pilot-discovery

Istio Pilot provides fleet-wide traffic management capabilities in the Istio Service Mesh.

FlagsDescription
—ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use ‘*’ to indicate all addresses. (default localhost)
—ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default 9876)
—keepaliveInterval <duration>The time interval if no activity on the connection it pings the peer to see if the transport is alive (default 30s)
—keepaliveMaxServerConnectionAge <duration>Maximum duration a connection will be kept open on the server before a graceful close. (default 2562047h47m16.854775807s)
—keepaliveTimeout <duration>After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default 10s)
—log_as_jsonWhether to format output as JSON or in plain console-friendly format
—log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] (default )</td></tr><tr><td><code>--log_output_level &lt;string&gt;</code></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate &lt;string&gt;</code></td><td>The path for the optional rotating log file (default)
—log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30)
—log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000)
—log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600)
—log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default default:none)
—log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout])

pilot-discovery discovery

Start Istio proxy discovery service.

  1. pilot-discovery discovery [flags]
FlagsShorthandDescription
—appNamespace <string>-aSpecify the applications namespace list the controller manages, separated by comma; if not set, controller watches all namespaces (default )</td></tr><tr><td><code>--caCertFile &lt;string&gt;</code></td><td></td><td>File containing the x509 Server CA Certificate (default)
—clusterID <string>The ID of the cluster that this Istiod instance resides (default Kubernetes)
—clusterRegistriesNamespace <string>Namespace for ConfigMap which stores clusters configs (default istio-system)
—configDir <string>Directory to watch for updates to config yaml files. If specified, the files will be used as the source of config, rather than a CRD client. (default )</td></tr><tr><td><code>--ctrlz_address &lt;string&gt;</code></td><td></td><td>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)</td></tr><tr><td><code>--ctrlz_port &lt;uint16&gt;</code></td><td></td><td>The IP port to use for the ControlZ introspection facility (default `9876`)</td></tr><tr><td><code>--domain &lt;string&gt;</code></td><td></td><td>DNS domain suffix (default `cluster.local`)</td></tr><tr><td><code>--grpcAddr &lt;string&gt;</code></td><td></td><td>Discovery service gRPC address (default `:15010`)</td></tr><tr><td><code>--httpAddr &lt;string&gt;</code></td><td></td><td>Discovery service HTTP address (default `:8080`)</td></tr><tr><td><code>--httpsAddr &lt;string&gt;</code></td><td></td><td>Injection and validation service HTTPS address (default `:15017`)</td></tr><tr><td><code>--keepaliveInterval &lt;duration&gt;</code></td><td></td><td>The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`)</td></tr><tr><td><code>--keepaliveMaxServerConnectionAge &lt;duration&gt;</code></td><td></td><td>Maximum duration a connection will be kept open on the server before a graceful close. (default `2562047h47m16.854775807s`)</td></tr><tr><td><code>--keepaliveTimeout &lt;duration&gt;</code></td><td></td><td>After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default `10s`)</td></tr><tr><td><code>--kubeconfig &lt;string&gt;</code></td><td></td><td>Use a Kubernetes configuration file instead of in-cluster configuration (default)
—kubernetesApiBurst <int>Maximum burst for throttle when communicating with the kubernetes API (default 40)
—kubernetesApiQPS <float32>Maximum QPS when communicating with the kubernetes API (default 20)
—log_as_jsonWhether to format output as JSON or in plain console-friendly format
—log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] (default )</td></tr><tr><td><code>--log_output_level &lt;string&gt;</code></td><td></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate &lt;string&gt;</code></td><td></td><td>The path for the optional rotating log file (default)
—log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30)
—log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000)
—log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600)
—log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default default:none)
—log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout])
—mcpInitialConnWindowSize <int>Initial connection window size for MCP’s gRPC connection (default 1048576)
—mcpInitialWindowSize <int>Initial window size for MCP’s gRPC connection (default 1048576)
—mcpMaxMsgSize <int>Max message size received by MCP’s gRPC client (default 4194304)
—meshConfig <string>File name for Istio mesh configuration. If not specified, a default mesh will be used. (default ./etc/istio/config/mesh)
—monitoringAddr <string>HTTP address to use for pilot’s self-monitoring information (default :15014)
—namespace <string>-nSelect a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable (default istio-system)
—networksConfig <string>File name for Istio mesh networks configuration. If not specified, a default mesh networks will be used. (default /etc/istio/config/meshNetworks)
—plugins <stringSlice>comma separated list of networking plugins to enable (default [authn,authz,health])
—profileEnable profiling via web interface host:port/debug/pprof
—registries <stringSlice>Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Mock}) (default [Kubernetes])
—resync <duration>Controller resync interval (default 1m0s)
—secureGRPCAddr <string>Discovery service secured gRPC address (default :15012)
—tlsCertFile <string>File containing the x509 Server Certificate (default )</td></tr><tr><td><code>--tlsKeyFile &lt;string&gt;</code></td><td></td><td>File containing the x509 private key matching --tlsCertFile (default)
—trust-domain <string>The domain serves to identify the system with spiffe (default ``)

pilot-discovery request

Makes an HTTP request to Pilot metrics/debug endpoint

  1. pilot-discovery request <method> <path> [<body>] [flags]
FlagsDescription
—ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use ‘*’ to indicate all addresses. (default localhost)
—ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default 9876)
—keepaliveInterval <duration>The time interval if no activity on the connection it pings the peer to see if the transport is alive (default 30s)
—keepaliveMaxServerConnectionAge <duration>Maximum duration a connection will be kept open on the server before a graceful close. (default 2562047h47m16.854775807s)
—keepaliveTimeout <duration>After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default 10s)
—log_as_jsonWhether to format output as JSON or in plain console-friendly format
—log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] (default )</td></tr><tr><td><code>--log_output_level &lt;string&gt;</code></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate &lt;string&gt;</code></td><td>The path for the optional rotating log file (default)
—log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30)
—log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000)
—log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600)
—log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default default:none)
—log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout])

pilot-discovery version

Prints out build version information

  1. pilot-discovery version [flags]
FlagsShorthandDescription
—ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use ‘*’ to indicate all addresses. (default localhost)
—ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default 9876)
—keepaliveInterval <duration>The time interval if no activity on the connection it pings the peer to see if the transport is alive (default 30s)
—keepaliveMaxServerConnectionAge <duration>Maximum duration a connection will be kept open on the server before a graceful close. (default 2562047h47m16.854775807s)
—keepaliveTimeout <duration>After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default 10s)
—log_as_jsonWhether to format output as JSON or in plain console-friendly format
—log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] (default )</td></tr><tr><td><code>--log_output_level &lt;string&gt;</code></td><td></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate &lt;string&gt;</code></td><td></td><td>The path for the optional rotating log file (default)
—log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30)
—log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000)
—log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600)
—log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default default:none)
—log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout])
—output <string>-oOne of ‘yaml’ or ‘json’. (default ``)
—short-sUse —short=false to generate full version information

Environment variables

These environment variables affect the behavior of the pilot-discovery command. Please use with caution as these environment variables are experimental and can change anytime.

Variable NameTypeDefault ValueDescription
AUDIENCEStringExpected audience in the tokens.
CENTRAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATORBooleantrueIf true, set up a jitter to start root cert rotator. Jitter selects a backoff time in seconds to start root cert rotator, and the back off time is below root cert check interval.
CITADEL_SELF_SIGNED_CA_CERT_TTLTime Duration87600h0m0sThe TTL of self-signed CA root certificate.
CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZEInteger2048Specify the RSA key size to use for self-signed Istio CA certificates.
CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVALTime Duration1h0m0sThe interval that self-signed CA checks its root certificate expiration time and rotates root certificate. Setting this interval to zero or a negative value disables automated root cert check and rotation. This interval is suggested to be larger than 10 minutes.
CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILEInteger20Grace period percentile for self-signed root cert.
CLUSTER_IDStringKubernetesDefines the cluster and service registry that this Istiod instance is belongs to
DEFAULT_WORKLOAD_CERT_TTLTime Duration24h0m0sThe default TTL of issued workload certificates. Applied when the client sets a non-positive TTL in the CSR.
ENABLE_ADMIN_ENDPOINTSBooleanfalseIf this is set to true, dangerous admin endpoins will be exposed on the debug interface. Not recommended for production.
ENABLE_CA_SERVERBooleantrueIf this is set to false, will not create CA server in istiod.
ENABLE_DEBUG_ON_HTTPBooleantrueIf this is set to false, the debug interface will not be ebabled on Http, recommended for production
ENABLE_LEGACY_FSGROUP_INJECTIONBooleantrueIf true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is “first-party-jwt”.
EXTERNAL_CAStringExternal CA Integration Type. Permitted Values are ISTIOD_RA_KUBERNETES_API or ISTIOD_RA_ISTIO_API
EXTERNAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
INGRESS_GATEWAY_NAMESPACEString
INJECTION_WEBHOOK_CONFIG_NAMEStringistio-sidecar-injectorName of the mutatingwebhookconfiguration to patch, if istioctl is not used.
INJECT_ENABLEDBooleantrueEnable mutating webhook handler.
ISTIOD_CUSTOM_HOSTStringCustom host name of istiod that istiod signs the server cert.
ISTIOD_ENABLE_SDS_SERVERBooleantrueIf enabled, Istiod will serve SDS for credentialName secrets (rather than in-proxy). To ensure proper security, PILOT_ENABLE_XDS_IDENTITY_CHECK=true is required as well.
ISTIO_DEFAULT_REQUEST_TIMEOUTTime Duration0sDefault Http and gRPC Request timeout
ISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
ISTIO_PROMETHEUS_ANNOTATIONSString
JWT_POLICYStringthird-party-jwtThe JWT validation policy.
K8S_INGRESS_NSString
K8S_SIGNERStringKubernates CA Signer type. Valid from Kubernates 1.18
KUBERNETES_SERVICE_HOSTStringKuberenetes service host, set automatically when running in-cluster
MAX_WORKLOAD_CERT_TTLTime Duration2160h0m0sThe max TTL of issued workload certificates.
PILOT_ALLOW_METADATA_CERTS_DR_MUTUAL_TLSBooleanfalseIf true, Pilot will allow certs specified in Metadata to override DR certs in MUTUAL TLS mode. This is only enabled for migration and will be removed soon.
PILOT_CERT_PROVIDERStringistiodThe provider of Pilot DNS certificate.
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we’ll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we’ll trigger a push.
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_ENABLED_SERVICE_APISBooleanfalseIf this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default.
PILOT_ENABLE_ANALYSISBooleanfalseIf enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKINGBooleantrueIf enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CRD_VALIDATIONBooleanfalseIf enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERSBooleantrueIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_INCREMENTAL_MCPBooleanfalseIf enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false.
PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIESBooleantrueIf enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don’t need this feature
PILOT_ENABLE_LOOP_BLOCKERBooleantrueIf enabled, Envoy will be configured to prevent traffic directly the the inbound/outbound ports (15001/15006). This prevents traffic loops. This option will be removed, and considered always enabled, in 1.9.
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of envoy.filters.network.mysql_proxy in the filter chain.
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUNDBooleantrueIf enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUNDBooleantrueIf enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_REDIS_FILTERBooleanfalseEnableRedisFilter enables injection of envoy.filters.network.redis_proxy in the filter chain.
PILOT_ENABLE_SERVICEENTRY_SELECT_PODSBooleantrueIf enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don’t need this feature
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TCP_METADATA_EXCHANGEBooleantrueIf enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
PILOT_ENABLE_THRIFT_FILTERBooleanfalseEnableThriftFilter enables injection of envoy.filters.network.thrift_proxy in the filter chain.
PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATEBooleantrueIf set to false, virtualService delegate will not be supported.
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATIONBooleanfalseEnables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.
PILOT_ENABLE_XDS_CACHEBooleantrueIf true, Pilot will cache XDS responses.
PILOT_ENABLE_XDS_IDENTITY_CHECKBooleantrueIf enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.
PILOT_ENDPOINT_TELEMETRY_LABELBooleanfalseIf true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.
PILOT_FILTER_GATEWAY_CLUSTER_CONFIGBooleantrue
PILOT_HTTP10BooleanfalseEnables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUTTime Duration1sProtocol detection timeout for inbound listener
PILOT_INITIAL_FETCH_TIMEOUTTime Duration0sSpecifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
PILOT_SCOPE_GATEWAY_TO_NAMESPACEBooleanfalseIf enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SIDECAR_ENABLE_INBOUND_TLS_V2BooleantrueIf true, Pilot will set the TLS version on server side as TLSv1_2 and also enforce strong cipher suites
PILOT_SIDECAR_USE_REMOTE_ADDRESSBooleanfalseUseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.
PILOT_SKIP_VALIDATE_TRUST_DOMAINBooleanfalseSkip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_STATUS_BURSTInteger500If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_QPSFloating-Point100If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PILOT_TRACE_SAMPLINGFloating-Point100Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.
PILOT_USE_ENDPOINT_SLICEBooleanfalseIf enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
PILOT_WORKLOAD_ENTRY_GRACE_PERIODTime Duration10sThe amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.
PILOT_XDS_CACHE_SIZEInteger20000The maximum number of cache entries for the XDS cache. If the size is <= 0, the cache will have no upper bound.
PILOT_XDS_CACHE_STATSBooleanfalseIf true, Pilot will collect metrics for XDS cache efficiency.
PILOT_XDS_SEND_TIMEOUTTime Duration5sThe timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
POD_NAMEString
POD_NAMESPACEStringistio-system
REQUIRE_3P_TOKENBooleanfalseReject k8s default tokens, without audience. If false, default K8S token will be accepted
REVISIONString
ROOT_CA_DIRString./etc/cacertsLocation of a local or mounted CA root
SECRET_WATCHER_RESYNC_PERIODString
SPIFFE_BUNDLE_ENDPOINTSStringThe SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar
TERMINATION_DRAIN_DURATION_SECONDSInteger5The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.
TOKEN_AUDIENCESStringistio-caA list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences
TOKEN_ISSUERStringOIDC token issuer. If set, will be used to check the tokens.
USE_REMOTE_CERTSBooleanfalseWhether to try to load CA certs from a remote Kubernetes cluster. Used for external Istiod.
VALIDATION_ENABLEDBooleantrueEnable config validation handler.
VALIDATION_WEBHOOK_CONFIG_NAMEStringistiod-${namespace}Name of validatingwebhookconfiguration to patch. Empty will skip using cluster admin to patch.
XDS_AUTHBooleantrueIf true, will authenticate XDS clients.

Exported metrics

Metric NameTypeDescription
citadel_server_authentication_failure_countSumThe number of authentication failures.
citadel_server_cert_chain_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired.
citadel_server_csr_countSumThe number of CSRs received by Citadel server.
citadel_server_csr_parsing_err_countSumThe number of errors occurred when parsing the CSR.
citadel_server_csr_sign_err_countSumThe number of errors occurred when signing the CSR.
citadel_server_id_extraction_err_countSumThe number of errors occurred when extracting the ID from CSR.
citadel_server_root_cert_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel root cert will expire. A negative time indicates the cert is expired.
citadel_server_success_cert_issuance_countSumThe number of certificates issuances that have succeeded.
endpoint_no_podLastValueEndpoints without an associated pod.
galley_runtime_processor_event_span_duration_millisecondsDistributionThe duration between each incoming event
galley_runtime_processor_events_processed_totalCountThe number of events that have been processed
galley_runtime_processor_snapshot_events_totalDistributionThe number of events per snapshot
galley_runtime_processor_snapshot_lifetime_duration_millisecondsDistributionThe duration of each snapshot
galley_runtime_processor_snapshots_published_totalCountThe number of snapshots that have been published
galley_runtime_state_type_instances_totalLastValueThe number of type instances per type URL
galley_runtime_strategy_on_change_totalCountThe number of times the strategy’s onChange has been called
galley_runtime_strategy_timer_max_time_reached_totalCountThe number of times the max time has been reached
galley_runtime_strategy_timer_quiesce_reached_totalCountThe number of times a quiesce has been reached
galley_runtime_strategy_timer_resets_totalCountThe number of times the timer has been reset
galley_source_kube_dynamic_converter_failure_totalCountThe number of times a dynamnic kubernetes source failed converting a resources
galley_source_kube_dynamic_converter_success_totalCountThe number of times a dynamic kubernetes source successfully converted a resource
galley_source_kube_event_error_totalCountThe number of times a kubernetes source encountered errored while handling an event
galley_source_kube_event_success_totalCountThe number of times a kubernetes source successfully handled an event
galley_validation_config_delete_errorCountk8s webhook configuration delete error
galley_validation_config_loadCountk8s webhook configuration (re)loads
galley_validation_config_load_errorCountk8s webhook configuration (re)load error
galley_validation_config_update_errorCountk8s webhook configuration update error
galley_validation_config_updatesCountk8s webhook configuration updates
galley_validation_failedSumResource validation failed
galley_validation_http_errorSumResource validation http serve errors
galley_validation_passedSumResource is valid
istio_buildLastValueIstio component build info
istio_mcp_clients_totalLastValueThe number of streams currently connected.
istio_mcp_message_sizes_bytesDistributionSize of messages received from clients.
istio_mcp_reconnectionsSumThe number of times the sink has reconnected.
istio_mcp_recv_failures_totalSumThe number of recv failures in the source.
istio_mcp_request_acks_totalSumThe number of request acks received by the source.
istio_mcp_request_nacks_totalSumThe number of request nacks received by the source.
istio_mcp_send_failures_totalSumThe number of send failures in the source.
num_failed_outgoing_requestsSumNumber of failed outgoing requests (e.g. to a token exchange server, CA, etc.)
num_outgoing_requestsSumNumber of total outgoing requests (e.g. to a token exchange server, CA, etc.)
num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.)
outgoing_latencySumThe latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds.
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener.
pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host
pilot_duplicate_envoy_clustersLastValueDuplicate envoy clusters caused by service entries with same hostname
pilot_eds_no_instancesLastValueNumber of clusters without instances.
pilot_endpoint_not_readyLastValueEndpoint found in unready state.
pilot_inbound_updatesSumTotal number of updates received by pilot.
pilot_invalid_out_listenersLastValueNumber of invalid outbound listeners.
pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver
pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver
pilot_k8s_cfg_eventsSumEvents from k8s config.
pilot_k8s_endpoints_pending_podLastValueNumber of endpoints that do not currently have any corresponding pods.
pilot_k8s_endpoints_with_no_podsSumEndpoints that does not have any corresponding pods.
pilot_k8s_object_errorsLastValueErrors converting k8s CRDs
pilot_k8s_reg_eventsSumEvents from k8s registry.
pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid.
pilot_proxy_convergence_timeDistributionDelay in seconds between config change and a proxy receiving all required configuration.
pilot_proxy_queue_timeDistributionTime in seconds, a proxy is in the push queue before being dequeued.
pilot_push_triggersSumTotal number of times a push was triggered, labeled by reason for the push.
pilot_servicesLastValueTotal services known to pilot.
pilot_total_k8s_object_errorsSumTotal Errors converting k8s CRDs
pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore.
pilot_total_xds_internal_errorsSumTotal number of internal XDS errors in pilot.
pilot_total_xds_rejectsSumTotal number of XDS responses from pilot rejected by proxy.
pilot_virt_servicesLastValueTotal virtual services known to pilot.
pilot_vservice_dup_domainLastValueVirtual services with dup domains.
pilot_xdsLastValueNumber of endpoints connected to this pilot using XDS.
pilot_xds_cds_rejectLastValuePilot rejected CDS configs.
pilot_xds_eds_rejectLastValuePilot rejected EDS.
pilot_xds_expired_nonceSumTotal number of XDS requests with an expired nonce.
pilot_xds_lds_rejectLastValuePilot rejected LDS.
pilot_xds_push_context_errorsSumNumber of errors (timeouts) initiating push context.
pilot_xds_push_timeDistributionTotal time in seconds Pilot takes to push lds, rds, cds and eds.
pilot_xds_pushesSumPilot build and send errors for lds, rds, cds and eds.
pilot_xds_rds_rejectLastValuePilot rejected RDS.
pilot_xds_send_timeDistributionTotal time in seconds Pilot takes to send generated configuration.
pilot_xds_write_timeoutSumPilot XDS response write timeouts.
scrape_failures_totalSumThe total number of failed scrapes.
scrapes_totalSumThe total number of scrapes.
sidecar_injection_failure_totalSumTotal number of failed sidecar injection requests.
sidecar_injection_requests_totalSumTotal number of sidecar injection requests.
sidecar_injection_skip_totalSumTotal number of skipped sidecar injection requests.
sidecar_injection_success_totalSumTotal number of successful sidecar injection requests.
startup_duration_secondsLastValueThe time from the process starting to being marked ready.
xds_cache_evictionsSumTotal number of xds cache evictions.
xds_cache_readsSumTotal number of xds cache xdsCacheReads.
xds_cache_sizeLastValueCurrent size of xds cache