Resource Annotations
This page presents the various resource annotations that Istio supports to control its behavior.
Annotation Name | Feature Status | Resource Types | Description |
---|---|---|---|
galley.istio.io/analyze-suppress | Alpha | [Any] | A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation ‘galley.istio.io/analyze-suppress=IST0108,IST0103’. If the value is ‘‘, then all configuration analysis messages are suppressed. |
inject.istio.io/templates | Alpha | [Pod] | The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information. |
install.operator.istio.io/chart-owner | Alpha | [Any] | Represents the name of the chart used to create this resource. |
install.operator.istio.io/owner-generation | Alpha | [Any] | Represents the generation to which the resource was last reconciled. |
install.operator.istio.io/version | Alpha | [Any] | Represents the Istio version associated with the resource |
istio.io/dry-run | Alpha | [AuthorizationPolicy] | Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information. |
istio.io/rev | Alpha | [Pod] | Specifies a control plane revision to which a given proxy is connected. This annotation is added automatically, not set by a user. In contrary to the label istio.io/rev, it represents the actual revision, not the requested revision. |
kubernetes.io/ingress.class | Stable | [Ingress] | Annotation on an Ingress resources denoting the class of controllers responsible for it. |
networking.istio.io/exportTo | Alpha | [Service] | Specifies the namespaces to which this service should be exported to. A value of ‘‘ indicates it is reachable within the mesh ‘.’ indicates it is reachable within its namespace. |
prometheus.istio.io/merge-metrics | Alpha | [Pod] | Specifies if application Prometheus metric will be merged with Envoy metrics for this workload. |
proxy.istio.io/config | Beta | [Pod] | Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig. |
readiness.status.sidecar.istio.io/applicationPorts | Alpha | [Pod] | Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic. |
readiness.status.sidecar.istio.io/failureThreshold | Alpha | [Pod] | Specifies the failure threshold for the Envoy sidecar readiness probe. |
readiness.status.sidecar.istio.io/initialDelaySeconds | Alpha | [Pod] | Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe. |
readiness.status.sidecar.istio.io/periodSeconds | Alpha | [Pod] | Specifies the period (in seconds) for the Envoy sidecar readiness probe. |
sidecar.istio.io/agentLogLevel | Alpha | [Pod] | Specifies the log output level for pilot-agent. |
sidecar.istio.io/bootstrapOverride | Alpha | [Pod] | Specifies an alternative Envoy bootstrap configuration file. |
sidecar.istio.io/componentLogLevel | Alpha | [Pod] | Specifies the component log level for Envoy. |
sidecar.istio.io/controlPlaneAuthPolicy | Deprecated | [Pod] | Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections. |
sidecar.istio.io/discoveryAddress | Deprecated | [Pod] | Specifies the XDS discovery address to be used by the Envoy sidecar. |
sidecar.istio.io/enableCoreDump | Alpha | [Pod] | Specifies whether or not an Envoy sidecar should enable core dump. |
sidecar.istio.io/extraStatTags | Alpha | [Pod] | An additional list of tags to extract from the in-proxy Istio telemetry. each additional tag needs to be present in this list. |
sidecar.istio.io/inject | Deprecated | [Pod] | Specifies whether or not an Envoy sidecar should be automatically injected into the workload. Deprecated in favor of sidecar.istio.io/inject label. |
sidecar.istio.io/interceptionMode | Alpha | [Pod] | Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY). |
sidecar.istio.io/logLevel | Alpha | [Pod] | Specifies the log level for Envoy. |
sidecar.istio.io/proxyCPU | Alpha | [Pod] | Specifies the requested CPU setting for the Envoy sidecar. |
sidecar.istio.io/proxyCPULimit | Alpha | [Pod] | Specifies the CPU limit for the Envoy sidecar. |
sidecar.istio.io/proxyImage | Alpha | [Pod] | Specifies the Docker image to be used by the Envoy sidecar. |
sidecar.istio.io/proxyImageType | Alpha | [Pod] | Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag. |
sidecar.istio.io/proxyMemory | Alpha | [Pod] | Specifies the requested memory setting for the Envoy sidecar. |
sidecar.istio.io/proxyMemoryLimit | Alpha | [Pod] | Specifies the memory limit for the Envoy sidecar. |
sidecar.istio.io/rewriteAppHTTPProbers | Alpha | [Pod] | Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar. |
sidecar.istio.io/statsInclusionPrefixes | Deprecated | [Pod] | Specifies the comma separated list of prefixes of the stats to be emitted by Envoy. |
sidecar.istio.io/statsInclusionRegexps | Deprecated | [Pod] | Specifies the comma separated list of regexes the stats should match to be emitted by Envoy. |
sidecar.istio.io/statsInclusionSuffixes | Deprecated | [Pod] | Specifies the comma separated list of suffixes of the stats to be emitted by Envoy. |
sidecar.istio.io/status | Alpha | [Pod] | Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources. |
sidecar.istio.io/userVolume | Alpha | [Pod] | Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar. |
sidecar.istio.io/userVolumeMount | Alpha | [Pod] | Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar. |
status.sidecar.istio.io/port | Alpha | [Pod] | Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status. |
topology.istio.io/controlPlaneClusters | Alpha | [Namespace] | A comma-separated list of clusters (or for any) running istiod that should attempt leader election for a remote cluster thats system namespace includes this annotation. Istiod will not attempt to lead unannotated remote clusters. |
traffic.istio.io/nodeSelector | Stable | [Service] | This annotation is a set of node-labels (key1=value,key2=value). If the annotated Service is of type NodePort and is a multi-network gateway (see topology.istio.io/network), the addresses for selected nodes will be used for cross-network communication. |
traffic.sidecar.istio.io/excludeInboundPorts | Alpha | [Pod] | A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘‘) is being redirected. |
traffic.sidecar.istio.io/excludeInterfaces | Alpha | [Pod] | A comma separated list of interfaces to be excluded from Istio traffic capture |
traffic.sidecar.istio.io/excludeOutboundIPRanges | Alpha | [Pod] | A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘‘) is being redirected. |
traffic.sidecar.istio.io/excludeOutboundPorts | Alpha | [Pod] | A comma separated list of outbound ports to be excluded from redirection to Envoy. |
traffic.sidecar.istio.io/includeInboundPorts | Alpha | [Pod] | A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘‘ can be used to configure redirection for all ports. An empty list will disable all inbound redirection. |
traffic.sidecar.istio.io/includeOutboundIPRanges | Alpha | [Pod] | A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection. |
traffic.sidecar.istio.io/includeOutboundPorts | Alpha | [Pod] | A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP. |
traffic.sidecar.istio.io/kubevirtInterfaces | Alpha | [Pod] | A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. |