diff --git a/common/istio-1-16/README.md b/common/istio-1-16/README.md index 4619ebb116..80d1774791 100644 --- a/common/istio-1-16/README.md +++ b/common/istio-1-16/README.md @@ -63,6 +63,33 @@ old version is `X1.Y1.Z1`: --- +5. Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. + See: + - https://github.com/istio/istio/issues/12602 + - https://github.com/istio/istio/issues/24000 + + Until now we have used two patches: + - `common/istio-1-16/istio-install/base/patches/remove-pdb.yaml` + - `common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml` + + The above patches do not work with kustomize v3.2.0 as it doesn't have the appropriate + openapi schemas for the policy/v1 API version resources. This is fixed in kustomize v4+. + See: + - https://github.com/kubernetes-sigs/kustomize/issues/3694#issuecomment-799700607 + - https://github.com/kubernetes-sigs/kustomize/issues/4495 + + A temporary workaround is to delete these resources manually with `yq`: + + $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "cluster-local-gateway") | not)' common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml + $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "istio-ingressgateway") | not)' common/istio-1-16/istio-install/base/install.yaml + $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "istiod") | not)' common/istio-1-16/istio-install/base/install.yaml + + --- + **NOTE** + + NOTE: Make sure to remove a redundant {} at the end of the `common/istio-1-16/istio-install/base/install.yaml` and `common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml` files. + --- + ## Changes to Istio's upstream manifests ### Changes to the upstream IstioOperator profile 
diff --git a/common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml
index c5810e75a5..5e699dc5f9 100644
--- a/common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml
+++ b/common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml
@@ -57,124 +57,124 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution: containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - env: - - name: ISTIO_META_ROUTER_MODE - value: sni-dnat - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: cluster-local-gateway - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - - name: ISTIO_META_UNPRIVILEGED_POD - value: 'true' - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - image: docker.io/istio/proxyv2:1.16.0 - name: istio-proxy - ports: - - containerPort: 15020 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/credential-uds - name: credential-socket - - mountPath: /var/run/secrets/workload-spiffe-credentials - name: workload-certs - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/istio/config - name: config-volume - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/pod - name: podinfo - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: cluster-local-gateway + - name: ISTIO_META_OWNER + value: 
kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_META_UNPRIVILEGED_POD + value: 'true' + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + image: docker.io/istio/proxyv2:1.16.0 + name: istio-proxy + ports: + - containerPort: 15020 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true securityContext: fsGroup: 1337 runAsGroup: 1337 
@@ -182,66 +182,47 @@ spec: runAsUser: 1337 serviceAccountName: cluster-local-gateway-service-account volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: podinfo - - emptyDir: {} - name: istio-envoy - - emptyDir: {} - name: istio-data - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio - optional: true - name: config-volume - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: cluster-local-gateway - namespace: istio-system - labels: - app: cluster-local-gateway - istio: cluster-local-gateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -spec: - minAvailable: 1 - selector: - matchLabels: - app: cluster-local-gateway - istio: cluster-local-gateway + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio 
+ optional: true + name: config-volume + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -254,9 +235,9 @@ metadata: install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways rules: -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] + - apiGroups: [''] + resources: [secrets] + verbs: [get, watch, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -273,8 +254,8 @@ roleRef: kind: Role name: cluster-local-gateway-sds subjects: -- kind: ServiceAccount - name: cluster-local-gateway-service-account + - kind: ServiceAccount + name: cluster-local-gateway-service-account --- apiVersion: v1 kind: Service @@ -291,14 +272,14 @@ metadata: namespace: istio-system spec: ports: - - name: status-port - port: 15020 - protocol: TCP - targetPort: 15020 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 + - name: status-port + port: 15020 + protocol: TCP + targetPort: 15020 + - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 selector: app: cluster-local-gateway istio: cluster-local-gateway diff --git a/common/istio-1-16/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-16/cluster-local-gateway/base/kustomization.yaml index 00d9d84f0e..03d0cc2038 100644 --- a/common/istio-1-16/cluster-local-gateway/base/kustomization.yaml +++ b/common/istio-1-16/cluster-local-gateway/base/kustomization.yaml 
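Review bot: The PodDisruptionBudget for cluster-local-gateway is deleted from the generated manifest by hand (the README hunk describes a `yq` workaround) rather than by the kustomize patch, so the next refresh of this file from upstream Istio will silently reintroduce the PDB and nothing in the build will notice. A comment at the top of cluster-local-gateway.yaml such as `# NOTE: the PodDisruptionBudget has been stripped with yq (see README step 5); re-apply after regenerating from upstream` would at least make the manual step discoverable, and a check in CI that the rendered output contains no `kind: PodDisruptionBudget` would make it enforceable. The re-indentation of every other list in this file looks like a side effect of `yq eval -i` rewriting the whole file, which buries the one substantive change in a whitespace diff. Dropping the PDB also removes eviction protection for the gateway; that is presumably the intent (the referenced Istio issues concern a `minAvailable: 1` PDB blocking node drains on single-replica deployments), but it should be revisited if replicas are ever raised.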
@@ -12,5 +12,10 @@ resources: - gateway-authorizationpolicy.yaml - gateway.yaml -patchesStrategicMerge: -- patches/remove-pdb.yaml +# Disable this patch until we upgrade to kustomize to v4+ +# see https://github.com/kubeflow/manifests/issues/1797 and +# https://github.com/kubernetes-sigs/kustomize/issues/3694#issuecomment-799700607 +# Currently this patch doesn't work with kutomize 3.2.0 +# - patches/remove-pdb.yaml +# patchesStrategicMerge: +# - patches/remove-pdb.yaml diff --git a/common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml index fc675a6493..7453e086c5 100644 --- a/common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml +++ b/common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml @@ -1,6 +1,6 @@ $patch: delete -apiVersion: policy/v1beta1 +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: cluster-local-gateway - namespace: istio-system + namespace: istio-system \ No newline at end of file diff --git a/common/istio-1-16/istio-install/base/install.yaml b/common/istio-1-16/istio-install/base/install.yaml index 148bbff8ad..72207c7dd3 100644 --- a/common/istio-1-16/istio-install/base/install.yaml +++ b/common/istio-1-16/istio-install/base/install.yaml 
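Review bot: The new comment block lists `# - patches/remove-pdb.yaml` twice, once before `# patchesStrategicMerge:` and once after it, and the prose has a typo (`kutomize`) and a doubled preposition (`upgrade to kustomize to v4+`). Suggest collapsing it to `# Disabled until kustomize is upgraded to v4+: v3.2.0 has no OpenAPI schema for policy/v1, so this $patch: delete does not apply` and `# (kubeflow/manifests#1797, kustomize#3694). The PDB is stripped with yq instead; see README step 5.`, followed by the commented-out `# patchesStrategicMerge:` / `# - patches/remove-pdb.yaml` pair exactly once. Since the patch is no longer applied, the PDB removal now relies entirely on a manual step that the build does not verify; pointing at the README step from here at least keeps the two places in sync.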
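Review bot: The trailing newline on the last line (`  namespace: istio-system`) was dropped, as the `\ No newline at end of file` marker shows; restore it so the next edit does not produce a spurious one-line diff. The bump to `apiVersion: policy/v1` is the right move, since the `policy/v1beta1` PodDisruptionBudget API was removed in Kubernetes 1.25, but this patch is no longer referenced from kustomization.yaml in the same commit, so the change has no effect until the kustomize upgrade re-enables it.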
@@ -46,42 +46,41 @@ metadata: app: istio-reader release: istio rules: -- apiGroups: - - config.istio.io - - security.istio.io - - networking.istio.io - - authentication.istio.io - - rbac.istio.io - resources: ['*'] - verbs: [get, list, watch] -- apiGroups: [''] - resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, - secrets] - verbs: [get, list, watch] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list] - resources: [workloadentries] -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, list, watch, create, delete] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, list, watch] -- apiGroups: [apps] - resources: [replicasets] - verbs: [get, list, watch] -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] + - apiGroups: + - config.istio.io + - security.istio.io + - networking.istio.io + - authentication.istio.io + - rbac.istio.io + resources: ['*'] + verbs: [get, list, watch] + - apiGroups: [''] + resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, secrets] + verbs: [get, list, watch] + - apiGroups: [networking.istio.io] + verbs: [get, watch, list] + resources: [workloadentries] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, list, watch] + - apiGroups: [discovery.k8s.io] + resources: [endpointslices] + verbs: [get, list, watch] + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceexports] + verbs: [get, list, watch, create, delete] + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceimports] + verbs: [get, list, watch] + - apiGroups: [apps] + resources: 
[replicasets] + verbs: [get, list, watch] + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: [create] + - apiGroups: [authorization.k8s.io] + resources: [subjectaccessreviews] + verbs: [create] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -91,42 +90,41 @@ metadata: app: istio-reader release: istio rules: -- apiGroups: - - config.istio.io - - security.istio.io - - networking.istio.io - - authentication.istio.io - - rbac.istio.io - resources: ['*'] - verbs: [get, list, watch] -- apiGroups: [''] - resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, - secrets] - verbs: [get, list, watch] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list] - resources: [workloadentries] -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] -- apiGroups: [apps] - resources: [replicasets] - verbs: [get, list, watch] -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list] -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] + - apiGroups: + - config.istio.io + - security.istio.io + - networking.istio.io + - authentication.istio.io + - rbac.istio.io + resources: ['*'] + verbs: [get, list, watch] + - apiGroups: [''] + resources: [endpoints, pods, services, nodes, replicationcontrollers, namespaces, secrets] + verbs: [get, list, watch] + - apiGroups: [networking.istio.io] + verbs: [get, watch, list] + resources: [workloadentries] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, list, watch] + - apiGroups: [discovery.k8s.io] + resources: [endpointslices] + verbs: [get, list, watch] + - apiGroups: [apps] + resources: [replicasets] + verbs: [get, list, watch] + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: [create] + - apiGroups: [authorization.k8s.io] + resources: [subjectaccessreviews] + verbs: [create] + - apiGroups: 
[multicluster.x-k8s.io] + resources: [serviceexports] + verbs: [get, watch, list] + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceimports] + verbs: [get, watch, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -137,104 +135,90 @@ metadata: release: istio rules: # sidecar injection controller -- apiGroups: [admissionregistration.k8s.io] - resources: [mutatingwebhookconfigurations] - verbs: [get, list, watch, update, patch] - - # configuration validation webhook controller -- apiGroups: [admissionregistration.k8s.io] - resources: [validatingwebhookconfigurations] - verbs: [get, list, watch, update] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution -- apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, - rbac.istio.io, telemetry.istio.io, extensions.istio.io] - verbs: [get, watch, list] - resources: ['*'] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries/status] - - # auto-detect installed CRD definitions -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] - - # discovery and routing -- apiGroups: [''] - resources: [pods, nodes, services, namespaces, endpoints] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] - - # ingress controller -- apiGroups: [networking.k8s.io] - resources: [ingresses, ingressclasses] - verbs: [get, list, watch] -- apiGroups: [networking.k8s.io] - resources: [ingresses/status] - verbs: ['*'] - - # required for CA's namespace controller -- apiGroups: [''] - resources: [configmaps] - verbs: [create, get, list, watch, update] - - # Istiod and bootstrap. 
-- apiGroups: [certificates.k8s.io] - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: [update, create, get, delete, watch] -- apiGroups: [certificates.k8s.io] - resources: - - signers - resourceNames: - - kubernetes.io/legacy-unknown - verbs: [approve] - - # Used by Istiod to verify the JWT tokens -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] - - # Used by Istiod to verify gateway SDS -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] - - # Use for Kubernetes Service APIs -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] - verbs: [get, watch, list] -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] # TODO: should be on just */status but wildcard is not supported - verbs: [update, patch] -- apiGroups: [gateway.networking.k8s.io] - resources: [gatewayclasses] - verbs: [create, update, patch, delete] - - # Needed for multicluster secret reading, possibly ingress certs in the future -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] - - # Used for MCS serviceexport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list, create, delete] - - # Used for MCS serviceimport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] + - apiGroups: [admissionregistration.k8s.io] + resources: [mutatingwebhookconfigurations] + verbs: [get, list, watch, update, patch] + # configuration validation webhook controller + - apiGroups: [admissionregistration.k8s.io] + resources: [validatingwebhookconfigurations] + verbs: [get, list, watch, update] + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - 
apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, rbac.istio.io, telemetry.istio.io, extensions.istio.io] + verbs: [get, watch, list] + resources: ['*'] + - apiGroups: [networking.istio.io] + verbs: [get, watch, list, update, patch, create, delete] + resources: [workloadentries] + - apiGroups: [networking.istio.io] + verbs: [get, watch, list, update, patch, create, delete] + resources: [workloadentries/status] + # auto-detect installed CRD definitions + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, list, watch] + # discovery and routing + - apiGroups: [''] + resources: [pods, nodes, services, namespaces, endpoints] + verbs: [get, list, watch] + - apiGroups: [discovery.k8s.io] + resources: [endpointslices] + verbs: [get, list, watch] + # ingress controller + - apiGroups: [networking.k8s.io] + resources: [ingresses, ingressclasses] + verbs: [get, list, watch] + - apiGroups: [networking.k8s.io] + resources: [ingresses/status] + verbs: ['*'] + # required for CA's namespace controller + - apiGroups: [''] + resources: [configmaps] + verbs: [create, get, list, watch, update] + # Istiod and bootstrap. 
+ - apiGroups: [certificates.k8s.io] + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: [update, create, get, delete, watch] + - apiGroups: [certificates.k8s.io] + resources: + - signers + resourceNames: + - kubernetes.io/legacy-unknown + verbs: [approve] + # Used by Istiod to verify the JWT tokens + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: [create] + # Used by Istiod to verify gateway SDS + - apiGroups: [authorization.k8s.io] + resources: [subjectaccessreviews] + verbs: [create] + # Use for Kubernetes Service APIs + - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] + resources: ['*'] + verbs: [get, watch, list] + - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] + resources: ['*'] # TODO: should be on just */status but wildcard is not supported + verbs: [update, patch] + - apiGroups: [gateway.networking.k8s.io] + resources: [gatewayclasses] + verbs: [create, update, patch, delete] + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [''] + resources: [secrets] + verbs: [get, watch, list] + # Used for MCS serviceexport management + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceexports] + verbs: [get, watch, list, create, delete] + # Used for MCS serviceimport management + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceimports] + verbs: [get, watch, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -244,12 +228,12 @@ metadata: app: istiod release: istio rules: -- apiGroups: [apps] - verbs: [get, watch, list, update, patch, create, delete] - resources: [deployments] -- apiGroups: [''] - verbs: [get, watch, list, update, patch, create, delete] - resources: [services] + - apiGroups: [apps] + verbs: [get, watch, list, update, patch, create, delete] + resources: [deployments] + - apiGroups: [''] + verbs: [get, watch, list, update, patch, create, delete] + resources: [services] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -260,104 +244,90 @@ metadata: release: istio rules: # sidecar injection controller -- apiGroups: [admissionregistration.k8s.io] - resources: [mutatingwebhookconfigurations] - verbs: [get, list, watch, update, patch] - - # configuration validation webhook controller -- apiGroups: [admissionregistration.k8s.io] - resources: [validatingwebhookconfigurations] - verbs: [get, list, watch, update] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution -- apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, - rbac.istio.io, telemetry.istio.io] - verbs: [get, watch, list] - resources: ['*'] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries] -- apiGroups: [networking.istio.io] - verbs: [get, watch, list, update, patch, create, delete] - resources: [workloadentries/status] - - # auto-detect installed CRD definitions -- apiGroups: [apiextensions.k8s.io] - resources: [customresourcedefinitions] - verbs: [get, list, watch] - - # discovery and routing -- apiGroups: [''] - resources: [pods, nodes, services, namespaces, endpoints] - verbs: [get, list, watch] -- apiGroups: [discovery.k8s.io] - resources: [endpointslices] - verbs: [get, list, watch] - - # ingress controller -- apiGroups: [networking.k8s.io] - resources: [ingresses, ingressclasses] - verbs: [get, list, watch] -- apiGroups: [networking.k8s.io] - resources: [ingresses/status] - verbs: ['*'] - - # required for CA's namespace controller -- apiGroups: [''] - resources: [configmaps] - verbs: [create, get, list, watch, update] - - # Istiod and bootstrap. 
-- apiGroups: [certificates.k8s.io] - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: [update, create, get, delete, watch] -- apiGroups: [certificates.k8s.io] - resources: - - signers - resourceNames: - - kubernetes.io/legacy-unknown - verbs: [approve] - - # Used by Istiod to verify the JWT tokens -- apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: [create] - - # Used by Istiod to verify gateway SDS -- apiGroups: [authorization.k8s.io] - resources: [subjectaccessreviews] - verbs: [create] - - # Use for Kubernetes Service APIs -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] - verbs: [get, watch, list] -- apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] - resources: ['*'] # TODO: should be on just */status but wildcard is not supported - verbs: [update] -- apiGroups: [gateway.networking.k8s.io] - resources: [gatewayclasses] - verbs: [create, update, patch, delete] - - # Needed for multicluster secret reading, possibly ingress certs in the future -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] - - # Used for MCS serviceexport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceexports] - verbs: [get, watch, list, create, delete] - - # Used for MCS serviceimport management -- apiGroups: [multicluster.x-k8s.io] - resources: [serviceimports] - verbs: [get, watch, list] + - apiGroups: [admissionregistration.k8s.io] + resources: [mutatingwebhookconfigurations] + verbs: [get, list, watch, update, patch] + # configuration validation webhook controller + - apiGroups: [admissionregistration.k8s.io] + resources: [validatingwebhookconfigurations] + verbs: [get, list, watch, update] + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - 
apiGroups: [config.istio.io, security.istio.io, networking.istio.io, authentication.istio.io, rbac.istio.io, telemetry.istio.io] + verbs: [get, watch, list] + resources: ['*'] + - apiGroups: [networking.istio.io] + verbs: [get, watch, list, update, patch, create, delete] + resources: [workloadentries] + - apiGroups: [networking.istio.io] + verbs: [get, watch, list, update, patch, create, delete] + resources: [workloadentries/status] + # auto-detect installed CRD definitions + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, list, watch] + # discovery and routing + - apiGroups: [''] + resources: [pods, nodes, services, namespaces, endpoints] + verbs: [get, list, watch] + - apiGroups: [discovery.k8s.io] + resources: [endpointslices] + verbs: [get, list, watch] + # ingress controller + - apiGroups: [networking.k8s.io] + resources: [ingresses, ingressclasses] + verbs: [get, list, watch] + - apiGroups: [networking.k8s.io] + resources: [ingresses/status] + verbs: ['*'] + # required for CA's namespace controller + - apiGroups: [''] + resources: [configmaps] + verbs: [create, get, list, watch, update] + # Istiod and bootstrap. 
+ - apiGroups: [certificates.k8s.io] + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: [update, create, get, delete, watch] + - apiGroups: [certificates.k8s.io] + resources: + - signers + resourceNames: + - kubernetes.io/legacy-unknown + verbs: [approve] + # Used by Istiod to verify the JWT tokens + - apiGroups: [authentication.k8s.io] + resources: [tokenreviews] + verbs: [create] + # Used by Istiod to verify gateway SDS + - apiGroups: [authorization.k8s.io] + resources: [subjectaccessreviews] + verbs: [create] + # Use for Kubernetes Service APIs + - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] + resources: ['*'] + verbs: [get, watch, list] + - apiGroups: [networking.x-k8s.io, gateway.networking.k8s.io] + resources: ['*'] # TODO: should be on just */status but wildcard is not supported + verbs: [update] + - apiGroups: [gateway.networking.k8s.io] + resources: [gatewayclasses] + verbs: [create, update, patch, delete] + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [''] + resources: [secrets] + verbs: [get, watch, list] + # Used for MCS serviceexport management + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceexports] + verbs: [get, watch, list, create, delete] + # Used for MCS serviceimport management + - apiGroups: [multicluster.x-k8s.io] + resources: [serviceimports] + verbs: [get, watch, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -371,9 +341,9 @@ roleRef: kind: ClusterRole name: istio-reader-clusterrole-istio-system subjects: -- kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -387,9 +357,9 @@ roleRef: kind: ClusterRole name: istio-reader-istio-system subjects: -- kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -403,9 +373,9 @@ roleRef: kind: ClusterRole name: istiod-clusterrole-istio-system subjects: -- kind: ServiceAccount - name: istiod - namespace: istio-system + - kind: ServiceAccount + name: istiod + namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -419,9 +389,9 @@ roleRef: kind: ClusterRole name: istiod-gateway-controller-istio-system subjects: -- kind: ServiceAccount - name: istiod - namespace: istio-system + - kind: ServiceAccount + name: istiod + namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -435,9 +405,9 @@ roleRef: kind: ClusterRole name: istiod-istio-system subjects: -- kind: ServiceAccount - name: istiod-service-account - namespace: istio-system + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration 
@@ -451,38 +421,38 @@ metadata: webhooks: # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks # are rejecting invalid configs on a per-revision basis. -- name: rev.validation.istio.io - clientConfig: + - name: rev.validation.istio.io + clientConfig: # Should change from base but cannot for API compat - service: - name: istiod - namespace: istio-system - path: /validate - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - '*' - resources: - - '*' - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: [v1beta1, v1] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - default + service: + name: istiod + namespace: istio-system + path: /validate + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - '*' + resources: + - '*' + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: [v1beta1, v1] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -494,110 +464,110 @@ metadata: spec: priority: -1 configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: 
type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + 
context: GATEWAY + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -609,110 +579,110 @@ metadata: spec: priority: -1 configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: 
type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + 
context: GATEWAY + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -724,110 +694,110 @@ metadata: spec: priority: -1 configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: 
type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + 
context: GATEWAY + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -839,110 +809,110 @@ metadata: spec: priority: -1 configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: 
type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + 
context: GATEWAY + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.filters.http.router + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -954,102 +924,102 @@ metadata: spec: priority: -1 configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": 
"false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.13.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + 
configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -1061,102 +1031,102 @@ metadata: spec: priority: -1 configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - 
"debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.14.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: 
stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -1168,102 +1138,102 @@ metadata: spec: priority: -1 configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - 
"debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.15.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: 
stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter 
@@ -1275,102 +1245,102 @@ metadata: spec: priority: -1 configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - 
"debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: ^1\.16.* + listener: + filterChain: + filter: + name: envoy.filters.network.tcp_proxy + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + '@type': type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: 
stats_outbound + configuration: + '@type': type.googleapis.com/google.protobuf.StringValue + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats --- apiVersion: v1 kind: ConfigMap @@ -1383,11 +1353,9 @@ metadata: operator.istio.io/component: Pilot release: istio data: - # Configuration file for the mesh networks to be used by the Split Horizon EDS. meshNetworks: |- networks: {} - mesh: |- accessLogFile: /dev/stdout defaultConfig: @@ -1420,7 +1388,6 @@ metadata: operator.istio.io/component: Pilot release: istio data: - values: |- { "global": { @@ -1555,7 +1522,6 @@ data: "templates": {} } } - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching # and istiod webhook functionality. # 
@@ -2698,122 +2664,122 @@ metadata: app: sidecar-injector release: istio webhooks: -- name: rev.namespace.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] - failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - default - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - 'false' -- name: rev.object.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] - failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - 'false' - - key: istio.io/rev - operator: In - values: - - default -- name: namespace.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - sideEffects: None - rules: - - operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] - failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - 'false' -- name: object.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - sideEffects: None - rules: - - 
operations: [CREATE] - apiGroups: [''] - apiVersions: [v1] - resources: [pods] - failurePolicy: Fail - admissionReviewVersions: [v1beta1, v1] - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - 'true' - - key: istio.io/rev - operator: DoesNotExist + - name: rev.namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + sideEffects: None + rules: + - operations: [CREATE] + apiGroups: [''] + apiVersions: [v1] + resources: [pods] + failurePolicy: Fail + admissionReviewVersions: [v1beta1, v1] + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - 'false' + - name: rev.object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + sideEffects: None + rules: + - operations: [CREATE] + apiGroups: [''] + apiVersions: [v1] + resources: [pods] + failurePolicy: Fail + admissionReviewVersions: [v1beta1, v1] + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - 'false' + - key: istio.io/rev + operator: In + values: + - default + - name: namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + sideEffects: None + rules: + - operations: [CREATE] + apiGroups: [''] + apiVersions: [v1] + resources: [pods] + failurePolicy: Fail + admissionReviewVersions: [v1beta1, v1] + namespaceSelector: + matchExpressions: 
+ - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - 'false' + - name: object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + sideEffects: None + rules: + - operations: [CREATE] + apiGroups: [''] + apiVersions: [v1] + resources: [pods] + failurePolicy: Fail + admissionReviewVersions: [v1beta1, v1] + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - 'true' + - key: istio.io/rev + operator: DoesNotExist --- apiVersion: apps/v1 kind: Deployment 
@@ -2861,128 +2827,128 @@ spec: preferredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution: containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - env: - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: istio-ingressgateway - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - - name: ISTIO_META_UNPRIVILEGED_POD - value: 'true' - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - image: docker.io/istio/proxyv2:1.16.0 - name: istio-proxy - ports: - - containerPort: 15021 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8443 - protocol: TCP - - containerPort: 31400 - protocol: TCP - - containerPort: 15443 - protocol: TCP - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - 
requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/credential-uds - name: credential-socket - - mountPath: /var/run/secrets/workload-spiffe-credentials - name: workload-certs - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/istio/config - name: config-volume - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/pod - name: podinfo - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: istio-ingressgateway + - name: ISTIO_META_OWNER + value: 
kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_META_UNPRIVILEGED_POD + value: 'true' + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + image: docker.io/istio/proxyv2:1.16.0 + name: istio-proxy + ports: + - containerPort: 15021 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 8443 + protocol: TCP + - containerPort: 31400 + protocol: TCP + - containerPort: 15443 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true securityContext: fsGroup: 1337 runAsGroup: 1337 
@@ -2990,47 +2956,47 @@ spec: runAsUser: 1337 serviceAccountName: istio-ingressgateway-service-account volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: podinfo - - emptyDir: {} - name: istio-envoy - - emptyDir: {} - name: istio-data - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio - optional: true - name: config-volume - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + optional: true + name: config-volume + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs --- apiVersion: apps/v1 kind: Deployment 
@@ -3068,166 +3034,128 @@ spec: sidecar.istio.io/inject: 'false' spec: containers: - - args: - - discovery - - --monitoringAddr=:15014 - - --log_output_level=default:info - - --domain - - cluster.local - - --keepaliveMaxServerConnectionAge - - 30m - env: - - name: REVISION - value: default - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - - name: PILOT_TRACE_SAMPLING - value: '100' - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: 'true' - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: 'true' - - name: ISTIOD_ADDR - value: istiod.istio-system.svc:15012 - - name: PILOT_ENABLE_ANALYSIS - value: 'false' - - name: CLUSTER_ID - value: Kubernetes - image: docker.io/istio/pilot:1.16.0 - name: discovery - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - resources: - requests: - cpu: 10m - memory: 100Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - volumeMounts: - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/run/secrets/istio-dns - name: local-certs - - mountPath: /etc/cacerts - name: cacerts - readOnly: true - - mountPath: /var/run/secrets/remote - name: istio-kubeconfig - readOnly: true - - mountPath: /var/run/secrets/istiod/tls - name: istio-csr-dns-cert - readOnly: true - - 
mountPath: /var/run/secrets/istiod/ca - name: istio-csr-ca-configmap - readOnly: true + - args: + - discovery + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --keepaliveMaxServerConnectionAge + - 30m + env: + - name: REVISION + value: default + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + - name: PILOT_TRACE_SAMPLING + value: '100' + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: 'true' + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: 'true' + - name: ISTIOD_ADDR + value: istiod.istio-system.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: 'false' + - name: CLUSTER_ID + value: Kubernetes + image: docker.io/istio/pilot:1.16.0 + name: discovery + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + resources: + requests: + cpu: 10m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/run/secrets/istio-dns + name: local-certs + - mountPath: /etc/cacerts + name: cacerts + readOnly: true + - mountPath: /var/run/secrets/remote + name: istio-kubeconfig + readOnly: true + - mountPath: /var/run/secrets/istiod/tls + name: istio-csr-dns-cert + readOnly: true + - 
mountPath: /var/run/secrets/istiod/ca + name: istio-csr-ca-configmap + readOnly: true securityContext: fsGroup: 1337 serviceAccountName: istiod volumes: - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: cacerts - secret: - optional: true - secretName: cacerts - - name: istio-kubeconfig - secret: - optional: true - secretName: istio-kubeconfig - - name: istio-csr-dns-cert - secret: - optional: true - secretName: istiod-tls - - configMap: - defaultMode: 420 - name: istio-ca-root-cert - optional: true - name: istio-csr-ca-configmap ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-ingressgateway - namespace: istio-system - labels: - app: istio-ingressgateway - istio: ingressgateway - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: IngressGateways -spec: - minAvailable: 1 - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: Pilot - release: istio - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - istio: pilot + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: cacerts + secret: + optional: true + secretName: cacerts + - name: istio-kubeconfig + secret: + optional: true + secretName: istio-kubeconfig + - name: istio-csr-dns-cert + secret: + optional: true + secretName: istiod-tls + - configMap: + defaultMode: 420 + name: istio-ca-root-cert + optional: true + name: 
istio-csr-ca-configmap --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -3240,9 +3168,9 @@ metadata: install.operator.istio.io/owning-resource: unknown operator.istio.io/component: IngressGateways rules: -- apiGroups: [''] - resources: [secrets] - verbs: [get, watch, list] + - apiGroups: [''] + resources: [secrets] + verbs: [get, watch, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -3253,18 +3181,16 @@ metadata: app: istiod release: istio rules: -- apiGroups: [networking.istio.io] - verbs: [create] - resources: [gateways] - -- apiGroups: [''] - resources: [secrets] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: [create, get, watch, list, update, delete] - -- apiGroups: [''] - resources: [configmaps] - verbs: [delete] + - apiGroups: [networking.istio.io] + verbs: [create] + resources: [gateways] + - apiGroups: [''] + resources: [secrets] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: [create, get, watch, list, update, delete] + - apiGroups: [''] + resources: [configmaps] + verbs: [delete] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -3275,14 +3201,13 @@ metadata: app: istiod release: istio rules: -- apiGroups: [networking.istio.io] - verbs: [create] - resources: [gateways] - -- apiGroups: [''] - resources: [secrets] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: [create, get, watch, list, update, delete] + - apiGroups: [networking.istio.io] + verbs: [create] + resources: [gateways] + - apiGroups: [''] + resources: [secrets] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: [create, get, watch, list, update, delete] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
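Review bot: The two `minAvailable: 1` PodDisruptionBudgets for `istiod` and `istio-ingressgateway` are deleted at the end of this hunk with nothing standing in for them, so a node drain or autoscaler scale-down is now free to evict every control-plane and ingress-gateway replica at the same time. While istiod is unavailable the sidecar-injector webhooks earlier in this diff run with `failurePolicy: Fail`, so pod creation in injected namespaces is refused until it comes back, and the gateway stops receiving xDS/SDS updates; how much exposure that is depends on the `replicas` of these Deployments, which is outside the visible part of the hunk. The rationale for dropping the budgets is not recorded anywhere in the manifest or its kustomization, so a later reader will read this as an accidental loss; a comment in the kustomization such as `# PDBs are intentionally absent: minAvailable: 1 on a single-replica istiod/ingressgateway blocks node drains. Run >1 replica in overlays where a drain must not take the mesh down.` would capture the trade-off and the mitigation. The istiod Deployment whose volumes close this hunk starts earlier in the hunk.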
@@ -3299,8 +3224,8 @@ roleRef: kind: Role name: istio-ingressgateway-sds subjects: -- kind: ServiceAccount - name: istio-ingressgateway-service-account + - kind: ServiceAccount + name: istio-ingressgateway-service-account --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -3315,9 +3240,9 @@ roleRef: kind: Role name: istiod subjects: -- kind: ServiceAccount - name: istiod - namespace: istio-system + - kind: ServiceAccount + name: istiod + namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -3332,9 +3257,9 @@ roleRef: kind: Role name: istiod-istio-system subjects: -- kind: ServiceAccount - name: istiod-service-account - namespace: istio-system + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system --- apiVersion: v1 kind: Service @@ -3351,26 +3276,26 @@ metadata: namespace: istio-system spec: ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: tcp - port: 31400 - protocol: TCP - targetPort: 31400 - - name: tls - port: 15443 - protocol: TCP - targetPort: 15443 + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: tcp + port: 31400 + protocol: TCP + targetPort: 31400 + - name: tls + port: 15443 + protocol: TCP + targetPort: 15443 selector: app: istio-ingressgateway istio: ingressgateway 
@@ -3390,19 +3315,19 @@ metadata: release: istio spec: ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP selector: app: istiod # Label used by the 'default' service. For versioned deployments we match with app and version. diff --git a/common/istio-1-16/istio-install/base/kustomization.yaml b/common/istio-1-16/istio-install/base/kustomization.yaml index ebcc1cd804..aa459be42a 100644 --- a/common/istio-1-16/istio-install/base/kustomization.yaml +++ b/common/istio-1-16/istio-install/base/kustomization.yaml @@ -1,5 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization + +namespace: istio-system + resources: - install.yaml - gateway_authorizationpolicy.yaml @@ -7,9 +10,12 @@ resources: - gateway.yaml - x-forwarded-host.yaml -namespace: istio-system - patchesStrategicMerge: - patches/service.yaml -- patches/remove-pdb.yaml -- patches/istio-configmap-disable-tracing.yaml \ No newline at end of file +- patches/istio-configmap-disable-tracing.yaml +# Disable this patch until we upgrade to kustomize to v4+ +# see https://github.com/kubeflow/manifests/issues/1797 and +# https://github.com/kubernetes-sigs/kustomize/issues/3694#issuecomment-799700607 +# This patch doesn't work with kutomize 3.2.0 . +# - patches/remove-pdb.yaml + 
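Review bot: Commenting out `patches/remove-pdb.yaml` in the `@@ -7,9 +10,12 @@` hunk leaves nothing in the build that enforces the absence of PodDisruptionBudgets; the objects are now stripped from the manifest by a manual edit, and the next upstream regeneration will reintroduce them silently unless someone remembers that step. A guard in whatever regenerates or tests this overlay, e.g. `kustomize build common/istio-1-16/istio-install/base | grep -q 'kind: PodDisruptionBudget' && echo 'PDB leaked into build' && exit 1`, would catch the drift. The added comment also misspells `kutomize` and only says the patch "doesn't work"; a line such as `# kustomize 3.2.0 cannot apply this policy/v1 delete patch; PDBs are removed by hand until the build moves to kustomize v4+` would tell the reader both why it is disabled and what currently replaces it.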
diff --git a/common/istio-1-16/istio-install/base/patches/remove-pdb.yaml b/common/istio-1-16/istio-install/base/patches/remove-pdb.yaml index 2ee65a61a7..94b555efd6 100644 --- a/common/istio-1-16/istio-install/base/patches/remove-pdb.yaml +++ b/common/istio-1-16/istio-install/base/patches/remove-pdb.yaml @@ -1,12 +1,13 @@ +--- $patch: delete -apiVersion: policy/v1beta1 +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: istio-ingressgateway namespace: istio-system --- $patch: delete -apiVersion: policy/v1beta1 +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: istiod diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 172e9bf9e1..5f0e352ccf 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -15,7 +15,7 @@ resources: - ../common/dex/overlays/istio # KNative - ../common/knative/knative-serving/overlays/gateways -- ../common/knative/knative-eventing/base +# - ../common/knative/knative-eventing/base - ../common/istio-1-16/cluster-local-gateway/base # Kubeflow namespace - ../common/kubeflow-namespace/base
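Review bot: The patch now declares `apiVersion: policy/v1`, but the two PodDisruptionBudget objects this same diff removes from the install manifest carried `apiVersion: policy/v1beta1`, and a `$patch: delete` strategic-merge patch is matched against the target by group/version/kind/name in at least some kustomize releases. If the regenerated upstream manifest still emits `policy/v1beta1`, re-enabling this patch under kustomize v4+ may silently delete nothing, and since the patch is currently disabled in the kustomization the mismatch would go unnoticed until then. Add a note at the top of the file, e.g. `# apiVersion must match what the upstream manifest emits for these PDBs (policy/v1beta1 at the time of writing); verify before re-enabling this patch`, or align the version with the manifest now.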
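Review bot: The example kustomization stops deploying `../common/knative/knative-eventing/base` with no comment saying why, and that change has no relation to the PodDisruptionBudget and reindentation work the rest of the diff does. A reader of the example cannot tell whether eventing is broken on this Istio release, deliberately dropped, or commented out by accident while testing; add a one-line explanation above the commented entry, e.g. `# knative-eventing temporarily disabled: <reason>; see <tracking issue>`, or move the change to its own commit with that explanation in the message.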