Telemetry
Telemetry defines how the telemetry is generated for workloads within a mesh.
For mesh-level configuration, put the resource in the root configuration namespace for your Istio installation without a workload selector.
For any namespace, including the root configuration namespace, it is only valid to have a single workload selector-less Telemetry resource.
For resources with a workload selector, it is only valid to have one resource selecting any given workload.
The hierarchy of Telemetry configuration is as follows:
- Workload-specific configuration
- Namespace-specific configuration
- Root namespace configuration
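The two uniqueness rules above can be checked before resources are applied. This is an added Python example, not part of the Istio documentation; the resource and workload samples are constructed, `lint` is a hypothetical helper, and `targetRefs` attachment is not modeled.

```python
from collections import defaultdict

# Constructed sample: Telemetry resources shaped like parsed YAML.
TELEMETRIES = [
    {"metadata": {"name": "mesh-default", "namespace": "istio-system"}, "spec": {}},
    {"metadata": {"name": "ns-a", "namespace": "foo"}, "spec": {}},
    {"metadata": {"name": "ns-b", "namespace": "foo"}, "spec": {}},
    {"metadata": {"name": "bar-1", "namespace": "foo"},
     "spec": {"selector": {"matchLabels": {"service.istio.io/canonical-name": "bar"}}}},
    {"metadata": {"name": "bar-2", "namespace": "foo"},
     "spec": {"selector": {"matchLabels": {"version": "v2"}}}},
]
# Constructed workload inventory: (namespace, workload name, labels).
WORKLOADS = [
    ("foo", "bar-v1", {"service.istio.io/canonical-name": "bar", "version": "v1"}),
    ("foo", "bar-v2", {"service.istio.io/canonical-name": "bar", "version": "v2"}),
]

def selector(res):
    """matchLabels of a resource, or None when it has no workload selector."""
    return (res["spec"].get("selector") or {}).get("matchLabels")

def lint(telemetries, workloads):
    """Return findings for resources that break the uniqueness rules."""
    findings = []
    # Rule 1: at most one selector-less Telemetry per namespace.
    selectorless = defaultdict(list)
    for t in telemetries:
        if not selector(t):
            selectorless[t["metadata"]["namespace"]].append(t["metadata"]["name"])
    for ns, names in sorted(selectorless.items()):
        if len(names) > 1:
            findings.append(("multiple-selectorless", ns, sorted(names)))
    # Rule 2: at most one selector-bearing Telemetry may select a workload.
    for ns, wl, labels in workloads:
        hits = sorted(
            t["metadata"]["name"] for t in telemetries
            if t["metadata"]["namespace"] == ns and selector(t)
            and all(labels.get(k) == v for k, v in selector(t).items()))
        if len(hits) > 1:
            findings.append(("overlapping-selectors", f"{ns}/{wl}", hits))
    return findings
```

Two selectors that look unrelated (`canonical-name: bar` and `version: v2`) still collide on any workload that carries both labels, which is why the check runs against a workload inventory rather than comparing selectors textually.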
Examples
Policy to enable random sampling for 10% of traffic:
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  # no selector specified, applies to all workloads
  tracing:
  - randomSamplingPercentage: 10.00
```
Policy to disable trace reporting for the `foo` workload (note: tracing context will still be propagated):
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: foo-tracing
  namespace: bar
spec:
  selector:
    matchLabels:
      service.istio.io/canonical-name: foo
  tracing:
  - disableSpanReporting: true
```
Policy to select the alternate zipkin provider for trace reporting:
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: foo-tracing-alternate
  namespace: baz
spec:
  selector:
    matchLabels:
      service.istio.io/canonical-name: foo
  tracing:
  - providers:
    - name: "zipkin-alternate"
    randomSamplingPercentage: 10.00
```
Policy to tailor the zipkin provider to sample traces from Client workloads only:
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  # no selector specified, applies to all workloads
  tracing:
  - match:
      # match is a TracingSelector; the traffic direction goes in its mode field
      mode: CLIENT
    providers:
    - name: "zipkin"
```
Policy to add a custom tag from a literal value:
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  # no selector specified, applies to all workloads
  tracing:
  - randomSamplingPercentage: 10.00
    customTags:
      my_new_foo_tag:
        literal:
          value: "foo"
```
Policy to disable server-side metrics for Prometheus for an entire mesh:
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  # no selector specified, applies to all workloads
  metrics:
  - providers:
    - name: prometheus
    overrides:
    - match:
        metric: ALL_METRICS
        mode: SERVER
      disabled: true
```
Policy to add dimensions to all Prometheus metrics for the `foo` namespace:
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: namespace-metrics
  namespace: foo
spec:
  # no selector specified, applies to all workloads in the namespace
  metrics:
  - providers:
    - name: prometheus
    overrides:
    # match clause left off matches all istio metrics, client and server
    - tagOverrides:
        request_method:
          value: "request.method"
        request_host:
          value: "request.host"
```
Policy to remove the `response_code` dimension on some Prometheus metrics for the `bar.foo` workload:
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: remove-response-code
  namespace: foo
spec:
  selector:
    matchLabels:
      service.istio.io/canonical-name: bar
  metrics:
  - providers:
    - name: prometheus
    overrides:
    - match:
        metric: REQUEST_COUNT
      tagOverrides:
        response_code:
          operation: REMOVE
    - match:
        metric: REQUEST_DURATION
      tagOverrides:
        response_code:
          operation: REMOVE
    - match:
        metric: REQUEST_SIZE
      tagOverrides:
        response_code:
          operation: REMOVE
    - match:
        metric: RESPONSE_SIZE
      tagOverrides:
        response_code:
          operation: REMOVE
```
Policy to enable access logging for the entire mesh:
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  # no selector specified, applies to all workloads
  accessLogging:
  - providers:
    - name: envoy
    # By default, this turns on access logging (no need to set `disabled: false`).
    # Unspecified `disabled` will be treated as `disabled: false`, except in
    # cases where a parent configuration has marked as `disabled: true`. In
    # those cases, `disabled: false` must be set explicitly to override.
```
Policy to disable access logging for the `foo` namespace:
```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: namespace-no-log
  namespace: foo
spec:
  # no selector specified, applies to all workloads in the namespace
  accessLogging:
  - disabled: true
```
Telemetry
Field | Type | Description | Required |
---|---|---|---|
selector | WorkloadSelector | Optional. The selector decides where to apply the policy. If not set, the policy will be applied to all workloads in the same namespace as the policy. At most one of | No |
targetRefs | PolicyTargetReference[] | Optional. The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to. Currently, the following resource attachment types are supported: If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set. NOTE: If you are using the NOTE: Waypoint proxies are required to use this field for policies to apply; | No |
tracing | Tracing[] | Optional. Tracing configures the tracing behavior for all selected workloads. | No |
metrics | Metrics[] | Optional. Metrics configures the metrics behavior for all selected workloads. | No |
accessLogging | AccessLogging[] | Optional. Access logging configures the access logging behavior for all selected workloads. | No |
Tracing
Tracing configures tracing behavior for workloads within a mesh. It can be used to enable/disable tracing, as well as to set sampling rates and custom tag extraction.
Tracing configuration supports overrides of the fields `providers`, `random_sampling_percentage`, `disable_span_reporting`, and `custom_tags` at each level in the configuration hierarchy, with missing values filled in from parent resources. However, when specified, `custom_tags` will fully replace any values provided by parent configuration.
Field | Type | Description | Required |
---|---|---|---|
match | TracingSelector | Allows tailoring of behavior to specific conditions. | No |
providers | ProviderRef[] | Optional. Name of provider(s) to use for span reporting. If a provider is not specified, the default tracing provider will be used. NOTE: At the moment, only a single provider can be specified in a given Tracing rule. | No |
randomSamplingPercentage | DoubleValue | Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. If a prior sampling decision has been made, that decision will be respected. However, if no sampling decision has been made (example: no Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01% increments. | No |
disableSpanReporting | BoolValue | Controls span reporting. If set to true, no spans will be reported for impacted workloads. This does NOT impact context propagation or trace sampling behavior. | No |
customTags | map<string, CustomTag> | Optional. Configures additional custom tags to the generated trace spans. | No |
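The inheritance rules stated above for Tracing fields, together with the `disabled` rule described in the comment of the mesh-wide access logging example, determine what a given workload actually emits. The following added Python example (not Istio's code) models both; it assumes `istio-system` is the root namespace, reads only the first rule of each list, and ignores `match` and per-provider scoping. All function names and sample resources are constructed.

```python
ROOT_NS = "istio-system"  # assumption: root configuration namespace
TRACING_FIELDS = ("providers", "randomSamplingPercentage",
                  "disableSpanReporting", "customTags")
BAR = {"service.istio.io/canonical-name": "bar"}

# Constructed resources, shaped like parsed Telemetry YAML.
TELEMETRIES = [
    {"metadata": {"namespace": ROOT_NS}, "spec": {
        "tracing": [{"randomSamplingPercentage": 10.0,
                     "customTags": {"cluster": {"literal": {"value": "prod"}}}}],
        "accessLogging": [{"providers": [{"name": "envoy"}]}]}},
    {"metadata": {"namespace": "foo"}, "spec": {
        "accessLogging": [{"disabled": True}]}},
    {"metadata": {"namespace": "foo"}, "spec": {
        "selector": {"matchLabels": BAR},
        "tracing": [{"customTags": {"team": {"literal": {"value": "pay"}}}}],
        "accessLogging": [{"providers": [{"name": "envoy"}]}]}},
]

def chain(telemetries, ns, labels):
    """Specs that apply to a workload, least specific first."""
    def pick(namespace, with_selector):
        for t in telemetries:
            sel = (t["spec"].get("selector") or {}).get("matchLabels")
            if t["metadata"]["namespace"] != namespace or bool(sel) != with_selector:
                continue
            if not sel or all(labels.get(k) == v for k, v in sel.items()):
                return t["spec"]
        return None
    levels = [pick(ROOT_NS, False),
              pick(ns, False) if ns != ROOT_NS else None,
              pick(ns, True)]
    return [spec for spec in levels if spec]

def effective_tracing(telemetries, ns, labels):
    merged = {}
    for spec in chain(telemetries, ns, labels):
        for rule in spec.get("tracing", [])[:1]:
            # A field set here replaces the parent's value whole, so a child
            # customTags map drops every tag the parent defined.
            merged.update({f: rule[f] for f in TRACING_FIELDS if f in rule})
    return merged

def access_logging_disabled(telemetries, ns, labels):
    """True/False once some level configures accessLogging, else None."""
    disabled = None
    for spec in chain(telemetries, ns, labels):
        for rule in spec.get("accessLogging", [])[:1]:
            if "disabled" in rule:
                disabled = rule["disabled"]  # explicit value wins
            elif disabled is not True:
                disabled = False  # unspecified means enabled, unless a
                                  # parent already set disabled: true
    return disabled
```

A result of `True` from `access_logging_disabled` for a workload whose own resource lists a provider is the case to watch for: the namespace-level `disabled: true` still applies until the workload sets `disabled: false`.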
ProviderRef
Used to bind Telemetry configuration to specific providers for targeted customization.
Field | Type | Description | Required |
---|---|---|---|
name | string | Required. Name of Telemetry provider in MeshConfig. | Yes |
Metrics
Metrics defines the workload-level overrides for metrics generation behavior within a mesh. It can be used to enable/disable metrics generation, as well as to customize the dimensions of the generated metrics.
Field | Type | Description | Required |
---|---|---|---|
providers | ProviderRef[] | Optional. Name of providers to which this configuration should apply. If a provider is not specified, the default metrics provider will be used. | No |
overrides | MetricsOverrides[] | Optional. Ordered list of overrides to metrics generation behavior. Specified overrides will be applied in order. They will be applied on top of inherited overrides from other resources in the hierarchy in the following order: Because overrides are applied in order, users are advised to order their overrides from least specific to most specific matches. That is, it is a best practice to list any universal overrides first, with tailored overrides following them. | No |
reportingInterval | Duration | Optional. Reporting interval allows configuration of the time between calls out to for metrics reporting. This currently only supports TCP metrics but we may use this for long duration HTTP streams in the future. The default duration is | No |
MetricSelector
Provides a mechanism for matching metrics for the application of override behaviors.
Field | Type | Description | Required |
---|---|---|---|
metric | IstioMetric (oneof) | One of the well-known Istio Standard Metrics. | No |
customMetric | string (oneof) | Allows free-form specification of a metric. No validation of custom metrics is provided. | No |
mode | WorkloadMode | Controls which mode of metrics generation is selected: | No |
MetricsOverrides
MetricsOverrides defines custom metric generation behavior for an individual metric or the set of all standard metrics.
Field | Type | Description | Required |
---|---|---|---|
match | MetricSelector | Match allows providing the scope of the override. It can be used to select individual metrics, as well as the workload modes (server, client, or both) in which the metrics will be generated. If match is not specified, the overrides will apply to all metrics for both modes of operation (client and server). | No |
disabled | BoolValue | Optional. Must explicitly set this to | No |
tagOverrides | map<string, TagOverride> | Optional. Collection of tag names and tag expressions to override in the selected metric(s). The key in the map is the name of the tag. The value in the map is the operation to perform on the tag. WARNING: some providers may not support adding/removing tags. See also: https://istio.io/latest/docs/reference/config/metrics/#labels | No |
AccessLogging
Access logging defines the workload-level overrides for access log generation. It can be used to select provider or enable/disable access log generation for a workload.
Field | Type | Description | Required |
---|---|---|---|
match | LogSelector | Allows tailoring of logging behavior to specific conditions. | No |
providers | ProviderRef[] | Optional. Name of providers to which this configuration should apply. If a provider is not specified, the default logging provider will be used. | No |
disabled | BoolValue | Controls logging. If set to true, no access logs will be generated for impacted workloads (for the specified providers). NOTE: currently default behavior will be controlled by the provider(s) selected above. Customization controls will be added to this API in future releases. | No |
filter | Filter | Optional. If specified, this filter will be used to select specific requests/connections for logging. | No |
Tracing.TracingSelector
TracingSelector provides a coarse-grained ability to configure tracing behavior based on certain traffic metadata (such as traffic direction).
Field | Type | Description | Required |
---|---|---|---|
mode | WorkloadMode | This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. | No |
Tracing.CustomTag
CustomTag defines a tag to be added to a trace span that is based on an operator-supplied value. This value can either be a hard-coded value, a value taken from an environment variable known to the sidecar proxy, or from a request header.
NOTE: when specified, `custom_tags` will fully replace any values provided by parent configuration.
Field | Type | Description | Required |
---|---|---|---|
literal | Literal (oneof) | Literal adds the same, hard-coded value to each span. | No |
environment | Environment (oneof) | Environment adds the value of an environment variable to each span. | No |
header | RequestHeader (oneof) | RequestHeader adds the value of a header from the request to each span. | No |
Tracing.Literal
Field | Type | Description | Required |
---|---|---|---|
value | string | The tag value to use. | Yes |
Tracing.Environment
Field | Type | Description | Required |
---|---|---|---|
name | string | Name of the environment variable from which to extract the tag value. | Yes |
defaultValue | string | Optional. If the environment variable is not found, this value will be used instead. | No |
Tracing.RequestHeader
Field | Type | Description | Required |
---|---|---|---|
name | string | Name of the header from which to extract the tag value. | Yes |
defaultValue | string | Optional. If the header is not found, this value will be used instead. | No |
MetricsOverrides.TagOverride
TagOverride specifies an operation to perform on a metric dimension (also known as a `label`). Tags may be added, removed, or have their default values overridden.
Field | Type | Description | Required |
---|---|---|---|
operation | Operation | Operation controls whether or not to update/add a tag, or to remove it. | No |
value | string | Value is only considered if the operation is | No |
AccessLogging.LogSelector
LogSelector provides a coarse-grained ability to configure logging behavior based on certain traffic metadata (such as traffic direction). LogSelector applies to traffic metadata which is not represented in the attribute set currently supported by filters. It allows control planes to limit the configuration sent to individual workloads. Finer-grained logging behavior can be further configured via `filter`.
Field | Type | Description | Required |
---|---|---|---|
mode | WorkloadMode | This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. | No |
AccessLogging.Filter
Allows specification of an access log filter.
Field | Type | Description | Required |
---|---|---|---|
expression | string | CEL expression for selecting when requests/connections should be logged. Examples: | No |
MetricSelector.IstioMetric
Curated list of known metric types that are supported by Istio metric providers. See also: https://istio.io/latest/docs/reference/config/metrics/#metrics
Name | Description |
---|---|
ALL_METRICS | Use of this enum indicates that the override should apply to all Istio default metrics. |
REQUEST_COUNT | Counter of requests to/from an application, generated for HTTP, HTTP/2, and GRPC traffic. The Prometheus provider exports this metric as: The Stackdriver provider exports this metric as: |
REQUEST_DURATION | Histogram of request durations, generated for HTTP, HTTP/2, and GRPC traffic. The Prometheus provider exports this metric as: The Stackdriver provider exports this metric as: |
REQUEST_SIZE | Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC traffic. The Prometheus provider exports this metric as: The Stackdriver provider exports this metric as: |
RESPONSE_SIZE | Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC traffic. The Prometheus provider exports this metric as: The Stackdriver provider exports this metric as: |
TCP_OPENED_CONNECTIONS | Counter of TCP connections opened over lifetime of workload. The Prometheus provider exports this metric as: The Stackdriver provider exports this metric as: |
TCP_CLOSED_CONNECTIONS | Counter of TCP connections closed over lifetime of workload. The Prometheus provider exports this metric as: The Stackdriver provider exports this metric as: |
TCP_SENT_BYTES | Counter of bytes sent during a response over a TCP connection. The Prometheus provider exports this metric as: The Stackdriver provider exports this metric as: |
TCP_RECEIVED_BYTES | Counter of bytes received during a request over a TCP connection. The Prometheus provider exports this metric as: The Stackdriver provider exports this metric as: |
GRPC_REQUEST_MESSAGES | Counter incremented for every gRPC message sent from a client. The Prometheus provider exports this metric as: |
GRPC_RESPONSE_MESSAGES | Counter incremented for every gRPC message sent from a server. The Prometheus provider exports this metric as: |
MetricsOverrides.TagOverride.Operation
Name | Description |
---|---|
UPSERT | Insert or Update the tag with the provided value expression. The |
REMOVE | Specifies that the tag should not be included in the metric when generated. |
WorkloadMode
WorkloadMode allows selection of the role of the underlying workload in network traffic. A workload is considered as acting as a `SERVER` if it is the destination of the traffic (that is, traffic direction, from the perspective of the workload is inbound). If the workload is the source of the network traffic, it is considered to be in `CLIENT` mode (traffic is outbound from the workload).
Name | Description |
---|---|
CLIENT_AND_SERVER | Selects for scenarios when the workload is either the source or destination of the network traffic. |
CLIENT | Selects for scenarios when the workload is the source of the network traffic. |
SERVER | Selects for scenarios when the workload is the destination of the network traffic. |