.io/v1 214kind: ClusterRole 215metadata: 216 name: prometheus-istio-system 217 labels: 218 app: prometheus 219 release: istio 220rules: 221- apiGroups: [""] 222 resources: 223 - nodes 224 - services 225 - endpoints 226 - pods 227 - nodes/proxy 228 verbs: ["get", "list", "watch"] 229- apiGroups: [""] 230 resources: 231 - configmaps 232 verbs: ["get"] 233- nonResourceURLs: ["/metrics"] 234 verbs: ["get"] 235--- 236 237 238apiVersion: rbac.authorization.k8s.io/v1 239kind: ClusterRoleBinding 240metadata: 241 name: prometheus-istio-system 242 labels: 243 app: prometheus 244 release: istio 245roleRef: 246 apiGroup: rbac.authorization.k8s.io 247 kind: ClusterRole 248 name: prometheus-istio-system 249subjects: 250- kind: ServiceAccount 251 name: prometheus 252 namespace: istio-system 253--- 254 255 256apiVersion: v1 257kind: ConfigMap 258metadata: 259 name: prometheus 260 namespace: istio-system 261 labels: 262 app: prometheus 263 release: istio 264data: 265 prometheus.yml: |- 266 global: 267 scrape_interval: 15s 268 scrape_configs: 269 # Mixer scrapping. Defaults to Prometheus and mixer on same namespace. 270 - job_name: 'istio-mesh' 271 kubernetes_sd_configs: 272 - role: endpoints 273 namespaces: 274 names: 275 - istio-system 276 relabel_configs: 277 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 278 action: keep 279 regex: istio-telemetry;prometheus 280 281 # Scrape config for envoy stats 282 - job_name: 'envoy-stats' 283 metrics_path: /stats/prometheus 284 kubernetes_sd_configs: 285 - role: pod 286 287 relabel_configs: 288 - source_labels: [__meta_kubernetes_pod_container_port_name] 289 action: keep 290 regex: '.*-envoy-prom' 291 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 292 action: replace 293 regex: ([^:]+)(?::\d+)?;(\d+) 294 replacement: $1:15090 295 target_label: __address__ 296 - action: labeldrop 297 regex: __meta_kubernetes_pod_label_(.+) 298 - source_labels: [__meta_kubernetes_namespace] 299 action: replace 300 target_label: namespace 301 - source_labels: [__meta_kubernetes_pod_name] 302 action: replace 303 target_label: pod_name 304 305 - job_name: 'istio-policy' 306 kubernetes_sd_configs: 307 - role: endpoints 308 namespaces: 309 names: 310 - istio-system 311 312 313 relabel_configs: 314 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 315 action: keep 316 regex: istio-policy;http-policy-monitoring 317 318 - job_name: 'istio-telemetry' 319 kubernetes_sd_configs: 320 - role: endpoints 321 namespaces: 322 names: 323 - istio-system 324 325 relabel_configs: 326 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 327 action: keep 328 regex: istio-telemetry;http-monitoring 329 330 - job_name: 'pilot' 331 kubernetes_sd_configs: 332 - role: endpoints 333 namespaces: 334 names: 335 - istio-system 336 337 relabel_configs: 338 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 339 action: keep 340 regex: istiod;http-monitoring 341 - source_labels: [__meta_kubernetes_service_label_app] 342 target_label: app 343 - job_name: 'galley' 344 kubernetes_sd_configs: 345 - role: endpoints 346 namespaces: 347 names: 348 - istio-system 349 350 relabel_configs: 351 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 352 action: keep 353 regex: istio-galley;http-monitoring 354 355 - job_name: 'citadel' 356 kubernetes_sd_configs: 357 - role: endpoints 358 namespaces: 359 names: 360 - istio-system 361 362 relabel_configs: 363 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 364 action: keep 365 regex: istio-citadel;http-monitoring 366 367 - job_name: 'sidecar-injector' 368 369 kubernetes_sd_configs: 370 - role: endpoints 371 namespaces: 372 names: 373 - istio-system 374 375 relabel_configs: 376 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 377 action: keep 378 regex: istio-sidecar-injector;http-monitoring 379 380 # scrape config for API servers 381 - job_name: 'kubernetes-apiservers' 382 kubernetes_sd_configs: 383 - role: endpoints 384 namespaces: 385 names: 386 - default 387 scheme: https 388 tls_config: 389 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 390 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token 391 relabel_configs: 392 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 393 action: keep 394 regex: kubernetes;https 395 396 # scrape config for nodes (kubelet) 397 - job_name: 'kubernetes-nodes' 398 scheme: https 399 tls_config: 400 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 401 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token 402 kubernetes_sd_configs: 403 - role: node 404 relabel_configs: 405 - action: labelmap 406 regex: __meta_kubernetes_node_label_(.+) 407 - target_label: __address__ 408 replacement: kubernetes.default.svc:443 409 - source_labels: [__meta_kubernetes_node_name] 410 regex: (.+) 411 target_label: __metrics_path__ 412 replacement: /api/v1/nodes/${1}/proxy/metrics 413 414 # Scrape config for Kubelet cAdvisor. 415 # 416 # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics 417 # (those whose names begin with 'container_') have been removed from the 418 # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to 419 # retrieve those metrics. 420 # 421 # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor 422 # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" 423 # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with 424 # the --cadvisor-port=0 Kubelet flag). 425 # 426 # This job is not necessary and should be removed in Kubernetes 1.6 and 427 # earlier versions, or it will cause the metrics to be scraped twice. 428 - job_name: 'kubernetes-cadvisor' 429 scheme: https 430 tls_config: 431 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 432 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token 433 kubernetes_sd_configs: 434 - role: node 435 relabel_configs: 436 - action: labelmap 437 regex: __meta_kubernetes_node_label_(.+) 438 - target_label: __address__ 439 replacement: kubernetes.default.svc:443 440 - source_labels: [__meta_kubernetes_node_name] 441 regex: (.+) 442 target_label: __metrics_path__ 443 replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor 444 445 # scrape config for service endpoints. 446 - job_name: 'kubernetes-service-endpoints' 447 kubernetes_sd_configs: 448 - role: endpoints 449 relabel_configs: 450 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] 451 action: keep 452 regex: true 453 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] 454 action: replace 455 target_label: __scheme__ 456 regex: (https?) 457 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] 458 action: replace 459 target_label: __metrics_path__ 460 regex: (.+) 461 - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] 462 action: replace 463 target_label: __address__ 464 regex: ([^:]+)(?::\d+)?;(\d+) 465 replacement: $1:$2 466 - action: labelmap 467 regex: __meta_kubernetes_service_label_(.+) 468 - source_labels: [__meta_kubernetes_namespace] 469 action: replace 470 target_label: kubernetes_namespace 471 - source_labels: [__meta_kubernetes_service_name] 472 action: replace 473 target_label: kubernetes_name 474 475 - job_name: 'kubernetes-pods' 476 kubernetes_sd_configs: 477 - role: pod 478 relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. 479 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] 480 action: keep 481 regex: true 482 - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status] 483 action: drop 484 regex: (.+) 485 - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] 486 action: drop 487 regex: (true) 488 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] 489 action: replace 490 target_label: __metrics_path__ 491 regex: (.+) 492 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 493 action: replace 494 regex: ([^:]+)(?::\d+)?;(\d+) 495 replacement: $1:$2 496 target_label: __address__ 497 - action: labelmap 498 regex: __meta_kubernetes_pod_label_(.+) 499 - source_labels: [__meta_kubernetes_namespace] 500 action: replace 501 target_label: namespace 502 - source_labels: [__meta_kubernetes_pod_name] 503 action: replace 504 target_label: pod_name 505 - job_name: 'kubernetes-pods-istio-secure' 506 scheme: https 507 tls_config: 508 ca_file: /etc/istio-certs/root-cert.pem 509 cert_file: /etc/istio-certs/cert-chain.pem 510 key_file: /etc/istio-certs/key.pem 511 insecure_skip_verify: true # prometheus does not support secure naming. 512 kubernetes_sd_configs: 513 - role: pod 514 relabel_configs: 515 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] 516 action: keep 517 regex: true 518 # sidecar status annotation is added by sidecar injector and 519 # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. 520 - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] 521 action: keep 522 regex: (([^;]+);([^;]*))|(([^;]*);(true)) 523 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] 524 action: replace 525 target_label: __metrics_path__ 526 regex: (.+) 527 - source_labels: [__address__] # Only keep address that is host:port 528 action: keep # otherwise an extra target with ':443' is added for https scheme 529 regex: ([^:]+):(\d+) 530 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 531 action: replace 532 regex: ([^:]+)(?::\d+)?;(\d+) 533 replacement: $1:$2 534 target_label: __address__ 535 - action: labelmap 536 regex: __meta_kubernetes_pod_label_(.+) 537 - source_labels: [__meta_kubernetes_namespace] 538 action: replace 539 target_label: namespace 540 - source_labels: [__meta_kubernetes_pod_name] 541 action: replace 542 target_label: pod_name 543--- 544 545 546apiVersion: apps/v1 547kind: Deployment 548metadata: 549 labels: 550 app: prometheus 551 release: istio 552 name: prometheus 553 namespace: istio-system 554spec: 555 replicas: 1 556 selector: 557 matchLabels: 558 app: prometheus 559 template: 560 metadata: 561 annotations: 562 sidecar.istio.io/inject: "false" 563 labels: 564 app: prometheus 565 release: istio 566 spec: 567 affinity: 568 nodeAffinity: 569 preferredDuringSchedulingIgnoredDuringExecution: 570 - preference: 571 matchExpressions: 572 - key: beta.kubernetes.io/arch 573 operator: In 574 values: 575 - amd64 576 weight: 2 577 - preference: 578 matchExpressions: 579 - key: beta.kubernetes.io/arch 580 operator: In 581 values: 582 - ppc64le 583 weight: 2 584 - preference: 585 matchExpressions: 586 - key: beta.kubernetes.io/arch 587 operator: In 588 values: 589 - s390x 590 weight: 2 591 requiredDuringSchedulingIgnoredDuringExecution: 592 nodeSelectorTerms: 593 - matchExpressions: 594 - key: beta.kubernetes.io/arch 595 operator: In 596 values: 597 - amd64 598 - ppc64le 599 - s390x 600 containers: 601 - args: 602 - --storage.tsdb.retention=6h 603 - --config.file=/etc/prometheus/prometheus.yml 604 image: docker.io/prom/prometheus:v2.15.1 605 livenessProbe: 606 httpGet: 607 path: /-/healthy 608 port: 9090 609 name: prometheus 610 ports: 611 - containerPort: 9090 612 name: http 613 readinessProbe: 614 httpGet: 615 path: /-/ready 616 port: 9090 617 resources: 618 requests: 619 cpu: 10m 620 volumeMounts: 621 - mountPath: /etc/prometheus 622 name: config-volume 623 - mountPath: /etc/istio-certs 624 name: istio-certs 625 - args: 626 - proxy 627 - sidecar 628 - --domain 629 - $(POD_NAMESPACE).svc.cluster.local 630 - istio-proxy-prometheus 631 - --proxyLogLevel=warning 632 - --proxyComponentLogLevel=misc:error 633 - --controlPlaneAuthPolicy 634 - NONE 635 - --trust-domain=cluster.local 636 env: 637 - name: OUTPUT_CERTS 638 value: /etc/istio-certs 639 - name: JWT_POLICY 640 value: third-party-jwt 641 - name: PILOT_CERT_PROVIDER 642 value: istiod 643 - name: CA_ADDR 644 value: istiod.istio-system.svc:15012 645 - name: POD_NAME 646 valueFrom: 647 fieldRef: 648 fieldPath: metadata.name 649 - name: POD_NAMESPACE 650 valueFrom: 651 fieldRef: 652 fieldPath: metadata.namespace 653 - name: INSTANCE_IP 654 valueFrom: 655 fieldRef: 656 fieldPath: status.podIP 657 - name: SERVICE_ACCOUNT 658 valueFrom: 659 fieldRef: 660 fieldPath: spec.serviceAccountName 661 - name: HOST_IP 662 valueFrom: 663 fieldRef: 664 fieldPath: status.hostIP 665 - name: ISTIO_META_MESH_ID 666 value: cluster.local 667 - name: ISTIO_META_CLUSTER_ID 668 value: Kubernetes 669 image: gcr.io/istio-testing/proxyv2:latest 670 imagePullPolicy: Always 671 name: istio-proxy 672 ports: 673 - containerPort: 15090 674 name: http-envoy-prom 675 protocol: TCP 676 readinessProbe: 677 failureThreshold: 30 678 httpGet: 679 path: /healthz/ready 680 port: 15020 681 scheme: HTTP 682 initialDelaySeconds: 1 683 periodSeconds: 2 684 successThreshold: 1 685 timeoutSeconds: 1 686 volumeMounts: 687 - mountPath: /var/run/secrets/istio 688 name: istiod-ca-cert 689 - mountPath: /etc/istio/proxy 690 name: istio-envoy 691 - mountPath: /var/run/secrets/tokens 692 name: istio-token 693 - mountPath: /etc/istio-certs/ 694 name: istio-certs 695 - mountPath: /etc/istio/config 696 name: istio-config-volume 697 serviceAccountName: prometheus 698 volumes: 699 - configMap: 700 name: istio 701 optional: true 702 name: istio-config-volume 703 - configMap: 704 name: prometheus 705 name: config-volume 706 - emptyDir: 707 medium: Memory 708 name: istio-certs 709 - emptyDir: 710 medium: Memory 711 name: istio-envoy 712 - name: istio-token 713 projected: 714 defaultMode: 420 715 sources: 716 - serviceAccountToken: 717 audience: istio-ca 718 expirationSeconds: 43200 719 path: istio-token 720 - configMap: 721 defaultMode: 420 722 name: istio-ca-root-cert 723 name: istiod-ca-cert 724 725--- 726 727 728apiVersion: v1 729kind: Service 730metadata: 731 name: prometheus 732 namespace: istio-system 733 annotations: 734 prometheus.io/scrape: 'true' 735 labels: 736 app: prometheus 737 release: istio 738spec: 739 selector: 740 app: prometheus 741 ports: 742 - name: http-prometheus 743 protocol: TCP 744 port: 9090 745--- 746 747 748apiVersion: v1 749kind: ServiceAccount 750metadata: 751 name: prometheus 752 namespace: istio-system 753 labels: 754 app: prometheus 755 release: istio 756--- 757 758--- 759# AddonComponents istio-tracing component is disabled. 760 761# Resources for Base component 762 763apiVersion: rbac.authorization.k8s.io/v1 764kind: ClusterRole 765metadata: 766 name: istiod-istio-system 767 labels: 768 app: istiod 769 release: istio 770rules: 771 # sidecar injection controller 772 - apiGroups: ["admissionregistration.k8s.io"] 773 resources: ["mutatingwebhookconfigurations"] 774 verbs: ["get", "list", "watch", "patch"] 775 776 # configuration validation webhook controller 777 - apiGroups: ["admissionregistration.k8s.io"] 778 resources: ["validatingwebhookconfigurations"] 779 verbs: ["get", "list", "watch", "update"] 780 781 # permissions to verify the webhook is ready and rejecting 782 # invalid config. We use --server-dry-run so no config is persisted. 783 - apiGroups: ["networking.istio.io"] 784 verbs: ["create"] 785 resources: ["gateways"] 786 787 # istio configuration 788 - apiGroups: ["config.istio.io", "rbac.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] 789 verbs: ["get", "watch", "list"] 790 resources: ["*"] 791 792 # auto-detect installed CRD definitions 793 - apiGroups: ["apiextensions.k8s.io"] 794 resources: ["customresourcedefinitions"] 795 verbs: ["get", "list", "watch"] 796 797 # discovery and routing 798 - apiGroups: ["extensions","apps"] 799 resources: ["deployments"] 800 verbs: ["get", "list", "watch"] 801 - apiGroups: [""] 802 resources: ["pods", "nodes", "services", "namespaces", "endpoints"] 803 verbs: ["get", "list", "watch"] 804 - apiGroups: ["discovery.k8s.io"] 805 resources: ["endpointslices"] 806 verbs: ["get", "list", "watch"] 807 808 # ingress controller 809 - apiGroups: ["networking.k8s.io"] 810 resources: ["ingresses", "ingressclasses"] 811 verbs: ["get", "list", "watch"] 812 - apiGroups: ["networking.k8s.io"] 813 resources: ["ingresses/status"] 814 verbs: ["*"] 815 816 # required for CA's namespace controller 817 - apiGroups: [""] 818 resources: ["configmaps"] 819 verbs: ["create", "get", "list", "watch", "update"] 820 821 # Istiod and bootstrap. 822 - apiGroups: ["certificates.k8s.io"] 823 resources: 824 - "certificatesigningrequests" 825 - "certificatesigningrequests/approval" 826 - "certificatesigningrequests/status" 827 verbs: ["update", "create", "get", "delete", "watch"] 828 - apiGroups: ["certificates.k8s.io"] 829 resources: 830 - "signers" 831 resourceNames: 832 - "kubernetes.io/legacy-unknown" 833 verbs: ["approve"] 834 835 # Used by Istiod to verify the JWT tokens 836 - apiGroups: ["authentication.k8s.io"] 837 resources: ["tokenreviews"] 838 verbs: ["create"] 839 840 # TODO: remove, no longer needed at cluster 841 - apiGroups: [""] 842 resources: ["secrets"] 843 verbs: ["create", "get", "watch", "list", "update", "delete"] 844 - apiGroups: [""] 845 resources: ["serviceaccounts"] 846 verbs: ["get", "watch", "list"] 847 848 # Use for Kubernetes Service APIs 849 - apiGroups: ["networking.x.k8s.io"] 850 resources: ["*"] 851 verbs: ["get", "watch", "list"] 852--- 853 854 855apiVersion: rbac.authorization.k8s.io/v1 856kind: ClusterRole 857metadata: 858 name: istio-reader-istio-system 859 labels: 860 app: istio-reader 861 release: istio 862rules: 863 - apiGroups: 864 - "config.istio.io" 865 - "rbac.istio.io" 866 - "security.istio.io" 867 - "networking.istio.io" 868 - "authentication.istio.io" 869 resources: ["*"] 870 verbs: ["get", "list", "watch"] 871 - apiGroups: [""] 872 resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers"] 873 verbs: ["get", "list", "watch"] 874 - apiGroups: ["apps"] 875 resources: ["replicasets"] 876 verbs: ["get", "list", "watch"] 877--- 878 879 880apiVersion: rbac.authorization.k8s.io/v1 881kind: ClusterRoleBinding 882metadata: 883 name: istio-reader-istio-system 884 labels: 885 app: istio-reader 886 release: istio 887roleRef: 888 apiGroup: rbac.authorization.k8s.io 889 kind: ClusterRole 890 name: istio-reader-istio-system 891subjects: 892 - kind: ServiceAccount 893 name: istio-reader-service-account 894 namespace: istio-system 895--- 896 897 898apiVersion: rbac.authorization.k8s.io/v1 899kind: ClusterRoleBinding 900metadata: 901 name: istiod-pilot-istio-system 902 labels: 903 app: pilot 904 release: istio 905roleRef: 906 apiGroup: rbac.authorization.k8s.io 907 kind: ClusterRole 908 name: istiod-istio-system 909subjects: 910 - kind: ServiceAccount 911 name: istio-pilot-service-account 912 namespace: istio-system 913--- 914 915 916apiVersion: apiextensions.k8s.io/v1beta1 917kind: CustomResourceDefinition 918metadata: 919 annotations: 920 "helm.sh/resource-policy": keep 921 labels: 922 app: istio-citadel 923 chart: istio 924 heritage: Tiller 925 release: istio 926 name: meshpolicies.authentication.istio.io 927spec: 928 group: authentication.istio.io 929 names: 930 categories: 931 - istio-io 932 - authentication-istio-io 933 kind: MeshPolicy 934 listKind: MeshPolicyList 935 plural: meshpolicies 936 singular: meshpolicy 937 scope: Cluster 938 subresources: 939 status: {} 940 validation: 941 openAPIV3Schema: 942 properties: 943 spec: 944 description: 'See more details at:' 945 properties: 946 originIsOptional: 947 description: Deprecated. 948 type: boolean 949 origins: 950 description: Deprecated. 951 items: 952 properties: 953 jwt: 954 description: Jwt params for the method. 955 properties: 956 audiences: 957 items: 958 format: string 959 type: string 960 type: array 961 issuer: 962 description: Identifies the issuer that issued the JWT. 963 format: string 964 type: string 965 jwks: 966 description: JSON Web Key Set of public keys to validate signature 967 of the JWT. 968 format: string 969 type: string 970 jwks_uri: 971 format: string 972 type: string 973 jwksUri: 974 format: string 975 type: string 976 jwt_headers: 977 description: JWT is sent in a request header. 978 items: 979 format: string 980 type: string 981 type: array 982 jwtHeaders: 983 description: JWT is sent in a request header. 984 items: 985 format: string 986 type: string 987 type: array 988 jwtParams: 989 description: JWT is sent in a query parameter. 990 items: 991 format: string 992 type: string 993 type: array 994 trigger_rules: 995 items: 996 properties: 997 excluded_paths: 998 description: List of paths to be excluded from the request. 999 items: 1000 oneOf: 1001 - not: 1002 anyOf: 1003 - required: 1004 - exact 1005 - required: 1006 - prefix 1007 - required: 1008 - suffix 1009 - required: 1010 - regex 1011 - required: 1012 - exact 1013 - required: 1014 - prefix 1015 - required: 1016 - suffix 1017 - required: 1018 - regex 1019 properties: 1020 exact: 1021 description: exact string match. 1022 format: string 1023 type: string 1024 prefix: 1025 description: prefix-based match. 1026 format: string 1027 type: string 1028 regex: 1029 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1030 format: string 1031 type: string 1032 suffix: 1033 description: suffix-based match. 1034 format: string 1035 type: string 1036 type: object 1037 type: array 1038 excludedPaths: 1039 description: List of paths to be excluded from the request. 1040 items: 1041 oneOf: 1042 - not: 1043 anyOf: 1044 - required: 1045 - exact 1046 - required: 1047 - prefix 1048 - required: 1049 - suffix 1050 - required: 1051 - regex 1052 - required: 1053 - exact 1054 - required: 1055 - prefix 1056 - required: 1057 - suffix 1058 - required: 1059 - regex 1060 properties: 1061 exact: 1062 description: exact string match. 1063 format: string 1064 type: string 1065 prefix: 1066 description: prefix-based match. 1067 format: string 1068 type: string 1069 regex: 1070 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1071 format: string 1072 type: string 1073 suffix: 1074 description: suffix-based match. 1075 format: string 1076 type: string 1077 type: object 1078 type: array 1079 included_paths: 1080 description: List of paths that the request must include. 1081 items: 1082 oneOf: 1083 - not: 1084 anyOf: 1085 - required: 1086 - exact 1087 - required: 1088 - prefix 1089 - required: 1090 - suffix 1091 - required: 1092 - regex 1093 - required: 1094 - exact 1095 - required: 1096 - prefix 1097 - required: 1098 - suffix 1099 - required: 1100 - regex 1101 properties: 1102 exact: 1103 description: exact string match. 1104 format: string 1105 type: string 1106 prefix: 1107 description: prefix-based match. 1108 format: string 1109 type: string 1110 regex: 1111 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1112 format: string 1113 type: string 1114 suffix: 1115 description: suffix-based match. 1116 format: string 1117 type: string 1118 type: object 1119 type: array 1120 includedPaths: 1121 description: List of paths that the request must include. 1122 items: 1123 oneOf: 1124 - not: 1125 anyOf: 1126 - required: 1127 - exact 1128 - required: 1129 - prefix 1130 - required: 1131 - suffix 1132 - required: 1133 - regex 1134 - required: 1135 - exact 1136 - required: 1137 - prefix 1138 - required: 1139 - suffix 1140 - required: 1141 - regex 1142 properties: 1143 exact: 1144 description: exact string match. 1145 format: string 1146 type: string 1147 prefix: 1148 description: prefix-based match. 1149 format: string 1150 type: string 1151 regex: 1152 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1153 format: string 1154 type: string 1155 suffix: 1156 description: suffix-based match. 1157 format: string 1158 type: string 1159 type: object 1160 type: array 1161 type: object 1162 type: array 1163 triggerRules: 1164 items: 1165 properties: 1166 excluded_paths: 1167 description: List of paths to be excluded from the request. 1168 items: 1169 oneOf: 1170 - not: 1171 anyOf: 1172 - required: 1173 - exact 1174 - required: 1175 - prefix 1176 - required: 1177 - suffix 1178 - required: 1179 - regex 1180 - required: 1181 - exact 1182 - required: 1183 - prefix 1184 - required: 1185 - suffix 1186 - required: 1187 - regex 1188 properties: 1189 exact: 1190 description: exact string match. 1191 format: string 1192 type: string 1193 prefix: 1194 description: prefix-based match. 1195 format: string 1196 type: string 1197 regex: 1198 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1199 format: string 1200 type: string 1201 suffix: 1202 description: suffix-based match. 1203 format: string 1204 type: string 1205 type: object 1206 type: array 1207 excludedPaths: 1208 description: List of paths to be excluded from the request. 1209 items: 1210 oneOf: 1211 - not: 1212 anyOf: 1213 - required: 1214 - exact 1215 - required: 1216 - prefix 1217 - required: 1218 - suffix 1219 - required: 1220 - regex 1221 - required: 1222 - exact 1223 - required: 1224 - prefix 1225 - required: 1226 - suffix 1227 - required: 1228 - regex 1229 properties: 1230 exact: 1231 description: exact string match. 1232 format: string 1233 type: string 1234 prefix: 1235 description: prefix-based match. 1236 format: string 1237 type: string 1238 regex: 1239 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1240 format: string 1241 type: string 1242 suffix: 1243 description: suffix-based match. 1244 format: string 1245 type: string 1246 type: object 1247 type: array 1248 included_paths: 1249 description: List of paths that the request must include. 1250 items: 1251 oneOf: 1252 - not: 1253 anyOf: 1254 - required: 1255 - exact 1256 - required: 1257 - prefix 1258 - required: 1259 - suffix 1260 - required: 1261 - regex 1262 - required: 1263 - exact 1264 - required: 1265 - prefix 1266 - required: 1267 - suffix 1268 - required: 1269 - regex 1270 properties: 1271 exact: 1272 description: exact string match. 1273 format: string 1274 type: string 1275 prefix: 1276 description: prefix-based match. 1277 format: string 1278 type: string 1279 regex: 1280 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1281 format: string 1282 type: string 1283 suffix: 1284 description: suffix-based match. 1285 format: string 1286 type: string 1287 type: object 1288 type: array 1289 includedPaths: 1290 description: List of paths that the request must include. 1291 items: 1292 oneOf: 1293 - not: 1294 anyOf: 1295 - required: 1296 - exact 1297 - required: 1298 - prefix 1299 - required: 1300 - suffix 1301 - required: 1302 - regex 1303 - required: 1304 - exact 1305 - required: 1306 - prefix 1307 - required: 1308 - suffix 1309 - required: 1310 - regex 1311 properties: 1312 exact: 1313 description: exact string match. 1314 format: string 1315 type: string 1316 prefix: 1317 description: prefix-based match. 1318 format: string 1319 type: string 1320 regex: 1321 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1322 format: string 1323 type: string 1324 suffix: 1325 description: suffix-based match. 1326 format: string 1327 type: string 1328 type: object 1329 type: array 1330 type: object 1331 type: array 1332 type: object 1333 type: object 1334 type: array 1335 peerIsOptional: 1336 description: Deprecated. 1337 type: boolean 1338 peers: 1339 items: 1340 oneOf: 1341 - not: 1342 anyOf: 1343 - required: 1344 - mtls 1345 - properties: 1346 jwt: {} 1347 required: 1348 - jwt 1349 - required: 1350 - mtls 1351 - properties: 1352 jwt: {} 1353 required: 1354 - jwt 1355 properties: 1356 jwt: 1357 properties: 1358 audiences: 1359 items: 1360 format: string 1361 type: string 1362 type: array 1363 issuer: 1364 description: Identifies the issuer that issued the JWT. 1365 format: string 1366 type: string 1367 jwks: 1368 description: JSON Web Key Set of public keys to validate signature 1369 of the JWT. 1370 format: string 1371 type: string 1372 jwks_uri: 1373 format: string 1374 type: string 1375 jwksUri: 1376 format: string 1377 type: string 1378 jwt_headers: 1379 description: JWT is sent in a request header. 1380 items: 1381 format: string 1382 type: string 1383 type: array 1384 jwtHeaders: 1385 description: JWT is sent in a request header. 1386 items: 1387 format: string 1388 type: string 1389 type: array 1390 jwtParams: 1391 description: JWT is sent in a query parameter. 1392 items: 1393 format: string 1394 type: string 1395 type: array 1396 trigger_rules: 1397 items: 1398 properties: 1399 excluded_paths: 1400 description: List of paths to be excluded from the request. 1401 items: 1402 oneOf: 1403 - not: 1404 anyOf: 1405 - required: 1406 - exact 1407 - required: 1408 - prefix 1409 - required: 1410 - suffix 1411 - required: 1412 - regex 1413 - required: 1414 - exact 1415 - required: 1416 - prefix 1417 - required: 1418 - suffix 1419 - required: 1420 - regex 1421 properties: 1422 exact: 1423 description: exact string match. 1424 format: string 1425 type: string 1426 prefix: 1427 description: prefix-based match. 1428 format: string 1429 type: string 1430 regex: 1431 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1432 format: string 1433 type: string 1434 suffix: 1435 description: suffix-based match. 1436 format: string 1437 type: string 1438 type: object 1439 type: array 1440 excludedPaths: 1441 description: List of paths to be excluded from the request. 1442 items: 1443 oneOf: 1444 - not: 1445 anyOf: 1446 - required: 1447 - exact 1448 - required: 1449 - prefix 1450 - required: 1451 - suffix 1452 - required: 1453 - regex 1454 - required: 1455 - exact 1456 - required: 1457 - prefix 1458 - required: 1459 - suffix 1460 - required: 1461 - regex 1462 properties: 1463 exact: 1464 description: exact string match. 1465 format: string 1466 type: string 1467 prefix: 1468 description: prefix-based match. 1469 format: string 1470 type: string 1471 regex: 1472 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1473 format: string 1474 type: string 1475 suffix: 1476 description: suffix-based match. 1477 format: string 1478 type: string 1479 type: object 1480 type: array 1481 included_paths: 1482 description: List of paths that the request must include. 1483 items: 1484 oneOf: 1485 - not: 1486 anyOf: 1487 - required: 1488 - exact 1489 - required: 1490 - prefix 1491 - required: 1492 - suffix 1493 - required: 1494 - regex 1495 - required: 1496 - exact 1497 - required: 1498 - prefix 1499 - required: 1500 - suffix 1501 - required: 1502 - regex 1503 properties: 1504 exact: 1505 description: exact string match. 1506 format: string 1507 type: string 1508 prefix: 1509 description: prefix-based match. 1510 format: string 1511 type: string 1512 regex: 1513 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1514 format: string 1515 type: string 1516 suffix: 1517 description: suffix-based match. 1518 format: string 1519 type: string 1520 type: object 1521 type: array 1522 includedPaths: 1523 description: List of paths that the request must include. 1524 items: 1525 oneOf: 1526 - not: 1527 anyOf: 1528 - required: 1529 - exact 1530 - required: 1531 - prefix 1532 - required: 1533 - suffix 1534 - required: 1535 - regex 1536 - required: 1537 - exact 1538 - required: 1539 - prefix 1540 - required: 1541 - suffix 1542 - required: 1543 - regex 1544 properties: 1545 exact: 1546 description: exact string match. 1547 format: string 1548 type: string 1549 prefix: 1550 description: prefix-based match. 1551 format: string 1552 type: string 1553 regex: 1554 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1555 format: string 1556 type: string 1557 suffix: 1558 description: suffix-based match. 1559 format: string 1560 type: string 1561 type: object 1562 type: array 1563 type: object 1564 type: array 1565 triggerRules: 1566 items: 1567 properties: 1568 excluded_paths: 1569 description: List of paths to be excluded from the request. 1570 items: 1571 oneOf: 1572 - not: 1573 anyOf: 1574 - required: 1575 - exact 1576 - required: 1577 - prefix 1578 - required: 1579 - suffix 1580 - required: 1581 - regex 1582 - required: 1583 - exact 1584 - required: 1585 - prefix 1586 - required: 1587 - suffix 1588 - required: 1589 - regex 1590 properties: 1591 exact: 1592 description: exact string match. 1593 format: string 1594 type: string 1595 prefix: 1596 description: prefix-based match. 1597 format: string 1598 type: string 1599 regex: 1600 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1601 format: string 1602 type: string 1603 suffix: 1604 description: suffix-based match. 1605 format: string 1606 type: string 1607 type: object 1608 type: array 1609 excludedPaths: 1610 description: List of paths to be excluded from the request. 1611 items: 1612 oneOf: 1613 - not: 1614 anyOf: 1615 - required: 1616 - exact 1617 - required: 1618 - prefix 1619 - required: 1620 - suffix 1621 - required: 1622 - regex 1623 - required: 1624 - exact 1625 - required: 1626 - prefix 1627 - required: 1628 - suffix 1629 - required: 1630 - regex 1631 properties: 1632 exact: 1633 description: exact string match. 1634 format: string 1635 type: string 1636 prefix: 1637 description: prefix-based match. 1638 format: string 1639 type: string 1640 regex: 1641 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1642 format: string 1643 type: string 1644 suffix: 1645 description: suffix-based match. 1646 format: string 1647 type: string 1648 type: object 1649 type: array 1650 included_paths: 1651 description: List of paths that the request must include. 1652 items: 1653 oneOf: 1654 - not: 1655 anyOf: 1656 - required: 1657 - exact 1658 - required: 1659 - prefix 1660 - required: 1661 - suffix 1662 - required: 1663 - regex 1664 - required: 1665 - exact 1666 - required: 1667 - prefix 1668 - required: 1669 - suffix 1670 - required: 1671 - regex 1672 properties: 1673 exact: 1674 description: exact string match. 1675 format: string 1676 type: string 1677 prefix: 1678 description: prefix-based match. 1679 format: string 1680 type: string 1681 regex: 1682 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1683 format: string 1684 type: string 1685 suffix: 1686 description: suffix-based match. 1687 format: string 1688 type: string 1689 type: object 1690 type: array 1691 includedPaths: 1692 description: List of paths that the request must include. 1693 items: 1694 oneOf: 1695 - not: 1696 anyOf: 1697 - required: 1698 - exact 1699 - required: 1700 - prefix 1701 - required: 1702 - suffix 1703 - required: 1704 - regex 1705 - required: 1706 - exact 1707 - required: 1708 - prefix 1709 - required: 1710 - suffix 1711 - required: 1712 - regex 1713 properties: 1714 exact: 1715 description: exact string match. 1716 format: string 1717 type: string 1718 prefix: 1719 description: prefix-based match. 1720 format: string 1721 type: string 1722 regex: 1723 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1724 format: string 1725 type: string 1726 suffix: 1727 description: suffix-based match. 1728 format: string 1729 type: string 1730 type: object 1731 type: array 1732 type: object 1733 type: array 1734 type: object 1735 mtls: 1736 description: Set if mTLS is used. 1737 properties: 1738 allowTls: 1739 description: Deprecated. 1740 type: boolean 1741 mode: 1742 description: Defines the mode of mTLS authentication. 1743 enum: 1744 - STRICT 1745 - PERMISSIVE 1746 type: string 1747 type: object 1748 type: object 1749 type: array 1750 principalBinding: 1751 description: Deprecated. 1752 enum: 1753 - USE_PEER 1754 - USE_ORIGIN 1755 type: string 1756 targets: 1757 description: Deprecated. 1758 items: 1759 properties: 1760 name: 1761 description: The name must be a short name from the service registry. 1762 format: string 1763 type: string 1764 ports: 1765 description: Specifies the ports. 1766 items: 1767 oneOf: 1768 - not: 1769 anyOf: 1770 - required: 1771 - number 1772 - required: 1773 - name 1774 - required: 1775 - number 1776 - required: 1777 - name 1778 properties: 1779 name: 1780 format: string 1781 type: string 1782 number: 1783 type: integer 1784 type: object 1785 type: array 1786 type: object 1787 type: array 1788 type: object 1789 type: object 1790 versions: 1791 - name: v1alpha1 1792 served: true 1793 storage: true 1794--- 1795 1796 1797apiVersion: apiextensions.k8s.io/v1beta1 1798kind: CustomResourceDefinition 1799metadata: 1800 annotations: 1801 "helm.sh/resource-policy": keep 1802 labels: 1803 app: istio-citadel 1804 chart: istio 1805 heritage: Tiller 1806 release: istio 1807 name: policies.authentication.istio.io 1808spec: 1809 group: authentication.istio.io 1810 names: 1811 categories: 1812 - istio-io 1813 - authentication-istio-io 1814 kind: Policy 1815 listKind: PolicyList 1816 plural: policies 1817 singular: policy 1818 scope: Namespaced 1819 subresources: 1820 status: {} 1821 validation: 1822 openAPIV3Schema: 1823 properties: 1824 spec: 1825 description: 'See more details at:' 1826 properties: 1827 originIsOptional: 1828 description: Deprecated. 1829 type: boolean 1830 origins: 1831 description: Deprecated. 1832 items: 1833 properties: 1834 jwt: 1835 description: Jwt params for the method. 1836 properties: 1837 audiences: 1838 items: 1839 format: string 1840 type: string 1841 type: array 1842 issuer: 1843 description: Identifies the issuer that issued the JWT. 1844 format: string 1845 type: string 1846 jwks: 1847 description: JSON Web Key Set of public keys to validate signature 1848 of the JWT. 1849 format: string 1850 type: string 1851 jwks_uri: 1852 format: string 1853 type: string 1854 jwksUri: 1855 format: string 1856 type: string 1857 jwt_headers: 1858 description: JWT is sent in a request header. 1859 items: 1860 format: string 1861 type: string 1862 type: array 1863 jwtHeaders: 1864 description: JWT is sent in a request header. 1865 items: 1866 format: string 1867 type: string 1868 type: array 1869 jwtParams: 1870 description: JWT is sent in a query parameter. 1871 items: 1872 format: string 1873 type: string 1874 type: array 1875 trigger_rules: 1876 items: 1877 properties: 1878 excluded_paths: 1879 description: List of paths to be excluded from the request. 1880 items: 1881 oneOf: 1882 - not: 1883 anyOf: 1884 - required: 1885 - exact 1886 - required: 1887 - prefix 1888 - required: 1889 - suffix 1890 - required: 1891 - regex 1892 - required: 1893 - exact 1894 - required: 1895 - prefix 1896 - required: 1897 - suffix 1898 - required: 1899 - regex 1900 properties: 1901 exact: 1902 description: exact string match. 1903 format: string 1904 type: string 1905 prefix: 1906 description: prefix-based match. 1907 format: string 1908 type: string 1909 regex: 1910 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1911 format: string 1912 type: string 1913 suffix: 1914 description: suffix-based match. 1915 format: string 1916 type: string 1917 type: object 1918 type: array 1919 excludedPaths: 1920 description: List of paths to be excluded from the request. 1921 items: 1922 oneOf: 1923 - not: 1924 anyOf: 1925 - required: 1926 - exact 1927 - required: 1928 - prefix 1929 - required: 1930 - suffix 1931 - required: 1932 - regex 1933 - required: 1934 - exact 1935 - required: 1936 - prefix 1937 - required: 1938 - suffix 1939 - required: 1940 - regex 1941 properties: 1942 exact: 1943 description: exact string match. 1944 format: string 1945 type: string 1946 prefix: 1947 description: prefix-based match. 1948 format: string 1949 type: string 1950 regex: 1951 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1952 format: string 1953 type: string 1954 suffix: 1955 description: suffix-based match. 1956 format: string 1957 type: string 1958 type: object 1959 type: array 1960 included_paths: 1961 description: List of paths that the request must include. 1962 items: 1963 oneOf: 1964 - not: 1965 anyOf: 1966 - required: 1967 - exact 1968 - required: 1969 - prefix 1970 - required: 1971 - suffix 1972 - required: 1973 - regex 1974 - required: 1975 - exact 1976 - required: 1977 - prefix 1978 - required: 1979 - suffix 1980 - required: 1981 - regex 1982 properties: 1983 exact: 1984 description: exact string match. 1985 format: string 1986 type: string 1987 prefix: 1988 description: prefix-based match. 1989 format: string 1990 type: string 1991 regex: 1992 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 1993 format: string 1994 type: string 1995 suffix: 1996 description: suffix-based match. 1997 format: string 1998 type: string 1999 type: object 2000 type: array 2001 includedPaths: 2002 description: List of paths that the request must include. 2003 items: 2004 oneOf: 2005 - not: 2006 anyOf: 2007 - required: 2008 - exact 2009 - required: 2010 - prefix 2011 - required: 2012 - suffix 2013 - required: 2014 - regex 2015 - required: 2016 - exact 2017 - required: 2018 - prefix 2019 - required: 2020 - suffix 2021 - required: 2022 - regex 2023 properties: 2024 exact: 2025 description: exact string match. 2026 format: string 2027 type: string 2028 prefix: 2029 description: prefix-based match. 2030 format: string 2031 type: string 2032 regex: 2033 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2034 format: string 2035 type: string 2036 suffix: 2037 description: suffix-based match. 2038 format: string 2039 type: string 2040 type: object 2041 type: array 2042 type: object 2043 type: array 2044 triggerRules: 2045 items: 2046 properties: 2047 excluded_paths: 2048 description: List of paths to be excluded from the request. 2049 items: 2050 oneOf: 2051 - not: 2052 anyOf: 2053 - required: 2054 - exact 2055 - required: 2056 - prefix 2057 - required: 2058 - suffix 2059 - required: 2060 - regex 2061 - required: 2062 - exact 2063 - required: 2064 - prefix 2065 - required: 2066 - suffix 2067 - required: 2068 - regex 2069 properties: 2070 exact: 2071 description: exact string match. 2072 format: string 2073 type: string 2074 prefix: 2075 description: prefix-based match. 2076 format: string 2077 type: string 2078 regex: 2079 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2080 format: string 2081 type: string 2082 suffix: 2083 description: suffix-based match. 2084 format: string 2085 type: string 2086 type: object 2087 type: array 2088 excludedPaths: 2089 description: List of paths to be excluded from the request. 2090 items: 2091 oneOf: 2092 - not: 2093 anyOf: 2094 - required: 2095 - exact 2096 - required: 2097 - prefix 2098 - required: 2099 - suffix 2100 - required: 2101 - regex 2102 - required: 2103 - exact 2104 - required: 2105 - prefix 2106 - required: 2107 - suffix 2108 - required: 2109 - regex 2110 properties: 2111 exact: 2112 description: exact string match. 2113 format: string 2114 type: string 2115 prefix: 2116 description: prefix-based match. 2117 format: string 2118 type: string 2119 regex: 2120 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2121 format: string 2122 type: string 2123 suffix: 2124 description: suffix-based match. 2125 format: string 2126 type: string 2127 type: object 2128 type: array 2129 included_paths: 2130 description: List of paths that the request must include. 2131 items: 2132 oneOf: 2133 - not: 2134 anyOf: 2135 - required: 2136 - exact 2137 - required: 2138 - prefix 2139 - required: 2140 - suffix 2141 - required: 2142 - regex 2143 - required: 2144 - exact 2145 - required: 2146 - prefix 2147 - required: 2148 - suffix 2149 - required: 2150 - regex 2151 properties: 2152 exact: 2153 description: exact string match. 2154 format: string 2155 type: string 2156 prefix: 2157 description: prefix-based match. 2158 format: string 2159 type: string 2160 regex: 2161 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2162 format: string 2163 type: string 2164 suffix: 2165 description: suffix-based match. 2166 format: string 2167 type: string 2168 type: object 2169 type: array 2170 includedPaths: 2171 description: List of paths that the request must include. 2172 items: 2173 oneOf: 2174 - not: 2175 anyOf: 2176 - required: 2177 - exact 2178 - required: 2179 - prefix 2180 - required: 2181 - suffix 2182 - required: 2183 - regex 2184 - required: 2185 - exact 2186 - required: 2187 - prefix 2188 - required: 2189 - suffix 2190 - required: 2191 - regex 2192 properties: 2193 exact: 2194 description: exact string match. 2195 format: string 2196 type: string 2197 prefix: 2198 description: prefix-based match. 2199 format: string 2200 type: string 2201 regex: 2202 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2203 format: string 2204 type: string 2205 suffix: 2206 description: suffix-based match. 2207 format: string 2208 type: string 2209 type: object 2210 type: array 2211 type: object 2212 type: array 2213 type: object 2214 type: object 2215 type: array 2216 peerIsOptional: 2217 description: Deprecated. 2218 type: boolean 2219 peers: 2220 items: 2221 oneOf: 2222 - not: 2223 anyOf: 2224 - required: 2225 - mtls 2226 - properties: 2227 jwt: {} 2228 required: 2229 - jwt 2230 - required: 2231 - mtls 2232 - properties: 2233 jwt: {} 2234 required: 2235 - jwt 2236 properties: 2237 jwt: 2238 properties: 2239 audiences: 2240 items: 2241 format: string 2242 type: string 2243 type: array 2244 issuer: 2245 description: Identifies the issuer that issued the JWT. 2246 format: string 2247 type: string 2248 jwks: 2249 description: JSON Web Key Set of public keys to validate signature 2250 of the JWT. 2251 format: string 2252 type: string 2253 jwks_uri: 2254 format: string 2255 type: string 2256 jwksUri: 2257 format: string 2258 type: string 2259 jwt_headers: 2260 description: JWT is sent in a request header. 2261 items: 2262 format: string 2263 type: string 2264 type: array 2265 jwtHeaders: 2266 description: JWT is sent in a request header. 2267 items: 2268 format: string 2269 type: string 2270 type: array 2271 jwtParams: 2272 description: JWT is sent in a query parameter. 2273 items: 2274 format: string 2275 type: string 2276 type: array 2277 trigger_rules: 2278 items: 2279 properties: 2280 excluded_paths: 2281 description: List of paths to be excluded from the request. 2282 items: 2283 oneOf: 2284 - not: 2285 anyOf: 2286 - required: 2287 - exact 2288 - required: 2289 - prefix 2290 - required: 2291 - suffix 2292 - required: 2293 - regex 2294 - required: 2295 - exact 2296 - required: 2297 - prefix 2298 - required: 2299 - suffix 2300 - required: 2301 - regex 2302 properties: 2303 exact: 2304 description: exact string match. 2305 format: string 2306 type: string 2307 prefix: 2308 description: prefix-based match. 2309 format: string 2310 type: string 2311 regex: 2312 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2313 format: string 2314 type: string 2315 suffix: 2316 description: suffix-based match. 2317 format: string 2318 type: string 2319 type: object 2320 type: array 2321 excludedPaths: 2322 description: List of paths to be excluded from the request. 2323 items: 2324 oneOf: 2325 - not: 2326 anyOf: 2327 - required: 2328 - exact 2329 - required: 2330 - prefix 2331 - required: 2332 - suffix 2333 - required: 2334 - regex 2335 - required: 2336 - exact 2337 - required: 2338 - prefix 2339 - required: 2340 - suffix 2341 - required: 2342 - regex 2343 properties: 2344 exact: 2345 description: exact string match. 2346 format: string 2347 type: string 2348 prefix: 2349 description: prefix-based match. 2350 format: string 2351 type: string 2352 regex: 2353 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2354 format: string 2355 type: string 2356 suffix: 2357 description: suffix-based match. 2358 format: string 2359 type: string 2360 type: object 2361 type: array 2362 included_paths: 2363 description: List of paths that the request must include. 2364 items: 2365 oneOf: 2366 - not: 2367 anyOf: 2368 - required: 2369 - exact 2370 - required: 2371 - prefix 2372 - required: 2373 - suffix 2374 - required: 2375 - regex 2376 - required: 2377 - exact 2378 - required: 2379 - prefix 2380 - required: 2381 - suffix 2382 - required: 2383 - regex 2384 properties: 2385 exact: 2386 description: exact string match. 2387 format: string 2388 type: string 2389 prefix: 2390 description: prefix-based match. 2391 format: string 2392 type: string 2393 regex: 2394 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2395 format: string 2396 type: string 2397 suffix: 2398 description: suffix-based match. 2399 format: string 2400 type: string 2401 type: object 2402 type: array 2403 includedPaths: 2404 description: List of paths that the request must include. 2405 items: 2406 oneOf: 2407 - not: 2408 anyOf: 2409 - required: 2410 - exact 2411 - required: 2412 - prefix 2413 - required: 2414 - suffix 2415 - required: 2416 - regex 2417 - required: 2418 - exact 2419 - required: 2420 - prefix 2421 - required: 2422 - suffix 2423 - required: 2424 - regex 2425 properties: 2426 exact: 2427 description: exact string match. 2428 format: string 2429 type: string 2430 prefix: 2431 description: prefix-based match. 2432 format: string 2433 type: string 2434 regex: 2435 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2436 format: string 2437 type: string 2438 suffix: 2439 description: suffix-based match. 2440 format: string 2441 type: string 2442 type: object 2443 type: array 2444 type: object 2445 type: array 2446 triggerRules: 2447 items: 2448 properties: 2449 excluded_paths: 2450 description: List of paths to be excluded from the request. 2451 items: 2452 oneOf: 2453 - not: 2454 anyOf: 2455 - required: 2456 - exact 2457 - required: 2458 - prefix 2459 - required: 2460 - suffix 2461 - required: 2462 - regex 2463 - required: 2464 - exact 2465 - required: 2466 - prefix 2467 - required: 2468 - suffix 2469 - required: 2470 - regex 2471 properties: 2472 exact: 2473 description: exact string match. 2474 format: string 2475 type: string 2476 prefix: 2477 description: prefix-based match. 2478 format: string 2479 type: string 2480 regex: 2481 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2482 format: string 2483 type: string 2484 suffix: 2485 description: suffix-based match. 2486 format: string 2487 type: string 2488 type: object 2489 type: array 2490 excludedPaths: 2491 description: List of paths to be excluded from the request. 2492 items: 2493 oneOf: 2494 - not: 2495 anyOf: 2496 - required: 2497 - exact 2498 - required: 2499 - prefix 2500 - required: 2501 - suffix 2502 - required: 2503 - regex 2504 - required: 2505 - exact 2506 - required: 2507 - prefix 2508 - required: 2509 - suffix 2510 - required: 2511 - regex 2512 properties: 2513 exact: 2514 description: exact string match. 2515 format: string 2516 type: string 2517 prefix: 2518 description: prefix-based match. 2519 format: string 2520 type: string 2521 regex: 2522 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2523 format: string 2524 type: string 2525 suffix: 2526 description: suffix-based match. 2527 format: string 2528 type: string 2529 type: object 2530 type: array 2531 included_paths: 2532 description: List of paths that the request must include. 2533 items: 2534 oneOf: 2535 - not: 2536 anyOf: 2537 - required: 2538 - exact 2539 - required: 2540 - prefix 2541 - required: 2542 - suffix 2543 - required: 2544 - regex 2545 - required: 2546 - exact 2547 - required: 2548 - prefix 2549 - required: 2550 - suffix 2551 - required: 2552 - regex 2553 properties: 2554 exact: 2555 description: exact string match. 2556 format: string 2557 type: string 2558 prefix: 2559 description: prefix-based match. 2560 format: string 2561 type: string 2562 regex: 2563 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2564 format: string 2565 type: string 2566 suffix: 2567 description: suffix-based match. 2568 format: string 2569 type: string 2570 type: object 2571 type: array 2572 includedPaths: 2573 description: List of paths that the request must include. 2574 items: 2575 oneOf: 2576 - not: 2577 anyOf: 2578 - required: 2579 - exact 2580 - required: 2581 - prefix 2582 - required: 2583 - suffix 2584 - required: 2585 - regex 2586 - required: 2587 - exact 2588 - required: 2589 - prefix 2590 - required: 2591 - suffix 2592 - required: 2593 - regex 2594 properties: 2595 exact: 2596 description: exact string match. 2597 format: string 2598 type: string 2599 prefix: 2600 description: prefix-based match. 2601 format: string 2602 type: string 2603 regex: 2604 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 2605 format: string 2606 type: string 2607 suffix: 2608 description: suffix-based match. 2609 format: string 2610 type: string 2611 type: object 2612 type: array 2613 type: object 2614 type: array 2615 type: object 2616 mtls: 2617 description: Set if mTLS is used. 2618 properties: 2619 allowTls: 2620 description: Deprecated. 2621 type: boolean 2622 mode: 2623 description: Defines the mode of mTLS authentication. 2624 enum: 2625 - STRICT 2626 - PERMISSIVE 2627 type: string 2628 type: object 2629 type: object 2630 type: array 2631 principalBinding: 2632 description: Deprecated. 2633 enum: 2634 - USE_PEER 2635 - USE_ORIGIN 2636 type: string 2637 targets: 2638 description: Deprecated. 2639 items: 2640 properties: 2641 name: 2642 description: The name must be a short name from the service registry. 2643 format: string 2644 type: string 2645 ports: 2646 description: Specifies the ports. 2647 items: 2648 oneOf: 2649 - not: 2650 anyOf: 2651 - required: 2652 - number 2653 - required: 2654 - name 2655 - required: 2656 - number 2657 - required: 2658 - name 2659 properties: 2660 name: 2661 format: string 2662 type: string 2663 number: 2664 type: integer 2665 type: object 2666 type: array 2667 type: object 2668 type: array 2669 type: object 2670 type: object 2671 versions: 2672 - name: v1alpha1 2673 served: true 2674 storage: true 2675--- 2676 2677 2678apiVersion: apiextensions.k8s.io/v1beta1 2679kind: CustomResourceDefinition 2680metadata: 2681 annotations: 2682 "helm.sh/resource-policy": keep 2683 labels: 2684 app: istio-mixer 2685 chart: istio 2686 heritage: Tiller 2687 release: istio 2688 name: httpapispecs.config.istio.io 2689spec: 2690 group: config.istio.io 2691 names: 2692 categories: 2693 - istio-io 2694 - apim-istio-io 2695 kind: HTTPAPISpec 2696 listKind: HTTPAPISpecList 2697 plural: httpapispecs 2698 singular: httpapispec 2699 scope: Namespaced 2700 subresources: 2701 status: {} 2702 validation: 2703 openAPIV3Schema: 2704 properties: 2705 spec: 2706 properties: 2707 api_keys: 2708 items: 2709 oneOf: 2710 - not: 2711 anyOf: 2712 - required: 2713 - query 2714 - required: 2715 - header 2716 - required: 2717 - cookie 2718 - required: 2719 - query 2720 - required: 2721 - header 2722 - required: 2723 - cookie 2724 properties: 2725 cookie: 2726 format: string 2727 type: string 2728 header: 2729 description: API key is sent in a request header. 2730 format: string 2731 type: string 2732 query: 2733 description: API Key is sent as a query parameter. 2734 format: string 2735 type: string 2736 type: object 2737 type: array 2738 apiKeys: 2739 items: 2740 oneOf: 2741 - not: 2742 anyOf: 2743 - required: 2744 - query 2745 - required: 2746 - header 2747 - required: 2748 - cookie 2749 - required: 2750 - query 2751 - required: 2752 - header 2753 - required: 2754 - cookie 2755 properties: 2756 cookie: 2757 format: string 2758 type: string 2759 header: 2760 description: API key is sent in a request header. 2761 format: string 2762 type: string 2763 query: 2764 description: API Key is sent as a query parameter. 2765 format: string 2766 type: string 2767 type: object 2768 type: array 2769 attributes: 2770 properties: 2771 attributes: 2772 additionalProperties: 2773 oneOf: 2774 - not: 2775 anyOf: 2776 - required: 2777 - stringValue 2778 - required: 2779 - int64Value 2780 - required: 2781 - doubleValue 2782 - required: 2783 - boolValue 2784 - required: 2785 - bytesValue 2786 - required: 2787 - timestampValue 2788 - required: 2789 - durationValue 2790 - required: 2791 - stringMapValue 2792 - required: 2793 - stringValue 2794 - required: 2795 - int64Value 2796 - required: 2797 - doubleValue 2798 - required: 2799 - boolValue 2800 - required: 2801 - bytesValue 2802 - required: 2803 - timestampValue 2804 - required: 2805 - durationValue 2806 - required: 2807 - stringMapValue 2808 properties: 2809 boolValue: 2810 type: boolean 2811 bytesValue: 2812 format: binary 2813 type: string 2814 doubleValue: 2815 format: double 2816 type: number 2817 durationValue: 2818 type: string 2819 int64Value: 2820 format: int64 2821 type: integer 2822 stringMapValue: 2823 properties: 2824 entries: 2825 additionalProperties: 2826 format: string 2827 type: string 2828 description: Holds a set of name/value pairs. 2829 type: object 2830 type: object 2831 stringValue: 2832 format: string 2833 type: string 2834 timestampValue: 2835 format: dateTime 2836 type: string 2837 type: object 2838 description: A map of attribute name to its value. 2839 type: object 2840 type: object 2841 patterns: 2842 description: List of HTTP patterns to match. 2843 items: 2844 oneOf: 2845 - not: 2846 anyOf: 2847 - required: 2848 - uriTemplate 2849 - required: 2850 - regex 2851 - required: 2852 - uriTemplate 2853 - required: 2854 - regex 2855 properties: 2856 attributes: 2857 properties: 2858 attributes: 2859 additionalProperties: 2860 oneOf: 2861 - not: 2862 anyOf: 2863 - required: 2864 - stringValue 2865 - required: 2866 - int64Value 2867 - required: 2868 - doubleValue 2869 - required: 2870 - boolValue 2871 - required: 2872 - bytesValue 2873 - required: 2874 - timestampValue 2875 - required: 2876 - durationValue 2877 - required: 2878 - stringMapValue 2879 - required: 2880 - stringValue 2881 - required: 2882 - int64Value 2883 - required: 2884 - doubleValue 2885 - required: 2886 - boolValue 2887 - required: 2888 - bytesValue 2889 - required: 2890 - timestampValue 2891 - required: 2892 - durationValue 2893 - required: 2894 - stringMapValue 2895 properties: 2896 boolValue: 2897 type: boolean 2898 bytesValue: 2899 format: binary 2900 type: string 2901 doubleValue: 2902 format: double 2903 type: number 2904 durationValue: 2905 type: string 2906 int64Value: 2907 format: int64 2908 type: integer 2909 stringMapValue: 2910 properties: 2911 entries: 2912 additionalProperties: 2913 format: string 2914 type: string 2915 description: Holds a set of name/value pairs. 2916 type: object 2917 type: object 2918 stringValue: 2919 format: string 2920 type: string 2921 timestampValue: 2922 format: dateTime 2923 type: string 2924 type: object 2925 description: A map of attribute name to its value. 2926 type: object 2927 type: object 2928 httpMethod: 2929 format: string 2930 type: string 2931 regex: 2932 format: string 2933 type: string 2934 uriTemplate: 2935 format: string 2936 type: string 2937 type: object 2938 type: array 2939 type: object 2940 type: object 2941 versions: 2942 - name: v1alpha2 2943 served: true 2944 storage: true 2945--- 2946 2947 2948apiVersion: apiextensions.k8s.io/v1beta1 2949kind: CustomResourceDefinition 2950metadata: 2951 annotations: 2952 "helm.sh/resource-policy": keep 2953 labels: 2954 app: istio-mixer 2955 chart: istio 2956 heritage: Tiller 2957 release: istio 2958 name: httpapispecbindings.config.istio.io 2959spec: 2960 group: config.istio.io 2961 names: 2962 categories: 2963 - istio-io 2964 - apim-istio-io 2965 kind: HTTPAPISpecBinding 2966 listKind: HTTPAPISpecBindingList 2967 plural: httpapispecbindings 2968 singular: httpapispecbinding 2969 scope: Namespaced 2970 subresources: 2971 status: {} 2972 validation: 2973 openAPIV3Schema: 2974 properties: 2975 spec: 2976 properties: 2977 api_specs: 2978 items: 2979 properties: 2980 name: 2981 description: The short name of the HTTPAPISpec. 2982 format: string 2983 type: string 2984 namespace: 2985 description: Optional namespace of the HTTPAPISpec. 2986 format: string 2987 type: string 2988 type: object 2989 type: array 2990 apiSpecs: 2991 items: 2992 properties: 2993 name: 2994 description: The short name of the HTTPAPISpec. 2995 format: string 2996 type: string 2997 namespace: 2998 description: Optional namespace of the HTTPAPISpec. 2999 format: string 3000 type: string 3001 type: object 3002 type: array 3003 services: 3004 description: One or more services to map the listed HTTPAPISpec onto. 3005 items: 3006 properties: 3007 domain: 3008 description: Domain suffix used to construct the service FQDN 3009 in implementations that support such specification. 3010 format: string 3011 type: string 3012 labels: 3013 additionalProperties: 3014 format: string 3015 type: string 3016 description: Optional one or more labels that uniquely identify 3017 the service version. 3018 type: object 3019 name: 3020 description: The short name of the service such as "foo". 3021 format: string 3022 type: string 3023 namespace: 3024 description: Optional namespace of the service. 3025 format: string 3026 type: string 3027 service: 3028 description: The service FQDN. 3029 format: string 3030 type: string 3031 type: object 3032 type: array 3033 type: object 3034 type: object 3035 versions: 3036 - name: v1alpha2 3037 served: true 3038 storage: true 3039--- 3040 3041 3042apiVersion: apiextensions.k8s.io/v1beta1 3043kind: CustomResourceDefinition 3044metadata: 3045 annotations: 3046 "helm.sh/resource-policy": keep 3047 labels: 3048 app: istio-mixer 3049 chart: istio 3050 heritage: Tiller 3051 release: istio 3052 name: quotaspecs.config.istio.io 3053spec: 3054 group: config.istio.io 3055 names: 3056 categories: 3057 - istio-io 3058 - apim-istio-io 3059 kind: QuotaSpec 3060 listKind: QuotaSpecList 3061 plural: quotaspecs 3062 singular: quotaspec 3063 scope: Namespaced 3064 subresources: 3065 status: {} 3066 validation: 3067 openAPIV3Schema: 3068 properties: 3069 spec: 3070 description: Determines the quotas used for individual requests. 3071 properties: 3072 rules: 3073 description: A list of Quota rules. 3074 items: 3075 properties: 3076 match: 3077 description: If empty, match all request. 3078 items: 3079 properties: 3080 clause: 3081 additionalProperties: 3082 oneOf: 3083 - not: 3084 anyOf: 3085 - required: 3086 - exact 3087 - required: 3088 - prefix 3089 - required: 3090 - regex 3091 - required: 3092 - exact 3093 - required: 3094 - prefix 3095 - required: 3096 - regex 3097 properties: 3098 exact: 3099 format: string 3100 type: string 3101 prefix: 3102 format: string 3103 type: string 3104 regex: 3105 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 3106 format: string 3107 type: string 3108 type: object 3109 description: Map of attribute names to StringMatch type. 3110 type: object 3111 type: object 3112 type: array 3113 quotas: 3114 description: The list of quotas to charge. 3115 items: 3116 properties: 3117 charge: 3118 format: int32 3119 type: integer 3120 quota: 3121 format: string 3122 type: string 3123 type: object 3124 type: array 3125 type: object 3126 type: array 3127 type: object 3128 type: object 3129 versions: 3130 - name: v1alpha2 3131 served: true 3132 storage: true 3133--- 3134 3135 3136apiVersion: apiextensions.k8s.io/v1beta1 3137kind: CustomResourceDefinition 3138metadata: 3139 annotations: 3140 "helm.sh/resource-policy": keep 3141 labels: 3142 app: istio-mixer 3143 chart: istio 3144 heritage: Tiller 3145 release: istio 3146 name: quotaspecbindings.config.istio.io 3147spec: 3148 group: config.istio.io 3149 names: 3150 categories: 3151 - istio-io 3152 - apim-istio-io 3153 kind: QuotaSpecBinding 3154 listKind: QuotaSpecBindingList 3155 plural: quotaspecbindings 3156 singular: quotaspecbinding 3157 scope: Namespaced 3158 subresources: 3159 status: {} 3160 validation: 3161 openAPIV3Schema: 3162 properties: 3163 spec: 3164 properties: 3165 quotaSpecs: 3166 items: 3167 properties: 3168 name: 3169 description: The short name of the QuotaSpec. 3170 format: string 3171 type: string 3172 namespace: 3173 description: Optional namespace of the QuotaSpec. 3174 format: string 3175 type: string 3176 type: object 3177 type: array 3178 services: 3179 description: One or more services to map the listed QuotaSpec onto. 3180 items: 3181 properties: 3182 domain: 3183 description: Domain suffix used to construct the service FQDN 3184 in implementations that support such specification. 3185 format: string 3186 type: string 3187 labels: 3188 additionalProperties: 3189 format: string 3190 type: string 3191 description: Optional one or more labels that uniquely identify 3192 the service version. 3193 type: object 3194 name: 3195 description: The short name of the service such as "foo". 3196 format: string 3197 type: string 3198 namespace: 3199 description: Optional namespace of the service. 3200 format: string 3201 type: string 3202 service: 3203 description: The service FQDN. 3204 format: string 3205 type: string 3206 type: object 3207 type: array 3208 type: object 3209 type: object 3210 versions: 3211 - name: v1alpha2 3212 served: true 3213 storage: true 3214--- 3215 3216 3217apiVersion: apiextensions.k8s.io/v1beta1 3218kind: CustomResourceDefinition 3219metadata: 3220 annotations: 3221 "helm.sh/resource-policy": keep 3222 labels: 3223 app: istio-pilot 3224 chart: istio 3225 heritage: Tiller 3226 release: istio 3227 name: destinationrules.networking.istio.io 3228spec: 3229 additionalPrinterColumns: 3230 - JSONPath: .spec.host 3231 description: The name of a service from the service registry 3232 name: Host 3233 type: string 3234 - JSONPath: .metadata.creationTimestamp 3235 description: 'CreationTimestamp is a timestamp representing the server time when 3236 this object was created. It is not guaranteed to be set in happens-before order 3237 across separate operations. Clients may not set this value. It is represented 3238 in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 3239 lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 3240 name: Age 3241 type: date 3242 group: networking.istio.io 3243 names: 3244 categories: 3245 - istio-io 3246 - networking-istio-io 3247 kind: DestinationRule 3248 listKind: DestinationRuleList 3249 plural: destinationrules 3250 shortNames: 3251 - dr 3252 singular: destinationrule 3253 scope: Namespaced 3254 subresources: 3255 status: {} 3256 validation: 3257 openAPIV3Schema: 3258 properties: 3259 spec: 3260 description: 'Configuration affecting load balancing, outlier detection, 3261 etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' 3262 properties: 3263 exportTo: 3264 description: A list of namespaces to which this destination rule is 3265 exported. 3266 items: 3267 format: string 3268 type: string 3269 type: array 3270 host: 3271 description: The name of a service from the service registry. 3272 format: string 3273 type: string 3274 subsets: 3275 items: 3276 properties: 3277 labels: 3278 additionalProperties: 3279 format: string 3280 type: string 3281 type: object 3282 name: 3283 description: Name of the subset. 3284 format: string 3285 type: string 3286 trafficPolicy: 3287 description: Traffic policies that apply to this subset. 3288 properties: 3289 connectionPool: 3290 properties: 3291 http: 3292 description: HTTP connection pool settings. 3293 properties: 3294 h2UpgradePolicy: 3295 description: Specify if http1.1 connection should 3296 be upgraded to http2 for the associated destination. 3297 enum: 3298 - DEFAULT 3299 - DO_NOT_UPGRADE 3300 - UPGRADE 3301 type: string 3302 http1MaxPendingRequests: 3303 description: Maximum number of pending HTTP requests 3304 to a destination. 3305 format: int32 3306 type: integer 3307 http2MaxRequests: 3308 description: Maximum number of requests to a backend. 3309 format: int32 3310 type: integer 3311 idleTimeout: 3312 description: The idle timeout for upstream connection 3313 pool connections. 3314 type: string 3315 maxRequestsPerConnection: 3316 description: Maximum number of requests per connection 3317 to a backend. 3318 format: int32 3319 type: integer 3320 maxRetries: 3321 format: int32 3322 type: integer 3323 type: object 3324 tcp: 3325 description: Settings common to both HTTP and TCP upstream 3326 connections. 3327 properties: 3328 connectTimeout: 3329 description: TCP connection timeout. 3330 type: string 3331 maxConnections: 3332 description: Maximum number of HTTP1 /TCP connections 3333 to a destination host. 3334 format: int32 3335 type: integer 3336 tcpKeepalive: 3337 description: If set then set SO_KEEPALIVE on the socket 3338 to enable TCP Keepalives. 3339 properties: 3340 interval: 3341 description: The time duration between keep-alive 3342 probes. 3343 type: string 3344 probes: 3345 type: integer 3346 time: 3347 type: string 3348 type: object 3349 type: object 3350 type: object 3351 loadBalancer: 3352 description: Settings controlling the load balancer algorithms. 3353 oneOf: 3354 - not: 3355 anyOf: 3356 - required: 3357 - simple 3358 - properties: 3359 consistentHash: 3360 oneOf: 3361 - not: 3362 anyOf: 3363 - required: 3364 - httpHeaderName 3365 - required: 3366 - httpCookie 3367 - required: 3368 - useSourceIp 3369 - required: 3370 - httpQueryParameterName 3371 - required: 3372 - httpHeaderName 3373 - required: 3374 - httpCookie 3375 - required: 3376 - useSourceIp 3377 - required: 3378 - httpQueryParameterName 3379 required: 3380 - consistentHash 3381 - required: 3382 - simple 3383 - properties: 3384 consistentHash: 3385 oneOf: 3386 - not: 3387 anyOf: 3388 - required: 3389 - httpHeaderName 3390 - required: 3391 - httpCookie 3392 - required: 3393 - useSourceIp 3394 - required: 3395 - httpQueryParameterName 3396 - required: 3397 - httpHeaderName 3398 - required: 3399 - httpCookie 3400 - required: 3401 - useSourceIp 3402 - required: 3403 - httpQueryParameterName 3404 required: 3405 - consistentHash 3406 properties: 3407 consistentHash: 3408 properties: 3409 httpCookie: 3410 description: Hash based on HTTP cookie. 3411 properties: 3412 name: 3413 description: Name of the cookie. 3414 format: string 3415 type: string 3416 path: 3417 description: Path to set for the cookie. 3418 format: string 3419 type: string 3420 ttl: 3421 description: Lifetime of the cookie. 3422 type: string 3423 type: object 3424 httpHeaderName: 3425 description: Hash based on a specific HTTP header. 3426 format: string 3427 type: string 3428 httpQueryParameterName: 3429 description: Hash based on a specific HTTP query parameter. 3430 format: string 3431 type: string 3432 minimumRingSize: 3433 type: integer 3434 useSourceIp: 3435 description: Hash based on the source IP address. 3436 type: boolean 3437 type: object 3438 localityLbSetting: 3439 properties: 3440 distribute: 3441 description: 'Optional: only one of distribute or 3442 failover can be set.' 3443 items: 3444 properties: 3445 from: 3446 description: Originating locality, '/' separated, 3447 e.g. 3448 format: string 3449 type: string 3450 to: 3451 additionalProperties: 3452 type: integer 3453 description: Map of upstream localities to traffic 3454 distribution weights. 3455 type: object 3456 type: object 3457 type: array 3458 enabled: 3459 description: enable locality load balancing, this 3460 is DestinationRule-level and will override mesh 3461 wide settings in entirety. 3462 type: boolean 3463 failover: 3464 description: 'Optional: only failover or distribute 3465 can be set.' 3466 items: 3467 properties: 3468 from: 3469 description: Originating region. 3470 format: string 3471 type: string 3472 to: 3473 format: string 3474 type: string 3475 type: object 3476 type: array 3477 type: object 3478 simple: 3479 enum: 3480 - ROUND_ROBIN 3481 - LEAST_CONN 3482 - RANDOM 3483 - PASSTHROUGH 3484 type: string 3485 type: object 3486 outlierDetection: 3487 properties: 3488 baseEjectionTime: 3489 description: Minimum ejection duration. 3490 type: string 3491 consecutive5xxErrors: 3492 description: Number of 5xx errors before a host is ejected 3493 from the connection pool. 3494 type: integer 3495 consecutiveErrors: 3496 format: int32 3497 type: integer 3498 consecutiveGatewayErrors: 3499 description: Number of gateway errors before a host is 3500 ejected from the connection pool. 3501 type: integer 3502 interval: 3503 description: Time interval between ejection sweep analysis. 3504 type: string 3505 maxEjectionPercent: 3506 format: int32 3507 type: integer 3508 minHealthPercent: 3509 format: int32 3510 type: integer 3511 type: object 3512 portLevelSettings: 3513 description: Traffic policies specific to individual ports. 3514 items: 3515 properties: 3516 connectionPool: 3517 properties: 3518 http: 3519 description: HTTP connection pool settings. 3520 properties: 3521 h2UpgradePolicy: 3522 description: Specify if http1.1 connection should 3523 be upgraded to http2 for the associated destination. 3524 enum: 3525 - DEFAULT 3526 - DO_NOT_UPGRADE 3527 - UPGRADE 3528 type: string 3529 http1MaxPendingRequests: 3530 description: Maximum number of pending HTTP 3531 requests to a destination. 3532 format: int32 3533 type: integer 3534 http2MaxRequests: 3535 description: Maximum number of requests to a 3536 backend. 3537 format: int32 3538 type: integer 3539 idleTimeout: 3540 description: The idle timeout for upstream connection 3541 pool connections. 3542 type: string 3543 maxRequestsPerConnection: 3544 description: Maximum number of requests per 3545 connection to a backend. 3546 format: int32 3547 type: integer 3548 maxRetries: 3549 format: int32 3550 type: integer 3551 type: object 3552 tcp: 3553 description: Settings common to both HTTP and TCP 3554 upstream connections. 3555 properties: 3556 connectTimeout: 3557 description: TCP connection timeout. 3558 type: string 3559 maxConnections: 3560 description: Maximum number of HTTP1 /TCP connections 3561 to a destination host. 3562 format: int32 3563 type: integer 3564 tcpKeepalive: 3565 description: If set then set SO_KEEPALIVE on 3566 the socket to enable TCP Keepalives. 3567 properties: 3568 interval: 3569 description: The time duration between keep-alive 3570 probes. 3571 type: string 3572 probes: 3573 type: integer 3574 time: 3575 type: string 3576 type: object 3577 type: object 3578 type: object 3579 loadBalancer: 3580 description: Settings controlling the load balancer 3581 algorithms. 3582 oneOf: 3583 - not: 3584 anyOf: 3585 - required: 3586 - simple 3587 - properties: 3588 consistentHash: 3589 oneOf: 3590 - not: 3591 anyOf: 3592 - required: 3593 - httpHeaderName 3594 - required: 3595 - httpCookie 3596 - required: 3597 - useSourceIp 3598 - required: 3599 - httpQueryParameterName 3600 - required: 3601 - httpHeaderName 3602 - required: 3603 - httpCookie 3604 - required: 3605 - useSourceIp 3606 - required: 3607 - httpQueryParameterName 3608 required: 3609 - consistentHash 3610 - required: 3611 - simple 3612 - properties: 3613 consistentHash: 3614 oneOf: 3615 - not: 3616 anyOf: 3617 - required: 3618 - httpHeaderName 3619 - required: 3620 - httpCookie 3621 - required: 3622 - useSourceIp 3623 - required: 3624 - httpQueryParameterName 3625 - required: 3626 - httpHeaderName 3627 - required: 3628 - httpCookie 3629 - required: 3630 - useSourceIp 3631 - required: 3632 - httpQueryParameterName 3633 required: 3634 - consistentHash 3635 properties: 3636 consistentHash: 3637 properties: 3638 httpCookie: 3639 description: Hash based on HTTP cookie. 3640 properties: 3641 name: 3642 description: Name of the cookie. 3643 format: string 3644 type: string 3645 path: 3646 description: Path to set for the cookie. 3647 format: string 3648 type: string 3649 ttl: 3650 description: Lifetime of the cookie. 3651 type: string 3652 type: object 3653 httpHeaderName: 3654 description: Hash based on a specific HTTP header. 3655 format: string 3656 type: string 3657 httpQueryParameterName: 3658 description: Hash based on a specific HTTP query 3659 parameter. 3660 format: string 3661 type: string 3662 minimumRingSize: 3663 type: integer 3664 useSourceIp: 3665 description: Hash based on the source IP address. 3666 type: boolean 3667 type: object 3668 localityLbSetting: 3669 properties: 3670 distribute: 3671 description: 'Optional: only one of distribute 3672 or failover can be set.' 3673 items: 3674 properties: 3675 from: 3676 description: Originating locality, '/' 3677 separated, e.g. 3678 format: string 3679 type: string 3680 to: 3681 additionalProperties: 3682 type: integer 3683 description: Map of upstream localities 3684 to traffic distribution weights. 3685 type: object 3686 type: object 3687 type: array 3688 enabled: 3689 description: enable locality load balancing, 3690 this is DestinationRule-level and will override 3691 mesh wide settings in entirety. 3692 type: boolean 3693 failover: 3694 description: 'Optional: only failover or distribute 3695 can be set.' 3696 items: 3697 properties: 3698 from: 3699 description: Originating region. 3700 format: string 3701 type: string 3702 to: 3703 format: string 3704 type: string 3705 type: object 3706 type: array 3707 type: object 3708 simple: 3709 enum: 3710 - ROUND_ROBIN 3711 - LEAST_CONN 3712 - RANDOM 3713 - PASSTHROUGH 3714 type: string 3715 type: object 3716 outlierDetection: 3717 properties: 3718 baseEjectionTime: 3719 description: Minimum ejection duration. 3720 type: string 3721 consecutive5xxErrors: 3722 description: Number of 5xx errors before a host 3723 is ejected from the connection pool. 3724 type: integer 3725 consecutiveErrors: 3726 format: int32 3727 type: integer 3728 consecutiveGatewayErrors: 3729 description: Number of gateway errors before a host 3730 is ejected from the connection pool. 3731 type: integer 3732 interval: 3733 description: Time interval between ejection sweep 3734 analysis. 3735 type: string 3736 maxEjectionPercent: 3737 format: int32 3738 type: integer 3739 minHealthPercent: 3740 format: int32 3741 type: integer 3742 type: object 3743 port: 3744 properties: 3745 number: 3746 type: integer 3747 type: object 3748 tls: 3749 description: TLS related settings for connections to 3750 the upstream service. 3751 properties: 3752 caCertificates: 3753 format: string 3754 type: string 3755 clientCertificate: 3756 description: REQUIRED if mode is `MUTUAL`. 3757 format: string 3758 type: string 3759 mode: 3760 enum: 3761 - DISABLE 3762 - SIMPLE 3763 - MUTUAL 3764 - ISTIO_MUTUAL 3765 type: string 3766 privateKey: 3767 description: REQUIRED if mode is `MUTUAL`. 3768 format: string 3769 type: string 3770 sni: 3771 description: SNI string to present to the server 3772 during TLS handshake. 3773 format: string 3774 type: string 3775 subjectAltNames: 3776 items: 3777 format: string 3778 type: string 3779 type: array 3780 type: object 3781 type: object 3782 type: array 3783 tls: 3784 description: TLS related settings for connections to the upstream 3785 service. 3786 properties: 3787 caCertificates: 3788 format: string 3789 type: string 3790 clientCertificate: 3791 description: REQUIRED if mode is `MUTUAL`. 3792 format: string 3793 type: string 3794 mode: 3795 enum: 3796 - DISABLE 3797 - SIMPLE 3798 - MUTUAL 3799 - ISTIO_MUTUAL 3800 type: string 3801 privateKey: 3802 description: REQUIRED if mode is `MUTUAL`. 3803 format: string 3804 type: string 3805 sni: 3806 description: SNI string to present to the server during 3807 TLS handshake. 3808 format: string 3809 type: string 3810 subjectAltNames: 3811 items: 3812 format: string 3813 type: string 3814 type: array 3815 type: object 3816 type: object 3817 type: object 3818 type: array 3819 trafficPolicy: 3820 properties: 3821 connectionPool: 3822 properties: 3823 http: 3824 description: HTTP connection pool settings. 3825 properties: 3826 h2UpgradePolicy: 3827 description: Specify if http1.1 connection should be upgraded 3828 to http2 for the associated destination. 3829 enum: 3830 - DEFAULT 3831 - DO_NOT_UPGRADE 3832 - UPGRADE 3833 type: string 3834 http1MaxPendingRequests: 3835 description: Maximum number of pending HTTP requests to 3836 a destination. 3837 format: int32 3838 type: integer 3839 http2MaxRequests: 3840 description: Maximum number of requests to a backend. 3841 format: int32 3842 type: integer 3843 idleTimeout: 3844 description: The idle timeout for upstream connection pool 3845 connections. 3846 type: string 3847 maxRequestsPerConnection: 3848 description: Maximum number of requests per connection to 3849 a backend. 3850 format: int32 3851 type: integer 3852 maxRetries: 3853 format: int32 3854 type: integer 3855 type: object 3856 tcp: 3857 description: Settings common to both HTTP and TCP upstream connections. 3858 properties: 3859 connectTimeout: 3860 description: TCP connection timeout. 3861 type: string 3862 maxConnections: 3863 description: Maximum number of HTTP1 /TCP connections to 3864 a destination host. 3865 format: int32 3866 type: integer 3867 tcpKeepalive: 3868 description: If set then set SO_KEEPALIVE on the socket 3869 to enable TCP Keepalives. 3870 properties: 3871 interval: 3872 description: The time duration between keep-alive probes. 3873 type: string 3874 probes: 3875 type: integer 3876 time: 3877 type: string 3878 type: object 3879 type: object 3880 type: object 3881 loadBalancer: 3882 description: Settings controlling the load balancer algorithms. 3883 oneOf: 3884 - not: 3885 anyOf: 3886 - required: 3887 - simple 3888 - properties: 3889 consistentHash: 3890 oneOf: 3891 - not: 3892 anyOf: 3893 - required: 3894 - httpHeaderName 3895 - required: 3896 - httpCookie 3897 - required: 3898 - useSourceIp 3899 - required: 3900 - httpQueryParameterName 3901 - required: 3902 - httpHeaderName 3903 - required: 3904 - httpCookie 3905 - required: 3906 - useSourceIp 3907 - required: 3908 - httpQueryParameterName 3909 required: 3910 - consistentHash 3911 - required: 3912 - simple 3913 - properties: 3914 consistentHash: 3915 oneOf: 3916 - not: 3917 anyOf: 3918 - required: 3919 - httpHeaderName 3920 - required: 3921 - httpCookie 3922 - required: 3923 - useSourceIp 3924 - required: 3925 - httpQueryParameterName 3926 - required: 3927 - httpHeaderName 3928 - required: 3929 - httpCookie 3930 - required: 3931 - useSourceIp 3932 - required: 3933 - httpQueryParameterName 3934 required: 3935 - consistentHash 3936 properties: 3937 consistentHash: 3938 properties: 3939 httpCookie: 3940 description: Hash based on HTTP cookie. 3941 properties: 3942 name: 3943 description: Name of the cookie. 3944 format: string 3945 type: string 3946 path: 3947 description: Path to set for the cookie. 3948 format: string 3949 type: string 3950 ttl: 3951 description: Lifetime of the cookie. 3952 type: string 3953 type: object 3954 httpHeaderName: 3955 description: Hash based on a specific HTTP header. 3956 format: string 3957 type: string 3958 httpQueryParameterName: 3959 description: Hash based on a specific HTTP query parameter. 3960 format: string 3961 type: string 3962 minimumRingSize: 3963 type: integer 3964 useSourceIp: 3965 description: Hash based on the source IP address. 3966 type: boolean 3967 type: object 3968 localityLbSetting: 3969 properties: 3970 distribute: 3971 description: 'Optional: only one of distribute or failover 3972 can be set.' 3973 items: 3974 properties: 3975 from: 3976 description: Originating locality, '/' separated, 3977 e.g. 3978 format: string 3979 type: string 3980 to: 3981 additionalProperties: 3982 type: integer 3983 description: Map of upstream localities to traffic 3984 distribution weights. 3985 type: object 3986 type: object 3987 type: array 3988 enabled: 3989 description: enable locality load balancing, this is DestinationRule-level 3990 and will override mesh wide settings in entirety. 3991 type: boolean 3992 failover: 3993 description: 'Optional: only failover or distribute can 3994 be set.' 3995 items: 3996 properties: 3997 from: 3998 description: Originating region. 3999 format: string 4000 type: string 4001 to: 4002 format: string 4003 type: string 4004 type: object 4005 type: array 4006 type: object 4007 simple: 4008 enum: 4009 - ROUND_ROBIN 4010 - LEAST_CONN 4011 - RANDOM 4012 - PASSTHROUGH 4013 type: string 4014 type: object 4015 outlierDetection: 4016 properties: 4017 baseEjectionTime: 4018 description: Minimum ejection duration. 4019 type: string 4020 consecutive5xxErrors: 4021 description: Number of 5xx errors before a host is ejected from 4022 the connection pool. 4023 type: integer 4024 consecutiveErrors: 4025 format: int32 4026 type: integer 4027 consecutiveGatewayErrors: 4028 description: Number of gateway errors before a host is ejected 4029 from the connection pool. 4030 type: integer 4031 interval: 4032 description: Time interval between ejection sweep analysis. 4033 type: string 4034 maxEjectionPercent: 4035 format: int32 4036 type: integer 4037 minHealthPercent: 4038 format: int32 4039 type: integer 4040 type: object 4041 portLevelSettings: 4042 description: Traffic policies specific to individual ports. 4043 items: 4044 properties: 4045 connectionPool: 4046 properties: 4047 http: 4048 description: HTTP connection pool settings. 4049 properties: 4050 h2UpgradePolicy: 4051 description: Specify if http1.1 connection should 4052 be upgraded to http2 for the associated destination. 4053 enum: 4054 - DEFAULT 4055 - DO_NOT_UPGRADE 4056 - UPGRADE 4057 type: string 4058 http1MaxPendingRequests: 4059 description: Maximum number of pending HTTP requests 4060 to a destination. 4061 format: int32 4062 type: integer 4063 http2MaxRequests: 4064 description: Maximum number of requests to a backend. 4065 format: int32 4066 type: integer 4067 idleTimeout: 4068 description: The idle timeout for upstream connection 4069 pool connections. 4070 type: string 4071 maxRequestsPerConnection: 4072 description: Maximum number of requests per connection 4073 to a backend. 4074 format: int32 4075 type: integer 4076 maxRetries: 4077 format: int32 4078 type: integer 4079 type: object 4080 tcp: 4081 description: Settings common to both HTTP and TCP upstream 4082 connections. 4083 properties: 4084 connectTimeout: 4085 description: TCP connection timeout. 4086 type: string 4087 maxConnections: 4088 description: Maximum number of HTTP1 /TCP connections 4089 to a destination host. 4090 format: int32 4091 type: integer 4092 tcpKeepalive: 4093 description: If set then set SO_KEEPALIVE on the socket 4094 to enable TCP Keepalives. 4095 properties: 4096 interval: 4097 description: The time duration between keep-alive 4098 probes. 4099 type: string 4100 probes: 4101 type: integer 4102 time: 4103 type: string 4104 type: object 4105 type: object 4106 type: object 4107 loadBalancer: 4108 description: Settings controlling the load balancer algorithms. 4109 oneOf: 4110 - not: 4111 anyOf: 4112 - required: 4113 - simple 4114 - properties: 4115 consistentHash: 4116 oneOf: 4117 - not: 4118 anyOf: 4119 - required: 4120 - httpHeaderName 4121 - required: 4122 - httpCookie 4123 - required: 4124 - useSourceIp 4125 - required: 4126 - httpQueryParameterName 4127 - required: 4128 - httpHeaderName 4129 - required: 4130 - httpCookie 4131 - required: 4132 - useSourceIp 4133 - required: 4134 - httpQueryParameterName 4135 required: 4136 - consistentHash 4137 - required: 4138 - simple 4139 - properties: 4140 consistentHash: 4141 oneOf: 4142 - not: 4143 anyOf: 4144 - required: 4145 - httpHeaderName 4146 - required: 4147 - httpCookie 4148 - required: 4149 - useSourceIp 4150 - required: 4151 - httpQueryParameterName 4152 - required: 4153 - httpHeaderName 4154 - required: 4155 - httpCookie 4156 - required: 4157 - useSourceIp 4158 - required: 4159 - httpQueryParameterName 4160 required: 4161 - consistentHash 4162 properties: 4163 consistentHash: 4164 properties: 4165 httpCookie: 4166 description: Hash based on HTTP cookie. 4167 properties: 4168 name: 4169 description: Name of the cookie. 4170 format: string 4171 type: string 4172 path: 4173 description: Path to set for the cookie. 4174 format: string 4175 type: string 4176 ttl: 4177 description: Lifetime of the cookie. 4178 type: string 4179 type: object 4180 httpHeaderName: 4181 description: Hash based on a specific HTTP header. 4182 format: string 4183 type: string 4184 httpQueryParameterName: 4185 description: Hash based on a specific HTTP query parameter. 4186 format: string 4187 type: string 4188 minimumRingSize: 4189 type: integer 4190 useSourceIp: 4191 description: Hash based on the source IP address. 4192 type: boolean 4193 type: object 4194 localityLbSetting: 4195 properties: 4196 distribute: 4197 description: 'Optional: only one of distribute or 4198 failover can be set.' 4199 items: 4200 properties: 4201 from: 4202 description: Originating locality, '/' separated, 4203 e.g. 4204 format: string 4205 type: string 4206 to: 4207 additionalProperties: 4208 type: integer 4209 description: Map of upstream localities to traffic 4210 distribution weights. 4211 type: object 4212 type: object 4213 type: array 4214 enabled: 4215 description: enable locality load balancing, this 4216 is DestinationRule-level and will override mesh 4217 wide settings in entirety. 4218 type: boolean 4219 failover: 4220 description: 'Optional: only failover or distribute 4221 can be set.' 4222 items: 4223 properties: 4224 from: 4225 description: Originating region. 4226 format: string 4227 type: string 4228 to: 4229 format: string 4230 type: string 4231 type: object 4232 type: array 4233 type: object 4234 simple: 4235 enum: 4236 - ROUND_ROBIN 4237 - LEAST_CONN 4238 - RANDOM 4239 - PASSTHROUGH 4240 type: string 4241 type: object 4242 outlierDetection: 4243 properties: 4244 baseEjectionTime: 4245 description: Minimum ejection duration. 4246 type: string 4247 consecutive5xxErrors: 4248 description: Number of 5xx errors before a host is ejected 4249 from the connection pool. 4250 type: integer 4251 consecutiveErrors: 4252 format: int32 4253 type: integer 4254 consecutiveGatewayErrors: 4255 description: Number of gateway errors before a host is 4256 ejected from the connection pool. 4257 type: integer 4258 interval: 4259 description: Time interval between ejection sweep analysis. 4260 type: string 4261 maxEjectionPercent: 4262 format: int32 4263 type: integer 4264 minHealthPercent: 4265 format: int32 4266 type: integer 4267 type: object 4268 port: 4269 properties: 4270 number: 4271 type: integer 4272 type: object 4273 tls: 4274 description: TLS related settings for connections to the upstream 4275 service. 4276 properties: 4277 caCertificates: 4278 format: string 4279 type: string 4280 clientCertificate: 4281 description: REQUIRED if mode is `MUTUAL`. 4282 format: string 4283 type: string 4284 mode: 4285 enum: 4286 - DISABLE 4287 - SIMPLE 4288 - MUTUAL 4289 - ISTIO_MUTUAL 4290 type: string 4291 privateKey: 4292 description: REQUIRED if mode is `MUTUAL`. 4293 format: string 4294 type: string 4295 sni: 4296 description: SNI string to present to the server during 4297 TLS handshake. 4298 format: string 4299 type: string 4300 subjectAltNames: 4301 items: 4302 format: string 4303 type: string 4304 type: array 4305 type: object 4306 type: object 4307 type: array 4308 tls: 4309 description: TLS related settings for connections to the upstream 4310 service. 4311 properties: 4312 caCertificates: 4313 format: string 4314 type: string 4315 clientCertificate: 4316 description: REQUIRED if mode is `MUTUAL`. 4317 format: string 4318 type: string 4319 mode: 4320 enum: 4321 - DISABLE 4322 - SIMPLE 4323 - MUTUAL 4324 - ISTIO_MUTUAL 4325 type: string 4326 privateKey: 4327 description: REQUIRED if mode is `MUTUAL`. 4328 format: string 4329 type: string 4330 sni: 4331 description: SNI string to present to the server during TLS 4332 handshake. 4333 format: string 4334 type: string 4335 subjectAltNames: 4336 items: 4337 format: string 4338 type: string 4339 type: array 4340 type: object 4341 type: object 4342 type: object 4343 type: object 4344 versions: 4345 - name: v1alpha3 4346 served: true 4347 storage: true 4348 - name: v1beta1 4349 served: true 4350 storage: false 4351--- 4352 4353 4354apiVersion: apiextensions.k8s.io/v1beta1 4355kind: CustomResourceDefinition 4356metadata: 4357 annotations: 4358 "helm.sh/resource-policy": keep 4359 labels: 4360 app: istio-pilot 4361 chart: istio 4362 heritage: Tiller 4363 release: istio 4364 name: envoyfilters.networking.istio.io 4365spec: 4366 group: networking.istio.io 4367 names: 4368 categories: 4369 - istio-io 4370 - networking-istio-io 4371 kind: EnvoyFilter 4372 listKind: EnvoyFilterList 4373 plural: envoyfilters 4374 singular: envoyfilter 4375 scope: Namespaced 4376 subresources: 4377 status: {} 4378 validation: 4379 openAPIV3Schema: 4380 properties: 4381 spec: 4382 description: 'Customizing Envoy configuration generated by Istio. See more 4383 details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' 4384 properties: 4385 configPatches: 4386 description: One or more patches with match conditions. 4387 items: 4388 properties: 4389 applyTo: 4390 enum: 4391 - INVALID 4392 - LISTENER 4393 - FILTER_CHAIN 4394 - NETWORK_FILTER 4395 - HTTP_FILTER 4396 - ROUTE_CONFIGURATION 4397 - VIRTUAL_HOST 4398 - HTTP_ROUTE 4399 - CLUSTER 4400 type: string 4401 match: 4402 description: Match on listener/route configuration/cluster. 4403 oneOf: 4404 - not: 4405 anyOf: 4406 - required: 4407 - listener 4408 - required: 4409 - routeConfiguration 4410 - required: 4411 - cluster 4412 - required: 4413 - listener 4414 - required: 4415 - routeConfiguration 4416 - required: 4417 - cluster 4418 properties: 4419 cluster: 4420 description: Match on envoy cluster attributes. 4421 properties: 4422 name: 4423 description: The exact name of the cluster to match. 4424 format: string 4425 type: string 4426 portNumber: 4427 description: The service port for which this cluster was 4428 generated. 4429 type: integer 4430 service: 4431 description: The fully qualified service name for this 4432 cluster. 4433 format: string 4434 type: string 4435 subset: 4436 description: The subset associated with the service. 4437 format: string 4438 type: string 4439 type: object 4440 context: 4441 description: The specific config generation context to match 4442 on. 4443 enum: 4444 - ANY 4445 - SIDECAR_INBOUND 4446 - SIDECAR_OUTBOUND 4447 - GATEWAY 4448 type: string 4449 listener: 4450 description: Match on envoy listener attributes. 4451 properties: 4452 filterChain: 4453 description: Match a specific filter chain in a listener. 4454 properties: 4455 applicationProtocols: 4456 description: Applies only to sidecars. 4457 format: string 4458 type: string 4459 filter: 4460 description: The name of a specific filter to apply 4461 the patch to. 4462 properties: 4463 name: 4464 description: The filter name to match on. 4465 format: string 4466 type: string 4467 subFilter: 4468 properties: 4469 name: 4470 description: The filter name to match on. 4471 format: string 4472 type: string 4473 type: object 4474 type: object 4475 name: 4476 description: The name assigned to the filter chain. 4477 format: string 4478 type: string 4479 sni: 4480 description: The SNI value used by a filter chain's 4481 match condition. 4482 format: string 4483 type: string 4484 transportProtocol: 4485 description: Applies only to SIDECAR_INBOUND context. 4486 format: string 4487 type: string 4488 type: object 4489 name: 4490 description: Match a specific listener by its name. 4491 format: string 4492 type: string 4493 portName: 4494 format: string 4495 type: string 4496 portNumber: 4497 type: integer 4498 type: object 4499 proxy: 4500 description: Match on properties associated with a proxy. 4501 properties: 4502 metadata: 4503 additionalProperties: 4504 format: string 4505 type: string 4506 type: object 4507 proxyVersion: 4508 format: string 4509 type: string 4510 type: object 4511 routeConfiguration: 4512 description: Match on envoy HTTP route configuration attributes. 4513 properties: 4514 gateway: 4515 format: string 4516 type: string 4517 name: 4518 description: Route configuration name to match on. 4519 format: string 4520 type: string 4521 portName: 4522 description: Applicable only for GATEWAY context. 4523 format: string 4524 type: string 4525 portNumber: 4526 type: integer 4527 vhost: 4528 properties: 4529 name: 4530 format: string 4531 type: string 4532 route: 4533 description: Match a specific route within the virtual 4534 host. 4535 properties: 4536 action: 4537 description: Match a route with specific action 4538 type. 4539 enum: 4540 - ANY 4541 - ROUTE 4542 - REDIRECT 4543 - DIRECT_RESPONSE 4544 type: string 4545 name: 4546 format: string 4547 type: string 4548 type: object 4549 type: object 4550 type: object 4551 type: object 4552 patch: 4553 description: The patch to apply along with the operation. 4554 properties: 4555 operation: 4556 description: Determines how the patch should be applied. 4557 enum: 4558 - INVALID 4559 - MERGE 4560 - ADD 4561 - REMOVE 4562 - INSERT_BEFORE 4563 - INSERT_AFTER 4564 - INSERT_FIRST 4565 type: string 4566 value: 4567 description: The JSON config of the object being patched. 4568 type: object 4569 type: object 4570 type: object 4571 type: array 4572 workloadSelector: 4573 properties: 4574 labels: 4575 additionalProperties: 4576 format: string 4577 type: string 4578 type: object 4579 type: object 4580 type: object 4581 type: object 4582 versions: 4583 - name: v1alpha3 4584 served: true 4585 storage: true 4586--- 4587 4588 4589apiVersion: apiextensions.k8s.io/v1beta1 4590kind: CustomResourceDefinition 4591metadata: 4592 annotations: 4593 "helm.sh/resource-policy": keep 4594 labels: 4595 app: istio-pilot 4596 chart: istio 4597 heritage: Tiller 4598 release: istio 4599 name: gateways.networking.istio.io 4600spec: 4601 group: networking.istio.io 4602 names: 4603 categories: 4604 - istio-io 4605 - networking-istio-io 4606 kind: Gateway 4607 listKind: GatewayList 4608 plural: gateways 4609 shortNames: 4610 - gw 4611 singular: gateway 4612 scope: Namespaced 4613 subresources: 4614 status: {} 4615 validation: 4616 openAPIV3Schema: 4617 properties: 4618 spec: 4619 description: 'Configuration affecting edge load balancer. See more details 4620 at: https://istio.io/docs/reference/config/networking/gateway.html' 4621 properties: 4622 selector: 4623 additionalProperties: 4624 format: string 4625 type: string 4626 type: object 4627 servers: 4628 description: A list of server specifications. 4629 items: 4630 properties: 4631 bind: 4632 format: string 4633 type: string 4634 defaultEndpoint: 4635 format: string 4636 type: string 4637 hosts: 4638 description: One or more hosts exposed by this gateway. 4639 items: 4640 format: string 4641 type: string 4642 type: array 4643 port: 4644 properties: 4645 name: 4646 description: Label assigned to the port. 4647 format: string 4648 type: string 4649 number: 4650 description: A valid non-negative integer port number. 4651 type: integer 4652 protocol: 4653 description: The protocol exposed on the port. 4654 format: string 4655 type: string 4656 type: object 4657 tls: 4658 description: Set of TLS related options that govern the server's 4659 behavior. 4660 properties: 4661 caCertificates: 4662 description: REQUIRED if mode is `MUTUAL`. 4663 format: string 4664 type: string 4665 cipherSuites: 4666 description: 'Optional: If specified, only support the specified 4667 cipher list.' 4668 items: 4669 format: string 4670 type: string 4671 type: array 4672 credentialName: 4673 format: string 4674 type: string 4675 httpsRedirect: 4676 type: boolean 4677 maxProtocolVersion: 4678 description: 'Optional: Maximum TLS protocol version.' 4679 enum: 4680 - TLS_AUTO 4681 - TLSV1_0 4682 - TLSV1_1 4683 - TLSV1_2 4684 - TLSV1_3 4685 type: string 4686 minProtocolVersion: 4687 description: 'Optional: Minimum TLS protocol version.' 4688 enum: 4689 - TLS_AUTO 4690 - TLSV1_0 4691 - TLSV1_1 4692 - TLSV1_2 4693 - TLSV1_3 4694 type: string 4695 mode: 4696 enum: 4697 - PASSTHROUGH 4698 - SIMPLE 4699 - MUTUAL 4700 - AUTO_PASSTHROUGH 4701 - ISTIO_MUTUAL 4702 type: string 4703 privateKey: 4704 description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 4705 format: string 4706 type: string 4707 serverCertificate: 4708 description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 4709 format: string 4710 type: string 4711 subjectAltNames: 4712 items: 4713 format: string 4714 type: string 4715 type: array 4716 verifyCertificateHash: 4717 items: 4718 format: string 4719 type: string 4720 type: array 4721 verifyCertificateSpki: 4722 items: 4723 format: string 4724 type: string 4725 type: array 4726 type: object 4727 type: object 4728 type: array 4729 type: object 4730 type: object 4731 versions: 4732 - name: v1alpha3 4733 served: true 4734 storage: true 4735 - name: v1beta1 4736 served: true 4737 storage: false 4738--- 4739 4740 4741apiVersion: apiextensions.k8s.io/v1beta1 4742kind: CustomResourceDefinition 4743metadata: 4744 annotations: 4745 "helm.sh/resource-policy": keep 4746 labels: 4747 app: istio-pilot 4748 chart: istio 4749 heritage: Tiller 4750 release: istio 4751 name: serviceentries.networking.istio.io 4752spec: 4753 additionalPrinterColumns: 4754 - JSONPath: .spec.hosts 4755 description: The hosts associated with the ServiceEntry 4756 name: Hosts 4757 type: string 4758 - JSONPath: .spec.location 4759 description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL 4760 or MESH_INTERNAL) 4761 name: Location 4762 type: string 4763 - JSONPath: .spec.resolution 4764 description: Service discovery mode for the hosts (NONE, STATIC, or DNS) 4765 name: Resolution 4766 type: string 4767 - JSONPath: .metadata.creationTimestamp 4768 description: 'CreationTimestamp is a timestamp representing the server time when 4769 this object was created. It is not guaranteed to be set in happens-before order 4770 across separate operations. Clients may not set this value. It is represented 4771 in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 4772 lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 4773 name: Age 4774 type: date 4775 group: networking.istio.io 4776 names: 4777 categories: 4778 - istio-io 4779 - networking-istio-io 4780 kind: ServiceEntry 4781 listKind: ServiceEntryList 4782 plural: serviceentries 4783 shortNames: 4784 - se 4785 singular: serviceentry 4786 scope: Namespaced 4787 subresources: 4788 status: {} 4789 validation: 4790 openAPIV3Schema: 4791 properties: 4792 spec: 4793 description: 'Configuration affecting service registry. See more details 4794 at: https://istio.io/docs/reference/config/networking/service-entry.html' 4795 properties: 4796 addresses: 4797 description: The virtual IP addresses associated with the service. 4798 items: 4799 format: string 4800 type: string 4801 type: array 4802 endpoints: 4803 description: One or more endpoints associated with the service. 4804 items: 4805 properties: 4806 address: 4807 format: string 4808 type: string 4809 labels: 4810 additionalProperties: 4811 format: string 4812 type: string 4813 description: One or more labels associated with the endpoint. 4814 type: object 4815 locality: 4816 description: The locality associated with the endpoint. 4817 format: string 4818 type: string 4819 network: 4820 format: string 4821 type: string 4822 ports: 4823 additionalProperties: 4824 type: integer 4825 description: Set of ports associated with the endpoint. 4826 type: object 4827 serviceAccount: 4828 format: string 4829 type: string 4830 weight: 4831 description: The load balancing weight associated with the endpoint. 4832 type: integer 4833 type: object 4834 type: array 4835 exportTo: 4836 description: A list of namespaces to which this service is exported. 4837 items: 4838 format: string 4839 type: string 4840 type: array 4841 hosts: 4842 description: The hosts associated with the ServiceEntry. 4843 items: 4844 format: string 4845 type: string 4846 type: array 4847 location: 4848 enum: 4849 - MESH_EXTERNAL 4850 - MESH_INTERNAL 4851 type: string 4852 ports: 4853 description: The ports associated with the external service. 4854 items: 4855 properties: 4856 name: 4857 description: Label assigned to the port. 4858 format: string 4859 type: string 4860 number: 4861 description: A valid non-negative integer port number. 4862 type: integer 4863 protocol: 4864 description: The protocol exposed on the port. 4865 format: string 4866 type: string 4867 type: object 4868 type: array 4869 resolution: 4870 description: Service discovery mode for the hosts. 4871 enum: 4872 - NONE 4873 - STATIC 4874 - DNS 4875 type: string 4876 subjectAltNames: 4877 items: 4878 format: string 4879 type: string 4880 type: array 4881 workloadSelector: 4882 description: Applicable only for MESH_INTERNAL services. 4883 properties: 4884 labels: 4885 additionalProperties: 4886 format: string 4887 type: string 4888 type: object 4889 type: object 4890 type: object 4891 type: object 4892 versions: 4893 - name: v1alpha3 4894 served: true 4895 storage: true 4896 - name: v1beta1 4897 served: true 4898 storage: false 4899--- 4900 4901 4902apiVersion: apiextensions.k8s.io/v1beta1 4903kind: CustomResourceDefinition 4904metadata: 4905 annotations: 4906 "helm.sh/resource-policy": keep 4907 labels: 4908 app: istio-pilot 4909 chart: istio 4910 heritage: Tiller 4911 release: istio 4912 name: sidecars.networking.istio.io 4913spec: 4914 group: networking.istio.io 4915 names: 4916 categories: 4917 - istio-io 4918 - networking-istio-io 4919 kind: Sidecar 4920 listKind: SidecarList 4921 plural: sidecars 4922 singular: sidecar 4923 scope: Namespaced 4924 subresources: 4925 status: {} 4926 validation: 4927 openAPIV3Schema: 4928 properties: 4929 spec: 4930 description: 'Configuration affecting network reachability of a sidecar. 4931 See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' 4932 properties: 4933 egress: 4934 items: 4935 properties: 4936 bind: 4937 format: string 4938 type: string 4939 captureMode: 4940 enum: 4941 - DEFAULT 4942 - IPTABLES 4943 - NONE 4944 type: string 4945 hosts: 4946 items: 4947 format: string 4948 type: string 4949 type: array 4950 localhostServerTls: 4951 properties: 4952 caCertificates: 4953 description: REQUIRED if mode is `MUTUAL`. 4954 format: string 4955 type: string 4956 cipherSuites: 4957 description: 'Optional: If specified, only support the specified 4958 cipher list.' 4959 items: 4960 format: string 4961 type: string 4962 type: array 4963 credentialName: 4964 format: string 4965 type: string 4966 httpsRedirect: 4967 type: boolean 4968 maxProtocolVersion: 4969 description: 'Optional: Maximum TLS protocol version.' 4970 enum: 4971 - TLS_AUTO 4972 - TLSV1_0 4973 - TLSV1_1 4974 - TLSV1_2 4975 - TLSV1_3 4976 type: string 4977 minProtocolVersion: 4978 description: 'Optional: Minimum TLS protocol version.' 4979 enum: 4980 - TLS_AUTO 4981 - TLSV1_0 4982 - TLSV1_1 4983 - TLSV1_2 4984 - TLSV1_3 4985 type: string 4986 mode: 4987 enum: 4988 - PASSTHROUGH 4989 - SIMPLE 4990 - MUTUAL 4991 - AUTO_PASSTHROUGH 4992 - ISTIO_MUTUAL 4993 type: string 4994 privateKey: 4995 description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 4996 format: string 4997 type: string 4998 serverCertificate: 4999 description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 5000 format: string 5001 type: string 5002 subjectAltNames: 5003 items: 5004 format: string 5005 type: string 5006 type: array 5007 verifyCertificateHash: 5008 items: 5009 format: string 5010 type: string 5011 type: array 5012 verifyCertificateSpki: 5013 items: 5014 format: string 5015 type: string 5016 type: array 5017 type: object 5018 port: 5019 description: The port associated with the listener. 5020 properties: 5021 name: 5022 description: Label assigned to the port. 5023 format: string 5024 type: string 5025 number: 5026 description: A valid non-negative integer port number. 5027 type: integer 5028 protocol: 5029 description: The protocol exposed on the port. 5030 format: string 5031 type: string 5032 type: object 5033 type: object 5034 type: array 5035 ingress: 5036 items: 5037 properties: 5038 bind: 5039 description: The IP to which the listener should be bound. 5040 format: string 5041 type: string 5042 captureMode: 5043 enum: 5044 - DEFAULT 5045 - IPTABLES 5046 - NONE 5047 type: string 5048 defaultEndpoint: 5049 format: string 5050 type: string 5051 localhostClientTls: 5052 properties: 5053 caCertificates: 5054 format: string 5055 type: string 5056 clientCertificate: 5057 description: REQUIRED if mode is `MUTUAL`. 5058 format: string 5059 type: string 5060 mode: 5061 enum: 5062 - DISABLE 5063 - SIMPLE 5064 - MUTUAL 5065 - ISTIO_MUTUAL 5066 type: string 5067 privateKey: 5068 description: REQUIRED if mode is `MUTUAL`. 5069 format: string 5070 type: string 5071 sni: 5072 description: SNI string to present to the server during TLS 5073 handshake. 5074 format: string 5075 type: string 5076 subjectAltNames: 5077 items: 5078 format: string 5079 type: string 5080 type: array 5081 type: object 5082 port: 5083 description: The port associated with the listener. 5084 properties: 5085 name: 5086 description: Label assigned to the port. 5087 format: string 5088 type: string 5089 number: 5090 description: A valid non-negative integer port number. 5091 type: integer 5092 protocol: 5093 description: The protocol exposed on the port. 5094 format: string 5095 type: string 5096 type: object 5097 type: object 5098 type: array 5099 localhost: 5100 properties: 5101 clientTls: 5102 properties: 5103 caCertificates: 5104 format: string 5105 type: string 5106 clientCertificate: 5107 description: REQUIRED if mode is `MUTUAL`. 5108 format: string 5109 type: string 5110 mode: 5111 enum: 5112 - DISABLE 5113 - SIMPLE 5114 - MUTUAL 5115 - ISTIO_MUTUAL 5116 type: string 5117 privateKey: 5118 description: REQUIRED if mode is `MUTUAL`. 5119 format: string 5120 type: string 5121 sni: 5122 description: SNI string to present to the server during TLS 5123 handshake. 5124 format: string 5125 type: string 5126 subjectAltNames: 5127 items: 5128 format: string 5129 type: string 5130 type: array 5131 type: object 5132 serverTls: 5133 properties: 5134 caCertificates: 5135 description: REQUIRED if mode is `MUTUAL`. 5136 format: string 5137 type: string 5138 cipherSuites: 5139 description: 'Optional: If specified, only support the specified 5140 cipher list.' 5141 items: 5142 format: string 5143 type: string 5144 type: array 5145 credentialName: 5146 format: string 5147 type: string 5148 httpsRedirect: 5149 type: boolean 5150 maxProtocolVersion: 5151 description: 'Optional: Maximum TLS protocol version.' 5152 enum: 5153 - TLS_AUTO 5154 - TLSV1_0 5155 - TLSV1_1 5156 - TLSV1_2 5157 - TLSV1_3 5158 type: string 5159 minProtocolVersion: 5160 description: 'Optional: Minimum TLS protocol version.' 5161 enum: 5162 - TLS_AUTO 5163 - TLSV1_0 5164 - TLSV1_1 5165 - TLSV1_2 5166 - TLSV1_3 5167 type: string 5168 mode: 5169 enum: 5170 - PASSTHROUGH 5171 - SIMPLE 5172 - MUTUAL 5173 - AUTO_PASSTHROUGH 5174 - ISTIO_MUTUAL 5175 type: string 5176 privateKey: 5177 description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 5178 format: string 5179 type: string 5180 serverCertificate: 5181 description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 5182 format: string 5183 type: string 5184 subjectAltNames: 5185 items: 5186 format: string 5187 type: string 5188 type: array 5189 verifyCertificateHash: 5190 items: 5191 format: string 5192 type: string 5193 type: array 5194 verifyCertificateSpki: 5195 items: 5196 format: string 5197 type: string 5198 type: array 5199 type: object 5200 type: object 5201 outboundTrafficPolicy: 5202 description: Configuration for the outbound traffic policy. 5203 properties: 5204 egressProxy: 5205 properties: 5206 host: 5207 description: The name of a service from the service registry. 5208 format: string 5209 type: string 5210 port: 5211 description: Specifies the port on the host that is being addressed. 5212 properties: 5213 number: 5214 type: integer 5215 type: object 5216 subset: 5217 description: The name of a subset within the service. 5218 format: string 5219 type: string 5220 type: object 5221 mode: 5222 enum: 5223 - REGISTRY_ONLY 5224 - ALLOW_ANY 5225 type: string 5226 type: object 5227 workloadSelector: 5228 properties: 5229 labels: 5230 additionalProperties: 5231 format: string 5232 type: string 5233 type: object 5234 type: object 5235 type: object 5236 type: object 5237 versions: 5238 - name: v1alpha3 5239 served: true 5240 storage: true 5241 - name: v1beta1 5242 served: true 5243 storage: false 5244--- 5245 5246 5247apiVersion: apiextensions.k8s.io/v1beta1 5248kind: CustomResourceDefinition 5249metadata: 5250 annotations: 5251 "helm.sh/resource-policy": keep 5252 labels: 5253 app: istio-pilot 5254 chart: istio 5255 heritage: Tiller 5256 release: istio 5257 name: virtualservices.networking.istio.io 5258spec: 5259 additionalPrinterColumns: 5260 - JSONPath: .spec.gateways 5261 description: The names of gateways and sidecars that should apply these routes 5262 name: Gateways 5263 type: string 5264 - JSONPath: .spec.hosts 5265 description: The destination hosts to which traffic is being sent 5266 name: Hosts 5267 type: string 5268 - JSONPath: .metadata.creationTimestamp 5269 description: 'CreationTimestamp is a timestamp representing the server time when 5270 this object was created. It is not guaranteed to be set in happens-before order 5271 across separate operations. Clients may not set this value. It is represented 5272 in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 5273 lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 5274 name: Age 5275 type: date 5276 group: networking.istio.io 5277 names: 5278 categories: 5279 - istio-io 5280 - networking-istio-io 5281 kind: VirtualService 5282 listKind: VirtualServiceList 5283 plural: virtualservices 5284 shortNames: 5285 - vs 5286 singular: virtualservice 5287 scope: Namespaced 5288 subresources: 5289 status: {} 5290 validation: 5291 openAPIV3Schema: 5292 properties: 5293 spec: 5294 description: 'Configuration affecting label/content routing, sni routing, 5295 etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' 5296 properties: 5297 exportTo: 5298 description: A list of namespaces to which this virtual service is exported. 5299 items: 5300 format: string 5301 type: string 5302 type: array 5303 gateways: 5304 description: The names of gateways and sidecars that should apply these 5305 routes. 5306 items: 5307 format: string 5308 type: string 5309 type: array 5310 hosts: 5311 description: The destination hosts to which traffic is being sent. 5312 items: 5313 format: string 5314 type: string 5315 type: array 5316 http: 5317 description: An ordered list of route rules for HTTP traffic. 5318 items: 5319 properties: 5320 corsPolicy: 5321 description: Cross-Origin Resource Sharing policy (CORS). 5322 properties: 5323 allowCredentials: 5324 type: boolean 5325 allowHeaders: 5326 items: 5327 format: string 5328 type: string 5329 type: array 5330 allowMethods: 5331 description: List of HTTP methods allowed to access the resource. 5332 items: 5333 format: string 5334 type: string 5335 type: array 5336 allowOrigin: 5337 description: The list of origins that are allowed to perform 5338 CORS requests. 5339 items: 5340 format: string 5341 type: string 5342 type: array 5343 allowOrigins: 5344 description: String patterns that match allowed origins. 5345 items: 5346 oneOf: 5347 - not: 5348 anyOf: 5349 - required: 5350 - exact 5351 - required: 5352 - prefix 5353 - required: 5354 - regex 5355 - required: 5356 - exact 5357 - required: 5358 - prefix 5359 - required: 5360 - regex 5361 properties: 5362 exact: 5363 format: string 5364 type: string 5365 prefix: 5366 format: string 5367 type: string 5368 regex: 5369 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 5370 format: string 5371 type: string 5372 type: object 5373 type: array 5374 exposeHeaders: 5375 items: 5376 format: string 5377 type: string 5378 type: array 5379 maxAge: 5380 type: string 5381 type: object 5382 delegate: 5383 properties: 5384 name: 5385 description: Name specifies the name of the delegate VirtualService. 5386 format: string 5387 type: string 5388 namespace: 5389 description: Namespace specifies the namespace where the delegate 5390 VirtualService resides. 5391 format: string 5392 type: string 5393 type: object 5394 fault: 5395 description: Fault injection policy to apply on HTTP traffic at 5396 the client side. 5397 properties: 5398 abort: 5399 oneOf: 5400 - not: 5401 anyOf: 5402 - required: 5403 - httpStatus 5404 - required: 5405 - grpcStatus 5406 - required: 5407 - http2Error 5408 - required: 5409 - httpStatus 5410 - required: 5411 - grpcStatus 5412 - required: 5413 - http2Error 5414 properties: 5415 grpcStatus: 5416 format: string 5417 type: string 5418 http2Error: 5419 format: string 5420 type: string 5421 httpStatus: 5422 description: HTTP status code to use to abort the Http 5423 request. 5424 format: int32 5425 type: integer 5426 percentage: 5427 description: Percentage of requests to be aborted with 5428 the error code provided. 5429 properties: 5430 value: 5431 format: double 5432 type: number 5433 type: object 5434 type: object 5435 delay: 5436 oneOf: 5437 - not: 5438 anyOf: 5439 - required: 5440 - fixedDelay 5441 - required: 5442 - exponentialDelay 5443 - required: 5444 - fixedDelay 5445 - required: 5446 - exponentialDelay 5447 properties: 5448 exponentialDelay: 5449 type: string 5450 fixedDelay: 5451 description: Add a fixed delay before forwarding the request. 5452 type: string 5453 percent: 5454 description: Percentage of requests on which the delay 5455 will be injected (0-100). 5456 format: int32 5457 type: integer 5458 percentage: 5459 description: Percentage of requests on which the delay 5460 will be injected. 5461 properties: 5462 value: 5463 format: double 5464 type: number 5465 type: object 5466 type: object 5467 type: object 5468 headers: 5469 properties: 5470 request: 5471 properties: 5472 add: 5473 additionalProperties: 5474 format: string 5475 type: string 5476 type: object 5477 remove: 5478 items: 5479 format: string 5480 type: string 5481 type: array 5482 set: 5483 additionalProperties: 5484 format: string 5485 type: string 5486 type: object 5487 type: object 5488 response: 5489 properties: 5490 add: 5491 additionalProperties: 5492 format: string 5493 type: string 5494 type: object 5495 remove: 5496 items: 5497 format: string 5498 type: string 5499 type: array 5500 set: 5501 additionalProperties: 5502 format: string 5503 type: string 5504 type: object 5505 type: object 5506 type: object 5507 match: 5508 items: 5509 properties: 5510 authority: 5511 oneOf: 5512 - not: 5513 anyOf: 5514 - required: 5515 - exact 5516 - required: 5517 - prefix 5518 - required: 5519 - regex 5520 - required: 5521 - exact 5522 - required: 5523 - prefix 5524 - required: 5525 - regex 5526 properties: 5527 exact: 5528 format: string 5529 type: string 5530 prefix: 5531 format: string 5532 type: string 5533 regex: 5534 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 5535 format: string 5536 type: string 5537 type: object 5538 gateways: 5539 description: Names of gateways where the rule should be 5540 applied. 5541 items: 5542 format: string 5543 type: string 5544 type: array 5545 headers: 5546 additionalProperties: 5547 oneOf: 5548 - not: 5549 anyOf: 5550 - required: 5551 - exact 5552 - required: 5553 - prefix 5554 - required: 5555 - regex 5556 - required: 5557 - exact 5558 - required: 5559 - prefix 5560 - required: 5561 - regex 5562 properties: 5563 exact: 5564 format: string 5565 type: string 5566 prefix: 5567 format: string 5568 type: string 5569 regex: 5570 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 5571 format: string 5572 type: string 5573 type: object 5574 type: object 5575 ignoreUriCase: 5576 description: Flag to specify whether the URI matching should 5577 be case-insensitive. 5578 type: boolean 5579 method: 5580 oneOf: 5581 - not: 5582 anyOf: 5583 - required: 5584 - exact 5585 - required: 5586 - prefix 5587 - required: 5588 - regex 5589 - required: 5590 - exact 5591 - required: 5592 - prefix 5593 - required: 5594 - regex 5595 properties: 5596 exact: 5597 format: string 5598 type: string 5599 prefix: 5600 format: string 5601 type: string 5602 regex: 5603 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 5604 format: string 5605 type: string 5606 type: object 5607 name: 5608 description: The name assigned to a match. 5609 format: string 5610 type: string 5611 port: 5612 description: Specifies the ports on the host that is being 5613 addressed. 5614 type: integer 5615 queryParams: 5616 additionalProperties: 5617 oneOf: 5618 - not: 5619 anyOf: 5620 - required: 5621 - exact 5622 - required: 5623 - prefix 5624 - required: 5625 - regex 5626 - required: 5627 - exact 5628 - required: 5629 - prefix 5630 - required: 5631 - regex 5632 properties: 5633 exact: 5634 format: string 5635 type: string 5636 prefix: 5637 format: string 5638 type: string 5639 regex: 5640 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 5641 format: string 5642 type: string 5643 type: object 5644 description: Query parameters for matching. 5645 type: object 5646 scheme: 5647 oneOf: 5648 - not: 5649 anyOf: 5650 - required: 5651 - exact 5652 - required: 5653 - prefix 5654 - required: 5655 - regex 5656 - required: 5657 - exact 5658 - required: 5659 - prefix 5660 - required: 5661 - regex 5662 properties: 5663 exact: 5664 format: string 5665 type: string 5666 prefix: 5667 format: string 5668 type: string 5669 regex: 5670 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 5671 format: string 5672 type: string 5673 type: object 5674 sourceLabels: 5675 additionalProperties: 5676 format: string 5677 type: string 5678 type: object 5679 sourceNamespace: 5680 description: Source namespace constraining the applicability 5681 of a rule to workloads in that namespace. 5682 format: string 5683 type: string 5684 uri: 5685 oneOf: 5686 - not: 5687 anyOf: 5688 - required: 5689 - exact 5690 - required: 5691 - prefix 5692 - required: 5693 - regex 5694 - required: 5695 - exact 5696 - required: 5697 - prefix 5698 - required: 5699 - regex 5700 properties: 5701 exact: 5702 format: string 5703 type: string 5704 prefix: 5705 format: string 5706 type: string 5707 regex: 5708 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 5709 format: string 5710 type: string 5711 type: object 5712 withoutHeaders: 5713 additionalProperties: 5714 oneOf: 5715 - not: 5716 anyOf: 5717 - required: 5718 - exact 5719 - required: 5720 - prefix 5721 - required: 5722 - regex 5723 - required: 5724 - exact 5725 - required: 5726 - prefix 5727 - required: 5728 - regex 5729 properties: 5730 exact: 5731 format: string 5732 type: string 5733 prefix: 5734 format: string 5735 type: string 5736 regex: 5737 description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 5738 format: string 5739 type: string 5740 type: object 5741 description: withoutHeader has the same syntax with the 5742 header, but has opposite meaning. 5743 type: object 5744 type: object 5745 type: array 5746 mirror: 5747 properties: 5748 host: 5749 description: The name of a service from the service registry. 5750 format: string 5751 type: string 5752 port: 5753 description: Specifies the port on the host that is being 5754 addressed. 5755 properties: 5756 number: 5757 type: integer 5758 type: object 5759 subset: 5760 description: The name of a subset within the service. 5761 format: string 5762 type: string 5763 type: object 5764 mirror_percent: 5765 description: Percentage of the traffic to be mirrored by the `mirror` 5766 field. 5767 type: integer 5768 mirrorPercent: 5769 description: Percentage of the traffic to be mirrored by the `mirror` 5770 field. 5771 type: integer 5772 mirrorPercentage: 5773 description: Percentage of the traffic to be mirrored by the `mirror` 5774 field. 5775 properties: 5776 value: 5777 format: double 5778 type: number 5779 type: object 5780 name: 5781 description: The name assigned to the route for debugging purposes. 5782 format: string 5783 type: string 5784 redirect: 5785 description: A HTTP rule can either redirect or forward (default) 5786 traffic. 5787 properties: 5788 authority: 5789 format: string 5790 type: string 5791 redirectCode: 5792 type: integer 5793 uri: 5794 format: string 5795 type: string 5796 type: object 5797 retries: 5798 description: Retry policy for HTTP requests. 5799 properties: 5800 attempts: 5801 description: Number of retries for a given request. 5802 format: int32 5803 type: integer 5804 perTryTimeout: 5805 description: Timeout per retry attempt for a given request. 5806 type: string 5807 retryOn: 5808 description: Specifies the conditions under which retry takes 5809 place. 5810 format: string 5811 type: string 5812 retryRemoteLocalities: 5813 description: Flag to specify whether the retries should retry 5814 to other localities. 5815 type: boolean 5816 type: object 5817 rewrite: 5818 description: Rewrite HTTP URIs and Authority headers. 5819 properties: 5820 authority: 5821 description: rewrite the Authority/Host header with this value. 5822 format: string 5823 type: string 5824 uri: 5825 format: string 5826 type: string 5827 type: object 5828 route: 5829 description: A HTTP rule can either redirect or forward (default) 5830 traffic. 5831 items: 5832 properties: 5833 destination: 5834 properties: 5835 host: 5836 description: The name of a service from the service 5837 registry. 5838 format: string 5839 type: string 5840 port: 5841 description: Specifies the port on the host that is 5842 being addressed. 5843 properties: 5844 number: 5845 type: integer 5846 type: object 5847 subset: 5848 description: The name of a subset within the service. 5849 format: string 5850 type: string 5851 type: object 5852 headers: 5853 properties: 5854 request: 5855 properties: 5856 add: 5857 additionalProperties: 5858 format: string 5859 type: string 5860 type: object 5861 remove: 5862 items: 5863 format: string 5864 type: string 5865 type: array 5866 set: 5867 additionalProperties: 5868 format: string 5869 type: string 5870 type: object 5871 type: object 5872 response: 5873 properties: 5874 add: 5875 additionalProperties: 5876 format: string 5877 type: string 5878 type: object 5879 remove: 5880 items: 5881 format: string 5882 type: string 5883 type: array 5884 set: 5885 additionalProperties: 5886 format: string 5887 type: string 5888 type: object 5889 type: object 5890 type: object 5891 weight: 5892 format: int32 5893 type: integer 5894 type: object 5895 type: array 5896 timeout: 5897 description: Timeout for HTTP requests. 5898 type: string 5899 type: object 5900 type: array 5901 tcp: 5902 description: An ordered list of route rules for opaque TCP traffic. 5903 items: 5904 properties: 5905 match: 5906 items: 5907 properties: 5908 destinationSubnets: 5909 description: IPv4 or IPv6 ip addresses of destination with 5910 optional subnet. 5911 items: 5912 format: string 5913 type: string 5914 type: array 5915 gateways: 5916 description: Names of gateways where the rule should be 5917 applied. 5918 items: 5919 format: string 5920 type: string 5921 type: array 5922 port: 5923 description: Specifies the port on the host that is being 5924 addressed. 5925 type: integer 5926 sourceLabels: 5927 additionalProperties: 5928 format: string 5929 type: string 5930 type: object 5931 sourceNamespace: 5932 description: Source namespace constraining the applicability 5933 of a rule to workloads in that namespace. 5934 format: string 5935 type: string 5936 sourceSubnet: 5937 description: IPv4 or IPv6 ip address of source with optional 5938 subnet. 5939 format: string 5940 type: string 5941 type: object 5942 type: array 5943 route: 5944 description: The destination to which the connection should be 5945 forwarded to. 5946 items: 5947 properties: 5948 destination: 5949 properties: 5950 host: 5951 description: The name of a service from the service 5952 registry. 5953 format: string 5954 type: string 5955 port: 5956 description: Specifies the port on the host that is 5957 being addressed. 5958 properties: 5959 number: 5960 type: integer 5961 type: object 5962 subset: 5963 description: The name of a subset within the service. 5964 format: string 5965 type: string 5966 type: object 5967 weight: 5968 format: int32 5969 type: integer 5970 type: object 5971 type: array 5972 type: object 5973 type: array 5974 tls: 5975 items: 5976 properties: 5977 match: 5978 items: 5979 properties: 5980 destinationSubnets: 5981 description: IPv4 or IPv6 ip addresses of destination with 5982 optional subnet. 5983 items: 5984 format: string 5985 type: string 5986 type: array 5987 gateways: 5988 description: Names of gateways where the rule should be 5989 applied. 5990 items: 5991 format: string 5992 type: string 5993 type: array 5994 port: 5995 description: Specifies the port on the host that is being 5996 addressed. 5997 type: integer 5998 sniHosts: 5999 description: SNI (server name indicator) to match on. 6000 items: 6001 format: string 6002 type: string 6003 type: array 6004 sourceLabels: 6005 additionalProperties: 6006 format: string 6007 type: string 6008 type: object 6009 sourceNamespace: 6010 description: Source namespace constraining the applicability 6011 of a rule to workloads in that namespace. 6012 format: string 6013 type: string 6014 type: object 6015 type: array 6016 route: 6017 description: The destination to which the connection should be 6018 forwarded to. 6019 items: 6020 properties: 6021 destination: 6022 properties: 6023 host: 6024 description: The name of a service from the service 6025 registry. 6026 format: string 6027 type: string 6028 port: 6029 description: Specifies the port on the host that is 6030 being addressed. 6031 properties: 6032 number: 6033 type: integer 6034 type: object 6035 subset: 6036 description: The name of a subset within the service. 6037 format: string 6038 type: string 6039 type: object 6040 weight: 6041 format: int32 6042 type: integer 6043 type: object 6044 type: array 6045 type: object 6046 type: array 6047 type: object 6048 type: object 6049 versions: 6050 - name: v1alpha3 6051 served: true 6052 storage: true 6053 - name: v1beta1 6054 served: true 6055 storage: false 6056--- 6057 6058 6059apiVersion: apiextensions.k8s.io/v1beta1 6060kind: CustomResourceDefinition 6061metadata: 6062 annotations: 6063 "helm.sh/resource-policy": keep 6064 labels: 6065 app: istio-pilot 6066 chart: istio 6067 heritage: Tiller 6068 release: istio 6069 name: workloadentries.networking.istio.io 6070spec: 6071 additionalPrinterColumns: 6072 - JSONPath: .metadata.creationTimestamp 6073 description: 'CreationTimestamp is a timestamp representing the server time when 6074 this object was created. It is not guaranteed to be set in happens-before order 6075 across separate operations. Clients may not set this value. It is represented 6076 in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 6077 lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 6078 name: Age 6079 type: date 6080 - JSONPath: .spec.address 6081 description: Address associated with the network endpoint. 6082 name: Address 6083 type: string 6084 group: networking.istio.io 6085 names: 6086 categories: 6087 - istio-io 6088 - networking-istio-io 6089 kind: WorkloadEntry 6090 listKind: WorkloadEntryList 6091 plural: workloadentries 6092 shortNames: 6093 - we 6094 singular: workloadentry 6095 scope: Namespaced 6096 subresources: 6097 status: {} 6098 validation: 6099 openAPIV3Schema: 6100 properties: 6101 spec: 6102 description: 'Configuration affecting VMs onboarded into the mesh. See more 6103 details at: https://istio.io/docs/reference/config/networking/workload-entry.html' 6104 properties: 6105 address: 6106 format: string 6107 type: string 6108 labels: 6109 additionalProperties: 6110 format: string 6111 type: string 6112 description: One or more labels associated with the endpoint. 6113 type: object 6114 locality: 6115 description: The locality associated with the endpoint. 6116 format: string 6117 type: string 6118 network: 6119 format: string 6120 type: string 6121 ports: 6122 additionalProperties: 6123 type: integer 6124 description: Set of ports associated with the endpoint. 6125 type: object 6126 serviceAccount: 6127 format: string 6128 type: string 6129 weight: 6130 description: The load balancing weight associated with the endpoint. 6131 type: integer 6132 type: object 6133 type: object 6134 versions: 6135 - name: v1alpha3 6136 served: true 6137 storage: true 6138 - name: v1beta1 6139 served: true 6140 storage: false 6141--- 6142 6143 6144apiVersion: apiextensions.k8s.io/v1beta1 6145kind: CustomResourceDefinition 6146metadata: 6147 annotations: 6148 "helm.sh/resource-policy": keep 6149 labels: 6150 app: mixer 6151 chart: istio 6152 heritage: Tiller 6153 istio: core 6154 package: istio.io.mixer 6155 release: istio 6156 name: attributemanifests.config.istio.io 6157spec: 6158 group: config.istio.io 6159 names: 6160 categories: 6161 - istio-io 6162 - policy-istio-io 6163 kind: attributemanifest 6164 listKind: attributemanifestList 6165 plural: attributemanifests 6166 singular: attributemanifest 6167 scope: Namespaced 6168 subresources: 6169 status: {} 6170 validation: 6171 openAPIV3Schema: 6172 properties: 6173 spec: 6174 description: 'Describes the rules used to configure Mixer''s policy and 6175 telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' 6176 properties: 6177 attributes: 6178 additionalProperties: 6179 properties: 6180 description: 6181 description: A human-readable description of the attribute's purpose. 6182 format: string 6183 type: string 6184 valueType: 6185 description: The type of data carried by this attribute. 6186 enum: 6187 - VALUE_TYPE_UNSPECIFIED 6188 - STRING 6189 - INT64 6190 - DOUBLE 6191 - BOOL 6192 - TIMESTAMP 6193 - IP_ADDRESS 6194 - EMAIL_ADDRESS 6195 - URI 6196 - DNS_NAME 6197 - DURATION 6198 - STRING_MAP 6199 type: string 6200 type: object 6201 description: The set of attributes this Istio component will be responsible 6202 for producing at runtime. 6203 type: object 6204 name: 6205 description: Name of the component producing these attributes. 6206 format: string 6207 type: string 6208 revision: 6209 description: The revision of this document. 6210 format: string 6211 type: string 6212 type: object 6213 type: object 6214 versions: 6215 - name: v1alpha2 6216 served: true 6217 storage: true 6218--- 6219 6220 6221apiVersion: apiextensions.k8s.io/v1beta1 6222kind: CustomResourceDefinition 6223metadata: 6224 annotations: 6225 "helm.sh/resource-policy": keep 6226 labels: 6227 app: mixer 6228 chart: istio 6229 heritage: Tiller 6230 istio: mixer-handler 6231 package: handler 6232 release: istio 6233 name: handlers.config.istio.io 6234spec: 6235 group: config.istio.io 6236 names: 6237 categories: 6238 - istio-io 6239 - policy-istio-io 6240 kind: handler 6241 listKind: handlerList 6242 plural: handlers 6243 singular: handler 6244 scope: Namespaced 6245 subresources: 6246 status: {} 6247 validation: 6248 openAPIV3Schema: 6249 properties: 6250 spec: 6251 description: Handler allows the operator to configure a specific adapter 6252 implementation. 6253 properties: 6254 adapter: 6255 description: The name of a specific adapter implementation. 6256 format: string 6257 type: string 6258 compiledAdapter: 6259 description: The name of the compiled in adapter this handler instantiates. 6260 format: string 6261 type: string 6262 connection: 6263 description: Information on how to connect to the out-of-process adapter. 6264 properties: 6265 address: 6266 description: The address of the backend. 6267 format: string 6268 type: string 6269 authentication: 6270 description: Auth config for the connection to the backend. 6271 oneOf: 6272 - not: 6273 anyOf: 6274 - properties: 6275 tls: 6276 allOf: 6277 - oneOf: 6278 - not: 6279 anyOf: 6280 - required: 6281 - tokenPath 6282 - required: 6283 - oauth 6284 - required: 6285 - tokenPath 6286 - required: 6287 - oauth 6288 - oneOf: 6289 - not: 6290 anyOf: 6291 - required: 6292 - authHeader 6293 - required: 6294 - customHeader 6295 - required: 6296 - authHeader 6297 - required: 6298 - customHeader 6299 required: 6300 - tls 6301 - required: 6302 - mutual 6303 - properties: 6304 tls: 6305 allOf: 6306 - oneOf: 6307 - not: 6308 anyOf: 6309 - required: 6310 - tokenPath 6311 - required: 6312 - oauth 6313 - required: 6314 - tokenPath 6315 - required: 6316 - oauth 6317 - oneOf: 6318 - not: 6319 anyOf: 6320 - required: 6321 - authHeader 6322 - required: 6323 - customHeader 6324 - required: 6325 - authHeader 6326 - required: 6327 - customHeader 6328 required: 6329 - tls 6330 - required: 6331 - mutual 6332 properties: 6333 mutual: 6334 properties: 6335 caCertificates: 6336 format: string 6337 type: string 6338 clientCertificate: 6339 description: The path to the file holding client certificate 6340 for mutual TLS. 6341 format: string 6342 type: string 6343 privateKey: 6344 description: The path to the file holding the private key 6345 for mutual TLS. 6346 format: string 6347 type: string 6348 serverName: 6349 description: Used to configure mixer mutual TLS client to 6350 supply server name for SNI. 6351 format: string 6352 type: string 6353 type: object 6354 tls: 6355 properties: 6356 authHeader: 6357 description: Access token is passed as authorization header. 6358 enum: 6359 - PLAIN 6360 - BEARER 6361 type: string 6362 caCertificates: 6363 format: string 6364 type: string 6365 customHeader: 6366 description: Customized header key to hold access token, 6367 e.g. 6368 format: string 6369 type: string 6370 oauth: 6371 description: Oauth config to fetch access token from auth 6372 provider. 6373 properties: 6374 clientId: 6375 description: OAuth client id for mixer. 6376 format: string 6377 type: string 6378 clientSecret: 6379 description: The path to the file holding the client 6380 secret for oauth. 6381 format: string 6382 type: string 6383 endpointParams: 6384 additionalProperties: 6385 format: string 6386 type: string 6387 description: Additional parameters for requests to the 6388 token endpoint. 6389 type: object 6390 scopes: 6391 description: List of requested permissions. 6392 items: 6393 format: string 6394 type: string 6395 type: array 6396 tokenUrl: 6397 description: The Resource server's token endpoint URL. 6398 format: string 6399 type: string 6400 type: object 6401 serverName: 6402 format: string 6403 type: string 6404 tokenPath: 6405 format: string 6406 type: string 6407 type: object 6408 type: object 6409 timeout: 6410 description: Timeout for remote calls to the backend. 6411 type: string 6412 type: object 6413 name: 6414 description: Must be unique in the entire Mixer configuration. 6415 format: string 6416 type: string 6417 params: 6418 description: Depends on adapter implementation. 6419 type: object 6420 type: object 6421 type: object 6422 versions: 6423 - name: v1alpha2 6424 served: true 6425 storage: true 6426--- 6427 6428 6429apiVersion: apiextensions.k8s.io/v1beta1 6430kind: CustomResourceDefinition 6431metadata: 6432 annotations: 6433 "helm.sh/resource-policy": keep 6434 labels: 6435 app: mixer 6436 chart: istio 6437 heritage: Tiller 6438 istio: mixer-instance 6439 package: instance 6440 release: istio 6441 name: instances.config.istio.io 6442spec: 6443 group: config.istio.io 6444 names: 6445 categories: 6446 - istio-io 6447 - policy-istio-io 6448 kind: instance 6449 listKind: instanceList 6450 plural: instances 6451 singular: instance 6452 scope: Namespaced 6453 subresources: 6454 status: {} 6455 validation: 6456 openAPIV3Schema: 6457 properties: 6458 spec: 6459 description: An Instance tells Mixer how to create instances for particular 6460 template. 6461 properties: 6462 attributeBindings: 6463 additionalProperties: 6464 format: string 6465 type: string 6466 type: object 6467 compiledTemplate: 6468 description: The name of the compiled in template this instance creates 6469 instances for. 6470 format: string 6471 type: string 6472 name: 6473 format: string 6474 type: string 6475 params: 6476 description: Depends on referenced template. 6477 type: object 6478 template: 6479 description: The name of the template this instance creates instances 6480 for. 6481 format: string 6482 type: string 6483 type: object 6484 type: object 6485 versions: 6486 - name: v1alpha2 6487 served: true 6488 storage: true 6489--- 6490 6491 6492apiVersion: apiextensions.k8s.io/v1beta1 6493kind: CustomResourceDefinition 6494metadata: 6495 annotations: 6496 "helm.sh/resource-policy": keep 6497 labels: 6498 app: mixer 6499 chart: istio 6500 heritage: Tiller 6501 istio: core 6502 package: istio.io.mixer 6503 release: istio 6504 name: rules.config.istio.io 6505spec: 6506 group: config.istio.io 6507 names: 6508 categories: 6509 - istio-io 6510 - policy-istio-io 6511 kind: rule 6512 listKind: ruleList 6513 plural: rules 6514 singular: rule 6515 scope: Namespaced 6516 subresources: 6517 status: {} 6518 validation: 6519 openAPIV3Schema: 6520 properties: 6521 spec: 6522 description: 'Describes the rules used to configure Mixer''s policy and 6523 telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' 6524 properties: 6525 actions: 6526 description: The actions that will be executed when match evaluates 6527 to `true`. 6528 items: 6529 properties: 6530 handler: 6531 description: Fully qualified name of the handler to invoke. 6532 format: string 6533 type: string 6534 instances: 6535 items: 6536 format: string 6537 type: string 6538 type: array 6539 name: 6540 description: A handle to refer to the results of the action. 6541 format: string 6542 type: string 6543 type: object 6544 type: array 6545 match: 6546 description: Match is an attribute based predicate. 6547 format: string 6548 type: string 6549 requestHeaderOperations: 6550 items: 6551 properties: 6552 name: 6553 description: Header name literal value. 6554 format: string 6555 type: string 6556 operation: 6557 description: Header operation type. 6558 enum: 6559 - REPLACE 6560 - REMOVE 6561 - APPEND 6562 type: string 6563 values: 6564 description: Header value expressions. 6565 items: 6566 format: string 6567 type: string 6568 type: array 6569 type: object 6570 type: array 6571 responseHeaderOperations: 6572 items: 6573 properties: 6574 name: 6575 description: Header name literal value. 6576 format: string 6577 type: string 6578 operation: 6579 description: Header operation type. 6580 enum: 6581 - REPLACE 6582 - REMOVE 6583 - APPEND 6584 type: string 6585 values: 6586 description: Header value expressions. 6587 items: 6588 format: string 6589 type: string 6590 type: array 6591 type: object 6592 type: array 6593 sampling: 6594 properties: 6595 random: 6596 description: Provides filtering of actions based on random selection 6597 per request. 6598 properties: 6599 attributeExpression: 6600 description: Specifies an attribute expression to use to override 6601 the numerator in the `percent_sampled` field. 6602 format: string 6603 type: string 6604 percentSampled: 6605 description: The default sampling rate, expressed as a percentage. 6606 properties: 6607 denominator: 6608 description: Specifies the denominator. 6609 enum: 6610 - HUNDRED 6611 - TEN_THOUSAND 6612 type: string 6613 numerator: 6614 description: Specifies the numerator. 6615 type: integer 6616 type: object 6617 useIndependentRandomness: 6618 description: By default sampling will be based on the value 6619 of the request header `x-request-id`. 6620 type: boolean 6621 type: object 6622 rateLimit: 6623 properties: 6624 maxUnsampledEntries: 6625 description: Number of entries to allow during the `sampling_duration` 6626 before sampling is enforced. 6627 format: int64 6628 type: integer 6629 samplingDuration: 6630 description: Window in which to enforce the sampling rate. 6631 type: string 6632 samplingRate: 6633 description: The rate at which to sample entries once the unsampled 6634 limit has been reached. 6635 format: int64 6636 type: integer 6637 type: object 6638 type: object 6639 type: object 6640 type: object 6641 versions: 6642 - name: v1alpha2 6643 served: true 6644 storage: true 6645--- 6646 6647 6648apiVersion: apiextensions.k8s.io/v1beta1 6649kind: CustomResourceDefinition 6650metadata: 6651 annotations: 6652 "helm.sh/resource-policy": keep 6653 labels: 6654 app: istio-pilot 6655 chart: istio 6656 heritage: Tiller 6657 istio: rbac 6658 release: istio 6659 name: clusterrbacconfigs.rbac.istio.io 6660spec: 6661 group: rbac.istio.io 6662 names: 6663 categories: 6664 - istio-io 6665 - rbac-istio-io 6666 kind: ClusterRbacConfig 6667 listKind: ClusterRbacConfigList 6668 plural: clusterrbacconfigs 6669 singular: clusterrbacconfig 6670 scope: Cluster 6671 subresources: 6672 status: {} 6673 validation: 6674 openAPIV3Schema: 6675 properties: 6676 spec: 6677 description: 'See more details at:' 6678 properties: 6679 enforcementMode: 6680 enum: 6681 - ENFORCED 6682 - PERMISSIVE 6683 type: string 6684 exclusion: 6685 description: A list of services or namespaces that should not be enforced 6686 by Istio RBAC policies. 6687 properties: 6688 namespaces: 6689 description: A list of namespaces. 6690 items: 6691 format: string 6692 type: string 6693 type: array 6694 services: 6695 description: A list of services. 6696 items: 6697 format: string 6698 type: string 6699 type: array 6700 type: object 6701 inclusion: 6702 description: A list of services or namespaces that should be enforced 6703 by Istio RBAC policies. 6704 properties: 6705 namespaces: 6706 description: A list of namespaces. 6707 items: 6708 format: string 6709 type: string 6710 type: array 6711 services: 6712 description: A list of services. 6713 items: 6714 format: string 6715 type: string 6716 type: array 6717 type: object 6718 mode: 6719 description: Istio RBAC mode. 6720 enum: 6721 - "OFF" 6722 - "ON" 6723 - ON_WITH_INCLUSION 6724 - ON_WITH_EXCLUSION 6725 type: string 6726 type: object 6727 type: object 6728 versions: 6729 - name: v1alpha1 6730 served: true 6731 storage: true 6732--- 6733 6734 6735apiVersion: apiextensions.k8s.io/v1beta1 6736kind: CustomResourceDefinition 6737metadata: 6738 annotations: 6739 "helm.sh/resource-policy": keep 6740 labels: 6741 app: mixer 6742 chart: istio 6743 heritage: Tiller 6744 istio: rbac 6745 package: istio.io.mixer 6746 release: istio 6747 name: rbacconfigs.rbac.istio.io 6748spec: 6749 group: rbac.istio.io 6750 names: 6751 categories: 6752 - istio-io 6753 - rbac-istio-io 6754 kind: RbacConfig 6755 listKind: RbacConfigList 6756 plural: rbacconfigs 6757 singular: rbacconfig 6758 scope: Namespaced 6759 subresources: 6760 status: {} 6761 validation: 6762 openAPIV3Schema: 6763 properties: 6764 spec: 6765 description: 'See more details at:' 6766 properties: 6767 enforcementMode: 6768 enum: 6769 - ENFORCED 6770 - PERMISSIVE 6771 type: string 6772 exclusion: 6773 description: A list of services or namespaces that should not be enforced 6774 by Istio RBAC policies. 6775 properties: 6776 namespaces: 6777 description: A list of namespaces. 6778 items: 6779 format: string 6780 type: string 6781 type: array 6782 services: 6783 description: A list of services. 6784 items: 6785 format: string 6786 type: string 6787 type: array 6788 type: object 6789 inclusion: 6790 description: A list of services or namespaces that should be enforced 6791 by Istio RBAC policies. 6792 properties: 6793 namespaces: 6794 description: A list of namespaces. 6795 items: 6796 format: string 6797 type: string 6798 type: array 6799 services: 6800 description: A list of services. 6801 items: 6802 format: string 6803 type: string 6804 type: array 6805 type: object 6806 mode: 6807 description: Istio RBAC mode. 6808 enum: 6809 - "OFF" 6810 - "ON" 6811 - ON_WITH_INCLUSION 6812 - ON_WITH_EXCLUSION 6813 type: string 6814 type: object 6815 type: object 6816 versions: 6817 - name: v1alpha1 6818 served: true 6819 storage: true 6820--- 6821 6822 6823apiVersion: apiextensions.k8s.io/v1beta1 6824kind: CustomResourceDefinition 6825metadata: 6826 annotations: 6827 "helm.sh/resource-policy": keep 6828 labels: 6829 app: mixer 6830 chart: istio 6831 heritage: Tiller 6832 istio: rbac 6833 package: istio.io.mixer 6834 release: istio 6835 name: serviceroles.rbac.istio.io 6836spec: 6837 group: rbac.istio.io 6838 names: 6839 categories: 6840 - istio-io 6841 - rbac-istio-io 6842 kind: ServiceRole 6843 listKind: ServiceRoleList 6844 plural: serviceroles 6845 singular: servicerole 6846 scope: Namespaced 6847 subresources: 6848 status: {} 6849 validation: 6850 openAPIV3Schema: 6851 properties: 6852 spec: 6853 description: 'See more details at:' 6854 properties: 6855 rules: 6856 description: The set of access rules (permissions) that the role has. 6857 items: 6858 properties: 6859 constraints: 6860 description: Optional. 6861 items: 6862 properties: 6863 key: 6864 description: Key of the constraint. 6865 format: string 6866 type: string 6867 values: 6868 description: List of valid values for the constraint. 6869 items: 6870 format: string 6871 type: string 6872 type: array 6873 type: object 6874 type: array 6875 hosts: 6876 items: 6877 format: string 6878 type: string 6879 type: array 6880 methods: 6881 description: Optional. 6882 items: 6883 format: string 6884 type: string 6885 type: array 6886 notHosts: 6887 items: 6888 format: string 6889 type: string 6890 type: array 6891 notMethods: 6892 items: 6893 format: string 6894 type: string 6895 type: array 6896 notPaths: 6897 items: 6898 format: string 6899 type: string 6900 type: array 6901 notPorts: 6902 items: 6903 format: int32 6904 type: integer 6905 type: array 6906 paths: 6907 description: Optional. 6908 items: 6909 format: string 6910 type: string 6911 type: array 6912 ports: 6913 items: 6914 format: int32 6915 type: integer 6916 type: array 6917 services: 6918 description: A list of service names. 6919 items: 6920 format: string 6921 type: string 6922 type: array 6923 type: object 6924 type: array 6925 type: object 6926 type: object 6927 versions: 6928 - name: v1alpha1 6929 served: true 6930 storage: true 6931--- 6932 6933 6934apiVersion: apiextensions.k8s.io/v1beta1 6935kind: CustomResourceDefinition 6936metadata: 6937 annotations: 6938 "helm.sh/resource-policy": keep 6939 labels: 6940 app: mixer 6941 chart: istio 6942 heritage: Tiller 6943 istio: rbac 6944 package: istio.io.mixer 6945 release: istio 6946 name: servicerolebindings.rbac.istio.io 6947spec: 6948 additionalPrinterColumns: 6949 - JSONPath: .spec.roleRef.name 6950 description: The name of the ServiceRole object being referenced 6951 name: Reference 6952 type: string 6953 - JSONPath: .metadata.creationTimestamp 6954 description: 'CreationTimestamp is a timestamp representing the server time when 6955 this object was created. It is not guaranteed to be set in happens-before order 6956 across separate operations. Clients may not set this value. It is represented 6957 in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 6958 lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 6959 name: Age 6960 type: date 6961 group: rbac.istio.io 6962 names: 6963 categories: 6964 - istio-io 6965 - rbac-istio-io 6966 kind: ServiceRoleBinding 6967 listKind: ServiceRoleBindingList 6968 plural: servicerolebindings 6969 singular: servicerolebinding 6970 scope: Namespaced 6971 subresources: 6972 status: {} 6973 validation: 6974 openAPIV3Schema: 6975 properties: 6976 spec: 6977 description: 'See more details at:' 6978 properties: 6979 actions: 6980 items: 6981 properties: 6982 constraints: 6983 description: Optional. 6984 items: 6985 properties: 6986 key: 6987 description: Key of the constraint. 6988 format: string 6989 type: string 6990 values: 6991 description: List of valid values for the constraint. 6992 items: 6993 format: string 6994 type: string 6995 type: array 6996 type: object 6997 type: array 6998 hosts: 6999 items: 7000 format: string 7001 type: string 7002 type: array 7003 methods: 7004 description: Optional. 7005 items: 7006 format: string 7007 type: string 7008 type: array 7009 notHosts: 7010 items: 7011 format: string 7012 type: string 7013 type: array 7014 notMethods: 7015 items: 7016 format: string 7017 type: string 7018 type: array 7019 notPaths: 7020 items: 7021 format: string 7022 type: string 7023 type: array 7024 notPorts: 7025 items: 7026 format: int32 7027 type: integer 7028 type: array 7029 paths: 7030 description: Optional. 7031 items: 7032 format: string 7033 type: string 7034 type: array 7035 ports: 7036 items: 7037 format: int32 7038 type: integer 7039 type: array 7040 services: 7041 description: A list of service names. 7042 items: 7043 format: string 7044 type: string 7045 type: array 7046 type: object 7047 type: array 7048 mode: 7049 enum: 7050 - ENFORCED 7051 - PERMISSIVE 7052 type: string 7053 role: 7054 format: string 7055 type: string 7056 roleRef: 7057 description: Reference to the ServiceRole object. 7058 properties: 7059 kind: 7060 description: The type of the role being referenced. 7061 format: string 7062 type: string 7063 name: 7064 description: The name of the ServiceRole object being referenced. 7065 format: string 7066 type: string 7067 type: object 7068 subjects: 7069 description: List of subjects that are assigned the ServiceRole object. 7070 items: 7071 properties: 7072 group: 7073 format: string 7074 type: string 7075 groups: 7076 items: 7077 format: string 7078 type: string 7079 type: array 7080 ips: 7081 items: 7082 format: string 7083 type: string 7084 type: array 7085 names: 7086 items: 7087 format: string 7088 type: string 7089 type: array 7090 namespaces: 7091 items: 7092 format: string 7093 type: string 7094 type: array 7095 notGroups: 7096 items: 7097 format: string 7098 type: string 7099 type: array 7100 notIps: 7101 items: 7102 format: string 7103 type: string 7104 type: array 7105 notNames: 7106 items: 7107 format: string 7108 type: string 7109 type: array 7110 notNamespaces: 7111 items: 7112 format: string 7113 type: string 7114 type: array 7115 properties: 7116 additionalProperties: 7117 format: string 7118 type: string 7119 description: Optional. 7120 type: object 7121 user: 7122 description: Optional. 7123 format: string 7124 type: string 7125 type: object 7126 type: array 7127 type: object 7128 type: object 7129 versions: 7130 - name: v1alpha1 7131 served: true 7132 storage: true 7133--- 7134 7135 7136apiVersion: apiextensions.k8s.io/v1beta1 7137kind: CustomResourceDefinition 7138metadata: 7139 annotations: 7140 "helm.sh/resource-policy": keep 7141 labels: 7142 app: istio-pilot 7143 chart: istio 7144 heritage: Tiller 7145 istio: security 7146 release: istio 7147 name: authorizationpolicies.security.istio.io 7148spec: 7149 group: security.istio.io 7150 names: 7151 categories: 7152 - istio-io 7153 - security-istio-io 7154 kind: AuthorizationPolicy 7155 listKind: AuthorizationPolicyList 7156 plural: authorizationpolicies 7157 singular: authorizationpolicy 7158 scope: Namespaced 7159 subresources: 7160 status: {} 7161 validation: 7162 openAPIV3Schema: 7163 properties: 7164 spec: 7165 description: 'Configuration for access control on workloads. See more details 7166 at: https://istio.io/docs/reference/config/security/authorization-policy.html' 7167 properties: 7168 action: 7169 description: Optional. 7170 enum: 7171 - ALLOW 7172 - DENY 7173 type: string 7174 rules: 7175 description: Optional. 7176 items: 7177 properties: 7178 from: 7179 description: Optional. 7180 items: 7181 properties: 7182 source: 7183 description: Source specifies the source of a request. 7184 properties: 7185 ipBlocks: 7186 description: Optional. 7187 items: 7188 format: string 7189 type: string 7190 type: array 7191 namespaces: 7192 description: Optional. 7193 items: 7194 format: string 7195 type: string 7196 type: array 7197 notIpBlocks: 7198 description: Optional. 7199 items: 7200 format: string 7201 type: string 7202 type: array 7203 notNamespaces: 7204 description: Optional. 7205 items: 7206 format: string 7207 type: string 7208 type: array 7209 notPrincipals: 7210 description: Optional. 7211 items: 7212 format: string 7213 type: string 7214 type: array 7215 notRequestPrincipals: 7216 description: Optional. 7217 items: 7218 format: string 7219 type: string 7220 type: array 7221 principals: 7222 description: Optional. 7223 items: 7224 format: string 7225 type: string 7226 type: array 7227 requestPrincipals: 7228 description: Optional. 7229 items: 7230 format: string 7231 type: string 7232 type: array 7233 type: object 7234 type: object 7235 type: array 7236 to: 7237 description: Optional. 7238 items: 7239 properties: 7240 operation: 7241 description: Operation specifies the operation of a request. 7242 properties: 7243 hosts: 7244 description: Optional. 7245 items: 7246 format: string 7247 type: string 7248 type: array 7249 methods: 7250 description: Optional. 7251 items: 7252 format: string 7253 type: string 7254 type: array 7255 notHosts: 7256 description: Optional. 7257 items: 7258 format: string 7259 type: string 7260 type: array 7261 notMethods: 7262 description: Optional. 7263 items: 7264 format: string 7265 type: string 7266 type: array 7267 notPaths: 7268 description: Optional. 7269 items: 7270 format: string 7271 type: string 7272 type: array 7273 notPorts: 7274 description: Optional. 7275 items: 7276 format: string 7277 type: string 7278 type: array 7279 paths: 7280 description: Optional. 7281 items: 7282 format: string 7283 type: string 7284 type: array 7285 ports: 7286 description: Optional. 7287 items: 7288 format: string 7289 type: string 7290 type: array 7291 type: object 7292 type: object 7293 type: array 7294 when: 7295 description: Optional. 7296 items: 7297 properties: 7298 key: 7299 description: The name of an Istio attribute. 7300 format: string 7301 type: string 7302 notValues: 7303 description: Optional. 7304 items: 7305 format: string 7306 type: string 7307 type: array 7308 values: 7309 description: Optional. 7310 items: 7311 format: string 7312 type: string 7313 type: array 7314 type: object 7315 type: array 7316 type: object 7317 type: array 7318 selector: 7319 description: Optional. 7320 properties: 7321 matchLabels: 7322 additionalProperties: 7323 format: string 7324 type: string 7325 type: object 7326 type: object 7327 type: object 7328 type: object 7329 versions: 7330 - name: v1beta1 7331 served: true 7332 storage: true 7333--- 7334 7335 7336apiVersion: apiextensions.k8s.io/v1beta1 7337kind: CustomResourceDefinition 7338metadata: 7339 annotations: 7340 "helm.sh/resource-policy": keep 7341 labels: 7342 app: istio-pilot 7343 chart: istio 7344 heritage: Tiller 7345 istio: security 7346 release: istio 7347 name: peerauthentications.security.istio.io 7348spec: 7349 group: security.istio.io 7350 names: 7351 categories: 7352 - istio-io 7353 - security-istio-io 7354 kind: PeerAuthentication 7355 listKind: PeerAuthenticationList 7356 plural: peerauthentications 7357 shortNames: 7358 - pa 7359 singular: peerauthentication 7360 scope: Namespaced 7361 subresources: 7362 status: {} 7363 validation: 7364 openAPIV3Schema: 7365 properties: 7366 spec: 7367 description: PeerAuthentication defines how traffic will be tunneled (or 7368 not) to the sidecar. 7369 properties: 7370 mtls: 7371 description: Mutual TLS settings for workload. 7372 properties: 7373 mode: 7374 description: Defines the mTLS mode used for peer authentication. 7375 enum: 7376 - UNSET 7377 - DISABLE 7378 - PERMISSIVE 7379 - STRICT 7380 type: string 7381 type: object 7382 portLevelMtls: 7383 additionalProperties: 7384 properties: 7385 mode: 7386 description: Defines the mTLS mode used for peer authentication. 7387 enum: 7388 - UNSET 7389 - DISABLE 7390 - PERMISSIVE 7391 - STRICT 7392 type: string 7393 type: object 7394 description: Port specific mutual TLS settings. 7395 type: object 7396 selector: 7397 description: The selector determines the workloads to apply the ChannelAuthentication 7398 on. 7399 properties: 7400 matchLabels: 7401 additionalProperties: 7402 format: string 7403 type: string 7404 type: object 7405 type: object 7406 type: object 7407 type: object 7408 versions: 7409 - name: v1beta1 7410 served: true 7411 storage: true 7412--- 7413 7414 7415apiVersion: apiextensions.k8s.io/v1beta1 7416kind: CustomResourceDefinition 7417metadata: 7418 annotations: 7419 "helm.sh/resource-policy": keep 7420 labels: 7421 app: istio-pilot 7422 chart: istio 7423 heritage: Tiller 7424 istio: security 7425 release: istio 7426 name: requestauthentications.security.istio.io 7427spec: 7428 group: security.istio.io 7429 names: 7430 categories: 7431 - istio-io 7432 - security-istio-io 7433 kind: RequestAuthentication 7434 listKind: RequestAuthenticationList 7435 plural: requestauthentications 7436 shortNames: 7437 - ra 7438 singular: requestauthentication 7439 scope: Namespaced 7440 subresources: 7441 status: {} 7442 validation: 7443 openAPIV3Schema: 7444 properties: 7445 spec: 7446 description: RequestAuthentication defines what request authentication methods 7447 are supported by a workload. 7448 properties: 7449 jwtRules: 7450 description: Define the list of JWTs that can be validated at the selected 7451 workloads' proxy. 7452 items: 7453 properties: 7454 audiences: 7455 items: 7456 format: string 7457 type: string 7458 type: array 7459 forwardOriginalToken: 7460 description: If set to true, the orginal token will be kept for 7461 the ustream request. 7462 type: boolean 7463 fromHeaders: 7464 description: List of header locations from which JWT is expected. 7465 items: 7466 properties: 7467 name: 7468 description: The HTTP header name. 7469 format: string 7470 type: string 7471 prefix: 7472 description: The prefix that should be stripped before decoding 7473 the token. 7474 format: string 7475 type: string 7476 type: object 7477 type: array 7478 fromParams: 7479 description: List of query parameters from which JWT is expected. 7480 items: 7481 format: string 7482 type: string 7483 type: array 7484 issuer: 7485 description: Identifies the issuer that issued the JWT. 7486 format: string 7487 type: string 7488 jwks: 7489 description: JSON Web Key Set of public keys to validate signature 7490 of the JWT. 7491 format: string 7492 type: string 7493 jwks_uri: 7494 format: string 7495 type: string 7496 jwksUri: 7497 format: string 7498 type: string 7499 outputPayloadToHeader: 7500 format: string 7501 type: string 7502 type: object 7503 type: array 7504 selector: 7505 description: The selector determines the workloads to apply the RequestAuthentication 7506 on. 7507 properties: 7508 matchLabels: 7509 additionalProperties: 7510 format: string 7511 type: string 7512 type: object 7513 type: object 7514 type: object 7515 type: object 7516 versions: 7517 - name: v1beta1 7518 served: true 7519 storage: true 7520--- 7521 7522 7523kind: CustomResourceDefinition 7524apiVersion: apiextensions.k8s.io/v1beta1 7525metadata: 7526 name: adapters.config.istio.io 7527 labels: 7528 app: mixer 7529 package: adapter 7530 istio: mixer-adapter 7531 chart: istio 7532 heritage: Tiller 7533 release: istio 7534 annotations: 7535 "helm.sh/resource-policy": keep 7536spec: 7537 group: config.istio.io 7538 names: 7539 kind: adapter 7540 plural: adapters 7541 singular: adapter 7542 categories: 7543 - istio-io 7544 - policy-istio-io 7545 scope: Namespaced 7546 subresources: 7547 status: {} 7548 versions: 7549 - name: v1alpha2 7550 served: true 7551 storage: true 7552--- 7553 7554 7555kind: CustomResourceDefinition 7556apiVersion: apiextensions.k8s.io/v1beta1 7557metadata: 7558 name: templates.config.istio.io 7559 labels: 7560 app: mixer 7561 package: template 7562 istio: mixer-template 7563 chart: istio 7564 heritage: Tiller 7565 release: istio 7566 annotations: 7567 "helm.sh/resource-policy": keep 7568spec: 7569 group: config.istio.io 7570 names: 7571 kind: template 7572 plural: templates 7573 singular: template 7574 categories: 7575 - istio-io 7576 - policy-istio-io 7577 scope: Namespaced 7578 subresources: 7579 status: {} 7580 versions: 7581 - name: v1alpha2 7582 served: true 7583 storage: true 7584--- 7585 7586 7587apiVersion: apiextensions.k8s.io/v1beta1 7588kind: CustomResourceDefinition 7589metadata: 7590 name: istiooperators.install.istio.io 7591 labels: 7592 release: istio 7593spec: 7594 additionalPrinterColumns: 7595 - JSONPath: .spec.revision 7596 description: Istio control plane revision 7597 name: Revision 7598 type: string 7599 - JSONPath: .metadata.creationTimestamp 7600 description: 'CreationTimestamp is a timestamp representing the server time when 7601 this object was created. It is not guaranteed to be set in happens-before order 7602 across separate operations. Clients may not set this value. It is represented 7603 in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for 7604 lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' 7605 name: Age 7606 type: date 7607 group: install.istio.io 7608 names: 7609 kind: IstioOperator 7610 plural: istiooperators 7611 singular: istiooperator 7612 shortNames: 7613 - iop 7614 scope: Namespaced 7615 subresources: 7616 status: {} 7617 validation: 7618 openAPIV3Schema: 7619 properties: 7620 apiVersion: 7621 description: 'APIVersion defines the versioned schema of this representation 7622 of an object. Servers should convert recognized schemas to the latest 7623 internal value, and may reject unrecognized values. 7624 More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' 7625 type: string 7626 kind: 7627 description: 'Kind is a string value representing the REST resource this 7628 object represents. Servers may infer this from the endpoint the client 7629 submits requests to. Cannot be updated. In CamelCase. 7630 More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 7631 type: string 7632 spec: 7633 description: 'Specification of the desired state of the istio control plane resource. 7634 More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' 7635 type: object 7636 status: 7637 description: 'Status describes each of istio control plane component status at the current time. 7638 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. 7639 More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & 7640 https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' 7641 type: object 7642 versions: 7643 - name: v1alpha1 7644 served: true 7645 storage: true 7646--- 7647 7648 7649apiVersion: v1 7650kind: ServiceAccount 7651metadata: 7652 name: istio-reader-service-account 7653 namespace: istio-system 7654 labels: 7655 app: istio-reader 7656 release: istio 7657--- 7658 7659 7660apiVersion: v1 7661kind: ServiceAccount 7662metadata: 7663 name: istio-pilot-service-account 7664 namespace: istio-system 7665 labels: 7666 app: pilot 7667 release: istio 7668--- 7669 7670 7671apiVersion: admissionregistration.k8s.io/v1beta1 7672kind: ValidatingWebhookConfiguration 7673metadata: 7674 name: istiod-istio-system 7675 labels: 7676 app: istiod 7677 release: istio 7678 istio: istiod 7679webhooks: 7680 - name: validation.istio.io 7681 clientConfig: 7682 service: 7683 name: istiod 7684 namespace: istio-system 7685 path: "/validate" 7686 caBundle: "" # patched at runtime when the webhook is ready. 7687 rules: 7688 - operations: 7689 - CREATE 7690 - UPDATE 7691 apiGroups: 7692 - config.istio.io 7693 - rbac.istio.io 7694 - security.istio.io 7695 - authentication.istio.io 7696 - networking.istio.io 7697 apiVersions: 7698 - "*" 7699 resources: 7700 - "*" 7701 # Fail open until the validation webhook is ready. The webhook controller 7702 # will update this to `Fail` and patch in the `caBundle` when the webhook 7703 # endpoint is ready. 7704 failurePolicy: Ignore 7705 sideEffects: None 7706--- 7707 7708# Cni component is disabled. 7709 7710# Resources for EgressGateways component 7711 7712apiVersion: autoscaling/v2beta1 7713kind: HorizontalPodAutoscaler 7714metadata: 7715 name: istio-egressgateway 7716 namespace: istio-system 7717 labels: 7718 app: istio-egressgateway 7719 istio: egressgateway 7720 release: istio 7721spec: 7722 maxReplicas: 5 7723 minReplicas: 1 7724 scaleTargetRef: 7725 apiVersion: apps/v1 7726 kind: Deployment 7727 name: istio-egressgateway 7728 metrics: 7729 - type: Resource 7730 resource: 7731 name: cpu 7732 targetAverageUtilization: 80 7733--- 7734 7735 7736apiVersion: apps/v1 7737kind: Deployment 7738metadata: 7739 name: istio-egressgateway 7740 namespace: istio-system 7741 labels: 7742 app: istio-egressgateway 7743 istio: egressgateway 7744 release: istio 7745spec: 7746 selector: 7747 matchLabels: 7748 app: istio-egressgateway 7749 istio: egressgateway 7750 strategy: 7751 rollingUpdate: 7752 maxSurge: 100% 7753 maxUnavailable: 25% 7754 template: 7755 metadata: 7756 labels: 7757 app: istio-egressgateway 7758 istio: egressgateway 7759 heritage: Tiller 7760 release: istio 7761 chart: gateways 7762 service.istio.io/canonical-name: istio-egressgateway 7763 service.istio.io/canonical-revision: latest 7764 annotations: 7765 sidecar.istio.io/inject: "false" 7766 spec: 7767 serviceAccountName: istio-egressgateway-service-account 7768 containers: 7769 - name: istio-proxy 7770 image: "gcr.io/istio-testing/proxyv2:latest" 7771 ports: 7772 - containerPort: 80 7773 - containerPort: 443 7774 - containerPort: 15443 7775 - containerPort: 15090 7776 protocol: TCP 7777 name: http-envoy-prom 7778 args: 7779 - proxy 7780 - router 7781 - --domain 7782 - $(POD_NAMESPACE).svc.cluster.local 7783 - --proxyLogLevel=warning 7784 - --proxyComponentLogLevel=misc:error 7785 - --log_output_level=default:info 7786 - --serviceCluster 7787 - istio-egressgateway 7788 - --trust-domain=cluster.local 7789 readinessProbe: 7790 failureThreshold: 30 7791 httpGet: 7792 path: /healthz/ready 7793 port: 15020 7794 scheme: HTTP 7795 initialDelaySeconds: 1 7796 periodSeconds: 2 7797 successThreshold: 1 7798 timeoutSeconds: 1 7799 resources: 7800 limits: 7801 cpu: 2000m 7802 memory: 1024Mi 7803 requests: 7804 cpu: 100m 7805 memory: 128Mi 7806 env: 7807 - name: JWT_POLICY 7808 value: third-party-jwt 7809 - name: PILOT_CERT_PROVIDER 7810 value: istiod 7811 - name: NODE_NAME 7812 valueFrom: 7813 fieldRef: 7814 apiVersion: v1 7815 fieldPath: spec.nodeName 7816 - name: POD_NAME 7817 valueFrom: 7818 fieldRef: 7819 apiVersion: v1 7820 fieldPath: metadata.name 7821 - name: POD_NAMESPACE 7822 valueFrom: 7823 fieldRef: 7824 apiVersion: v1 7825 fieldPath: metadata.namespace 7826 - name: INSTANCE_IP 7827 valueFrom: 7828 fieldRef: 7829 apiVersion: v1 7830 fieldPath: status.podIP 7831 - name: HOST_IP 7832 valueFrom: 7833 fieldRef: 7834 apiVersion: v1 7835 fieldPath: status.hostIP 7836 - name: SERVICE_ACCOUNT 7837 valueFrom: 7838 fieldRef: 7839 fieldPath: spec.serviceAccountName 7840 - name: ISTIO_META_WORKLOAD_NAME 7841 value: istio-egressgateway 7842 - name: ISTIO_META_OWNER 7843 value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-egressgateway 7844 - name: ISTIO_META_MESH_ID 7845 value: "cluster.local" 7846 - name: ISTIO_META_ROUTER_MODE 7847 value: sni-dnat 7848 7849 - name: ISTIO_META_CLUSTER_ID 7850 value: "Kubernetes" 7851 volumeMounts: 7852 - name: config-volume 7853 mountPath: /etc/istio/config 7854 - mountPath: /var/run/secrets/istio 7855 name: istiod-ca-cert 7856 - name: istio-token 7857 mountPath: /var/run/secrets/tokens 7858 readOnly: true 7859 - name: podinfo 7860 mountPath: /etc/istio/pod 7861 - name: egressgateway-certs 7862 mountPath: "/etc/istio/egressgateway-certs" 7863 readOnly: true 7864 - name: egressgateway-ca-certs 7865 mountPath: "/etc/istio/egressgateway-ca-certs" 7866 readOnly: true 7867 volumes: 7868 - name: istiod-ca-cert 7869 configMap: 7870 name: istio-ca-root-cert 7871 - name: podinfo 7872 downwardAPI: 7873 items: 7874 - path: "labels" 7875 fieldRef: 7876 fieldPath: metadata.labels 7877 - path: "annotations" 7878 fieldRef: 7879 fieldPath: metadata.annotations 7880 - name: istio-token 7881 projected: 7882 sources: 7883 - serviceAccountToken: 7884 path: istio-token 7885 expirationSeconds: 43200 7886 audience: istio-ca 7887 - name: config-volume 7888 configMap: 7889 name: istio 7890 optional: true 7891 - name: egressgateway-certs 7892 secret: 7893 secretName: "istio-egressgateway-certs" 7894 optional: true 7895 - name: egressgateway-ca-certs 7896 secret: 7897 secretName: "istio-egressgateway-ca-certs" 7898 optional: true 7899 affinity: 7900 nodeAffinity: 7901 requiredDuringSchedulingIgnoredDuringExecution: 7902 nodeSelectorTerms: 7903 - matchExpressions: 7904 - key: beta.kubernetes.io/arch 7905 operator: In 7906 values: 7907 - "amd64" 7908 - "ppc64le" 7909 - "s390x" 7910 preferredDuringSchedulingIgnoredDuringExecution: 7911 - weight: 2 7912 preference: 7913 matchExpressions: 7914 - key: beta.kubernetes.io/arch 7915 operator: In 7916 values: 7917 - "amd64" 7918 - weight: 2 7919 preference: 7920 matchExpressions: 7921 - key: beta.kubernetes.io/arch 7922 operator: In 7923 values: 7924 - "ppc64le" 7925 - weight: 2 7926 preference: 7927 matchExpressions: 7928 - key: beta.kubernetes.io/arch 7929 operator: In 7930 values: 7931 - "s390x" 7932--- 7933 7934 7935apiVersion: policy/v1beta1 7936kind: PodDisruptionBudget 7937metadata: 7938 name: istio-egressgateway 7939 namespace: istio-system 7940 labels: 7941 app: istio-egressgateway 7942 istio: egressgateway 7943 release: istio 7944spec: 7945 minAvailable: 1 7946 selector: 7947 matchLabels: 7948 app: istio-egressgateway 7949 istio: egressgateway 7950 release: istio 7951--- 7952 7953 7954apiVersion: v1 7955kind: Service 7956metadata: 7957 name: istio-egressgateway 7958 namespace: istio-system 7959 annotations: 7960 labels: 7961 app: istio-egressgateway 7962 istio: egressgateway 7963 release: istio 7964spec: 7965 type: ClusterIP 7966 selector: 7967 app: istio-egressgateway 7968 istio: egressgateway 7969 ports: 7970 - 7971 name: http2 7972 port: 80 7973 - 7974 name: https 7975 port: 443 7976 - 7977 name: tls 7978 port: 15443 7979 targetPort: 15443 7980--- 7981 7982 7983apiVersion: v1 7984kind: ServiceAccount 7985metadata: 7986 name: istio-egressgateway-service-account 7987 namespace: istio-system 7988 labels: 7989 app: istio-egressgateway 7990 istio: egressgateway 7991 release: istio 7992--- 7993 7994# Resources for IngressGateways component 7995 7996apiVersion: autoscaling/v2beta1 7997kind: HorizontalPodAutoscaler 7998metadata: 7999 name: istio-ingressgateway 8000 namespace: istio-system 8001 labels: 8002 app: istio-ingressgateway 8003 istio: ingressgateway 8004 release: istio 8005spec: 8006 maxReplicas: 5 8007 minReplicas: 1 8008 scaleTargetRef: 8009 apiVersion: apps/v1 8010 kind: Deployment 8011 name: istio-ingressgateway 8012 metrics: 8013 - type: Resource 8014 resource: 8015 name: cpu 8016 targetAverageUtilization: 80 8017--- 8018 8019 8020apiVersion: apps/v1 8021kind: Deployment 8022metadata: 8023 name: istio-ingressgateway 8024 namespace: istio-system 8025 labels: 8026 app: istio-ingressgateway 8027 istio: ingressgateway 8028 release: istio 8029spec: 8030 selector: 8031 matchLabels: 8032 app: istio-ingressgateway 8033 istio: ingressgateway 8034 strategy: 8035 rollingUpdate: 8036 maxSurge: 100% 8037 maxUnavailable: 25% 8038 template: 8039 metadata: 8040 labels: 8041 app: istio-ingressgateway 8042 istio: ingressgateway 8043 heritage: Tiller 8044 release: istio 8045 chart: gateways 8046 service.istio.io/canonical-name: istio-ingressgateway 8047 service.istio.io/canonical-revision: latest 8048 annotations: 8049 sidecar.istio.io/inject: "false" 8050 spec: 8051 serviceAccountName: istio-ingressgateway-service-account 8052 containers: 8053 - name: istio-proxy 8054 image: "gcr.io/istio-testing/proxyv2:latest" 8055 ports: 8056 - containerPort: 15020 8057 - containerPort: 8080 8058 - containerPort: 8443 8059 - containerPort: 15443 8060 - containerPort: 15011 8061 - containerPort: 15012 8062 - containerPort: 8060 8063 - containerPort: 853 8064 - containerPort: 15090 8065 protocol: TCP 8066 name: http-envoy-prom 8067 args: 8068 - proxy 8069 - router 8070 - --domain 8071 - $(POD_NAMESPACE).svc.cluster.local 8072 - --proxyLogLevel=warning 8073 - --proxyComponentLogLevel=misc:error 8074 - --log_output_level=default:info 8075 - --serviceCluster 8076 - istio-ingressgateway 8077 - --trust-domain=cluster.local 8078 readinessProbe: 8079 failureThreshold: 30 8080 httpGet: 8081 path: /healthz/ready 8082 port: 15020 8083 scheme: HTTP 8084 initialDelaySeconds: 1 8085 periodSeconds: 2 8086 successThreshold: 1 8087 timeoutSeconds: 1 8088 resources: 8089 limits: 8090 cpu: 2000m 8091 memory: 1024Mi 8092 requests: 8093 cpu: 100m 8094 memory: 128Mi 8095 env: 8096 - name: JWT_POLICY 8097 value: third-party-jwt 8098 - name: PILOT_CERT_PROVIDER 8099 value: istiod 8100 - name: CA_ADDR 8101 value: istiod.istio-system.svc:15012 8102 - name: NODE_NAME 8103 valueFrom: 8104 fieldRef: 8105 apiVersion: v1 8106 fieldPath: spec.nodeName 8107 - name: POD_NAME 8108 valueFrom: 8109 fieldRef: 8110 apiVersion: v1 8111 fieldPath: metadata.name 8112 - name: POD_NAMESPACE 8113 valueFrom: 8114 fieldRef: 8115 apiVersion: v1 8116 fieldPath: metadata.namespace 8117 - name: INSTANCE_IP 8118 valueFrom: 8119 fieldRef: 8120 apiVersion: v1 8121 fieldPath: status.podIP 8122 - name: HOST_IP 8123 valueFrom: 8124 fieldRef: 8125 apiVersion: v1 8126 fieldPath: status.hostIP 8127 - name: SERVICE_ACCOUNT 8128 valueFrom: 8129 fieldRef: 8130 fieldPath: spec.serviceAccountName 8131 - name: ISTIO_META_WORKLOAD_NAME 8132 value: istio-ingressgateway 8133 - name: ISTIO_META_OWNER 8134 value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway 8135 - name: ISTIO_META_MESH_ID 8136 value: "cluster.local" 8137 - name: ISTIO_META_ROUTER_MODE 8138 value: sni-dnat 8139 8140 - name: ISTIO_META_CLUSTER_ID 8141 value: "Kubernetes" 8142 volumeMounts: 8143 - name: config-volume 8144 mountPath: /etc/istio/config 8145 - mountPath: /var/run/secrets/istio 8146 name: istiod-ca-cert 8147 - name: istio-token 8148 mountPath: /var/run/secrets/tokens 8149 readOnly: true 8150 - name: ingressgatewaysdsudspath 8151 mountPath: /var/run/ingress_gateway 8152 - name: podinfo 8153 mountPath: /etc/istio/pod 8154 - name: ingressgateway-certs 8155 mountPath: "/etc/istio/ingressgateway-certs" 8156 readOnly: true 8157 - name: ingressgateway-ca-certs 8158 mountPath: "/etc/istio/ingressgateway-ca-certs" 8159 readOnly: true 8160 volumes: 8161 - name: istiod-ca-cert 8162 configMap: 8163 name: istio-ca-root-cert 8164 - name: podinfo 8165 downwardAPI: 8166 items: 8167 - path: "labels" 8168 fieldRef: 8169 fieldPath: metadata.labels 8170 - path: "annotations" 8171 fieldRef: 8172 fieldPath: metadata.annotations 8173 - name: ingressgatewaysdsudspath 8174 emptyDir: {} 8175 - name: istio-token 8176 projected: 8177 sources: 8178 - serviceAccountToken: 8179 path: istio-token 8180 expirationSeconds: 43200 8181 audience: istio-ca 8182 - name: config-volume 8183 configMap: 8184 name: istio 8185 optional: true 8186 - name: ingressgateway-certs 8187 secret: 8188 secretName: "istio-ingressgateway-certs" 8189 optional: true 8190 - name: ingressgateway-ca-certs 8191 secret: 8192 secretName: "istio-ingressgateway-ca-certs" 8193 optional: true 8194 affinity: 8195 nodeAffinity: 8196 requiredDuringSchedulingIgnoredDuringExecution: 8197 nodeSelectorTerms: 8198 - matchExpressions: 8199 - key: beta.kubernetes.io/arch 8200 operator: In 8201 values: 8202 - "amd64" 8203 - "ppc64le" 8204 - "s390x" 8205 preferredDuringSchedulingIgnoredDuringExecution: 8206 - weight: 2 8207 preference: 8208 matchExpressions: 8209 - key: beta.kubernetes.io/arch 8210 operator: In 8211 values: 8212 - "amd64" 8213 - weight: 2 8214 preference: 8215 matchExpressions: 8216 - key: beta.kubernetes.io/arch 8217 operator: In 8218 values: 8219 - "ppc64le" 8220 - weight: 2 8221 preference: 8222 matchExpressions: 8223 - key: beta.kubernetes.io/arch 8224 operator: In 8225 values: 8226 - "s390x" 8227--- 8228 8229 8230apiVersion: policy/v1beta1 8231kind: PodDisruptionBudget 8232metadata: 8233 name: istio-ingressgateway 8234 namespace: istio-system 8235 labels: 8236 app: istio-ingressgateway 8237 istio: ingressgateway 8238 release: istio 8239spec: 8240 minAvailable: 1 8241 selector: 8242 matchLabels: 8243 app: istio-ingressgateway 8244 istio: ingressgateway 8245 release: istio 8246--- 8247 8248 8249apiVersion: rbac.authorization.k8s.io/v1 8250kind: Role 8251metadata: 8252 name: istio-ingressgateway-sds 8253 namespace: istio-system 8254 labels: 8255 release: istio 8256rules: 8257- apiGroups: [""] 8258 resources: ["secrets"] 8259 verbs: ["get", "watch", "list"] 8260--- 8261 8262 8263apiVersion: rbac.authorization.k8s.io/v1 8264kind: RoleBinding 8265metadata: 8266 name: istio-ingressgateway-sds 8267 namespace: istio-system 8268 labels: 8269 release: istio 8270roleRef: 8271 apiGroup: rbac.authorization.k8s.io 8272 kind: Role 8273 name: istio-ingressgateway-sds 8274subjects: 8275- kind: ServiceAccount 8276 name: istio-ingressgateway-service-account 8277--- 8278 8279 8280apiVersion: v1 8281kind: Service 8282metadata: 8283 name: istio-ingressgateway 8284 namespace: istio-system 8285 annotations: 8286 labels: 8287 app: istio-ingressgateway 8288 istio: ingressgateway 8289 release: istio 8290spec: 8291 type: LoadBalancer 8292 selector: 8293 app: istio-ingressgateway 8294 istio: ingressgateway 8295 ports: 8296 - 8297 name: status-port 8298 port: 15020 8299 targetPort: 15020 8300 - 8301 name: http2 8302 port: 80 8303 targetPort: 8080 8304 - 8305 name: https 8306 port: 443 8307 targetPort: 8443 8308 - 8309 name: tls 8310 port: 15443 8311 targetPort: 15443 8312--- 8313 8314 8315apiVersion: v1 8316kind: ServiceAccount 8317metadata: 8318 name: istio-ingressgateway-service-account 8319 namespace: istio-system 8320 labels: 8321 app: istio-ingressgateway 8322 istio: ingressgateway 8323 release: istio 8324--- 8325 8326# IstiodRemote component is disabled. 8327 8328# Resources for Pilot component 8329 8330apiVersion: autoscaling/v2beta1 8331kind: HorizontalPodAutoscaler 8332metadata: 8333 name: istiod 8334 namespace: istio-system 8335 labels: 8336 app: istiod 8337 release: istio 8338 istio.io/rev: default 8339spec: 8340 maxReplicas: 5 8341 minReplicas: 1 8342 scaleTargetRef: 8343 apiVersion: apps/v1 8344 kind: Deployment 8345 name: istiod 8346 metrics: 8347 - type: Resource 8348 resource: 8349 name: cpu 8350 targetAverageUtilization: 80 8351--- 8352 8353 8354apiVersion: v1 8355kind: ConfigMap 8356metadata: 8357 name: istio 8358 namespace: istio-system 8359 labels: 8360 istio.io/rev: default 8361 release: istio 8362data: 8363 8364 # Configuration file for the mesh networks to be used by the Split Horizon EDS. 8365 meshNetworks: |- 8366 networks: {} 8367 8368 mesh: |- 8369 accessLogEncoding: TEXT 8370 accessLogFile: "" 8371 accessLogFormat: "" 8372 defaultConfig: 8373 concurrency: 2 8374 configPath: ./etc/istio/proxy 8375 connectTimeout: 10s 8376 controlPlaneAuthPolicy: NONE 8377 discoveryAddress: istiod.istio-system.svc:15012 8378 drainDuration: 45s 8379 parentShutdownDuration: 1m0s 8380 proxyAdminPort: 15000 8381 proxyMetadata: 8382 DNS_AGENT: "" 8383 serviceCluster: istio-proxy 8384 tracing: 8385 zipkin: 8386 address: zipkin.istio-system:9411 8387 disableMixerHttpReports: true 8388 disablePolicyChecks: true 8389 enableAutoMtls: true 8390 enablePrometheusMerge: false 8391 enableTracing: true 8392 ingressClass: istio 8393 ingressControllerMode: STRICT 8394 ingressService: istio-ingressgateway 8395 localityLbSetting: 8396 enabled: true 8397 mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004 8398 outboundTrafficPolicy: 8399 mode: ALLOW_ANY 8400 policyCheckFailOpen: false 8401 protocolDetectionTimeout: 100ms 8402 reportBatchMaxEntries: 100 8403 reportBatchMaxTime: 1s 8404 sdsUdsPath: unix:/etc/istio/proxy/SDS 8405 trustDomain: cluster.local 8406 trustDomainAliases: null 8407--- 8408 8409 8410apiVersion: apps/v1 8411kind: Deployment 8412metadata: 8413 labels: 8414 app: istiod 8415 istio: pilot 8416 istio.io/rev: default 8417 release: istio 8418 name: istiod 8419 namespace: istio-system 8420spec: 8421 selector: 8422 matchLabels: 8423 istio: pilot 8424 strategy: 8425 rollingUpdate: 8426 maxSurge: 100% 8427 maxUnavailable: 25% 8428 template: 8429 metadata: 8430 annotations: 8431 sidecar.istio.io/inject: "false" 8432 labels: 8433 app: istiod 8434 istio: pilot 8435 istio.io/rev: default 8436 spec: 8437 containers: 8438 - args: 8439 - discovery 8440 - --monitoringAddr=:15014 8441 - --log_output_level=default:info 8442 - --domain 8443 - cluster.local 8444 - --trust-domain=cluster.local 8445 - --keepaliveMaxServerConnectionAge 8446 - 30m 8447 env: 8448 - name: REVISION 8449 value: default 8450 - name: JWT_POLICY 8451 value: third-party-jwt 8452 - name: PILOT_CERT_PROVIDER 8453 value: istiod 8454 - name: POD_NAME 8455 valueFrom: 8456 fieldRef: 8457 apiVersion: v1 8458 fieldPath: metadata.name 8459 - name: POD_NAMESPACE 8460 valueFrom: 8461 fieldRef: 8462 apiVersion: v1 8463 fieldPath: metadata.namespace 8464 - name: SERVICE_ACCOUNT 8465 valueFrom: 8466 fieldRef: 8467 apiVersion: v1 8468 fieldPath: spec.serviceAccountName 8469 - name: PILOT_TRACE_SAMPLING 8470 value: "1" 8471 - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND 8472 value: "true" 8473 - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND 8474 value: "true" 8475 - name: INJECTION_WEBHOOK_CONFIG_NAME 8476 value: istio-sidecar-injector 8477 - name: ISTIOD_ADDR 8478 value: istiod.istio-system.svc:15012 8479 - name: PILOT_ENABLE_ANALYSIS 8480 value: "false" 8481 - name: CLUSTER_ID 8482 value: Kubernetes 8483 image: gcr.io/istio-testing/pilot:latest 8484 name: discovery 8485 ports: 8486 - containerPort: 8080 8487 - containerPort: 15010 8488 - containerPort: 15017 8489 - containerPort: 15053 8490 readinessProbe: 8491 httpGet: 8492 path: /ready 8493 port: 8080 8494 initialDelaySeconds: 1 8495 periodSeconds: 3 8496 timeoutSeconds: 5 8497 resources: 8498 requests: 8499 cpu: 500m 8500 memory: 2048Mi 8501 securityContext: 8502 capabilities: 8503 drop: 8504 - ALL 8505 runAsGroup: 1337 8506 runAsNonRoot: true 8507 runAsUser: 1337 8508 volumeMounts: 8509 - mountPath: /etc/istio/config 8510 name: config-volume 8511 - mountPath: /var/run/secrets/tokens 8512 name: istio-token 8513 readOnly: true 8514 - mountPath: /var/run/secrets/istio-dns 8515 name: local-certs 8516 - mountPath: /etc/cacerts 8517 name: cacerts 8518 readOnly: true 8519 - mountPath: /var/lib/istio/inject 8520 name: inject 8521 readOnly: true 8522 securityContext: 8523 fsGroup: 1337 8524 serviceAccountName: istio-pilot-service-account 8525 volumes: 8526 - emptyDir: 8527 medium: Memory 8528 name: local-certs 8529 - name: istio-token 8530 projected: 8531 sources: 8532 - serviceAccountToken: 8533 audience: istio-ca 8534 expirationSeconds: 43200 8535 path: istio-token 8536 - name: cacerts 8537 secret: 8538 optional: true 8539 secretName: cacerts 8540 - configMap: 8541 name: istio-sidecar-injector 8542 optional: true 8543 name: inject 8544 - configMap: 8545 name: istio 8546 name: config-volume 8547 8548--- 8549 8550 8551apiVersion: v1 8552kind: ConfigMap 8553metadata: 8554 name: istio-sidecar-injector 8555 namespace: istio-system 8556 labels: 8557 istio.io/rev: default 8558 release: istio 8559data: 8560 8561 values: |- 8562 { 8563 "global": { 8564 "arch": { 8565 "amd64": 2, 8566 "ppc64le": 2, 8567 "s390x": 2 8568 }, 8569 "configNamespace": "istio-system", 8570 "configValidation": true, 8571 "controlPlaneSecurityEnabled": true, 8572 "defaultNodeSelector": {}, 8573 "defaultPodDisruptionBudget": { 8574 "enabled": true 8575 }, 8576 "defaultResources": { 8577 "requests": { 8578 "cpu": "10m" 8579 } 8580 }, 8581 "enableHelmTest": false, 8582 "enableTracing": true, 8583 "enabled": true, 8584 "hub": "gcr.io/istio-testing", 8585 "imagePullPolicy": "", 8586 "imagePullSecrets": [], 8587 "istioNamespace": "istio-system", 8588 "istiod": { 8589 "enableAnalysis": false, 8590 "enabled": true 8591 }, 8592 "jwtPolicy": "third-party-jwt", 8593 "localityLbSetting": { 8594 "enabled": true 8595 }, 8596 "logAsJson": false, 8597 "logging": { 8598 "level": "default:info" 8599 }, 8600 "meshExpansion": { 8601 "enabled": false, 8602 "useILB": false 8603 }, 8604 "meshNetworks": {}, 8605 "mountMtlsCerts": false, 8606 "mtls": { 8607 "auto": true 8608 }, 8609 "multiCluster": { 8610 "clusterName": "", 8611 "enabled": false 8612 }, 8613 "namespace": "istio-system", 8614 "network": "", 8615 "omitSidecarInjectorConfigMap": false, 8616 "oneNamespace": false, 8617 "operatorManageWebhooks": false, 8618 "outboundTrafficPolicy": { 8619 "mode": "ALLOW_ANY" 8620 }, 8621 "pilotCertProvider": "istiod", 8622 "policyCheckFailOpen": false, 8623 "policyNamespace": "istio-system", 8624 "priorityClassName": "", 8625 "prometheusNamespace": "istio-system", 8626 "proxy": { 8627 "autoInject": "enabled", 8628 "clusterDomain": "cluster.local", 8629 "componentLogLevel": "misc:error", 8630 "enableCoreDump": false, 8631 "envoyStatsd": { 8632 "enabled": false 8633 }, 8634 "excludeIPRanges": "", 8635 "excludeInboundPorts": "", 8636 "excludeOutboundPorts": "", 8637 "image": "proxyv2", 8638 "includeIPRanges": "*", 8639 "logLevel": "warning", 8640 "privileged": false, 8641 "readinessFailureThreshold": 30, 8642 "readinessInitialDelaySeconds": 1, 8643 "readinessPeriodSeconds": 2, 8644 "resources": { 8645 "limits": { 8646 "cpu": "2000m", 8647 "memory": "1024Mi" 8648 }, 8649 "requests": { 8650 "cpu": "100m", 8651 "memory": "128Mi" 8652 } 8653 }, 8654 "statusPort": 15020, 8655 "tracer": "zipkin" 8656 }, 8657 "proxy_init": { 8658 "image": "proxyv2", 8659 "resources": { 8660 "limits": { 8661 "cpu": "100m", 8662 "memory": "50Mi" 8663 }, 8664 "requests": { 8665 "cpu": "10m", 8666 "memory": "10Mi" 8667 } 8668 } 8669 }, 8670 "sds": { 8671 "token": { 8672 "aud": "istio-ca" 8673 } 8674 }, 8675 "securityNamespace": "istio-system", 8676 "sts": { 8677 "servicePort": 0 8678 }, 8679 "tag": "latest", 8680 "telemetryNamespace": "istio-system", 8681 "tracer": { 8682 "datadog": { 8683 "address": "$(HOST_IP):8126" 8684 }, 8685 "lightstep": { 8686 "accessToken": "", 8687 "address": "" 8688 }, 8689 "stackdriver": { 8690 "debug": false, 8691 "maxNumberOfAnnotations": 200, 8692 "maxNumberOfAttributes": 200, 8693 "maxNumberOfMessageEvents": 200 8694 }, 8695 "zipkin": { 8696 "address": "" 8697 } 8698 }, 8699 "trustDomain": "cluster.local", 8700 "useMCP": false 8701 }, 8702 "istio_cni": { 8703 "enabled": false 8704 }, 8705 "revision": "", 8706 "sidecarInjectorWebhook": { 8707 "alwaysInjectSelector": [], 8708 "enableNamespacesByDefault": false, 8709 "enabled": false, 8710 "injectLabel": "istio-injection", 8711 "injectedAnnotations": {}, 8712 "namespace": "istio-system", 8713 "neverInjectSelector": [], 8714 "objectSelector": { 8715 "autoInject": true, 8716 "enabled": false 8717 }, 8718 "rewriteAppHTTPProbe": true 8719 } 8720 } 8721 8722 # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching 8723 # and istiod webhook functionality. 8724 # 8725 # New fields should not use Values - it is a 'primary' config object, users should be able 8726 # to fine tune it or use it with kube-inject. 8727 config: |- 8728 policy: enabled 8729 alwaysInjectSelector: 8730 [] 8731 neverInjectSelector: 8732 [] 8733 injectedAnnotations: 8734 8735 template: | 8736 rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} 8737 initContainers: 8738 {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} 8739 {{ if .Values.istio_cni.enabled -}} 8740 - name: istio-validation 8741 {{ else -}} 8742 - name: istio-init 8743 {{ end -}} 8744 {{- if contains "/" .Values.global.proxy_init.image }} 8745 image: "{{ .Values.global.proxy_init.image }}" 8746 {{- else }} 8747 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" 8748 {{- end }} 8749 args: 8750 - istio-iptables 8751 - "-p" 8752 - 15001 8753 - "-z" 8754 - "15006" 8755 - "-u" 8756 - 1337 8757 - "-m" 8758 - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" 8759 - "-i" 8760 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" 8761 - "-x" 8762 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" 8763 - "-b" 8764 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" 8765 - "-d" 8766 - "15090,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" 8767 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} 8768 - "-o" 8769 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" 8770 {{ end -}} 8771 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} 8772 - "-k" 8773 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" 8774 {{ end -}} 8775 {{ if .Values.istio_cni.enabled -}} 8776 - "--run-validation" 8777 - "--skip-rule-apply" 8778 {{ end -}} 8779 imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" 8780 {{- if .Values.global.proxy_init.resources }} 8781 env: 8782 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 8783 - name: {{ $key }} 8784 value: "{{ $value }}" 8785 {{- end }} 8786 resources: 8787 {{ toYaml .Values.global.proxy_init.resources | indent 4 }} 8788 {{- else }} 8789 resources: {} 8790 {{- end }} 8791 securityContext: 8792 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 8793 privileged: {{ .Values.global.proxy.privileged }} 8794 capabilities: 8795 {{- if not .Values.istio_cni.enabled }} 8796 add: 8797 - NET_ADMIN 8798 - NET_RAW 8799 {{- end }} 8800 drop: 8801 - ALL 8802 {{- if not .Values.istio_cni.enabled }} 8803 readOnlyRootFilesystem: false 8804 runAsGroup: 0 8805 runAsNonRoot: false 8806 runAsUser: 0 8807 {{- else }} 8808 readOnlyRootFilesystem: true 8809 runAsGroup: 1337 8810 runAsUser: 1337 8811 runAsNonRoot: true 8812 {{- end }} 8813 restartPolicy: Always 8814 {{ end -}} 8815 {{- if eq .Values.global.proxy.enableCoreDump true }} 8816 - name: enable-core-dump 8817 args: 8818 - -c 8819 - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited 8820 command: 8821 - /bin/sh 8822 {{- if contains "/" .Values.global.proxy_init.image }} 8823 image: "{{ .Values.global.proxy_init.image }}" 8824 {{- else }} 8825 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" 8826 {{- end }} 8827 imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" 8828 resources: {} 8829 securityContext: 8830 allowPrivilegeEscalation: true 8831 capabilities: 8832 add: 8833 - SYS_ADMIN 8834 drop: 8835 - ALL 8836 privileged: true 8837 readOnlyRootFilesystem: false 8838 runAsGroup: 0 8839 runAsNonRoot: false 8840 runAsUser: 0 8841 {{ end }} 8842 containers: 8843 - name: istio-proxy 8844 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 8845 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 8846 {{- else }} 8847 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" 8848 {{- end }} 8849 ports: 8850 - containerPort: 15090 8851 protocol: TCP 8852 name: http-envoy-prom 8853 args: 8854 - proxy 8855 - sidecar 8856 - --domain 8857 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 8858 - --serviceCluster 8859 {{ if ne "" (index .ObjectMeta.Labels "app") -}} 8860 - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" 8861 {{ else -}} 8862 - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" 8863 {{ end -}} 8864 - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} 8865 - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} 8866 {{- if .Values.global.sts.servicePort }} 8867 - --stsPort={{ .Values.global.sts.servicePort }} 8868 {{- end }} 8869 {{- if .Values.global.trustDomain }} 8870 - --trust-domain={{ .Values.global.trustDomain }} 8871 {{- end }} 8872 {{- if .Values.global.logAsJson }} 8873 - --log_as_json 8874 {{- end }} 8875 {{- if gt .ProxyConfig.Concurrency 0 }} 8876 - --concurrency 8877 - "{{ .ProxyConfig.Concurrency }}" 8878 {{- end -}} 8879 {{- if .Values.global.proxy.lifecycle }} 8880 lifecycle: 8881 {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} 8882 {{- end }} 8883 env: 8884 - name: JWT_POLICY 8885 value: {{ .Values.global.jwtPolicy }} 8886 - name: PILOT_CERT_PROVIDER 8887 value: {{ .Values.global.pilotCertProvider }} 8888 # Temp, pending PR to make it default or based on the istiodAddr env 8889 - name: CA_ADDR 8890 {{- if .Values.global.caAddress }} 8891 value: {{ .Values.global.caAddress }} 8892 {{- else }} 8893 value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 8894 {{- end }} 8895 - name: POD_NAME 8896 valueFrom: 8897 fieldRef: 8898 fieldPath: metadata.name 8899 - name: POD_NAMESPACE 8900 valueFrom: 8901 fieldRef: 8902 fieldPath: metadata.namespace 8903 - name: INSTANCE_IP 8904 valueFrom: 8905 fieldRef: 8906 fieldPath: status.podIP 8907 - name: SERVICE_ACCOUNT 8908 valueFrom: 8909 fieldRef: 8910 fieldPath: spec.serviceAccountName 8911 - name: HOST_IP 8912 valueFrom: 8913 fieldRef: 8914 fieldPath: status.hostIP 8915 - name: PROXY_CONFIG 8916 value: | 8917 {{ protoToJSON .ProxyConfig }} 8918 - name: ISTIO_META_POD_PORTS 8919 value: |- 8920 [ 8921 {{- $first := true }} 8922 {{- range $index1, $c := .Spec.Containers }} 8923 {{- range $index2, $p := $c.Ports }} 8924 {{- if (structToJSON $p) }} 8925 {{if not $first}},{{end}}{{ structToJSON $p }} 8926 {{- $first = false }} 8927 {{- end }} 8928 {{- end}} 8929 {{- end}} 8930 ] 8931 - name: ISTIO_META_APP_CONTAINERS 8932 value: |- 8933 [ 8934 {{- range $index, $container := .Spec.Containers }} 8935 {{- if ne $index 0}},{{- end}} 8936 {{ $container.Name }} 8937 {{- end}} 8938 ] 8939 - name: ISTIO_META_CLUSTER_ID 8940 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 8941 - name: ISTIO_META_INTERCEPTION_MODE 8942 value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" 8943 {{- if .Values.global.network }} 8944 - name: ISTIO_META_NETWORK 8945 value: "{{ .Values.global.network }}" 8946 {{- end }} 8947 {{ if .ObjectMeta.Annotations }} 8948 - name: ISTIO_METAJSON_ANNOTATIONS 8949 value: | 8950 {{ toJSON .ObjectMeta.Annotations }} 8951 {{ end }} 8952 {{- if .DeploymentMeta.Name }} 8953 - name: ISTIO_META_WORKLOAD_NAME 8954 value: {{ .DeploymentMeta.Name }} 8955 {{ end }} 8956 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} 8957 - name: ISTIO_META_OWNER 8958 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 8959 {{- end}} 8960 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 8961 - name: ISTIO_BOOTSTRAP_OVERRIDE 8962 value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" 8963 {{- end }} 8964 {{- if .Values.global.meshID }} 8965 - name: ISTIO_META_MESH_ID 8966 value: "{{ .Values.global.meshID }}" 8967 {{- else if .Values.global.trustDomain }} 8968 - name: ISTIO_META_MESH_ID 8969 value: "{{ .Values.global.trustDomain }}" 8970 {{- end }} 8971 {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 8972 {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 8973 - name: {{ $key }} 8974 value: "{{ $value }}" 8975 {{- end }} 8976 {{- end }} 8977 {{- range $key, $value := .ProxyConfig.ProxyMetadata }} 8978 - name: {{ $key }} 8979 value: "{{ $value }}" 8980 {{- end }} 8981 imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" 8982 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} 8983 readinessProbe: 8984 httpGet: 8985 path: /healthz/ready 8986 port: 15090 8987 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} 8988 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} 8989 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} 8990 {{ end -}} 8991 securityContext: 8992 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 8993 capabilities: 8994 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 8995 add: 8996 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} 8997 - NET_ADMIN 8998 {{- end }} 8999 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} 9000 - NET_BIND_SERVICE 9001 {{- end }} 9002 {{- end }} 9003 drop: 9004 - ALL 9005 privileged: {{ .Values.global.proxy.privileged }} 9006 readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} 9007 runAsGroup: 1337 9008 fsGroup: 1337 9009 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 9010 runAsNonRoot: false 9011 runAsUser: 0 9012 {{- else -}} 9013 runAsNonRoot: true 9014 runAsUser: 1337 9015 {{- end }} 9016 resources: 9017 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 9018 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} 9019 requests: 9020 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} 9021 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" 9022 {{ end }} 9023 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} 9024 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" 9025 {{ end }} 9026 {{- end }} 9027 {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} 9028 limits: 9029 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} 9030 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" 9031 {{ end }} 9032 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} 9033 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" 9034 {{ end }} 9035 {{- end }} 9036 {{- else }} 9037 {{- if .Values.global.proxy.resources }} 9038 {{ toYaml .Values.global.proxy.resources | indent 4 }} 9039 {{- end }} 9040 {{- end }} 9041 volumeMounts: 9042 {{- if eq .Values.global.pilotCertProvider "istiod" }} 9043 - mountPath: /var/run/secrets/istio 9044 name: istiod-ca-cert 9045 {{- end }} 9046 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 9047 - mountPath: /etc/istio/custom-bootstrap 9048 name: custom-bootstrap-volume 9049 {{- end }} 9050 # SDS channel between istioagent and Envoy 9051 - mountPath: /etc/istio/proxy 9052 name: istio-envoy 9053 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 9054 - mountPath: /var/run/secrets/tokens 9055 name: istio-token 9056 {{- end }} 9057 {{- if .Values.global.mountMtlsCerts }} 9058 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 9059 - mountPath: /etc/certs/ 9060 name: istio-certs 9061 readOnly: true 9062 {{- end }} 9063 - name: istio-podinfo 9064 mountPath: /etc/istio/pod 9065 {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} 9066 - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} 9067 name: lightstep-certs 9068 readOnly: true 9069 {{- end }} 9070 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} 9071 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} 9072 - name: "{{ $index }}" 9073 {{ toYaml $value | indent 4 }} 9074 {{ end }} 9075 {{- end }} 9076 volumes: 9077 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 9078 - name: custom-bootstrap-volume 9079 configMap: 9080 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} 9081 {{- end }} 9082 # SDS channel between istioagent and Envoy 9083 - emptyDir: 9084 medium: Memory 9085 name: istio-envoy 9086 - name: istio-podinfo 9087 downwardAPI: 9088 items: 9089 - path: "labels" 9090 fieldRef: 9091 fieldPath: metadata.labels 9092 - path: "annotations" 9093 fieldRef: 9094 fieldPath: metadata.annotations 9095 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} 9096 - name: istio-token 9097 projected: 9098 sources: 9099 - serviceAccountToken: 9100 path: istio-token 9101 expirationSeconds: 43200 9102 audience: {{ .Values.global.sds.token.aud }} 9103 {{- end }} 9104 {{- if eq .Values.global.pilotCertProvider "istiod" }} 9105 - name: istiod-ca-cert 9106 configMap: 9107 name: istio-ca-root-cert 9108 {{- end }} 9109 {{- if .Values.global.mountMtlsCerts }} 9110 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 9111 - name: istio-certs 9112 secret: 9113 optional: true 9114 {{ if eq .Spec.ServiceAccountName "" }} 9115 secretName: istio.default 9116 {{ else -}} 9117 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 9118 {{ end -}} 9119 {{- end }} 9120 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} 9121 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} 9122 - name: "{{ $index }}" 9123 {{ toYaml $value | indent 2 }} 9124 {{ end }} 9125 {{ end }} 9126 {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} 9127 - name: lightstep-certs 9128 secret: 9129 optional: true 9130 secretName: lightstep.cacert 9131 {{- end }} 9132 {{- if .Values.global.podDNSSearchNamespaces }} 9133 dnsConfig: 9134 searches: 9135 {{- range .Values.global.podDNSSearchNamespaces }} 9136 - {{ render . }} 9137 {{- end }} 9138 {{- end }} 9139 podRedirectAnnot: 9140 {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} 9141 {{ if isset .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks` }} 9142 k8s.v1.cni.cncf.io/networks: "{{ index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`}}, istio-cni" 9143 {{- else }} 9144 k8s.v1.cni.cncf.io/networks: "istio-cni" 9145 {{- end }} 9146 {{- end }} 9147 sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" 9148 traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" 9149 traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" 9150 traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" 9151 traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" 9152 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} 9153 traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" 9154 {{- end }} 9155 traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" 9156 {{- if .Values.global.imagePullSecrets }} 9157 imagePullSecrets: 9158 {{- range .Values.global.imagePullSecrets }} 9159 - name: {{ . }} 9160 {{- end }} 9161 {{- end }} 9162--- 9163 9164 9165apiVersion: admissionregistration.k8s.io/v1beta1 9166kind: MutatingWebhookConfiguration 9167metadata: 9168 name: istio-sidecar-injector 9169 9170 labels: 9171 istio.io/rev: default 9172 app: sidecar-injector 9173 release: istio 9174webhooks: 9175 - name: sidecar-injector.istio.io 9176 clientConfig: 9177 service: 9178 name: istiod 9179 namespace: istio-system 9180 path: "/inject" 9181 caBundle: "" 9182 rules: 9183 - operations: [ "CREATE" ] 9184 apiGroups: [""] 9185 apiVersions: ["v1"] 9186 resources: ["pods"] 9187 failurePolicy: Fail 9188 namespaceSelector: 9189 matchLabels: 9190 istio-injection: enabled 9191--- 9192 9193 9194apiVersion: policy/v1beta1 9195kind: PodDisruptionBudget 9196metadata: 9197 name: istiod 9198 namespace: istio-system 9199 labels: 9200 app: istiod 9201 istio.io/rev: default 9202 release: istio 9203 istio: pilot 9204spec: 9205 minAvailable: 1 9206 selector: 9207 matchLabels: 9208 app: istiod 9209 istio: pilot 9210--- 9211 9212 9213apiVersion: v1 9214kind: Service 9215metadata: 9216 name: istiod 9217 namespace: istio-system 9218 labels: 9219 istio.io/rev: default 9220 app: istiod 9221 istio: pilot 9222 release: istio 9223spec: 9224 ports: 9225 - port: 15010 9226 name: grpc-xds # plaintext 9227 - port: 15012 9228 name: https-dns # mTLS with k8s-signed cert 9229 - port: 443 9230 name: https-webhook # validation and injection 9231 targetPort: 15017 9232 - port: 15014 9233 name: http-monitoring # prometheus stats 9234 - name: dns 9235 port: 53 9236 targetPort: 15053 9237 protocol: UDP 9238 - name: dns-tls 9239 port: 853 9240 targetPort: 15053 9241 protocol: TCP 9242 selector: 9243 app: istiod 9244 # Label used by the 'default' service. For versioned deployments we match with app and version. 9245 # This avoids default deployment picking the canary 9246 istio: pilot 9247--- 9248 9249 9250apiVersion: networking.istio.io/v1alpha3 9251kind: EnvoyFilter 9252metadata: 9253 name: metadata-exchange-1.4 9254 namespace: istio-system 9255 labels: 9256 istio.io/rev: default 9257spec: 9258 configPatches: 9259 - applyTo: HTTP_FILTER 9260 match: 9261 context: ANY # inbound, outbound, and gateway 9262 proxy: 9263 proxyVersion: '^1\.4.*' 9264 listener: 9265 filterChain: 9266 filter: 9267 name: "envoy.http_connection_manager" 9268 patch: 9269 operation: INSERT_BEFORE 9270 value: 9271 name: envoy.filters.http.wasm 9272 config: 9273 config: 9274 configuration: envoy.wasm.metadata_exchange 9275 vm_config: 9276 runtime: envoy.wasm.runtime.null 9277 code: 9278 inline_string: envoy.wasm.metadata_exchange 9279--- 9280 9281 9282apiVersion: networking.istio.io/v1alpha3 9283kind: EnvoyFilter 9284metadata: 9285 name: stats-filter-1.4 9286 namespace: istio-system 9287 labels: 9288 istio.io/rev: default 9289spec: 9290 configPatches: 9291 - applyTo: HTTP_FILTER 9292 match: 9293 context: SIDECAR_OUTBOUND 9294 proxy: 9295 proxyVersion: '^1\.4.*' 9296 listener: 9297 filterChain: 9298 filter: 9299 name: "envoy.http_connection_manager" 9300 subFilter: 9301 name: "envoy.router" 9302 patch: 9303 operation: INSERT_BEFORE 9304 value: 9305 name: envoy.filters.http.wasm 9306 config: 9307 config: 9308 root_id: stats_outbound 9309 configuration: | 9310 { 9311 "debug": "false", 9312 "stat_prefix": "istio", 9313 } 9314 vm_config: 9315 vm_id: stats_outbound 9316 runtime: envoy.wasm.runtime.null 9317 code: 9318 inline_string: envoy.wasm.stats 9319 - applyTo: HTTP_FILTER 9320 match: 9321 context: SIDECAR_INBOUND 9322 proxy: 9323 proxyVersion: '^1\.4.*' 9324 listener: 9325 filterChain: 9326 filter: 9327 name: "envoy.http_connection_manager" 9328 subFilter: 9329 name: "envoy.router" 9330 patch: 9331 operation: INSERT_BEFORE 9332 value: 9333 name: envoy.filters.http.wasm 9334 config: 9335 config: 9336 root_id: stats_inbound 9337 configuration: | 9338 { 9339 "debug": "false", 9340 "stat_prefix": "istio", 9341 } 9342 vm_config: 9343 vm_id: stats_inbound 9344 runtime: envoy.wasm.runtime.null 9345 code: 9346 inline_string: envoy.wasm.stats 9347 - applyTo: HTTP_FILTER 9348 match: 9349 context: GATEWAY 9350 proxy: 9351 proxyVersion: '^1\.4.*' 9352 listener: 9353 filterChain: 9354 filter: 9355 name: "envoy.http_connection_manager" 9356 subFilter: 9357 name: "envoy.router" 9358 patch: 9359 operation: INSERT_BEFORE 9360 value: 9361 name: envoy.filters.http.wasm 9362 config: 9363 config: 9364 root_id: stats_outbound 9365 configuration: | 9366 { 9367 "debug": "false", 9368 "stat_prefix": "istio", 9369 "disable_host_header_fallback": true, 9370 } 9371 vm_config: 9372 vm_id: stats_outbound 9373 runtime: envoy.wasm.runtime.null 9374 code: 9375 inline_string: envoy.wasm.stats 9376--- 9377 9378 9379apiVersion: networking.istio.io/v1alpha3 9380kind: EnvoyFilter 9381metadata: 9382 name: metadata-exchange-1.5 9383 namespace: istio-system 9384 labels: 9385 istio.io/rev: default 9386spec: 9387 configPatches: 9388 - applyTo: HTTP_FILTER 9389 match: 9390 context: ANY # inbound, outbound, and gateway 9391 proxy: 9392 proxyVersion: '^1\.5.*' 9393 listener: 9394 filterChain: 9395 filter: 9396 name: "envoy.http_connection_manager" 9397 patch: 9398 operation: INSERT_BEFORE 9399 value: 9400 name: envoy.filters.http.wasm 9401 typed_config: 9402 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9403 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 9404 value: 9405 config: 9406 configuration: envoy.wasm.metadata_exchange 9407 vm_config: 9408 runtime: envoy.wasm.runtime.null 9409 code: 9410 local: 9411 inline_string: envoy.wasm.metadata_exchange 9412--- 9413 9414 9415apiVersion: networking.istio.io/v1alpha3 9416kind: EnvoyFilter 9417metadata: 9418 name: tcp-metadata-exchange-1.5 9419 namespace: istio-system 9420 labels: 9421 istio.io/rev: default 9422spec: 9423 configPatches: 9424 - applyTo: NETWORK_FILTER 9425 match: 9426 context: SIDECAR_INBOUND 9427 proxy: 9428 proxyVersion: '^1\.5.*' 9429 listener: {} 9430 patch: 9431 operation: INSERT_BEFORE 9432 value: 9433 name: envoy.filters.network.metadata_exchange 9434 config: 9435 protocol: istio-peer-exchange 9436 - applyTo: CLUSTER 9437 match: 9438 context: SIDECAR_OUTBOUND 9439 proxy: 9440 proxyVersion: '^1\.5.*' 9441 cluster: {} 9442 patch: 9443 operation: MERGE 9444 value: 9445 filters: 9446 - name: envoy.filters.network.upstream.metadata_exchange 9447 typed_config: 9448 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9449 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 9450 value: 9451 protocol: istio-peer-exchange 9452 - applyTo: CLUSTER 9453 match: 9454 context: GATEWAY 9455 proxy: 9456 proxyVersion: '^1\.5.*' 9457 cluster: {} 9458 patch: 9459 operation: MERGE 9460 value: 9461 filters: 9462 - name: envoy.filters.network.upstream.metadata_exchange 9463 typed_config: 9464 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9465 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 9466 value: 9467 protocol: istio-peer-exchange 9468--- 9469 9470 9471apiVersion: networking.istio.io/v1alpha3 9472kind: EnvoyFilter 9473metadata: 9474 name: stats-filter-1.5 9475 namespace: istio-system 9476 labels: 9477 istio.io/rev: default 9478spec: 9479 configPatches: 9480 - applyTo: HTTP_FILTER 9481 match: 9482 context: SIDECAR_OUTBOUND 9483 proxy: 9484 proxyVersion: '^1\.5.*' 9485 listener: 9486 filterChain: 9487 filter: 9488 name: "envoy.http_connection_manager" 9489 subFilter: 9490 name: "envoy.router" 9491 patch: 9492 operation: INSERT_BEFORE 9493 value: 9494 name: envoy.filters.http.wasm 9495 typed_config: 9496 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9497 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 9498 value: 9499 config: 9500 root_id: stats_outbound 9501 configuration: | 9502 { 9503 "debug": "false", 9504 "stat_prefix": "istio", 9505 } 9506 vm_config: 9507 vm_id: stats_outbound 9508 runtime: envoy.wasm.runtime.null 9509 code: 9510 local: 9511 inline_string: envoy.wasm.stats 9512 - applyTo: HTTP_FILTER 9513 match: 9514 context: SIDECAR_INBOUND 9515 proxy: 9516 proxyVersion: '^1\.5.*' 9517 listener: 9518 filterChain: 9519 filter: 9520 name: "envoy.http_connection_manager" 9521 subFilter: 9522 name: "envoy.router" 9523 patch: 9524 operation: INSERT_BEFORE 9525 value: 9526 name: envoy.filters.http.wasm 9527 typed_config: 9528 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9529 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 9530 value: 9531 config: 9532 root_id: stats_inbound 9533 configuration: | 9534 { 9535 "debug": "false", 9536 "stat_prefix": "istio", 9537 } 9538 vm_config: 9539 vm_id: stats_inbound 9540 runtime: envoy.wasm.runtime.null 9541 code: 9542 local: 9543 inline_string: envoy.wasm.stats 9544 - applyTo: HTTP_FILTER 9545 match: 9546 context: GATEWAY 9547 proxy: 9548 proxyVersion: '^1\.5.*' 9549 listener: 9550 filterChain: 9551 filter: 9552 name: "envoy.http_connection_manager" 9553 subFilter: 9554 name: "envoy.router" 9555 patch: 9556 operation: INSERT_BEFORE 9557 value: 9558 name: envoy.filters.http.wasm 9559 typed_config: 9560 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9561 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 9562 value: 9563 config: 9564 root_id: stats_outbound 9565 configuration: | 9566 { 9567 "debug": "false", 9568 "stat_prefix": "istio", 9569 "disable_host_header_fallback": true, 9570 } 9571 vm_config: 9572 vm_id: stats_outbound 9573 runtime: envoy.wasm.runtime.null 9574 code: 9575 local: 9576 inline_string: envoy.wasm.stats 9577--- 9578 9579 9580apiVersion: networking.istio.io/v1alpha3 9581kind: EnvoyFilter 9582metadata: 9583 name: tcp-stats-filter-1.5 9584 namespace: istio-system 9585 labels: 9586 istio.io/rev: default 9587spec: 9588 configPatches: 9589 - applyTo: NETWORK_FILTER 9590 match: 9591 context: SIDECAR_INBOUND 9592 proxy: 9593 proxyVersion: '^1\.5.*' 9594 listener: 9595 filterChain: 9596 filter: 9597 name: "envoy.tcp_proxy" 9598 patch: 9599 operation: INSERT_BEFORE 9600 value: 9601 name: envoy.filters.network.wasm 9602 typed_config: 9603 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9604 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 9605 value: 9606 config: 9607 root_id: stats_inbound 9608 configuration: | 9609 { 9610 "debug": "false", 9611 "stat_prefix": "istio", 9612 } 9613 vm_config: 9614 vm_id: stats_inbound 9615 runtime: envoy.wasm.runtime.null 9616 code: 9617 local: 9618 inline_string: "envoy.wasm.stats" 9619 - applyTo: NETWORK_FILTER 9620 match: 9621 context: SIDECAR_OUTBOUND 9622 proxy: 9623 proxyVersion: '^1\.5.*' 9624 listener: 9625 filterChain: 9626 filter: 9627 name: "envoy.tcp_proxy" 9628 patch: 9629 operation: INSERT_BEFORE 9630 value: 9631 name: envoy.filters.network.wasm 9632 typed_config: 9633 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9634 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 9635 value: 9636 config: 9637 root_id: stats_outbound 9638 configuration: | 9639 { 9640 "debug": "false", 9641 "stat_prefix": "istio", 9642 } 9643 vm_config: 9644 vm_id: stats_outbound 9645 runtime: envoy.wasm.runtime.null 9646 code: 9647 local: 9648 inline_string: "envoy.wasm.stats" 9649 - applyTo: NETWORK_FILTER 9650 match: 9651 context: GATEWAY 9652 proxy: 9653 proxyVersion: '^1\.5.*' 9654 listener: 9655 filterChain: 9656 filter: 9657 name: "envoy.tcp_proxy" 9658 patch: 9659 operation: INSERT_BEFORE 9660 value: 9661 name: envoy.filters.network.wasm 9662 typed_config: 9663 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9664 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 9665 value: 9666 config: 9667 root_id: stats_outbound 9668 configuration: | 9669 { 9670 "debug": "false", 9671 "stat_prefix": "istio", 9672 } 9673 vm_config: 9674 vm_id: stats_outbound 9675 runtime: envoy.wasm.runtime.null 9676 code: 9677 local: 9678 inline_string: "envoy.wasm.stats" 9679--- 9680 9681 9682apiVersion: networking.istio.io/v1alpha3 9683kind: EnvoyFilter 9684metadata: 9685 name: metadata-exchange-1.6 9686 namespace: istio-system 9687 labels: 9688 istio.io/rev: default 9689spec: 9690 configPatches: 9691 - applyTo: HTTP_FILTER 9692 match: 9693 context: ANY # inbound, outbound, and gateway 9694 proxy: 9695 proxyVersion: '^1\.6.*' 9696 listener: 9697 filterChain: 9698 filter: 9699 name: "envoy.http_connection_manager" 9700 patch: 9701 operation: INSERT_BEFORE 9702 value: 9703 name: istio.metadata_exchange 9704 typed_config: 9705 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9706 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 9707 value: 9708 config: 9709 configuration: envoy.wasm.metadata_exchange 9710 vm_config: 9711 runtime: envoy.wasm.runtime.null 9712 code: 9713 local: 9714 inline_string: envoy.wasm.metadata_exchange 9715--- 9716 9717 9718apiVersion: networking.istio.io/v1alpha3 9719kind: EnvoyFilter 9720metadata: 9721 name: tcp-metadata-exchange-1.6 9722 namespace: istio-system 9723 labels: 9724 istio.io/rev: default 9725spec: 9726 configPatches: 9727 - applyTo: NETWORK_FILTER 9728 match: 9729 context: SIDECAR_INBOUND 9730 proxy: 9731 proxyVersion: '^1\.6.*' 9732 listener: {} 9733 patch: 9734 operation: INSERT_BEFORE 9735 value: 9736 name: istio.metadata_exchange 9737 typed_config: 9738 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9739 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 9740 value: 9741 protocol: istio-peer-exchange 9742 - applyTo: CLUSTER 9743 match: 9744 context: SIDECAR_OUTBOUND 9745 proxy: 9746 proxyVersion: '^1\.6.*' 9747 cluster: {} 9748 patch: 9749 operation: MERGE 9750 value: 9751 filters: 9752 - name: istio.metadata_exchange 9753 typed_config: 9754 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9755 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 9756 value: 9757 protocol: istio-peer-exchange 9758 - applyTo: CLUSTER 9759 match: 9760 context: GATEWAY 9761 proxy: 9762 proxyVersion: '^1\.6.*' 9763 cluster: {} 9764 patch: 9765 operation: MERGE 9766 value: 9767 filters: 9768 - name: istio.metadata_exchange 9769 typed_config: 9770 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9771 type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange 9772 value: 9773 protocol: istio-peer-exchange 9774--- 9775 9776 9777apiVersion: networking.istio.io/v1alpha3 9778kind: EnvoyFilter 9779metadata: 9780 name: stats-filter-1.6 9781 namespace: istio-system 9782 labels: 9783 istio.io/rev: default 9784spec: 9785 configPatches: 9786 - applyTo: HTTP_FILTER 9787 match: 9788 context: SIDECAR_OUTBOUND 9789 proxy: 9790 proxyVersion: '^1\.6.*' 9791 listener: 9792 filterChain: 9793 filter: 9794 name: "envoy.http_connection_manager" 9795 subFilter: 9796 name: "envoy.router" 9797 patch: 9798 operation: INSERT_BEFORE 9799 value: 9800 name: istio.stats 9801 typed_config: 9802 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9803 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 9804 value: 9805 config: 9806 root_id: stats_outbound 9807 configuration: | 9808 { 9809 "debug": "false", 9810 "stat_prefix": "istio", 9811 } 9812 vm_config: 9813 vm_id: stats_outbound 9814 runtime: envoy.wasm.runtime.null 9815 code: 9816 local: 9817 inline_string: envoy.wasm.stats 9818 - applyTo: HTTP_FILTER 9819 match: 9820 context: SIDECAR_INBOUND 9821 proxy: 9822 proxyVersion: '^1\.6.*' 9823 listener: 9824 filterChain: 9825 filter: 9826 name: "envoy.http_connection_manager" 9827 subFilter: 9828 name: "envoy.router" 9829 patch: 9830 operation: INSERT_BEFORE 9831 value: 9832 name: istio.stats 9833 typed_config: 9834 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9835 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 9836 value: 9837 config: 9838 root_id: stats_inbound 9839 configuration: | 9840 { 9841 "debug": "false", 9842 "stat_prefix": "istio", 9843 } 9844 vm_config: 9845 vm_id: stats_inbound 9846 runtime: envoy.wasm.runtime.null 9847 code: 9848 local: 9849 inline_string: envoy.wasm.stats 9850 - applyTo: HTTP_FILTER 9851 match: 9852 context: GATEWAY 9853 proxy: 9854 proxyVersion: '^1\.6.*' 9855 listener: 9856 filterChain: 9857 filter: 9858 name: "envoy.http_connection_manager" 9859 subFilter: 9860 name: "envoy.router" 9861 patch: 9862 operation: INSERT_BEFORE 9863 value: 9864 name: istio.stats 9865 typed_config: 9866 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9867 type_url: type.googleapis.com/envoy.config.filter.http.wasm.v2.Wasm 9868 value: 9869 config: 9870 root_id: stats_outbound 9871 configuration: | 9872 { 9873 "debug": "false", 9874 "stat_prefix": "istio", 9875 "disable_host_header_fallback": true, 9876 } 9877 vm_config: 9878 vm_id: stats_outbound 9879 runtime: envoy.wasm.runtime.null 9880 code: 9881 local: 9882 inline_string: envoy.wasm.stats 9883--- 9884 9885 9886apiVersion: networking.istio.io/v1alpha3 9887kind: EnvoyFilter 9888metadata: 9889 name: tcp-stats-filter-1.6 9890 namespace: istio-system 9891 labels: 9892 istio.io/rev: default 9893spec: 9894 configPatches: 9895 - applyTo: NETWORK_FILTER 9896 match: 9897 context: SIDECAR_INBOUND 9898 proxy: 9899 proxyVersion: '^1\.6.*' 9900 listener: 9901 filterChain: 9902 filter: 9903 name: "envoy.tcp_proxy" 9904 patch: 9905 operation: INSERT_BEFORE 9906 value: 9907 name: istio.stats 9908 typed_config: 9909 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9910 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 9911 value: 9912 config: 9913 root_id: stats_inbound 9914 configuration: | 9915 { 9916 "debug": "false", 9917 "stat_prefix": "istio", 9918 } 9919 vm_config: 9920 vm_id: stats_inbound 9921 runtime: envoy.wasm.runtime.null 9922 code: 9923 local: 9924 inline_string: "envoy.wasm.stats" 9925 - applyTo: NETWORK_FILTER 9926 match: 9927 context: SIDECAR_OUTBOUND 9928 proxy: 9929 proxyVersion: '^1\.6.*' 9930 listener: 9931 filterChain: 9932 filter: 9933 name: "envoy.tcp_proxy" 9934 patch: 9935 operation: INSERT_BEFORE 9936 value: 9937 name: istio.stats 9938 typed_config: 9939 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9940 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 9941 value: 9942 config: 9943 root_id: stats_outbound 9944 configuration: | 9945 { 9946 "debug": "false", 9947 "stat_prefix": "istio", 9948 } 9949 vm_config: 9950 vm_id: stats_outbound 9951 runtime: envoy.wasm.runtime.null 9952 code: 9953 local: 9954 inline_string: "envoy.wasm.stats" 9955 - applyTo: NETWORK_FILTER 9956 match: 9957 context: GATEWAY 9958 proxy: 9959 proxyVersion: '^1\.6.*' 9960 listener: 9961 filterChain: 9962 filter: 9963 name: "envoy.tcp_proxy" 9964 patch: 9965 operation: INSERT_BEFORE 9966 value: 9967 name: istio.stats 9968 typed_config: 9969 "@type": type.googleapis.com/udpa.type.v1.TypedStruct 9970 type_url: type.googleapis.com/envoy.config.filter.network.wasm.v2.Wasm 9971 value: 9972 config: 9973 root_id: stats_outbound 9974 configuration: | 9975 { 9976 "debug": "false", 9977 "stat_prefix": "istio", 9978 } 9979 vm_config: 9980 vm_id: stats_outbound 9981 runtime: envoy.wasm.runtime.null 9982 code: 9983 local: 9984 inline_string: "envoy.wasm.stats" 9985--- 9986 9987# Resources for Policy component 9988 9989apiVersion: autoscaling/v2beta1 9990kind: HorizontalPodAutoscaler 9991metadata: 9992 labels: 9993 app: mixer 9994 release: istio 9995 name: istio-policy 9996 namespace: istio-system 9997spec: 9998 maxReplicas: 5 9999 metrics: 10000 - resource: 10001 name: cpu 10002 targetAverageUtilization: 80 10003 type: Resource 10004 minReplicas: 1 10005 scaleTargetRef: 10006 apiVersion: apps/v1 10007 kind: Deployment 10008 name: istio-policy 10009 10010--- 10011 10012 10013apiVersion: rbac.authorization.k8s.io/v1 10014kind: ClusterRole 10015metadata: 10016 name: istio-policy 10017 labels: 10018 release: istio 10019 app: istio-policy 10020rules: 10021- apiGroups: ["config.istio.io"] # istio CRD watcher 10022 resources: ["*"] 10023 verbs: ["create", "get", "list", "watch", "patch"] 10024- apiGroups: ["apiextensions.k8s.io"] 10025 resources: ["customresourcedefinitions"] 10026 verbs: ["get", "list", "watch"] 10027- apiGroups: [""] 10028 resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] 10029 verbs: ["get", "list", "watch"] 10030- apiGroups: ["extensions", "apps"] 10031 resources: ["replicasets"] 10032 verbs: ["get", "list", "watch"] 10033--- 10034 10035 10036apiVersion: rbac.authorization.k8s.io/v1 10037kind: ClusterRoleBinding 10038metadata: 10039 name: istio-policy-admin-role-binding-istio-system 10040 labels: 10041 app: istio-policy 10042 release: istio 10043roleRef: 10044 apiGroup: rbac.authorization.k8s.io 10045 kind: ClusterRole 10046 name: istio-policy 10047subjects: 10048 - kind: ServiceAccount 10049 name: istio-policy-service-account 10050 namespace: istio-system 10051--- 10052 10053 10054apiVersion: networking.istio.io/v1alpha3 10055kind: DestinationRule 10056metadata: 10057 name: istio-policy 10058 namespace: istio-system 10059 labels: 10060 app: istio-policy 10061 release: istio 10062spec: 10063 host: istio-policy.istio-system.svc.cluster.local 10064 trafficPolicy: 10065 portLevelSettings: 10066 - port: 10067 number: 15004 # grpc-mixer-mtls 10068 tls: 10069 mode: ISTIO_MUTUAL 10070 - port: 10071 number: 9091 # grpc-mixer 10072 tls: 10073 mode: DISABLE 10074 connectionPool: 10075 http: 10076 http2MaxRequests: 10000 10077 maxRequestsPerConnection: 10000 10078--- 10079 10080 10081apiVersion: apps/v1 10082kind: Deployment 10083metadata: 10084 labels: 10085 app: istio-policy 10086 istio: mixer 10087 release: istio 10088 name: istio-policy 10089 namespace: istio-system 10090spec: 10091 selector: 10092 matchLabels: 10093 istio: mixer 10094 istio-mixer-type: policy 10095 strategy: 10096 rollingUpdate: 10097 maxSurge: 100% 10098 maxUnavailable: 25% 10099 template: 10100 metadata: 10101 annotations: 10102 sidecar.istio.io/inject: "false" 10103 labels: 10104 app: policy 10105 istio: mixer 10106 istio-mixer-type: policy 10107 spec: 10108 affinity: 10109 nodeAffinity: 10110 preferredDuringSchedulingIgnoredDuringExecution: 10111 - preference: 10112 matchExpressions: 10113 - key: beta.kubernetes.io/arch 10114 operator: In 10115 values: 10116 - amd64 10117 weight: 2 10118 - preference: 10119 matchExpressions: 10120 - key: beta.kubernetes.io/arch 10121 operator: In 10122 values: 10123 - ppc64le 10124 weight: 2 10125 - preference: 10126 matchExpressions: 10127 - key: beta.kubernetes.io/arch 10128 operator: In 10129 values: 10130 - s390x 10131 weight: 2 10132 requiredDuringSchedulingIgnoredDuringExecution: 10133 nodeSelectorTerms: 10134 - matchExpressions: 10135 - key: beta.kubernetes.io/arch 10136 operator: In 10137 values: 10138 - amd64 10139 - ppc64le 10140 - s390x 10141 containers: 10142 - args: 10143 - --monitoringPort=15014 10144 - --address 10145 - unix:///sock/mixer.socket 10146 - --log_output_level=default:info 10147 - --configStoreURL=k8s:// 10148 - --configDefaultNamespace=istio-system 10149 - --useAdapterCRDs=false 10150 - --useTemplateCRDs=false 10151 - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans 10152 env: 10153 - name: POD_NAMESPACE 10154 valueFrom: 10155 fieldRef: 10156 apiVersion: v1 10157 fieldPath: metadata.namespace 10158 image: gcr.io/istio-testing/mixer:latest 10159 livenessProbe: 10160 httpGet: 10161 path: /version 10162 port: 15014 10163 initialDelaySeconds: 5 10164 periodSeconds: 5 10165 name: mixer 10166 ports: 10167 - containerPort: 9091 10168 - containerPort: 15014 10169 - containerPort: 42422 10170 resources: 10171 requests: 10172 cpu: 10m 10173 securityContext: 10174 capabilities: 10175 drop: 10176 - ALL 10177 runAsGroup: 1337 10178 runAsNonRoot: true 10179 runAsUser: 1337 10180 volumeMounts: 10181 - mountPath: /sock 10182 name: uds-socket 10183 - mountPath: /var/run/secrets/istio.io/policy/adapter 10184 name: policy-adapter-secret 10185 readOnly: true 10186 - args: 10187 - proxy 10188 - --domain 10189 - $(POD_NAMESPACE).svc.cluster.local 10190 - --serviceCluster 10191 - istio-policy 10192 - --templateFile 10193 - /var/lib/istio/envoy/envoy_policy.yaml.tmpl 10194 - --controlPlaneAuthPolicy 10195 - MUTUAL_TLS 10196 - --trust-domain=cluster.local 10197 env: 10198 - name: POD_NAME 10199 valueFrom: 10200 fieldRef: 10201 apiVersion: v1 10202 fieldPath: metadata.name 10203 - name: POD_NAMESPACE 10204 valueFrom: 10205 fieldRef: 10206 apiVersion: v1 10207 fieldPath: metadata.namespace 10208 - name: INSTANCE_IP 10209 valueFrom: 10210 fieldRef: 10211 apiVersion: v1 10212 fieldPath: status.podIP 10213 - name: JWT_POLICY 10214 value: third-party-jwt 10215 - name: PILOT_CERT_PROVIDER 10216 value: istiod 10217 - name: ISTIO_META_USER_SDS 10218 value: "true" 10219 - name: CA_ADDR 10220 value: istiod.istio-system.svc:15012 10221 image: gcr.io/istio-testing/proxyv2:latest 10222 name: istio-proxy 10223 ports: 10224 - containerPort: 15004 10225 - containerPort: 15090 10226 name: http-envoy-prom 10227 protocol: TCP 10228 resources: 10229 limits: 10230 cpu: 2000m 10231 memory: 1024Mi 10232 requests: 10233 cpu: 100m 10234 memory: 128Mi 10235 volumeMounts: 10236 - mountPath: /etc/istio/config 10237 name: config-volume 10238 - mountPath: /var/run/secrets/istio 10239 name: istiod-ca-cert 10240 - mountPath: /var/run/secrets/tokens 10241 name: istio-token 10242 readOnly: true 10243 - mountPath: /sock 10244 name: uds-socket 10245 securityContext: 10246 fsGroup: 1337 10247 serviceAccountName: istio-policy-service-account 10248 volumes: 10249 - configMap: 10250 name: istio 10251 optional: true 10252 name: config-volume 10253 - configMap: 10254 name: istio-ca-root-cert 10255 name: istiod-ca-cert 10256 - name: istio-token 10257 projected: 10258 sources: 10259 - serviceAccountToken: 10260 audience: istio-ca 10261 expirationSeconds: 43200 10262 path: istio-token 10263 - name: istio-certs 10264 secret: 10265 optional: true 10266 secretName: istio.istio-policy-service-account 10267 - emptyDir: {} 10268 name: uds-socket 10269 - name: policy-adapter-secret 10270 secret: 10271 optional: true 10272 secretName: policy-adapter-secret 10273 10274--- 10275 10276 10277apiVersion: policy/v1beta1 10278kind: PodDisruptionBudget 10279metadata: 10280 name: istio-policy 10281 namespace: istio-system 10282 labels: 10283 app: policy 10284 release: istio 10285 istio: mixer 10286 istio-mixer-type: policy 10287spec: 10288 minAvailable: 1 10289 selector: 10290 matchLabels: 10291 app: policy 10292 istio: mixer 10293 istio-mixer-type: policy 10294--- 10295 10296 10297apiVersion: v1 10298kind: Service 10299metadata: 10300 name: istio-policy 10301 namespace: istio-system 10302 labels: 10303 app: mixer 10304 istio: mixer 10305 release: istio 10306spec: 10307 ports: 10308 - name: grpc-mixer 10309 port: 9091 10310 - name: grpc-mixer-mtls 10311 port: 15004 10312 - name: http-policy-monitoring 10313 port: 15014 10314 selector: 10315 istio: mixer 10316 istio-mixer-type: policy 10317--- 10318 10319 10320apiVersion: v1 10321kind: ServiceAccount 10322metadata: 10323 name: istio-policy-service-account 10324 namespace: istio-system 10325 labels: 10326 app: istio-policy 10327 release: istio 10328--- 10329 10330# Resources for Telemetry component 10331 10332apiVersion: autoscaling/v2beta1 10333kind: HorizontalPodAutoscaler 10334metadata: 10335 labels: 10336 app: mixer 10337 release: istio 10338 name: istio-telemetry 10339 namespace: istio-system 10340spec: 10341 maxReplicas: 5 10342 metrics: 10343 - resource: 10344 name: cpu 10345 targetAverageUtilization: 80 10346 type: Resource 10347 minReplicas: 1 10348 scaleTargetRef: 10349 apiVersion: apps/v1 10350 kind: Deployment 10351 name: istio-telemetry 10352 10353--- 10354 10355 10356apiVersion: rbac.authorization.k8s.io/v1 10357kind: ClusterRole 10358metadata: 10359 name: istio-mixer-istio-system 10360 labels: 10361 app: istio-telemetry 10362 release: istio 10363rules: 10364- apiGroups: ["config.istio.io"] # istio CRD watcher 10365 resources: ["*"] 10366 verbs: ["create", "get", "list", "watch", "patch"] 10367- apiGroups: ["apiextensions.k8s.io"] 10368 resources: ["customresourcedefinitions"] 10369 verbs: ["get", "list", "watch"] 10370- apiGroups: [""] 10371 resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] 10372 verbs: ["get", "list", "watch"] 10373- apiGroups: ["extensions", "apps"] 10374 resources: ["replicasets"] 10375 verbs: ["get", "list", "watch"] 10376--- 10377 10378 10379apiVersion: rbac.authorization.k8s.io/v1 10380kind: ClusterRoleBinding 10381metadata: 10382 name: istio-mixer-admin-role-binding-istio-system 10383 labels: 10384 app: istio-telemetry 10385 release: istio 10386roleRef: 10387 apiGroup: rbac.authorization.k8s.io 10388 kind: ClusterRole 10389 name: istio-mixer-istio-system 10390subjects: 10391 - kind: ServiceAccount 10392 name: istio-mixer-service-account 10393 namespace: istio-system 10394--- 10395 10396 10397apiVersion: "config.istio.io/v1alpha2" 10398kind: attributemanifest 10399metadata: 10400 name: istioproxy 10401 namespace: istio-system 10402 labels: 10403 app: istio-telemetry 10404 release: istio 10405spec: 10406 attributes: 10407 origin.ip: 10408 valueType: IP_ADDRESS 10409 origin.uid: 10410 valueType: STRING 10411 origin.user: 10412 valueType: STRING 10413 request.headers: 10414 valueType: STRING_MAP 10415 request.id: 10416 valueType: STRING 10417 request.host: 10418 valueType: STRING 10419 request.method: 10420 valueType: STRING 10421 request.path: 10422 valueType: STRING 10423 request.url_path: 10424 valueType: STRING 10425 request.query_params: 10426 valueType: STRING_MAP 10427 request.reason: 10428 valueType: STRING 10429 request.referer: 10430 valueType: STRING 10431 request.scheme: 10432 valueType: STRING 10433 request.total_size: 10434 valueType: INT64 10435 request.size: 10436 valueType: INT64 10437 request.time: 10438 valueType: TIMESTAMP 10439 request.useragent: 10440 valueType: STRING 10441 response.code: 10442 valueType: INT64 10443 response.duration: 10444 valueType: DURATION 10445 response.headers: 10446 valueType: STRING_MAP 10447 response.total_size: 10448 valueType: INT64 10449 response.size: 10450 valueType: INT64 10451 response.time: 10452 valueType: TIMESTAMP 10453 response.grpc_status: 10454 valueType: STRING 10455 response.grpc_message: 10456 valueType: STRING 10457 source.uid: 10458 valueType: STRING 10459 source.user: # DEPRECATED 10460 valueType: STRING 10461 source.principal: 10462 valueType: STRING 10463 destination.uid: 10464 valueType: STRING 10465 destination.principal: 10466 valueType: STRING 10467 destination.port: 10468 valueType: INT64 10469 connection.event: 10470 valueType: STRING 10471 connection.id: 10472 valueType: STRING 10473 connection.received.bytes: 10474 valueType: INT64 10475 connection.received.bytes_total: 10476 valueType: INT64 10477 connection.sent.bytes: 10478 valueType: INT64 10479 connection.sent.bytes_total: 10480 valueType: INT64 10481 connection.duration: 10482 valueType: DURATION 10483 connection.mtls: 10484 valueType: BOOL 10485 connection.requested_server_name: 10486 valueType: STRING 10487 context.protocol: 10488 valueType: STRING 10489 context.proxy_error_code: 10490 valueType: STRING 10491 context.timestamp: 10492 valueType: TIMESTAMP 10493 context.time: 10494 valueType: TIMESTAMP 10495 # Deprecated, kept for compatibility 10496 context.reporter.local: 10497 valueType: BOOL 10498 context.reporter.kind: 10499 valueType: STRING 10500 context.reporter.uid: 10501 valueType: STRING 10502 context.proxy_version: 10503 valueType: STRING 10504 api.service: 10505 valueType: STRING 10506 api.version: 10507 valueType: STRING 10508 api.operation: 10509 valueType: STRING 10510 api.protocol: 10511 valueType: STRING 10512 request.auth.principal: 10513 valueType: STRING 10514 request.auth.audiences: 10515 valueType: STRING 10516 request.auth.presenter: 10517 valueType: STRING 10518 request.auth.claims: 10519 valueType: STRING_MAP 10520 request.auth.raw_claims: 10521 valueType: STRING 10522 request.api_key: 10523 valueType: STRING 10524 rbac.permissive.response_code: 10525 valueType: STRING 10526 rbac.permissive.effective_policy_id: 10527 valueType: STRING 10528 check.error_code: 10529 valueType: INT64 10530 check.error_message: 10531 valueType: STRING 10532 check.cache_hit: 10533 valueType: BOOL 10534 quota.cache_hit: 10535 valueType: BOOL 10536--- 10537 10538 10539apiVersion: "config.istio.io/v1alpha2" 10540kind: attributemanifest 10541metadata: 10542 name: kubernetes 10543 namespace: istio-system 10544 labels: 10545 app: istio-telemetry 10546 release: istio 10547spec: 10548 attributes: 10549 source.ip: 10550 valueType: IP_ADDRESS 10551 source.labels: 10552 valueType: STRING_MAP 10553 source.metadata: 10554 valueType: STRING_MAP 10555 source.name: 10556 valueType: STRING 10557 source.namespace: 10558 valueType: STRING 10559 source.owner: 10560 valueType: STRING 10561 source.serviceAccount: 10562 valueType: STRING 10563 source.services: 10564 valueType: STRING 10565 source.workload.uid: 10566 valueType: STRING 10567 source.workload.name: 10568 valueType: STRING 10569 source.workload.namespace: 10570 valueType: STRING 10571 destination.ip: 10572 valueType: IP_ADDRESS 10573 destination.labels: 10574 valueType: STRING_MAP 10575 destination.metadata: 10576 valueType: STRING_MAP 10577 destination.owner: 10578 valueType: STRING 10579 destination.name: 10580 valueType: STRING 10581 destination.container.name: 10582 valueType: STRING 10583 destination.namespace: 10584 valueType: STRING 10585 destination.service.uid: 10586 valueType: STRING 10587 destination.service.name: 10588 valueType: STRING 10589 destination.service.namespace: 10590 valueType: STRING 10591 destination.service.host: 10592 valueType: STRING 10593 destination.serviceAccount: 10594 valueType: STRING 10595 destination.workload.uid: 10596 valueType: STRING 10597 destination.workload.name: 10598 valueType: STRING 10599 destination.workload.namespace: 10600 valueType: STRING 10601--- 10602 10603 10604apiVersion: "config.istio.io/v1alpha2" 10605kind: instance 10606metadata: 10607 name: requestcount 10608 namespace: istio-system 10609 labels: 10610 app: istio-telemetry 10611 release: istio 10612spec: 10613 compiledTemplate: metric 10614 params: 10615 value: "1" 10616 dimensions: 10617 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 10618 source_workload: source.workload.name | "unknown" 10619 source_workload_namespace: source.workload.namespace | "unknown" 10620 source_principal: source.principal | "unknown" 10621 source_app: source.labels["app"] | "unknown" 10622 source_version: source.labels["version"] | "unknown" 10623 destination_workload: destination.workload.name | "unknown" 10624 destination_workload_namespace: destination.workload.namespace | "unknown" 10625 destination_principal: destination.principal | "unknown" 10626 destination_app: destination.labels["app"] | "unknown" 10627 destination_version: destination.labels["version"] | "unknown" 10628 destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) 10629 destination_service_name: destination.service.name | "unknown" 10630 destination_service_namespace: destination.service.namespace | "unknown" 10631 request_protocol: api.protocol | context.protocol | "unknown" 10632 response_code: response.code | 200 10633 grpc_response_status: response.grpc_status | "" 10634 response_flags: context.proxy_error_code | "-" 10635 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 10636 monitored_resource_type: '"UNSPECIFIED"' 10637--- 10638 10639 10640apiVersion: "config.istio.io/v1alpha2" 10641kind: instance 10642metadata: 10643 name: requestduration 10644 namespace: istio-system 10645 labels: 10646 app: istio-telemetry 10647 release: istio 10648spec: 10649 compiledTemplate: metric 10650 params: 10651 value: response.duration | "0ms" 10652 dimensions: 10653 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 10654 source_workload: source.workload.name | "unknown" 10655 source_workload_namespace: source.workload.namespace | "unknown" 10656 source_principal: source.principal | "unknown" 10657 source_app: source.labels["app"] | "unknown" 10658 source_version: source.labels["version"] | "unknown" 10659 destination_workload: destination.workload.name | "unknown" 10660 destination_workload_namespace: destination.workload.namespace | "unknown" 10661 destination_principal: destination.principal | "unknown" 10662 destination_app: destination.labels["app"] | "unknown" 10663 destination_version: destination.labels["version"] | "unknown" 10664 destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) 10665 destination_service_name: destination.service.name | "unknown" 10666 destination_service_namespace: destination.service.namespace | "unknown" 10667 request_protocol: api.protocol | context.protocol | "unknown" 10668 response_code: response.code | 200 10669 grpc_response_status: response.grpc_status | "" 10670 response_flags: context.proxy_error_code | "-" 10671 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 10672 monitored_resource_type: '"UNSPECIFIED"' 10673--- 10674 10675 10676apiVersion: "config.istio.io/v1alpha2" 10677kind: instance 10678metadata: 10679 name: requestsize 10680 namespace: istio-system 10681 labels: 10682 app: istio-telemetry 10683 release: istio 10684spec: 10685 compiledTemplate: metric 10686 params: 10687 value: request.size | 0 10688 dimensions: 10689 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 10690 source_workload: source.workload.name | "unknown" 10691 source_workload_namespace: source.workload.namespace | "unknown" 10692 source_principal: source.principal | "unknown" 10693 source_app: source.labels["app"] | "unknown" 10694 source_version: source.labels["version"] | "unknown" 10695 destination_workload: destination.workload.name | "unknown" 10696 destination_workload_namespace: destination.workload.namespace | "unknown" 10697 destination_principal: destination.principal | "unknown" 10698 destination_app: destination.labels["app"] | "unknown" 10699 destination_version: destination.labels["version"] | "unknown" 10700 destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) 10701 destination_service_name: destination.service.name | "unknown" 10702 destination_service_namespace: destination.service.namespace | "unknown" 10703 request_protocol: api.protocol | context.protocol | "unknown" 10704 response_code: response.code | 200 10705 grpc_response_status: response.grpc_status | "" 10706 response_flags: context.proxy_error_code | "-" 10707 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 10708 monitored_resource_type: '"UNSPECIFIED"' 10709--- 10710 10711 10712apiVersion: "config.istio.io/v1alpha2" 10713kind: instance 10714metadata: 10715 name: responsesize 10716 namespace: istio-system 10717 labels: 10718 app: istio-telemetry 10719 release: istio 10720spec: 10721 compiledTemplate: metric 10722 params: 10723 value: response.size | 0 10724 dimensions: 10725 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 10726 source_workload: source.workload.name | "unknown" 10727 source_workload_namespace: source.workload.namespace | "unknown" 10728 source_principal: source.principal | "unknown" 10729 source_app: source.labels["app"] | "unknown" 10730 source_version: source.labels["version"] | "unknown" 10731 destination_workload: destination.workload.name | "unknown" 10732 destination_workload_namespace: destination.workload.namespace | "unknown" 10733 destination_principal: destination.principal | "unknown" 10734 destination_app: destination.labels["app"] | "unknown" 10735 destination_version: destination.labels["version"] | "unknown" 10736 destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) 10737 destination_service_name: destination.service.name | "unknown" 10738 destination_service_namespace: destination.service.namespace | "unknown" 10739 request_protocol: api.protocol | context.protocol | "unknown" 10740 response_code: response.code | 200 10741 grpc_response_status: response.grpc_status | "" 10742 response_flags: context.proxy_error_code | "-" 10743 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 10744 monitored_resource_type: '"UNSPECIFIED"' 10745--- 10746 10747 10748apiVersion: "config.istio.io/v1alpha2" 10749kind: instance 10750metadata: 10751 name: tcpbytesent 10752 namespace: istio-system 10753 labels: 10754 app: istio-telemetry 10755 release: istio 10756spec: 10757 compiledTemplate: metric 10758 params: 10759 value: connection.sent.bytes | 0 10760 dimensions: 10761 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 10762 source_workload: source.workload.name | "unknown" 10763 source_workload_namespace: source.workload.namespace | "unknown" 10764 source_principal: source.principal | "unknown" 10765 source_app: source.labels["app"] | "unknown" 10766 source_version: source.labels["version"] | "unknown" 10767 destination_workload: destination.workload.name | "unknown" 10768 destination_workload_namespace: destination.workload.namespace | "unknown" 10769 destination_principal: destination.principal | "unknown" 10770 destination_app: destination.labels["app"] | "unknown" 10771 destination_version: destination.labels["version"] | "unknown" 10772 destination_service: destination.service.host | "unknown" 10773 destination_service_name: destination.service.name | "unknown" 10774 destination_service_namespace: destination.service.namespace | "unknown" 10775 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 10776 response_flags: context.proxy_error_code | "-" 10777 monitored_resource_type: '"UNSPECIFIED"' 10778--- 10779 10780 10781apiVersion: "config.istio.io/v1alpha2" 10782kind: instance 10783metadata: 10784 name: tcpbytereceived 10785 namespace: istio-system 10786 labels: 10787 app: istio-telemetry 10788 release: istio 10789spec: 10790 compiledTemplate: metric 10791 params: 10792 value: connection.received.bytes | 0 10793 dimensions: 10794 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 10795 source_workload: source.workload.name | "unknown" 10796 source_workload_namespace: source.workload.namespace | "unknown" 10797 source_principal: source.principal | "unknown" 10798 source_app: source.labels["app"] | "unknown" 10799 source_version: source.labels["version"] | "unknown" 10800 destination_workload: destination.workload.name | "unknown" 10801 destination_workload_namespace: destination.workload.namespace | "unknown" 10802 destination_principal: destination.principal | "unknown" 10803 destination_app: destination.labels["app"] | "unknown" 10804 destination_version: destination.labels["version"] | "unknown" 10805 destination_service: destination.service.host | "unknown" 10806 destination_service_name: destination.service.name | "unknown" 10807 destination_service_namespace: destination.service.namespace | "unknown" 10808 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 10809 response_flags: context.proxy_error_code | "-" 10810 monitored_resource_type: '"UNSPECIFIED"' 10811--- 10812 10813 10814apiVersion: "config.istio.io/v1alpha2" 10815kind: instance 10816metadata: 10817 name: tcpconnectionsopened 10818 namespace: istio-system 10819 labels: 10820 app: istio-telemetry 10821 release: istio 10822spec: 10823 compiledTemplate: metric 10824 params: 10825 value: "1" 10826 dimensions: 10827 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 10828 source_workload: source.workload.name | "unknown" 10829 source_workload_namespace: source.workload.namespace | "unknown" 10830 source_principal: source.principal | "unknown" 10831 source_app: source.labels["app"] | "unknown" 10832 source_version: source.labels["version"] | "unknown" 10833 destination_workload: destination.workload.name | "unknown" 10834 destination_workload_namespace: destination.workload.namespace | "unknown" 10835 destination_principal: destination.principal | "unknown" 10836 destination_app: destination.labels["app"] | "unknown" 10837 destination_version: destination.labels["version"] | "unknown" 10838 destination_service: destination.service.host | "unknown" 10839 destination_service_name: destination.service.name | "unknown" 10840 destination_service_namespace: destination.service.namespace | "unknown" 10841 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 10842 response_flags: context.proxy_error_code | "-" 10843 monitored_resource_type: '"UNSPECIFIED"' 10844--- 10845 10846 10847apiVersion: "config.istio.io/v1alpha2" 10848kind: instance 10849metadata: 10850 name: tcpconnectionsclosed 10851 namespace: istio-system 10852 labels: 10853 app: istio-telemetry 10854 release: istio 10855spec: 10856 compiledTemplate: metric 10857 params: 10858 value: "1" 10859 dimensions: 10860 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 10861 source_workload: source.workload.name | "unknown" 10862 source_workload_namespace: source.workload.namespace | "unknown" 10863 source_principal: source.principal | "unknown" 10864 source_app: source.labels["app"] | "unknown" 10865 source_version: source.labels["version"] | "unknown" 10866 destination_workload: destination.workload.name | "unknown" 10867 destination_workload_namespace: destination.workload.namespace | "unknown" 10868 destination_principal: destination.principal | "unknown" 10869 destination_app: destination.labels["app"] | "unknown" 10870 destination_version: destination.labels["version"] | "unknown" 10871 destination_service: destination.service.host | "unknown" 10872 destination_service_name: destination.service.name | "unknown" 10873 destination_service_namespace: destination.service.namespace | "unknown" 10874 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 10875 response_flags: context.proxy_error_code | "-" 10876 monitored_resource_type: '"UNSPECIFIED"' 10877--- 10878 10879 10880apiVersion: "config.istio.io/v1alpha2" 10881kind: handler 10882metadata: 10883 name: prometheus 10884 namespace: istio-system 10885 labels: 10886 app: istio-telemetry 10887 release: istio 10888spec: 10889 compiledAdapter: prometheus 10890 params: 10891 metricsExpirationPolicy: 10892 metricsExpiryDuration: "10m" 10893 metrics: 10894 - name: requests_total 10895 instance_name: requestcount.instance.istio-system 10896 kind: COUNTER 10897 label_names: 10898 - reporter 10899 - source_app 10900 - source_principal 10901 - source_workload 10902 - source_workload_namespace 10903 - source_version 10904 - destination_app 10905 - destination_principal 10906 - destination_workload 10907 - destination_workload_namespace 10908 - destination_version 10909 - destination_service 10910 - destination_service_name 10911 - destination_service_namespace 10912 - request_protocol 10913 - grpc_response_status 10914 - response_code 10915 - response_flags 10916 - connection_security_policy 10917 - name: request_duration_seconds 10918 instance_name: requestduration.instance.istio-system 10919 kind: DISTRIBUTION 10920 label_names: 10921 - reporter 10922 - source_app 10923 - source_principal 10924 - source_workload 10925 - source_workload_namespace 10926 - source_version 10927 - destination_app 10928 - destination_principal 10929 - destination_workload 10930 - destination_workload_namespace 10931 - destination_version 10932 - destination_service 10933 - destination_service_name 10934 - destination_service_namespace 10935 - request_protocol 10936 - response_code 10937 - grpc_response_status 10938 - response_flags 10939 - connection_security_policy 10940 buckets: 10941 explicit_buckets: 10942 bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] 10943 - name: request_bytes 10944 instance_name: requestsize.instance.istio-system 10945 kind: DISTRIBUTION 10946 label_names: 10947 - reporter 10948 - source_app 10949 - source_principal 10950 - source_workload 10951 - source_workload_namespace 10952 - source_version 10953 - destination_app 10954 - destination_principal 10955 - destination_workload 10956 - destination_workload_namespace 10957 - destination_version 10958 - destination_service 10959 - destination_service_name 10960 - destination_service_namespace 10961 - request_protocol 10962 - response_code 10963 - grpc_response_status 10964 - response_flags 10965 - connection_security_policy 10966 buckets: 10967 exponentialBuckets: 10968 numFiniteBuckets: 8 10969 scale: 1 10970 growthFactor: 10 10971 - name: response_bytes 10972 instance_name: responsesize.instance.istio-system 10973 kind: DISTRIBUTION 10974 label_names: 10975 - reporter 10976 - source_app 10977 - source_principal 10978 - source_workload 10979 - source_workload_namespace 10980 - source_version 10981 - destination_app 10982 - destination_principal 10983 - destination_workload 10984 - destination_workload_namespace 10985 - destination_version 10986 - destination_service 10987 - destination_service_name 10988 - destination_service_namespace 10989 - request_protocol 10990 - response_code 10991 - grpc_response_status 10992 - response_flags 10993 - connection_security_policy 10994 buckets: 10995 exponentialBuckets: 10996 numFiniteBuckets: 8 10997 scale: 1 10998 growthFactor: 10 10999 - name: tcp_sent_bytes_total 11000 instance_name: tcpbytesent.instance.istio-system 11001 kind: COUNTER 11002 label_names: 11003 - reporter 11004 - source_app 11005 - source_principal 11006 - source_workload 11007 - source_workload_namespace 11008 - source_version 11009 - destination_app 11010 - destination_principal 11011 - destination_workload 11012 - destination_workload_namespace 11013 - destination_version 11014 - destination_service 11015 - destination_service_name 11016 - destination_service_namespace 11017 - connection_security_policy 11018 - response_flags 11019 - name: tcp_received_bytes_total 11020 instance_name: tcpbytereceived.instance.istio-system 11021 kind: COUNTER 11022 label_names: 11023 - reporter 11024 - source_app 11025 - source_principal 11026 - source_workload 11027 - source_workload_namespace 11028 - source_version 11029 - destination_app 11030 - destination_principal 11031 - destination_workload 11032 - destination_workload_namespace 11033 - destination_version 11034 - destination_service 11035 - destination_service_name 11036 - destination_service_namespace 11037 - connection_security_policy 11038 - response_flags 11039 - name: tcp_connections_opened_total 11040 instance_name: tcpconnectionsopened.instance.istio-system 11041 kind: COUNTER 11042 label_names: 11043 - reporter 11044 - source_app 11045 - source_principal 11046 - source_workload 11047 - source_workload_namespace 11048 - source_version 11049 - destination_app 11050 - destination_principal 11051 - destination_workload 11052 - destination_workload_namespace 11053 - destination_version 11054 - destination_service 11055 - destination_service_name 11056 - destination_service_namespace 11057 - connection_security_policy 11058 - response_flags 11059 - name: tcp_connections_closed_total 11060 instance_name: tcpconnectionsclosed.instance.istio-system 11061 kind: COUNTER 11062 label_names: 11063 - reporter 11064 - source_app 11065 - source_principal 11066 - source_workload 11067 - source_workload_namespace 11068 - source_version 11069 - destination_app 11070 - destination_principal 11071 - destination_workload 11072 - destination_workload_namespace 11073 - destination_version 11074 - destination_service 11075 - destination_service_name 11076 - destination_service_namespace 11077 - connection_security_policy 11078 - response_flags 11079--- 11080 11081 11082apiVersion: "config.istio.io/v1alpha2" 11083kind: rule 11084metadata: 11085 name: promhttp 11086 namespace: istio-system 11087 labels: 11088 app: istio-telemetry 11089 release: istio 11090spec: 11091 match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false) 11092 actions: 11093 - handler: prometheus 11094 instances: 11095 - requestcount 11096 - requestduration 11097 - requestsize 11098 - responsesize 11099--- 11100 11101 11102apiVersion: "config.istio.io/v1alpha2" 11103kind: rule 11104metadata: 11105 name: promtcp 11106 namespace: istio-system 11107 labels: 11108 app: istio-telemetry 11109 release: istio 11110spec: 11111 match: context.protocol == "tcp" 11112 actions: 11113 - handler: prometheus 11114 instances: 11115 - tcpbytesent 11116 - tcpbytereceived 11117--- 11118 11119 11120apiVersion: "config.istio.io/v1alpha2" 11121kind: rule 11122metadata: 11123 name: promtcpconnectionopen 11124 namespace: istio-system 11125 labels: 11126 app: istio-telemetry 11127 release: istio 11128spec: 11129 match: context.protocol == "tcp" && ((connection.event | "na") == "open") 11130 actions: 11131 - handler: prometheus 11132 instances: 11133 - tcpconnectionsopened 11134--- 11135 11136 11137apiVersion: "config.istio.io/v1alpha2" 11138kind: rule 11139metadata: 11140 name: promtcpconnectionclosed 11141 namespace: istio-system 11142 labels: 11143 app: istio-telemetry 11144 release: istio 11145spec: 11146 match: context.protocol == "tcp" && ((connection.event | "na") == "close") 11147 actions: 11148 - handler: prometheus 11149 instances: 11150 - tcpconnectionsclosed 11151--- 11152 11153 11154apiVersion: "config.istio.io/v1alpha2" 11155kind: handler 11156metadata: 11157 name: kubernetesenv 11158 namespace: istio-system 11159 labels: 11160 app: istio-telemetry 11161 release: istio 11162spec: 11163 compiledAdapter: kubernetesenv 11164 params: {} 11165 # when running from mixer root, use the following config after adding a 11166 # symbolic link to a kubernetes config file via: 11167 # 11168 # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig 11169 # 11170 # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" 11171--- 11172 11173 11174apiVersion: "config.istio.io/v1alpha2" 11175kind: rule 11176metadata: 11177 name: kubeattrgenrulerule 11178 namespace: istio-system 11179 labels: 11180 app: istio-telemetry 11181 release: istio 11182spec: 11183 actions: 11184 - handler: kubernetesenv 11185 instances: 11186 - attributes 11187--- 11188 11189 11190apiVersion: "config.istio.io/v1alpha2" 11191kind: rule 11192metadata: 11193 name: tcpkubeattrgenrulerule 11194 namespace: istio-system 11195 labels: 11196 app: istio-telemetry 11197 release: istio 11198spec: 11199 match: context.protocol == "tcp" 11200 actions: 11201 - handler: kubernetesenv 11202 instances: 11203 - attributes 11204--- 11205 11206 11207apiVersion: "config.istio.io/v1alpha2" 11208kind: instance 11209metadata: 11210 name: attributes 11211 namespace: istio-system 11212 labels: 11213 app: istio-telemetry 11214 release: istio 11215spec: 11216 compiledTemplate: kubernetes 11217 params: 11218 # Pass the required attribute data to the adapter 11219 source_uid: source.uid | "" 11220 source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr 11221 destination_uid: destination.uid | "" 11222 destination_port: destination.port | 0 11223 attributeBindings: 11224 # Fill the new attributes from the adapter produced output. 11225 # $out refers to an instance of OutputTemplate message 11226 source.ip: $out.source_pod_ip | ip("0.0.0.0") 11227 source.uid: $out.source_pod_uid | "unknown" 11228 source.labels: $out.source_labels | emptyStringMap() 11229 source.name: $out.source_pod_name | "unknown" 11230 source.namespace: $out.source_namespace | "default" 11231 source.owner: $out.source_owner | "unknown" 11232 source.serviceAccount: $out.source_service_account_name | "unknown" 11233 source.workload.uid: $out.source_workload_uid | "unknown" 11234 source.workload.name: $out.source_workload_name | "unknown" 11235 source.workload.namespace: $out.source_workload_namespace | "unknown" 11236 destination.ip: $out.destination_pod_ip | ip("0.0.0.0") 11237 destination.uid: $out.destination_pod_uid | "unknown" 11238 destination.labels: $out.destination_labels | emptyStringMap() 11239 destination.name: $out.destination_pod_name | "unknown" 11240 destination.container.name: $out.destination_container_name | "unknown" 11241 destination.namespace: $out.destination_namespace | "default" 11242 destination.owner: $out.destination_owner | "unknown" 11243 destination.serviceAccount: $out.destination_service_account_name | "unknown" 11244 destination.workload.uid: $out.destination_workload_uid | "unknown" 11245 destination.workload.name: $out.destination_workload_name | "unknown" 11246 destination.workload.namespace: $out.destination_workload_namespace | "unknown" 11247--- 11248 11249 11250apiVersion: networking.istio.io/v1alpha3 11251kind: DestinationRule 11252metadata: 11253 name: istio-telemetry 11254 namespace: istio-system 11255 labels: 11256 app: istio-telemetry 11257 release: istio 11258spec: 11259 host: istio-telemetry.istio-system.svc.cluster.local 11260 trafficPolicy: 11261 portLevelSettings: 11262 - port: 11263 number: 15004 # grpc-mixer-mtls 11264 tls: 11265 mode: ISTIO_MUTUAL 11266 - port: 11267 number: 9091 # grpc-mixer 11268 tls: 11269 mode: DISABLE 11270 connectionPool: 11271 http: 11272 http2MaxRequests: 10000 11273 maxRequestsPerConnection: 10000 11274--- 11275 11276 11277apiVersion: v1 11278kind: ConfigMap 11279metadata: 11280 namespace: istio-system 11281 name: telemetry-envoy-config 11282 labels: 11283 release: istio 11284data: 11285 # Explicitly defined - moved from istio/istio/pilot/docker. 11286 envoy.yaml.tmpl: |- 11287 admin: 11288 access_log_path: /dev/null 11289 address: 11290 socket_address: 11291 address: 127.0.0.1 11292 port_value: 15000 11293 stats_config: 11294 use_all_default_tags: false 11295 stats_tags: 11296 - tag_name: cluster_name 11297 regex: '^cluster\.((.+?(\..+?\.svc\.cluster\.local)?)\.)' 11298 - tag_name: tcp_prefix 11299 regex: '^tcp\.((.*?)\.)\w+?$' 11300 - tag_name: response_code 11301 regex: '_rq(_(\d{3}))$' 11302 - tag_name: response_code_class 11303 regex: '_rq(_(\dxx))$' 11304 - tag_name: http_conn_manager_listener_prefix 11305 regex: '^listener(?=\.).*?\.http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' 11306 - tag_name: http_conn_manager_prefix 11307 regex: '^http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' 11308 - tag_name: listener_address 11309 regex: '^listener\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' 11310 11311 static_resources: 11312 clusters: 11313 - name: prometheus_stats 11314 type: STATIC 11315 connect_timeout: 0.250s 11316 lb_policy: ROUND_ROBIN 11317 hosts: 11318 - socket_address: 11319 protocol: TCP 11320 address: 127.0.0.1 11321 port_value: 15000 11322 11323 - name: sds-grpc 11324 type: STATIC 11325 http2_protocol_options: {} 11326 connect_timeout: 0.250s 11327 lb_policy: ROUND_ROBIN 11328 hosts: 11329 - pipe: 11330 path: "/etc/istio/proxy/SDS" 11331 11332 - name: inbound_9092 11333 circuit_breakers: 11334 thresholds: 11335 - max_connections: 100000 11336 max_pending_requests: 100000 11337 max_requests: 100000 11338 max_retries: 3 11339 connect_timeout: 1.000s 11340 hosts: 11341 - pipe: 11342 path: /sock/mixer.socket 11343 http2_protocol_options: {} 11344 11345 - name: out.galley.15019 11346 http2_protocol_options: {} 11347 connect_timeout: 1.000s 11348 type: STRICT_DNS 11349 11350 circuit_breakers: 11351 thresholds: 11352 - max_connections: 100000 11353 max_pending_requests: 100000 11354 max_requests: 100000 11355 max_retries: 3 11356 11357 tls_context: 11358 common_tls_context: 11359 tls_certificate_sds_secret_configs: 11360 - name: default 11361 sds_config: 11362 api_config_source: 11363 api_type: GRPC 11364 grpc_services: 11365 - envoy_grpc: 11366 cluster_name: sds-grpc 11367 combined_validation_context: 11368 default_validation_context: 11369 verify_subject_alt_name: 11370 - spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account 11371 validation_context_sds_secret_config: 11372 name: ROOTCA 11373 sds_config: 11374 api_config_source: 11375 api_type: GRPC 11376 grpc_services: 11377 - envoy_grpc: 11378 cluster_name: sds-grpc 11379 hosts: 11380 - socket_address: 11381 address: istio-galley.istio-system 11382 port_value: 15019 11383 11384 11385 listeners: 11386 - name: "15090" 11387 address: 11388 socket_address: 11389 protocol: TCP 11390 address: 0.0.0.0 11391 port_value: 15090 11392 filter_chains: 11393 - filters: 11394 - name: envoy.http_connection_manager 11395 config: 11396 codec_type: AUTO 11397 stat_prefix: stats 11398 route_config: 11399 virtual_hosts: 11400 - name: backend 11401 domains: 11402 - '*' 11403 routes: 11404 - match: 11405 prefix: /stats/prometheus 11406 route: 11407 cluster: prometheus_stats 11408 http_filters: 11409 - name: envoy.router 11410 11411 - name: "15004" 11412 address: 11413 socket_address: 11414 address: 0.0.0.0 11415 port_value: 15004 11416 filter_chains: 11417 - filters: 11418 - config: 11419 codec_type: HTTP2 11420 http2_protocol_options: 11421 max_concurrent_streams: 1073741824 11422 generate_request_id: true 11423 http_filters: 11424 - config: 11425 default_destination_service: istio-telemetry.istio-system.svc.cluster.local 11426 service_configs: 11427 istio-telemetry.istio-system.svc.cluster.local: 11428 disable_check_calls: true 11429 {{- if .DisableReportCalls }} 11430 disable_report_calls: true 11431 {{- end }} 11432 mixer_attributes: 11433 attributes: 11434 destination.service.host: 11435 string_value: istio-telemetry.istio-system.svc.cluster.local 11436 destination.service.uid: 11437 string_value: istio://istio-system/services/istio-telemetry 11438 destination.service.name: 11439 string_value: istio-telemetry 11440 destination.service.namespace: 11441 string_value: istio-system 11442 destination.uid: 11443 string_value: kubernetes://{{ .PodName }}.istio-system 11444 destination.namespace: 11445 string_value: istio-system 11446 destination.ip: 11447 bytes_value: {{ .PodIP }} 11448 destination.port: 11449 int64_value: 15004 11450 context.reporter.kind: 11451 string_value: inbound 11452 context.reporter.uid: 11453 string_value: kubernetes://{{ .PodName }}.istio-system 11454 transport: 11455 check_cluster: mixer_check_server 11456 report_cluster: inbound_9092 11457 name: mixer 11458 - name: envoy.router 11459 route_config: 11460 name: "15004" 11461 virtual_hosts: 11462 - domains: 11463 - '*' 11464 name: istio-telemetry.istio-system.svc.cluster.local 11465 routes: 11466 - decorator: 11467 operation: Report 11468 match: 11469 prefix: / 11470 route: 11471 cluster: inbound_9092 11472 timeout: 0.000s 11473 stat_prefix: "15004" 11474 name: envoy.http_connection_manager 11475 tls_context: 11476 require_client_certificate: true 11477 common_tls_context: 11478 alpn_protocols: 11479 - h2 11480 tls_certificate_sds_secret_configs: 11481 - name: default 11482 sds_config: 11483 api_config_source: 11484 api_type: GRPC 11485 grpc_services: 11486 - envoy_grpc: 11487 cluster_name: sds-grpc 11488 validation_context_sds_secret_config: 11489 name: ROOTCA 11490 sds_config: 11491 api_config_source: 11492 api_type: GRPC 11493 grpc_services: 11494 - envoy_grpc: 11495 cluster_name: sds-grpc 11496 11497 - name: "9091" 11498 address: 11499 socket_address: 11500 address: 0.0.0.0 11501 port_value: 9091 11502 filter_chains: 11503 - filters: 11504 - config: 11505 codec_type: HTTP2 11506 http2_protocol_options: 11507 max_concurrent_streams: 1073741824 11508 generate_request_id: true 11509 http_filters: 11510 - config: 11511 default_destination_service: istio-telemetry.istio-system.svc.cluster.local 11512 service_configs: 11513 istio-telemetry.istio-system.svc.cluster.local: 11514 disable_check_calls: true 11515 {{- if .DisableReportCalls }} 11516 disable_report_calls: true 11517 {{- end }} 11518 mixer_attributes: 11519 attributes: 11520 destination.service.host: 11521 string_value: istio-telemetry.istio-system.svc.cluster.local 11522 destination.service.uid: 11523 string_value: istio://istio-system/services/istio-telemetry 11524 destination.service.name: 11525 string_value: istio-telemetry 11526 destination.service.namespace: 11527 string_value: istio-system 11528 destination.uid: 11529 string_value: kubernetes://{{ .PodName }}.istio-system 11530 destination.namespace: 11531 string_value: istio-system 11532 destination.ip: 11533 bytes_value: {{ .PodIP }} 11534 destination.port: 11535 int64_value: 9091 11536 context.reporter.kind: 11537 string_value: inbound 11538 context.reporter.uid: 11539 string_value: kubernetes://{{ .PodName }}.istio-system 11540 transport: 11541 check_cluster: mixer_check_server 11542 report_cluster: inbound_9092 11543 name: mixer 11544 - name: envoy.router 11545 route_config: 11546 name: "9091" 11547 virtual_hosts: 11548 - domains: 11549 - '*' 11550 name: istio-telemetry.istio-system.svc.cluster.local 11551 routes: 11552 - decorator: 11553 operation: Report 11554 match: 11555 prefix: / 11556 route: 11557 cluster: inbound_9092 11558 timeout: 0.000s 11559 stat_prefix: "9091" 11560 name: envoy.http_connection_manager 11561 11562 - name: "local.15019" 11563 address: 11564 socket_address: 11565 address: 127.0.0.1 11566 port_value: 15019 11567 filter_chains: 11568 - filters: 11569 - name: envoy.http_connection_manager 11570 config: 11571 codec_type: HTTP2 11572 stat_prefix: "15019" 11573 stream_idle_timeout: 0s 11574 http2_protocol_options: 11575 max_concurrent_streams: 1073741824 11576 11577 access_log: 11578 - name: envoy.file_access_log 11579 config: 11580 path: /dev/stdout 11581 11582 http_filters: 11583 - name: envoy.router 11584 11585 route_config: 11586 name: "15019" 11587 11588 virtual_hosts: 11589 - name: istio-galley 11590 11591 domains: 11592 - '*' 11593 11594 routes: 11595 - match: 11596 prefix: / 11597 route: 11598 cluster: out.galley.15019 11599 timeout: 0.000s 11600--- 11601 11602 11603apiVersion: apps/v1 11604kind: Deployment 11605metadata: 11606 labels: 11607 app: istio-mixer 11608 istio: mixer 11609 release: istio 11610 name: istio-telemetry 11611 namespace: istio-system 11612spec: 11613 replicas: 1 11614 selector: 11615 matchLabels: 11616 istio: mixer 11617 istio-mixer-type: telemetry 11618 strategy: 11619 rollingUpdate: 11620 maxSurge: 100% 11621 maxUnavailable: 25% 11622 template: 11623 metadata: 11624 annotations: 11625 sidecar.istio.io/inject: "false" 11626 labels: 11627 app: telemetry 11628 istio: mixer 11629 istio-mixer-type: telemetry 11630 spec: 11631 affinity: 11632 nodeAffinity: 11633 preferredDuringSchedulingIgnoredDuringExecution: 11634 - preference: 11635 matchExpressions: 11636 - key: beta.kubernetes.io/arch 11637 operator: In 11638 values: 11639 - amd64 11640 weight: 2 11641 - preference: 11642 matchExpressions: 11643 - key: beta.kubernetes.io/arch 11644 operator: In 11645 values: 11646 - ppc64le 11647 weight: 2 11648 - preference: 11649 matchExpressions: 11650 - key: beta.kubernetes.io/arch 11651 operator: In 11652 values: 11653 - s390x 11654 weight: 2 11655 requiredDuringSchedulingIgnoredDuringExecution: 11656 nodeSelectorTerms: 11657 - matchExpressions: 11658 - key: beta.kubernetes.io/arch 11659 operator: In 11660 values: 11661 - amd64 11662 - ppc64le 11663 - s390x 11664 containers: 11665 - args: 11666 - --monitoringPort=15014 11667 - --address 11668 - unix:///sock/mixer.socket 11669 - --log_output_level=default:info 11670 - --configStoreURL=k8s:// 11671 - --configDefaultNamespace=istio-system 11672 - --useAdapterCRDs=false 11673 - --useTemplateCRDs=false 11674 - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans 11675 env: 11676 - name: POD_NAMESPACE 11677 valueFrom: 11678 fieldRef: 11679 apiVersion: v1 11680 fieldPath: metadata.namespace 11681 - name: GOMAXPROCS 11682 value: "6" 11683 image: gcr.io/istio-testing/mixer:latest 11684 livenessProbe: 11685 httpGet: 11686 path: /version 11687 port: 15014 11688 initialDelaySeconds: 5 11689 periodSeconds: 5 11690 name: mixer 11691 ports: 11692 - containerPort: 9091 11693 - containerPort: 15014 11694 - containerPort: 42422 11695 resources: 11696 limits: 11697 cpu: 4800m 11698 memory: 4G 11699 requests: 11700 cpu: 1000m 11701 memory: 1G 11702 securityContext: 11703 capabilities: 11704 drop: 11705 - ALL 11706 runAsGroup: 1337 11707 runAsNonRoot: true 11708 runAsUser: 1337 11709 volumeMounts: 11710 - mountPath: /sock 11711 name: uds-socket 11712 - mountPath: /var/run/secrets/istio.io/telemetry/adapter 11713 name: telemetry-adapter-secret 11714 readOnly: true 11715 - args: 11716 - proxy 11717 - --domain 11718 - $(POD_NAMESPACE).svc.cluster.local 11719 - --serviceCluster 11720 - istio-telemetry 11721 - --templateFile 11722 - /var/lib/envoy/envoy.yaml.tmpl 11723 - --controlPlaneAuthPolicy 11724 - MUTUAL_TLS 11725 - --trust-domain=cluster.local 11726 env: 11727 - name: POD_NAME 11728 valueFrom: 11729 fieldRef: 11730 apiVersion: v1 11731 fieldPath: metadata.name 11732 - name: POD_NAMESPACE 11733 valueFrom: 11734 fieldRef: 11735 apiVersion: v1 11736 fieldPath: metadata.namespace 11737 - name: INSTANCE_IP 11738 valueFrom: 11739 fieldRef: 11740 apiVersion: v1 11741 fieldPath: status.podIP 11742 - name: JWT_POLICY 11743 value: third-party-jwt 11744 - name: PILOT_CERT_PROVIDER 11745 value: istiod 11746 - name: ISTIO_META_USER_SDS 11747 value: "true" 11748 - name: CA_ADDR 11749 value: istiod.istio-system.svc:15012 11750 image: gcr.io/istio-testing/proxyv2:latest 11751 name: istio-proxy 11752 ports: 11753 - containerPort: 15004 11754 - containerPort: 15090 11755 name: http-envoy-prom 11756 protocol: TCP 11757 resources: 11758 limits: 11759 cpu: 2000m 11760 memory: 1024Mi 11761 requests: 11762 cpu: 100m 11763 memory: 128Mi 11764 volumeMounts: 11765 - mountPath: /etc/istio/config 11766 name: config-volume 11767 - mountPath: /var/run/secrets/istio 11768 name: istiod-ca-cert 11769 - mountPath: /var/run/secrets/tokens 11770 name: istio-token 11771 readOnly: true 11772 - mountPath: /var/lib/envoy 11773 name: telemetry-envoy-config 11774 - mountPath: /sock 11775 name: uds-socket 11776 securityContext: 11777 fsGroup: 1337 11778 serviceAccountName: istio-mixer-service-account 11779 volumes: 11780 - configMap: 11781 name: istio 11782 optional: true 11783 name: config-volume 11784 - configMap: 11785 name: istio-ca-root-cert 11786 name: istiod-ca-cert 11787 - name: istio-token 11788 projected: 11789 sources: 11790 - serviceAccountToken: 11791 audience: istio-ca 11792 expirationSeconds: 43200 11793 path: istio-token 11794 - name: istio-certs 11795 secret: 11796 optional: true 11797 secretName: istio.istio-mixer-service-account 11798 - emptyDir: {} 11799 name: uds-socket 11800 - name: telemetry-adapter-secret 11801 secret: 11802 optional: true 11803 secretName: telemetry-adapter-secret 11804 - configMap: 11805 name: telemetry-envoy-config 11806 name: telemetry-envoy-config 11807 11808--- 11809 11810 11811apiVersion: policy/v1beta1 11812kind: PodDisruptionBudget 11813metadata: 11814 name: istio-telemetry 11815 namespace: istio-system 11816 labels: 11817 app: telemetry 11818 release: istio 11819 istio: mixer 11820 istio-mixer-type: telemetry 11821spec: 11822 minAvailable: 1 11823 selector: 11824 matchLabels: 11825 app: telemetry 11826 istio: mixer 11827 istio-mixer-type: telemetry 11828--- 11829 11830 11831apiVersion: v1 11832kind: Service 11833metadata: 11834 name: istio-telemetry 11835 namespace: istio-system 11836 labels: 11837 app: mixer 11838 istio: mixer 11839 release: istio 11840spec: 11841 ports: 11842 - name: grpc-mixer 11843 port: 9091 11844 - name: grpc-mixer-mtls 11845 port: 15004 11846 - name: http-monitoring 11847 port: 15014 11848 - name: prometheus 11849 port: 42422 11850 selector: 11851 istio: mixer 11852 istio-mixer-type: telemetry 11853--- 11854 11855 11856apiVersion: v1 11857kind: ServiceAccount 11858metadata: 11859 name: istio-mixer-service-account 11860 namespace: istio-system 11861 labels: 11862 app: istio-telemetry 11863 release: istio 11864--- 11865 11866