- Global Mesh Options
- MeshConfig
- ConfigSource
- Certificate
- MeshConfig.OutboundTrafficPolicy
- MeshConfig.CertificateData
- MeshConfig.ThriftConfig
- MeshConfig.CA
- MeshConfig.ExtensionProvider
- MeshConfig.DefaultProviders
- MeshConfig.ProxyPathNormalization
- MeshConfig.TLSConfig
- MeshConfig.ServiceSettings.Settings
- MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody
- MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider
- MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider
- MeshConfig.ExtensionProvider.ZipkinTracingProvider
- MeshConfig.ExtensionProvider.LightstepTracingProvider
- MeshConfig.ExtensionProvider.DatadogTracingProvider
- MeshConfig.ExtensionProvider.SkyWalkingTracingProvider
- MeshConfig.ExtensionProvider.StackdriverProvider
- MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider
- MeshConfig.ExtensionProvider.PrometheusMetricsProvider
- MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider
- MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider
- MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider
- MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider
- MeshConfig.ExtensionProvider.StackdriverProvider.Logging
- MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider.LogFormat
- MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormat
- k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector
- Tracing
- PrivateKeyProvider
- ProxyConfig
- RemoteService
- Tracing.Zipkin
- Tracing.Lightstep
- Tracing.Datadog
- Tracing.Stackdriver
- Tracing.OpenCensusAgent
- PrivateKeyProvider.CryptoMb
- ProxyConfig.ProxyStatsMatcher
- Network
- MeshNetworks
- Network.NetworkEndpoints
- Network.IstioNetworkGateway
- MeshConfig.OutboundTrafficPolicy.Mode
- MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext
- MeshConfig.ProxyPathNormalization.NormalizationType
- MeshConfig.TLSConfig.TLSProtocol
- MeshConfig.IngressControllerMode
- MeshConfig.AccessLogEncoding
- MeshConfig.H2UpgradePolicy
- Resource
- Tracing.OpenCensusAgent.TraceContext
- ProxyConfig.TracingServiceName
- ProxyConfig.InboundInterceptionMode
- AuthenticationPolicy
Global Mesh Options
Configuration affecting the service mesh as a whole.
MeshConfig
MeshConfig defines mesh-wide settings for the Istio service mesh.
Field | Type | Description | Required |
---|---|---|---|
proxyListenPort | int32 | Port on which Envoy should listen for incoming connections from other services. Default port is 15001. | No |
proxyHttpPort | int32 | Port on which Envoy should listen for HTTP PROXY requests if set. | No |
connectTimeout | Duration | Connection timeout used by Envoy. (MUST BE >=1ms) Default timeout is 10s. | No |
protocolDetectionTimeout | Duration | Automatic protocol detection uses a set of heuristics to determine whether the connection is using TLS or not (on the server side), as well as the application protocol being used (e.g., http vs tcp). These heuristics rely on the client sending the first bits of data. For server first protocols like MySQL, MongoDB, etc. Envoy will timeout on the protocol detection after the specified period, defaulting to non mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait for the client to send the first bits of data. (MUST BE >=1ms or 0s to disable). Default detection timeout is 0s (no timeout). | No |
tcpKeepalive | TcpKeepalive | If set then set | No |
ingressClass | string | Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of | No |
ingressService | string | Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value | No |
ingressControllerMode | IngressControllerMode | Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is | No |
ingressSelector | string | Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as | No |
enableTracing | bool | Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration. | No |
accessLogFile | string | File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging. | No |
accessLogFormat | string | Format for the proxy access log Empty value results in proxy’s default access log format | No |
accessLogEncoding | AccessLogEncoding | Encoding for the proxy access log ( | No |
enableEnvoyAccessLogService | bool | This flag enables Envoy’s gRPC Access Log Service. See Access Log Service for details about Envoy’s gRPC Access Log Service API. Default value is | No |
disableEnvoyListenerLog | bool | This flag disables Envoy Listener logs. See Listener Access Log Istio Enables Envoy’s listener access logs on “NoRoute” response flag. Default value is | No |
defaultConfig | ProxyConfig | Default proxy config used by gateway and sidecars. In case of Kubernetes, the proxy config is applied once during the injection process, and remain constant for the duration of the pod. The rest of the mesh config can be changed at runtime and config gets distributed dynamically. On Kubernetes, this can be overridden on individual pods with the | No |
outboundTrafficPolicy | OutboundTrafficPolicy | Set the default behavior of the sidecar for handling outbound traffic from the application. If your application uses one or more external services that are not known apriori, setting the policy to | No |
configSources | ConfigSource[] | ConfigSource describes a source of configuration data for networking rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane. | No |
enableAutoMtls | BoolValue | This flag is used to enable mutual | No |
trustDomain | string | The trust domain corresponds to the trust root of a system. Refer to SPIFFE-ID | No |
trustDomainAliases | string[] | The trust domain aliases represent the aliases of
Any service with the identity | No |
caCertificates | CertificateData[] | The extra root certificates for workload-to-workload communication. The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent. | No |
defaultServiceExportTo | string[] | The default value for the ServiceEntry.export_to field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are:
If not set the system will use “” as the default value which implies that services are exported to all namespaces.
For further discussion see the reference documentation for | No |
defaultVirtualServiceExportTo | string[] | The default value for the VirtualService.export_to field. Has the same syntax as If not set the system will use “” as the default value which implies that virtual services are exported to all namespaces | No |
defaultDestinationRuleExportTo | string[] | The default value for the If not set the system will use “” as the default value which implies that destination rules are exported to all namespaces | No |
rootNamespace | string | The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace. The precise semantics of this processing are documented on each resource type. | No |
localityLbSetting | LocalityLoadBalancerSetting | Locality based load balancing distribution or failover settings. | No |
dnsRefreshRate | Duration | Configures DNS refresh rate for Envoy clusters of type | No |
h2UpgradePolicy | H2UpgradePolicy | Specify if http1.1 connections should be upgraded to http2 by default. if sidecar is installed on all pods in the mesh, then this should be set to | No |
inboundClusterStatName | string | Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern A Pattern can be composed of various pre-defined variables. The following variables are supported.
Following are some examples of supported patterns for reviews:
| No |
outboundClusterStatName | string | Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern A Pattern can be composed of various pre-defined variables. The following variables are supported.
Following are some examples of supported patterns for reviews:
| No |
certificates | Certificate[] | Configure the provision of certificates. | No |
thriftConfig | ThriftConfig | Set configuration for Thrift protocol | No |
enablePrometheusMerge | BoolValue | If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy and Istio agent. The sidecar injection will replace | No |
extensionProviders | ExtensionProvider[] | Defines a list of extension providers that extend Istio’s functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system. | No |
defaultProviders | DefaultProviders | Specifies extension providers to use by default in Istio configuration resources. | No |
discoverySelectors | LabelSelector[] | A list of Kubernetes selectors that specify the set of namespaces that Istio considers when computing configuration updates for sidecars. This can be used to reduce Istio’s computational load by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. If omitted, Istio will use the default behavior of processing all namespaces in the cluster. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. The following example selects any namespace that matches either below: 1. The namespace has both of these labels:
Refer to the kubernetes selector docs for additional detail on selector semantics. | No |
pathNormalization | ProxyPathNormalization | ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are normalized by the sidecars and gateways. The normalized paths will be used in all aspects through the requests’ lifetime on the sidecars and gateways, which includes routing decisions in outbound direction (client proxy), authorization policy match and enforcement in inbound direction (server proxy), and the URL path proxied to the upstream service. If not set, the NormalizationType.DEFAULT configuration will be used. | No |
defaultHttpRetryPolicy | HTTPRetry | Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors: “connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes”. Setting the number of attempts to 0 disables retry policy globally. This setting can be overriden on a per-host basis using the Virtual Service API. All settings in the retry policy except | No |
meshMTLS | TLSConfig | Configuration of mTLS for traffic between workloads within the mesh. | No |
ConfigSource
ConfigSource describes information about a configuration store inside a mesh. A single control plane instance can interact with one or more data sources.
Field | Type | Description | Required |
---|---|---|---|
address | string | Address of the server implementing the Istio Mesh Configuration protocol (MCP). Can be IP address or a fully qualified DNS name. Use fs:/// to specify a file-based backend with absolute path to the directory. | No |
tlsSettings | ClientTLSSettings | Use the tls_settings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as | No |
subscribedResources | Resource[] | Describes the source of configuration, if nothing is specified default is MCP | No |
Certificate
Certificate configures the provision of a certificate and its key. Example 1: key and cert stored in a secret
{ secretName: galley-cert
secretNamespace: istio-system
dnsNames:
- galley.istio-system.svc
- galley.mydomain.com
}
Example 2: key and cert stored in a directory
{ dnsNames:
- pilot.istio-system
- pilot.istio-system.svc
- pilot.mydomain.com
}
Field | Type | Description | Required |
---|---|---|---|
secretName | string | Name of the secret the certificate and its key will be stored into. If it is empty, it will not be stored into a secret. Instead, the certificate and its key will be stored into a hard-coded directory. | No |
dnsNames | string[] | The DNS names for the certificate. A certificate may contain multiple DNS names. | No |
MeshConfig.OutboundTrafficPolicy
Field | Type | Description | Required |
---|---|---|---|
mode | Mode | No |
MeshConfig.CertificateData
Field | Type | Description | Required |
---|---|---|---|
pem | string (oneof) | The PEM data of the certificate. | No |
spiffeBundleUrl | string (oneof) | The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint. | No |
certSigners | string[] | Optional. Specify the kubernetes signers (External CA) that use this trustAnchor when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers. | No |
trustDomains | string[] | Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trust_domain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. | No |
MeshConfig.ThriftConfig
Field | Type | Description | Required |
---|---|---|---|
rateLimitUrl | string | Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, this will enable the rate limit service for destinations that have matching rate limit configurations. | No |
rateLimitTimeout | Duration | Specify thrift rate limit service timeout, in milliseconds. Default is | No |
MeshConfig.CA
Field | Type | Description | Required |
---|---|---|---|
address | string | REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 | No |
tlsSettings | ClientTLSSettings | Use the tls_settings to specify the tls mode to use. Regarding tls_settings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server’s certificate) is omitted, Istiod will use the system root certs to verify the CA server’s certificate. | No |
requestTimeout | Duration | timeout for forward CSR requests from Istiod to External CA Default: 10s | No |
istiodSide | bool | Use istiod_side to specify CA Server integrate to Istiod side or Agent side Default: true | No |
MeshConfig.ExtensionProvider
Field | Type | Description | Required |
---|---|---|---|
name | string | REQUIRED. A unique name identifying the extension provider. | No |
envoyExtAuthzHttp | EnvoyExternalAuthorizationHttpProvider (oneof) | Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API. | No |
envoyExtAuthzGrpc | EnvoyExternalAuthorizationGrpcProvider (oneof) | Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API. | No |
zipkin | ZipkinTracingProvider (oneof) | Configures a tracing provider that uses the Zipkin API. | No |
lightstep | LightstepTracingProvider (oneof) | Configures a Lightstep tracing provider. | No |
datadog | DatadogTracingProvider (oneof) | Configures a Datadog tracing provider. | No |
stackdriver | StackdriverProvider (oneof) | Configures a Stackdriver provider. | No |
opencensus | OpenCensusAgentTracingProvider (oneof) | Configures an OpenCensusAgent tracing provider. | No |
skywalking | SkyWalkingTracingProvider (oneof) | Configures a Apache SkyWalking provider. | No |
prometheus | PrometheusMetricsProvider (oneof) | Configures a Prometheus metrics provider. | No |
envoyFileAccessLog | EnvoyFileAccessLogProvider (oneof) | Configures an Envoy File Access Log provider. | No |
envoyHttpAls | EnvoyHttpGrpcV3LogProvider (oneof) | Configures an Envoy Access Logging Service provider for HTTP traffic. | No |
envoyTcpAls | EnvoyTcpGrpcV3LogProvider (oneof) | Configures an Envoy Access Logging Service provider for TCP traffic. | No |
envoyOtelAls | EnvoyOpenTelemetryLogProvider (oneof) | Configures an Envoy Open Telemetry Access Logging Service provider. | No |
MeshConfig.DefaultProviders
Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified.
These names must match a provider defined in extension_providers
that is one of the supported tracing providers.
Field | Type | Description | Required |
---|---|---|---|
tracing | string[] | Name of the default provider(s) for tracing. | No |
metrics | string[] | Name of the default provider(s) for metrics. | No |
accessLogging | string[] | Name of the default provider(s) for access logging. | No |
MeshConfig.ProxyPathNormalization
Field | Type | Description | Required |
---|---|---|---|
normalization | NormalizationType | No |
MeshConfig.TLSConfig
Field | Type | Description | Required |
---|---|---|---|
minProtocolVersion | TLSProtocol | Optional: the minimum TLS protocol version. The default minimum TLS version will be TLS 1.2. As servers may not be Envoy and be set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the minimum TLS version for clients may also be TLS 1.2. In the current Istio implementation, the maximum TLS protocol version is TLS 1.3. | No |
MeshConfig.ServiceSettings.Settings
Settings for the selected services.
Field | Type | Description | Required |
---|---|---|---|
clusterLocal | bool | If true, specifies that the client and service endpoints must reside in the same cluster. By default, in multi-cluster deployments, the Istio control plane assumes all service endpoints to be reachable from any client in any of the clusters which are part of the mesh. This configuration option limits the set of service endpoints visible to a client to be cluster scoped. There are some common scenarios when this can be useful:
By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all services in the kube-system namespace to be cluster-local, unless explicitly overridden here. | No |
MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody
Field | Type | Description | Required |
---|---|---|---|
maxRequestBytes | uint32 | Sets the maximum size of a message body that the ext-authz filter will hold in memory. If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the fail_open is set to true. | No |
allowPartialMessage | bool | When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message indicating if the body data is partial. | No |
packAsBytes | bool | If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. | No |
MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider
Field | Type | Description | Required |
---|---|---|---|
service | string | REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. The format is Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”. | No |
port | uint32 | REQUIRED. Specifies the port of the service. | No |
timeout | Duration | The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured | No |
pathPrefix | string | Sets a prefix to the value of authorization request header Path. For example, setting this to “/check” for an original user request at path “/admin” will cause the authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”. | No |
failOpen | bool | If true, the user request will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false and the request will be rejected with “Forbidden” response. | No |
statusOnError | string | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is “403” (HTTP Forbidden). | No |
includeHeadersInCheck | string[] | DEPRECATED. Use include_request_headers_in_check instead. | No |
includeRequestHeadersInCheck | string[] | List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default: 1. Host, Method, Path and Content-Length are automatically sent. 2. Content-Length will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): - Exact match: “abc” will match on value “abc”. - Prefix match: “abc” will match on value “abc” and “abcd”. - Suffix match: “abc” will match on value “abc” and “xabc”. | No |
includeAdditionalHeadersInCheck | map<string, string> | Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. | No |
includeRequestBodyInCheck | EnvoyExternalAuthorizationRequestBody | If set, the client request body will be included in the authorization request sent to the authorization service. | No |
headersToUpstreamOnAllow | string[] | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). If not specified, the original request will not be modified and forwarded to backend as-is. Note, any existing headers will be overridden. Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): - Exact match: “abc” will match on value “abc”. - Prefix match: “abc” will match on value “abc” and “abcd”. - Suffix match: “abc” will match on value “abc” and “xabc”. | No |
headersToDownstreamOnDeny | string[] | List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200). If not specified, all the authorization response headers, except Authority (Host) will be in the response to the downstream. When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are automatically added. Note, the body from the authorization service is always included in the response to downstream. Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): - Exact match: “abc” will match on value “abc”. - Prefix match: “abc” will match on value “abc” and “abcd”. - Suffix match: “abc” will match on value “abc” and “xabc”. | No |
headersToDownstreamOnAllow | string[] | List of headers from the authorization service that should be forwarded to downstream when the authorization check result is allowed (HTTP code 200). If not specified, the original response will not be modified and forwarded to downstream as-is. Note, any existing headers will be overridden. Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): - Exact match: “abc” will match on value “abc”. - Prefix match: “abc” will match on value “abc” and “abcd”. - Suffix match: “abc” will match on value “abc” and “xabc”. | No |
MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider
Field | Type | Description | Required |
---|---|---|---|
service | string | REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. The format is Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”. | No |
port | uint32 | REQUIRED. Specifies the port of the service. | No |
timeout | Duration | The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured | No |
failOpen | bool | If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. | No |
statusOnError | string | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is “403” (HTTP Forbidden). | No |
includeRequestBodyInCheck | EnvoyExternalAuthorizationRequestBody | If set, the client request body will be included in the authorization request sent to the authorization service. | No |
MeshConfig.ExtensionProvider.ZipkinTracingProvider
Defines configuration for a Zipkin tracer.
Field | Type | Description | Required |
---|---|---|---|
service | string | REQUIRED. Specifies the service that the Zipkin API. The format is Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”. | No |
port | uint32 | REQUIRED. Specifies the port of the service. | No |
maxTagLength | uint32 | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | No |
MeshConfig.ExtensionProvider.LightstepTracingProvider
Defines configuration for a Lightstep tracer.
Field | Type | Description | Required |
---|---|---|---|
service | string | REQUIRED. Specifies the service for the Lightstep collector. The format is Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”. | No |
port | uint32 | REQUIRED. Specifies the port of the service. | No |
accessToken | string | The Lightstep access token. | No |
maxTagLength | uint32 | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | No |
MeshConfig.ExtensionProvider.DatadogTracingProvider
Defines configuration for a Datadog tracer.
Field | Type | Description | Required |
---|---|---|---|
service | string | REQUIRED. Specifies the service for the Datadog agent. The format is Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”. | No |
port | uint32 | REQUIRED. Specifies the port of the service. | No |
maxTagLength | uint32 | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | No |
MeshConfig.ExtensionProvider.SkyWalkingTracingProvider
Defines configuration for a SkyWalking tracer.
Field | Type | Description | Required |
---|---|---|---|
service | string | REQUIRED. Specifies the service for the SkyWalking receiver. The format is Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”. | No |
port | uint32 | REQUIRED. Specifies the port of the service. | No |
accessToken | string | Optional. The SkyWalking OAP access token. | No |
MeshConfig.ExtensionProvider.StackdriverProvider
Defines configuration for Stackdriver.
Field | Type | Description | Required |
---|---|---|---|
maxTagLength | uint32 | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | No |
logging | Logging | Optional. Controls Stackdriver logging behavior. | No |
MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider
Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.
Field | Type | Description | Required |
---|---|---|---|
service | string | REQUIRED. Specifies the service for the OpenCensusAgent. The format is Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”. | No |
port | uint32 | REQUIRED. Specifies the port of the service. | No |
context | TraceContext[] | Specifies the set of context propagation headers used for distributed tracing. Default is | No |
maxTagLength | uint32 | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | No |
MeshConfig.ExtensionProvider.PrometheusMetricsProvider
MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider
Defines configuration for Envoy-based access logging that writes to local files (and/or standard streams).
Field | Type | Description | Required |
---|---|---|---|
path | string | Path to a local file to write the access log entries. This may be used to write to streams, via | No |
logFormat | LogFormat | Optional. Allows overriding of the default access log format. | No |
MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider
Defines configuration for an Envoy Access Logging Service integration for HTTP traffic.
Field | Type | Description | Required |
---|---|---|---|
service | string | REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. The format is Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”. | No |
port | uint32 | REQUIRED. Specifies the port of the service. | No |
logName | string | Optional. The friendly name of the access log. Defaults: - “http_envoy_accesslog” - “listener_envoy_accesslog” | No |
filterStateObjectsToLog | string[] | Optional. Additional filter state objects to log. | No |
additionalRequestHeadersToLog | string[] | Optional. Additional request headers to log. | No |
additionalResponseHeadersToLog | string[] | Optional. Additional response headers to log. | No |
additionalResponseTrailersToLog | string[] | Optional. Additional response trailers to log. | No |
MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider
Defines configuration for an Envoy Access Logging Service integration for TCP traffic.
Field | Type | Description | Required |
---|---|---|---|
service | string | REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. The format is Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”. | No |
port | uint32 | REQUIRED. Specifies the port of the service. | No |
logName | string | Optional. The friendly name of the access log. Defaults: - “tcp_envoy_accesslog” - “listener_envoy_accesslog” | No |
filterStateObjectsToLog | string[] | Optional. Additional filter state objects to log. | No |
MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider
Defines configuration for an Envoy OpenTelemetry (gRPC) Access Log
Field | Type | Description | Required |
---|---|---|---|
service | string | REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. The format is Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”. | No |
port | uint32 | REQUIRED. Specifies the port of the service. | No |
logName | string | Optional. The friendly name of the access log. Defaults: - “otel_envoy_accesslog” | No |
logFormat | LogFormat | Optional. Format for the proxy access log Empty value results in proxy’s default access log format, following Envoy access logging formatting. | No |
MeshConfig.ExtensionProvider.StackdriverProvider.Logging
Field | Type | Description | Required |
---|---|---|---|
labels | map<string, string> | Collection of tag names and tag expressions to include in the log entry. Conflicts are resolved by the tag name by overriding previously supplied values. Example: labels: path: request.url_path foo: request.headers[‘x-foo’] | No |
MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider.LogFormat
Field | Type | Description | Required |
---|---|---|---|
text | string (oneof) | Textual format for the envoy access logs. Envoy command operators may be used in the format. The format string documentation provides more information. NOTE: Istio will insert a newline (‘\n’) on all formats (if missing). Example: | No |
labels | Struct (oneof) | Structured format for the envoy access logs. Envoy command operators can be used as values for fields within the Struct. Values are rendered as strings, numbers, or boolean values, as appropriate (see: format dictionaries). Nested JSON is supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). Example:
| No |
MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormat
Field | Type | Description | Required |
---|---|---|---|
text | string | Textual format for the envoy access logs. Envoy command operators may be used in the format. The format string documentation provides more information. Alias to | No |
labels | Struct | Optional. Additional attributes that describe the specific event occurrence. Structured format for the envoy access logs. Envoy command operators can be used as values for fields within the Struct. Values are rendered as strings, numbers, or boolean values, as appropriate (see: format dictionaries). Nested JSON is supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). Alias to Example:
| No |
k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector
A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. +structType=atomic
Field | Type | Description | Required |
---|---|---|---|
matchLabels | map<string, string> | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. +optional | No |
matchExpressions | LabelSelectorRequirement[] | matchExpressions is a list of label selector requirements. The requirements are ANDed. +optional | No |
Tracing
Tracing defines configuration for the tracing performed by Envoy instances.
Field | Type | Description | Required |
---|---|---|---|
zipkin | Zipkin (oneof) | Use a Zipkin tracer. | No |
lightstep | Lightstep (oneof) | Use a Lightstep tracer. | No |
datadog | Datadog (oneof) | Use a Datadog tracer. | No |
stackdriver | Stackdriver (oneof) | Use a Stackdriver tracer. | No |
openCensusAgent | OpenCensusAgent (oneof) | Use an OpenCensus tracer exporting to an OpenCensus agent. | No |
sampling | double | The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0. | No |
tlsSettings | ClientTLSSettings | Use the tls_settings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as | No |
PrivateKeyProvider
PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured mesh wide or individual per-workload basis.
Field | Type | Description | Required |
---|---|---|---|
cryptomb | CryptoMb (oneof) | No |
ProxyConfig
ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis as well as by the mesh-wide defaults. To set the mesh wide defaults, configure the defaultConfig
section of meshConfig
. For example:
meshConfig:
defaultConfig:
discoveryAddress: istiod:15012
This can also be configured on a per-workload basis by configuring the proxy.istio.io/config
annotation on the pod. For example:
annotations:
proxy.istio.io/config: |
discoveryAddress: istiod:15012
If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. This is different than a deep merge provided by protobuf. For example, "tracing": { "sampling": 5 }
would completely override a setting configuring a tracing provider such as "tracing": { "zipkin": { "address": "..." } }
.
Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.
Field | Type | Description | Required |
---|---|---|---|
configPath | string | Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory. | No |
binaryPath | string | Path to the proxy binary | No |
serviceCluster | string (oneof) | Service cluster defines the name for the Since Istio does not assign a local | No |
tracingServiceName | TracingServiceName (oneof) | Used by Envoy proxies to assign the values for the service names in trace spans. | No |
drainDuration | Duration | The time in seconds that Envoy will drain connections during a hot restart. MUST be >=1s (e.g., 1s/1m/1h) Default drain duration is | No |
parentShutdownDuration | Duration | The time in seconds that Envoy will wait before shutting down the parent process during a hot restart. MUST be >=1s (e.g., | No |
discoveryAddress | string | Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value. | No |
statsdUdpAddress | string | IP Address and Port of a statsd UDP listener (e.g. | No |
proxyAdminPort | int32 | Port on which Envoy should listen for administrative commands. Default port is | No |
controlPlaneAuthPolicy | AuthenticationPolicy | AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. Default is set to | No |
customConfigFile | string | File path of custom proxy configuration, currently used by proxies in front of Mixer and Pilot. | No |
statNameLength | int32 | Maximum length of name field in Envoy’s metrics. The length of the name field is determined by the length of a name field in a service and the set of labels that comprise a particular version of the service. The default value is set to 189 characters. Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated. | No |
concurrency | Int32Value | The number of worker threads to run. If unset, this will be automatically determined based on CPU requests/limits. If set to 0, all cores on the machine will be used. Default is 2 worker threads. | No |
proxyBootstrapTemplatePath | string | Path to the proxy bootstrap template file | No |
interceptionMode | InboundInterceptionMode | The mode used to redirect inbound traffic to Envoy. | No |
tracing | Tracing | Tracing configuration to be used by the proxy. | No |
envoyAccessLogService | RemoteService | Address of the service to which access logs from Envoys should be sent. (e.g. | No |
envoyMetricsService | RemoteService | Address of the Envoy Metrics Service implementation (e.g. | No |
proxyMetadata | map<string, string> | Additional environment variables for the proxy. Names starting with | No |
runtimeValues | map<string, string> | Envoy runtime configuration to set during bootstrapping. This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution. | No |
statusPort | int32 | Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port | No |
extraStatTags | string[] | An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics. | No |
terminationDrainDuration | Duration | The amount of time allowed for connections to complete on proxy shutdown. On receiving | No |
meshId | string | The unique identifier for the service mesh All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together. | No |
readinessProbe | ReadinessProbe | VM Health Checking readiness probe. This health check config exactly mirrors the kubernetes readiness probe configuration both in schema and logic. Only one health check method of 3 can be set at a time. | No |
proxyStatsMatcher | ProxyStatsMatcher | Proxy stats matcher defines configuration for reporting custom Envoy stats. To reduce memory and CPU overhead from Envoy stats system, Istio proxies by default create and expose only a subset of Envoy stats. This option is to control creation of additional Envoy stats with prefix, suffix, and regex expressions match on the name of the stats. This replaces the stats inclusion annotations (
Note including more Envoy stats might increase number of time series collected by prometheus significantly. Care needs to be taken on Prometheus resource provision and configuration to reduce cardinality. | No |
holdApplicationUntilProxyStarts | BoolValue | Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. This feature adds hooks to delay application startup until the pod proxy is ready to accept traffic, mitigating some startup race conditions. Default value is ‘false’. | No |
caCertificatesPem | string[] | The PEM data of the extra root certificates for workload-to-workload communication. This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) are added automatically by Istiod. | No |
image | ProxyImage | Specifies the details of the proxy image. | No |
privateKeyProvider | PrivateKeyProvider | Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies. | No |
zipkinAddress | string | Address of the Zipkin service (e.g. zipkin:9411). DEPRECATED: Use tracing instead. | No |
RemoteService
Field | Type | Description | Required |
---|---|---|---|
address | string | Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name. | No |
tlsSettings | ClientTLSSettings | Use the | No |
tcpKeepalive | TcpKeepalive | If set then set | No |
Tracing.Zipkin
Zipkin defines configuration for a Zipkin tracer.
Field | Type | Description | Required |
---|---|---|---|
address | string | Address of the Zipkin service (e.g. zipkin:9411). | No |
Tracing.Lightstep
Defines configuration for a Lightstep tracer.
Field | Type | Description | Required |
---|---|---|---|
address | string | Address of the Lightstep Satellite pool. | No |
accessToken | string | The Lightstep access token. | No |
Tracing.Datadog
Datadog defines configuration for a Datadog tracer.
Field | Type | Description | Required |
---|---|---|---|
address | string | Address of the Datadog Agent. | No |
Tracing.Stackdriver
Stackdriver defines configuration for a Stackdriver tracer. See Envoy’s OpenCensus trace configuration and OpenCensus trace config for details.
Field | Type | Description | Required |
---|
Tracing.OpenCensusAgent
OpenCensusAgent defines configuration for an OpenCensus tracer writing to an OpenCensus agent backend. See Envoy’s OpenCensus trace configuration and OpenCensus trace config for details.
Field | Type | Description | Required |
---|---|---|---|
address | string | gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or unix:path). See gRPC naming docs for details. | No |
context | TraceContext[] | Specifies the set of context propagation headers used for distributed tracing. Default is | No |
PrivateKeyProvider.CryptoMb
CryptoMb PrivateKeyProvider configuration
Field | Type | Description | Required |
---|---|---|---|
pollDelay | Duration | How long to wait until the per-thread processing queue should be processed. If the processing queue gets full (eight sign or decrypt requests are received) it is processed immediately. However, if the queue is not filled before the delay has expired, the requests already in the queue are processed, even if the queue is not full. In effect, this value controls the balance between latency and throughput. The duration needs to be set to a non-zero value. | No |
ProxyConfig.ProxyStatsMatcher
Proxy stats name matchers for stats creation. Note this is in addition to the minimum Envoy stats that Istio generates by default.
Field | Type | Description | Required |
---|---|---|---|
inclusionPrefixes | string[] | Proxy stats name prefix matcher for inclusion. | No |
inclusionSuffixes | string[] | Proxy stats name suffix matcher for inclusion. | No |
inclusionRegexps | string[] | Proxy stats name regexps matcher for inclusion. | No |
Network
Network provides information about the endpoints in a routable L3 network. A single routable L3 network can have one or more service registries. Note that the network has no relation to the locality of the endpoint. The endpoint locality will be obtained from the service registry.
Field | Type | Description | Required |
---|---|---|---|
endpoints | NetworkEndpoints[] | The list of endpoints in the network (obtained through the constituent service registries or from CIDR ranges). All endpoints in the network are directly accessible to one another. | Yes |
gateways | IstioNetworkGateway[] | Set of gateways associated with the network. | Yes |
MeshNetworks
MeshNetworks (config map) provides information about the set of networks inside a mesh and how to route to endpoints in each network. For example
MeshNetworks(file/config map):
networks:
network1:
endpoints:
- fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
- fromCidr: 192.168.100.0/22 #a VM network for example
gateways:
- registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
port: 15443
locality: us-east-1a
- address: 192.168.100.1
port: 15443
locality: us-east-1a
Field | Type | Description | Required |
---|---|---|---|
networks | map<string, Network> | The set of networks inside this mesh. Each network should have a unique name and information about how to infer the endpoints in the network as well as the gateways associated with the network. | Yes |
Network.NetworkEndpoints
NetworkEndpoints describes how the network associated with an endpoint should be inferred. An endpoint will be assigned to a network based on the following rules:
Implicitly: If the registry explicitly provides information about the network to which the endpoint belongs to. In some cases, its possible to indicate the network associated with the endpoint by adding the
ISTIO_META_NETWORK
environment variable to the sidecar.Explicitly:
a. By matching the registry name with one of the “fromRegistry” in the mesh config. A “from_registry” can only be assigned to a single network.
b. By matching the IP against one of the CIDR ranges in a mesh config network. The CIDR ranges must not overlap and be assigned to a single network.
(2) will override (1) if both are present.
Field | Type | Description | Required |
---|---|---|---|
fromCidr | string (oneof) | A CIDR range for the set of endpoints in this network. The CIDR ranges for endpoints from different networks must not overlap. | No |
fromRegistry | string (oneof) | Add all endpoints from the specified registry into this network. The names of the registries should correspond to the kubeconfig file name inside the secret that was used to configure the registry (Kubernetes multicluster) or supplied by MCP server. | No |
Network.IstioNetworkGateway
The gateway associated with this network. Traffic from remote networks will arrive at the specified gateway:port. All incoming traffic must use mTLS.
Field | Type | Description | Required |
---|---|---|---|
registryServiceName | string (oneof) | A fully qualified domain name of the gateway service. Pilot will lookup the service from the service registries in the network and obtain the endpoint IPs of the gateway from the service registry. Note that while the service name is a fully qualified domain name, it need not be resolvable outside the orchestration platform for the registry. e.g., this could be istio-ingressgateway.istio-system.svc.cluster.local. | No |
address | string (oneof) | IP address or externally resolvable DNS address associated with the gateway. | No |
port | uint32 | The port associated with the gateway. | Yes |
locality | string | The locality associated with an explicitly specified gateway (i.e. ip) | No |
MeshConfig.OutboundTrafficPolicy.Mode
Name | Description |
---|---|
REGISTRY_ONLY | outbound traffic will be restricted to services defined in the service registry as well as those defined through ServiceEntries |
ALLOW_ANY | outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntries for the destination port |
MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext
TraceContext selects the context propagation headers used for distributed tracing.
Name | Description |
---|---|
W3C_TRACE_CONTEXT | Use W3C Trace Context propagation using the |
GRPC_BIN | Use gRPC binary context propagation using the |
CLOUD_TRACE_CONTEXT | Use Cloud Trace context propagation using the |
B3 | Use multi-header B3 context propagation using the |
MeshConfig.ProxyPathNormalization.NormalizationType
Name | Description |
---|---|
DEFAULT | Apply default normalizations. Currently, this is BASE. |
NONE | No normalization, paths are used as is. |
BASE | Normalize according to RFC 3986. For Envoy proxies, this is the normalize_path option. For example, |
MERGE_SLASHES | In addition to the |
DECODE_AND_MERGE_SLASHES | In addition to normalization in |
MeshConfig.TLSConfig.TLSProtocol
TLS protocol versions.
Name | Description |
---|---|
TLS_AUTO | Automatically choose the optimal TLS version. |
TLSV1_2 | TLS version 1.2 |
TLSV1_3 | TLS version 1.3 |
MeshConfig.IngressControllerMode
Name | Description |
---|---|
UNSPECIFIED | Unspecified Istio ingress controller. |
OFF | Disables Istio ingress controller. |
DEFAULT | Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingress_class parameter described earlier. Use this mode if Istio ingress controller will be the default ingress controller for the entire Kubernetes cluster. |
STRICT | Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingress_class parameter described earlier. Use this mode if Istio ingress controller will be a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller). |
MeshConfig.AccessLogEncoding
Name | Description |
---|---|
TEXT | text encoding for the proxy access log |
JSON | json encoding for the proxy access log |
MeshConfig.H2UpgradePolicy
Default Policy for upgrading http1.1 connections to http2.
Name | Description |
---|---|
DO_NOT_UPGRADE | Do not upgrade connections to http2. |
UPGRADE | Upgrade the connections to http2. |
Resource
Resource describes the source of configuration
Name | Description |
---|---|
SERVICE_REGISTRY | Set to only receive service entries that are generated by the platform. These auto generated service entries are combination of services and endpoints that are generated by a specific platform e.g. k8 |
Tracing.OpenCensusAgent.TraceContext
TraceContext selects the context propagation headers used for distributed tracing.
Name | Description |
---|---|
W3C_TRACE_CONTEXT | Use W3C Trace Context propagation using the |
GRPC_BIN | Use gRPC binary context propagation using the |
CLOUD_TRACE_CONTEXT | Use Cloud Trace context propagation using the |
B3 | Use multi-header B3 context propagation using the |
ProxyConfig.TracingServiceName
Allows specification of various Istio-supported naming schemes for the Envoy service_cluster
value. The servce_cluster
value is primarily used by Envoys to provide service names for tracing spans.
Name | Description |
---|---|
APP_LABEL_AND_NAMESPACE | Default scheme. Uses the |
CANONICAL_NAME_ONLY | Uses the canonical name for a workload (excluding namespace). |
CANONICAL_NAME_AND_NAMESPACE | Uses the canonical name and namespace for a workload. |
ProxyConfig.InboundInterceptionMode
The mode used to redirect inbound traffic to Envoy. This setting has no effect on outbound traffic: iptables REDIRECT
is always used for outbound connections.
Name | Description |
---|---|
REDIRECT | The |
TPROXY | The |
NONE | The |
AuthenticationPolicy
AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation. Mesh policy cannot be INHERIT.
Name | Description |
---|---|
NONE | Do not encrypt proxy to control plane traffic. |
MUTUAL_TLS | Proxy to control plane traffic is wrapped into mutual TLS connections. |
INHERIT | Use the policy defined by the parent scope. Should not be used for mesh policy. |