From 482c8e163a6e3dfb5e35d3b37c01b6ae78035162 Mon Sep 17 00:00:00 2001
From: my-git9
Date: Sun, 17 Apr 2022 22:10:37 +0800
Subject: [PATCH 1/3] zh-translation: docs/reference/config/networking/destination-rule/index.html
---
 .../networking/destination-rule/index.html | 2216 +++++++++++------
 1 file changed, 1411 insertions(+), 805 deletions(-)
diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html
index 20a367d083a6..5e35f2c78e48 100644
--- a/content/zh/docs/reference/config/networking/destination-rule/index.html
+++ b/content/zh/docs/reference/config/networking/destination-rule/index.html
@@ -7,8 +7,8 @@ layout: protoc-gen-docs
 generator: protoc-gen-docs
 schema: istio.networking.v1alpha3.DestinationRule
-aliases: [/zh/docs/reference/config/networking/v1alpha3/destination-rule.html]
-number_of_entries: 19
+aliases: [/docs/reference/config/networking/v1alpha3/destination-rule]
+number_of_entries: 20
 ---

DestinationRule defines policies that apply to traffic intended for a service after routing has occurred. These rules specify configuration
@@ -17,6 +17,9 @@ balancing pool. For example, a simple load balancing policy for the ratings service would look as follows:

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -25,15 +28,36 @@
   host: ratings.prod.svc.cluster.local
   trafficPolicy:
     loadBalancer:
-      simple: LEAST_CONN
+      simple: LEAST_REQUEST
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: LEAST_REQUEST
 
+

{{}} +{{}}

+

Version specific policies can be specified by defining a named subset and overriding the settings specified at the service level. The following rule uses a round robin load balancing policy for all traffic going to a subset named testversion that is composed of endpoints (e.g., pods) with labels (version:v3).

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -42,7 +66,29 @@
   host: ratings.prod.svc.cluster.local
   trafficPolicy:
     loadBalancer:
-      simple: LEAST_CONN
+      simple: LEAST_REQUEST
+  subsets:
+  - name: testversion
+    labels:
+      version: v3
+    trafficPolicy:
+      loadBalancer:
+        simple: ROUND_ROBIN
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: LEAST_REQUEST
   subsets:
   - name: testversion
     labels:
@@ -52,6 +98,9 @@
         simple: ROUND_ROBIN
 
+

{{}} +{{}}

+

Note: Policies specified for subsets will not take effect until a route rule explicitly sends traffic to this subset.

@@ -60,6 +109,9 @@ traffic to port 80, while uses a round robin load balancing setting for traffic to the port 9080.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -71,40 +123,93 @@
     - port:
         number: 80
       loadBalancer:
-        simple: LEAST_CONN
+        simple: LEAST_REQUEST
     - port:
         number: 9080
       loadBalancer:
         simple: ROUND_ROBIN
 
-

ConnectionPoolSettings

-
-

Connection pool settings for an upstream host. The settings apply to -each individual host in the upstream service. See Envoy’s circuit -breaker -for more details. Connection pool settings can be applied at the TCP -level as well as at HTTP level.

+

{{}}

-

For example, the following rule sets a limit of 100 connections to redis -service called myredissrv with a connect timeout of 30ms

+

{{}}

-
apiVersion: networking.istio.io/v1alpha3
+
apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
-  name: bookinfo-redis
+  name: bookinfo-ratings-port
 spec:
-  host: myredissrv.prod.svc.cluster.local
-  trafficPolicy:
-    connectionPool:
-      tcp:
-        maxConnections: 100
-        connectTimeout: 30ms
-        tcpKeepalive:
-          time: 7200s
-          interval: 75s
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy: # Apply to all ports
+    portLevelSettings:
+    - port:
+        number: 80
+      loadBalancer:
+        simple: LEAST_REQUEST
+    - port:
+        number: 9080
+      loadBalancer:
+        simple: ROUND_ROBIN
+
+ +

{{}}

+ +

Destination Rules can be customized to specific workloads as well. +The following example shows how a destination rule can be applied to a +specific workload using the workloadSelector configuration.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: configure-client-mtls-dr-with-workloadselector
+  spec:
+    workloadSelector:
+      matchLabels:
+        app: ratings
+    trafficPolicy:
+      loadBalancer:
+        simple: ROUND_ROBIN
+      portLevelSettings:
+        - port:
+            number: 31443
+          tls:
+            credentialName: client-credential
+            mode: MUTUAL
+
+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: configure-client-mtls-dr-with-workloadselector
+  spec:
+    workloadSelector:
+      matchLabels:
+        app: ratings
+    trafficPolicy:
+      loadBalancer:
+        simple: ROUND_ROBIN
+      portLevelSettings:
+        - port:
+            number: 31443
+          tls:
+            credentialName: client-credential
+            mode: MUTUAL
 
+

{{}} +{{}}

+ +

DestinationRule

+
+

DestinationRule defines policies that apply to traffic intended for a service +after routing has occurred.

+
@@ -115,22 +220,92 @@

ConnectionPoolSettings

- - - + + + + + + + + + - - - + + + + + + + + + + + + + + +
tcpTCPSettings
hoststring -

Settings common to both HTTP and TCP upstream connections.

+

The name of a service from the service registry. Service +names are looked up from the platform’s service registry (e.g., +Kubernetes services, Consul services, etc.) and from the hosts +declared by ServiceEntries. Rules defined for +services that do not exist in the service registry will be ignored.

+ +

Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the “default” namespace containing a host “reviews” will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of +the actual namespace associated with the reviews service. To avoid +potential misconfigurations, it is recommended to always use fully +qualified domain names over short names.

+ +

Note that the host field applies to both HTTP and TCP services.

+ +
+Yes +
trafficPolicyTrafficPolicy +

Traffic policies to apply (load balancing policy, connection pool +sizes, outlier detection).

No
httpHTTPSettings
subsetsSubset[] -

HTTP connection pool settings.

+

One or more named sets that represent individual versions of a +service. Traffic policies can be overridden at subset level.

+ +
+No +
exportTostring[] +

A list of namespaces to which this destination rule is exported. +The resolution of a destination rule to apply to a service occurs in the +context of a hierarchy of namespaces. Exporting a destination rule allows +it to be included in the resolution hierarchy for services in +other namespaces. This feature provides a mechanism for service owners +and mesh administrators to control the visibility of destination rules +across namespace boundaries.

+ +

If no namespaces are specified then the destination rule is exported to all +namespaces by default.

+ +

The value “.” is reserved and defines an export to the same namespace that +the destination rule is declared in. Similarly, the value “*” is reserved and +defines an export to all namespaces.

+ +
+No +
workloadSelectorWorkloadSelector +

Criteria used to select the specific set of pods/VMs on which this + DestinationRule configuration should be applied. If specified, the DestinationRule + configuration will be applied only to the workload instances matching the workload selector + label in the same namespace. Workload selectors do not apply across namespace boundaries. + If omitted, the DestinationRule falls back to its default behavior. + For example, if specific sidecars need to have egress TLS settings for services outside + of the mesh, instead of every sidecar in the mesh needing to have the + configuration (which is the default behaviour), a workload selector can be specified.

@@ -140,9 +315,10 @@

ConnectionPoolSettings

-

ConnectionPoolSettings.HTTPSettings

+

TrafficPolicy

-

Settings applicable to HTTP1.1/HTTP2/GRPC connections.

+

Traffic policies to apply for a specific destination, across all +destination ports. See DestinationRule for examples.

@@ -154,71 +330,59 @@

ConnectionPoolSettings.HTTPSettings

- - - - - - - - - + + + - - - + + + - - - + + + - - - + + + - - - + + +
http1MaxPendingRequestsint32 -

Maximum number of pending HTTP requests to a destination. Default 2^32-1.

- -
-No -
http2MaxRequestsint32
loadBalancerLoadBalancerSettings -

Maximum number of requests to a backend. Default 2^32-1.

+

Settings controlling the load balancer algorithms.

No
maxRequestsPerConnectionint32
connectionPoolConnectionPoolSettings -

Maximum number of requests per connection to a backend. Setting this -parameter to 1 disables keep alive. Default 0, meaning “unlimited”, -up to 2^29.

+

Settings controlling the volume of connections to an upstream service

No
maxRetriesint32
outlierDetectionOutlierDetection -

Maximum number of retries that can be outstanding to all hosts in a -cluster at a given time. Defaults to 2^32-1.

+

Settings controlling eviction of unhealthy hosts from the load balancing pool

No
idleTimeoutDuration
tlsClientTLSSettings -

The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. -If not set, the default is 1 hour. When the idle timeout is reached the connection will be closed. -Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

+

TLS related settings for connections to the upstream service.

No
h2UpgradePolicyH2UpgradePolicy
portLevelSettingsPortTrafficPolicy[] -

Specify if http1.1 connection should be upgraded to http2 for the associated destination.

+

Traffic policies specific to individual ports. Note that port level +settings will override the destination-level settings. Traffic +settings specified at the destination-level will not be inherited when +overridden by port-level settings, i.e. default values will be applied +to fields omitted in port-level traffic policies.

@@ -228,47 +392,680 @@

ConnectionPoolSettings.HTTPSettings

-

ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy

+

Subset

-

Policy for upgrading http1.1 connections to http2.

- - - - - - - - - - - - - - - - +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: LEAST_REQUEST
+  subsets:
+  - name: testversion
+    labels:
+      version: v3
+    trafficPolicy:
+      loadBalancer:
+        simple: ROUND_ROBIN
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: LEAST_REQUEST
+  subsets:
+  - name: testversion
+    labels:
+      version: v3
+    trafficPolicy:
+      loadBalancer:
+        simple: ROUND_ROBIN
+
+ +

{{}} +{{}}

+ +

Note: Policies specified for subsets will not take effect until +a route rule explicitly sends traffic to this subset.

+ +

One or more labels are typically required to identify the subset destination, +however, when the corresponding DestinationRule represents a host that +supports multiple SNI hosts (e.g., an egress gateway), a subset without labels +may be meaningful. In this case a traffic policy with ClientTLSSettings +can be used to identify a specific SNI host corresponding to the named subset.

+ +
NameDescription
DEFAULT -

Use the global default.

+

A subset of endpoints of a service. Subsets can be used for scenarios +like A/B testing, or routing to a specific version of a service. Refer +to VirtualService documentation for examples of using +subsets in these scenarios. In addition, traffic policies defined at the +service-level can be overridden at a subset-level. The following rule +uses a round robin load balancing policy for all traffic going to a +subset named testversion that is composed of endpoints (e.g., pods) with +labels (version:v3).

-
DO_NOT_UPGRADE -

Do not upgrade the connection to http2. -This opt-out option overrides the default.

+

{{}} +{{}}

-
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring +

Name of the subset. The service name and the subset name can +be used for traffic splitting in a route rule.

+ +
+Yes +
labelsmap<string, string> +

Labels apply a filter over the endpoints of a service in the +service registry. See route rules for examples of usage.

+ +
+No +
trafficPolicyTrafficPolicy +

Traffic policies that apply to this subset. Subsets inherit the +traffic policies specified at the DestinationRule level. Settings +specified at the subset level will override the corresponding settings +specified at the DestinationRule level.

+ +
+No +
+
+

LoadBalancerSettings

+
+

Load balancing policies to apply for a specific destination. See Envoy’s +load balancing +documentation +for more details.

+ +

For example, the following rule uses a round robin load balancing policy +for all traffic going to the ratings service.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: ROUND_ROBIN
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: ROUND_ROBIN
+
+ +

{{}} +{{}}

+ +

The following example sets up sticky sessions for the ratings service +hashing-based load balancer for the same ratings service using the +the User cookie as the hash key.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpCookie:
+          name: user
+          ttl: 0s
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpCookie:
+          name: user
+          ttl: 0s
+
+ +

{{}} +{{}}

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
simpleSimpleLB (oneof) + +No +
consistentHashConsistentHashLB (oneof) + +No +
localityLbSettingLocalityLoadBalancerSetting +

Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed +between this object and the object one in MeshConfig

+ +
+No +
warmupDurationSecsDuration +

Represents the warmup duration of Service. If set, the newly created endpoint of service +remains in warmup mode starting from its creation time for the duration of this window and +Istio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic. +This should be enabled for services that require warm up time to serve full production load with reasonable latency. +Currently this is only supported for ROUND_ROBIN and LEAST_CONN load balancers.

+ +
+No +
+
+

ConnectionPoolSettings

+
+

Connection pool settings for an upstream host. The settings apply to +each individual host in the upstream service. See Envoy’s circuit +breaker +for more details. Connection pool settings can be applied at the TCP +level as well as at HTTP level.

+ +

For example, the following rule sets a limit of 100 connections to redis +service called myredissrv with a connect timeout of 30ms

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: bookinfo-redis
+spec:
+  host: myredissrv.prod.svc.cluster.local
+  trafficPolicy:
+    connectionPool:
+      tcp:
+        maxConnections: 100
+        connectTimeout: 30ms
+        tcpKeepalive:
+          time: 7200s
+          interval: 75s
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-redis
+spec:
+  host: myredissrv.prod.svc.cluster.local
+  trafficPolicy:
+    connectionPool:
+      tcp:
+        maxConnections: 100
+        connectTimeout: 30ms
+        tcpKeepalive:
+          time: 7200s
+          interval: 75s
+
+ +

{{}} +{{}}

+ + + + + + + + + + + + + + + + - - + + + + + + +
FieldTypeDescriptionRequired
tcpTCPSettings +

Settings common to both HTTP and TCP upstream connections.

+ +
+No +
UPGRADE
httpHTTPSettings -

Upgrade the connection to http2. -This opt-in option overrides the default.

+

HTTP connection pool settings.

+ +
+No +
+
+

OutlierDetection

+
+

A Circuit breaker implementation that tracks the status of each +individual host in the upstream service. Applicable to both HTTP and +TCP services. For HTTP services, hosts that continually return 5xx +errors for API calls are ejected from the pool for a pre-defined period +of time. For TCP services, connection timeouts or connection +failures to a given host counts as an error when measuring the +consecutive errors metric. See Envoy’s outlier +detection +for more details.

+ +

The following rule sets a connection pool size of 100 HTTP1 connections +with no more than 10 req/connection to the “reviews” service. In addition, +it sets a limit of 1000 concurrent HTTP2 requests and configures upstream +hosts to be scanned every 5 mins so that any host that fails 7 consecutive +times with a 502, 503, or 504 error code will be ejected for 15 minutes.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: reviews-cb-policy
+spec:
+  host: reviews.prod.svc.cluster.local
+  trafficPolicy:
+    connectionPool:
+      tcp:
+        maxConnections: 100
+      http:
+        http2MaxRequests: 1000
+        maxRequestsPerConnection: 10
+    outlierDetection:
+      consecutive5xxErrors: 7
+      interval: 5m
+      baseEjectionTime: 15m
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: reviews-cb-policy
+spec:
+  host: reviews.prod.svc.cluster.local
+  trafficPolicy:
+    connectionPool:
+      tcp:
+        maxConnections: 100
+      http:
+        http2MaxRequests: 1000
+        maxRequestsPerConnection: 10
+    outlierDetection:
+      consecutive5xxErrors: 7
+      interval: 5m
+      baseEjectionTime: 15m
+
+ +

{{}} +{{}}

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
splitExternalLocalOriginErrorsbool +

Determines whether to distinguish local origin failures from external errors. If set to true +consecutive_local_origin_failure is taken into account for outlier detection calculations. +This should be used when you want to derive the outlier detection status based on the errors +seen locally such as failure to connect, timeout while connecting etc. rather than the status code +retuned by upstream service. This is especially useful when the upstream service explicitly returns +a 5xx for some requests and you want to ignore those responses from upstream service while determining +the outlier detection status of a host. +Defaults to false.

+ +
+No +
consecutiveLocalOriginFailuresUInt32Value +

The number of consecutive locally originated failures before ejection +occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors +is set to true.

+ +
+No +
consecutiveGatewayErrorsUInt32Value +

Number of gateway errors before a host is ejected from the connection pool. +When the upstream host is accessed over HTTP, a 502, 503, or 504 return +code qualifies as a gateway error. When the upstream host is accessed over +an opaque TCP connection, connect timeouts and connection error/failure +events qualify as a gateway error. +This feature is disabled by default or when set to the value 0.

+ +

Note that consecutive_gateway_errors and consecutive_5xx_errors can be +used separately or together. Because the errors counted by +consecutive_gateway_errors are also included in consecutive_5xx_errors, +if the value of consecutive_gateway_errors is greater than or equal to +the value of consecutive_5xx_errors, consecutive_gateway_errors will have +no effect.

+ +
+No +
consecutive5xxErrorsUInt32Value +

Number of 5xx errors before a host is ejected from the connection pool. +When the upstream host is accessed over an opaque TCP connection, connect +timeouts, connection error/failure and request failure events qualify as a +5xx error. +This feature defaults to 5 but can be disabled by setting the value to 0.

+ +

Note that consecutive_gateway_errors and consecutive_5xx_errors can be +used separately or together. Because the errors counted by +consecutive_gateway_errors are also included in consecutive_5xx_errors, +if the value of consecutive_gateway_errors is greater than or equal to +the value of consecutive_5xx_errors, consecutive_gateway_errors will have +no effect.

+ +
+No +
intervalDuration +

Time interval between ejection sweep analysis. format: +1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

+ +
+No +
baseEjectionTimeDuration +

Minimum ejection duration. A host will remain ejected for a period +equal to the product of minimum ejection duration and the number of +times the host has been ejected. This technique allows the system to +automatically increase the ejection period for unhealthy upstream +servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.

+ +
+No +
maxEjectionPercentint32 +

Maximum % of hosts in the load balancing pool for the upstream +service that can be ejected. Defaults to 10%.

+ +
+No +
minHealthPercentint32 +

Outlier detection will be enabled as long as the associated load balancing +pool has at least min_health_percent hosts in healthy mode. When the +percentage of healthy hosts in the load balancing pool drops below this +threshold, outlier detection will be disabled and the proxy will load balance +across all hosts in the pool (healthy and unhealthy). The threshold can be +disabled by setting it to 0%. The default is 0% as it’s not typically +applicable in k8s environments with few pods per service.

+ +
+No +
+
+

ClientTLSSettings

+
+

SSL/TLS related settings for upstream connections. See Envoy’s TLS +context +for more details. These settings are common to both HTTP and TCP upstreams.

+ +

For example, the following rule configures a client to use mutual TLS +for connections to upstream database cluster.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: db-mtls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: MUTUAL
+      clientCertificate: /etc/certs/myclientcert.pem
+      privateKey: /etc/certs/client_private_key.pem
+      caCertificates: /etc/certs/rootcacerts.pem
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: db-mtls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: MUTUAL
+      clientCertificate: /etc/certs/myclientcert.pem
+      privateKey: /etc/certs/client_private_key.pem
+      caCertificates: /etc/certs/rootcacerts.pem
+
+ +

{{}} +{{}}

+ +

The following rule configures a client to use TLS when talking to a +foreign service whose domain matches *.foo.com.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: tls-foo
+spec:
+  host: "*.foo.com"
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: tls-foo
+spec:
+  host: "*.foo.com"
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+
+ +

{{}} +{{}}

+ +

The following rule configures a client to use Istio mutual TLS when talking +to rating services.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: ratings-istio-mtls
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+
- - - - -
-

ConnectionPoolSettings.TCPSettings

-
-

Settings common to both HTTP and TCP upstream connections.

+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: ratings-istio-mtls
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+
+ +

{{}} +{{}}

@@ -280,89 +1077,126 @@

ConnectionPoolSettings.TCPSettings

- - - + + + + + + + + + - - - + + + - - - + + + - -
maxConnectionsint32
modeTLSmode -

Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.

+

Indicates whether connections to this port should be secured +using TLS. The value of this field determines how TLS is enforced.

+ +
+Yes +
clientCertificatestring +

REQUIRED if mode is MUTUAL. The path to the file holding the +client-side TLS certificate to use. +Should be empty if mode is ISTIO_MUTUAL.

No
connectTimeoutDuration
privateKeystring -

TCP connection timeout.

+

REQUIRED if mode is MUTUAL. The path to the file holding the +client’s private key. +Should be empty if mode is ISTIO_MUTUAL.

No
tcpKeepaliveTcpKeepalive
caCertificatesstring -

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

+

OPTIONAL: The path to the file containing certificate authority +certificates to use in verifying a presented server certificate. If +omitted, the proxy will not verify the server’s certificate. +Should be empty if mode is ISTIO_MUTUAL.

No
-
-

ConnectionPoolSettings.TCPSettings.TcpKeepalive

-
-

TCP keepalive.

+ +credentialName +string + +

The name of the secret that holds the TLS certs for the +client including the CA certificates. Secret must exist in the +same namespace with the proxy using the certificates. +The secret (of type generic)should contain the +following keys and values: key: <privateKey>, +cert: <clientCert>, cacert: <CACertificate>. +Here CACertificate is used to verify the server certificate. +Secret of type tls for client certificates along with +ca.crt key for CA certificates is also supported. +Only one of client certificates and CA certificate +or credentialName can be specified.

- - - - - - - +

NOTE: This field is applicable at sidecars only if +DestinationRule has a workloadSelector specified. +Otherwise the field will be applicable only at gateways, and +sidecars will continue to use the certificate paths.

+ + + - - - - - + + + - - - + + + - - - + + +
FieldTypeDescriptionRequired +No +
probesuint32
subjectAltNamesstring[] -

Maximum number of keepalive probes to send without response before -deciding the connection is dead. Default is to use the OS level configuration -(unless overridden, Linux defaults to 9.)

+

A list of alternate names to verify the subject identity in the +certificate. If specified, the proxy will verify that the server +certificate’s subject alt name matches one of the specified values. +If specified, this list overrides the value of subject_alt_names +from the ServiceEntry.

No
timeDuration
snistring -

The time duration a connection needs to be idle before keep-alive -probes start being sent. Default is to use the OS level configuration -(unless overridden, Linux defaults to 7200s (ie 2 hours.)

+

SNI string to present to the server during TLS handshake.

No
intervalDuration
insecureSkipVerifyBoolValue -

The time duration between keep-alive probes. -Default is to use the OS level configuration -(unless overridden, Linux defaults to 75s.)

+

InsecureSkipVerify specifies whether the proxy should skip verifying the +CA signature and SAN for the server certificate corresponding to the host. +This flag should only be set if global CA signature verifcation is +enabled, VerifyCertAtClient environmental variable is set to true, +but no verification is desired for a specific host. If enabled with or +without VerifyCertAtClient enabled, verification of the CA signature and +SAN will be skipped.

+ +

InsecureSkipVerify is false by default. +VerifyCertAtClient is false by default in Istio version 1.9 but will +be true by default in a later version where, going forward, it will be +enabled by default.

@@ -372,10 +1206,54 @@

ConnectionPoolSettings.

-

DestinationRule

+

LocalityLoadBalancerSetting

-

DestinationRule defines policies that apply to traffic intended for a service -after routing has occurred.

+

Locality-weighted load balancing allows administrators to control the +distribution of traffic to endpoints based on the localities of where the +traffic originates and where it will terminate. These localities are +specified using arbitrary labels that designate a hierarchy of localities in +{region}/{zone}/{sub-zone} form. For additional detail refer to +Locality Weight +The following example shows how to setup locality weights mesh-wide.

+ +

Given a mesh with workloads and their service deployed to “us-west/zone1/” +and “us-west/zone2/”. This example specifies that when traffic accessing a +service originates from workloads in “us-west/zone1/”, 80% of the traffic +will be sent to endpoints in “us-west/zone1/”, i.e the same zone, and the +remaining 20% will go to endpoints in “us-west/zone2/”. This setup is +intended to favor routing traffic to endpoints in the same locality. +A similar setting is specified for traffic originating in “us-west/zone2/”.

+ +
  distribute:
+    - from: us-west/zone1/*
+      to:
+        "us-west/zone1/*": 80
+        "us-west/zone2/*": 20
+    - from: us-west/zone2/*
+      to:
+        "us-west/zone1/*": 20
+        "us-west/zone2/*": 80
+
+ +

If the goal of the operator is not to distribute load across zones and +regions but rather to restrict the regionality of failover to meet other +operational requirements an operator can set a ‘failover’ policy instead of +a ‘distribute’ policy.

+ +

The following example sets up a locality failover policy for regions. +Assume a service resides in zones within us-east, us-west & eu-west +this example specifies that when endpoints within us-east become unhealthy +traffic should failover to endpoints in any zone or sub-zone within eu-west +and similarly us-west should failover to us-east.

+ +
 failover:
+   - from: us-east
+     to: eu-west
+   - from: us-west
+     to: us-east
+
+ +

Locality load balancing settings.

@@ -387,124 +1265,105 @@

DestinationRule

- - - - - - - - - + + + - - - + + + - - + + - -
hoststring -

The name of a service from the service registry. Service -names are looked up from the platform’s service registry (e.g., -Kubernetes services, Consul services, etc.) and from the hosts -declared by ServiceEntries. Rules defined for -services that do not exist in the service registry will be ignored.

- -

Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews” will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfigurations, it is recommended to always use fully -qualified domain names over short names.

- -

Note that the host field applies to both HTTP and TCP services.

- -
-Yes -
trafficPolicyTrafficPolicy
distributeDistribute[] -

Traffic policies to apply (load balancing policy, connection pool -sizes, outlier detection).

+

Optional: only one of distribute, failover or failoverPriority can be set. +Explicitly specify loadbalancing weight across different zones and geographical locations. +Refer to Locality weighted load balancing +If empty, the locality weight is set according to the endpoints number within it.

No
subsetsSubset[]
failoverFailover[] -

One or more named sets that represent individual versions of a -service. Traffic policies can be overridden at subset level.

+

Optional: only one of distribute, failover or failoverPriority can be set. +Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. +Should be used together with OutlierDetection to detect unhealthy endpoints. +Note: if no OutlierDetection specified, this will not take effect.

No
exportTo
failoverPriority string[] -

A list of namespaces to which this destination rule is exported. -The resolution of a destination rule to apply to a service occurs in the -context of a hierarchy of namespaces. Exporting a destination rule allows -it to be included in the resolution hierarchy for services in -other namespaces. This feature provides a mechanism for service owners -and mesh administrators to control the visibility of destination rules -across namespace boundaries.

- -

If no namespaces are specified then the destination rule is exported to all -namespaces by default.

+

failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. +This is to support traffic failover across different groups of endpoints. +Suppose there are total N labels specified:

+ +
    +
  1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
  2. +
  3. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
  4. +
  5. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
  6. +
  7. All the other endpoints have priority P(N) i.e. lowest priority.
  8. +
+ +

Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

+ +

It can be any label specified on both client and server workloads. +The following labels which have special semantic meaning are also supported:

+ +
    +
  • topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
  • +
  • topology.istio.io/cluster is used to match the clusterID of an endpoint, which can be specified by pod label topology.istio.io/cluster or pod env ISTIO_META_CLUSTER_ID.
  • +
  • topology.kubernetes.io/region is used to match the region metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/region or the deprecated label failure-domain.beta.kubernetes.io/region.
  • +
  • topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
  • +
  • topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
  • +
+ +

The below topology config indicates the following priority levels:

+ +
failoverPriority:
+- "topology.istio.io/network"
+- "topology.kubernetes.io/region"
+- "topology.kubernetes.io/zone"
+- "topology.istio.io/subzone"
+
-

The value “.” is reserved and defines an export to the same namespace that -the destination rule is declared in. Similarly, the value “*” is reserved and -defines an export to all namespaces.

+
    +
  1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
  2. +
  3. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
  4. +
  5. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
  6. +
  7. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
  8. +
  9. all the other endpoints have the same lowest priority.
  10. +
-

NOTE: in the current release, the exportTo value is restricted to -“.” or “*” (i.e., the current namespace or all namespaces).

+

Optional: only one of distribute, failover or failoverPriority can be set. +And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

No
-
-

LoadBalancerSettings

-
-

Load balancing policies to apply for a specific destination. See Envoy’s -load balancing -documentation -for more details.

- -

For example, the following rule uses a round robin load balancing policy -for all traffic going to the ratings service.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: ROUND_ROBIN
-
- -

The following example sets up sticky sessions for the ratings service -hashing-based load balancer for the same ratings service using the -the User cookie as the hash key.

+ +enabled +BoolValue + +

enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. +e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.

-
 apiVersion: networking.istio.io/v1alpha3
- kind: DestinationRule
- metadata:
-   name: bookinfo-ratings
- spec:
-   host: ratings.prod.svc.cluster.local
-   trafficPolicy:
-     loadBalancer:
-       consistentHash:
-         httpCookie:
-           name: user
-           ttl: 0s
-
+ + +No + + + + +
+

TrafficPolicy.PortTrafficPolicy

+
+

Traffic policies that apply to specific ports of the service

@@ -516,30 +1375,56 @@

LoadBalancerSettings

- - - + + + - - - + + + - - - + + + + + + + + + + + + + + + @@ -587,18 +1471,30 @@

LoadBalancerSettings.ConsistentHa

+ + + + + + @@ -671,203 +1567,9 @@

LoadBalancerSettings.C

simpleSimpleLB (oneof)
portPortSelector +

Specifies the number of a port on the destination service +on which this policy is being applied.

+
-Yes +No
consistentHashConsistentHashLB (oneof)
loadBalancerLoadBalancerSettings +

Settings controlling the load balancer algorithms.

+
-Yes +No
localityLbSettingLocalityLoadBalancerSetting
connectionPoolConnectionPoolSettings -

Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed -between this object and the object one in MeshConfig

+

Settings controlling the volume of connections to an upstream service

+ +
+No +
outlierDetectionOutlierDetection +

Settings controlling eviction of unhealthy hosts from the load balancing pool

+ +
+No +
tlsClientTLSSettings +

TLS related settings for connections to the upstream service.

@@ -553,8 +1438,7 @@

LoadBalancerSettings.ConsistentHa

Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other -properties. This load balancing policy is applicable only for HTTP -connections. The affinity to a particular destination host will be +properties. The affinity to a particular destination host will be lost when one or more hosts are added/removed from the destination service.

@@ -576,7 +1460,7 @@

LoadBalancerSettings.ConsistentHa

-Yes +No
useSourceIp bool (oneof) -

Hash based on the source IP address.

+

Hash based on the source IP address. +This is applicable for both TCP and HTTP connections.

-Yes +No +
httpQueryParameterNamestring (oneof) +

Hash based on a specific HTTP query parameter.

+ +
+No
-

LoadBalancerSettings.SimpleLB

-
-

Standard load balancing algorithms that require no tuning.

- - - - - - - - - - - - - - - - - - - - - - - - - - -
NameDescription
ROUND_ROBIN -

Round Robin policy. Default

- -
LEAST_CONN -

The least request load balancer uses an O(1) algorithm which selects -two random healthy hosts and picks the host which has fewer active -requests.

- -
RANDOM -

The random load balancer selects a random healthy host. The random -load balancer generally performs better than round robin if no health -checking policy is configured.

- -
PASSTHROUGH -

This option will forward the connection to the original IP address -requested by the caller without doing any form of load -balancing. This option must be used with care. It is meant for -advanced use cases. Refer to Original Destination load balancer in -Envoy for further details.

- -
-
-

LocalityLoadBalancerSetting

-
-

Locality-weighted load balancing allows administrators to control the -distribution of traffic to endpoints based on the localities of where the -traffic originates and where it will terminate. These localities are -specified using arbitrary labels that designate a hierarchy of localities in -{region}/{zone}/{sub-zone} form. For additional detail refer to -Locality Weight -The following example shows how to setup locality weights mesh-wide.

- -

Given a mesh with workloads and their service deployed to “us-west/zone1/” -and “us-west/zone2/”. This example specifies that when traffic accessing a -service originates from workloads in “us-west/zone1/”, 80% of the traffic -will be sent to endpoints in “us-west/zone1/”, i.e the same zone, and the -remaining 20% will go to endpoints in “us-west/zone2/”. This setup is -intended to favor routing traffic to endpoints in the same locality. -A similar setting is specified for traffic originating in “us-west/zone2/”.

- -
  distribute:
-    - from: us-west/zone1/*
-      to:
-        "us-west/zone1/*": 80
-        "us-west/zone2/*": 20
-    - from: us-west/zone2/*
-      to:
-        "us-west/zone1/*": 20
-        "us-west/zone2/*": 80
-
- -

If the goal of the operator is not to distribute load across zones and -regions but rather to restrict the regionality of failover to meet other -operational requirements an operator can set a ‘failover’ policy instead of -a ‘distribute’ policy.

- -

The following example sets up a locality failover policy for regions. -Assume a service resides in zones within us-east, us-west & eu-west -this example specifies that when endpoints within us-east become unhealthy -traffic should failover to endpoints in any zone or sub-zone within eu-west -and similarly us-west should failover to us-east.

- -
 failover:
-   - from: us-east
-     to: eu-west
-   - from: us-west
-     to: us-east
-
- -

Locality load balancing settings.

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
distributeDistribute[] -

Optional: only one of distribute or failover can be set. -Explicitly specify loadbalancing weight across different zones and geographical locations. -Refer to Locality weighted load balancing -If empty, the locality weight is set according to the endpoints number within it.

- -
-No -
failoverFailover[] -

Optional: only failover or distribute can be set. -Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. -Should be used together with OutlierDetection to detect unhealthy endpoints. -Note: if no OutlierDetection specified, this will not take effect.

- -
-No -
-
-

LocalityLoadBalancerSetting.Distribute

-
-

Describes how traffic originating in the ‘from’ zone or sub-zone is -distributed over a set of ‘to’ zones. Syntax for specifying a zone is -{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any -segment of the specification. Examples: -* - matches all localities -us-west/* - all zones and sub-zones within the us-west region -us-west/zone-1/* - all sub-zones within us-west/zone-1

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
fromstring -

Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

- -
-No -
tomap<string, uint32> -

Map of upstream localities to traffic distribution weights. The sum of -all weights should be == 100. Any locality not assigned a weight will -receive no traffic.

- -
-No -
-
-

LocalityLoadBalancerSetting.Failover

+

ConnectionPoolSettings.TCPSettings

-

Specify the traffic failover policy across regions. Since zone and sub-zone -failover is supported by default this only needs to be specified for -regions when the operator needs to constrain traffic failover so that -the default behavior of failing over to any endpoint globally does not -apply. This is useful when failing over traffic across regions would not -improve service health or may need to be restricted for other reasons -like regulatory controls.

+

Settings common to both HTTP and TCP upstream connections.

@@ -879,23 +1581,34 @@

LocalityLoadBalancerSetting.Failov

- - - + + + - - - + + + + + + + + +
fromstring
maxConnectionsint32 -

Originating region.

+

Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.

No
tostring
connectTimeoutDuration -

Destination region the traffic will fail over to when endpoints in -the ‘from’ region becomes unhealthy.

+

TCP connection timeout. format: +1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

+ +
+No +
tcpKeepaliveTcpKeepalive +

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

@@ -905,42 +1618,9 @@

LocalityLoadBalancerSetting.Failov

-

OutlierDetection

+

ConnectionPoolSettings.HTTPSettings

-

A Circuit breaker implementation that tracks the status of each -individual host in the upstream service. Applicable to both HTTP and -TCP services. For HTTP services, hosts that continually return 5xx -errors for API calls are ejected from the pool for a pre-defined period -of time. For TCP services, connection timeouts or connection -failures to a given host counts as an error when measuring the -consecutive errors metric. See Envoy’s outlier -detection -for more details.

- -

The following rule sets a connection pool size of 100 HTTP1 connections -with no more than 10 req/connection to the “reviews” service. In addition, -it sets a limit of 1000 concurrent HTTP2 requests and configures upstream -hosts to be scanned every 5 mins so that any host that fails 7 consecutive -times with a 502, 503, or 504 error code will be ejected for 15 minutes.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: reviews-cb-policy
-spec:
-  host: reviews.prod.svc.cluster.local
-  trafficPolicy:
-    connectionPool:
-      tcp:
-        maxConnections: 100
-      http:
-        http2MaxRequests: 1000
-        maxRequestsPerConnection: 10
-    outlierDetection:
-      consecutiveErrors: 7
-      interval: 5m
-      baseEjectionTime: 15m
-
+

Settings applicable to HTTP1.1/HTTP2/GRPC connections.

@@ -952,160 +1632,88 @@

OutlierDetection

- - + + - - - - - - - - - + + + - - + + - - + + - -
consecutiveErrors
http1MaxPendingRequests int32 -

Number of errors before a host is ejected from the connection -pool. Defaults to 5. When the upstream host is accessed over HTTP, a -502, 503, or 504 return code qualifies as an error. When the upstream host -is accessed over an opaque TCP connection, connect timeouts and -connection error/failure events qualify as an error.

- -
-No -
intervalDuration -

Time interval between ejection sweep analysis. format: -1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

+

Maximum number of pending HTTP requests to a destination. Default 2^32-1.

No
baseEjectionTimeDuration
http2MaxRequestsint32 -

Minimum ejection duration. A host will remain ejected for a period -equal to the product of minimum ejection duration and the number of -times the host has been ejected. This technique allows the system to -automatically increase the ejection period for unhealthy upstream -servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.

+

Maximum number of requests to a backend. Default 2^32-1.

No
maxEjectionPercent
maxRequestsPerConnection int32 -

Maximum % of hosts in the load balancing pool for the upstream -service that can be ejected. Defaults to 10%.

+

Maximum number of requests per connection to a backend. Setting this +parameter to 1 disables keep alive. Default 0, meaning “unlimited”, +up to 2^29.

No
minHealthPercent
maxRetries int32 -

Outlier detection will be enabled as long as the associated load balancing -pool has at least minhealthpercent hosts in healthy mode. When the -percentage of healthy hosts in the load balancing pool drops below this -threshold, outlier detection will be disabled and the proxy will load balance -across all hosts in the pool (healthy and unhealthy). The threshold can be -disabled by setting it to 0%. The default is 0% as it’s not typically -applicable in k8s environments with few pods per service.

+

Maximum number of retries that can be outstanding to all hosts in a +cluster at a given time. Defaults to 2^32-1.

No
-
-

Subset

-
-

A subset of endpoints of a service. Subsets can be used for scenarios -like A/B testing, or routing to a specific version of a service. Refer -to VirtualService documentation for examples of using -subsets in these scenarios. In addition, traffic policies defined at the -service-level can be overridden at a subset-level. The following rule -uses a round robin load balancing policy for all traffic going to a -subset named testversion that is composed of endpoints (e.g., pods) with -labels (version:v3).

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: LEAST_CONN
-  subsets:
-  - name: testversion
-    labels:
-      version: v3
-    trafficPolicy:
-      loadBalancer:
-        simple: ROUND_ROBIN
-
- -

Note: Policies specified for subsets will not take effect until -a route rule explicitly sends traffic to this subset.

- -

One or more labels are typically required to identify the subset destination, -however, when the corresponding DestinationRule represents a host that -supports multiple SNI hosts (e.g., an egress gateway), a subset without labels -may be meaningful. In this case a traffic policy with TLSSettings -can be used to identify a specific SNI host corresponding to the named subset.

- - - - - - - - - - - - - - + + + - - - + + + - - - + + +
FieldTypeDescriptionRequired
namestring
idleTimeoutDuration -

Name of the subset. The service name and the subset name can -be used for traffic splitting in a route rule.

+

The idle timeout for upstream connection pool connections. The idle timeout +is defined as the period in which there are no active requests. +If not set, the default is 1 hour. When the idle timeout is reached, +the connection will be closed. If the connection is an HTTP/2 +connection a drain sequence will occur prior to closing the connection. +Note that request based timeouts mean that HTTP/2 PINGs will not +keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

-Yes +No
labelsmap<string, string>
h2UpgradePolicyH2UpgradePolicy -

Labels apply a filter over the endpoints of a service in the -service registry. See route rules for examples of usage.

+

Specify if http1.1 connection should be upgraded to http2 for the associated destination.

No
trafficPolicyTrafficPolicy
useClientProtocolbool -

Traffic policies that apply to this subset. Subsets inherit the -traffic policies specified at the DestinationRule level. Settings -specified at the subset level will override the corresponding settings -specified at the DestinationRule level.

+

If set to true, client protocol will be preserved while initiating connection to backend. +Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client +connections will not be upgraded to http2.

@@ -1115,56 +1723,9 @@

Subset

-

TLSSettings

+

ConnectionPoolSettings.TCPSettings.TcpKeepalive

-

SSL/TLS related settings for upstream connections. See Envoy’s TLS -context -for more details. These settings are common to both HTTP and TCP upstreams.

- -

For example, the following rule configures a client to use mutual TLS -for connections to upstream database cluster.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: db-mtls
-spec:
-  host: mydbserver.prod.svc.cluster.local
-  trafficPolicy:
-    tls:
-      mode: MUTUAL
-      clientCertificate: /etc/certs/myclientcert.pem
-      privateKey: /etc/certs/client_private_key.pem
-      caCertificates: /etc/certs/rootcacerts.pem
-
- -

The following rule configures a client to use TLS when talking to a -foreign service whose domain matches *.foo.com.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: tls-foo
-spec:
-  host: "*.foo.com"
-  trafficPolicy:
-    tls:
-      mode: SIMPLE
-
- -

The following rule configures a client to use Istio mutual TLS when talking -to rating services.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: ratings-istio-mtls
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    tls:
-      mode: ISTIO_MUTUAL
-
+

TCP keepalive.

@@ -1176,78 +1737,89 @@

TLSSettings

- - - - - - - - - + + + - - - + + + - - - + + + - - - + +
modeTLSmode -

Indicates whether connections to this port should be secured -using TLS. The value of this field determines how TLS is enforced.

- -
-Yes -
clientCertificatestring
probesuint32 -

REQUIRED if mode is MUTUAL. The path to the file holding the -client-side TLS certificate to use. -Should be empty if mode is ISTIO_MUTUAL.

+

Maximum number of keepalive probes to send without response before +deciding the connection is dead. Default is to use the OS level configuration +(unless overridden, Linux defaults to 9.)

No
privateKeystring
timeDuration -

REQUIRED if mode is MUTUAL. The path to the file holding the -client’s private key. -Should be empty if mode is ISTIO_MUTUAL.

+

The time duration a connection needs to be idle before keep-alive +probes start being sent. Default is to use the OS level configuration +(unless overridden, Linux defaults to 7200s (ie 2 hours.)

No
caCertificatesstring
intervalDuration -

OPTIONAL: The path to the file containing certificate authority -certificates to use in verifying a presented server certificate. If -omitted, the proxy will not verify the server’s certificate. -Should be empty if mode is ISTIO_MUTUAL.

+

The time duration between keep-alive probes. +Default is to use the OS level configuration +(unless overridden, Linux defaults to 75s.)

No
subjectAltNamesstring[]
+
+

LocalityLoadBalancerSetting.Distribute

+
+

Describes how traffic originating in the ‘from’ zone or sub-zone is +distributed over a set of ‘to’ zones. Syntax for specifying a zone is +{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any +segment of the specification. Examples:

+ +

* - matches all localities

+ +

us-west/* - all zones and sub-zones within the us-west region

+ +

us-west/zone-1/* - all sub-zones within us-west/zone-1

+ + + + + + + + + + + + + + - - - + + +
FieldTypeDescriptionRequired
fromstring -

A list of alternate names to verify the subject identity in the -certificate. If specified, the proxy will verify that the server -certificate’s subject alt name matches one of the specified values. -If specified, this list overrides the value of subjectaltnames -from the ServiceEntry.

+

Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

No
snistring
tomap<string, uint32> -

SNI string to present to the server during TLS handshake.

+

Map of upstream localities to traffic distribution weights. The sum of +all weights should be 100. Any locality not present will +receive no traffic.

@@ -1257,58 +1829,57 @@

TLSSettings

-

TLSSettings.TLSmode

+

LocalityLoadBalancerSetting.Failover

-

TLS connection mode

+

Specify the traffic failover policy across regions. Since zone and sub-zone +failover is supported by default this only needs to be specified for +regions when the operator needs to constrain traffic failover so that +the default behavior of failing over to any endpoint globally does not +apply. This is useful when failing over traffic across regions would not +improve service health or may need to be restricted for other reasons +like regulatory controls.

- +
- + + + - - + + + - - - - - + + + - - -
NameFieldType DescriptionRequired
DISABLE
fromstring -

Do not setup a TLS connection to the upstream endpoint.

+

Originating region.

SIMPLE -

Originate a TLS connection to the upstream endpoint.

- +No
MUTUAL
tostring -

Secure connections to the upstream using mutual TLS by presenting -client certificates for authentication.

+

Destination region the traffic will fail over to when endpoints in +the ‘from’ region becomes unhealthy.

ISTIO_MUTUAL -

Secure connections to the upstream using mutual TLS by presenting -client certificates for authentication. -Compared to Mutual mode, this mode uses certificates generated -automatically by Istio for mTLS authentication. When this mode is -used, all other fields in TLSSettings should be empty.

- +No
-

TrafficPolicy

+

google.protobuf.UInt32Value

-

Traffic policies to apply for a specific destination, across all -destination ports. See DestinationRule for examples.

+

Wrapper message for uint32.

+ +

The JSON representation for UInt32Value is JSON number.

@@ -1320,136 +1891,171 @@

TrafficPolicy

- - - + + + - - - - +
loadBalancerLoadBalancerSettings
valueuint32 -

Settings controlling the load balancer algorithms.

+

The uint32 value.

No
connectionPoolConnectionPoolSettings -

Settings controlling the volume of connections to an upstream service

+
+
+

LoadBalancerSettings.SimpleLB

+
+

Standard load balancing algorithms that require no tuning.

- - -No - + + + + + - - - + + + + + + + - - - + + + + + - - - + + + + +
NameDescription
outlierDetectionOutlierDetection
UNSPECIFIED -

Settings controlling eviction of unhealthy hosts from the load balancing pool

+

No load balancing algorithm has been specified by the user. Istio +will select an appropriate default.

RANDOM -No +

The random load balancer selects a random healthy host. The random +load balancer generally performs better than round robin if no health +checking policy is configured.

+
tlsTLSSettings
PASSTHROUGH -

TLS related settings for connections to the upstream service.

+

This option will forward the connection to the original IP address +requested by the caller without doing any form of load +balancing. This option must be used with care. It is meant for +advanced use cases. Refer to Original Destination load balancer in +Envoy for further details.

ROUND_ROBIN -No +

A basic round robin load balancing policy. This is generally unsafe +for many scenarios (e.g. when enpoint weighting is used) as it can +overburden endpoints. In general, prefer to use LEAST_REQUEST as a +drop-in replacement for ROUND_ROBIN.

+
portLevelSettingsPortTrafficPolicy[]
LEAST_REQUEST -

Traffic policies specific to individual ports. Note that port level -settings will override the destination-level settings. Traffic -settings specified at the destination-level will not be inherited when -overridden by port-level settings, i.e. default values will be applied -to fields omitted in port-level traffic policies.

+

The least request load balancer spreads load across endpoints, favoring +endpoints with the least outstanding requests. This is generally safer +and outperforms ROUND_ROBIN in nearly all cases. Prefer to use +LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.

LEAST_CONN -No +

Deprecated. Use LEAST_REQUEST instead.

+
-

TrafficPolicy.PortTrafficPolicy

+

ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy

-

Traffic policies that apply to specific ports of the service

+

Policy for upgrading http1.1 connections to http2.

- +
- - + - - - - + + - - - - + + - - - - + + - - - - + +
FieldTypeName DescriptionRequired
portPortSelector
DEFAULT -

Specifies the number of a port on the destination service -on which this policy is being applied.

+

Use the global default.

-
-No
loadBalancerLoadBalancerSettings
DO_NOT_UPGRADE -

Settings controlling the load balancer algorithms.

+

Do not upgrade the connection to http2. +This opt-out option overrides the default.

-
-No
connectionPoolConnectionPoolSettings
UPGRADE -

Settings controlling the volume of connections to an upstream service

+

Upgrade the connection to http2. +This opt-in option overrides the default.

-
-No
outlierDetectionOutlierDetection
+
+

ClientTLSSettings.TLSmode

+
+

TLS connection mode

+ + + + + + + + + + + + + + - - - + + + + +
From 988eab8a76c36f08a2f4c123dc0a5503ce811f65 Mon Sep 17 00:00:00 2001
From: my-git9
Date: Sun, 17 Apr 2022 23:01:21 +0800
Subject: [PATCH 2/3] Update index.html
---
 .../reference/config/networking/destination-rule/index.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html
index 5e35f2c78e48..a39f7747902a 100644
--- a/content/zh/docs/reference/config/networking/destination-rule/index.html
+++ b/content/zh/docs/reference/config/networking/destination-rule/index.html
@@ -3,11 +3,11 @@
 source_repo: https://github.com/istio/api
 title: Destination Rule
 description: Configuration affecting load balancing, outlier detection, etc.
-location: https://istio.io/docs/reference/config/networking/destination-rule.html
+location: https://istio.io/zh/docs/reference/config/networking/destination-rule.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
 schema: istio.networking.v1alpha3.DestinationRule
-aliases: [/docs/reference/config/networking/v1alpha3/destination-rule]
+aliases: [/zh/docs/reference/config/networking/v1alpha3/destination-rule]
 number_of_entries: 20
 ---

DestinationRule defines policies that apply to traffic intended for a
@@ -1377,7 +1377,7 @@

TrafficPolicy.PortTrafficPolicy

- + - +
NameDescription
DISABLE -

Settings controlling eviction of unhealthy hosts from the load balancing pool

+

Do not setup a TLS connection to the upstream endpoint.

SIMPLE -No +

Originate a TLS connection to the upstream endpoint.

+
tlsTLSSettings
MUTUAL -

TLS related settings for connections to the upstream service.

+

Secure connections to the upstream using mutual TLS by presenting +client certificates for authentication.

ISTIO_MUTUAL -No +

Secure connections to the upstream using mutual TLS by presenting +client certificates for authentication. +Compared to Mutual mode, this mode uses certificates generated +automatically by Istio for mTLS authentication. When this mode is +used, all other fields in ClientTLSSettings should be empty.

+
portPortSelectorPortSelector

Specifies the number of a port on the destination service on which this policy is being applied.

From 1e5592a709ec653f3ca180b1ee5c19f1ea1c438a Mon Sep 17 00:00:00 2001
From: my-git9
Date: Sun, 17 Apr 2022 23:06:20 +0800
Subject: [PATCH 3/3] Update index.html
---
 .../config/networking/destination-rule/index.html | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html
index a39f7747902a..e8f02448e3ee 100644
--- a/content/zh/docs/reference/config/networking/destination-rule/index.html
+++ b/content/zh/docs/reference/config/networking/destination-rule/index.html
@@ -3,7 +3,7 @@
 source_repo: https://github.com/istio/api
 title: Destination Rule
 description: Configuration affecting load balancing, outlier detection, etc.
-location: https://istio.io/zh/docs/reference/config/networking/destination-rule.html
+location: https://istio.io/docs/reference/config/networking/destination-rule.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
 schema: istio.networking.v1alpha3.DestinationRule
@@ -227,7 +227,7 @@

DestinationRule

The name of a service from the service registry. Service names are looked up from the platform’s service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts -declared by ServiceEntries. Rules defined for +declared by ServiceEntries. Rules defined for services that do not exist in the service registry will be ignored.

Note for Kubernetes users: When short names are used (e.g. “reviews”
@@ -296,7 +296,7 @@

DestinationRule

workloadSelectorWorkloadSelectorWorkloadSelector

Criteria used to select the specific set of pods/VMs on which this DestinationRule configuration should be applied. If specified, the DestinationRule @@ -396,7 +396,7 @@

Subset

A subset of endpoints of a service. Subsets can be used for scenarios like A/B testing, or routing to a specific version of a service. Refer -to VirtualService documentation for examples of using +to VirtualService documentation for examples of using subsets in these scenarios. In addition, traffic policies defined at the service-level can be overridden at a subset-level. The following rule uses a round robin load balancing policy for all traffic going to a