---
title: v1alpha1
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 60
---
ArchConfig

ArchConfig specifies the pod scheduling target architecture (amd64, ppc64le, s390x) for all the Istio control plane components.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `amd64` | `uint32` | Sets pod scheduling weight for amd64 arch. | No |
| `ppc64le` | `uint32` | Sets pod scheduling weight for ppc64le arch. | No |
| `s390x` | `uint32` | Sets pod scheduling weight for s390x arch. | No |
CNIConfig

Configuration for CNI.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Controls whether CNI is enabled. | No |
| `hub` | `string` | Image hub for the CNI image, overriding `global.hub`. | No |
| `tag` | `TypeInterface` | Image tag for the CNI image, overriding `global.tag`. | No |
| `image` | `string` | Image name for the CNI image. | No |
| `pullPolicy` | `string` | Image pull policy for the CNI image. | No |
| `cniBinDir` | `string` | Directory on the node into which the CNI plugin binary is installed. | No |
| `cniConfDir` | `string` | Directory on the node holding the CNI configuration files. | No |
| `cniConfFileName` | `string` | Name of the CNI configuration file to write. | No |
| `excludeNamespaces` | `string[]` | Namespaces whose pods are not handled by the CNI plugin. | No |
| `pspClusterRole` | `string` | ClusterRole granting the PodSecurityPolicy used by the CNI DaemonSet. | No |
| `logLevel` | `string` | Log level for the CNI plugin. | No |
| `repair` | `CNIRepairConfig` | Configuration for repairing pods whose network setup failed. | No |
| `chained` | `BoolValue` | Controls whether the plugin is added to the existing chained CNI configuration instead of being installed standalone. | No |
| `taint` | `CNITaintConfig` | Configuration for the node taint controller. | No |
| `podAnnotations` | `TypeMapStringInterface` | K8s annotations for the CNI pods. | No |
CNITaintConfig

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Controls whether taint behavior is enabled. | No |
CNIRepairConfig

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Controls whether repair behavior is enabled. | No |
| `hub` | `string` | Image hub for the repair image. | No |
| `tag` | `TypeInterface` | Image tag for the repair image. | No |
| `image` | `string` | Image name for the repair image. | No |
| `labelPods` | `bool` | Controls whether pods detected as broken are labeled (see `brokenPodLabelKey` and `brokenPodLabelValue`). | No |
| `deletePods` | `bool` | Controls whether pods detected as broken are deleted so that they are rescheduled. | No |
| `brokenPodLabelKey` | `string` | Label key applied to broken pods when `labelPods` is enabled. | No |
| `brokenPodLabelValue` | `string` | Label value applied to broken pods when `labelPods` is enabled. | No |
| `initContainerName` | `string` | Name of the init container whose failure marks a pod as broken. | No |
| `createEvents` | `string` | Controls whether a Kubernetes event is created for each broken pod. | No |
CPUTargetUtilizationConfig

Configuration for CPU target utilization for HorizontalPodAutoscaler target.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `targetAverageUtilization` | `int32` | K8s utilization setting for HorizontalPodAutoscaler target. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | No |
Resources

Mirrors K8s Resources for unmarshaling.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `limits` | `map<string, string>` | Resource limits, keyed by resource name (e.g. `cpu`, `memory`). | No |
| `requests` | `map<string, string>` | Resource requests, keyed by resource name. | No |
DefaultPodDisruptionBudgetConfig

DefaultPodDisruptionBudgetConfig specifies the default pod disruption budget configuration. See https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Controls whether a PodDisruptionBudget with a default minAvailable value of 1 is created for each deployment. | No |
DefaultResourcesConfig

DefaultResourcesConfig specifies the default k8s resources settings for all Istio control plane components.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `requests` | `ResourcesRequestsConfig` | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container | No |
EgressGatewayConfig

Configuration for an egress gateway.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `autoscaleEnabled` | `BoolValue` | Controls whether auto scaling with a HorizontalPodAutoscaler is enabled. | No |
| `autoscaleMax` | `uint32` | maxReplicas setting for HorizontalPodAutoscaler. | No |
| `autoscaleMin` | `uint32` | minReplicas setting for HorizontalPodAutoscaler. | No |
| `enabled` | `BoolValue` | Controls whether an egress gateway is enabled. | No |
| `env` | `TypeMapStringInterface` | Environment variables passed to the proxy container. | No |
| `labels` | `map<string, string>` | Labels added to the egress gateway pods. | No |
| `name` | `string` | Name of the egress gateway Deployment and Service. | No |
| `ports` | `PortsConfig[]` | Ports configuration for the egress gateway service. | No |
| `secretVolumes` | `SecretVolume[]` | Config for secret volume mounts. | No |
| `serviceAnnotations` | `TypeMapStringInterface` | Annotations to add to the egress gateway service. | No |
| `type` | `string` | Service type. See https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | No |
| `zvpn` | `ZeroVPNConfig` | Enables cross-cluster access using SNI matching. | No |
| `configVolumes` | `TypeSliceOfMapStringInterface` | Additional volumes mounted into the gateway pod. | No |
| `additionalContainers` | `TypeSliceOfMapStringInterface` | Additional containers added to the gateway pod. | No |
| `runAsRoot` | `BoolValue` | Controls whether the gateway container runs as root. A non-root gateway cannot bind ports below 1024, so its `ports` must use higher target ports. | No |
| `cpu` | `CPUTargetUtilizationConfig` | K8s utilization setting for HorizontalPodAutoscaler target. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | No |
| `nodeSelector` | `TypeMapStringInterface` | K8s node selector. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | No |
| `podAnnotations` | `TypeMapStringInterface` | K8s annotations for pods. See https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | No |
| `podAntiAffinityLabelSelector` | `TypeSliceOfMapStringInterface` | Pod anti-affinity label selector. Pod anti-affinity constrains which nodes your pod is eligible to be scheduled on, based on labels of pods already running on the node rather than on labels of the node itself. There are two types of anti-affinity, `requiredDuringSchedulingIgnoredDuringExecution` ("hard") and `preferredDuringSchedulingIgnoredDuringExecution` ("soft"); define the hard requirement in `podAntiAffinityLabelSelector` and the soft one in `podAntiAffinityTermLabelSelector`. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity. Example below the table. | No |
| `podAntiAffinityTermLabelSelector` | `TypeSliceOfMapStringInterface` | See `podAntiAffinityLabelSelector`. | No |
| `resources` | `Resources` | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container | No |
| `tolerations` | `TypeSliceOfMapStringInterface` | K8s tolerations for the gateway pods. | No |
| `rollingMaxSurge` | `TypeIntOrStringForPB` | K8s rolling update strategy: maxSurge. | No |
| `rollingMaxUnavailable` | `TypeIntOrStringForPB` | K8s rolling update strategy: maxUnavailable. | No |

Example for `podAntiAffinityLabelSelector`:

```yaml
podAntiAffinityLabelSelector:
  - key: security
    operator: In
    values: S1,S2
    topologyKey: "kubernetes.io/hostname"
```

This anti-affinity rule says that the pod must not be scheduled onto a node that is already running a pod whose `security` label has the value `S1` or `S2`.
GatewaysConfig

Configuration for gateways.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `istioEgressgateway` | `EgressGatewayConfig` | Configuration for an egress gateway. | No |
| `enabled` | `BoolValue` | Controls whether any gateways are enabled. | No |
| `istioIngressgateway` | `IngressGatewayConfig` | Configuration for an ingress gateway. | No |
GlobalConfig

Global Configuration for Istio components.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `arch` | `ArchConfig` | Specifies pod scheduling arch (amd64, ppc64le, s390x) and weight as follows: 0 = never scheduled, 1 = least preferred, 2 = no preference, 3 = most preferred. | No |
| `configRootNamespace` | `string` | Namespace used as the root for mesh-wide configuration. | No |
| `configValidation` | `BoolValue` | Controls whether the server-side validation is enabled. | No |
| `defaultConfigVisibilitySettings` | `string[]` | Default visibility (exportTo) settings for configuration resources. | No |
| `hub` | `string` | Specifies the docker hub for Istio images. | No |
| `imagePullPolicy` | `string` | Specifies the image pull policy for the Istio images: one of Always, Never, IfNotPresent. Defaults to Always if the :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | No |
| `imagePullSecrets` | `string[]` | Names of the image pull Secrets used for the Istio images. | No |
| `istioNamespace` | `string` | Specifies the default namespace for the Istio control plane components. | No |
| `logAsJson` | `BoolValue` | Controls whether control plane logs are emitted as JSON. | No |
| `logging` | `GlobalLoggingConfig` | Specifies the global logging level settings for the Istio control plane components. | No |
| `meshID` | `string` | Identifier of the mesh this cluster belongs to. | No |
| `meshNetworks` | `TypeMapStringInterface` | Configures the mesh networks used by Split Horizon EDS. Each network lists how endpoints are associated with it and which gateways reach it. In the example below, every endpoint whose IP falls within the given CIDR range is mapped to `network1`, and that network's gateway is specified by its public IP address and port. `network2` is defined differently: every endpoint retrieved through the specified multi-cluster registry is mapped to it, and its gateway is named by the gateway service on the remote cluster. The public IP for that gateway is determined from the remote service (only the LoadBalancer gateway service type is currently supported; a NodePort gateway service still needs to be configured manually). Example below the table. | No |
| `multiCluster` | `MultiClusterConfig` | Specifies the configuration for an Istio mesh spanning multiple clusters through Istio gateways. | No |
| `network` | `string` | Name of the network this cluster's workloads belong to, for multi-network meshes. | No |
| `podDNSSearchNamespaces` | `string[]` | Custom DNS config for the pod to resolve names of services in other clusters. Use this to add additional search domains and other settings; see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config. This does not apply to gateway pods, as they typically need a different set of DNS settings than normal application pods (e.g. in multicluster scenarios). | No |
| `omitSidecarInjectorConfigMap` | `BoolValue` | Controls whether the sidecar injector ConfigMap is omitted from the rendered manifests. | No |
| `oneNamespace` | `BoolValue` | Controls whether the controller manages only the application namespace it is installed in. If false, the controller watches all namespaces. | No |
| `operatorManageWebhooks` | `BoolValue` | Controls whether the operator manages the webhook configurations. | No |
| `proxy` | `ProxyConfig` | Specifies how proxies are configured within Istio. | No |
| `proxyInit` | `ProxyInitConfig` | Specifies the configuration for the proxy_init container, which sets up the pod's networking to intercept inbound/outbound traffic. | No |
| `sds` | `SDSConfig` | Specifies the configuration for the SecretDiscoveryService, used instead of mounting certificates from K8s secrets. | No |
| `tag` | `TypeInterface` | Specifies the tag for the Istio docker images. | No |
| `tracer` | `TracerConfig` | Specifies the configuration for each of the supported tracers. | No |
| `useMCP` | `BoolValue` | Controls whether the Mesh Configuration Protocol (MCP) is used to distribute configuration. | No |
| `remotePilotAddress` | `string` | Specifies the Istio control plane's pilot Pod IP address or a DNS-resolvable hostname on the remote cluster. | No |
| `istiod` | `IstiodConfig` | Specifies the configuration of istiod. | No |
| `pilotCertProvider` | `string` | Configures the Pilot certificate provider. Currently, two providers are supported: "kubernetes" and "citadel". | No |
| `jwtPolicy` | `string` | Configures the policy for validating JWTs. Currently, two options are supported: "third-party-jwt" and "first-party-jwt". `third-party-jwt` uses audience-scoped, expiring projected service account tokens and is the preferred setting; `first-party-jwt` falls back to the cluster's long-lived default service account tokens for clusters that cannot project tokens. | No |
| `sts` | `STSConfig` | Specifies the configuration for the Security Token Service. | No |
| `revision` | `string` | Configures the revision this control plane is a part of. | No |
| `mountMtlsCerts` | `BoolValue` | Controls whether the in-cluster mTLS key and certs are loaded from the secret volume mounts. | No |
| `caAddress` | `string` | Address of the CA to which proxies send certificate signing requests (CSRs). | No |
| `externalIstiod` | `BoolValue` | Controls whether an external istiod is enabled. | No |
| `defaultNodeSelector` | `TypeMapStringInterface` | Default k8s node selector for all the Istio control plane components. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | No |
| `defaultPodDisruptionBudget` | `DefaultPodDisruptionBudgetConfig` | Specifies the default pod disruption budget configuration. | No |
| `defaultResources` | `DefaultResourcesConfig` | Default k8s resources settings for all Istio control plane components. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container | No |
| `defaultTolerations` | `TypeSliceOfMapStringInterface` | Default k8s tolerations for all the Istio control plane components. | No |
| `priorityClassName` | `string` | Specifies the k8s priorityClassName for the Istio control plane components. See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass | No |

Example for `meshNetworks`:

```yaml
meshNetworks:
  network1:
    endpoints:
      - fromCidr: "192.168.0.1/24"
    gateways:
      - address: 1.1.1.1
        port: 80
  network2:
    endpoints:
      - fromRegistry: reg1
    gateways:
      - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
        port: 443
```
STSConfig

Configuration for the Security Token Service (STS) server. See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `servicePort` | `uint32` | Port on which the STS server listens. | No |
IstiodConfig

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enableAnalysis` | `BoolValue` | If enabled, istiod will perform config analysis. | No |
GlobalLoggingConfig

GlobalLoggingConfig specifies the global logging level settings for the Istio control plane components.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `level` | `string` | Comma-separated minimum per-scope logging level of messages to output, in the form `<scope>:<level>,<scope>:<level>`. The control plane has different scopes depending on the component, but a default log level can be configured across all components. If empty, the default scope and level configured in code are used. | No |
IngressGatewayConfig

Configuration for an ingress gateway.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `autoscaleEnabled` | `BoolValue` | Controls whether auto scaling with a HorizontalPodAutoscaler is enabled. | No |
| `autoscaleMax` | `uint32` | maxReplicas setting for HorizontalPodAutoscaler. | No |
| `autoscaleMin` | `uint32` | minReplicas setting for HorizontalPodAutoscaler. | No |
| `customService` | `BoolValue` | Controls whether a user-supplied Service is used for the gateway instead of the generated one. | No |
| `enabled` | `BoolValue` | Controls whether an ingress gateway is enabled. | No |
| `env` | `TypeMapStringInterface` | Environment variables passed to the proxy container. | No |
| `labels` | `map<string, string>` | Labels added to the ingress gateway pods. | No |
| `loadBalancerIP` | `string` | Static IP requested for the LoadBalancer Service. | No |
| `loadBalancerSourceRanges` | `string[]` | CIDR ranges allowed to reach the LoadBalancer Service. If empty, the gateway is reachable from any source address. | No |
| `name` | `string` | Name of the ingress gateway Deployment and Service. | No |
| `ports` | `PortsConfig[]` | Port configuration for the ingress gateway. | No |
| `secretVolumes` | `SecretVolume[]` | Config for secret volume mounts. | No |
| `serviceAnnotations` | `TypeMapStringInterface` | Annotations to add to the ingress gateway service. | No |
| `type` | `string` | Service type. See https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | No |
| `zvpn` | `IngressGatewayZvpnConfig` | Enables cross-cluster access using SNI matching. | No |
| `externalTrafficPolicy` | `string` | K8s externalTrafficPolicy for the Service (Cluster or Local). Local preserves the client source IP for logging and source-based policy. | No |
| `ingressPorts` | `TypeSliceOfMapStringInterface` | Additional ingress port definitions. | No |
| `additionalContainers` | `TypeSliceOfMapStringInterface` | Additional containers added to the gateway pod. | No |
| `configVolumes` | `TypeSliceOfMapStringInterface` | Additional volumes mounted into the gateway pod. | No |
| `runAsRoot` | `BoolValue` | Controls whether the gateway container runs as root. A non-root gateway cannot bind ports below 1024, so its `ports` must use higher target ports. | No |
| `cpu` | `CPUTargetUtilizationConfig` | K8s utilization setting for HorizontalPodAutoscaler target. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | No |
| `nodeSelector` | `TypeMapStringInterface` | K8s node selector. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | No |
| `podAnnotations` | `TypeMapStringInterface` | K8s annotations for pods. See https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | No |
| `podAntiAffinityLabelSelector` | `TypeSliceOfMapStringInterface` | See EgressGatewayConfig. | No |
| `podAntiAffinityTermLabelSelector` | `TypeSliceOfMapStringInterface` | See EgressGatewayConfig. | No |
| `replicaCount` | `uint32` | Number of replicas for the ingress gateway Deployment. | No |
| `resources` | `TypeMapStringInterface` | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container | No |
| `rollingMaxSurge` | `TypeIntOrStringForPB` | K8s rolling update strategy: maxSurge. | No |
| `rollingMaxUnavailable` | `TypeIntOrStringForPB` | K8s rolling update strategy: maxUnavailable. | No |
| `tolerations` | `TypeSliceOfMapStringInterface` | K8s tolerations for the gateway pods. | No |
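The fragment below is an added example of how the ingress and egress gateway fields above combine into a hardened gateway configuration; it is not taken from the Istio project. It assumes the `IstioOperator` resource wrapper (`install.istio.io/v1alpha1`) and the standard `spec.values.gateways` key, neither of which is listed on this page, and the source range, secret name and port numbers are placeholders.

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    gateways:
      enabled: true
      istioIngressgateway:
        enabled: true
        type: LoadBalancer
        # Limit who can reach the load balancer at the cloud layer (placeholder range).
        loadBalancerSourceRanges:
          - 203.0.113.0/24
        # Local keeps the client source IP visible to access logs and source-based policy.
        externalTrafficPolicy: Local
        # Non-root gateway: targetPorts must therefore stay above 1024.
        runAsRoot: false
        ports:
          - name: https
            port: 443
            targetPort: 8443
            protocol: TCP
        secretVolumes:
          - name: ingressgateway-certs
            secretName: istio-ingressgateway-certs   # placeholder secret name
            mountPath: /etc/istio/ingressgateway-certs
        autoscaleEnabled: true
        autoscaleMin: 2
        autoscaleMax: 5
        cpu:
          targetAverageUtilization: 80
      istioEgressgateway:
        enabled: true
        runAsRoot: false
        # The egress gateway only needs to be reachable from inside the cluster.
        type: ClusterIP
```

Leaving `loadBalancerSourceRanges` empty exposes the gateway to every source address the cloud load balancer accepts, and `runAsRoot: true` is only needed when a gateway must bind a port below 1024 directly; both defaults are worth checking on any existing install.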
IngressGatewayZvpnConfig

IngressGatewayZvpnConfig enables cross-cluster access using SNI matching.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Controls whether ZeroVPN is enabled. | No |
| `suffix` | `string` | DNS suffix used for ZeroVPN SNI matching. | No |
MultiClusterConfig

MultiClusterConfig specifies the configuration for an Istio mesh spanning multiple clusters through the Istio gateways.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Enables the connection between two Kubernetes clusters via their respective ingressgateway services. Use this when the pods in each cluster cannot talk to one another directly. | No |
| `clusterName` | `string` | Name of this cluster within the multi-cluster mesh. | No |
| `globalDomainSuffix` | `string` | DNS suffix used for the global (cross-cluster) service names. | No |
| `includeEnvoyFilter` | `BoolValue` | Controls whether the multi-cluster EnvoyFilter is included. | No |
OutboundTrafficPolicyConfig

OutboundTrafficPolicyConfig controls the default behavior of the sidecar for handling outbound traffic from the application.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `mode` | `Mode` | Outbound traffic mode; see OutboundTrafficPolicyConfig.Mode. | No |
PilotConfig

Configuration for Pilot.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Controls whether Pilot is enabled. | No |
| `autoscaleEnabled` | `BoolValue` | Controls whether a HorizontalPodAutoscaler is installed for Pilot. | No |
| `autoscaleMin` | `uint32` | Minimum number of replicas in the HorizontalPodAutoscaler for Pilot. | No |
| `autoscaleMax` | `uint32` | Maximum number of replicas in the HorizontalPodAutoscaler for Pilot. | No |
| `image` | `string` | Image name used for Pilot. This can be set either to an image name if hub is also set, or to the full hub:name string. Examples: `custom-pilot`, `docker.io/someuser:custom-pilot` | No |
| `traceSampling` | `double` | Trace sampling fraction. Sets the fraction of requests for which traces are sampled. Higher values are more accurate but add CPU overhead. Allowed values: 0.0 to 1.0 | No |
| `configNamespace` | `string` | Namespace that the configuration management feature is installed into, if different from the Pilot namespace. | No |
| `keepaliveMaxServerConnectionAge` | `Duration` | Maximum duration that a sidecar can stay connected to a Pilot instance. This setting balances load across Pilot instances but adds some resource overhead. Examples: 300s, 30m, 1h | No |
| `deploymentLabels` | `TypeMapStringInterface` | Labels that are added to Pilot pods. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | No |
| `configMap` | `BoolValue` | Controls whether the mesh ConfigMap, generated from values.yaml, is created and passed to Pilot. If false, Pilot will use default values or user-supplied values, in that order of preference. | No |
| `useMCP` | `BoolValue` | Controls whether Pilot is configured through the Mesh Configuration Protocol (MCP). If set to true, Pilot requires an MCP server (like Galley) to be installed. | No |
| `env` | `TypeMapStringInterface` | Environment variables passed to the Pilot container. Example: `env: {ENVVAR1: value1, ENVVAR2: value2}` | No |
| `enableProtocolSniffingForOutbound` | `BoolValue` | Controls whether protocol sniffing is enabled for outbound traffic. | No |
| `enableProtocolSniffingForInbound` | `BoolValue` | Controls whether protocol sniffing is enabled for inbound traffic. | No |
| `configSource` | `PilotConfigSource` | ConfigSource describes a source of configuration data for networking rules and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane. | No |
| `plugins` | `TypeSliceString` | Pilot plugins to enable. | No |
| `hub` | `string` | Image hub for Pilot, overriding `global.hub`. | No |
| `tag` | `TypeInterface` | Image tag for Pilot, overriding `global.tag`. | No |
| `replicaCount` | `uint32` | Number of replicas in the Pilot Deployment. | No |
| `resources` | `Resources` | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container | No |
| `cpu` | `CPUTargetUtilizationConfig` | Target CPU utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | No |
| `nodeSelector` | `TypeMapStringInterface` | K8s node selector. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | No |
| `rollingMaxSurge` | `TypeIntOrStringForPB` | K8s rolling update strategy: maxSurge. | No |
| `rollingMaxUnavailable` | `TypeIntOrStringForPB` | K8s rolling update strategy: maxUnavailable. | No |
| `tolerations` | `TypeSliceOfMapStringInterface` | K8s tolerations for the Pilot pods. | No |
| `podAnnotations` | `TypeMapStringInterface` | K8s annotations for pods. See https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | No |
PilotIngressConfig

Controls legacy k8s Ingress. Only one Pilot profile should enable Ingress support.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `ingressService` | `string` | Sets the type of ingress service for Pilot. If empty, node-port is assumed. Allowed values: node-port, istio-ingressgateway, ingress | No |
| `ingressControllerMode` | `ingressControllerMode` | Mode for the ingress controller; see the ingressControllerMode enum. | No |
| `ingressClass` | `string` | If mode is STRICT, this value must be set on the "kubernetes.io/ingress.class" annotation to activate. | No |
PilotPolicyConfig

Controls whether Istio policy is applied to Pilot.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Controls whether Istio policy is applied to Pilot. | No |
TelemetryConfig

Controls telemetry configuration.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Controls whether telemetry is exported for Pilot. | No |
| `v2` | `TelemetryV2Config` | Use telemetry v2. | No |
TelemetryV2Config

Controls whether Pilot will configure telemetry v2.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `wasmEnabled` | `BoolValue` | Controls whether the WebAssembly runtime is enabled for the metadata exchange filter. | No |
TelemetryV2PrometheusConfig

Controls telemetry v2 Prometheus settings.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Controls whether the stats EnvoyFilter is enabled. | No |
| `wasmEnabled` | `BoolValue` | Controls whether the WebAssembly runtime is enabled for the stats filter. | No |
| `configOverride` | `ConfigOverride` | Overrides the default telemetry v2 filter configuration. | No |
TelemetryV2StackDriverConfig

Controls telemetry v2 Stackdriver settings.

TelemetryV2AccessLogPolicyFilterConfig

Controls telemetry v2 access log policy filter settings.
PilotConfigSource

PilotConfigSource describes information about a configuration store inside a mesh. A single control plane instance can interact with one or more data sources.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `subscribedResources` | `string[]` | Describes the source of configuration. If nothing is specified, the default is MCP. | No |
PortsConfig

Configuration for a port.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `name` | `string` | Port name. | No |
| `port` | `int32` | Port number. | No |
| `nodePort` | `int32` | NodePort number. | No |
| `targetPort` | `int32` | Target port number. | No |
| `protocol` | `string` | Protocol name. | No |
ProxyConfig

Configuration for Proxy.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `autoInject` | `string` | Default sidecar injection policy for namespaces labeled for injection: `enabled` or `disabled`. | No |
| `clusterDomain` | `string` | Domain for the cluster, default: "cluster.local". K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ | No |
| `componentLogLevel` | `string` | Per-component log level for the proxy; applies to gateways and sidecars. If a component level is not set, the global "logLevel" is used. If left empty, "misc:error" is used. | No |
| `enableCoreDump` | `BoolValue` | Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. A core dump of the proxy contains its private keys and any plaintext in flight, so keep this off outside of debugging. | No |
| `excludeInboundPorts` | `string` | Comma-separated list of inbound ports that the sidecar does not capture; traffic to these ports reaches the application directly, without mTLS or authorization policy. | No |
| `excludeIPRanges` | `string` | Comma-separated list of IP ranges excluded from the egress traffic that the sidecar captures. | No |
| `image` | `string` | Image name or path for the proxy, default: "proxyv2". If registry or tag are not specified, global.hub and global.tag are used. Examples: `my-proxy` (uses global.hub/tag), `docker.io/myrepo/my-proxy:v1.0.0` | No |
| `includeIPRanges` | `string` | Comma-separated list of IP ranges of egress traffic that the sidecar captures. Example: `"172.30.0.0/16,172.20.0.0/16"`. This captures only egress traffic to those two IP ranges; all other outbound traffic bypasses the sidecar and is not subject to its policies. | No |
| `logLevel` | `string` | Log level for the proxy; applies to gateways and sidecars. If left empty, "warning" is used. Expected values are: trace \| debug \| info \| warning \| error \| critical \| off | No |
| `privileged` | `BoolValue` | Enables a privileged securityContext for the istio-proxy container. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | No |
| `readinessInitialDelaySeconds` | `uint32` | Sets the initial delay for readiness probes in seconds. | No |
| `readinessPeriodSeconds` | `uint32` | Sets the interval between readiness probes in seconds. | No |
| `readinessFailureThreshold` | `uint32` | Sets the number of successive failed probes before indicating readiness failure. | No |
| `statusPort` | `uint32` | Default port used for the Pilot agent's health checks. | No |
| `tracer` | `tracer` | Which tracer the proxy reports spans to; see the tracer enum. | No |
| `excludeOutboundPorts` | `string` | Comma-separated list of outbound ports excluded from capture by the sidecar. | No |
| `lifecycle` | `TypeMapStringInterface` | K8s container lifecycle hooks for the istio-proxy container. | No |
| `resources` | `Resources` | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container | No |
| `holdApplicationUntilProxyStarts` | `BoolValue` | Controls whether the sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready. Deprecated: replaced by the ProxyConfig setting, which allows per-pod configuration of this behavior. | No |
ProxyInitConfig

Configuration for the proxy_init container, which sets up the pod's networking to intercept inbound/outbound traffic.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `image` | `string` | Specifies the image for the proxy_init container. | No |
| `resources` | `Resources` | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container | No |
ResourcesRequestsConfig

Configuration for K8s resource requests.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `cpu` | `string` | CPU request, in K8s quantity format (e.g. `500m`). | No |
| `memory` | `string` | Memory request, in K8s quantity format (e.g. `2Gi`). | No |
SDSConfig
Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
SecretVolume

Configuration for secret volume mounts. See https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `mountPath` | `string` | Path inside the container at which the Secret is mounted. | No |
| `name` | `string` | Volume name. | No |
| `secretName` | `string` | Name of the Kubernetes Secret to mount. | No |
ServiceConfig

ServiceConfig is described in istio.io documentation.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `annotations` | `TypeMapStringInterface` | Annotations added to the Service. | No |
| `externalPort` | `uint32` | Externally exposed port of the Service. | No |
| `name` | `string` | Service name. | No |
| `type` | `string` | Service type. | No |
SidecarInjectorConfig

SidecarInjectorConfig is described in istio.io documentation.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enableNamespacesByDefault` | `BoolValue` | Enables sidecar auto-injection in namespaces by default. | No |
| `neverInjectSelector` | `TypeSliceOfMapStringInterface` | Instructs Istio not to inject the sidecar into pods matching these label selectors. Annotations on the pod take precedence over the label selectors. Order of evaluation: pod annotations, then `neverInjectSelector`, then `alwaysInjectSelector`, then the default policy. See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions | No |
| `alwaysInjectSelector` | `TypeSliceOfMapStringInterface` | See `neverInjectSelector`. | No |
| `rewriteAppHTTPProbe` | `BoolValue` | If true, the webhook or istioctl injector rewrites the PodSpec liveness health check to redirect the request through the sidecar. This keeps liveness checks working when mTLS is enabled. | No |
| `injectedAnnotations` | `TypeMapStringInterface` | Additional annotations added to the pod spec after injection. This is primarily to support PSP annotations. | No |
| `objectSelector` | `TypeMapStringInterface` | Enables an objectSelector that filters out pods with no need for a sidecar before the istio-sidecar-injector webhook is called. | No |
| `injectionURL` | `string` | Configures the injection URL for the sidecar injector webhook. | No |
| `templates` | `TypeMapStringInterface` | Defines a set of custom injection templates that can be used. Example below the table. This is intended for advanced configuration only; most users should use the built-in template. | No |
| `defaultTemplates` | `string[]` | Templates applied by default. Example: `defaultTemplates: ["sidecar", "hello"]` | No |

Example for `templates`:

```yaml
templates:
  hello:
    metadata:
      labels:
        hello: world
```

Starting a pod with the `inject.istio.io/templates: hello` annotation then results in the pod being injected with the `hello=world` label.
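The fragment below is an added example that combines the ProxyConfig fields with the injector selectors described in this table; it is not taken from the Istio project. It assumes the `IstioOperator` resource wrapper (`install.istio.io/v1alpha1`) and the standard `spec.values.global` and `spec.values.sidecarInjectorWebhook` keys, which this page does not list, and the `job-name` and `istio-inject` label selectors are illustrative choices.

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      proxy:
        privileged: false          # never grant the sidecar a privileged securityContext
        enableCoreDump: false      # a core dump would contain the proxy's private keys
        logLevel: warning
        componentLogLevel: "misc:error"
        # Capture all egress; narrowing includeIPRanges or setting excludeIPRanges
        # lets the uncaptured traffic bypass mTLS and the outbound policy entirely.
        includeIPRanges: "*"
        readinessFailureThreshold: 30
    sidecarInjectorWebhook:
      # Namespaces opt in with the injection label rather than being injected by default.
      enableNamespacesByDefault: false
      # Batch Jobs never complete with a sidecar holding the pod open, so skip them
      # (the job-name label is set by Kubernetes on Job pods).
      neverInjectSelector:
        - matchExpressions:
            - key: job-name
              operator: Exists
      # Illustrative opt-in label for workloads that must always get a sidecar.
      alwaysInjectSelector:
        - matchExpressions:
            - key: istio-inject
              operator: In
              values: ["always"]
      rewriteAppHTTPProbe: true
```

Because pod annotations are evaluated before either selector, a pod carrying the `sidecar.istio.io/inject: "false"` annotation still escapes injection even if it matches `alwaysInjectSelector`; the selectors set the default for pods that say nothing.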
TracerConfig
Configuration for each of the supported tracers.
TracerDatadogConfig

Configuration for the Datadog tracing service.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `address` | `string` | Address in host:port format for reporting trace data to the Datadog agent. | No |
TracerLightStepConfig

Configuration for the LightStep tracing service.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `address` | `string` | Sets the LightStep satellite pool address in host:port format for reporting trace data. | No |
| `accessToken` | `string` | Sets the LightStep access token. This is a credential: keep it out of committed values files. | No |
TracerZipkinConfig

Configuration for the Zipkin tracing service.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `address` | `string` | Address of the Zipkin instance in host:port format for reporting trace data. Example: `zipkin.istio-system:9411` | No |
TracerStackdriverConfig

Configuration for the Stackdriver tracing service.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `debug` | `BoolValue` | Enables trace output to stdout. | No |
| `maxNumberOfAttributes` | `uint32` | The global default max number of attributes per span. | No |
| `maxNumberOfAnnotations` | `uint32` | The global default max number of annotation events per span. | No |
| `maxNumberOfMessageEvents` | `uint32` | The global default max number of message events per span. | No |
BaseConfig

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enableCRDTemplates` | `BoolValue` | For Helm 2 use, adds the CRDs to templates. | No |
| `validationURL` | `string` | URL to use for the validating webhook. | No |
| `enableIstioConfigCRDs` | `BoolValue` | For istioctl use: controls whether the Istio config CRDs are included in the base chart. | No |
IstiodRemoteConfig

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `injectionURL` | `string` | URL to use for the sidecar injector webhook. | No |
Values

TypeMapStringInterface

GOTYPE: `map[string]interface{}`

TypeSliceOfMapStringInterface

GOTYPE: `[]map[string]interface{}`

TypeIntOrStringForPB

GOTYPE: `*IntOrStringForPB`

TypeSliceString
ZeroVPNConfig

ZeroVPNConfig enables cross-cluster access using SNI matching.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| `enabled` | `BoolValue` | Controls whether ZeroVPN is enabled. | No |
| `suffix` | `string` | DNS suffix used for ZeroVPN SNI matching. | No |
TypeInterface
TelemetryV2PrometheusConfig.ConfigOverride
OutboundTrafficPolicyConfig.Mode

Specifies the sidecar's default behavior when handling outbound traffic from the application.

| Name | Description |
| --- | --- |
| `ALLOW_ANY` | Outbound traffic to unknown destinations is allowed when there are no services or ServiceEntries for the destination port. |
| `REGISTRY_ONLY` | Restricts outbound traffic to services defined in the service registry as well as those defined through ServiceEntries. |
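The checker below is an added example, not part of Istio or its operator: it walks a parsed `IstioOperator` spec and reports the settings from this reference that weaken the mesh's security posture (`global.proxy.privileged`, `global.proxy.enableCoreDump`, a trace/debug `global.proxy.logLevel`, a narrowed `includeIPRanges` or any `excludeIPRanges`, `outboundTrafficPolicy.mode: ALLOW_ANY`, a gateway with `runAsRoot`, and a LoadBalancer ingress gateway with no `loadBalancerSourceRanges`). Assumptions: the spec is already parsed into Python dicts (the two sample specs are constructed, not captured from a real cluster); the outbound policy mode is read from `spec.meshConfig.outboundTrafficPolicy.mode`, where the `IstioOperator` resource carries it rather than under the Values API on this page; `global` and `gateways` are the standard top-level Values keys this page does not list; and an ingress gateway with no `type` is treated as `LoadBalancer`.

```python
"""Lint a parsed IstioOperator spec for the risky settings in this reference.

Added example: this checker is the editor's own, not part of Istio or its
operator. The sample specs at the bottom are constructed, not captured from
a real cluster.
"""
from typing import Any, Dict, List


def _get(node: Any, path: str, default: Any = None) -> Any:
    """Return the value at a dotted path inside nested dicts, or default."""
    cur = node
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def _is_true(value: Any) -> bool:
    """BoolValue fields arrive either as a bool or as the strings 'true'/'false'."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def lint_istio_operator_spec(spec: Dict[str, Any]) -> List[str]:
    """Return one finding per setting that weakens the mesh's security posture."""
    findings: List[str] = []
    values = spec.get("values") or {}
    proxy = _get(values, "global.proxy", {}) or {}

    # Sidecar (ProxyConfig) settings.
    if _is_true(proxy.get("privileged")):
        findings.append("global.proxy.privileged: istio-proxy runs with a privileged securityContext")
    if _is_true(proxy.get("enableCoreDump")):
        findings.append("global.proxy.enableCoreDump: a core dump contains the proxy's keys and plaintext")
    if str(proxy.get("logLevel", "")).lower() in ("trace", "debug"):
        findings.append("global.proxy.logLevel: trace/debug writes request detail into sidecar logs")
    if proxy.get("includeIPRanges") not in (None, "", "*") or proxy.get("excludeIPRanges"):
        findings.append(
            "global.proxy.includeIPRanges/excludeIPRanges: traffic outside the captured ranges "
            "bypasses the sidecar, so mTLS and the outbound traffic policy do not apply to it"
        )

    # Outbound policy. Assumption: read from spec.meshConfig, where IstioOperator carries it.
    if _get(spec, "meshConfig.outboundTrafficPolicy.mode") == "ALLOW_ANY":
        findings.append(
            "meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY: sidecars forward traffic to any "
            "unknown host; REGISTRY_ONLY limits egress to services and ServiceEntries"
        )

    # Gateway settings (GatewaysConfig / IngressGatewayConfig / EgressGatewayConfig).
    for name, gw in (values.get("gateways") or {}).items():
        if not isinstance(gw, dict) or not _is_true(gw.get("enabled", True)):
            continue  # skip scalar keys such as gateways.enabled and disabled gateways
        if _is_true(gw.get("runAsRoot")):
            findings.append(f"gateways.{name}.runAsRoot: gateway proxy runs as root")
        if "ingress" in name.lower():
            # Assumption: an unset type means LoadBalancer, the usual ingress default.
            if gw.get("type", "LoadBalancer") == "LoadBalancer" and not gw.get("loadBalancerSourceRanges"):
                findings.append(
                    f"gateways.{name}: LoadBalancer service without loadBalancerSourceRanges "
                    "is reachable from any source address"
                )
    return findings


# Constructed sample carrying every weak setting (not from a real cluster).
WEAK_SPEC: Dict[str, Any] = {
    "meshConfig": {"outboundTrafficPolicy": {"mode": "ALLOW_ANY"}},
    "values": {
        "global": {"proxy": {"privileged": True, "enableCoreDump": "true",
                             "logLevel": "debug", "includeIPRanges": "10.0.0.0/8"}},
        "gateways": {
            "enabled": True,
            "istioIngressgateway": {"enabled": True, "type": "LoadBalancer", "runAsRoot": True},
            "istioEgressgateway": {"enabled": False, "runAsRoot": True},
        },
    },
}

# The same spec with each finding corrected.
HARDENED_SPEC: Dict[str, Any] = {
    "meshConfig": {"outboundTrafficPolicy": {"mode": "REGISTRY_ONLY"}},
    "values": {
        "global": {"proxy": {"privileged": False, "enableCoreDump": False,
                             "logLevel": "warning", "includeIPRanges": "*"}},
        "gateways": {
            "enabled": True,
            "istioIngressgateway": {"enabled": True, "type": "LoadBalancer", "runAsRoot": False,
                                    "loadBalancerSourceRanges": ["203.0.113.0/24"]},
            "istioEgressgateway": {"enabled": True, "runAsRoot": False, "type": "ClusterIP"},
        },
    },
}

if __name__ == "__main__":
    for finding in lint_istio_operator_spec(WEAK_SPEC):
        print("FINDING:", finding)
    print("hardened spec findings:", lint_istio_operator_spec(HARDENED_SPEC))
```

Run it over the parsed output of your values file before `istioctl install`; every finding names the field path so it can be located in the tables above. The disabled egress gateway in `WEAK_SPEC` produces no finding, since a setting on a gateway that is never deployed is not exposure.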
TelemetryV2StackDriverConfig.AccessLogging

Types of access logs to export.

| Name | Description |
| --- | --- |
| `NONE` | No logs. |
| `FULL` | All logs, including both success and error logs. |
| `ERRORS_ONLY` | All error logs. This is currently only available for outbound/client-side logs. A request is classified as an error when status >= 400 or response_flag != "-". |
ingressControllerMode

Mode for the ingress controller.

| Name | Description |
| --- | --- |
| `UNSPECIFIED` | Unspecified Istio ingress controller. |
| `DEFAULT` | Selects all Ingress resources, with or without the Istio annotation. |
| `STRICT` | Selects only resources with the Istio annotation. |
| `OFF` | No ingress or sync. |
tracer

Specifies which tracer to use.

| Name | Description |
| --- | --- |
| `zipkin` | Report traces to Zipkin (see TracerZipkinConfig). |
| `lightstep` | Report traces to LightStep (see TracerLightStepConfig). |
| `datadog` | Report traces to Datadog (see TracerDatadogConfig). |
| `stackdriver` | Report traces to Stackdriver (see TracerStackdriverConfig). |
| `openCensusAgent` | Report traces to an OpenCensus agent. |