-
Notifications
You must be signed in to change notification settings - Fork 0
/
annotations.yaml
337 lines (336 loc) · 11.8 KB
/
annotations.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
# Copyright 2019 Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
annotations:
- name: alpha.istio.io/kubernetes-serviceaccounts
variableName: AlphaKubernetesServiceAccounts
description: Specifies the Kubernetes service accounts that are allowed to run this
service on the VMs.
NOTE This API is Alpha and has no stability guarantees.
deprecated: false
hidden: true
resources:
- Service
- name: alpha.istio.io/canonical-serviceaccounts
variableName: AlphaCanonicalServiceAccounts
description: Specifies the non-Kubernetes service accounts that are allowed to
run this service.
NOTE This API is Alpha and has no stability guarantees.
deprecated: false
hidden: true
resources:
- Service
- name: alpha.istio.io/identity
description: Identity for the workload.
NOTE This API is Alpha and has no stability guarantees.
deprecated: false
hidden: true
resources:
- Pod
- name: networking.istio.io/exportTo
description: Specifies the namespaces to which this service should be exported to.
A value of '*' indicates it is reachable within the mesh '.' indicates it is
reachable within its namespace.
deprecated: false
hidden: false
resources:
- Service
- name: security.istio.io/tlsMode
description: Specifies the TLS mode supported by a sidecar proxy. Valid values are 'istio', 'disabled'.
When injecting sidecars into Pods, the sidecar injector will set the value of this label to 'istio' indicating
that the sidecar is capable of supporting mTLS. Clients will opportunistically use this label to determine whether
or not to secure the traffic to this workload using Istio mutual TLS.
hidden: true
deprecated: false
resources:
- Pod
- name: sidecar.istio.io/inject
description: Specifies whether or not an Envoy sidecar should be automatically
injected into the workload.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/status
description: Generated by Envoy sidecar injection that indicates the status of
the operation. Includes a version hash of the executed template, as well as names of
injected resources.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/rewriteAppHTTPProbers
description: Rewrite HTTP readiness and liveness probes to be redirected to
the Envoy sidecar.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/controlPlaneAuthPolicy
description: Specifies the auth policy used by the Istio control plane. If NONE,
traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar
will be wrapped into mutual TLS connections.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/discoveryAddress
description: Specifies the XDS discovery address to be used by the Envoy
sidecar.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/proxyImage
description: Specifies the Docker image to be used by the Envoy sidecar.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/proxyCPU
description: Specifies the requested CPU setting for the Envoy sidecar.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/proxyCPULimit
description: Specifies the CPU limit for the Envoy sidecar.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/proxyMemory
description: Specifies the requested memory setting for the Envoy sidecar.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/proxyMemoryLimit
description: Specifies the memory limit for the Envoy sidecar.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/interceptionMode
description: Specifies the mode used to redirect inbound connections to Envoy
(REDIRECT or TPROXY).
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/bootstrapOverride
description: Specifies an alternative Envoy bootstrap configuration file.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/statsInclusionPrefixes
description: Specifies the comma separated list of prefixes of the stats to be
emitted by Envoy.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/statsInclusionSuffixes
description: Specifies the comma separated list of suffixes of the stats to be
emitted by Envoy.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/statsInclusionRegexps
description: Specifies the comma separated list of regexes the stats should match
to be emitted by Envoy.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/userVolume
description: Specifies one or more user volumes (as a JSON array) to be added to
the Envoy sidecar.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/userVolumeMount
description: Specifies one or more user volume mounts (as a JSON array) to be added
to the Envoy sidecar.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/enableCoreDump
description: Specifies whether or not an Envoy sidecar should enable core dump.
deprecated: false
hidden: false
resources:
- Pod
- name: status.sidecar.istio.io/port
description: Specifies the HTTP status Port for the Envoy sidecar. If zero, the
sidecar will not provide status.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/logLevel
description: Specifies the log level for Envoy.
deprecated: false
hidden: false
resources:
- Pod
- name: sidecar.istio.io/componentLogLevel
description: Specifies the component log level for Envoy.
deprecated: false
hidden: false
resources:
- Pod
- name: readiness.status.sidecar.istio.io/initialDelaySeconds
description: Specifies the initial delay (in seconds) for the Envoy sidecar readiness
probe.
deprecated: false
hidden: false
resources:
- Pod
- name: readiness.status.sidecar.istio.io/periodSeconds
description: Specifies the period (in seconds) for the Envoy sidecar readiness probe.
deprecated: false
hidden: false
resources:
- Pod
- name: readiness.status.sidecar.istio.io/failureThreshold
description: Specifies the failure threshold for the Envoy sidecar readiness probe.
deprecated: false
hidden: false
resources:
- Pod
- name: readiness.status.sidecar.istio.io/applicationPorts
description: Specifies the list of ports exposed by the application container. Used
by the Envoy sidecar readiness probe to determine that Envoy is configured and ready
to receive traffic.
deprecated: false
hidden: false
resources:
- Pod
- name: traffic.sidecar.istio.io/includeOutboundIPRanges
description: A comma separated list of IP ranges in CIDR form to redirect to Envoy
(optional). The wildcard character '*' can be used to redirect all outbound traffic.
An empty list will disable all outbound redirection.
deprecated: false
hidden: false
resources:
- Pod
- name: traffic.sidecar.istio.io/excludeOutboundIPRanges
description: A comma separated list of IP ranges in CIDR form to be excluded from
redirection. Only applies when all outbound traffic (i.e. '*') is being redirected.
deprecated: false
hidden: false
resources:
- Pod
- name: traffic.sidecar.istio.io/includeInboundPorts
description: A comma separated list of inbound ports for which traffic is to be
redirected to Envoy. The wildcard character '*' can be used to configure redirection
for all ports. An empty list will disable all inbound redirection.
deprecated: false
hidden: false
resources:
- Pod
- name: traffic.sidecar.istio.io/excludeInboundPorts
description: A comma separated list of inbound ports to be excluded from redirection
to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected.
deprecated: false
hidden: false
resources:
- Pod
- name: traffic.sidecar.istio.io/excludeOutboundPorts
description: A comma separated list of outbound ports to be excluded from redirection
to Envoy.
deprecated: false
hidden: false
resources:
- Pod
- name: traffic.sidecar.istio.io/kubevirtInterfaces
description: A comma separated list of virtual interfaces whose inbound traffic
(from VM) will be treated as outbound.
deprecated: false
hidden: false
resources:
- Pod
- name: policy.istio.io/lang
description: Selects the attribute expression language runtime for Mixer.
deprecated: false
hidden: false
resources:
- Pod
- name: policy.istio.io/check
description: Determines the policy for behavior when unable to connect to Mixer. If
not set, FAIL_CLOSE is set, rejecting requests.
deprecated: false
hidden: false
resources:
- Pod
- name: policy.istio.io/checkRetries
description: The maximum number of retries on transport errors to Mixer. If not set,
this will be 0, indicating no retries.
deprecated: false
hidden: false
resources:
- Pod
- name: policy.istio.io/checkBaseRetryWaitTime
description: Base time to wait between retries, will be adjusted by backoff and jitter.
In duration format. If not set, this will be 80ms.
deprecated: false
hidden: false
resources:
- Pod
- name: policy.istio.io/checkMaxRetryWaitTime
description: Maximum time to wait between retries to Mixer. In duration format. If not
set, this will be 1000ms.
deprecated: false
hidden: false
resources:
- Pod
- name: kubernetes.io/ingress.class
description: Annotation on an Ingress resources denoting the class of controllers responsible for it.
deprecated: false
hidden: false
resources:
- Ingress
- name: install.operator.istio.io/chart-owner
description: Represents the name of the chart used to create this resource.
deprecated: false
hidden: false
resources:
- Any
- name: install.operator.istio.io/owner-generation
description: Represents the generation to which the resource was last reconciled.
deprecated: false
hidden: false
resources:
- Any
- name: install.operator.istio.io/version
description: Represents the Istio version associated with the resource
deprecated: false
hidden: false
resources:
- Any
- name: galley.istio.io/analyze-suppress
description: A comma separated list of configuration analysis message codes
to suppress when Istio analyzers are run. For example, to suppress
reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on
a resource, apply the annotation
'galley.istio.io/analyze-suppress=IST0108,IST0103'. If the value is '*',
then all configuration analysis messages are suppressed.
deprecated: false
hidden: false
resources:
- Any