From 480018551a18daf12fdb23c93d594c896cd41591 Mon Sep 17 00:00:00 2001 
From: Eric Van Norman Date: Mon, 2 May 2022 08:42:23 -0500 Subject: [PATCH 1/2] Update reference docs in zh path --- .../docs/reference/commands/galley/index.html | 594 -- .../reference/commands/install-cni/index.html | 1463 ++++ .../reference/commands/istio_ca/index.html | 414 - .../reference/commands/istioctl/index.html | 6939 ++++++++++++----- .../docs/reference/commands/mixs/index.html | 411 - .../reference/commands/node_agent/index.html | 178 - .../reference/commands/operator/index.html | 10 +- .../reference/commands/pilot-agent/index.html | 1880 ++++- .../commands/pilot-discovery/index.html | 1176 ++- .../commands/sidecar-injector/index.html | 604 -- .../reference/config/annotations/index.html | 292 +- .../config/istio.analysis.v1alpha1/index.html | 355 + .../config/istio.mesh.v1alpha1/index.html | 4049 +++++++--- .../config/istio.operator.v1alpha1/index.html | 2734 ++++--- .../docs/reference/config/labels/index.html | 125 + .../meta/v1beta1/istio-status/index.html | 154 + .../networking/destination-rule/index.html | 2234 ++++-- .../config/networking/envoy-filter/index.html | 1159 +-- .../config/networking/gateway/index.html | 598 +- .../config/networking/proxy-config/index.html | 168 + .../networking/service-entry/index.html | 697 +- .../config/networking/sidecar/index.html | 685 +- .../networking/virtual-service/index.html | 2698 ++++--- .../networking/workload-entry/index.html | 362 + .../networking/workload-group/index.html | 443 ++ .../accesslogpolicy/index.html | 62 + .../proxy_extensions/attributegen/index.html | 283 + .../metadata_exchange/index.html | 38 +- .../proxy_extensions/stackdriver/index.html | 292 + .../config/proxy_extensions/stats/index.html | 283 + .../proxy_extensions/wasm-plugin/index.html | 526 ++ .../security/authorization-policy/index.html | 684 +- .../istio.authentication.v1alpha1/index.html | 743 -- .../security/istio.rbac.v1alpha1/index.html | 504 -- .../reference/config/security/jwt/index.html | 108 +- 
.../security/peer_authentication/index.html | 9 +- .../request_authentication/index.html | 242 +- .../reference/config/telemetry/index.html | 1198 +++ scripts/grab_reference_docs_zh.sh | 192 + 39 files changed, 24537 insertions(+), 11049 deletions(-) delete mode 100644 content/zh/docs/reference/commands/galley/index.html create mode 100644 content/zh/docs/reference/commands/install-cni/index.html delete mode 100644 content/zh/docs/reference/commands/istio_ca/index.html delete mode 100644 content/zh/docs/reference/commands/mixs/index.html delete mode 100644 content/zh/docs/reference/commands/node_agent/index.html delete mode 100644 content/zh/docs/reference/commands/sidecar-injector/index.html create mode 100644 content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html create mode 100644 content/zh/docs/reference/config/labels/index.html create mode 100644 content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html create mode 100644 content/zh/docs/reference/config/networking/proxy-config/index.html create mode 100644 content/zh/docs/reference/config/networking/workload-entry/index.html create mode 100644 content/zh/docs/reference/config/networking/workload-group/index.html create mode 100644 content/zh/docs/reference/config/proxy_extensions/accesslogpolicy/index.html create mode 100644 content/zh/docs/reference/config/proxy_extensions/attributegen/index.html create mode 100644 content/zh/docs/reference/config/proxy_extensions/stackdriver/index.html create mode 100644 content/zh/docs/reference/config/proxy_extensions/stats/index.html create mode 100644 content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html delete mode 100644 content/zh/docs/reference/config/security/istio.authentication.v1alpha1/index.html delete mode 100644 content/zh/docs/reference/config/security/istio.rbac.v1alpha1/index.html create mode 100644 content/zh/docs/reference/config/telemetry/index.html create mode 100755 scripts/grab_reference_docs_zh.sh 
diff --git a/content/zh/docs/reference/commands/galley/index.html b/content/zh/docs/reference/commands/galley/index.html deleted file mode 100644 index d2bb047f1a5d1..0000000000000 --- a/content/zh/docs/reference/commands/galley/index.html +++ /dev/null @@ -1,594 +0,0 @@ ---- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO -source_repo: https://github.com/istio/istio -title: galley -description: Galley provides configuration management services for Istio. -generator: pkg-collateral-docs -number_of_entries: 5 -max_toc_level: 2 -remove_toc_prefix: 'galley ' ---- -

Galley provides configuration management services for Istio.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--config <string>-cConfig file containing args (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
-

galley probe

-

Check the liveness or readiness of a locally-running server

-
galley probe [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--config <string>-cConfig file containing args (default ``)
--interval <duration>Duration used for checking the target file's last modified time. (default `0s`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--probe-path <string>Path of the file for checking the availability. (default ``)
-

galley server

-

Starts Galley as a server

-
galley server [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--accessListFile <string>The access list yaml file that contains the allowed mTLS peer ids. (default `/etc/config/accesslist.yaml`)
--caCertFile <string>File containing the caBundle that signed the cert/key specified by --tlsCertFile and --tlsKeyFile. (default `/etc/certs/root-cert.pem`)
--config <string>-cConfig file containing args (default ``)
--configPath <string>Istio config file path (default ``)
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--deployment-name <string>Name of the deployment for the validation pod (default `istio-galley`)
--deployment-namespace <string>Namespace of the deployment for the validation pod (default `istio-system`)
--disableResourceReadyCheckDisable resource readiness checks. This allows Galley to start if not all resource types are supported
--domain <string>DNS domain suffix (default `cluster.local`)
--enable-reconcileWebhookConfigurationEnable reconciliation for webhook configuration.
--enable-serverRun galley server mode
--enable-validationRun galley validation mode
--enableAnalysisEnable config analysis service
--enableProfilingEnable profiling for Galley
--enableServiceDiscoveryEnable service discovery processing in Galley
--excludedResourceKinds <stringSlice>Comma-separated list of resource kinds that should not generate source events (default `[Endpoints,Namespace,Node,Pod,Service]`)
--insecureUse insecure gRPC communication
--kubeconfig <string>Use a Kubernetes configuration file instead of in-cluster configuration (default ``)
--livenessProbeInterval <duration>Interval of updating file for the Galley liveness probe. (default `2s`)
--livenessProbePath <string>Path to the file for the Galley liveness probe. (default `/healthLiveness`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfigFile <string>Path to the mesh config file (default `/etc/mesh-config/mesh`)
--monitoringPort <uint>Port to use for exposing self-monitoring information (default `15014`)
--pprofPort <uint>Port to use for exposing profiling (default `9094`)
--readinessProbeInterval <duration>Interval of updating file for the Galley readiness probe. (default `2s`)
--readinessProbePath <string>Path to the file for the Galley readiness probe. (default `/healthReadiness`)
--resyncPeriod <duration>Resync period for rescanning Kubernetes resources (default `0s`)
--server-address <string>Address to use for Galley's gRPC API, e.g. tcp://localhost:9092 or unix:///path/to/file (default `tcp://0.0.0.0:9901`)
--server-maxConcurrentStreams <uint>Maximum number of outstanding RPCs per connection (default `1024`)
--server-maxReceivedMessageSize <uint>Maximum size of individual gRPC messages (default `1048576`)
--service-name <string>Name of the validation service running in the same namespace as the deployment (default `istio-galley`)
--sinkAddress <string>Address of MCP Resource Sink server for Galley to connect to. Ex: 'foo.com:1234' (default ``)
--sinkAuthMode <string>Name of authentication plugin to use for connection to sink server. (default ``)
--sinkMeta <stringSlice>Comma-separated list of key=values to attach as metadata to outgoing sink connections. Ex: 'key=value,key2=value2' (default `[]`)
--tlsCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/certs/cert-chain.pem`)
--tlsKeyFile <string>File containing the x509 private key matching --tlsCertFile. (default `/etc/certs/key.pem`)
--useOldProcessorUse the old processing pipeline for config processing
--validation-port <uint>HTTPS port of the validation service. (default `9443`)
--validation-webhook-config-file <string>File that contains k8s validatingwebhookconfiguration yaml. Required if enable-validation is true. (default ``)
--validation.tls.caCertificates <string>File containing the caBundle that signed the cert/key specified by --validation.tls.clientCertificate and --validation.tls.privateKey. (default ``)
--validation.tls.clientCertificate <string>File containing the x509 Certificate for HTTPS validation. (default ``)
--validation.tls.privateKey <string>File containing the x509 private key matching --validation.tls.clientCertificate. (default ``)
--watchConfigFilesEnable the Fsnotify for watching config source files on the disk and implicit signaling on a config change. Explicit signaling will still be enabled
--webhook-name <string>Name of the k8s validatingwebhookconfiguration (default `istio-galley`)
-

Accepts deep config files, like: -

general:
-  introspection:
-    address: --ctrlz_address
-    port: --ctrlz_port
-  kubeconfig: --kubeconfig
-processing:
-  domainsuffix: --domain
-  server:
-    address: --server-address
-    auth:
-      insecure: --insecure
-    enable: --enable-server
-validation:
-  deploymentname: --deployment-name
-  deploymentnamespace: --deployment-namespace
-  enable: --enable-validation
-  servicename: --service-name
-  tls:
-    caCertificates: --validation.tls.caCertificates
-    clientCertificate: --validation.tls.clientCertificate
-    privateKey: --validation.tls.privateKey
-  webhookconfigfile: --validation-webhook-config-file
-  webhookname: --webhook-name
-  webhookport: --validation-port
-
-
-

galley version

-

Prints out build version information

-
galley version [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--config <string>-cConfig file containing args (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
-

Environment variables

-These environment variables affect the behavior of the galley command. - - - - - - - - - - - - - - - - - - - - - - - -
Variable NameTypeDefault ValueDescription
AUTHZ_FAILURE_LOG_BURST_SIZEInteger1
AUTHZ_FAILURE_LOG_FREQTime Duration1m0s
-

Exported metrics

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Metric NameTypeDescription
galley_runtime_processor_event_span_duration_millisecondsDistributionThe duration between each incoming event
galley_runtime_processor_events_processed_totalCountThe number of events that have been processed
galley_runtime_processor_snapshot_events_totalDistributionThe number of events per snapshot
galley_runtime_processor_snapshot_lifetime_duration_millisecondsDistributionThe duration of each snapshot
galley_runtime_processor_snapshots_published_totalCountThe number of snapshots that have been published
galley_runtime_state_type_instances_totalLastValueThe number of type instances per type URL
galley_runtime_strategy_on_change_totalCountThe number of times the strategy's onChange has been called
galley_runtime_strategy_timer_max_time_reached_totalCountThe number of times the max time has been reached
galley_runtime_strategy_timer_quiesce_reached_totalCountThe number of times a quiesce has been reached
galley_runtime_strategy_timer_resets_totalCountThe number of times the timer has been reset
galley_source_kube_dynamic_converter_failure_totalCountThe number of times a dynamnic kubernetes source failed converting a resources
galley_source_kube_dynamic_converter_success_totalCountThe number of times a dynamic kubernetes source successfully converted a resource
galley_source_kube_event_error_totalCountThe number of times a kubernetes source encountered errored while handling an event
galley_source_kube_event_success_totalCountThe number of times a kubernetes source successfully handled an event
galley_validation_cert_key_update_errorsCountGalley validation webhook certificate updates errors
galley_validation_cert_key_updatesCountGalley validation webhook certificate updates
galley_validation_config_loadCountk8s webhook configuration (re)loads
galley_validation_config_load_errorCountk8s webhook configuration (re)load error
galley_validation_config_update_errorCountk8s webhook configuration update error
galley_validation_config_updatesCountk8s webhook configuration updates
galley_validation_failedCountResource validation failed
galley_validation_http_errorCountResource validation http serve errors
galley_validation_passedCountResource is valid
istio_buildLastValueIstio component build info
istio_mcp_clients_totalLastValueThe number of streams currently connected.
istio_mcp_message_sizes_bytesDistributionSize of messages received from clients.
istio_mcp_reconnectionsSumThe number of times the sink has reconnected.
istio_mcp_recv_failures_totalSumThe number of recv failures in the source.
istio_mcp_request_acks_totalSumThe number of request acks received by the source.
istio_mcp_request_nacks_totalSumThe number of request nacks received by the source.
istio_mcp_send_failures_totalSumThe number of send failures in the source.
diff --git a/content/zh/docs/reference/commands/install-cni/index.html b/content/zh/docs/reference/commands/install-cni/index.html new file mode 100644 index 0000000000000..75b7386708b9a --- /dev/null +++ b/content/zh/docs/reference/commands/install-cni/index.html @@ -0,0 +1,1463 @@ +--- +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO +source_repo: https://github.com/istio/istio +title: install-cni +description: Install and configure Istio CNI plugin on a node, detect and repair pod which is broken by race condition. +generator: pkg-collateral-docs +number_of_entries: 8 +max_toc_level: 2 +remove_toc_prefix: 'install-cni ' +--- +

Install and configure Istio CNI plugin on a node, detect and repair pod which is broken by race condition.

+
install-cni [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsDescription
--chained-cni-pluginWhether to install CNI plugin as a chained or standalone
--cni-conf-name <string>Name of the CNI configuration file (default ``)
--cni-enable-installWhether to install CNI configuration and binary files
--cni-enable-reinstallWhether to reinstall CNI configuration and binary files
--cni-net-dir <string>Directory on the host where CNI network plugins are installed (default `/etc/cni/net.d`)
--cni-network-config <string>CNI configuration template as a string (default ``)
--cni-network-config-file <string>CNI config template as a file (default ``)
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--kube-ca-file <string>CA file for kubeconfig. Defaults to the same as install-cni pod (default ``)
--kubecfg-file-name <string>Name of the kubeconfig file which CNI plugin will use when interacting with API server (default `ZZZ-istio-cni-kubeconfig`)
--kubeconfig-mode <int>File mode of the kubeconfig file (default `384`)
--log-level <string>Fallback value for log level in CNI config file, if not specified in helm template (default `warn`)
--log-uds-address <string>The UDS server address which CNI plugin will copy log ouptut to (default `/var/run/istio-cni/log.sock`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--monitoring-port <int>HTTP port to serve prometheus metrics (default `15014`)
--mounted-cni-net-dir <string>Directory on the container where CNI networks are installed (default `/host/etc/cni/net.d`)
--repair-broken-pod-label-key <string>The key portion of the label which will be set by the ace repair if label pods is true (default `cni.istio.io/uninitialized`)
--repair-broken-pod-label-value <string>The value portion of the label which will be set by the race repair if label pods is true (default `true`)
--repair-delete-podsController will delete pods when detecting pod broken by race condition
--repair-enabledWhether to enable race condition repair or not
--repair-field-selectors <string>A set of field selectors in label=value format that will be added to the pod list filters (default ``)
--repair-init-container-exit-code <int>Expected exit code for the init container when crash-looping because of CNI misconfiguration (default `126`)
--repair-init-container-name <string>The name of the istio init container (will crash-loop if CNI is not configured for the pod) (default `istio-validation`)
--repair-init-container-termination-message <string>The expected termination message for the init container when crash-looping because of CNI misconfiguration (default ``)
--repair-label-podsController will label pods when detecting pod broken by race condition
--repair-label-selectors <string>A set of label selectors in label=value format that will be added to the pod list filters (default ``)
--repair-node-name <string>The name of the managed node (will manage all nodes if unset) (default ``)
--repair-run-as-daemonController will run in a loop
--repair-sidecar-annotation <string>An annotation key that indicates this pod contains an istio sidecar. All pods without this annotation will be ignored.The value of the annotation is ignored. (default `sidecar.istio.io/status`)
--skip-cni-binaries <istio-cni>Binaries that should not be installed. Currently Istio only installs one binary istio-cni (default `[]`)
--skip-tls-verifyWhether to use insecure TLS in kubeconfig file
--update-cni-binariesWhether to refresh existing binaries when installing CNI
+

install-cni completion

+

Generate the autocompletion script for install-cni for the specified shell. +See each sub-command's help for details on how to use the generated script. +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsDescription
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
+

install-cni completion bash

+

Generate the autocompletion script for the bash shell.

+

This script depends on the 'bash-completion' package. +If it is not installed already, you can install it via your OS's package manager.

+

To load completions in your current shell session:

+

source <(install-cni completion bash)

+

To load completions for every new session, execute once:

+

#### Linux:

+

install-cni completion bash > /etc/bash_completion.d/install-cni

+

#### macOS:

+

install-cni completion bash > /usr/local/etc/bash_completion.d/install-cni

+

You will need to start a new shell for this setup to take effect. +

+
install-cni completion bash
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsDescription
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--no-descriptionsdisable completion descriptions
+

install-cni completion fish

+

Generate the autocompletion script for the fish shell.

+

To load completions in your current shell session:

+

install-cni completion fish | source

+

To load completions for every new session, execute once:

+

install-cni completion fish > ~/.config/fish/completions/install-cni.fish

+

You will need to start a new shell for this setup to take effect. +

+
install-cni completion fish [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsDescription
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--no-descriptionsdisable completion descriptions
+

install-cni completion powershell

+

Generate the autocompletion script for powershell.

+

To load completions in your current shell session:

+

install-cni completion powershell | Out-String | Invoke-Expression

+

To load completions for every new session, add the output of the above command +to your powershell profile. +

+
install-cni completion powershell [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsDescription
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--no-descriptionsdisable completion descriptions
+

install-cni completion zsh

+

Generate the autocompletion script for the zsh shell.

+

If shell completion is not already enabled in your environment you will need +to enable it. You can execute the following once:

+

echo "autoload -U compinit; compinit" >> ~/.zshrc

+

To load completions for every new session, execute once:

+

#### Linux:

+

install-cni completion zsh > "${fpath[1]}/_install-cni"

+

#### macOS:

+

install-cni completion zsh > /usr/local/share/zsh/site-functions/_install-cni

+

You will need to start a new shell for this setup to take effect. +

+
install-cni completion zsh [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsDescription
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--no-descriptionsdisable completion descriptions
+

install-cni version

+

Prints out build version information

+
install-cni version [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, default, install, klog, repair] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, default, install, klog, repair] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
+

Environment variables

+These environment variables affect the behavior of the install-cni command. Please use with caution as these environment variables are experimental and can change anytime. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Variable NameTypeDefault ValueDescription
AUTO_RELOAD_PLUGIN_CERTSBooleanfalseIf enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.
CERT_SIGNER_DOMAINStringThe cert signer domain info
CHAINED_CNI_PLUGINBooleantrueWhether to install CNI plugin as a chained or standalone
CLUSTER_IDStringKubernetesDefines the cluster and service registry that this Istiod instance is belongs to
CNI_CONF_NAMEStringName of the CNI configuration file
CNI_ENABLE_INSTALLBooleantrueWhether to install CNI configuration and binary files
CNI_ENABLE_REINSTALLBooleantrueWhether to reinstall CNI configuration and binary files
CNI_NETWORK_CONFIGStringCNI configuration template as a string
CNI_NETWORK_CONFIG_FILEStringCNI config template as a file
CNI_NET_DIRString/etc/cni/net.dDirectory on the host where CNI network plugins are installed
ENABLE_AUTO_MTLS_CHECK_POLICIESBooleantrueEnable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.
ENABLE_AUTO_SNIBooleanfalseIf enabled, automatically set SNI when `DestinationRules` do not specify the same
ENABLE_CA_SERVERBooleantrueIf this is set to false, will not create CA server in istiod.
ENABLE_DEBUG_ON_HTTPBooleantrueIf this is set to false, the debug interface will not be enabled, recommended for production
ENABLE_LEGACY_FSGROUP_INJECTIONBooleantrueIf true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is "first-party-jwt".
ENABLE_LEGACY_LB_ALGORITHM_DEFAULTBooleanfalseIf enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.
ENABLE_MCS_AUTO_EXPORTBooleanfalseIf enabled, istiod will automatically generate Kubernetes Multi-Cluster Services (MCS) ServiceExport resources for every service in the mesh. Services defined to be cluster-local in MeshConfig are excluded.
ENABLE_MCS_CLUSTER_LOCALBooleanfalseIf enabled, istiod will treat the host `<svc>.<namespace>.svc.cluster.local` as defined by the Kubernetes Multi-Cluster Services (MCS) spec. In this mode, requests to `cluster.local` will be routed to only those endpoints residing within the same cluster as the client. Requires that both ENABLE_MCS_SERVICE_DISCOVERY and ENABLE_MCS_HOST also be enabled.
ENABLE_MCS_HOSTBooleanfalseIf enabled, istiod will configure a Kubernetes Multi-Cluster Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) for each service exported (via ServiceExport) in at least one cluster. Clients must, however, be able to successfully lookup these DNS hosts. That means that either Istio DNS interception must be enabled or an MCS controller must be used. Requires that ENABLE_MCS_SERVICE_DISCOVERY also be enabled.
ENABLE_MCS_SERVICE_DISCOVERYBooleanfalseIf enabled, istiod will enable Kubernetes Multi-Cluster Services (MCS) service discovery mode. In this mode, service endpoints in a cluster will only be discoverable within the same cluster unless explicitly exported via ServiceExport.
ENABLE_MULTICLUSTER_HEADLESSBooleantrueIf true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster.
ENABLE_TLS_ON_SIDECAR_INGRESSBooleanfalseIf enabled, the TLS configuration on Sidecar.ingress will take effect
ENABLE_WASM_TELEMETRYBooleanfalseIf enabled, Wasm-based telemetry will be enabled.
EXTERNAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
INJECTION_WEBHOOK_CONFIG_NAMEStringistio-sidecar-injectorName of the mutatingwebhookconfiguration to patch, if istioctl is not used.
ISTIOD_CUSTOM_HOSTStringCustom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas.
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSIONBooleantrueIf enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file.
ISTIO_DEFAULT_REQUEST_TIMEOUTTime Duration0sDefault Http and gRPC Request timeout
ISTIO_DELTA_XDSBooleanfalseIf enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
ISTIO_GATEWAY_STRIP_HOST_PORTBooleanfalseIf enabled, Gateway will remove any port from host/authority header before any processing of request by HTTP filters or routing.
ISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
ISTIO_MULTIROOT_MESHBooleanfalseIf enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS
ISTIO_OUTBOUND_OWNER_GROUPSString*Comma separated list of groups whose outgoing traffic is to be redirected to Envoy. +A group can be specified either by name or by a numeric GID. +The wildcard character "*" can be used to configure redirection of traffic from all groups.
ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDEStringComma separated list of groups whose outgoing traffic is to be excluded from redirection to Envoy. +A group can be specified either by name or by a numeric GID. +Only applies when traffic from all groups (i.e. "*") is being redirected to Envoy.
JWT_POLICYStringthird-party-jwtThe JWT validation policy.
KUBECFG_FILE_NAMEStringZZZ-istio-cni-kubeconfigName of the kubeconfig file which CNI plugin will use when interacting with API server
KUBECONFIG_MODEInteger384File mode of the kubeconfig file
KUBE_CA_FILEStringCA file for kubeconfig. Defaults to the same as install-cni pod
LOG_LEVELStringwarnFallback value for log level in CNI config file, if not specified in helm template
LOG_UDS_ADDRESSString/var/run/istio-cni/log.sockThe UDS server address which CNI plugin will copy log ouptut to
MCS_API_GROUPStringmulticluster.x-k8s.ioThe group to be used for the Kubernetes Multi-Cluster Services (MCS) API.
MCS_API_VERSIONStringv1alpha1The version to be used for the Kubernets Multi-Cluster Services (MCS) API.
MONITORING_PORTInteger15014HTTP port to serve prometheus metrics
MOUNTED_CNI_NET_DIRString/host/etc/cni/net.dDirectory on the container where CNI networks are installed
PILOT_ANALYSIS_INTERVALTime Duration10sIf analysis is enabled, pilot will run istio analyzers using this value as interval in seconds Istio Resources
PILOT_CERT_PROVIDERStringistiodThe provider of Pilot DNS certificate.
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this interval. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_ENABLE_ALPN_FILTERBooleantrueIf true, pilot will add Istio ALPN filters, required for proper protocol sniffing.
PILOT_ENABLE_ANALYSISBooleanfalseIf enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_ENABLE_CDS_CACHEBooleantrueIf true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKINGBooleantrueIf enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRYBooleantrueIf enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.
PILOT_ENABLE_DESTINATION_RULE_INHERITANCEBooleanfalseIf set, workload specific DestinationRules will inherit configurations settings from mesh and namespace level rules
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_GATEWAY_APIBooleantrueIf this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLERBooleantrueIf this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc
PILOT_ENABLE_GATEWAY_API_STATUSBooleantrueIf this is set to true, gateway-api resources will have status written to them
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERSBooleantrueIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_INBOUND_PASSTHROUGHBooleantrueIf enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.
PILOT_ENABLE_ISTIO_TAGSBooleantrueDetermines whether or not trace spans generated by Envoy will include Istio-specific tags.
PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGHBooleanfalseIf enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.
PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAMEBooleanfalseIf enabled, Gateway's with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.
PILOT_ENABLE_METADATA_EXCHANGEBooleantrueIf true, pilot will add metadata exchange filters, which will be consumed by telemetry filter.
PILOT_ENABLE_MONGO_FILTERBooleantrueEnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain.
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUNDBooleantrueIf enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUNDBooleantrueIf enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_QUIC_LISTENERSBooleanfalseIf true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP)
PILOT_ENABLE_RDS_CACHEBooleantrueIf true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_REDIS_FILTERBooleanfalseEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATIONBooleantrueIf true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization.
PILOT_ENABLE_SERVICEENTRY_SELECT_PODSBooleantrueIf enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter.
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATIONBooleantrueEnables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKSBooleantrueEnables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup
PILOT_ENABLE_XDS_CACHEBooleantrueIf true, Pilot will cache XDS responses.
PILOT_ENABLE_XDS_IDENTITY_CHECKBooleantrueIf enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.
PILOT_ENDPOINT_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.
PILOT_ENVOY_FILTER_STATSBooleanfalseIf true, Pilot will collect metrics for envoy filter operations.
PILOT_FILTER_GATEWAY_CLUSTER_CONFIGBooleanfalseIf enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
PILOT_FLOW_CONTROL_TIMEOUTTime Duration15sIf set, the max amount of time to delay a push by. Depends on PILOT_ENABLE_FLOW_CONTROL.
PILOT_HTTP10BooleanfalseEnables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUTTime Duration1sProtocol detection timeout for inbound listener
PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONSStringComma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication.Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), `clientKey`, `clientCertificate`, `tokenFile`, and `exec`.
PILOT_JWT_ENABLE_REMOTE_JWKSBooleanfalseIf enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL and configures remote Jwks to let Envoy fetch the Jwks instead of Istiod.
PILOT_JWT_PUB_KEY_REFRESH_INTERVALTime Duration20m0sThe interval for istiod to fetch the jwks_uri for the jwks public key.
PILOT_LEGACY_INGRESS_BEHAVIORBooleanfalseIf this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.
PILOT_MAX_REQUESTS_PER_SECONDFloating-Point25Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.
PILOT_PARTIAL_FULL_PUSHESBooleantrueIf enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
PILOT_REMOTE_CLUSTER_TIMEOUTTime Duration30sAfter this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior.
PILOT_SCOPE_GATEWAY_TO_NAMESPACEBooleanfalseIf enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SEND_UNHEALTHY_ENDPOINTSBooleantrueIf enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing.
PILOT_SIDECAR_USE_REMOTE_ADDRESSBooleanfalseUseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.
PILOT_SKIP_VALIDATE_TRUST_DOMAINBooleanfalseSkip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_STATUS_BURSTInteger500If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_MAX_WORKERSInteger100The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments.
PILOT_STATUS_QPSFloating-Point100If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PILOT_STATUS_UPDATE_INTERVALTime Duration500msInterval to update the XDS distribution status.
PILOT_TRACE_SAMPLINGFloating-Point1Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0.
PILOT_USE_ENDPOINT_SLICEBooleanfalseIf enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
PILOT_WORKLOAD_ENTRY_GRACE_PERIODTime Duration10sThe amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.
PILOT_XDS_CACHE_SIZEInteger60000The maximum number of cache entries for the XDS cache.
PILOT_XDS_CACHE_STATSBooleanfalseIf true, Pilot will collect metrics for XDS cache efficiency.
PILOT_XDS_SEND_TIMEOUTTime Duration0sThe timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
PRIORITIZED_LEADER_ELECTIONBooleantrueIf enabled, the default revision will steal leader locks from non-default revisions
REPAIR_BROKEN_POD_LABEL_KEYStringcni.istio.io/uninitializedThe key portion of the label which will be set by the ace repair if label pods is true
REPAIR_BROKEN_POD_LABEL_VALUEStringtrueThe value portion of the label which will be set by the race repair if label pods is true
REPAIR_DELETE_PODSBooleanfalseController will delete pods when detecting pod broken by race condition
REPAIR_ENABLEDBooleantrueWhether to enable race condition repair or not
REPAIR_FIELD_SELECTORSStringA set of field selectors in label=value format that will be added to the pod list filters
REPAIR_INIT_CONTAINER_EXIT_CODEInteger126Expected exit code for the init container when crash-looping because of CNI misconfiguration
REPAIR_INIT_CONTAINER_NAMEStringistio-validationThe name of the istio init container (will crash-loop if CNI is not configured for the pod)
REPAIR_INIT_CONTAINER_TERMINATION_MESSAGEStringThe expected termination message for the init container when crash-looping because of CNI misconfiguration
REPAIR_LABEL_PODSBooleanfalseController will label pods when detecting pod broken by race condition
REPAIR_LABEL_SELECTORSStringA set of label selectors in label=value format that will be added to the pod list filters
REPAIR_NODE_NAMEStringThe name of the managed node (will manage all nodes if unset)
REPAIR_RUN_AS_DAEMONBooleanfalseController will run in a loop
REPAIR_SIDECAR_ANNOTATIONStringsidecar.istio.io/statusAn annotation key that indicates this pod contains an istio sidecar. All pods without this annotation will be ignored.The value of the annotation is ignored.
RESOLVE_HOSTNAME_GATEWAYSBooleantrueIf true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways.
REWRITE_TCP_PROBESBooleantrueIf false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.
SHARED_MESH_CONFIGStringAdditional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.
SKIP_CNI_BINARIESStringBinaries that should not be installed. Currently Istio only installs one binary `istio-cni`
SKIP_TLS_VERIFYBooleanfalseWhether to use insecure TLS in kubeconfig file
SPIFFE_BUNDLE_ENDPOINTSStringThe SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar
UNSAFE_ENABLE_ADMIN_ENDPOINTSBooleanfalseIf this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.
UNSAFE_PILOT_ENABLE_DELTA_TESTBooleanfalseIf enabled, addition runtime tests for Delta XDS efficiency are added. These checks are extremely expensive, so this should be used only for testing, not production.
UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONSBooleanfalseIf enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing.
UPDATE_CNI_BINARIESBooleantrueWhether to refresh existing binaries when installing CNI
VALIDATION_WEBHOOK_CONFIG_NAMEStringistio-istio-systemName of the validatingwebhookconfiguration to patch. Empty will skip using cluster admin to patch.
VERIFY_CERTIFICATE_AT_CLIENTBooleanfalseIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
VERIFY_SDS_CERTIFICATEBooleantrueIf enabled, certificates fetched from SDS server will be verified before sending back to proxy.
XDS_AUTHBooleantrueIf true, will authenticate XDS clients.
+

Exported metrics

+ + + + + + + + + + +
Metric NameTypeDescription
istio_buildLastValueIstio component build info
istio_cni_install_readyLastValueWhether the CNI plugin installation is ready or not
istio_cni_installs_totalSumTotal number of CNI plugins installed by the Istio CNI installer
istio_cni_repair_pods_repaired_totalSumTotal number of pods repaired by repair controller
diff --git a/content/zh/docs/reference/commands/istio_ca/index.html b/content/zh/docs/reference/commands/istio_ca/index.html
deleted file mode 100644
index 1877781d44383..0000000000000
--- a/content/zh/docs/reference/commands/istio_ca/index.html
+++ /dev/null
@@ -1,414 +0,0 @@
----
-WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO
-source_repo: https://github.com/istio/istio
-title: istio_ca
-description: Istio Certificate Authority (CA).
-generator: pkg-collateral-docs
-number_of_entries: 4
-max_toc_level: 2
-remove_toc_prefix: 'istio_ca '
----
-

Istio Certificate Authority (CA).

-
istio_ca [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--append-dns-namesAppend DNS names to the certificates for webhook services.
--cert-chain <string>Path to the certificate chain file. (default ``)
--citadel-storage-namespace <string>Namespace where the Citadel pod is running. Will not be used if explicit file or other storage mechanism is specified. (default `istio-system`)
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--custom-dns-names <string>The list of account.namespace:customdns names, separated by comma. (default ``)
--enable-profilingEnabling profiling when monitoring Citadel.
--experimental-dual-useEnable dual-use mode. Generates certificates with a CommonName identical to the SAN.
--grpc-host-identities <string>The list of hostnames for istio ca server, separated by comma. (default `istio-ca,istio-citadel`)
--grpc-port <int>The port number for Citadel GRPC server. If unspecified, Citadel will not serve GRPC requests. (default `8060`)
--key-size <int>Size of generated private key. (default `2048`)
--kube-config <string>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)
--listened-namespaces <string>Select the namespaces for the Citadel to listen to, separated by comma. If unspecified, Citadel tries to use the ${NAMESPACE} environment variable. If neither is set, Citadel listens to all namespaces. (default ``)
--liveness-probe-interval <duration>Interval of updating file for the liveness probe. (default `0s`)
--liveness-probe-path <string>Path to the file for the liveness probe. (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--max-workload-cert-ttl <duration>The max TTL of issued workload certificates. (default `2160h0m0s`)
--monitoring-port <int>The port number for monitoring Citadel. If unspecified, Citadel will disable monitoring. (default `15014`)
--org <string>Organization for the certificate. (default ``)
--pkcs8-keysWhether to generate PKCS#8 private keys.
--probe-check-interval <duration>Interval of checking the liveness of the CA. (default `30s`)
--read-signing-cert-onlyWhen set, Citadel only reads the self-signed signing cert and key from Kubernetes secret without generating one (if not exist). This flag avoids racing condition between multiple Citadels generating self-signed key and cert. Please make sure one and only one Citadel instance has this flag set to false.
--requested-ca-cert-ttl <duration>The requested TTL for the CA certificate. (default `8760h0m0s`)
--root-cert <string>Path to the root certificate file. (default ``)
--sds-enabledWhether SDS is enabled.
--self-signed-caIndicates whether to use auto-generated self-signed CA certificate. When set to true, the '--signing-cert' and '--signing-key' options are ignored.
--server-onlyWhen set, Citadel only serves as a server without writing the Kubernetes secrets.
--sign-ca-certsWhether Citadel signs certificates for other CAs.
--signing-cert <string>Path to the CA signing certificate file. (default ``)
--signing-key <string>Path to the CA signing key file. (default ``)
--trust-domain <string>The domain serves to identify the system with SPIFFE. (default ``)
--upstream-ca-address <string>The IP:port address of the upstream CA. When set, the CA will rely on the upstream Citadel to provision its own certificate. (default ``)
--workload-cert-grace-period-ratio <float32>The workload certificate rotation grace period, as a ratio of the workload certificate TTL. (default `0.5`)
--workload-cert-ttl <duration>The TTL of issued workload certificates. (default `2160h0m0s`)
-

istio_ca probe

-

Check the liveness or readiness of a locally-running server

-
istio_ca probe [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--interval <duration>Duration used for checking the target file's last modified time. (default `0s`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--probe-path <string>Path of the file for checking the availability. (default ``)
-

istio_ca version

-

Prints out build version information

-
istio_ca version [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
-

Environment variables

-These environment variables affect the behavior of the istio_ca command. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Variable NameTypeDefault ValueDescription
CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATORBooleantrueIf true, set up a jitter to start root cert rotator. Jitter selects a backoff time in seconds to start root cert rotator, and the back off time is below root cert check interval.
CITADEL_ENABLE_NAMESPACES_BY_DEFAULTBooleantrueDetermines whether unlabeled namespaces should be targeted by this Citadel instance
CITADEL_SELF_SIGNED_CA_CERT_TTLTime Duration87600h0m0sThe TTL of self-signed CA root certificate.
CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVALTime Duration1h0m0sThe interval that self-signed CA checks its root certificate expiration time and rotates root certificate. Setting this interval to zero or a negative value disables automated root cert check and rotation. This interval is suggested to be larger than 10 minutes.
CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILEInteger20Grace period percentile for self-signed root cert.
CITADEL_WORKLOAD_CERT_MIN_GRACE_PERIODTime Duration10m0sThe minimum workload certificate rotation grace period.
NAMESPACEString
-

Exported metrics

- - - - - - - - - - - - - - - - - - - -
Metric NameTypeDescription
citadel_secret_controller_csr_err_countSumThe number of errors occurred when creating the CSR.
citadel_secret_controller_csr_sign_err_countSumThe number of errors occurred when signing the CSR.
citadel_secret_controller_secret_deleted_cert_countSumThe number of certificates recreated due to secret deletion (service account still exists).
citadel_secret_controller_svc_acc_created_cert_countSumThe number of certificates created due to service account creation.
citadel_secret_controller_svc_acc_deleted_cert_countSumThe number of certificates deleted due to service account deletion.
citadel_server_authentication_failure_countSumThe number of authentication failures.
citadel_server_csr_countSumThe number of CSRs received by Citadel server.
citadel_server_csr_parsing_err_countSumThe number of errors occurred when parsing the CSR.
citadel_server_csr_sign_err_countSumThe number of errors occurred when signing the CSR.
citadel_server_id_extraction_err_countSumThe number of errors occurred when extracting the ID from CSR.
citadel_server_root_cert_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.
citadel_server_success_cert_issuance_countSumThe number of certificates issuances that have succeeded.
istio_buildLastValueIstio component build info
diff --git a/content/zh/docs/reference/commands/istioctl/index.html b/content/zh/docs/reference/commands/istioctl/index.html
index b8604b7ffa9a4..4e6aed19ae6dd 100644
--- a/content/zh/docs/reference/commands/istioctl/index.html
+++ b/content/zh/docs/reference/commands/istioctl/index.html
@@ -4,7 +4,7 @@
 title: istioctl
 description: Istio control interface.
 generator: pkg-collateral-docs
-number_of_entries: 75
+number_of_entries: 99
 max_toc_level: 2
 remove_toc_prefix: 'istioctl '
 ---
@@ -36,21 +36,24 @@
 Kubernetes configuration file (default ``) ---log_output_level <string> - -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`) - - --namespace <string> -n Config namespace (default ``) + +--vklog <Level> + +number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) + -

istioctl analyze

-

Analyze Istio configuration and print validation messages

-
istioctl analyze <file>... [flags]
+

istioctl admin

+

A group of commands used to manage istiod configuration

+
istioctl admin [flags]
 
+
+
istioctl istiod [flags]
+
@@ -61,31 +64,11 @@

istioctl analyze

- - - - - - - - - - - - - - - - - - - - @@ -96,73 +79,33 @@

istioctl analyze

- - - - - - - - - - - - - - - - - - + + + - + - - - - - - - - - - - +
--all-namespacesAnalyze all namespaces
--colorDefault true. Disable with '=false' or set $TERM to dumb
--context <string> The name of the kubeconfig context to use (default ``)
--discovery-d'true' to enable service discovery, 'false' to disable it. Defaults to true if --use-kube is set, false otherwise. Analyzers requiring resources made available by enabling service discovery will be skipped.
--failure-threshold <Level>The severity level of analysis at which to set a non-zero exit code. Valid values: [Info Warn Error] (default `Warn`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--list-analyzers-LList the analyzers available to run. Suppresses normal execution.
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--meshConfigFile <string>Overrides the mesh config values to use for analysis. (default ``)
--namespace <string> -n Config namespace (default ``)
--output <string>-oOutput format: one of [log json yaml] (default `log`)--selector <string>-llabel selector (default `app=istiod`)
--output-threshold <Level>--vklog <Level> The severity level of analysis at which to display messages. Valid values: [Info Warn Error] (default `Info`)
--use-kube-kUse live Kubernetes cluster for analysis
--verbose-vEnable verbose output number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-

-# Analyze yaml files
-istioctl analyze a.yaml b.yaml
-
-# Analyze the current live cluster
-istioctl analyze -k
-
-# Analyze the current live cluster, simulating the effect of applying additional yaml files
-istioctl analyze -k a.yaml b.yaml
-
-# Analyze yaml files, overriding service discovery to enabled
-istioctl analyze -d true a.yaml b.yaml services.yaml
-
-# Analyze the current live cluster, overriding service discovery to disabled
-istioctl analyze -k -d false
-
-# List available analyzers
-istioctl analyze -L
-
+

Examples

+
  # Retrieve information about istiod configuration.
+  istioctl admin log
 
-

istioctl authn

-

-A group of commands used to interact with Istio authentication policies. - tls-check -

+

istioctl admin log

+

Retrieve or update logging levels of istiod components.

+
istioctl admin log [<pod-name>] [--level <scope>:<level>][--stack-trace-level <scope>:<level>]|[-r|--reset]|[--output|-o short|yaml] [flags]
+
+
+
istioctl admin l [<pod-name>] [--level <scope>:<level>][--stack-trace-level <scope>:<level>]|[-r|--reset]|[--output|-o short|yaml] [flags]
+
@@ -178,6 +121,11 @@

istioctl authn

+ + + + + @@ -188,27 +136,59 @@

istioctl authn

- + - + + + + + + + + + + + + + + + + + + + + + + + + + +
The name of the kubeconfig context to use (default ``)
--ctrlz_port <int>ControlZ port (default `9876`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>--level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)Comma-separated list of output logging level for scopes in format <scope>:<level>[,<scope>:<level>,...]Possible values for <level>: none, error, warn, info, debug (default ``)
--namespace <string> -n Config namespace (default ``)
--output <string>-oOutput format: one of json|short (default `short`)
--reset-rReset levels to default value. (info)
--selector <string>-llabel selector (default `app=istiod`)
--stack-trace-level <string>Comma-separated list of stack trace level for scopes in format <scope>:<stack-trace-level>[,<scope>:<stack-trace-level>,...] Possible values for <stack-trace-level>: none, error, warn, info, debug (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
# Check whether TLS setting are matching between authentication policy and destination rules:
-istioctl authn tls-check
+

Examples

+
  # Retrieve information about istiod logging levels.
+  istioctl admin log
+
+  # Retrieve information about istiod logging levels on a specific control plane pod.
+  istioctl admin l istiod-5c868d8bdd-pmvgg
+
+  # Update levels of the specified loggers.
+  istioctl admin log --level ads:debug,authorization:debug
+
+  # Reset levels of all the loggers to default value (info).
+  istioctl admin log -r
+
 
-

istioctl authn tls-check

-

-Check what authentication policies and destination rules pilot uses to config a proxy instance, -and check if TLS settings are compatible between them. -

-
istioctl authn tls-check <pod-name[.namespace]> [<service>] [flags]
+

istioctl analyze

+

Analyze Istio configuration and print validation messages

+
istioctl analyze <file>... [flags]
 
@@ -220,11 +200,31 @@

istioctl authn tls-check

+ + + + + + + + + + + + + + + + + + + + @@ -235,26 +235,84 @@

istioctl authn tls-check

- + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
--all-namespaces-AAnalyze all namespaces
--colorDefault true. Disable with '=false' or set $TERM to dumb
--context <string> The name of the kubeconfig context to use (default ``)
--failure-threshold <Level>The severity level of analysis at which to set a non-zero exit code. Valid values: [Info Warning Error] (default `Error`)
--ignore-unknownDon't complain about un-parseable input documents, for cases where analyze should run only on k8s compliant inputs.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>--list-analyzers-LList the analyzers available to run. Suppresses normal execution.
--meshConfigFile <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)Overrides the mesh config values to use for analysis. (default ``)
--namespace <string> -n Config namespace (default ``)
--output <string>-oOutput format: one of [log json yaml] (default `log`)
--output-threshold <Level>The severity level of analysis at which to display messages. Valid values: [Info Warning Error] (default `Info`)
--recursive-RProcess directory arguments recursively. Useful when you want to analyze related manifests organized within the same directory.
--suppress <stringArray>-SSuppress reporting a message code on a specific resource. Values are supplied in the form <code>=<resource> (e.g. '--suppress "IST0102=DestinationRule primary-dr.default"'). Can be repeated. You can include the wildcard character '*' to support a partial match (e.g. '--suppress "IST0102=DestinationRule *.default" ). (default `[]`)
--timeout <duration>The duration to wait before failing (default `30s`)
--use-kube-kUse live Kubernetes cluster for analysis. Set --use-kube=false to analyze files only.
--verbose-vEnable verbose output
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-

-# Check settings for pod "foo-656bd7df7c-5zp4s" in namespace default:
-istioctl authn tls-check foo-656bd7df7c-5zp4s.default
+

Examples

+
  # Analyze the current live cluster
+  istioctl analyze
+
+  # Analyze the current live cluster, simulating the effect of applying additional yaml files
+  istioctl analyze a.yaml b.yaml my-app-config/
+
+  # Analyze the current live cluster, simulating the effect of applying a directory of config recursively
+  istioctl analyze --recursive my-istio-config/
 
-# Check settings for pod "foo-656bd7df7c-5zp4s" in namespace default, filtered on destination
-service "bar" :
-istioctl authn tls-check foo-656bd7df7c-5zp4s.default bar
+  # Analyze yaml files without connecting to a live cluster
+  istioctl analyze --use-kube=false a.yaml b.yaml my-app-config/
 
+  # Analyze the current live cluster and suppress PodMissingProxy for pod mypod in namespace 'testing'.
+  istioctl analyze -S "IST0103=Pod mypod.testing"
+
+  # Analyze the current live cluster and suppress PodMissingProxy for all pods in namespace 'testing',
+  # and suppress MisplacedAnnotation on deployment foobar in namespace default.
+  istioctl analyze -S "IST0103=Pod *.testing" -S "IST0107=Deployment foobar.default"
+
+  # List available analyzers
+  istioctl analyze -L
 

istioctl authz

(authz is experimental. Use `istioctl experimental authz`)

@@ -285,20 +343,30 @@

istioctl authz

Kubernetes configuration file (default ``) ---log_output_level <string> - -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`) - - --namespace <string> -n Config namespace (default ``) + +--vklog <Level> + +number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) + -

istioctl convert-ingress

-

Converts Ingresses into VirtualService configuration on a best effort basis. The output should be considered a starting point for your Istio configuration and probably require some minor modification. Warnings will be generated where configs cannot be converted perfectly. The input must be a Kubernetes Ingress. The conversion of v1alpha1 Istio rules has been removed from istioctl.

-
istioctl convert-ingress [flags]
+

istioctl bug-report

+

bug-report selectively captures cluster information and logs into an archive to help diagnose problems. +Proxy logs can be filtered using: + --include|--exclude ns1,ns2.../dep1,dep2.../pod1,pod2.../lbl1=val1,lbl2=val2.../ann1=val1,ann2=val2.../cntr1,cntr... +where ns=namespace, dep=deployment, lbl=label, ann=annotation, cntr=container

+

The filter spec is interpreted as 'must be in (ns1 OR ns2) AND (dep1 OR dep2) AND (cntr1 OR cntr2)...' +The log will be included only if the container matches at least one include filter and does not match any exclude filters. +All parts of the filter are optional and can be omitted e.g. ns1//pod1 filters only for namespace ns1 and pod1. +All names except label and annotation keys support '*' glob matching pattern.

+

e.g. +--include ns1,ns2 (only namespaces ns1 and ns2) +--include n*//p*/l=v* (pods with name beginning with 'p' in namespaces beginning with 'n' and having label 'l' with value beginning with 'v'.)

+
istioctl bug-report [flags]
 
@@ -315,61 +383,59 @@

istioctl convert-ingress

- - - + + + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - -
The name of the kubeconfig context to use (default ``)
--filenames <stringSlice>-fInput filenames (default `[]`)--critical-errs <stringSlice>List of comma separated glob patterns to match against log error strings. If any pattern matches an error in the log, the logs is given the highest priority for archive inclusion. (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)--dir <string>Set a specific directory for temporary artifact storage. (default ``)
--kubeconfig <string>-cKubernetes configuration file (default ``)--dry-runOnly log commands that would be run, don't fetch or write.
--log_output_level <string>--duration <duration> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)How far to go back in time from end-time for log entries to include in the archive. Default is infinity. If set, --start-time must be unset. (default `0s`)
--namespace <string>-nConfig namespace (default ``)--end-time <string>End time for the range of log entries to include in the archive. Default is now. (default ``)
--output <string>-oOutput filename (default `-`)--exclude <stringSlice>Spec for which pod's proxy logs to exclude from the archive, after the include spec is processed. See above for format and examples. (default `["kube-node-lease,kube-public,kube-system,local-path-storage"]`)
-

Examples

-
istioctl convert-ingress -f samples/bookinfo/platform/kube/bookinfo-ingress.yaml
-
-

istioctl dashboard

-

Access to Istio web UIs

-
istioctl dashboard [flags]
-
-
-
istioctl dash [flags]
-istioctl d [flags]
-
- - - - - + + + - - - + - + + + + + + + + + + + + + + + + @@ -382,20 +448,30 @@

istioctl dashboard

- - - - - + + + + + + + + + + + + + + +
FlagsShorthandDescription--filename <string>-fPath to a file containing configuration in YAML format. The file contents are applied over the default values and flag settings, with lists being replaced per JSON merge semantics. (default ``)
--context <string>--full-secrets The name of the kubeconfig context to use (default ``)If set, secret contents are included in output.
--ignore-errs <stringSlice>List of comma separated glob patterns to match against log error strings. Any error matching these patterns is ignored when calculating the log importance heuristic. (default `[]`)
--include <stringSlice>Spec for which pod's proxy logs to include in the archive. See above for format and examples. (default `[]`)
--istio-namespace <string>Namespace where Istio control plane is installed. (default `istio-system`)
--istioNamespace <string> Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--start-time <string>Start time for the range of log entries to include in the archive. Default is the infinite past. If set, --duration must be unset. (default ``)
--timeout <duration>Maximum amount of time to spend fetching logs. When timeout is reached only the logs captured so far are saved to the archive. (default `30m0s`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl dashboard controlz

-

Open the ControlZ web UI for a pod in the Istio control plane

-
istioctl dashboard controlz <pod-name[.namespace]> [flags]
+

istioctl bug-report version

+

Prints out build version information

+
istioctl bug-report version [flags]
 
@@ -409,60 +485,62 @@

istioctl dashboard controlz

- + - + - + - - - + + + - - - + + + - + - + - - - + + + - - - + + + - -
--context <string> The name of the kubeconfig context to use (default ``)Name of the kubeconfig Context to use. (default ``)
--ctrlz_port <int>--critical-errs <stringSlice> ControlZ port (default `9876`)List of comma separated glob patterns to match against log error strings. If any pattern matches an error in the log, the logs is given the highest priority for archive inclusion. (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)--dir <string>Set a specific directory for temporary artifact storage. (default ``)
--kubeconfig <string>-cKubernetes configuration file (default ``)--dry-runOnly log commands that would be run, don't fetch or write.
--log_output_level <string>--duration <duration> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)How far to go back in time from end-time for log entries to include in the archive. Default is infinity. If set, --start-time must be unset. (default `0s`)
--namespace <string>-nConfig namespace (default ``)--end-time <string>End time for the range of log entries to include in the archive. Default is now. (default ``)
--selector <string>-llabel selector (default ``)--exclude <stringSlice>Spec for which pod's proxy logs to exclude from the archive, after the include spec is processed. See above for format and examples. (default `["kube-node-lease,kube-public,kube-system,local-path-storage"]`)
-

Examples

-
istioctl dashboard controlz pilot-123-456.istio-system
-
-

istioctl dashboard envoy

-

Open the Envoy admin dashboard for a sidecar

-
istioctl dashboard envoy <pod-name[.namespace]> [flags]
-
- - - - - + + + - - - + - + + + + + + + + + + + + + + + + @@ -472,12 +550,7 @@

istioctl dashboard envoy

- - - - - - + @@ -485,62 +558,36 @@

istioctl dashboard envoy

- - - + + + - -
FlagsShorthandDescription--filename <string>-fPath to a file containing configuration in YAML format. The file contents are applied over the default values and flag settings, with lists being replaced per JSON merge semantics. (default ``)
--context <string>--full-secrets The name of the kubeconfig context to use (default ``)If set, secret contents are included in output.
--ignore-errs <stringSlice>List of comma separated glob patterns to match against log error strings. Any error matching these patterns is ignored when calculating the log importance heuristic. (default `[]`)
--include <stringSlice>Spec for which pod's proxy logs to include in the archive. See above for format and examples. (default `[]`)
--istio-namespace <string>Namespace where Istio control plane is installed. (default `istio-system`)
--istioNamespace <string>
--kubeconfig <string> -cKubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)Path to kube config. (default ``)
--namespace <string> Config namespace (default ``)
--selector <string>-llabel selector (default ``)--output <string>-oOne of 'yaml' or 'json'. (default ``)
-

Examples

-
istioctl dashboard envoy productpage-123-456.default
-
-

istioctl dashboard grafana

-

Open Istio's Grafana dashboard

-
istioctl dashboard grafana [flags]
-
- - - - - + + + - - - + - - - - - - - - - - - + - + - + - - - + + +
FlagsShorthandDescription--short-sUse --short=false to generate full version information
--context <string>--start-time <string> The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)Start time for the range of log entries to include in the archive. Default is the infinite past. If set, --duration must be unset. (default ``)
--log_output_level <string>--timeout <duration> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)Maximum amount of time to spend fetching logs. When timeout is reached only the logs captured so far are saved to the archive. (default `30m0s`)
--namespace <string>-nConfig namespace (default ``)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl dashboard grafana
-
-

istioctl dashboard jaeger

-

Open Istio's Jaeger dashboard

-
istioctl dashboard jaeger [flags]
-
+

istioctl completion

+

Generate the autocompletion script for istioctl for the specified shell. +See each sub-command's help for details on how to use the generated script. +

@@ -566,23 +613,31 @@

istioctl dashboard jaeger

- - - - - + + + + +
Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl dashboard jaeger
-
-

istioctl dashboard kiali

-

Open Istio's Kiali dashboard

-
istioctl dashboard kiali [flags]
+

istioctl completion bash

+

Generate the autocompletion script for the bash shell.

+

This script depends on the 'bash-completion' package. +If it is not installed already, you can install it via your OS's package manager.

+

To load completions in your current shell session:

+

source <(istioctl completion bash)

+

To load completions for every new session, execute once:

+

#### Linux:

+

istioctl completion bash > /etc/bash_completion.d/istioctl

+

#### macOS:

+

istioctl completion bash > /usr/local/etc/bash_completion.d/istioctl

+

You will need to start a new shell for this setup to take effect. +

+
istioctl completion bash
 
@@ -609,23 +664,31 @@

istioctl dashboard kiali

- - - - - + + + + + + + + + +
Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl dashboard kiali
-
-

istioctl dashboard prometheus

-

Open Istio's Prometheus dashboard

-
istioctl dashboard prometheus [flags]
+

istioctl completion fish

+

Generate the autocompletion script for the fish shell.

+

To load completions in your current shell session:

+

istioctl completion fish | source

+

To load completions for every new session, execute once:

+

istioctl completion fish > ~/.config/fish/completions/istioctl.fish

+

You will need to start a new shell for this setup to take effect. +

+
istioctl completion fish [flags]
 
@@ -652,23 +715,30 @@

istioctl dashboard prometheus

- - - - - + + + + + + + + + +
Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl dashboard prometheus
-
-

istioctl dashboard zipkin

-

Open Istio's Zipkin dashboard

-
istioctl dashboard zipkin [flags]
+

istioctl completion powershell

+

Generate the autocompletion script for powershell.

+

To load completions in your current shell session:

+

istioctl completion powershell | Out-String | Invoke-Expression

+

To load completions for every new session, add the output of the above command +to your powershell profile. +

+
istioctl completion powershell [flags]
 
@@ -695,23 +765,35 @@

istioctl dashboard zipkin

- - - - - + + + + + + + + + +
Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl dashboard zipkin
-
-

istioctl deregister

-

De-registers a service instance

-
istioctl deregister <svcname> <ip> [flags]
+

istioctl completion zsh

+

Generate the autocompletion script for the zsh shell.

+

If shell completion is not already enabled in your environment you will need +to enable it. You can execute the following once:

+

echo "autoload -U compinit; compinit" >> ~/.zshrc

+

To load completions for every new session, execute once:

+

#### Linux:

+

istioctl completion zsh > "${fpath[1]}/_istioctl"

+

#### macOS:

+

istioctl completion zsh > /usr/local/share/zsh/site-functions/_istioctl

+

You will need to start a new shell for this setup to take effect. +

+
istioctl completion zsh [flags]
 
@@ -738,23 +820,30 @@

istioctl deregister

- - - - - + + + + + + + + + +
Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
# de-register an endpoint 172.17.0.2 from service my-svc:
-istioctl deregister my-svc 172.17.0.2
+

istioctl dashboard

+

Access to Istio web UIs

+
istioctl dashboard [flags]
 
-

istioctl experimental

-

Experimental commands that may be modified or deprecated

+
+
istioctl dash [flags]
+istioctl d [flags]
+
@@ -765,6 +854,16 @@

istioctl experimental

+ + + + + + + + + + @@ -780,24 +879,26 @@

istioctl experimental

- - - - - + + + + + + + + + +
--address <string>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)
--browserWhen --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard.
--context <string> The name of the kubeconfig context to use (default ``) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--port <int>-pLocal port to listen to (default `0`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental add-to-mesh

-

Add workloads into Istio service mesh

-
istioctl experimental add-to-mesh [flags]
+

istioctl dashboard controlz

+

Open the ControlZ web UI for a pod in the Istio control plane

+
istioctl dashboard controlz [<type>/]<name>[.<namespace>] [flags]
 
-
-
istioctl experimental add [flags]
-
@@ -808,11 +909,26 @@

istioctl experimental add-to-mesh

+ + + + + + + + + + + + + + + @@ -823,24 +939,45 @@

istioctl experimental add-to-mesh

Kubernetes configuration file (default ``) - - - - - - + + + + + + + + + + + + + + + +
--address <string>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)
--browserWhen --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard.
--context <string> The name of the kubeconfig context to use (default ``)
--ctrlz_port <int>ControlZ port (default `9876`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -nConfig namespace (default ``)Namespace where the addon is running, if not specified, istio-system would be used (default `istio-system`)
--port <int>-pLocal port to listen to (default `0`)
--selector <string>-lLabel selector (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental add-to-mesh external-service

-

istioctl experimental add-to-mesh external-service create a ServiceEntry and\ -a Service without selector for the specified external service in Istio service mesh. -The typical usage scenario is Mesh Expansion on VMs. -THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. -

-
istioctl experimental add-to-mesh external-service <svcname> <ip>... [name1:]port1 [name2:]port2 ... [flags]
+

Examples

+
  # Open ControlZ web UI for the istiod-123-456.istio-system pod
+  istioctl dashboard controlz istiod-123-456.istio-system
+
+  # Open ControlZ web UI for the istiod-56dd66799-jfdvs pod in a custom namespace
+  istioctl dashboard controlz istiod-123-456 -n custom-ns
+
+  # Open ControlZ web UI for any Istiod pod
+  istioctl dashboard controlz deployment/istiod.istio-system
+
+  # with short syntax
+  istioctl dash controlz pilot-123-456.istio-system
+  istioctl d controlz pilot-123-456.istio-system
+
+
+

istioctl dashboard envoy

+

Open the Envoy admin dashboard for a sidecar

+
istioctl dashboard envoy [<type>/]<name>[.<namespace>] [flags]
 
@@ -852,9 +989,14 @@

istioctl experimenta

- - - + + + + + + + + @@ -872,39 +1014,42 @@

istioctl experimenta

- - - + + + - - - + + + - - - + + + - - - + + +
--annotations <stringSlice>-aList of string annotations to apply if creating a service/endpoint; e.g. -a foo=bar,x=y (default `[]`)--address <string>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)
--browserWhen --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard.
--context <string>Kubernetes configuration file (default ``)
--labels <stringSlice>-lList of labels to apply if creating a service/endpoint; e.g. -l env=prod,vers=2 (default `[]`)--namespace <string>-nNamespace where the addon is running, if not specified, istio-system would be used (default `istio-system`)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)--port <int>-pLocal port to listen to (default `0`)
--namespace <string>-nConfig namespace (default ``)--selector <string>-lLabel selector (default ``)
--serviceaccount <string>-sService account to link to the service (default `default`)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl experimental add-to-mesh external-service vmhttp 172.12.23.125,172.12.23.126\
-http:9080 tcp:8888 -l app=test,version=v1 -a env=stage -s stageAdmin
+

Examples

+
  # Open Envoy dashboard for the productpage-123-456.default pod
+  istioctl dashboard envoy productpage-123-456.default
+
+  # Open Envoy dashboard for one pod under a deployment
+  istioctl dashboard envoy deployment/productpage-v1
+
+  # with short syntax
+  istioctl dash envoy productpage-123-456.default
+  istioctl d envoy productpage-123-456.default
+
 
-

istioctl experimental add-to-mesh service

-

istioctl experimental add-to-mesh service restarts pods with the Istio sidecar. Use 'add-to-mesh' -to test deployments for compatibility with Istio. If your service does not function after -using 'add-to-mesh' you must re-deploy it and troubleshoot it for Istio compatibility. -See https://istio.io/docs/setup/kubernetes/additional-setup/requirements/ -THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. -

-
istioctl experimental add-to-mesh service [flags]
+

istioctl dashboard grafana

+

Open Istio's Grafana dashboard

+
istioctl dashboard grafana [flags]
 
@@ -916,19 +1061,19 @@

istioctl experimental add-to-

- + - + - + - + - + - + @@ -941,38 +1086,32 @@

istioctl experimental add-to-

- - - + + + - - - - - - - - - - - - - + + + - + - +
--context <string>--address <string> The name of the kubeconfig context to use (default ``)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)
--injectConfigFile <string>--browser injection configuration filename. Cannot be used with --injectConfigMapName (default ``)When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard.
--injectConfigMapName <string>--context <string> ConfigMap name for Istio sidecar injection, key should be "config". (default `istio-sidecar-injector`)The name of the kubeconfig context to use (default ``)
--istioNamespace <string>Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)--namespace <string>-nNamespace where the addon is running, if not specified, istio-system would be used (default `istio-system`)
--meshConfigFile <string>mesh configuration filename. Takes precedence over --meshConfigMapName if set (default ``)
--meshConfigMapName <string>ConfigMap name for Istio mesh configuration, key should be "mesh" (default `istio`)
--namespace <string>-nConfig namespace (default ``)--port <int>-pLocal port to listen to (default `0`)
--valuesFile <string>--vklog <Level> injection values configuration filename. (default ``)number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl experimental add-to-mesh service productpage
+

Examples

+
  istioctl dashboard grafana
+
+  # with short syntax
+  istioctl dash grafana
+  istioctl d grafana
 
-

istioctl experimental analyze

-

Analyze Istio configuration and print validation messages (analyze has graduated. Use `istioctl analyze`)

-
istioctl experimental analyze <file>... [flags]
+

istioctl dashboard jaeger

+

Open Istio's Jaeger dashboard

+
istioctl dashboard jaeger [flags]
 
@@ -984,14 +1123,14 @@

istioctl experimental analyze

- + - + - + - + @@ -999,16 +1138,6 @@

istioctl experimental analyze

- - - - - - - - - - @@ -1019,73 +1148,33 @@

istioctl experimental analyze

- - - - - - - - - - - - - - - - + - - - + + + - + - - - - - - - - - - - +
--all-namespaces--address <string> Analyze all namespaces Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)
--color--browser Default true. Disable with '=false' or set $TERM to dumb When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard.
--context <string> The name of the kubeconfig context to use (default ``)
--discovery-d'true' to enable service discovery, 'false' to disable it. Defaults to true if --use-kube is set, false otherwise. Analyzers requiring resources made available by enabling service discovery will be skipped.
--failure-threshold <Level>The severity level of analysis at which to set a non-zero exit code. Valid values: [Info Warn Error] (default `Warn`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--list-analyzers-LList the analyzers available to run. Suppresses normal execution.
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--meshConfigFile <string>Overrides the mesh config values to use for analysis. (default ``)
--namespace <string> -nConfig namespace (default ``)Namespace where the addon is running, if not specified, istio-system would be used (default `istio-system`)
--output <string>-oOutput format: one of [yaml log json] (default `log`)--port <int>-pLocal port to listen to (default `0`)
--output-threshold <Level>--vklog <Level> The severity level of analysis at which to display messages. Valid values: [Info Warn Error] (default `Info`)
--use-kube-kUse live Kubernetes cluster for analysis
--verbose-vEnable verbose output number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-

-# Analyze yaml files
-istioctl analyze a.yaml b.yaml
-
-# Analyze the current live cluster
-istioctl analyze -k
-
-# Analyze the current live cluster, simulating the effect of applying additional yaml files
-istioctl analyze -k a.yaml b.yaml
-
-# Analyze yaml files, overriding service discovery to enabled
-istioctl analyze -d true a.yaml b.yaml services.yaml
-
-# Analyze the current live cluster, overriding service discovery to disabled
-istioctl analyze -k -d false
-
-# List available analyzers
-istioctl analyze -L
+

Examples

+
  istioctl dashboard jaeger
 
+  # with short syntax
+  istioctl dash jaeger
+  istioctl d jaeger
+
+

istioctl dashboard kiali

+

Open Istio's Kiali dashboard

+
istioctl dashboard kiali [flags]
 
-

istioctl experimental authz

-

Commands to inspect and interact with the authorization policies - check - check Envoy config dump for authorization configuration - convert - convert v1alpha1 RBAC policies to v1beta1 authorization policies -

@@ -1096,6 +1185,16 @@

istioctl experimental authz

+ + + + + + + + + + @@ -1111,34 +1210,32 @@

istioctl experimental authz

- - - - - - + + + + + + + + + + +
--address <string>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)
--browserWhen --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard.
--context <string> The name of the kubeconfig context to use (default ``) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -nConfig namespace (default ``)Namespace where the addon is running, if not specified, istio-system would be used (default `istio-system`)
--port <int>-pLocal port to listen to (default `0`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Check Envoy authorization configuration for pod httpbin-88ddbcfdd-nt5jb:
-  istioctl x authz check httpbin-88ddbcfdd-nt5jb
-
-  # Convert the v1alpha1 RBAC policies in the current cluster to v1beta1 authorization policies:
-  istioctl x authz convert > v1beta1-authz.yaml
+

Examples

+
  istioctl dashboard kiali
 
+  # with short syntax
+  istioctl dash kiali
+  istioctl d kiali
 
-

istioctl experimental authz check

-

Check reads the Envoy config dump and checks the filter configuration -related to authorization. For example, it shows whether or not the Envoy is configured -with authorization and the rules used in the authorization.

-

The Envoy config dump could be provided either by pod name or from a config dump file -(the whole output of http://localhost:15000/config_dump of an Envoy instance).

-

THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. -

-
istioctl experimental authz check <pod-name>[.<pod-namespace>] [flags]
+

istioctl dashboard prometheus

+

Open Istio's Prometheus dashboard

+
istioctl dashboard prometheus [flags]
 
@@ -1150,19 +1247,19 @@

istioctl experimental authz check

- - - + + + - + - + - - - + + + @@ -1175,41 +1272,32 @@

istioctl experimental authz check

Kubernetes configuration file (default ``) - - - - - - + + + + + + + + + + +
--all-aShow additional information (e.g. SNI and ALPN) --address <string>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)
--context <string>--browser The name of the kubeconfig context to use (default ``)When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard.
--file <string>-fCheck the Envoy config dump from a file (default ``)--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -nConfig namespace (default ``)Namespace where the addon is running, if not specified, istio-system would be used (default `istio-system`)
--port <int>-pLocal port to listen to (default `0`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Check Envoy authorization configuration for pod httpbin-88ddbcfdd-nt5jb:
-  istioctl x authz check httpbin-88ddbcfdd-nt5jb
+

Examples

+
  istioctl dashboard prometheus
 
-  # Check Envoy authorization configuration from a config dump file:
-  istioctl x authz check -f httpbin_config_dump.json
+  # with short syntax
+  istioctl dash prometheus
+  istioctl d prometheus
 
-

istioctl experimental authz convert

-

Convert Istio v1alpha1 RBAC policy to v1beta1 authorization policy. The command talks to Kubernetes -API server to get all the information needed to complete the conversion, including the v1alpha1 RBAC policies in the current -cluster, the Istio config-map for root namespace configuration and the k8s Service translating the -service name to workload selector.

-

The tool can also be used in offline mode without talking to the Kubernetes API server. In this mode, -all needed information is provided through the command line.

-

Note: The converter tool makes a best effort attempt to keep the syntax unchanged when -converting v1alph1 RBAC policy to v1beta1 policy. However, in some cases, strict -mapping with equivalent syntax is not possible (e.g., constraints no longer valid -in the new workload oriented model, converting a service name containing a wildcard -to workload selector).

-

Please always review the converted policies, and remove the "===PLEASE REVIEW THE GENERATED POLICY AND REMOVE THIS LINE BEFORE APPLYING IT===" -string on top of the converted policies before apply them.

-

THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. -

-
istioctl experimental authz convert [flags]
+

istioctl dashboard skywalking

+

Open the Istio dashboard in the SkyWalking UI

+
istioctl dashboard skywalking [flags]
 
@@ -1221,14 +1309,19 @@

istioctl experimental authz convert

- + - + - - - + + + + + + + + @@ -1241,44 +1334,32 @@

istioctl experimental authz convert

- - - + + + - - - + + + - + - - - - - - - - - - - +
--context <string>--address <string> The name of the kubeconfig context to use (default ``)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)
--file <stringSlice>-fv1alpha1 RBAC policy that needs to be converted to v1beta1 authorization policy (default `[]`)--browserWhen --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard.
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)--namespace <string>-nNamespace where the addon is running, if not specified, istio-system would be used (default `istio-system`)
--meshConfigFile <string>-mIstio MeshConfig file that provides the root namespace value (default ``)--port <int>-pLocal port to listen to (default `0`)
--meshConfigMapName <string>--vklog <Level> ConfigMap name for Istio mesh configuration (default `istio`)
--namespace <string>-nConfig namespace (default ``)
--service <stringSlice>-sKubernetes Service resource that provides the mapping between service and workload (default `[]`)number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Convert the v1alpha1 RBAC policy in the current cluster:
-  istioctl x authz convert > v1beta1-authz.yaml
-
-  # Convert the v1alpha1 RBAC policy provided through command line: 
-  istioctl x authz convert -f v1alpha1-policy-1.yaml,v1alpha1-policy-2.yaml
-  --service services.yaml --meshConfigFile meshConfig.yaml > v1beta1-authz.yaml
+

Examples

+
  istioctl dashboard skywalking
 
+  # with short syntax
+  istioctl dash skywalking
+  istioctl d skywalking
 
-

istioctl experimental convert-ingress

-

(convert-ingress has graduated. Use `istioctl convert-ingress`)

-
istioctl experimental convert-ingress [flags]
+

istioctl dashboard zipkin

+

Open Istio's Zipkin dashboard

+
istioctl dashboard zipkin [flags]
 
@@ -1290,6 +1371,16 @@

istioctl experimental convert-ing

+ + + + + + + + + + @@ -1305,21 +1396,31 @@

istioctl experimental convert-ing

- - - - - - + + + + + + + + + + +
--address <string>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)
--browserWhen --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard.
--context <string> The name of the kubeconfig context to use (default ``)Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -nConfig namespace (default ``)Namespace where the addon is running, if not specified, istio-system would be used (default `istio-system`)
--port <int>-pLocal port to listen to (default `0`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental create-remote-secret

-

Create a secret with credentials to allow Istio to access remote Kubernetes apiservers

-
istioctl experimental create-remote-secret <cluster-name> [flags]
+

Examples

+
  istioctl dashboard zipkin
+
+  # with short syntax
+  istioctl dash zipkin
+  istioctl d zipkin
 
+

istioctl experimental

+

Experimental commands that may be modified or deprecated

@@ -1330,21 +1431,6 @@

istioctl experimental create

- - - - - - - - - - - - - - - @@ -1360,41 +1446,27 @@

istioctl experimental create

- - - - - - + - +
--auth-plugin-config <stringToString>authenticator plug-in configuration. --auth-type=plugin must be set with this option (default `[]`)
--auth-plugin-name <string>authenticator plug-in name. --auth-type=plugin must be set with this option (default ``)
--auth-type <RemoteSecretAuthType>type of authentication to use. supported values = [bearer-token plugin] (default `bearer-token`)
--context <string> The name of the kubeconfig context to use (default ``)Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--service-account <string>--vklog <Level> create a secret with this service account's credentials. (default `istio-reader-service-account`)number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-

-# Create a secret to access cluster c0's apiserver and install it in cluster c1.
-istioctl --Kubeconfig=c0.yaml x create-remote-secret \
-    | kubectl -n istio-system --Kubeconfig=c1.yaml apply -f -
-
-# Delete a secret that was previously installed in c1
-istioctl --Kubeconfig=c0.yaml x create-remote-secret \
-    | kubectl -n istio-system --Kubeconfig=c1.yaml delete -f -
-
-# Create a secret  access a remote cluster with an auth plugin
-istioctl --Kubeconfig=c0.yaml x create-remote-secret --auth-type=plugin --auth-plugin-name=gcp \
-    | kubectl -n istio-system --Kubeconfig=c1.yaml apply -f -
-
-
-

istioctl experimental dashboard

-

(dashboard has graduated. Use `istioctl dashboard`)

-
istioctl experimental dashboard [flags]
+

istioctl experimental add-to-mesh

+

'istioctl experimental add-to-mesh' restarts pods with an Istio sidecar or configures meshed pod access to external services. +Use 'add-to-mesh' as an alternate to namespace-wide auto injection for troubleshooting compatibility.

+

The 'remove-from-mesh' command can be used to restart with the sidecar removed.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental add-to-mesh [flags]
 
+
+
istioctl experimental add [flags]
+
@@ -1410,6 +1482,16 @@

istioctl experimental dashboard

+ + + + + + + + + + @@ -1420,23 +1502,58 @@

istioctl experimental dashboard

- + + + + + + - + + + + + + + + + + +
The name of the kubeconfig context to use (default ``)
--injectConfigFile <string>Injection configuration filename. Cannot be used with --injectConfigMapName (default ``)
--injectConfigMapName <string>ConfigMap name for Istio sidecar injection, key should be "config". (default `istio-sidecar-injector`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>--meshConfigFile <string>Mesh configuration filename. Takes precedence over --meshConfigMapName if set (default ``)
--meshConfigMapName <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)ConfigMap name for Istio mesh configuration, key should be "mesh" (default `istio`)
--namespace <string> -n Config namespace (default ``)
--valuesFile <string>Injection values configuration filename. (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental describe

-

Describe resource and related Istio configuration

-
istioctl experimental describe [flags]
+

Examples

+
  # Restart all productpage pods with an Istio sidecar
+  istioctl experimental add-to-mesh service productpage
+
+  # Restart just pods from the productpage-v1 deployment
+  istioctl experimental add-to-mesh deployment productpage-v1
+
+  # Restart just pods from the details-v1 deployment
+  istioctl x add deployment details-v1
+
+  # Control how meshed pods see an external service
+  istioctl experimental add-to-mesh external-service vmhttp 172.12.23.125,172.12.23.126 \
+   http:9080 tcp:8888 --labels app=test,version=v1 --annotations env=stage --serviceaccount stageAdmin
+
+

istioctl experimental add-to-mesh deployment

+

'istioctl experimental add-to-mesh deployment' restarts pods with the Istio sidecar. Use 'add-to-mesh' +to test deployments for compatibility with Istio. It can be used instead of namespace-wide auto-injection of sidecars and is especially helpful for compatibility testing.

+

If your deployment does not function after using 'add-to-mesh' you must re-deploy it and troubleshoot it for Istio compatibility. +See https://istio.io/v1.14/docs/ops/deployment/requirements/

+

See also 'istioctl experimental remove-from-mesh deployment' which does the reverse.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental add-to-mesh deployment <deployment> [flags]
 
-
istioctl experimental des [flags]
+
istioctl experimental add-to-mesh deploy <deployment> [flags]
+istioctl experimental add-to-mesh dep <deployment> [flags]
 
@@ -1453,6 +1570,16 @@

istioctl experimental describe

+ + + + + + + + + + @@ -1463,24 +1590,58 @@

istioctl experimental describe

- + + + + + + - + - -
The name of the kubeconfig context to use (default ``)
--injectConfigFile <string>Injection configuration filename. Cannot be used with --injectConfigMapName (default ``)
--injectConfigMapName <string>ConfigMap name for Istio sidecar injection, key should be "config". (default `istio-sidecar-injector`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>--meshConfigFile <string>Mesh configuration filename. Takes precedence over --meshConfigMapName if set (default ``)
--meshConfigMapName <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)ConfigMap name for Istio mesh configuration, key should be "mesh" (default `istio`)
--namespace <string> -n Config namespace (default ``)
-

istioctl experimental describe pod

-

Analyzes pod, its Services, DestinationRules, and VirtualServices and reports -the configuration objects that affect that pod.

-

THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. -

-
istioctl experimental describe pod <pod> [flags]
+
+--revision <string>
+-r
+Control plane revision  (default ``)
+
+
+--valuesFile <string>
+
+Injection values configuration filename.  (default ``)
+
+
+--vklog <Level>
+
+number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
+
+
+
+

Examples

+
  # Restart pods from the productpage-v1 deployment with Istio sidecar
+  istioctl experimental add-to-mesh deployment productpage-v1
+
+  # Restart pods from the details-v1 deployment with Istio sidecar
+  istioctl x add-to-mesh deploy details-v1
+
+  # Restart pods from the ratings-v1 deployment with Istio sidecar
+  istioctl x add dep ratings-v1
+
+

istioctl experimental add-to-mesh external-service

+

istioctl experimental add-to-mesh external-service create a ServiceEntry and +a Service without selector for the specified external service in Istio service mesh. +The typical usage scenario is Mesh Expansion on VMs.

+

See also 'istioctl experimental remove-from-mesh external-service' which does the reverse.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental add-to-mesh external-service <svcname> <ip> [name1:]port1 [[name2:]port2] ... [flags]
 
+
+
istioctl experimental add-to-mesh es <svcname> <ip> [name1:]port1 [[name2:]port2] ... [flags]
+
@@ -1491,14 +1652,24 @@

istioctl experimental describe pod

+ + + + + - + - + + + + + + @@ -1511,29 +1682,58 @@

istioctl experimental describe podKubernetes configuration file (default ``)

- + + + + + + + + + + + - + + + + + + + + + + + + + + + +
--annotations <stringSlice>-aList of string annotations to apply if creating a service/endpoint; e.g. -a foo=bar,x=y (default `[]`)
--context <string> The name of the kubeconfig context to use (default ``)
--ignoreUnmeshed--injectConfigFile <string> Suppress warnings for unmeshed pods Injection configuration filename. Cannot be used with --injectConfigMapName (default ``)
--injectConfigMapName <string>ConfigMap name for Istio sidecar injection, key should be "config". (default `istio-sidecar-injector`)
--istioNamespace <string>
--log_output_level <string>--labels <stringSlice>-lList of labels to apply if creating a service/endpoint; e.g. -l env=prod,vers=2 (default `[]`)
--meshConfigFile <string>Mesh configuration filename. Takes precedence over --meshConfigMapName if set (default ``)
--meshConfigMapName <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)ConfigMap name for Istio mesh configuration, key should be "mesh" (default `istio`)
--namespace <string> -n Config namespace (default ``)
--serviceaccount <string>-sService account to link to the service (default `default`)
--valuesFile <string>Injection values configuration filename. (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl experimental describe pod productpage-v1-c7765c886-7zzd4
+

Examples

+
 # Control how meshed pods contact 172.12.23.125 and .126
+  istioctl experimental add-to-mesh external-service vmhttp 172.12.23.125,172.12.23.126 \
+   http:9080 tcp:8888 --labels app=test,version=v1 --annotations env=stage --serviceaccount stageAdmin
 
-

istioctl experimental describe service

-

Analyzes service, pods, DestinationRules, and VirtualServices and reports -the configuration objects that affect that service.

-

THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. -

-
istioctl experimental describe service <svc> [flags]
+

istioctl experimental add-to-mesh service

+

istioctl experimental add-to-mesh service restarts pods with the Istio sidecar. Use 'add-to-mesh' +to test deployments for compatibility with Istio. It can be used instead of namespace-wide auto-injection of sidecars and is especially helpful for compatibility testing.

+

If your service does not function after using 'add-to-mesh' you must re-deploy it and troubleshoot it for Istio compatibility. +See https://istio.io/v1.14/docs/ops/deployment/requirements/

+

See also 'istioctl experimental remove-from-mesh service' which does the reverse.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental add-to-mesh service <service> [flags]
 
-
istioctl experimental describe svc <svc> [flags]
+
istioctl experimental add-to-mesh svc <service> [flags]
 
@@ -1550,9 +1750,14 @@

istioctl experimental describe s

- + - + + + + + + @@ -1565,27 +1770,50 @@

istioctl experimental describe s

- + + + + + + - + + + + + + + + + + + + + + + +
The name of the kubeconfig context to use (default ``)
--ignoreUnmeshed--injectConfigFile <string> Suppress warnings for unmeshed pods Injection configuration filename. Cannot be used with --injectConfigMapName (default ``)
--injectConfigMapName <string>ConfigMap name for Istio sidecar injection, key should be "config". (default `istio-sidecar-injector`)
--istioNamespace <string>Kubernetes configuration file (default ``)
--log_output_level <string>--meshConfigFile <string>Mesh configuration filename. Takes precedence over --meshConfigMapName if set (default ``)
--meshConfigMapName <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)ConfigMap name for Istio mesh configuration, key should be "mesh" (default `istio`)
--namespace <string> -n Config namespace (default ``)
--revision <string>-rControl plane revision (default ``)
--valuesFile <string>Injection values configuration filename. (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl experimental describe service productpage
+

Examples

+
  # Restart all productpage pods with an Istio sidecar
+  istioctl experimental add-to-mesh service productpage
+
+  # Restart all details-v1 pods with an Istio sidecar
+  istioctl x add-to-mesh svc details-v1
+
+  # Restart all ratings-v1 pods with an Istio sidecar
+  istioctl x add svc ratings-v1
 
-

istioctl experimental kube-uninject

-

-

kube-uninject is used to prevent Istio from adding a sidecar and -also provides the inverse of "istioctl kube-inject -f".

+

istioctl experimental authz

-
istioctl experimental kube-uninject [flags]
-
+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

@@ -1601,11 +1829,6 @@

istioctl experimental kube-uninject

- - - - - @@ -1616,52 +1839,25 @@

istioctl experimental kube-uninject

- - - - - - - - + + +
The name of the kubeconfig context to use (default ``)
--filename <string>-fInput Kubernetes resource filename (default ``)
--istioNamespace <string> -i Istio system namespace (default `istio-system`)Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--output <string>-oModified output Kubernetes resource filename (default ``)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-

-# Update resources before applying.
-kubectl apply -f <(istioctl experimental kube-uninject -f <resource.yaml>)
-
-# Create a persistent version of the deployment by removing Envoy sidecar.
-istioctl experimental kube-uninject -f deployment.yaml -o deployment-uninjected.yaml
-
-# Update an existing deployment.
-kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kubectl apply -f -
-
-
-

istioctl experimental metrics

-

-Prints the metrics for the specified service(s) when running in Kubernetes.

-

This command finds a Prometheus pod running in the specified istio system -namespace. It then executes a series of queries per requested workload to -find the following top-level workload metrics: total requests per second, -error rate, and request latency at p50, p90, and p99 percentiles. The -query results are printed to the console, organized by workload name.

-

All metrics returned are from server-side reports. This means that latencies -and error rates are from the perspective of the service itself and not of an -individual client (or aggregate set of clients). Rates and latencies are -calculated over a time interval of 1 minute. -

-
istioctl experimental metrics <workload name>...
+

istioctl experimental authz check

+

Check prints the AuthorizationPolicy applied to a pod by directly checking +the Envoy configuration of the pod. The command is especially useful for inspecting +the policy propagation from Istiod to Envoy and the final AuthorizationPolicy list merged +from multiple sources (mesh-level, namespace-level and workload-level).

+

The command also supports reading from a standalone config dump file with flag -f.

+
istioctl experimental authz check [<type>/]<name>[.<namespace>] [flags]
 
-
-
istioctl experimental m <workload name>...
-
@@ -1677,6 +1873,11 @@

istioctl experimental metrics

+ + + + + @@ -1687,28 +1888,29 @@

istioctl experimental metrics

- - - - - + + + + +
The name of the kubeconfig context to use (default ``)
--file <string>-fThe json file with Envoy config dump to be checked (default ``)
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-

-# Retrieve workload metrics for productpage-v1 workload
-istioctl experimental metrics productpage-v1
+

Examples

+
  # Check AuthorizationPolicy applied to pod httpbin-88ddbcfdd-nt5jb:
+  istioctl x authz check httpbin-88ddbcfdd-nt5jb
 
-# Retrieve workload metrics for various services in the different namespaces
-istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
+  # Check AuthorizationPolicy applied to one pod under a deployment
+  istioctl x authz check deployment/productpage-v1
 
+  # Check AuthorizationPolicy from Envoy config dump file:
+  istioctl x authz check -f httpbin_config_dump.json
 
-

istioctl experimental multicluster

-

Commands to assist in managing a multi-cluster mesh

+

istioctl experimental config

+

Configure istioctl defaults

@@ -1734,20 +1936,24 @@

istioctl experimental multiclusterKubernetes configuration file (default ``)

- - - - - + + + + +
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental multicluster apply

-

Update clusters in a multi-cluster mesh based on mesh topology

-
istioctl experimental multicluster apply  -f <mesh.yaml> [flags]
+

Examples

+
  # list configuration parameters
+  istioctl config list
+
+

istioctl experimental config list

+

List istio configurable defaults

+
istioctl experimental config list [flags]
 
@@ -1764,11 +1970,6 @@

istioctl experimental multiclu

- - - - - @@ -1779,20 +1980,20 @@

istioctl experimental multiclu

- - - - - + + + + +
The name of the kubeconfig context to use (default ``)
--filename <string>-ffilename of the multicluster mesh description (default ``)
--istioNamespace <string> -i Istio system namespace (default `istio-system`)Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental multicluster describe

-

Describe status of the multi-cluster mesh's control plane'

-
istioctl experimental multicluster describe -f <mesh.yaml> [--all] [flags]
+

istioctl experimental create-remote-secret

+

Create a secret with credentials to allow Istio to access remote Kubernetes apiservers

+
istioctl experimental create-remote-secret [flags]
 
@@ -1804,9 +2005,19 @@

istioctl experimental multi

- + + + + + + + + + + + - + @@ -1814,9 +2025,9 @@

istioctl experimental multi

- - - + + + @@ -1829,21 +2040,70 @@

istioctl experimental multi

- + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + +
--all--auth-plugin-config <stringToString>Authenticator plug-in configuration. --auth-type=plugin must be set with this option (default `[]`)
--auth-plugin-name <string>Authenticator plug-in name. --auth-type=plugin must be set with this option (default ``)
--auth-type <RemoteSecretAuthType> describe the status of all clustersByContext in the mesh Type of authentication to use. supported values = [bearer-token plugin] (default `bearer-token`)
--context <string>The name of the kubeconfig context to use (default ``)
--filename <string>-ffilename of the multicluster mesh description (default ``)--create-service-accountIf true, the service account needed for creating the remote secret will be created if it doesn't exist.
--istioNamespace <string>Kubernetes configuration file (default ``)
--log_output_level <string>--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--name <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)Name of the local cluster whose credentials are stored in the secret. If a name is not specified the kube-system namespace's UUID of the local cluster will be used. (default ``)
--namespace <string> -n Config namespace (default ``)
--secret-name <string>The name of the specific secret to use from the service-account. Needed when there are multiple secrets in the service account. (default ``)
--server <string>The address and port of the Kubernetes API server. (default ``)
--service-account <string>Create a secret with this service account's credentials. Default value is "istio-reader-service-account" if --type is "remote", "istiod" if --type is "config". (default ``)
--type <SecretType>Type of the generated secret. supported values = [remote config] (default `remote`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental multicluster generate

-

generate a cluster-specific control plane configuration based on the mesh description and runtime state

-
istioctl experimental multicluster generate -f <mesh.yaml> [flags]
+

Examples

+
  # Create a secret to access cluster c0's apiserver and install it in cluster c1.
+  istioctl --kubeconfig=c0.yaml x create-remote-secret --name c0 \
+    | kubectl --kubeconfig=c1.yaml apply -f -
+
+  # Delete a secret that was previously installed in c1
+  istioctl --kubeconfig=c0.yaml x create-remote-secret --name c0 \
+    | kubectl --kubeconfig=c1.yaml delete -f -
+
+  # Create a secret access a remote cluster with an auth plugin
+  istioctl --kubeconfig=c0.yaml x create-remote-secret --name c0 --auth-type=plugin --auth-plugin-name=gcp \
+    | kubectl --kubeconfig=c1.yaml apply -f -
 
+

istioctl experimental describe

+

Describe resource and related Istio configuration

+
istioctl experimental describe [flags]
+
+
+
istioctl experimental des [flags]
+
@@ -1859,16 +2119,6 @@

istioctl experimental multi

- - - - - - - - - - @@ -1879,24 +2129,26 @@

istioctl experimental multi

- - - - - - + - +
The name of the kubeconfig context to use (default ``)
--filename <string>-ffilename of the multicluster mesh description (default ``)
--from <string>optional source configuration to generate multicluster aware configuration from (default ``)
--istioNamespace <string> -i Istio system namespace (default `istio-system`)Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--wait-for-gateways--vklog <Level> wait for all cluster's istio-ingressgateway IPs to be ready before generating configuration. number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental post-install

-

Commands related to post-install

+

istioctl experimental describe pod

+

Analyzes pod, its Services, DestinationRules, and VirtualServices and reports +the configuration objects that affect that pod.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental describe pod <pod> [flags]
+
+
+
istioctl experimental describe po <pod> [flags]
+
@@ -1912,6 +2164,11 @@

istioctl experimental post-installThe name of the kubeconfig context to use (default ``)

+ + + + + @@ -1922,19 +2179,29 @@

istioctl experimental post-installKubernetes configuration file (default ``)

- - - - - + + + + +
--ignoreUnmeshedSuppress warnings for unmeshed pods
--istioNamespace <string> -i Istio system namespace (default `istio-system`)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental post-install webhook

-

webhook command to manage webhook configurations

+

Examples

+
  istioctl experimental describe pod productpage-v1-c7765c886-7zzd4
+
+

istioctl experimental describe service

+

Analyzes service, pods, DestinationRules, and VirtualServices and reports +the configuration objects that affect that service.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental describe service <svc> [flags]
+
+
+
istioctl experimental describe svc <svc> [flags]
+
@@ -1950,6 +2217,11 @@

istioctl experimental post-i

+ + + + + @@ -1960,21 +2232,27 @@

istioctl experimental post-i

- - - - - + + + + +
The name of the kubeconfig context to use (default ``)
--ignoreUnmeshedSuppress warnings for unmeshed pods
--istioNamespace <string> -i Istio system namespace (default `istio-system`)Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental post-install webhook disable

-

Disable webhook configurations

-
istioctl experimental post-install webhook disable [flags]
+

Examples

+
  istioctl experimental describe service productpage
+
+

istioctl experimental envoy-stats

+

Retrieve Envoy emitted metrics for the specified pod.

+
istioctl experimental envoy-stats [<type>/]<name>[.<namespace>] [flags]
 
+
+
istioctl experimental es [<type>/]<name>[.<namespace>] [flags]
+
@@ -1990,16 +2268,6 @@

istioctl experimenta

- - - - - - - - - - @@ -2010,41 +2278,41 @@

istioctl experimenta

- - - - - - - - + + + - + + + + + + - +
The name of the kubeconfig context to use (default ``)
--injectionDisable mutating webhook (default true).
--injection-config <string>The mutating webhook configuration to disable. (default `istio-sidecar-injector`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`)Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--validationDisable validating webhook (default true). --output <string>-oOutput format: one of json|yaml|prom (default `short`)
--validation-config <string>--type <string>-tWhere to grab the stats: one of server|clusters (default `server`)
--vklog <Level> The validating webhook configuration to disable. (default `istio-galley`)number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-

-# Disable all webhooks
-istioctl experimental post-install webhook disable
+

Examples

+
  # Retrieve Envoy emitted metrics for the specified pod.
+  istioctl experimental envoy-stats <pod-name[.namespace]>
+
+  # Retrieve Envoy server metrics in prometheus format
+  istioctl experimental envoy-stats <pod-name[.namespace]> --output prom
 
-# Disable all webhooks except injection
-istioctl experimental post-install webhook disable --injection=false
+  # Retrieve Envoy cluster metrics
+  istioctl experimental envoy-stats <pod-name[.namespace]> --type clusters
 
 
-

istioctl experimental post-install webhook enable

-

This command is used to enable webhook configurations after installing Istio. -For previous Istio versions (e.g., 1.2, 1.3, etc), this command is not needed -because in previous versions webhooks manage their own configurations.

-
istioctl experimental post-install webhook enable [flags]
+

istioctl experimental injector

+

List sidecar injector and sidecar versions

+
istioctl experimental injector [flags]
 
@@ -2056,31 +2324,11 @@

istioctl experimental

- - - - - - - - - - - - - - - - - - - - @@ -2091,61 +2339,70 @@

istioctl experimental

- - - - - - + - + + +
--ca-bundle-file <string>PEM encoded CA bundle which will be used to validate the webhook's server certificates. If this is empty, the kube-apisever's root CA is used if it can be confirmed to have signed the webhook's certificates. This condition is sometimes true but is not guaranteed (see https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping) (default ``)
--context <string> The name of the kubeconfig context to use (default ``)
--injectionEnable injection webhook (default true).
--injection-path <string>The file path of the injection webhook configuration. (default ``)
--injection-service <string>The service name of the injection webhook to manage. (default `istio-sidecar-injector`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`)Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--read-cert-timeout <duration>--vklog <Level> Max time for waiting the webhook certificate to be readable. (default `1m0s`)number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  istioctl experimental injector list
+
+

istioctl experimental injector list

+

List sidecar injector and sidecar versions

+
istioctl experimental injector list [flags]
+
+ + - - - + + + + + - + - + - - - + + + - - - + + + + + + + + - + - +
--timeout <duration> Max time for checking the validating webhook server. If the validating webhook server is not readyin the given time, exit. Otherwise, apply the webhook configuration. (default `1m0s`)FlagsShorthandDescription
--validation--context <string> Enable validatation webhook (default true). The name of the kubeconfig context to use (default ``)
--validation-path <string>The file path of the validation webhook configuration. (default ``)--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--validation-service <string>The service name of the validation webhook to manage. (default `istio-galley`)--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--webhook-secret <string>--vklog <Level> The name of an existing Kubernetes secret of a webhook. istioctl will verify that the webhook certificate is issued by the CA certificate. (default ``)number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-

-# Enable the webhook configuration of Galley with the given webhook configuration
-istioctl experimental post-install webhook enable --validation --webhook-secret istio.webhook.galley 
-    --namespace istio-system --validation-path validatingwebhookconfiguration.yaml
-
-# Enable the webhook configuration of Galley with the given webhook configuration and CA certificate
-istioctl experimental post-install webhook enable --validation --webhook-secret istio.webhook.galley 
-    --namespace istio-system --validation-path validatingwebhookconfiguration.yaml --ca-bundle-file ./k8s-ca-cert.pem
-
+

Examples

+
  istioctl experimental injector list
 
-

istioctl experimental post-install webhook status

-

Get webhook configurations

-
istioctl experimental post-install webhook status [flags]
+

istioctl experimental internal-debug

+

+Retrieves the debug information from Istiod or Pods in the mesh using the service account from the pod if --cert-dir is empty. +By default it will use the default serviceAccount from (istio-system) namespace if the pod is not specified.

+

+THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental internal-debug [<type>/]<name>[.<namespace>] [flags]
 
@@ -2157,19 +2414,29 @@

istioctl experimental

- + - + + + + + + + + + + + - + - + - + - + @@ -2182,43 +2449,80 @@

istioctl experimental

- - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + - + - + - +
--context <string>--all The name of the kubeconfig context to use (default ``)Send the same request to all instances of Istiod. Only applicable for in-cluster deployment.
--authority <string>XDS Subject Alternative Name (for example istiod.istio-system.svc) (default ``)
--cert-dir <string>XDS Endpoint certificate directory (default ``)
--injection--context <string> Display the injection webhook configuration. The name of the kubeconfig context to use (default ``)
--injection-config <string>--insecure The name of the MutatingWebhookConfiguration to display. (default `istio-sidecar-injector`)Skip server certificate and domain verification. (NOT SECURE!)
--istioNamespace <string>Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--validation--plaintextUse plain-text HTTP/2 when connecting to server (no TLS).
--revision <string>-rControl plane revision (default ``)
--timeout <duration>The duration to wait before failing (default `30s`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--xds-address <string>XDS Endpoint (default ``)
--xds-label <string> Display the validating webhook configuration. Istiod pod label selector (default ``)
--validation-config <string>--xds-port <int> The name of the ValidatingWebhookConfiguration to display. (default `istio-galley`)Istiod pod port (default `15012`)
-

Examples

-

-# Display the webhook configuration of Galley
-istioctl experimental post-install webhook status --validation --validation-config istio-galley
-# Display the webhook configuration of Galley and Sidecar Injector
-istioctl experimental post-install webhook status --validation --validation-config istio-galley 
-  --injection --injection-config istio-sidecar-injector
+

Examples

+
  # Retrieve sync status for all Envoys in a mesh
+  istioctl x internal-debug syncz
+
+  # Retrieve sync diff for a single Envoy and Istiod
+  istioctl x internal-debug syncz istio-egressgateway-59585c5b9c-ndc59.istio-system
+
+  # SECURITY OPTIONS
+
+  # Retrieve syncz debug information directly from the control plane, using token security
+  # (This is the usual way to get the debug information with an out-of-cluster control plane.)
+  istioctl x internal-debug syncz --xds-address istio.cloudprovider.example.com:15012
+
+  # Retrieve syncz debug information via Kubernetes config, using token security
+  # (This is the usual way to get the debug information with an in-cluster control plane.)
+  istioctl x internal-debug syncz
+
+  # Retrieve syncz debug information directly from the control plane, using RSA certificate security
+  # (Certificates must be obtained before this step.  The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
+  istioctl x internal-debug syncz --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
+
+  # Retrieve syncz information via XDS from specific control plane in multi-control plane in-cluster configuration
+  # (Select a specific control plane in an in-cluster canary Istio configuration.)
+  istioctl x internal-debug syncz --xds-label istio.io/rev=default
 
 
-

istioctl experimental remove-from-mesh

-

Remove workloads from Istio service mesh

-
istioctl experimental remove-from-mesh [flags]
+

istioctl experimental kube-uninject

+

+kube-uninject is used to prevent Istio from adding a sidecar and +also provides the inverse of "istioctl kube-inject -f". +

+
istioctl experimental kube-uninject [flags]
 
-
-
istioctl experimental rm [flags]
-
@@ -2234,6 +2538,11 @@

istioctl experimental remove-fro

+ + + + + @@ -2244,25 +2553,50 @@

istioctl experimental remove-fro

- - - - - + + + + + + + + + +
The name of the kubeconfig context to use (default ``)
--filename <string>-fInput Kubernetes resource filename (default ``)
--istioNamespace <string> -i Istio system namespace (default `istio-system`)Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--output <string>-oModified output Kubernetes resource filename (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl experimental remove-from-mesh external-service

-

istioctl experimental remove-from-mesh external-service remove the ServiceEntry and\ -the kubernetes Service for the specified external service(eg:services running on VM) from Istio service mesh. -The typical usage scenario is Mesh Expansion on VMs. -THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. +

Examples

+
  # Update resources before applying.
+  kubectl apply -f <(istioctl experimental kube-uninject -f <resource.yaml>)
+
+  # Create a persistent version of the deployment by removing Envoy sidecar.
+  istioctl experimental kube-uninject -f deployment.yaml -o deployment-uninjected.yaml
+
+  # Update an existing deployment.
+  kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kubectl apply -f -
+
+

istioctl experimental metrics

+

+Prints the metrics for the specified service(s) when running in Kubernetes.

+

This command finds a Prometheus pod running in the specified istio system +namespace. It then executes a series of queries per requested workload to +find the following top-level workload metrics: total requests per second, +error rate, and request latency at p50, p90, and p99 percentiles. The +query results are printed to the console, organized by workload name.

+

All metrics returned are from server-side reports. This means that latencies +and error rates are from the perspective of the service itself and not of an +individual client (or aggregate set of clients). Rates and latencies are +calculated over a time interval of 1 minute.

-
istioctl experimental remove-from-mesh external-service <svcname> [flags]
+
istioctl experimental metrics <workload name>...
 
+
+
istioctl experimental m <workload name>...
+
@@ -2278,6 +2612,11 @@

istioctl experi

+ + + + + @@ -2288,25 +2627,30 @@

istioctl experi

- - - - - + + + + +
The name of the kubeconfig context to use (default ``)
--duration <duration>-dDuration of query metrics, default value is 1m. (default `1m0s`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`)Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl experimental remove-from-mesh external-service vmhttp
+

Examples

+
  # Retrieve workload metrics for productpage-v1 workload
+  istioctl experimental metrics productpage-v1
+
+  # Retrieve workload metrics for various services with custom duration
+  istioctl experimental metrics productpage-v1 -d 2m
+
+  # Retrieve workload metrics for various services in the different namespaces
+  istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
 
-

istioctl experimental remove-from-mesh service

-

istioctl experimental remove-from-mesh service restarts pods with the Istio sidecar un-injected. -THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. -

-
istioctl experimental remove-from-mesh service [flags]
+

istioctl experimental precheck

+

precheck inspects a Kubernetes cluster for Istio install and upgrade requirements.

+
istioctl experimental precheck [flags]
 
@@ -2333,24 +2677,43 @@

istioctl experimental re

- - - - - + + + + + + + + + + + + + + +
Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--revision <string>-rControl plane revision (default ``)
--skip-controlplaneskip checking the control plane
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
istioctl experimental remove-from-mesh service productpage
+

Examples

+
  # Verify that Istio can be installed or upgraded
+  istioctl x precheck
+
+  # Check only a single namespace
+  istioctl x precheck --namespace default
 
-

istioctl experimental upgrade

-

The upgrade command checks for upgrade version eligibility and, if eligible, upgrades the Istio control plane components in-place. Warning: traffic may be disrupted during upgrade. Please ensure PodDisruptionBudgets are defined to maintain service continuity.

-
istioctl experimental upgrade [flags]
+

istioctl experimental proxy-status

+

+Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in the mesh +

+
istioctl experimental proxy-status [<type>/]<name>[.<namespace>] [flags]
 
+
+
istioctl experimental ps [<type>/]<name>[.<namespace>] [flags]
+
@@ -2361,24 +2724,29 @@

istioctl experimental upgrade

- + - + - + - + - + + + + + + - + - + - + @@ -2391,45 +2759,76 @@

istioctl experimental upgrade

- - - + + + - + - + - - - + + + - + - + - + - + + + + + + - - - + + + - - - + + +
--context <string>--authority <string> The name of the kubeconfig context to use (default ``)XDS Subject Alternative Name (for example istiod.istio-system.svc) (default ``)
--dry-run--cert-dir <string> Console/log output only, make no changes. XDS Endpoint certificate directory (default ``)
--filename <string>--context <string>The name of the kubeconfig context to use (default ``)
--file <string> -fPath to file containing IstioControlPlane CustomResource (default ``)Envoy config dump JSON file (default ``)
--force--insecure Apply the upgrade without eligibility checks and testing for changes in profile default values Skip server certificate and domain verification. (NOT SECURE!)
--istioNamespace <string> Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)--namespace <string>-nConfig namespace (default ``)
--logtostderr--plaintext Send logs to stderr. Use plain-text HTTP/2 when connecting to server (no TLS).
--namespace <string>-nConfig namespace (default ``)--revision <string>-rControl plane revision (default ``)
--skip-confirmation--timeout <duration> If skip-confirmation is set, skips the prompting confirmation for value changes in this upgrade The duration to wait before failing (default `30s`)
--verbose--vklog <Level> Verbose output. number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--xds-address <string>XDS Endpoint (default ``)
--versionsURI <string>-uURI for operator versions to Istio versions map (default `https://raw.githubusercontent.com/istio/operator/master/data/versions.yaml`)--xds-label <string>Istiod pod label selector (default ``)
--wait-wWait, if set will wait until all Pods, Services, and minimum number of Pods of a Deployment are in a ready state before the command exits. It will wait for a maximum duration of 10m0s --xds-port <int>Istiod pod port (default `15012`)
-

istioctl experimental wait

-

Waits for the specified condition to be true of an Istio resource.

-
istioctl experimental wait [flags] <type> <name>[.<namespace>]
+

Examples

+
  # Retrieve sync status for all Envoys in a mesh
+  istioctl x proxy-status
+
+  # Retrieve sync diff for a single Envoy and Istiod
+  istioctl x proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system
+
+  # SECURITY OPTIONS
+
+  # Retrieve proxy status information directly from the control plane, using token security
+  # (This is the usual way to get the proxy-status with an out-of-cluster control plane.)
+  istioctl x ps --xds-address istio.cloudprovider.example.com:15012
+
+  # Retrieve proxy status information via Kubernetes config, using token security
+  # (This is the usual way to get the proxy-status with an in-cluster control plane.)
+  istioctl x proxy-status
+
+  # Retrieve proxy status information directly from the control plane, using RSA certificate security
+  # (Certificates must be obtained before this step.  The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
+  istioctl x ps --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
+
+  # Retrieve proxy status information via XDS from specific control plane in multi-control plane in-cluster configuration
+  # (Select a specific control plane in an in-cluster canary Istio configuration.)
+  istioctl x ps --xds-label istio.io/rev=default
+
+
+

istioctl experimental remote-clusters

+

Lists the remote clusters each istiod instance is connected to.

+
istioctl experimental remote-clusters [flags]
 
@@ -2446,11 +2845,6 @@

istioctl experimental wait

- - - - - @@ -2461,58 +2855,32 @@

istioctl experimental wait

- - - - - - - - - - - - - + + + - + - +
The name of the kubeconfig context to use (default ``)
--for <string>wait condition, must be 'distribution' or 'delete' (default `distribution`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--resource-version <string>wait for a specific version of config to become current, rather than using whatever is latest in kubernetes (default ``)
--threshold <float32>the ratio of distribution required for success (default `1`)--revision <string>-rControl plane revision (default ``)
--timeout <duration>--vklog <Level> the duration to wait before failing (default `30s`)number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-

-# Wait until the bookinfo virtual service has been distributed to all proxies in the mesh
-istioctl experimental wait --for=distribution virtualservice bookinfo.default
-
-# Wait until 99% of the proxies receive the distribution, timing out after 5 minutes
-istioctl experimental wait --for=distribution --threshold=.99 --timeout=300 virtualservice bookinfo.default
-
-
-

istioctl kube-inject

-

-

kube-inject manually injects the Envoy sidecar into Kubernetes -workloads. Unsupported resources are left unmodified so it is safe to -run kube-inject over a single file that contains multiple Service, -ConfigMap, Deployment, etc. definitions for a complex application. It's -best to do this when the resource is initially created.

-

k8s.io/docs/concepts/workloads/pods/pod-overview/#pod-templates is -updated for Job, DaemonSet, ReplicaSet, Pod and Deployment YAML resource -documents. Support for additional pod-based resource types can be -added as necessary.

-

The Istio project is continually evolving so the Istio sidecar -configuration may change unannounced. When in doubt re-run istioctl -kube-inject on deployments to get the most up-to-date changes. -

-
istioctl kube-inject [flags]
+

istioctl experimental remove-from-mesh

+

'istioctl experimental remove-from-mesh' restarts pods without an Istio sidecar or removes external service access configuration. +Use 'remove-from-mesh' to quickly test uninjected behavior as part of compatibility troubleshooting. +The 'add-to-mesh' command can be used to add or restore the sidecar.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental remove-from-mesh [flags]
 
+
+
istioctl experimental rm [flags]
+
@@ -2528,21 +2896,6 @@

istioctl kube-inject

- - - - - - - - - - - - - - - @@ -2553,62 +2906,37 @@

istioctl kube-inject

- - - - - - - - - - - - - - - - - - - - - + - +
The name of the kubeconfig context to use (default ``)
--filename <string>-fInput Kubernetes resource filename (default ``)
--injectConfigFile <string>injection configuration filename. Cannot be used with --injectConfigMapName (default ``)
--injectConfigMapName <string>ConfigMap name for Istio sidecar injection, key should be "config". (default `istio-sidecar-injector`)
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--meshConfigFile <string>mesh configuration filename. Takes precedence over --meshConfigMapName if set (default ``)
--meshConfigMapName <string>ConfigMap name for Istio mesh configuration, key should be "mesh" (default `istio`)
--namespace <string> -n Config namespace (default ``)
--output <string>-oModified output Kubernetes resource filename (default ``)
--valuesFile <string>--vklog <Level> injection values configuration filename. (default ``)number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-

-# Update resources on the fly before applying.
-kubectl apply -f <(istioctl kube-inject -f <resource.yaml>)
+

Examples

+
  # Restart all productpage pods without an Istio sidecar
+  istioctl experimental remove-from-mesh service productpage
 
-# Create a persistent version of the deployment with Envoy sidecar
-# injected.
-istioctl kube-inject -f deployment.yaml -o deployment-injected.yaml
-
-# Update an existing deployment.
-kubectl get deployment -o yaml | istioctl kube-inject -f - | kubectl apply -f -
-
-# Capture cluster configuration for later use with kube-inject
-kubectl -n istio-system get cm istio-sidecar-injector  -o jsonpath="{.data.config}" > /tmp/inj-template.tmpl
-kubectl -n istio-system get cm istio -o jsonpath="{.data.mesh}" > /tmp/mesh.yaml
-kubectl -n istio-system get cm istio-sidecar-injector -o jsonpath="{.data.values}" > /tmp/values.json
-# Use kube-inject based on captured configuration
-istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
-	--injectConfigFile /tmp/inj-template.tmpl \
-	--meshConfigFile /tmp/mesh.yaml \
-	--valuesFile /tmp/values.json
+  # Restart all details-v1 pods without an Istio sidecar
+  istioctl x rm service details-v1
 
+  # Restart all ratings-v1 pods without an Istio sidecar
+  istioctl x rm deploy ratings-v1
 
-

istioctl manifest

-

The manifest subcommand generates, applies, diffs or migrates Istio manifests.

+

istioctl experimental remove-from-mesh deployment

+

'istioctl experimental remove-from-mesh deployment' restarts pods with the Istio sidecar un-injected. +'remove-from-mesh' is a compatibility troubleshooting tool.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental remove-from-mesh deployment <deployment> [flags]
+
+
+
istioctl experimental remove-from-mesh deploy <deployment> [flags]
+istioctl experimental remove-from-mesh dep <deployment> [flags]
+
@@ -2624,11 +2952,6 @@

istioctl manifest

- - - - - @@ -2639,31 +2962,37 @@

istioctl manifest

- - - - - - - - - - - + - +
The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderrSend logs to stderr.
--namespace <string> -n Config namespace (default ``)
--verbose--vklog <Level> Verbose output. number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl manifest apply

-

The apply subcommand generates an Istio install manifest and applies it to a cluster.

-
istioctl manifest apply [flags]
+

Examples

+
  # Restart all productpage-v1 pods without an Istio sidecar
+  istioctl experimental remove-from-mesh deployment productpage-v1
+
+  # Restart all details-v1 pods without an Istio sidecar
+  istioctl x remove-from-mesh deploy details-v1
+
+  # Restart all ratings-v1 pods without an Istio sidecar
+  istioctl x rm dep ratings-v1
+
+

istioctl experimental remove-from-mesh external-service

+

'istioctl experimental remove-from-mesh external-service' removes the ServiceEntry and +the Kubernetes Service for the specified external service (e.g. services running on a VM) from Istio service mesh. +The typical usage scenario is Mesh Expansion on VMs.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental remove-from-mesh external-service <svcname> [flags]
 
+
+
istioctl experimental remove-from-mesh es <svcname> [flags]
+
@@ -2679,21 +3008,6 @@

istioctl manifest apply

- - - - - - - - - - - - - - - @@ -2704,54 +3018,36 @@

istioctl manifest apply

- - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - +
The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--filename <string>-fPath to file containing IstioControlPlane CustomResource (default ``)
--forceProceed even with validation errors
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderrSend logs to stderr.
--namespace <string> -n Config namespace (default ``)
--readiness-timeout <duration>Maximum seconds to wait for all Istio resources to be ready. The --wait flag must be set for this flag to apply (default `5m0s`)
--set <stringSlice>-sSet a value in IstioControlPlane CustomResource. e.g. --set policy.enabled=true. -Overrides the corresponding path value in the selected profile or passed through IstioControlPlane CR -customization file (default `[]`)
--skip-confirmationskipConfirmation determines whether the user is prompted for confirmation. -If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verbose--vklog <Level> Verbose output.
--wait-wWait, if set will wait until all Pods, Services, and minimum number of Pods of a Deployment are in a ready state before the command exits. It will wait for a maximum duration of --readiness-timeout seconds number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl manifest diff

-

The diff subcommand compares manifests from two files or directories.

-
istioctl manifest diff <file|dir> <file|dir> [flags]
+

Examples

+
  # Remove "vmhttp" service entry rules
+  istioctl experimental remove-from-mesh external-service vmhttp
+
+  # Remove "vmhttp" service entry rules
+  istioctl x remove-from-mesh es vmhttp
+
+  # Remove "vmhttp" service entry rules
+  istioctl x rm es vmhttp
+
+

istioctl experimental remove-from-mesh service

+

'istioctl experimental remove-from-mesh service' restarts pods with the Istio sidecar un-injected. +'remove-from-mesh' is a compatibility troubleshooting tool.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl experimental remove-from-mesh service <service> [flags]
 
+
+
istioctl experimental remove-from-mesh svc <service> [flags]
+
@@ -2767,21 +3063,6 @@

istioctl manifest diff

- - - - - - - - - - - - - - - @@ -2792,47 +3073,29 @@

istioctl manifest diff

- - - - - - - - - - - - - - - - - - - - - + - +
The name of the kubeconfig context to use (default ``)
--directory-rcompare directory
--dry-runConsole/log output only, make no changes.
--ignore <string>ignoreResources ignores all listed items during comparison. It uses the same list format as selectResources (default ``)
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderrSend logs to stderr.
--namespace <string> -n Config namespace (default ``)
--rename <string>renameResources identifies renamed resources before comparison. -The format of each renaming pair is A->B, all renaming pairs are comma separated. -e.g. Service:*:istio-pilot->Service:*:istio-control - rename istio-pilot service into istio-control (default ``)
--select <string>selectResources constrains the list of resources to compare to only the ones in this list, ignoring all others. -The format of each list item is "::" and the items are comma separated. The "*" character represents wildcard selection. -e.g. - Deployment:istio-system:* - compare all deployments in istio-system namespace - Service:*:istio-pilot - compare Services called "istio-pilot" in all namespaces (default `::`)
--verbose--vklog <Level> Verbose output. number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl manifest generate

-

The generate subcommand generates an Istio install manifest and outputs to the console by default.

-
istioctl manifest generate [flags]
+

Examples

+
  # Restart all productpage pods without an Istio sidecar
+  istioctl experimental remove-from-mesh service productpage
+
+  # Restart all details-v1 pods without an Istio sidecar
+  istioctl x remove-from-mesh svc details-v1
+
+  # Restart all ratings-v1 pods without an Istio sidecar
+  istioctl x rm svc ratings-v1
 
+

istioctl experimental revision

+

The revision command provides a revision centric view of istio deployments. It provides insight into IstioOperator CRs defining the revision, istiod and gateway pods which are part of deployment of a particular revision.

@@ -2848,21 +3111,6 @@

istioctl manifest generate

- - - - - - - - - - - - - - - @@ -2873,14 +3121,12 @@

istioctl manifest generate

- - - - - - - - + + + @@ -2890,25 +3136,23 @@

istioctl manifest generate

- + - - - + + + - + - +
The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--filename <string>-fPath to file containing IstioControlPlane CustomResource (default ``)
--forceProceed even with validation errors
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderrSend logs to stderr. --manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>
--output <string> -oManifest output directory path (default ``)Output format for revision description (available formats: table,json) (default `table`)
--set <stringSlice>-sSet a value in IstioControlPlane CustomResource. e.g. --set policy.enabled=true. -Overrides the corresponding path value in the selected profile or passed through IstioControlPlane CR -customization file (default `[]`)--verbose-vEnable verbose output
--verbose--vklog <Level> Verbose output. number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl manifest migrate

-

The migrate subcommand migrates a configuration from Helm values format to IstioControlPlane format.

-
istioctl manifest migrate [<filepath>] [flags]
+

istioctl experimental revision describe

+

Show information about a revision, including customizations, istiod version and which pods/gateways are using it.

+
istioctl experimental revision describe [flags]
 
@@ -2925,11 +3169,6 @@

istioctl manifest migrate

- - - - - @@ -2940,14 +3179,12 @@

istioctl manifest migrate

- - - - - - - - + + + @@ -2955,15 +3192,37 @@

istioctl manifest migrate

+ + + + + + + + + + - +
The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderrSend logs to stderr. --manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string> Config namespace (default ``)
--output <string>-oOutput format for revision description (available formats: table,json) (default `table`)
--verbose-vEnable verbose output
--vklog <Level> Verbose output. number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl manifest versions

-

List the versions of Istio recommended for use or supported for upgrade by this version of the operator binary.

-
istioctl manifest versions [flags]
+

Examples

+
  # View the details of a revision named 'canary'
+  istioctl x revision describe canary
+
+  # View the details of a revision named 'canary' and also the pods
+  # under that particular revision
+  istioctl x revision describe canary -v
+
+  # Get details about a revision in json format (default format is human-friendly table format)
+  istioctl x revision describe canary -v -o json
+
+
+

istioctl experimental revision list

+

Show list of control plane and gateway revisions that are currently installed in cluster

+
istioctl experimental revision list [flags]
 
@@ -2980,11 +3239,6 @@

istioctl manifest versions

- - - - - @@ -2995,14 +3249,12 @@

istioctl manifest versions

- - - - - - - - + + + @@ -3010,19 +3262,43 @@

istioctl manifest versions

+ + + + + - - + + - - - + + +
The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderrSend logs to stderr. --manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string> Config namespace (default ``)
--output <string>-oOutput format for revision description (available formats: table,json) (default `table`)
--verboseVerbose output. -vEnable verbose output
--versionsURI <string>-uURI for operator versions to Istio versions map (default `https://raw.githubusercontent.com/istio/operator/master/data/versions.yaml`)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl profile

-

The profile subcommand lists, dumps or diffs Istio configuration profiles.

+

Examples

+
  # View summary of revisions installed in the current cluster
+  # which can be overridden with --context parameter.
+  istioctl x revision list
+
+  # View list of revisions including customizations, istiod and gateway pods
+  istioctl x revision list -v
+
+
+

istioctl experimental revision tag

+

Command group used to interact with revision tags. Revision tags allow for the creation of mutable aliases +referring to control plane revisions for sidecar injection.

+

With revision tags, rather than relabeling a namespace from "istio.io/rev=revision-a" to "istio.io/rev=revision-b" to +change which control plane revision handles injection, it's possible to create a revision tag "prod" and label our +namespace "istio.io/rev=prod". The "prod" revision tag could point to "1-7-6" initially and then be changed to point to "1-8-1" +at some later point.

+

This allows operators to change which Istio control plane revision should handle injection for a namespace or set of namespaces +without manual relabeling of the "istio.io/rev" tag. +

+
istioctl experimental revision tag [flags]
+
@@ -3038,11 +3314,6 @@

istioctl profile

- - - - - @@ -3053,14 +3324,12 @@

istioctl profile

- - - - - - - - + + + @@ -3068,15 +3337,26 @@

istioctl profile

+ + + + + + + + + + - +
The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderrSend logs to stderr. --manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string> Config namespace (default ``)
--output <string>-oOutput format for revision description (available formats: table,json) (default `table`)
--verbose-vEnable verbose output
--vklog <Level> Verbose output. number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl profile diff

-

The diff subcommand displays the differences between two Istio configuration profiles.

-
istioctl profile diff <file1.yaml> <file2.yaml> [flags]
+

istioctl experimental revision tag generate

+

Create a revision tag and output to the command's stdout. Tag an Istio control plane revision for use with namespace istio.io/rev +injection labels.

+
istioctl experimental revision tag generate <revision-tag> [flags]
 
@@ -3088,14 +3368,14 @@

istioctl profile diff

- + - + - + - + @@ -3108,14 +3388,12 @@

istioctl profile diff

- - - - - - - - + + + @@ -3123,49 +3401,78 @@

istioctl profile diff

- + + + + + + - + - -
--context <string>--auto-inject-namespaces The name of the kubeconfig context to use (default ``)If set to true, the sidecars should be automatically injected into all namespaces by default
--dry-run--context <string> Console/log output only, make no changes. The name of the kubeconfig context to use (default ``)
--istioNamespace <string> Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderrSend logs to stderr. --manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string> Config namespace (default ``)
--verbose--output <string>-oOutput format for revision description (available formats: table,json) (default `table`)
--overwrite Verbose output. If true, allow revision tags to be overwritten, otherwise reject revision tag updates that +overwrite existing revision tags.
-

istioctl profile dump

-

The dump subcommand dumps the values in an Istio configuration profile.

-
istioctl profile dump [<profile>] [flags]
-
- - - - - + + + - - - - - + + + - + + + + + + - + - + - + + +
FlagsShorthandDescription--revision <string>-rControl plane revision to reference from a given revision tag (default ``)
--config-path <string>-pThe path the root of the configuration subtree to dump e.g. trafficManagement.components.pilot. By default, dump whole tree (default ``)--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--context <string>--verbose-vEnable verbose output
--vklog <Level> The name of the kubeconfig context to use (default ``)number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--dry-run--webhook-name <string> Console/log output only, make no changes. Name to use for a revision tag's mutating webhook configuration. (default ``)
+

Examples

+
 # Create a revision tag from the "1-8-0" revision
+ istioctl tag generate prod --revision 1-8-0 > tag.yaml
+
+ # Apply the tag to cluster
+ kubectl apply -f tag.yaml
+
+ # Point namespace "test-ns" at the revision pointed to by the "prod" revision tag
+ kubectl label ns test-ns istio.io/rev=prod
+
+ # Rollout namespace "test-ns" to update workloads to the "1-8-0" revision
+ kubectl rollout restart deployments -n test-ns
+
+
+

istioctl experimental revision tag list

+

List existing revision tags

+
istioctl experimental revision tag list [flags]
+
+
+
istioctl experimental revision tag show [flags]
+
+ + - - - + + + + + - + - + @@ -3178,14 +3485,12 @@

istioctl profile dump

- - - - - - - - + + + @@ -3193,16 +3498,36 @@

istioctl profile dump

+ + + + + + + + + + - +
--filename <string>-fPath to file containing IstioControlPlane CustomResource (default ``)FlagsShorthandDescription
--helm-values--context <string> If set, dumps the Helm values that IstioControlPlaceSpec is translated to before manifests are rendered The name of the kubeconfig context to use (default ``)
--istioNamespace <string> Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderrSend logs to stderr. --manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string> Config namespace (default ``)
--output <string>-oOutput format for revision description (available formats: table,json) (default `table`)
--verbose-vEnable verbose output
--vklog <Level> Verbose output. number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl profile list

-

The list subcommand lists the available Istio configuration profiles.

-
istioctl profile list [flags]
+

Examples

+
istioctl tag list
+
+

istioctl experimental revision tag remove

+

Remove Istio control plane revision tag.

+

Removing a revision tag should be done with care. Removing a revision tag will disrupt sidecar injection in namespaces +that reference the tag in an "istio.io/rev" label. Verify that there are no remaining namespaces referencing a +revision tag before removing using the "istioctl tag list" command. +

+
istioctl experimental revision tag remove <revision-tag> [flags]
 
+
+
istioctl experimental revision tag delete <revision-tag> [flags]
+
@@ -3218,11 +3543,6 @@

istioctl profile list

- - - - - @@ -3233,14 +3553,12 @@

istioctl profile list

- - - - - - - - + + + @@ -3248,14 +3566,38 @@

istioctl profile list

+ + + + + + + + + + + + + + + - +
The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderrSend logs to stderr. --manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string> Config namespace (default ``)
--output <string>-oOutput format for revision description (available formats: table,json) (default `table`)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verbose-vEnable verbose output
--vklog <Level> Verbose output. number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl proxy-config

-

A group of commands used to retrieve information about proxy configuration from the Envoy config dump

+

Examples

+
 # Remove the revision tag "prod"
+	istioctl tag remove prod
+
+
+

istioctl experimental revision tag set

+

Create or modify revision tags. Tag an Istio control plane revision for use with namespace istio.io/rev +injection labels.

+
istioctl experimental revision tag set <revision-tag> [flags]
+
@@ -3266,6 +3608,11 @@

istioctl proxy-config

+ + + + + @@ -3281,9 +3628,12 @@

istioctl proxy-config

- - - + + + @@ -3293,21 +3643,64 @@

istioctl proxy-config

- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
--auto-inject-namespacesIf set to true, the sidecars should be automatically injected into all namespaces by default
--context <string> The name of the kubeconfig context to use (default ``) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>
--output <string> -oOutput format: one of json|short (default `short`)Output format for revision description (available formats: table,json) (default `table`)
--overwriteIf true, allow revision tags to be overwritten, otherwise reject revision tag updates that +overwrite existing revision tags.
--revision <string>-rControl plane revision to reference from a given revision tag (default ``)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verbose-vEnable verbose output
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--webhook-name <string>Name to use for a revision tag's mutating webhook configuration. (default ``)
-

Examples

-
  # Retrieve information about proxy configuration from an Envoy instance.
-  istioctl proxy-config <clusters|listeners|routes|endpoints|bootstrap> <pod-name[.namespace]>
+

Examples

+
 # Create a revision tag from the "1-8-0" revision
+ istioctl tag set prod --revision 1-8-0
+
+ # Point namespace "test-ns" at the revision pointed to by the "prod" revision tag
+ kubectl label ns test-ns istio.io/rev=prod
+
+ # Change the revision tag to reference the "1-8-1" revision
+ istioctl tag set prod --revision 1-8-1 --overwrite
+
+ # Make revision "1-8-1" the default revision, both resulting in that revision handling injection for "istio-injection=enabled"
+ # and validating resources cluster-wide
+ istioctl tag set default --revision 1-8-1
+
+ # Rollout namespace "test-ns" to update workloads to the "1-8-1" revision
+ kubectl rollout restart deployments -n test-ns
+
 
-

istioctl proxy-config bootstrap

-

Retrieve information about bootstrap configuration for the Envoy instance in the specified pod.

-
istioctl proxy-config bootstrap [<pod-name[.namespace]>] [flags]
+

istioctl experimental uninstall

+

The uninstall command uninstalls Istio from a cluster

+
istioctl experimental uninstall [flags]
 
-
-
istioctl proxy-config b [<pod-name[.namespace]>] [flags]
-
@@ -3323,9 +3716,19 @@

istioctl proxy-config bootstrap

- + + + + + + - + + + + + + @@ -3338,9 +3741,12 @@

istioctl proxy-config bootstrap

- - - + + + @@ -3348,29 +3754,54 @@

istioctl proxy-config bootstrap

- - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
The name of the kubeconfig context to use (default ``)
--file <string>--dry-runConsole/log output only, make no changes.
--filename <string> -fEnvoy config dump JSON file (default ``)The filename of the IstioOperator CR. (default ``)
--forceProceed even with validation errors.
--istioNamespace <string> Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string> Config namespace (default ``)
--output <string>-oOutput format: one of json|short (default `short`)--purgeDelete all Istio related sources for all versions
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile +(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.14/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verbose-vVerbose output.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Retrieve full bootstrap configuration for a given pod from Envoy.
-  istioctl proxy-config bootstrap <pod-name[.namespace]>
-
-  # Retrieve full bootstrap without using Kubernetes API
-  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
-  istioctl proxy-config bootstrap --file envoy-config.json
+

Examples

+
  # Uninstall a single control plane by revision
+  istioctl x uninstall --revision foo
 
+  # Uninstall a single control plane by iop file
+  istioctl x uninstall -f iop.yaml
+  
+  # Uninstall all control planes and shared resources
+  istioctl x uninstall --purge
 
-

istioctl proxy-config cluster

-

Retrieve information about cluster configuration for the Envoy instance in the specified pod.

-
istioctl proxy-config cluster [<pod-name[.namespace]>] [flags]
+

istioctl experimental version

+

Prints out build version information

+
istioctl experimental version [flags]
 
-
-
istioctl proxy-config clusters [<pod-name[.namespace]>] [flags]
-istioctl proxy-config c [<pod-name[.namespace]>] [flags]
-
@@ -3381,24 +3812,24 @@

istioctl proxy-config cluster

- + - + - + - + - - - + + + - + - + @@ -3411,11 +3842,6 @@

istioctl proxy-config cluster

- - - - - @@ -3423,43 +3849,77 @@

istioctl proxy-config cluster

- + - + - + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
--context <string>--authority <string> The name of the kubeconfig context to use (default ``)XDS Subject Alternative Name (for example istiod.istio-system.svc) (default ``)
--direction <string>--cert-dir <string> Filter clusters by Direction field (default ``)XDS Endpoint certificate directory (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)--context <string>The name of the kubeconfig context to use (default ``)
--fqdn <string>--insecure Filter clusters by substring of Service FQDN field (default ``)Skip server certificate and domain verification. (NOT SECURE!)
--istioNamespace <string> Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--output <string> -oOutput format: one of json|short (default `short`)One of 'yaml' or 'json'. (default ``)
--port <int>--plaintext Filter clusters by Port field (default `0`)Use plain-text HTTP/2 when connecting to server (no TLS).
--subset <string>--remote Filter clusters by substring of Subset field (default ``)Use --remote=false to suppress control plane check
--revision <string>-rControl plane revision (default ``)
--short-sUse --short=false to generate full version information
--timeout <duration>The duration to wait before failing (default `30s`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--xds-address <string>XDS Endpoint (default ``)
--xds-label <string>Istiod pod label selector (default ``)
--xds-port <int>Istiod pod port (default `15012`)
-

Examples

-
  # Retrieve summary about cluster configuration for a given pod from Envoy.
-  istioctl proxy-config clusters <pod-name[.namespace]>
+

Examples

+
# Retrieve version information directly from the control plane, using token security
+# (This is the usual way to get the control plane version with an out-of-cluster control plane.)
+istioctl x version --xds-address istio.cloudprovider.example.com:15012
 
-  # Retrieve cluster summary for clusters with port 9080.
-  istioctl proxy-config clusters <pod-name[.namespace]> --port 9080
+# Retrieve version information via Kubernetes config, using token security
+# (This is the usual way to get the control plane version with an in-cluster control plane.)
+istioctl x version
 
-  # Retrieve full cluster dump for clusters that are inbound with a FQDN of details.default.svc.cluster.local.
-  istioctl proxy-config clusters <pod-name[.namespace]> --fqdn details.default.svc.cluster.local --direction inbound -o json
+# Retrieve version information directly from the control plane, using RSA certificate security
+# (Certificates must be obtained before this step.  The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
+istioctl x version --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
 
-  # Retrieve cluster summary without using Kubernetes API
-  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
-  istioctl proxy-config clusters --file envoy-config.json
+# Retrieve version information via XDS from specific control plane in multi-control plane in-cluster configuration
+# (Select a specific control plane in an in-cluster canary Istio configuration.)
+istioctl x version --xds-label istio.io/rev=default
 
 
-

istioctl proxy-config endpoint

-

Retrieve information about endpoint configuration for the Envoy instance in the specified pod.

-
istioctl proxy-config endpoint [<pod-name[.namespace]>] [flags]
+

istioctl experimental wait

+

Waits for the specified condition to be true of an Istio resource.

+
istioctl experimental wait [flags] <type> <name>[.<namespace>]
 
-
-
istioctl proxy-config endpoints [<pod-name[.namespace]>] [flags]
-istioctl proxy-config ep [<pod-name[.namespace]>] [flags]
-
@@ -3470,24 +3930,19 @@

istioctl proxy-config endpoint

- + - + - + - + - + - - - - - - + @@ -3500,60 +3955,42 @@

istioctl proxy-config endpoint

- - - - - - - - + + + - + - + - + - + + + + + +
--address <string>--context <string> Filter endpoints by address field (default ``)The name of the kubeconfig context to use (default ``)
--cluster <string>--for <string> Filter endpoints by cluster name field (default ``)Wait condition, must be 'distribution' or 'delete' (default `distribution`)
--context <string>--generation <string> The name of the kubeconfig context to use (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)Wait for a specific generation of config to become current, rather than using whatever is latest in Kubernetes (default ``)
--istioNamespace <string> Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--output <string>-oOutput format: one of json|short (default `short`)--revision <string>-rControl plane revision (default ``)
--port <int>--threshold <float32> Filter endpoints by Port field (default `0`)The ratio of distribution required for success (default `1`)
--status <string>--timeout <duration> Filter endpoints by status field (default ``)The duration to wait before failing (default `30s`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Retrieve full endpoint configuration for a given pod from Envoy.
-  istioctl proxy-config endpoint <pod-name[.namespace]>
-
-  # Retrieve endpoint summary for endpoint with port 9080.
-  istioctl proxy-config endpoint <pod-name[.namespace]> --port 9080
-
-  # Retrieve full endpoint with a address (172.17.0.2).
-  istioctl proxy-config endpoint <pod-name[.namespace]> --address 172.17.0.2 -o json
-
-  # Retrieve full endpoint with a cluster name (outbound|9411||zipkin.istio-system.svc.cluster.local).
-  istioctl proxy-config endpoint <pod-name[.namespace]> --cluster "outbound|9411||zipkin.istio-system.svc.cluster.local" -o json
-  # Retrieve full endpoint with the status (healthy).
-  istioctl proxy-config endpoint <pod-name[.namespace]> --status healthy -ojson
+

Examples

+
  # Wait until the bookinfo virtual service has been distributed to all proxies in the mesh
+  istioctl experimental wait --for=distribution virtualservice bookinfo.default
 
-  # Retrieve endpoint summary without using Kubernetes API
-  ssh <user@hostname> 'curl localhost:15000/clusters?format=json' > envoy-clusters.json
-  istioctl proxy-config endpoints --file envoy-clusters.json
+  # Wait until 99% of the proxies receive the distribution, timing out after 5 minutes
+  istioctl experimental wait --for=distribution --threshold=.99 --timeout=300 virtualservice bookinfo.default
 
 
-

istioctl proxy-config listener

-

Retrieve information about listener configuration for the Envoy instance in the specified pod.

-
istioctl proxy-config listener [<pod-name[.namespace]>] [flags]
-
-
-
istioctl proxy-config listeners [<pod-name[.namespace]>] [flags]
-istioctl proxy-config l [<pod-name[.namespace]>] [flags]
-
+

istioctl experimental workload

+

Commands to assist in configuring and deploying workloads running on VMs and other non-Kubernetes environments

@@ -3564,21 +4001,11 @@

istioctl proxy-config listener

- - - - - - - - - - @@ -3589,54 +4016,26 @@

istioctl proxy-config listener

- - - - - - - - - - - - - - - - + - +
--address <string>Filter listeners by address field (default ``)
--context <string> The name of the kubeconfig context to use (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--output <string>-oOutput format: one of json|short (default `short`)
--port <int>Filter listeners by Port field (default `0`)
--type <string>--vklog <Level> Filter listeners by type field (default ``)number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Retrieve summary about listener configuration for a given pod from Envoy.
-  istioctl proxy-config listeners <pod-name[.namespace]>
+

Examples

+
  # workload group yaml generation
+  workload group create
 
-  # Retrieve listener summary for listeners with port 9080.
-  istioctl proxy-config listeners <pod-name[.namespace]> --port 9080
-
-  # Retrieve full listener dump for HTTP listeners with a wildcard address (0.0.0.0).
-  istioctl proxy-config listeners <pod-name[.namespace]> --type HTTP --address 0.0.0.0 -o json
-
-  # Retrieve listener summary without using Kubernetes API
-  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
-  istioctl proxy-config listeners --file envoy-config.json
-
-
-

istioctl proxy-config log

-

(experimental) Retrieve information about logging levels of the Envoy instance in the specified pod, and update optionally

-
istioctl proxy-config log <pod-name[.namespace]> [flags]
+  # workload entry configuration generation
+  workload entry configure
 
-
-
istioctl proxy-config o <pod-name[.namespace]> [flags]
-
+

istioctl experimental workload entry

+

Commands dealing with WorkloadEntry resources

@@ -3662,54 +4061,26 @@

istioctl proxy-config log

- - - - - - - - - - - - - - - - - - + + +
Kubernetes configuration file (default ``)
--level <string>Comma-separated minimum per-logger level of messages to output, in the form of [<logger>:]<level>,[<logger>:]<level>,... where logger can be one of admin, aws, assert, backtrace, client, config, connection, conn_handler, dubbo, file, filter, forward_proxy, grpc, hc, health_checker, http, http2, hystrix, init, io, jwt, kafka, lua, main, misc, mongo, quic, pool, rbac, redis, router, runtime, stats, secret, tap, testing, thrift, tracing, upstream, udp, wasm and level can be one of [trace, debug, info, warning, error, critical, off] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--output <string>-oOutput format: one of json|short (default `short`)
--reset-rReset levels to default value (warning). --vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Retrieve information about logging levels for a given pod from Envoy.
-  istioctl proxy-config log <pod-name[.namespace]>
-
-  # Update levels of the all loggers
-  istioctl proxy-config log <pod-name[.namespace]> --level none
-
-  # Update levels of the specified loggers.
-  istioctl proxy-config log <pod-name[.namespace]> --level http:debug,redis:debug
-
-  # Reset levels of all the loggers to default value (warning).
-  istioctl proxy-config log <pod-name[.namespace]> -r
-
+

Examples

+
entry configure -f workloadgroup.yaml -o outputDir
 
-

istioctl proxy-config route

-

Retrieve information about route configuration for the Envoy instance in the specified pod.

-
istioctl proxy-config route [<pod-name[.namespace]>] [flags]
+

istioctl experimental workload entry configure

+

Generates all the required configuration files for workload instance on a VM or non-Kubernetes environment from a WorkloadGroup artifact. +This includes a MeshConfig resource, the cluster.env file, and necessary certificates and security tokens. +Configure requires either the WorkloadGroup artifact path or its location on the API server.

+
istioctl experimental workload entry configure [flags]
 
-
-
istioctl proxy-config routes [<pod-name[.namespace]>] [flags]
-istioctl proxy-config r [<pod-name[.namespace]>] [flags]
-
@@ -3720,87 +4091,49 @@

istioctl proxy-config route

- + - - - - - - + - - - - - - - - + + + - + - + - + - + - - - + + + - - - + + + - -
--context <string>--autoregister The name of the kubeconfig context to use (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)Creates a WorkloadEntry upon connection to istiod (if enabled in pilot).
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)--capture-dnsEnables the capture of outgoing DNS packets on port 53, redirecting to istio-agent
--log_output_level <string>--clusterID <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)The ID used to identify the cluster (default ``)
--name <string>--context <string> Filter listeners by route name field (default ``)The name of the kubeconfig context to use (default ``)
--namespace <string>-nConfig namespace (default ``)--externalIP <string>External IP address of the workload (default ``)
--output <string>-oOutput format: one of json|short (default `short`)--file <string>-ffilename of the WorkloadGroup artifact. Leave this field empty if using the API server (default ``)
-

Examples

-
  # Retrieve summary about route configuration for a given pod from Envoy.
-  istioctl proxy-config routes <pod-name[.namespace]>
-
-  # Retrieve route summary for route 9080.
-  istioctl proxy-config route <pod-name[.namespace]> --name 9080
-
-  # Retrieve full route dump for route 9080
-  istioctl proxy-config route <pod-name[.namespace]> --name 9080 -o json
-
-  # Retrieve route summary without using Kubernetes API
-  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
-  istioctl proxy-config routes --file envoy-config.json
-
-
-

istioctl proxy-config secret

-

(experimental) Retrieve information about secret configuration for the Envoy instance in the specified pod.

-
istioctl proxy-config secret [<pod-name[.namespace]>] [flags]
-
-
-
istioctl proxy-config s [<pod-name[.namespace]>] [flags]
-
- - - - - + + + - - - + - + - - - + + + @@ -3813,9 +4146,9 @@

istioctl proxy-config secret

- + - + @@ -3825,30 +4158,34 @@

istioctl proxy-config secret

- + + + + + + + + + + + + + + + +
FlagsShorthandDescription--ingressIP <string>IP address of the ingress gateway (default ``)
--context <string>--ingressService <string> The name of the kubeconfig context to use (default ``)Name of the Service to be used as the ingress gateway, in the format <service>.<namespace>. If no namespace is provided, the default istio-system namespace will be used. (default `istio-eastwestgateway`)
--file <string>-fEnvoy config dump JSON file (default ``)--internalIP <string>Internal IP address of the workload (default ``)
--istioNamespace <string> Kubernetes configuration file (default ``)
--log_output_level <string>--name <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)The name of the workload group (default ``)
--namespace <string>
--output <string> -oOutput format: one of json|short (default `short`)Output directory for generated files (default ``)
--revision <string>-rControl plane revision (default ``)
--tokenDuration <int>The token duration in seconds (default: 1 hour) (default `3600`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Retrieve full secret configuration for a given pod from Envoy.
-  istioctl proxy-config secret <pod-name[.namespace]>
-
-  # Retrieve full bootstrap without using Kubernetes API
-  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
-  istioctl proxy-config secret --file envoy-config.json
-
-THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
+

Examples

+
  # configure example using a local WorkloadGroup artifact
+  configure -f workloadgroup.yaml -o config
 
+  # configure example using the API server
+  configure --name foo --namespace bar -o config
 
-

istioctl proxy-status

-

-Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in the mesh

-

-
istioctl proxy-status [<pod-name[.namespace]>] [flags]
-
-
-
istioctl ps [<pod-name[.namespace]>] [flags]
-
+

istioctl experimental workload group

+

Commands dealing with WorkloadGroup resources

@@ -3874,38 +4211,24 @@

istioctl proxy-status

- - - - - - - - - - - + - +
Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string> -n Config namespace (default ``)
--sds-s(experimental) Retrieve synchronization between active secrets on Envoy instance with those on corresponding node agents
--sds-json--vklog <Level> Determines whether SDS dump outputs JSON number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
# Retrieve sync status for all Envoys in a mesh
-	istioctl proxy-status
-
-# Retrieve sync diff for a single Envoy and Pilot
-	istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system
-
+

Examples

+
group create --name foo --namespace bar --labels app=foobar
 
-

istioctl register

-

Registers a service instance (e.g. VM) joining the mesh

-
istioctl register <svcname> <ip> [name1:]port1 [name2:]port2 ... [flags]
+

istioctl experimental workload group create

+

Creates a WorkloadGroup resource that provides a template for associated WorkloadEntries. +The default output is serialized YAML, which can be piped into 'kubectl apply -f -' to send the artifact to the API Server.

+
istioctl experimental workload group create [flags]
 
@@ -3919,7 +4242,7 @@

istioctl register

- + @@ -3939,12 +4262,12 @@

istioctl register

- + - + - + @@ -3952,16 +4275,32 @@

istioctl register

- + + + + + + - + + + + + +
--annotations <stringSlice> -aList of string annotations to apply if creating a service/endpoint; e.g. -a foo=bar,test,x=y (default `[]`)The annotations to apply to the workload instances (default `[]`)
--context <string>
--labels <stringSlice> -lList of labels to apply if creating a service/endpoint; e.g. -l env=prod,vers=2 (default `[]`)The labels to apply to the workload instances; e.g. -l env=prod,vers=2 (default `[]`)
--log_output_level <string>--name <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)The name of the workload group (default ``)
--namespace <string> Config namespace (default ``)
--serviceaccount <string>--ports <stringSlice>-pThe incoming ports exposed by the workload instance (default `[]`)
--serviceAccount <string> -sService account to link to the service (default `default`)The service identity to associate with the workload instances (default `default`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl validate

-

Validate Istio policy and rules (NOTE: validate is deprecated and will be removed in 1.6. Use 'istioctl analyze' to validate configuration.)

-
istioctl validate -f FILENAME [options] [flags]
+

Examples

+
create --name foo --namespace bar --labels app=foo,bar=baz --ports grpc=3550,http=8080 --annotations annotation=foobar --serviceAccount sa
+
+

istioctl install

+

The install command generates an Istio install manifest and applies it to a cluster.

+
istioctl install [flags]
 
+
+
istioctl apply [flags]
+
@@ -3972,14 +4311,30 @@

istioctl validate

+ + + + + + + + + + - + + + + + + @@ -3992,9 +4347,12 @@

istioctl validate

- - - + + + @@ -4002,38 +4360,2397 @@

istioctl validate

- - - + + + - -
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string> The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--filename <stringSlice> -fNames of files to validate (default `[]`)Path to file containing IstioOperator custom resource +This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--forceProceed even with validation errors.
--istioNamespace <string> Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string> Config namespace (default ``)
--referential-xEnable structural validation for policy and telemetry --readiness-timeout <duration>Maximum time to wait for Istio resources in each component to be ready. (default `5m0s`)
-

Examples

-

-		# Validate bookinfo-gateway.yaml
-		istioctl validate -f bookinfo-gateway.yaml
-		
-		# Validate current deployments under 'default' namespace within the cluster
-		kubectl get deployments -o yaml |istioctl validate -f -
-
-		# Validate current services under 'default' namespace within the cluster
-		kubectl get services -o yaml |istioctl validate -f -
-
-		# Also see the related command 'istioctl analyze'
-		istioctl analyze samples/bookinfo/networking/bookinfo-gateway.yaml
-
-
-

istioctl verify-install

-

- verify-install verifies Istio installation status against the installation file - you specified when you installed Istio. It loops through all the installation - resources defined in your installation file and reports whether all of them are - in ready status. It will report failure when any of them are not ready.

-

If you do not specify installation file it will perform pre-check for your cluster - and report whether the cluster is ready for Istio installation. -

-
istioctl verify-install [flags]
+
+--revision <string>
+-r
+Target control plane revision for the command.  (default ``)
+
+
+--set <stringArray>
+-s
+Override an IstioOperator value, e.g. to choose a profile
+(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.14/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
+
+
+--skip-confirmation
+-y
+The skipConfirmation determines whether the user is prompted for confirmation.
+If set to true, the user is not prompted and a Yes response is assumed in all cases. 
+
+
+--verify
+
+Verify the Istio control plane after installation/in-place upgrade 
+
+
+--vklog <Level>
+
+number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
+
+
+
+

Examples

+
  # Apply a default Istio installation
+  istioctl install
+
+  # Enable Tracing
+  istioctl install --set meshConfig.enableTracing=true
+
+  # Generate the demo profile and don't wait for confirmation
+  istioctl install --set profile=demo --skip-confirmation
+
+  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
+  istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
+
+  # For setting boolean-string option, it should be enclosed quotes and escaped with a backslash (\).
+  istioctl install --set meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_VIA_AGENT=\"false\"
+
+
+

istioctl kube-inject

+

+kube-inject manually injects the Istio sidecar into Kubernetes +workloads. Unsupported resources are left unmodified so it is safe to +run kube-inject over a single file that contains multiple Service, +ConfigMap, Deployment, etc. definitions for a complex application. When in +doubt re-run istioctl kube-inject on deployments to get the most up-to-date changes.

+

It's best to do kube-inject when the resource is initially created. +

+
istioctl kube-inject [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--authority <string>XDS Subject Alternative Name (for example istiod.istio-system.svc) (default ``)
--cert-dir <string>XDS Endpoint certificate directory (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--filename <string>-fInput Kubernetes resource filename (default ``)
--injectConfigFile <string>Injection configuration filename. Cannot be used with --injectConfigMapName (default ``)
--insecureSkip server certificate and domain verification. (NOT SECURE!)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--meshConfigFile <string>Mesh configuration filename. Takes precedence over --meshConfigMapName if set (default ``)
--meshConfigMapName <string>ConfigMap name for Istio mesh configuration, key should be "mesh" (default `istio`)
--namespace <string>-nConfig namespace (default ``)
--operatorFileName <string>Path to file containing IstioOperator custom resources. If configs from files like meshConfigFile, valuesFile are provided, they will be overridden by iop config values. (default ``)
--output <string>-oModified output Kubernetes resource filename (default ``)
--plaintextUse plain-text HTTP/2 when connecting to server (no TLS).
--revision <string>-rControl plane revision (default ``)
--timeout <duration>The duration to wait before failing (default `30s`)
--valuesFile <string>Injection values configuration filename. (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--webhookConfig <string>MutatingWebhookConfiguration name for Istio (default `istio-sidecar-injector`)
--xds-address <string>XDS Endpoint (default ``)
--xds-label <string>Istiod pod label selector (default ``)
--xds-port <int>Istiod pod port (default `15012`)
+

Examples

+
  # Update resources on the fly before applying.
+  kubectl apply -f <(istioctl kube-inject -f <resource.yaml>)
+
+  # Create a persistent version of the deployment with Istio sidecar injected.
+  istioctl kube-inject -f deployment.yaml -o deployment-injected.yaml
+
+  # Update an existing deployment.
+  kubectl get deployment -o yaml | istioctl kube-inject -f - | kubectl apply -f -
+
+  # Capture cluster configuration for later use with kube-inject
+  kubectl -n istio-system get cm istio-sidecar-injector  -o jsonpath="{.data.config}" > /tmp/inj-template.tmpl
+  kubectl -n istio-system get cm istio -o jsonpath="{.data.mesh}" > /tmp/mesh.yaml
+  kubectl -n istio-system get cm istio-sidecar-injector -o jsonpath="{.data.values}" > /tmp/values.json
+
+  # Use kube-inject based on captured configuration
+  istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
+    --injectConfigFile /tmp/inj-template.tmpl \
+    --meshConfigFile /tmp/mesh.yaml \
+    --valuesFile /tmp/values.json
+
+
+

istioctl manifest

+

The manifest command generates and diffs Istio manifests.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

istioctl manifest diff

+

The diff subcommand compares manifests from two files or directories. The output is a list of +changed paths with the value changes shown as OLD-VALUE -> NEW-VALUE. +List order changes are shown as [OLD-INDEX->NEW-INDEX], with ? used where a list item is added or +removed.

+
istioctl manifest diff <file|dir> <file|dir> [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--directory-rCompare directory.
--dry-runConsole/log output only, make no changes.
--ignore <string>Ignore all listed items during comparison, using the same list format as selectResources. (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--rename <string>Rename resources before comparison. +The format of each renaming pair is A->B, all renaming pairs are comma separated. +e.g. Service:*:istiod->Service:*:istio-control - rename istiod service into istio-control (default ``)
--select <string>Constrain the list of resources to compare to only the ones in this list, ignoring all others. +The format of each list item is "::" and the items are comma separated. The "*" character represents wildcard selection. +e.g. + Deployment:istio-system:* - compare all deployments in istio-system namespace + Service:*:istiod - compare Services called "istiod" in all namespaces (default `::`)
--verbose-vVerbose output.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

istioctl manifest generate

+

The generate subcommand generates an Istio install manifest and outputs to the console by default.

+
istioctl manifest generate [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--component <stringSlice>Specify which component to generate manifests for. (default `[]`)
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--filename <stringSlice>-fPath to file containing IstioOperator custom resource +This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--forceProceed even with validation errors.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oManifest output directory path. (default ``)
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile +(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.14/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Generate a default Istio installation
+  istioctl manifest generate
+
+  # Enable Tracing
+  istioctl manifest generate --set meshConfig.enableTracing=true
+
+  # Generate the demo profile
+  istioctl manifest generate --set profile=demo
+
+  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
+  istioctl manifest generate --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
+
+  # For setting boolean-string option, it should be enclosed quotes and escaped with a backslash (\).
+  istioctl manifest generate --set meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_VIA_AGENT=\"false\"
+
+
+

istioctl manifest install

+

The install command generates an Istio install manifest and applies it to a cluster.

+
istioctl manifest install [flags]
+
+
+
istioctl manifest apply [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--filename <stringSlice>-fPath to file containing IstioOperator custom resource +This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--forceProceed even with validation errors.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>-nConfig namespace (default ``)
--readiness-timeout <duration>Maximum time to wait for Istio resources in each component to be ready. (default `5m0s`)
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile +(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.14/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verifyVerify the Istio control plane after installation/in-place upgrade
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Apply a default Istio installation
+  istioctl install
+
+  # Enable Tracing
+  istioctl install --set meshConfig.enableTracing=true
+
+  # Generate the demo profile and don't wait for confirmation
+  istioctl install --set profile=demo --skip-confirmation
+
+  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
+  istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
+
+  # For setting boolean-string option, it should be enclosed quotes and escaped with a backslash (\).
+  istioctl install --set meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_VIA_AGENT=\"false\"
+
+
+

istioctl operator

+

The operator command installs, dumps, removes and shows the status of the operator controller.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

istioctl operator dump

+

The dump subcommand dumps the Istio operator controller manifest.

+
istioctl operator dump [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--hub <string>The hub for the operator controller image. (default `unknown`)
--imagePullSecrets <stringSlice>The imagePullSecrets are used to pull the operator image from the private registry, +could be secret list separated by comma, eg. '--imagePullSecrets imagePullSecret1,imagePullSecret2' (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>-nConfig namespace (default ``)
--operatorNamespace <string>The namespace the operator controller is installed into. (default `istio-operator`)
--output <string>-oOutput format: one of json|yaml (default `yaml`)
--revision <string>-rTarget revision for the operator. (default ``)
--tag <string>The tag for the operator controller image. (default `unknown`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--watchedNamespaces <string>The namespaces the operator controller watches, could be namespace list separated by comma, eg. 'ns1,ns2' (default `istio-system`)
+

istioctl operator init

+

The init subcommand installs the Istio operator controller in the cluster.

+
istioctl operator init [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--filename <string>-fPath to file containing IstioOperator custom resource +This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)
--hub <string>The hub for the operator controller image. (default `unknown`)
--imagePullSecrets <stringSlice>The imagePullSecrets are used to pull the operator image from the private registry, +could be secret list separated by comma, eg. '--imagePullSecrets imagePullSecret1,imagePullSecret2' (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>-nConfig namespace (default ``)
--operatorNamespace <string>The namespace the operator controller is installed into. (default `istio-operator`)
--revision <string>-rTarget revision for the operator. (default ``)
--tag <string>The tag for the operator controller image. (default `unknown`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--watchedNamespaces <string>The namespaces the operator controller watches, could be namespace list separated by comma, eg. 'ns1,ns2' (default `istio-system`)
+

istioctl operator remove

+

The remove subcommand removes the Istio operator controller from the cluster.

+
istioctl operator remove [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--forceProceed even with validation errors.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--operatorNamespace <string>The namespace the operator controller is installed into. (default `istio-operator`)
--revision <string>-rTarget revision for the operator. (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

istioctl options

+

Displays istioctl global options

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

istioctl profile

+

The profile command lists, dumps or diffs Istio configuration profiles.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
istioctl profile list
+istioctl install --set profile=demo  # Use a profile from the list
+
+

istioctl profile diff

+

The diff subcommand displays the differences between two Istio configuration profiles.

+
istioctl profile diff <profile|file1.yaml> <profile|file2.yaml> [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>-nConfig namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Profile diff by providing yaml files
+  istioctl profile diff manifests/profiles/default.yaml manifests/profiles/demo.yaml
+
+  # Profile diff by providing a profile name
+  istioctl profile diff default demo
+
+

istioctl profile dump

+

The dump subcommand dumps the values in an Istio configuration profile.

+
istioctl profile dump [<profile>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--config-path <string>-pThe path the root of the configuration subtree to dump e.g. components.pilot. By default, dump whole tree (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--filename <stringSlice>-fPath to file containing IstioOperator custom resource +This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|flags (default `yaml`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

istioctl profile list

+

The list subcommand lists the available Istio configuration profiles.

+
istioctl profile list [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>-nConfig namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

istioctl proxy-config

+

A group of commands used to retrieve information about proxy configuration from the Envoy config dump

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|short (default `short`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Retrieve information about proxy configuration from an Envoy instance.
+  istioctl proxy-config <clusters|listeners|routes|endpoints|bootstrap|log|secret> <pod-name[.namespace]>
+
+

istioctl proxy-config all

+

Retrieve information about all configuration for the Envoy instance in the specified pod.

+
istioctl proxy-config all [<type>/]<name>[.<namespace>] [flags]
+
+
+
istioctl proxy-config a [<type>/]<name>[.<namespace>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--address <string>Filter listeners by address field (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--direction <string>Filter clusters by Direction field (default ``)
--file <string>-fEnvoy config dump file (default ``)
--fqdn <string>Filter clusters by substring of Service FQDN field (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--name <string>Filter listeners by route name field (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|short (default `short`)
--port <int>Filter clusters and listeners by Port field (default `0`)
--subset <string>Filter clusters by substring of Subset field (default ``)
--type <string>Filter listeners by type field (default ``)
--verboseOutput more information
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Retrieve summary about all configuration for a given pod from Envoy.
+  istioctl proxy-config all <pod-name[.namespace]>
+
+  # Retrieve full cluster dump as JSON
+  istioctl proxy-config all <pod-name[.namespace]> -o json
+
+  # Retrieve full cluster dump with short syntax
+  istioctl pc a <pod-name[.namespace]>
+
+  # Retrieve cluster summary without using Kubernetes API
+  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
+  istioctl proxy-config all --file envoy-config.json
+
+
+

istioctl proxy-config bootstrap

+

Retrieve information about bootstrap configuration for the Envoy instance in the specified pod.

+
istioctl proxy-config bootstrap [<type>/]<name>[.<namespace>] [flags]
+
+
+
istioctl proxy-config b [<type>/]<name>[.<namespace>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|short (default `short`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Retrieve full bootstrap configuration for a given pod from Envoy.
+  istioctl proxy-config bootstrap <pod-name[.namespace]>
+
+  # Retrieve full bootstrap without using Kubernetes API
+  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
+  istioctl proxy-config bootstrap --file envoy-config.json
+
+  # Show a human-readable Istio and Envoy version summary
+  istioctl proxy-config bootstrap -o short
+
+
+

istioctl proxy-config cluster

+

Retrieve information about cluster configuration for the Envoy instance in the specified pod.

+
istioctl proxy-config cluster [<type>/]<name>[.<namespace>] [flags]
+
+
+
istioctl proxy-config clusters [<type>/]<name>[.<namespace>] [flags]
+istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--direction <string>Filter clusters by Direction field (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)
--fqdn <string>Filter clusters by substring of Service FQDN field (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|short (default `short`)
--port <int>Filter clusters by Port field (default `0`)
--subset <string>Filter clusters by substring of Subset field (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Retrieve summary about cluster configuration for a given pod from Envoy.
+  istioctl proxy-config clusters <pod-name[.namespace]>
+
+  # Retrieve cluster summary for clusters with port 9080.
+  istioctl proxy-config clusters <pod-name[.namespace]> --port 9080
+
+  # Retrieve full cluster dump for clusters that are inbound with a FQDN of details.default.svc.cluster.local.
+  istioctl proxy-config clusters <pod-name[.namespace]> --fqdn details.default.svc.cluster.local --direction inbound -o json
+
+  # Retrieve cluster summary without using Kubernetes API
+  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
+  istioctl proxy-config clusters --file envoy-config.json
+
+
+

istioctl proxy-config endpoint

+

Retrieve information about endpoint configuration for the Envoy instance in the specified pod.

+
istioctl proxy-config endpoint [<type>/]<name>[.<namespace>] [flags]
+
+
+
istioctl proxy-config endpoints [<type>/]<name>[.<namespace>] [flags]
+istioctl proxy-config ep [<type>/]<name>[.<namespace>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--address <string>Filter endpoints by address field (default ``)
--cluster <string>Filter endpoints by cluster name field (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|short (default `short`)
--port <int>Filter endpoints by Port field (default `0`)
--status <string>Filter endpoints by status field (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Retrieve full endpoint configuration for a given pod from Envoy.
+  istioctl proxy-config endpoint <pod-name[.namespace]>
+
+  # Retrieve endpoint summary for endpoint with port 9080.
+  istioctl proxy-config endpoint <pod-name[.namespace]> --port 9080
+
+  # Retrieve full endpoint with a address (172.17.0.2).
+  istioctl proxy-config endpoint <pod-name[.namespace]> --address 172.17.0.2 -o json
+
+  # Retrieve full endpoint with a cluster name (outbound|9411||zipkin.istio-system.svc.cluster.local).
+  istioctl proxy-config endpoint <pod-name[.namespace]> --cluster "outbound|9411||zipkin.istio-system.svc.cluster.local" -o json
+  # Retrieve full endpoint with the status (healthy).
+  istioctl proxy-config endpoint <pod-name[.namespace]> --status healthy -ojson
+
+  # Retrieve endpoint summary without using Kubernetes API
+  ssh <user@hostname> 'curl localhost:15000/clusters?format=json' > envoy-clusters.json
+  istioctl proxy-config endpoints --file envoy-clusters.json
+
+
+

istioctl proxy-config listener

+

Retrieve information about listener configuration for the Envoy instance in the specified pod.

+
istioctl proxy-config listener [<type>/]<name>[.<namespace>] [flags]
+
+
+
istioctl proxy-config listeners [<type>/]<name>[.<namespace>] [flags]
+istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--address <string>Filter listeners by address field (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|short (default `short`)
--port <int>Filter listeners by Port field (default `0`)
--type <string>Filter listeners by type field (default ``)
--verboseOutput more information
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Retrieve summary about listener configuration for a given pod from Envoy.
+  istioctl proxy-config listeners <pod-name[.namespace]>
+
+  # Retrieve listener summary for listeners with port 9080.
+  istioctl proxy-config listeners <pod-name[.namespace]> --port 9080
+
+  # Retrieve full listener dump for HTTP listeners with a wildcard address (0.0.0.0).
+  istioctl proxy-config listeners <pod-name[.namespace]> --type HTTP --address 0.0.0.0 -o json
+
+  # Retrieve listener summary without using Kubernetes API
+  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
+  istioctl proxy-config listeners --file envoy-config.json
+
+
+

istioctl proxy-config log

+

(experimental) Retrieve information about logging levels of the Envoy instance in the specified pod, and update optionally

+
istioctl proxy-config log [<type>/]<name>[.<namespace>] [flags]
+
+
+
istioctl proxy-config o [<type>/]<name>[.<namespace>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--level <string>Comma-separated minimum per-logger level of messages to output, in the form of [<logger>:]<level>,[<logger>:]<level>,... where logger can be one of admin, aws, assert, backtrace, client, config, connection, conn_handler, dubbo, file, filter, forward_proxy, grpc, hc, health_checker, http, http2, hystrix, init, io, jwt, kafka, lua, main, misc, mongo, quic, pool, rbac, redis, router, runtime, stats, secret, tap, testing, thrift, tracing, upstream, udp, wasm and level can be one of [trace, debug, info, warning, error, critical, off] (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|short (default `short`)
--reset-rReset levels to default value (warning).
--selector <string>-lLabel selector (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Retrieve information about logging levels for a given pod from Envoy.
+  istioctl proxy-config log <pod-name[.namespace]>
+
+  # Update levels of the all loggers
+  istioctl proxy-config log <pod-name[.namespace]> --level none
+
+  # Update levels of the specified loggers.
+  istioctl proxy-config log <pod-name[.namespace]> --level http:debug,redis:debug
+
+  # Reset levels of all the loggers to default value (warning).
+  istioctl proxy-config log <pod-name[.namespace]> -r
+
+
+

istioctl proxy-config rootca-compare

+

Compare ROOTCA values for given 2 pods to check the connectivity between them.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl proxy-config rootca-compare [pod/]<name-1>[.<namespace-1>] [pod/]<name-2>[.<namespace-2>] [flags]
+
+
+
istioctl proxy-config rc [pod/]<name-1>[.<namespace-1>] [pod/]<name-2>[.<namespace-2>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|short (default `short`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Compare ROOTCA values for given 2 pods to check the connectivity between them.
+  istioctl proxy-config rootca-compare <pod-name-1[.namespace]> <pod-name-2[.namespace]>
+
+

istioctl proxy-config route

+

Retrieve information about route configuration for the Envoy instance in the specified pod.

+
istioctl proxy-config route [<type>/]<name>[.<namespace>] [flags]
+
+
+
istioctl proxy-config routes [<type>/]<name>[.<namespace>] [flags]
+istioctl proxy-config r [<type>/]<name>[.<namespace>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--name <string>Filter listeners by route name field (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|short (default `short`)
--verboseOutput more information
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Retrieve summary about route configuration for a given pod from Envoy.
+  istioctl proxy-config routes <pod-name[.namespace]>
+
+  # Retrieve route summary for route 9080.
+  istioctl proxy-config route <pod-name[.namespace]> --name 9080
+
+  # Retrieve full route dump for route 9080
+  istioctl proxy-config route <pod-name[.namespace]> --name 9080 -o json
+
+  # Retrieve route summary without using Kubernetes API
+  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
+  istioctl proxy-config routes --file envoy-config.json
+
+
+

istioctl proxy-config secret

+

Retrieve information about secret configuration for the Envoy instance in the specified pod.

+

THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

+
istioctl proxy-config secret [<type>/]<name>[.<namespace>] [flags]
+
+
+
istioctl proxy-config secrets [<type>/]<name>[.<namespace>] [flags]
+istioctl proxy-config s [<type>/]<name>[.<namespace>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--output <string>-oOutput format: one of json|yaml|short (default `short`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Retrieve full secret configuration for a given pod from Envoy.
+  istioctl proxy-config secret <pod-name[.namespace]>
+
+  # Retrieve full bootstrap without using Kubernetes API
+  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
+  istioctl proxy-config secret --file envoy-config.json
+
+

istioctl proxy-status

+

+Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in the mesh

+

+
istioctl proxy-status [<type>/]<name>[.<namespace>] [flags]
+
+
+
istioctl ps [<type>/]<name>[.<namespace>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--file <string>-fEnvoy config dump JSON file (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--revision <string>-rControl plane revision (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Retrieve sync status for all Envoys in a mesh
+  istioctl proxy-status
+
+  # Retrieve sync diff for a single Envoy and Istiod
+  istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system
+
+  # Retrieve sync diff between Istiod and one pod under a deployment
+  istioctl proxy-status deployment/productpage-v1
+
+  # Write proxy config-dump to file, and compare to Istio control plane
+  kubectl port-forward -n istio-system istio-egressgateway-59585c5b9c-ndc59 15000 &
+  curl localhost:15000/config_dump > cd.json
+  istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system --file cd.json
+
+
+

istioctl tag

+

Command group used to interact with revision tags. Revision tags allow for the creation of mutable aliases +referring to control plane revisions for sidecar injection.

+

With revision tags, rather than relabeling a namespace from "istio.io/rev=revision-a" to "istio.io/rev=revision-b" to +change which control plane revision handles injection, it's possible to create a revision tag "prod" and label our +namespace "istio.io/rev=prod". The "prod" revision tag could point to "1-7-6" initially and then be changed to point to "1-8-1" +at some later point.

+

This allows operators to change which Istio control plane revision should handle injection for a namespace or set of namespaces +without manual relabeling of the "istio.io/rev" tag. +

+
istioctl tag [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

istioctl tag generate

+

Create a revision tag and output to the command's stdout. Tag an Istio control plane revision for use with namespace istio.io/rev +injection labels.

+
istioctl tag generate <revision-tag> [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--auto-inject-namespacesIf set to true, the sidecars should be automatically injected into all namespaces by default
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>-nConfig namespace (default ``)
--overwriteIf true, allow revision tags to be overwritten, otherwise reject revision tag updates that +overwrite existing revision tags.
--revision <string>-rControl plane revision to reference from a given revision tag (default ``)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--webhook-name <string>Name to use for a revision tag's mutating webhook configuration. (default ``)
+

Examples

+
 # Create a revision tag from the "1-8-0" revision
+ istioctl tag generate prod --revision 1-8-0 > tag.yaml
+
+ # Apply the tag to cluster
+ kubectl apply -f tag.yaml
+
+ # Point namespace "test-ns" at the revision pointed to by the "prod" revision tag
+ kubectl label ns test-ns istio.io/rev=prod
+
+ # Rollout namespace "test-ns" to update workloads to the "1-8-0" revision
+ kubectl rollout restart deployments -n test-ns
+
+
+

istioctl tag list

+

List existing revision tags

+
istioctl tag list [flags]
+
+
+
istioctl tag show [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
istioctl tag list
+
+

istioctl tag remove

+

Remove Istio control plane revision tag.

+

Removing a revision tag should be done with care. Removing a revision tag will disrupt sidecar injection in namespaces +that reference the tag in an "istio.io/rev" label. Verify that there are no remaining namespaces referencing a +revision tag before removing using the "istioctl tag list" command. +

+
istioctl tag remove <revision-tag> [flags]
+
+
+
istioctl tag delete <revision-tag> [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
 # Remove the revision tag "prod"
+	istioctl tag remove prod
+
+
+

istioctl tag set

+

Create or modify revision tags. Tag an Istio control plane revision for use with namespace istio.io/rev +injection labels.

+
istioctl tag set <revision-tag> [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--auto-inject-namespacesIf set to true, the sidecars should be automatically injected into all namespaces by default
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>-nConfig namespace (default ``)
--overwriteIf true, allow revision tags to be overwritten, otherwise reject revision tag updates that +overwrite existing revision tags.
--revision <string>-rControl plane revision to reference from a given revision tag (default ``)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--webhook-name <string>Name to use for a revision tag's mutating webhook configuration. (default ``)
+

Examples

+
 # Create a revision tag from the "1-8-0" revision
+ istioctl tag set prod --revision 1-8-0
+
+ # Point namespace "test-ns" at the revision pointed to by the "prod" revision tag
+ kubectl label ns test-ns istio.io/rev=prod
+
+ # Change the revision tag to reference the "1-8-1" revision
+ istioctl tag set prod --revision 1-8-1 --overwrite
+
+ # Make revision "1-8-1" the default revision, both resulting in that revision handling injection for "istio-injection=enabled"
+ # and validating resources cluster-wide
+ istioctl tag set default --revision 1-8-1
+
+ # Rollout namespace "test-ns" to update workloads to the "1-8-1" revision
+ kubectl rollout restart deployments -n test-ns
+
+
+

istioctl upgrade

+

The upgrade command is an alias for the install command that performs additional upgrade-related checks.

+
istioctl upgrade [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>The name of the kubeconfig context to use (default ``)
--dry-runConsole/log output only, make no changes.
--filename <stringSlice>-fPath to file containing IstioOperator custom resource +This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--forceProceed even with validation errors.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string>-nConfig namespace (default ``)
--readiness-timeout <duration>Maximum time to wait for Istio resources in each component to be ready. (default `5m0s`)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile +(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.14/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verifyVerify the Istio control plane after installation/in-place upgrade
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

istioctl validate

+

Validate Istio policy and rules files

+
istioctl validate -f FILENAME [options] [flags]
 
+
+
istioctl v -f FILENAME [options] [flags]
+
@@ -4049,9 +6766,80 @@

istioctl verify-install

- + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + +
The name of the kubeconfig context to use (default ``)
--enableVerbose--filename <stringSlice>-fNames of files to validate (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--referential-xEnable structural validation for policy and telemetry
--vklog <Level> Enable verbose output number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Validate bookinfo-gateway.yaml
+  istioctl validate -f samples/bookinfo/networking/bookinfo-gateway.yaml
+
+  # Validate bookinfo-gateway.yaml with shorthand syntax
+  istioctl v -f samples/bookinfo/networking/bookinfo-gateway.yaml
+
+  # Validate current deployments under 'default' namespace within the cluster
+  kubectl get deployments -o yaml | istioctl validate -f -
+
+  # Validate current services under 'default' namespace within the cluster
+  kubectl get services -o yaml | istioctl validate -f -
+
+  # Also see the related command 'istioctl analyze'
+  istioctl analyze samples/bookinfo/networking/bookinfo-gateway.yaml
+
+
+

istioctl verify-install

+

+verify-install verifies Istio installation status against the installation file +you specified when you installed Istio. It loops through all the installation +resources defined in your installation file and reports whether all of them are +in ready status. It will report failure when any of them are not ready.

+

If you do not specify an installation it will check for an IstioOperator resource +and will verify if pods and services defined in it are present.

+

Note: For verifying whether your cluster is ready for Istio installation, see +istioctl experimental precheck. +

+
istioctl verify-install [-f <deployment or istio operator file>] [--revision <revision>] [flags]
+
+ + + + + + + + + + + + + @@ -4069,9 +6857,12 @@

istioctl verify-install

- - - + + + @@ -4079,20 +6870,29 @@

istioctl verify-install

- - - + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--filename <stringSlice> Kubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)--manifests <string>-dSpecify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.14.0/manifests) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.14.0/istio-1.14.0-linux-amd64.tar.gz). + (default ``)
--namespace <string> Config namespace (default ``)
--recursive-RProcess the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. --revision <string>-rControl plane revision (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

Examples

-

-		# Verify that Istio can be freshly installed
-		istioctl verify-install
-		
-		# Verify the deployment matches a custom Istio deployment configuration
-		istioctl verify-install -f $HOME/istio.yaml
+
  # Verify that Istio is installed correctly via Istio Operator
+  istioctl verify-install
+
+  # Verify the deployment matches a custom Istio deployment configuration
+  istioctl verify-install -f $HOME/istio.yaml
 
+  # Verify the deployment matches the Istio Operator deployment definition
+  istioctl verify-install --revision <canary>
+
+  # Verify the installation of specific revision
+  istioctl verify-install -r 1-9-0
 

istioctl version

Prints out build version information

@@ -4123,11 +6923,6 @@

istioctl version

Kubernetes configuration file (default ``) ---log_output_level <string> - -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`) - - --namespace <string> -n Config namespace (default ``) @@ -4143,14 +6938,24 @@

istioctl version

Use --remote=false to suppress control plane check +--revision <string> +-r +Control plane revision (default ``) + + --short -s Use --short=false to generate full version information + +--vklog <Level> + +number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) +

Environment variables

-These environment variables affect the behavior of the istioctl command. +These environment variables affect the behavior of the istioctl command. Please use with caution as these environment variables are experimental and can change anytime. @@ -4159,79 +6964,307 @@

Environment variables

- - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - + - - - - + + + + - - - - + + + + + + + + + + - + - + - - + + - - - - + + + + - + - + - + - - + + - + - - + + - - - - + + + + - + - - + + - + @@ -4240,22 +7273,28 @@

Environment variables

- + + + + + + + - - + + - + - + - - - - + + + + @@ -4264,10 +7303,16 @@

Environment variables

- + + + + + + + - + @@ -4276,10 +7321,28 @@

Environment variables

- + + + + + + + + + + + + + + + + + + + - + @@ -4288,6 +7351,42 @@

Environment variables

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -4306,16 +7405,94 @@

Environment variables

+ + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + @@ -4330,28 +7507,52 @@

Environment variables

- - - - + + + + - - - - + + + + + + + + + + - + - - + + - + + + + + + + - + + + + + + + + + + + + + @@ -4360,10 +7561,10 @@

Environment variables

- + - + @@ -4378,10 +7579,64 @@

Environment variables

- + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -4390,10 +7645,46 @@

Environment variables

- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + @@ -4402,16 +7693,58 @@

Environment variables

- - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - +
Default Value Description
AUTO_RELOAD_PLUGIN_CERTSBooleanfalseIf enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.
CERT_SIGNER_DOMAINStringThe cert signer domain info
CLOUD_PLATFORMStringCloud Platform on which proxy is running, if not specified, Istio will try to discover the platform. Valid platform values are aws, azure, gcp, none
CLUSTER_IDStringKubernetesDefines the cluster and service registry that this Istiod instance is belongs to
ENABLE_AUTO_MTLS_CHECK_POLICIESBooleantrueEnable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.
ENABLE_AUTO_SNIBooleanfalseIf enabled, automatically set SNI when `DestinationRules` do not specify the same
ENABLE_CA_SERVERBooleantrueIf this is set to false, will not create CA server in istiod.
ENABLE_DEBUG_ON_HTTPBooleantrueIf this is set to false, the debug interface will not be enabled, recommended for production
ENABLE_LEGACY_FSGROUP_INJECTIONBooleantrueIf true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is "first-party-jwt".
ENABLE_LEGACY_LB_ALGORITHM_DEFAULTBooleanfalseIf enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.
ENABLE_MCS_AUTO_EXPORTBooleanfalseIf enabled, istiod will automatically generate Kubernetes Multi-Cluster Services (MCS) ServiceExport resources for every service in the mesh. Services defined to be cluster-local in MeshConfig are excluded.
ENABLE_MCS_CLUSTER_LOCALBooleanfalseIf enabled, istiod will treat the host `<svc>.<namespace>.svc.cluster.local` as defined by the Kubernetes Multi-Cluster Services (MCS) spec. In this mode, requests to `cluster.local` will be routed to only those endpoints residing within the same cluster as the client. Requires that both ENABLE_MCS_SERVICE_DISCOVERY and ENABLE_MCS_HOST also be enabled.
ENABLE_MCS_HOSTBooleanfalseIf enabled, istiod will configure a Kubernetes Multi-Cluster Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) for each service exported (via ServiceExport) in at least one cluster. Clients must, however, be able to successfully lookup these DNS hosts. That means that either Istio DNS interception must be enabled or an MCS controller must be used. Requires that ENABLE_MCS_SERVICE_DISCOVERY also be enabled.
ENABLE_MCS_SERVICE_DISCOVERYBooleanfalseIf enabled, istiod will enable Kubernetes Multi-Cluster Services (MCS) service discovery mode. In this mode, service endpoints in a cluster will only be discoverable within the same cluster unless explicitly exported via ServiceExport.
ENABLE_MULTICLUSTER_HEADLESSBooleantrueIf true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster.
ENABLE_PROBE_KEEPALIVE_CONNECTIONSBooleanfalseIf enabled, readiness probes will keep the connection from pilot-agent to the application alive. This mirrors older Istio versions' behaviors, but not kubelet's.
ENABLE_TLS_ON_SIDECAR_INGRESSBooleanfalseIf enabled, the TLS configuration on Sidecar.ingress will take effect
ENABLE_WASM_TELEMETRYBooleanfalseIf enabled, Wasm-based telemetry will be enabled.
EXTERNAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
GCP_METADATAStringPipe separated GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE
GCP_QUOTA_PROJECTStringAllows specification of a quota project to be used in requests to GCP APIs.
HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLEDBooleantrue
INJECTION_WEBHOOK_CONFIG_NAMEStringistio-sidecar-injectorName of the mutatingwebhookconfiguration to patch, if istioctl is not used.
ISTIOCONFIGString$HOME/.istioctl/config.yamlDefault values for istioctl flags
ISTIOCTL_AUTHORITYStringThe istioctl --authority override
ISTIOCTL_CERT_DIRStringThe istioctl --cert-dir override
ISTIOCTL_INSECUREBooleanfalseThe istioctl --insecure override
ISTIOCTL_ISTIONAMESPACEStringistio-systemThe istioctl --istioNamespace override
ISTIOCTL_PLAINTEXTBooleanfalseThe istioctl --plaintext override
ISTIOCTL_PREFER_EXPERIMENTALBooleanfalseThe istioctl should use experimental subcommand variants
ISTIOCTL_XDS_ADDRESSStringThe istioctl --xds-address override
ISTIOCTL_XDS_PORTInteger15012The istioctl --xds-port override
ISTIOD_CUSTOM_HOSTStringCustom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas.
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSIONBooleantrueIf enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file.
ISTIO_BOOTSTRAPString
ISTIO_DEFAULT_REQUEST_TIMEOUTTime Duration0sDefault Http and gRPC Request timeout
ISTIO_DELTA_XDSBooleanfalseIf enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
BYPASS_OOP_MTLS_SAN_VERIFICATIONISTIO_GATEWAY_STRIP_HOST_PORT Boolean falseWhether or not to validate SANs for out-of-process adapters auth.If enabled, Gateway will remove any port from host/authority header before any processing of request by HTTP filters or routing.
GKE_CLUSTER_URLStringThe url of GKE clusterISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
INGRESS_GATEWAY_FALLBACK_SECRETStringgateway-fallbackISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
ISTIO_MULTIROOT_MESHBooleanfalseIf enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS
INGRESS_GATEWAY_NAMESPACEISTIO_PROMETHEUS_ANNOTATIONS String
ISTIOD_ADDRJWT_POLICY StringService name of istiod. If empty the istiod listener, certs will be disabled.third-party-jwtThe JWT validation policy.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.K8S_INGRESS_NSString
ISTIO_LANGK_REVISION String Selects the attribute expression language runtime for Mixer.KNative revision, set if running in knative
K8S_INGRESS_NSMCS_API_GROUP Stringmulticluster.x-k8s.ioThe group to be used for the Kubernetes Multi-Cluster Services (MCS) API.
NAMESPACEMCS_API_VERSION Stringistio-systemnamespace that nodeagent/citadel run inv1alpha1The version to be used for the Kubernets Multi-Cluster Services (MCS) API.
PILOT_BLOCK_HTTP_ON_443BooleantrueIf enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external trafficPILOT_ANALYSIS_INTERVALTime Duration10sIf analysis is enabled, pilot will run istio analyzers using this value as interval in seconds Istio Resources
PILOT_CERT_DIRPILOT_CERT_PROVIDER StringistiodThe provider of Pilot DNS certificate.
PILOT_DEBOUNCE_AFTER Time Duration 100msThe delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.The delay added to config/registry events for debouncing. This will delay the push by at least this interval. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAX The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DEBUG_ADSZ_CONFIGPILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_ENABLE_ALPN_FILTER BooleanfalsetrueIf true, pilot will add Istio ALPN filters, required for proper protocol sniffing.
PILOT_DISABLE_XDS_MARSHALING_TO_ANYPILOT_ENABLE_ANALYSIS Boolean falseIf enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.PILOT_ENABLE_CDS_CACHEBooleantrueIf true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CRD_VALIDATIONPILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRYBooleantrueIf enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.
PILOT_ENABLE_DESTINATION_RULE_INHERITANCE Boolean falseIf enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.If set, workload specific DestinationRules will inherit configurations settings from mesh and namespace level rules
PILOT_ENABLE_EDS_DEBOUNCE If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_FALLTHROUGH_ROUTEPILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_GATEWAY_APIBooleantrueIf this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLERBooleantrueIf this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc
PILOT_ENABLE_GATEWAY_API_STATUS Boolean trueEnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.If this is set to true, gateway-api resources will have status written to them
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_INBOUND_PASSTHROUGHBooleantrueIf enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.
PILOT_ENABLE_ISTIO_TAGSBooleantrueDetermines whether or not trace spans generated by Envoy will include Istio-specific tags.
PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGHBooleanfalseIf enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.
PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAMEBooleanfalseIf enabled, Gateway's with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.
PILOT_ENABLE_METADATA_EXCHANGEBooleantrueIf true, pilot will add metadata exchange filters, which will be consumed by telemetry filter.
PILOT_ENABLE_MONGO_FILTERBooleantrueEnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain.
PILOT_ENABLE_MYSQL_FILTER Boolean false If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_QUIC_LISTENERSBooleanfalseIf true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP)
PILOT_ENABLE_RDS_CACHEBooleantrueIf true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_REDIS_FILTER Boolean false EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_UNSAFE_REGEXPILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATIONBooleantrueIf true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization.
PILOT_ENABLE_SERVICEENTRY_SELECT_PODSBooleantrueIf enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter.
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATIONBooleantrueEnables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKSBooleantrueEnables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup
PILOT_ENABLE_XDS_CACHEBooleantrueIf true, Pilot will cache XDS responses.
PILOT_ENABLE_XDS_IDENTITY_CHECKBooleantrueIf enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.
PILOT_ENDPOINT_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.
PILOT_ENVOY_FILTER_STATSBooleanfalseIf true, Pilot will collect metrics for envoy filter operations.
PILOT_FILTER_GATEWAY_CLUSTER_CONFIG Boolean falseIf enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
PILOT_FLOW_CONTROL_TIMEOUTTime Duration15sIf set, the max amount of time to delay a push by. Depends on PILOT_ENABLE_FLOW_CONTROL.
PILOT_HTTP10 Protocol detection timeout for inbound listener
PILOT_INITIAL_FETCH_TIMEOUTTime Duration0sSpecifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONSStringComma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication.Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), `clientKey`, `clientCertificate`, `tokenFile`, and `exec`.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushesPILOT_JWT_ENABLE_REMOTE_JWKSBooleanfalseIf enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL and configures remote Jwks to let Envoy fetch the Jwks instead of Istiod.
PILOT_JWT_PUB_KEY_REFRESH_INTERVALTime Duration20m0sThe interval for istiod to fetch the jwks_uri for the jwks public key.
PILOT_RESPECT_DNS_TTLPILOT_LEGACY_INGRESS_BEHAVIOR BooleantrueIf enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.falseIf this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.
PILOT_RESTRICT_POD_UP_TRAFFIC_LOOPPILOT_MAX_REQUESTS_PER_SECONDFloating-Point25Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.
PILOT_PARTIAL_FULL_PUSHES Boolean trueIf enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future.If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
PILOT_REMOTE_CLUSTER_TIMEOUTTime Duration30sAfter this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior.
PILOT_SCOPE_GATEWAY_TO_NAMESPACE If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SCOPE_PUSHESPILOT_SEND_UNHEALTHY_ENDPOINTS Boolean trueIf enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.If enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing.
PILOT_SIDECAR_USE_REMOTE_ADDRESS Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_TRACE_SAMPLINGPILOT_STATUS_BURSTInteger500If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_MAX_WORKERSInteger100The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments.
PILOT_STATUS_QPS Floating-Point 100Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PILOT_STATUS_UPDATE_INTERVALTime Duration500msInterval to update the XDS distribution status.
PILOT_TRACE_SAMPLINGFloating-Point1Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0.
PILOT_USE_ENDPOINT_SLICEBooleanfalseIf enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
PILOT_WORKLOAD_ENTRY_GRACE_PERIODTime Duration10sThe amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.
PILOT_XDS_CACHE_SIZEInteger60000The maximum number of cache entries for the XDS cache.
PILOT_XDS_CACHE_STATSBooleanfalseIf true, Pilot will collect metrics for XDS cache efficiency.
PILOT_XDS_SEND_TIMEOUTTime Duration0sThe timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
POD_NAME
SECRET_WATCHER_RESYNC_PERIODPRIORITIZED_LEADER_ELECTIONBooleantrueIf enabled, the default revision will steal leader locks from non-default revisions
REQUIRE_3P_TOKENBooleanfalseReject k8s default tokens, without audience. If false, default K8S token will be accepted
RESOLVE_HOSTNAME_GATEWAYSBooleantrueIf true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways.
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATIONBooleanfalseIf enabled, readiness probes will be sent to 'localhost'. Otherwise, they will be sent to the Pod's IP, matching Kubernetes' behavior.
REWRITE_TCP_PROBESBooleantrueIf false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.
SHARED_MESH_CONFIG String Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.
SPIFFE_BUNDLE_ENDPOINTSStringThe SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar
TERM Specifies terminal type. Use 'dumb' to suppress color output
TERMINATION_DRAIN_DURATION_SECONDSInteger5The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.TOKEN_AUDIENCESStringistio-caA list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences
UNSAFE_ENABLE_ADMIN_ENDPOINTSBooleanfalseIf this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.
UNSAFE_PILOT_ENABLE_DELTA_TESTBooleanfalseIf enabled, addition runtime tests for Delta XDS efficiency are added. These checks are extremely expensive, so this should be used only for testing, not production.
UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONSBooleanfalseIf enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing.
VALIDATION_WEBHOOK_CONFIG_NAMEStringistio-istio-systemName of the validatingwebhookconfiguration to patch. Empty will skip using cluster admin to patch.
VERIFY_CERTIFICATE_AT_CLIENTBooleanfalseIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
VERIFY_SDS_CERTIFICATEBooleantrueIf enabled, certificates fetched from SDS server will be verified before sending back to proxy.
XDS_AUTHBooleantrueIf true, will authenticate XDS clients.
USE_ISTIO_JWT_FILTERXDS_AUTH_PLAINTEXT Boolean falseUse the Istio JWT filter for JWT token verification.Authenticate plain text requests - used if Istiod is behind a gateway handling TLS
@@ -4421,61 +7754,32 @@

Exported metrics

Metric NameTypeDescription +auto_registration_deletes_totalSumTotal number of auto registration cleaned up by periodic timer. +auto_registration_errors_totalSumTotal number of auto registration errors. +auto_registration_success_totalSumTotal number of successful auto registrations. +auto_registration_unregister_totalSumTotal number of unregistrations. +auto_registration_updates_totalSumTotal number of auto registration updates. +cache_flush_totalSumnumber of times operator cache was flushed +controller_sync_errors_totalSumTotal number of errorMetric syncing controllers. +cr_deletion_totalSumNumber of IstioOperator CR deleted +cr_merge_failure_totalSumNumber of IstioOperator CR merge failures +cr_validation_error_totalSumNumber of IstioOperator CR validation failures endpoint_no_podLastValueEndpoints without an associated pod. -galley_runtime_processor_event_span_duration_millisecondsDistributionThe duration between each incoming event -galley_runtime_processor_events_processed_totalCountThe number of events that have been processed -galley_runtime_processor_snapshot_events_totalDistributionThe number of events per snapshot -galley_runtime_processor_snapshot_lifetime_duration_millisecondsDistributionThe duration of each snapshot -galley_runtime_processor_snapshots_published_totalCountThe number of snapshots that have been published -galley_runtime_state_type_instances_totalLastValueThe number of type instances per type URL -galley_runtime_strategy_on_change_totalCountThe number of times the strategy's onChange has been called -galley_runtime_strategy_timer_max_time_reached_totalCountThe number of times the max time has been reached -galley_runtime_strategy_timer_quiesce_reached_totalCountThe number of times a quiesce has been reached -galley_runtime_strategy_timer_resets_totalCountThe number of times the timer has been reset -galley_source_kube_dynamic_converter_failure_totalCountThe number of times a dynamnic kubernetes source failed converting a resources 
-galley_source_kube_dynamic_converter_success_totalCountThe number of times a dynamic kubernetes source successfully converted a resource -galley_source_kube_event_error_totalCountThe number of times a kubernetes source encountered errored while handling an event -galley_source_kube_event_success_totalCountThe number of times a kubernetes source successfully handled an event +galley_validation_config_delete_errorCountk8s webhook configuration delete error +galley_validation_config_loadCountk8s webhook configuration (re)loads +galley_validation_config_load_errorCountk8s webhook configuration (re)load error +galley_validation_config_update_errorCountk8s webhook configuration update error +galley_validation_config_updatesCountk8s webhook configuration updates +get_cr_error_totalSumNumber of times fetching CR from apiserver failed istio_buildLastValueIstio component build info -istio_mcp_clients_totalLastValueThe number of streams currently connected. -istio_mcp_message_sizes_bytesDistributionSize of messages received from clients. -istio_mcp_reconnectionsSumThe number of times the sink has reconnected. -istio_mcp_recv_failures_totalSumThe number of recv failures in the source. -istio_mcp_request_acks_totalSumThe number of request acks received by the source. -istio_mcp_request_nacks_totalSumThe number of request nacks received by the source. -istio_mcp_send_failures_totalSumThe number of send failures in the source. -mixer_config_adapter_info_config_errors_totalLastValueThe number of errors encountered during processing of the adapter info configuration. -mixer_config_adapter_info_configs_totalLastValueThe number of known adapters in the current config. -mixer_config_attributes_totalLastValueThe number of known attributes in the current config. -mixer_config_handler_configs_totalLastValueThe number of known handlers in the current config. -mixer_config_handler_validation_error_totalLastValueThe number of errors encountered because handler validation returned error. 
-mixer_config_instance_config_errors_totalLastValueThe number of errors encountered during processing of the instance configuration. -mixer_config_instance_configs_totalLastValueThe number of known instances in the current config. -mixer_config_rule_config_errors_totalLastValueThe number of errors encountered during processing of the rule configuration. -mixer_config_rule_config_match_error_totalLastValueThe number of rule conditions that was not parseable. -mixer_config_rule_configs_totalLastValueThe number of known rules in the current config. -mixer_config_template_config_errors_totalLastValueThe number of errors encountered during processing of the template configuration. -mixer_config_template_configs_totalLastValueThe number of known templates in the current config. -mixer_config_unsatisfied_action_handler_totalLastValueThe number of actions that failed due to handlers being unavailable. -mixer_dispatcher_destinations_per_requestDistributionNumber of handlers dispatched per request by Mixer -mixer_dispatcher_destinations_per_variety_totalLastValueNumber of Mixer adapter destinations by template variety type -mixer_dispatcher_instances_per_requestDistributionNumber of instances created per request by Mixer -mixer_handler_closed_handlers_totalLastValueThe number of handlers that were closed during config transition. -mixer_handler_daemons_totalLastValueThe current number of active daemon routines in a given adapter environment. -mixer_handler_handler_build_failures_totalLastValueThe number of handlers that failed creation during config transition. -mixer_handler_handler_close_failures_totalLastValueThe number of errors encountered while closing handlers during config transition. -mixer_handler_new_handlers_totalLastValueThe number of handlers that were newly created during config transition. -mixer_handler_reused_handlers_totalLastValueThe number of handlers that were re-used during config transition. 
-mixer_handler_workers_totalLastValueThe current number of active worker routines in a given adapter environment. -mixer_runtime_dispatch_duration_secondsDistributionDuration in seconds for adapter dispatches handled by Mixer. -mixer_runtime_dispatches_totalCountTotal number of adapter dispatches handled by Mixer. -num_failed_outgoing_requestsSumNumber of failed outgoing requests (e.g. to a token exchange server, CA, etc.) -num_outgoing_requestsSumNumber of total outgoing requests (e.g. to a token exchange server, CA, etc.) +istiod_managed_clustersLastValueNumber of clusters managed by istiod +legacy_path_translation_totalSumNumber of times a legacy API path is translated +manifest_patch_error_totalSumNumber of times K8S patch overlays failed +manifest_render_error_totalSumNumber of times error occurred during rendering output manifest num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.) -outgoing_latencySumThe latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds. +owned_resource_totalLastValueNumber of resources currently owned by the operator pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners. pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener. -pilot_conflict_outbound_listener_http_over_httpsLastValueNumber of conflicting HTTP listeners with well known HTTPS ports pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener. pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener. pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host @@ -4483,17 +7787,17 @@

Exported metrics

pilot_eds_no_instancesLastValueNumber of clusters without instances. pilot_endpoint_not_readyLastValueEndpoint found in unready state. pilot_inbound_updatesSumTotal number of updates received by pilot. -pilot_invalid_out_listenersLastValueNumber of invalid outbound listeners. pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver pilot_k8s_cfg_eventsSumEvents from k8s config. +pilot_k8s_endpoints_pending_podLastValueNumber of endpoints that do not currently have any corresponding pods. pilot_k8s_endpoints_with_no_podsSumEndpoints that does not have any corresponding pods. -pilot_k8s_object_errorsLastValueErrors converting k8s CRDs pilot_k8s_reg_eventsSumEvents from k8s registry. pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid. pilot_proxy_convergence_timeDistributionDelay in seconds between config change and a proxy receiving all required configuration. pilot_proxy_queue_timeDistributionTime in seconds, a proxy is in the push queue before being dequeued. -pilot_rds_expired_nonceSumTotal number of RDS messages with an expired nonce. +pilot_push_triggersSumTotal number of times a push was triggered, labeled by reason for the push. +pilot_sds_certificate_errors_totalSumTotal number of failures to fetch SDS key and certificate. pilot_servicesLastValueTotal services known to pilot. pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore. pilot_total_xds_internal_errorsSumTotal number of internal XDS errors in pilot. @@ -4502,23 +7806,42 @@

Exported metrics

pilot_vservice_dup_domainLastValueVirtual services with dup domains. pilot_xdsLastValueNumber of endpoints connected to this pilot using XDS. pilot_xds_cds_rejectLastValuePilot rejected CDS configs. -pilot_xds_eds_all_locality_endpointsLastValueNetwork endpoints for each cluster(across all localities), as of last push. Zero endpoints is an error. -pilot_xds_eds_instancesLastValueInstances for each cluster(grouped by locality), as of last push. Zero instances is an error. +pilot_xds_config_size_bytesDistributionDistribution of configuration sizes pushed to clients +pilot_xds_delayed_push_timeouts_totalSumTotal number of XDS pushes that are delayed and timed out +pilot_xds_delayed_pushes_totalSumTotal number of XDS pushes that are delayed. pilot_xds_eds_rejectLastValuePilot rejected EDS. +pilot_xds_expired_nonceSumTotal number of XDS requests with an expired nonce. pilot_xds_lds_rejectLastValuePilot rejected LDS. pilot_xds_push_context_errorsSumNumber of errors (timeouts) initiating push context. pilot_xds_push_timeDistributionTotal time in seconds Pilot takes to push lds, rds, cds and eds. pilot_xds_pushesSumPilot build and send errors for lds, rds, cds and eds. pilot_xds_rds_rejectLastValuePilot rejected RDS. +pilot_xds_send_timeDistributionTotal time in seconds Pilot takes to send generated configuration. pilot_xds_write_timeoutSumPilot XDS response write timeouts. -sidecar_injection_failure_totalSumTotal number of failed Side car injection requests. -sidecar_injection_requests_totalSumTotal number of Side car injection requests. -sidecar_injection_skip_totalSumTotal number of skipped injection requests. -sidecar_injection_success_totalSumTotal number of successful Side car injection requests. -total_active_connectionsSumThe total number of active SDS connections. -total_push_errorsSumThe total number of failed SDS pushes. -total_pushesSumThe total number of SDS pushes. 
-total_secret_update_failuresSumThe total number of dynamic secret update failures reported by proxy. -total_stale_connectionsSumThe total number of stale SDS connections. +remote_cluster_sync_timeouts_totalSumNumber of times remote clusters took too long to sync, causing slow startup that excludes remote clusters. +render_manifest_totalSumNumber of component manifests rendered +resource_creation_totalSumNumber of resources created by the operator +resource_deletion_totalSumNumber of resources deleted by the operator +resource_prune_totalSumNumber of resources pruned by the operator +resource_update_totalSumNumber of resources updated by the operator +scrape_failures_totalSumThe total number of failed scrapes. +scrapes_totalSumThe total number of scrapes. +sidecar_injection_failure_totalSumTotal number of failed sidecar injection requests. +sidecar_injection_requests_totalSumTotal number of sidecar injection requests. +sidecar_injection_skip_totalSumTotal number of skipped sidecar injection requests. +sidecar_injection_success_totalSumTotal number of successful sidecar injection requests. +startup_duration_secondsLastValueThe time from the process starting to being marked ready. +versionLastValueVersion of operator binary +wasm_cache_entriesLastValuenumber of Wasm remote fetch cache entries. +wasm_cache_lookup_countSumnumber of Wasm remote fetch cache lookups. +wasm_config_conversion_countSumnumber of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint. +wasm_config_conversion_durationDistributionTotal time in milliseconds istio-agent spends on converting remote load in Wasm config. +wasm_remote_fetch_countSumnumber of Wasm remote fetches and results, including success, download failure, and checksum mismatch. 
+webhook_patch_attempts_totalSumWebhook patching attempts +webhook_patch_failures_totalSumWebhook patching total failures +webhook_patch_retries_totalSumWebhook patching retries +xds_cache_evictionsSumTotal number of xds cache evictions. +xds_cache_readsSumTotal number of xds cache xdsCacheReads. +xds_cache_sizeLastValueCurrent size of xds cache diff --git a/content/zh/docs/reference/commands/mixs/index.html b/content/zh/docs/reference/commands/mixs/index.html deleted file mode 100644 index 9abb403425bf6..0000000000000 --- a/content/zh/docs/reference/commands/mixs/index.html +++ /dev/null @@ -1,411 +0,0 @@ ---- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO -source_repo: https://github.com/istio/istio -title: mixs -description: Mixer is Istio's abstraction on top of infrastructure backends. -generator: pkg-collateral-docs -number_of_entries: 5 -max_toc_level: 2 -remove_toc_prefix: 'mixs ' ---- -

Mixer is Istio's point of integration with infrastructure backends and is the -nexus for policy evaluation and telemetry reporting.

-

mixs probe

-

Check the liveness or readiness of a locally-running server

-
mixs probe [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--interval <duration>Duration used for checking the target file's last modified time. (default `0s`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--probe-path <string>Path of the file for checking the availability. (default ``)
-

mixs server

-

Starts Mixer as a server

-
mixs server [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--adapterWorkerPoolSize <int>Max number of goroutines in the adapter worker pool (default `1024`)
--address <string>Address to use for Mixer's gRPC API, e.g. tcp://127.0.0.1:9092 or unix:///path/to/file (default ``)
--apiWorkerPoolSize <int>Max number of goroutines in the API worker pool (default `1024`)
--averageLatencyThreshold <duration>Maximum average response time supported by the server. When this limit is exceeded, the server will drop traffic. (default `0s`)
--burstSize <int>Number of requests that are permitted beyond the configured maximum for a period of time. Only valid when used with 'maxRequestsPerSecond'. (default `0`)
--caCertFile <string>The location of the certificate file for the root certificate authority (default `/etc/certs/root-cert.pem`)
--certFile <string>The location of the certificate file for mutual TLS (default `/etc/certs/cert-chain.pem`)
--configDefaultNamespace <string>Namespace used to store mesh wide configuration. (default `istio-system`)
--configStoreURL <string>URL of the config store. Use k8s://path_to_kubeconfig, fs:// for file system, or mcps://<address> for MCP/Galley. If path_to_kubeconfig is empty, in-cluster kubeconfig is used. (default ``)
--configWaitTimeout <duration>Timeout until the initial set of configurations are received, before declaring as ready. (default `2m0s`)
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--keyFile <string>The location of the key file for mutual TLS (default `/etc/certs/key.pem`)
--latencyEnforcementThreshold <ratelimit>Controls the threshold, in requests per second, above which the average latency threshold will be enforced for load-shedding (default `100`)
--latencySampleHalflife <duration>Decay rate of samples in calculation of average response latency. (default `1s`)
--latencySamplesPerSecond <ratelimit>Controls the frequency at which the server will sample response times to calculate the average response latency. (default `1.7976931348623157e+308`)
--livenessProbeInterval <duration>Interval of updating file for the liveness probe. (default `0s`)
--livenessProbePath <string>Path to the file for the liveness probe. (default ``)
--loadsheddingMode <throttlermode>When enabled, the server will log violations but will not enforce load limits. (default `disabled`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--maxConcurrentStreams <uint>Maximum number of outstanding RPCs per connection (default `1024`)
--maxMessageSize <uint>Maximum size of individual gRPC messages (default `1048576`)
--maxRequestsPerSecond <ratelimit>Maximum requests per second supported by the server. Any requests above this limit will be dropped. (default `0`)
--monitoringPort <uint16>HTTP port to use for Mixer self-monitoring information (default `15014`)
--numCheckCacheEntries <int32>Max number of entries in the check result cache (default `1500000`)
--port <uint16>-pTCP port to use for Mixer's gRPC API, if the address option is not specified (default `9091`)
--profileEnable profiling via web interface host:port/debug/pprof
--readinessProbeInterval <duration>Interval of updating file for the readiness probe. (default `0s`)
--readinessProbePath <string>Path to the file for the readiness probe. (default ``)
--singleThreadedIf true, each request to Mixer will be executed in a single go routine (useful for debugging)
--trace_jaeger_url <string>URL of Jaeger HTTP collector (example: 'http://jaeger:14268/api/traces?format=jaeger.thrift'). (default ``)
--trace_log_spansWhether or not to log trace spans.
--trace_sampling_rate <float>Sampling rate for generating trace data. Must be a value in the range [0.0, 1.0]. (default `0`)
--trace_zipkin_url <string>URL of Zipkin collector (example: 'http://zipkin:9411/api/v1/spans'). (default ``)
--useAdapterCRDsWhether or not to allow configuration of Mixer via adapter-specific CRDs
--useTemplateCRDsWhether or not to allow configuration of Mixer via template-specific CRDs
-

mixs version

-

Prints out build version information

-
mixs version [flags]
-
- - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
-

Environment variables

-These environment variables affect the behavior of the mixs command. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Variable NameTypeDefault ValueDescription
BYPASS_OOP_MTLS_SAN_VERIFICATIONBooleanfalseWhether or not to validate SANs for out-of-process adapters auth.
ISTIO_LANGStringSelects the attribute expression language runtime for Mixer.
KUBECONFIGStringPath for a kubeconfig file.
POD_NAMESPACEStringistio-systemNamespace for the Mixer pod (Downward API).
-

Exported metrics

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Metric NameTypeDescription
istio_buildLastValueIstio component build info
istio_mcp_clients_totalLastValueThe number of streams currently connected.
istio_mcp_message_sizes_bytesDistributionSize of messages received from clients.
istio_mcp_reconnectionsSumThe number of times the sink has reconnected.
istio_mcp_recv_failures_totalSumThe number of recv failures in the source.
istio_mcp_request_acks_totalSumThe number of request acks received by the source.
istio_mcp_request_nacks_totalSumThe number of request nacks received by the source.
istio_mcp_send_failures_totalSumThe number of send failures in the source.
mixer_config_adapter_info_config_errors_totalLastValueThe number of errors encountered during processing of the adapter info configuration.
mixer_config_adapter_info_configs_totalLastValueThe number of known adapters in the current config.
mixer_config_attributes_totalLastValueThe number of known attributes in the current config.
mixer_config_handler_configs_totalLastValueThe number of known handlers in the current config.
mixer_config_handler_validation_error_totalLastValueThe number of errors encountered because handler validation returned error.
mixer_config_instance_config_errors_totalLastValueThe number of errors encountered during processing of the instance configuration.
mixer_config_instance_configs_totalLastValueThe number of known instances in the current config.
mixer_config_rule_config_errors_totalLastValueThe number of errors encountered during processing of the rule configuration.
mixer_config_rule_config_match_error_totalLastValueThe number of rule conditions that was not parseable.
mixer_config_rule_configs_totalLastValueThe number of known rules in the current config.
mixer_config_template_config_errors_totalLastValueThe number of errors encountered during processing of the template configuration.
mixer_config_template_configs_totalLastValueThe number of known templates in the current config.
mixer_config_unsatisfied_action_handler_totalLastValueThe number of actions that failed due to handlers being unavailable.
mixer_dispatcher_destinations_per_requestDistributionNumber of handlers dispatched per request by Mixer
mixer_dispatcher_destinations_per_variety_totalLastValueNumber of Mixer adapter destinations by template variety type
mixer_dispatcher_instances_per_requestDistributionNumber of instances created per request by Mixer
mixer_handler_closed_handlers_totalLastValueThe number of handlers that were closed during config transition.
mixer_handler_daemons_totalLastValueThe current number of active daemon routines in a given adapter environment.
mixer_handler_handler_build_failures_totalLastValueThe number of handlers that failed creation during config transition.
mixer_handler_handler_close_failures_totalLastValueThe number of errors encountered while closing handlers during config transition.
mixer_handler_new_handlers_totalLastValueThe number of handlers that were newly created during config transition.
mixer_handler_reused_handlers_totalLastValueThe number of handlers that were re-used during config transition.
mixer_handler_workers_totalLastValueThe current number of active worker routines in a given adapter environment.
mixer_loadshedding_predicted_cost_shed_totalSumThe total predicted cost of all requests that have been dropped.
mixer_loadshedding_requests_throttledSumThe number of requests that have been dropped by the loadshedder.
mixer_runtime_dispatch_duration_secondsDistributionDuration in seconds for adapter dispatches handled by Mixer.
mixer_runtime_dispatches_totalCountTotal number of adapter dispatches handled by Mixer.
diff --git a/content/zh/docs/reference/commands/node_agent/index.html b/content/zh/docs/reference/commands/node_agent/index.html deleted file mode 100644 index 0e8218d78b506..0000000000000 --- a/content/zh/docs/reference/commands/node_agent/index.html +++ /dev/null @@ -1,178 +0,0 @@ ---- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO -source_repo: https://github.com/istio/istio -title: node_agent -description: Istio security per-node agent. -generator: pkg-collateral-docs -number_of_entries: 3 -max_toc_level: 2 -remove_toc_prefix: 'node_agent ' ---- -

Istio security per-node agent.

-
node_agent [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--ca-address <string>Istio CA address (default `istio-citadel:8060`)
--cert-chain <string>Node Agent identity cert file (default `/etc/certs/cert-chain.pem`)
--env <string>Node Environment : unspecified | onprem | gcp | aws (default `unspecified`)
--experimental-dual-useEnable dual-use mode. Generates certificates with a CommonName identical to the SAN.
--key <string>Node Agent private key file (default `/etc/certs/key.pem`)
--key-size <int>Size of generated private key (default `2048`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include called information, scopes can be any of [default] (default ``)
--log_output_level <string>The minimum logging level of messages to output, can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>The minimum logging level at which stack traces are captured, can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--org <string>Organization for the cert (default ``)
--platform <string>The platform istio runs on: vm | k8s (default `vm`)
--root-cert <string>Root Certificate file (default `/etc/certs/root-cert.pem`)
--workload-cert-ttl <duration>The requested TTL for the workload (default `2160h0m0s`)
-

node_agent version

-

Prints out build version information

-
node_agent version [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include called information, scopes can be any of [default] (default ``)
--log_output_level <string>The minimum logging level of messages to output, can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>The minimum logging level at which stack traces are captured, can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
-

Exported metrics

- - - - - - - -
Metric NameTypeDescription
istio_buildLastValueIstio component build info
diff --git a/content/zh/docs/reference/commands/operator/index.html b/content/zh/docs/reference/commands/operator/index.html index 377764bb7f78a..2fb1c99ae9c0c 100644 --- a/content/zh/docs/reference/commands/operator/index.html +++ b/content/zh/docs/reference/commands/operator/index.html @@ -333,6 +333,12 @@

Environment variables

Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT. +ENABLE_AUTO_SNI +Boolean +false +If enabled, automatically set SNI when `DestinationRules` do not specify the same + + ENABLE_CA_SERVER Boolean true @@ -438,7 +444,7 @@

Environment variables

ISTIOD_CUSTOM_HOST String -Custom host name of istiod that istiod signs the server cert. +Custom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas. ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSION @@ -762,7 +768,7 @@

Environment variables

PILOT_FILTER_GATEWAY_CLUSTER_CONFIG Boolean false - +If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway PILOT_FLOW_CONTROL_TIMEOUT diff --git a/content/zh/docs/reference/commands/pilot-agent/index.html b/content/zh/docs/reference/commands/pilot-agent/index.html index e07f6605c182c..438730e183462 100644 --- a/content/zh/docs/reference/commands/pilot-agent/index.html +++ b/content/zh/docs/reference/commands/pilot-agent/index.html @@ -4,7 +4,7 @@ title: pilot-agent description: Istio Pilot agent. generator: pkg-collateral-docs -number_of_entries: 5 +number_of_entries: 13 max_toc_level: 2 remove_toc_prefix: 'pilot-agent ' --- 
@@ -23,11 +23,11 @@ --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -47,18 +47,22 @@ --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) + +--vklog <Level> +number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) + -

pilot-agent proxy

-

Envoy proxy agent

-
pilot-agent proxy [flags]
-
+

pilot-agent completion

+

Generate the autocompletion script for pilot-agent for the specified shell. +See each sub-command's help for details on how to use the generated script. +

@@ -68,100 +72,145 @@

pilot-agent proxy

- - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + + +
--binaryPath <string>Path to the proxy binary (default `/usr/local/bin/envoy`)--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--concurrency <int>number of worker threads to run (default `0`)--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
--configPath <string>Path to the generated configuration file directory (default `/etc/istio/proxy`)--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--connectTimeout <duration>Connection timeout used by Envoy for supporting services (default `1s`)--log_rotate <string>The path for the optional rotating log file (default ``)
--controlPlaneAuthPolicy <string>Control Plane Authentication Policy (default `NONE`)--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--controlPlaneBootstrapProcess bootstrap provided via templateFile to be used by control plane components. --log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--customConfigFile <string>Path to the custom configuration file (default ``)--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--datadogAgentAddress <string>Address of the Datadog Agent (default ``)--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--disableInternalTelemetryDisable internal telemetry --log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--discoveryAddress <string>Address of the discovery service exposing xDS (e.g. istio-pilot:8080) (default `istio-pilot:15010`)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-agent completion bash

+

Generate the autocompletion script for the bash shell.

+

This script depends on the 'bash-completion' package. +If it is not installed already, you can install it via your OS's package manager.

+

To load completions in your current shell session:

+

source <(pilot-agent completion bash)

+

To load completions for every new session, execute once:

+

#### Linux:

+

pilot-agent completion bash > /etc/bash_completion.d/pilot-agent

+

#### macOS:

+

pilot-agent completion bash > /usr/local/etc/bash_completion.d/pilot-agent

+

You will need to start a new shell for this setup to take effect. +

+
pilot-agent completion bash
+
+ + - - + + + + - - + + + + + + + + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + + +
--dnsRefreshRate <string>The dns_refresh_rate for bootstrap STRICT_DNS clusters (default `300s`)FlagsDescription
--domain <string>DNS domain suffix. If not provided uses ${POD_NAMESPACE}.svc.cluster.local (default ``)--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--drainDuration <duration>The time in seconds that Envoy will drain connections during a hot restart (default `45s`)--log_rotate <string>The path for the optional rotating log file (default ``)
--envoyAccessLogService <string>Settings of an Envoy gRPC Access Log Service API implementation (default ``)--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--envoyMetricsService <string>Settings of an Envoy gRPC Metrics Service API implementation (default ``)--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--id <string>Proxy unique ID. If not provided uses ${POD_NAME}.${POD_NAMESPACE} from environment variables (default ``)--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--ip <string>Proxy IP address. If not provided uses ${INSTANCE_IP} environment variable. (default ``)--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--lightstepAccessToken <string>Access Token for LightStep Satellite pool (default ``)--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--lightstepAddress <string>Address of the LightStep Satellite pool (default ``)--no-descriptionsdisable completion descriptions
--lightstepCacertPath <string>Path to the trusted cacert used to authenticate the pool (default ``)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-agent completion fish

+

Generate the autocompletion script for the fish shell.

+

To load completions in your current shell session:

+

pilot-agent completion fish | source

+

To load completions for every new session, execute once:

+

pilot-agent completion fish > ~/.config/fish/completions/pilot-agent.fish

+

You will need to start a new shell for this setup to take effect. +

+
pilot-agent completion fish [flags]
+
+ + - - + + + + - + - + @@ -181,73 +230,98 @@

pilot-agent proxy

- + - - + + - - + + + +
--lightstepSecureShould connection to the LightStep Satellite pool be secure FlagsDescription
--log_as_json Whether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--mixerIdentity <string>The identity used as the suffix for mixer's spiffe SAN. This would only be used by pilot all other proxy would get this value from pilot (default ``)--no-descriptionsdisable completion descriptions
--outlierLogPath <string>The log path for outlier detection (default ``)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-agent completion powershell

+

Generate the autocompletion script for powershell.

+

To load completions in your current shell session:

+

pilot-agent completion powershell | Out-String | Invoke-Expression

+

To load completions for every new session, add the output of the above command +to your powershell profile. +

+
pilot-agent completion powershell [flags]
+
+ + - - + + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + +
--parentShutdownDuration <duration>The time in seconds that Envoy will wait before shutting down the parent process during a hot restart (default `1m0s`)FlagsDescription
--pilotIdentity <string>The identity used as the suffix for pilot's spiffe SAN (default ``)--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--proxyAdminPort <uint16>Port on which Envoy should listen for administrative commands (default `15000`)--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
--proxyComponentLogLevel <string>The component log level used to start the Envoy proxy (default `misc:error`)--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--proxyLogLevel <string>The log level used to start the Envoy proxy (choose from {trace, debug, info, warning, error, critical, off}) (default `warning`)--log_rotate <string>The path for the optional rotating log file (default ``)
--serviceCluster <string>Service cluster (default `istio-proxy`)--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--serviceregistry <string>Select the platform for service registry, options are {Kubernetes, Consul, MCP, Mock} (default `Kubernetes`)--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--statsdUdpAddress <string>IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125) (default ``)--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--statusPort <uint16>HTTP Port on which to serve pilot agent status. If zero, agent status will not be provided. (default `0`)--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--templateFile <string>Go template bootstrap config (default ``)--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--trust-domain <string>The domain to use for identities (default ``)--no-descriptionsdisable completion descriptions
--zipkinAddress <string>Address of the Zipkin service (e.g. zipkin:9411) (default ``)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

pilot-agent request

-

Makes an HTTP request to the Envoy admin API

-
pilot-agent request <method> <path> [<body>] [flags]
+

pilot-agent completion zsh

+

Generate the autocompletion script for the zsh shell.

+

If shell completion is not already enabled in your environment you will need +to enable it. You can execute the following once:

+

echo "autoload -U compinit; compinit" >> ~/.zshrc

+

To load completions for every new session, execute once:

+

#### Linux:

+

pilot-agent completion zsh > "${fpath[1]}/_pilot-agent"

+

#### macOS:

+

pilot-agent completion zsh > /usr/local/share/zsh/site-functions/_pilot-agent

+

You will need to start a new shell for this setup to take effect. +

+
pilot-agent completion zsh [flags]
 
@@ -263,11 +337,11 @@

pilot-agent request

- + - + @@ -287,17 +361,25 @@

pilot-agent request

- + + + + + + + + +
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

pilot-agent version

-

Prints out build version information

-
pilot-agent version [flags]
+

pilot-agent istio-clean-iptables

+

Script responsible for cleaning up iptables rules

+
pilot-agent istio-clean-iptables [flags]
 
@@ -309,6 +391,11 @@

pilot-agent version

+ + + + + @@ -316,12 +403,12 @@

pilot-agent version

- + - + @@ -346,7 +433,7 @@

pilot-agent version

- + @@ -354,250 +441,1131 @@

pilot-agent version

- - - + + + - - - + + + + + + + + + + + + +
--dry-run-nDo not call any external dependencies like iptables
--log_as_json Whether to format output as JSON or in plain console-friendly format
--log_caller <string> Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
--log_output_level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--output <string>-oOne of 'yaml' or 'json'. (default ``)--proxy-gid <string>-gSpecify the GID of the user for which the redirection is not applied. (same default value as -u param) (default ``)
--short-sUse --short=false to generate full version information --proxy-uid <string>-uSpecify the UID of the user for which the redirection is not applied. Typically, this is the UID of the proxy container (default ``)
--redirect-dnsEnable capture of dns traffic by istio-agent
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Environment variables

-These environment variables affect the behavior of the pilot-agent command. - +

pilot-agent istio-iptables

+

istio-iptables is responsible for setting up port forwarding for Istio Sidecar.

+
pilot-agent istio-iptables [flags]
+
+
- - - + + - - - + + - - - + + - - - + + - - - - + + + - - - - + + + - - - + + + + + + + + + + + + - - - + + - - - + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - + + - - - + + - - - + + - - - - + + + - - - - + + + - - - + + - - - - + + + - - - - + + + - - - + + - - - + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + - - - - + + + + + +
Variable NameTypeDefault ValueFlagsShorthand Description
CA_ADDRString--capture-all-dns Instead of only capturing DNS traffic to DNS server IP, capture all DNS traffic at port 53. This setting is only effective when redirect dns is enabled.
CA_PROVIDERStringCitadel--cni-mode Whether to run as CNI plugin.
ENABLE_INGRESS_GATEWAY_SDSBooleanfalse--drop-invalid Enable invalid drop in the iptables rules
GKE_CLUSTER_URLStringThe url of GKE cluster--dry-run-nDo not call any external dependencies like iptables
INGRESS_GATEWAY_FALLBACK_SECRETStringgateway-fallback--envoy-port <string>-pSpecify the envoy port to which redirect all TCP traffic (default $ENVOY_PORT = 15001) (default ``)
INGRESS_GATEWAY_NAMESPACEString--inbound-capture-port <string>-zPort to which all inbound TCP traffic to the pod/VM should be redirected to (default $INBOUND_CAPTURE_PORT = 15006) (default ``)
--inbound-tunnel-port <string>-eSpecify the istio tunnel port for inbound tcp traffic (default $INBOUND_TUNNEL_PORT = 15008) (default ``)
--iptables-probe-port <string> set listen port for failure detection (default `15002`)
INITIAL_BACKOFF_MSECInteger10--iptables-trace-logging Insert tracing logs for each iptables rules, using the LOG chain.
INSTANCE_IPString--istio-exclude-interfaces <string> Comma separated list of NIC (optional). Neither inbound nor outbound traffic will be captured (default ``)
ISTIOD_ADDRStringService name of istiod. If empty the istiod listener, certs will be disabled.--istio-inbound-interception-mode <string>-mThe mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY" (default ``)
ISTIO_AUTO_MTLS_ENABLEDBooleanfalseIf true, auto mTLS is enabled, sidecar checks key/cert if SDS is not enabled.--istio-inbound-ports <string>-bComma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). The wildcard character "*" can be used to configure redirection for all ports. An empty list will disable (default ``)
ISTIO_BOOTSTRAPString--istio-inbound-tproxy-mark <string>-t (default ``)
ISTIO_BOOTSTRAP_OVERRIDEString--istio-inbound-tproxy-route-table <string>-r (default ``)
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.--istio-local-exclude-ports <string>-dComma separated list of inbound ports to be excluded from redirection to Envoy (optional). Only applies when all inbound traffic (i.e. "*") is being redirected (default to $ISTIO_LOCAL_EXCLUDE_PORTS) (default ``)
ISTIO_KUBE_APP_PROBERSString--istio-local-outbound-ports-exclude <string>-oComma separated list of outbound ports to be excluded from redirection to Envoy (default ``)
ISTIO_META_TLS_CLIENT_CERT_CHAINString/etc/certs/cert-chain.pem--istio-outbound-ports <string>-qComma separated list of outbound ports to be explicitly included for redirection to Envoy (default ``)
ISTIO_META_TLS_CLIENT_KEYString/etc/certs/key.pem--istio-service-cidr <string>-iComma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard character "*" can be used to redirect all outbound traffic. An empty list will disable all outbound (default ``)
ISTIO_META_TLS_CLIENT_ROOT_CERTString/etc/certs/root-cert.pem--istio-service-exclude-cidr <string>-xComma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. "*") is being redirected (default to $ISTIO_SERVICE_EXCLUDE_CIDR) (default ``)
ISTIO_META_TLS_SERVER_CERT_CHAINString/etc/certs/cert-chain.pem--kube-virt-interfaces <string>-kComma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound (default ``)
ISTIO_META_TLS_SERVER_KEYString/etc/certs/key.pem--log_as_json Whether to format output as JSON or in plain console-friendly format
ISTIO_META_TLS_SERVER_ROOT_CERTString/etc/certs/root-cert.pem--log_caller <string> Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
ISTIO_NAMESPACEString--log_output_level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
NAMESPACEStringistio-systemnamespace that nodeagent/citadel run in--log_rotate <string>The path for the optional rotating log file (default ``)
PILOT_BLOCK_HTTP_ON_443BooleantrueIf enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
PILOT_CERT_DIRString--log_rotate_max_backups <int> The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
PILOT_DEBUG_ADSZ_CONFIGBooleanfalse--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
PILOT_DISABLE_XDS_MARSHALING_TO_ANYBooleanfalse--network-namespace <string> The network namespace that iptables rules should be applied to. (default ``)
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.--output-paths <string>A file path to write the applied iptables rules to. (default ``)
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKINGBooleantrueIf enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.--probe-timeout <duration>failure detection timeout (default `5s`)
PILOT_ENABLE_CRD_VALIDATIONBooleanfalseIf enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.--proxy-gid <string>-gSpecify the GID of the user for which the redirection is not applied. (same default value as -u param) (default ``)
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled--proxy-uid <string>-uSpecify the UID of the user for which the redirection is not applied. Typically, this is the UID of the proxy container (default ``)
PILOT_ENABLE_FALLTHROUGH_ROUTEBooleantrueEnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.--redirect-dnsEnable capture of dns traffic by istio-agent
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERSBooleantrueIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.--restore-format-fPrint iptables rules in iptables-restore interpretable format
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.--run-validationValidate iptables
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUNDBooleantrueIf enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported--skip-rule-applySkip iptables apply
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUNDBooleantrueIf enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-agent proxy

+

XDS proxy agent

+
pilot-agent proxy [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsDescription
--concurrency <int>number of worker threads to run (default `0`)
--domain <string>DNS domain suffix. If not provided uses ${POD_NAMESPACE}.svc.cluster.local (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfig <string>File name for Istio mesh configuration. If not specified, a default mesh will be used. This may be overridden by PROXY_CONFIG environment variable or proxy.istio.io/config annotation. (default `./etc/istio/config/mesh`)
--outlierLogPath <string>The log path for outlier detection (default ``)
--proxyComponentLogLevel <string>The component log level used to start the Envoy proxy. Deprecated, use proxyLogLevel instead (default ``)
--proxyLogLevel <string>The log level used to start the Envoy proxy (choose from {trace, debug, info, warning, error, critical, off}).Level may also include one or more scopes, such as 'info,misc:error,upstream:debug' (default `warning,misc:error`)
--serviceCluster <string>Service cluster (default `istio-proxy`)
--stsPort <int>HTTP Port on which to serve Security Token Service (STS). If zero, STS service will not be provided. (default `0`)
--templateFile <string>Go template bootstrap config (default ``)
--tokenManagerPlugin <string>Token provider specific plugin name. (default `GoogleTokenExchange`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-agent request

+

Makes an HTTP request to the Envoy admin API

+
pilot-agent request <method> <path> [<body>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsDescription
--debug-port <int32>Set the port to make a local request to. The default points to the Envoy admin API. (default `15000`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-agent version

+

Prints out build version information

+
pilot-agent version [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-agent wait

+

Waits until the Envoy proxy is ready

+
pilot-agent wait [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, validationController, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--periodMillis <int>number of milliseconds to wait between attempts (default `500`)
--requestTimeoutMillis <int>number of milliseconds to wait for response (default `500`)
--timeoutSeconds <int>maximum number of seconds to wait for Envoy to be ready (default `60`)
--url <string>URL to use in requests (default `http://localhost:15021/healthz/ready`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Environment variables

+These environment variables affect the behavior of the pilot-agent command. Please use with caution as these environment variables are experimental and can change anytime. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -606,10 +1574,76 @@

Environment variables

- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + @@ -624,28 +1658,52 @@

Environment variables

- - - - + + + + - - - - + + + + - + + + + + + + - - + + + + + + + + - + - + + + + + + + + + + + + + @@ -654,10 +1712,10 @@

Environment variables

- + - + @@ -672,16 +1730,70 @@

Environment variables

- + + + + + + + + + + + + + - + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -696,94 +1808,172 @@

Environment variables

- + - - + + + + + + + + - + - - + + - - - - + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - + - + - - - - + + + + + + + + + + + + + + + + + + + + + + - + - + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - + - + + + + + + + - + - + + + + + + + + + + + + +
Variable NameTypeDefault ValueDescription
AUTO_RELOAD_PLUGIN_CERTSBooleanfalseIf enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.
BOOTSTRAP_XDS_AGENTBooleanfalseIf set to true, agent retrieves the bootstrap configuration prior to starting Envoy
CA_ADDRStringAddress of the spiffe certificate provider. Defaults to discoveryAddress
CA_PROVIDERStringCitadelname of authentication provider
CA_ROOT_CAStringExplicitly set the root CA to expect for the CA connection.
CERT_SIGNER_DOMAINStringThe cert signer domain info
CLOUD_PLATFORMStringCloud Platform on which proxy is running, if not specified, Istio will try to discover the platform. Valid platform values are aws, azure, gcp, none
CLUSTER_IDStringKubernetesDefines the cluster and service registry that this Istiod instance is belongs to
CREDENTIAL_FETCHER_TYPEStringJWTThe type of the credential fetcher. Currently supported types include GoogleComputeEngine
CREDENTIAL_IDENTITY_PROVIDERStringGoogleComputeEngineThe identity provider for credential. Currently default supported identity provider is GoogleComputeEngine
DISABLE_ENVOYBooleanfalseDisables all Envoy agent features.
DNS_PROXY_ADDRStringlocalhost:15053Custom address for the DNS proxy. If it ends with :53 and running as root allows running without iptable DNS capture
ECC_SIGNATURE_ALGORITHMStringThe type of ECC signature algorithm to use when generating private keys
ENABLE_AUTO_MTLS_CHECK_POLICIESBooleantrueEnable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.
ENABLE_AUTO_SNIBooleanfalseIf enabled, automatically set SNI when `DestinationRules` do not specify the same
ENABLE_CA_SERVERBooleantrueIf this is set to false, will not create CA server in istiod.
ENABLE_DEBUG_ON_HTTPBooleantrueIf this is set to false, the debug interface will not be enabled, recommended for production
ENABLE_LEGACY_FSGROUP_INJECTIONBooleantrueIf true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is "first-party-jwt".
ENABLE_LEGACY_LB_ALGORITHM_DEFAULTBooleanfalseIf enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.
ENABLE_MCS_AUTO_EXPORTBooleanfalseIf enabled, istiod will automatically generate Kubernetes Multi-Cluster Services (MCS) ServiceExport resources for every service in the mesh. Services defined to be cluster-local in MeshConfig are excluded.
ENABLE_MCS_CLUSTER_LOCALBooleanfalseIf enabled, istiod will treat the host `<svc>.<namespace>.svc.cluster.local` as defined by the Kubernetes Multi-Cluster Services (MCS) spec. In this mode, requests to `cluster.local` will be routed to only those endpoints residing within the same cluster as the client. Requires that both ENABLE_MCS_SERVICE_DISCOVERY and ENABLE_MCS_HOST also be enabled.
ENABLE_MCS_HOSTBooleanfalseIf enabled, istiod will configure a Kubernetes Multi-Cluster Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) for each service exported (via ServiceExport) in at least one cluster. Clients must, however, be able to successfully lookup these DNS hosts. That means that either Istio DNS interception must be enabled or an MCS controller must be used. Requires that ENABLE_MCS_SERVICE_DISCOVERY also be enabled.
ENABLE_MCS_SERVICE_DISCOVERYBooleanfalseIf enabled, istiod will enable Kubernetes Multi-Cluster Services (MCS) service discovery mode. In this mode, service endpoints in a cluster will only be discoverable within the same cluster unless explicitly exported via ServiceExport.
ENABLE_MULTICLUSTER_HEADLESSBooleantrueIf true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster.
ENABLE_PROBE_KEEPALIVE_CONNECTIONSBooleanfalseIf enabled, readiness probes will keep the connection from pilot-agent to the application alive. This mirrors older Istio versions' behaviors, but not kubelet's.
ENABLE_TLS_ON_SIDECAR_INGRESSBooleanfalseIf enabled, the TLS configuration on Sidecar.ingress will take effect
ENABLE_WASM_TELEMETRYBooleanfalseIf enabled, Wasm-based telemetry will be enabled.
ENVOY_PROMETHEUS_PORTInteger15090Envoy prometheus redirection port value
ENVOY_STATUS_PORTInteger15021Envoy health status port value
ENVOY_USERStringistio-proxyEnvoy proxy username
EXIT_ON_ZERO_ACTIVE_CONNECTIONSBooleanfalseWhen set to true, terminates proxy when number of active connections become zero during draining
EXTERNAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
FILE_DEBOUNCE_DURATIONTime Duration100msThe duration for which the file read operation is delayed once file update is detected
FILE_MOUNTED_CERTSBooleanfalse
GCP_METADATAStringPipe separated GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE
GCP_QUOTA_PROJECTStringAllows specification of a quota project to be used in requests to GCP APIs.
GKE_CLUSTER_URLStringThe url of GKE cluster
GRPC_XDS_BOOTSTRAPStringetc/istio/proxy/grpc-bootstrap.jsonPath where gRPC expects to read a bootstrap file. Agent will generate one if set.
HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLEDBooleantrue
INJECTION_WEBHOOK_CONFIG_NAMEStringistio-sidecar-injectorName of the mutatingwebhookconfiguration to patch, if istioctl is not used.
INSTANCE_IPString
INVALID_DROPBooleanfalseIf set to true, enable the invalid drop iptables rule, default false will cause iptables reset out of window packets
IPTABLES_TRACE_LOGGINGBooleanfalseWhen enable, all iptables actions will be logged. This requires NET_ADMIN privilege and has noisy logs; as a result, this is intended for debugging only
ISTIOD_CUSTOM_HOSTStringCustom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas.
ISTIOD_SANStringOverride the ServerName used to validate Istiod certificate. Can be used as an alternative to setting /etc/hosts for VMs - discovery address will be an IP:port
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSIONBooleantrueIf enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file.
ISTIO_BOOTSTRAPString
ISTIO_BOOTSTRAP_OVERRIDEString
ISTIO_DEFAULT_REQUEST_TIMEOUTTime Duration0sDefault Http and gRPC Request timeout
ISTIO_DELTA_XDSBooleanfalseIf enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
ISTIO_GATEWAY_STRIP_HOST_PORTBooleanfalseIf enabled, Gateway will remove any port from host/authority header before any processing of request by HTTP filters or routing.
ISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
ISTIO_KUBE_APP_PROBERSString
ISTIO_META_CERT_SIGNERStringThe cert signer info for workload cert
ISTIO_META_CLUSTER_IDString
ISTIO_META_DNS_CAPTUREBooleanfalseIf set to true, enable the capture of outgoing DNS packets on port 53, redirecting to istio-agent on :15053
ISTIO_MULTIROOT_MESHBooleanfalseIf enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS
ISTIO_OUTBOUND_OWNER_GROUPSString*Comma separated list of groups whose outgoing traffic is to be redirected to Envoy. +A group can be specified either by name or by a numeric GID. +The wildcard character "*" can be used to configure redirection of traffic from all groups.
ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDEStringComma separated list of groups whose outgoing traffic is to be excluded from redirection to Envoy. +A group can be specified either by name or by a numeric GID. +Only applies when traffic from all groups (i.e. "*") is being redirected to Envoy.
ISTIO_PROMETHEUS_ANNOTATIONSString
JWT_POLICYStringthird-party-jwtThe JWT validation policy.
K8S_INGRESS_NSString
KUBERNETES_SERVICE_HOSTStringKubernetes service host, set automatically when running in-cluster
K_REVISIONStringKNative revision, set if running in knative
MCS_API_GROUPStringmulticluster.x-k8s.ioThe group to be used for the Kubernetes Multi-Cluster Services (MCS) API.
MCS_API_VERSIONStringv1alpha1The version to be used for the Kubernets Multi-Cluster Services (MCS) API.
MINIMUM_DRAIN_DURATIONTime Duration5sThe minimum duration for which agent waits before it checks for active connections and terminates proxywhen number of active connections become zero
OUTPUT_CERTSStringThe output directory for the key and certificate. If empty, key and certificate will not be saved. Must be set for VMs using provisioning certificates.
PILOT_ANALYSIS_INTERVALTime Duration10sIf analysis is enabled, pilot will run istio analyzers using this value as interval in seconds Istio Resources
PILOT_CERT_PROVIDERStringistiodThe provider of Pilot DNS certificate.
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this interval. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_ENABLE_ALPN_FILTERBooleantrueIf true, pilot will add Istio ALPN filters, required for proper protocol sniffing.
PILOT_ENABLE_ANALYSISBooleanfalseIf enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_ENABLE_CDS_CACHEBooleantrueIf true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKINGBooleantrueIf enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRYBooleantrueIf enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.
PILOT_ENABLE_DESTINATION_RULE_INHERITANCEBooleanfalseIf set, workload specific DestinationRules will inherit configurations settings from mesh and namespace level rules
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_GATEWAY_APIBooleantrueIf this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLERBooleantrueIf this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc
PILOT_ENABLE_GATEWAY_API_STATUSBooleantrueIf this is set to true, gateway-api resources will have status written to them
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERSBooleantrueIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_INBOUND_PASSTHROUGHBooleantrueIf enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.
PILOT_ENABLE_ISTIO_TAGSBooleantrueDetermines whether or not trace spans generated by Envoy will include Istio-specific tags.
PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGHBooleanfalseIf enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.
PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAMEBooleanfalseIf enabled, Gateway's with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.
PILOT_ENABLE_METADATA_EXCHANGEBooleantrueIf true, pilot will add metadata exchange filters, which will be consumed by telemetry filter.
PILOT_ENABLE_MONGO_FILTERBooleantrueEnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain.
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUNDBooleantrueIf enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUNDBooleantrueIf enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_QUIC_LISTENERSBooleanfalseIf true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP)
PILOT_ENABLE_RDS_CACHEBooleantrueIf true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_REDIS_FILTER EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_UNSAFE_REGEXPILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATIONBooleantrueIf true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization.
PILOT_ENABLE_SERVICEENTRY_SELECT_PODSBooleantrueIf enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter.
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATIONBooleantrueEnables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKSBooleantrueEnables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup
PILOT_ENABLE_XDS_CACHEBooleantrueIf true, Pilot will cache XDS responses.
PILOT_ENABLE_XDS_IDENTITY_CHECKBooleantrueIf enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.
PILOT_ENDPOINT_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.
PILOT_ENVOY_FILTER_STATSBooleanfalseIf true, Pilot will collect metrics for envoy filter operations.
PILOT_FILTER_GATEWAY_CLUSTER_CONFIG Boolean falseIf enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
PILOT_FLOW_CONTROL_TIMEOUTTime Duration15sIf set, the max amount of time to delay a push by. Depends on PILOT_ENABLE_FLOW_CONTROL.
PILOT_HTTP10 Protocol detection timeout for inbound listener
PILOT_INITIAL_FETCH_TIMEOUTTime Duration0sSpecifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONSStringComma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication.Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), `clientKey`, `clientCertificate`, `tokenFile`, and `exec`.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushesPILOT_JWT_ENABLE_REMOTE_JWKSBooleanfalseIf enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL and configures remote Jwks to let Envoy fetch the Jwks instead of Istiod.
PILOT_RESPECT_DNS_TTLPILOT_JWT_PUB_KEY_REFRESH_INTERVALTime Duration20m0sThe interval for istiod to fetch the jwks_uri for the jwks public key.
PILOT_LEGACY_INGRESS_BEHAVIOR BooleantrueIf enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.falseIf this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.
PILOT_MAX_REQUESTS_PER_SECONDFloating-Point25Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.
PILOT_RESTRICT_POD_UP_TRAFFIC_LOOPPILOT_PARTIAL_FULL_PUSHES Boolean trueIf enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future.If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
PILOT_REMOTE_CLUSTER_TIMEOUTTime Duration30sAfter this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior.
PILOT_SCOPE_GATEWAY_TO_NAMESPACE If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SCOPE_PUSHESPILOT_SEND_UNHEALTHY_ENDPOINTS Boolean trueIf enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.If enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing.
PILOT_SIDECAR_USE_REMOTE_ADDRESS Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_TRACE_SAMPLINGPILOT_STATUS_BURSTInteger500If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_MAX_WORKERSInteger100The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments.
PILOT_STATUS_QPS Floating-Point 100Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PLUGINSStringPILOT_STATUS_UPDATE_INTERVALTime Duration500msInterval to update the XDS distribution status.
PILOT_TRACE_SAMPLINGFloating-Point1Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0.
PILOT_USE_ENDPOINT_SLICEBooleanfalseIf enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
PILOT_WORKLOAD_ENTRY_GRACE_PERIODTime Duration10sThe amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.
PILOT_XDS_CACHE_SIZEInteger60000The maximum number of cache entries for the XDS cache.
PILOT_XDS_CACHE_STATSBooleanfalseIf true, Pilot will collect metrics for XDS cache efficiency.
PILOT_XDS_SEND_TIMEOUTTime Duration0sThe timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
PKCS8_KEYBooleanfalseWhether to generate PKCS#8 private keys
POD_NAME
SDS_ENABLEDPRIORITIZED_LEADER_ELECTION BooleanfalsetrueIf enabled, the default revision will steal leader locks from non-default revisions
PROV_CERTStringSet to a directory containing provisioned certs, for VMs
SDS_UDS_PATHPROXY_CONFIG Stringunix:/var/run/sds/uds_pathSDS addressThe proxy configuration. This will be set by the injection - gateways will use file mounts.
SECRET_GRACE_DURATIONTime Duration1h0m0sPROXY_CONFIG_XDS_AGENTBooleanfalseIf set to true, agent retrieves dynamic proxy-config updates via xds channel
SECRET_JOB_RUN_INTERVALTime Duration10m0sPROXY_XDS_DEBUG_VIA_AGENTBooleantrueIf set to true, the agent will listen on tap port and offer pilot's XDS istio.io/debug debug API there.
PROXY_XDS_DEBUG_VIA_AGENT_PORTInteger15004Agent debugging port.
REQUIRE_3P_TOKENBooleanfalseReject k8s default tokens, without audience. If false, default K8S token will be accepted
RESOLVE_HOSTNAME_GATEWAYSBooleantrueIf true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways.
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATIONBooleanfalseIf enabled, readiness probes will be sent to 'localhost'. Otherwise, they will be sent to the Pod's IP, matching Kubernetes' behavior.
REWRITE_TCP_PROBESBooleantrueIf false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.
SECRET_GRACE_PERIOD_RATIOFloating-Point0.5The grace period ratio for the cert rotation, by default 0.5.
SECRET_TTL Time Duration 24h0m0sThe cert lifetime requested by istio agent
SECRET_WATCHER_RESYNC_PERIODSERVICE_ACCOUNT String Name of service account
STACKDRIVER_TRACING_DEBUGBooleanfalseIf set to true, enables trace output to stdoutSHARED_MESH_CONFIGStringAdditional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.
SPIFFE_BUNDLE_ENDPOINTSStringThe SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar
TOKEN_AUDIENCESStringistio-caA list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences
TRUST_DOMAINStringcluster.localThe trust domain for spiffe certificates
STACKDRIVER_TRACING_ENABLEDUNSAFE_ENABLE_ADMIN_ENDPOINTS Boolean falseIf enabled, stackdriver will get configured as the tracer.If this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.
STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONSInteger200Sets the max number of annotations for stackdriverUNSAFE_PILOT_ENABLE_DELTA_TESTBooleanfalseIf enabled, addition runtime tests for Delta XDS efficiency are added. These checks are extremely expensive, so this should be used only for testing, not production.
STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTESInteger200Sets the max number of attributes for stackdriverUNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONSBooleanfalseIf enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing.
STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTSInteger200Sets the max number of message events for stackdriverVALIDATION_WEBHOOK_CONFIG_NAMEStringistio-istio-systemName of the validatingwebhookconfiguration to patch. Empty will skip using cluster admin to patch.
STALED_CONNECTION_RECYCLE_RUN_INTERVALTime Duration5m0sVERIFY_CERTIFICATE_AT_CLIENTBooleanfalseIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
TERMINATION_DRAIN_DURATION_SECONDSInteger5The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.VERIFY_SDS_CERTIFICATEBooleantrueIf enabled, certificates fetched from SDS server will be verified before sending back to proxy.
TRUST_DOMAINWASM_INSECURE_REGISTRIES String allow agent pull wasm plugin from insecure registries, for example: 'localhost:5000,docker-registry:5000'
XDS_AUTHBooleantrueIf true, will authenticate XDS clients.
USE_ISTIO_JWT_FILTERXDS_AUTH_PLAINTEXT Boolean falseUse the Istio JWT filter for JWT token verification.Authenticate plain text requests - used if Istiod is behind a gateway handling TLS
XDS_AUTH_PROVIDERStringProvider for XDS auth
XDS_ROOT_CAStringExplicitly set the root CA to expect for the XDS connection.
@@ -793,31 +1983,87 @@

Exported metrics

Metric NameTypeDescription +auto_registration_deletes_totalSumTotal number of auto registration cleaned up by periodic timer. +auto_registration_errors_totalSumTotal number of auto registration errors. +auto_registration_success_totalSumTotal number of successful auto registrations. +auto_registration_unregister_totalSumTotal number of unregistrations. +auto_registration_updates_totalSumTotal number of auto registration updates. +controller_sync_errors_totalSumTotal number of errorMetric syncing controllers. endpoint_no_podLastValueEndpoints without an associated pod. +envoy_connection_terminationsSumThe total number of connection errors from envoy +galley_validation_config_delete_errorCountk8s webhook configuration delete error +galley_validation_config_loadCountk8s webhook configuration (re)loads +galley_validation_config_load_errorCountk8s webhook configuration (re)load error +galley_validation_config_update_errorCountk8s webhook configuration update error +galley_validation_config_updatesCountk8s webhook configuration updates istio_buildLastValueIstio component build info +istiod_connection_failuresSumThe total number of connection failures to Istiod +istiod_connection_terminationsSumThe total number of connection errors to Istiod +istiod_managed_clustersLastValueNumber of clusters managed by istiod num_failed_outgoing_requestsSumNumber of failed outgoing requests (e.g. to a token exchange server, CA, etc.) +num_file_secret_failures_totalSumNumber of times secret generation failed for files +num_file_watcher_failures_totalSumNumber of times file watcher failed to add watchers num_outgoing_requestsSumNumber of total outgoing requests (e.g. to a token exchange server, CA, etc.) num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.) outgoing_latencySumThe latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds. 
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners. pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener. -pilot_conflict_outbound_listener_http_over_httpsLastValueNumber of conflicting HTTP listeners with well known HTTPS ports pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener. pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener. pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host pilot_duplicate_envoy_clustersLastValueDuplicate envoy clusters caused by service entries with same hostname pilot_eds_no_instancesLastValueNumber of clusters without instances. pilot_endpoint_not_readyLastValueEndpoint found in unready state. +pilot_inbound_updatesSumTotal number of updates received by pilot. pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver +pilot_k8s_cfg_eventsSumEvents from k8s config. +pilot_k8s_endpoints_pending_podLastValueNumber of endpoints that do not currently have any corresponding pods. +pilot_k8s_endpoints_with_no_podsSumEndpoints that does not have any corresponding pods. +pilot_k8s_reg_eventsSumEvents from k8s registry. pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid. +pilot_proxy_convergence_timeDistributionDelay in seconds between config change and a proxy receiving all required configuration. +pilot_proxy_queue_timeDistributionTime in seconds, a proxy is in the push queue before being dequeued. +pilot_push_triggersSumTotal number of times a push was triggered, labeled by reason for the push. 
+pilot_sds_certificate_errors_totalSumTotal number of failures to fetch SDS key and certificate. +pilot_servicesLastValueTotal services known to pilot. pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore. +pilot_total_xds_internal_errorsSumTotal number of internal XDS errors in pilot. +pilot_total_xds_rejectsSumTotal number of XDS responses from pilot rejected by proxy. pilot_virt_servicesLastValueTotal virtual services known to pilot. pilot_vservice_dup_domainLastValueVirtual services with dup domains. -total_active_connectionsSumThe total number of active SDS connections. -total_push_errorsSumThe total number of failed SDS pushes. -total_pushesSumThe total number of SDS pushes. -total_secret_update_failuresSumThe total number of dynamic secret update failures reported by proxy. -total_stale_connectionsSumThe total number of stale SDS connections. +pilot_xdsLastValueNumber of endpoints connected to this pilot using XDS. +pilot_xds_cds_rejectLastValuePilot rejected CDS configs. +pilot_xds_config_size_bytesDistributionDistribution of configuration sizes pushed to clients +pilot_xds_delayed_push_timeouts_totalSumTotal number of XDS pushes that are delayed and timed out +pilot_xds_delayed_pushes_totalSumTotal number of XDS pushes that are delayed. +pilot_xds_eds_rejectLastValuePilot rejected EDS. +pilot_xds_expired_nonceSumTotal number of XDS requests with an expired nonce. +pilot_xds_lds_rejectLastValuePilot rejected LDS. +pilot_xds_push_context_errorsSumNumber of errors (timeouts) initiating push context. +pilot_xds_push_timeDistributionTotal time in seconds Pilot takes to push lds, rds, cds and eds. +pilot_xds_pushesSumPilot build and send errors for lds, rds, cds and eds. +pilot_xds_rds_rejectLastValuePilot rejected RDS. +pilot_xds_send_timeDistributionTotal time in seconds Pilot takes to send generated configuration. +pilot_xds_write_timeoutSumPilot XDS response write timeouts. 
+remote_cluster_sync_timeouts_totalSumNumber of times remote clusters took too long to sync, causing slow startup that excludes remote clusters. +scrape_failures_totalSumThe total number of failed scrapes. +scrapes_totalSumThe total number of scrapes. +sidecar_injection_failure_totalSumTotal number of failed sidecar injection requests. +sidecar_injection_requests_totalSumTotal number of sidecar injection requests. +sidecar_injection_skip_totalSumTotal number of skipped sidecar injection requests. +sidecar_injection_success_totalSumTotal number of successful sidecar injection requests. +startup_duration_secondsLastValueThe time from the process starting to being marked ready. +wasm_cache_entriesLastValuenumber of Wasm remote fetch cache entries. +wasm_cache_lookup_countSumnumber of Wasm remote fetch cache lookups. +wasm_config_conversion_countSumnumber of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint. +wasm_config_conversion_durationDistributionTotal time in milliseconds istio-agent spends on converting remote load in Wasm config. +wasm_remote_fetch_countSumnumber of Wasm remote fetches and results, including success, download failure, and checksum mismatch. +webhook_patch_attempts_totalSumWebhook patching attempts +webhook_patch_failures_totalSumWebhook patching total failures +webhook_patch_retries_totalSumWebhook patching retries +xds_cache_evictionsSumTotal number of xds cache evictions. +xds_cache_readsSumTotal number of xds cache xdsCacheReads. +xds_cache_sizeLastValueCurrent size of xds cache
diff --git a/content/zh/docs/reference/commands/pilot-discovery/index.html b/content/zh/docs/reference/commands/pilot-discovery/index.html
index 0c6ab60d4442c..bb027d882a306 100644
--- a/content/zh/docs/reference/commands/pilot-discovery/index.html
+++ b/content/zh/docs/reference/commands/pilot-discovery/index.html
@@ -4,7 +4,7 @@ title: pilot-discovery description: Istio Pilot. generator: pkg-collateral-docs -number_of_entries: 5 +number_of_entries: 10 max_toc_level: 2 remove_toc_prefix: 'pilot-discovery ' --- @@ -18,60 +18,146 @@ ---ctrlz_address <string> -The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) +--vklog <Level> +number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) + + +

pilot-discovery completion

+

Generate the autocompletion script for pilot-discovery for the specified shell. +See each sub-command's help for details on how to use the generated script. +

+ + - - + + + + - - + + + +
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)FlagsDescription
--keepaliveInterval <duration>The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-discovery completion bash

+

Generate the autocompletion script for the bash shell.

+

This script depends on the 'bash-completion' package. +If it is not installed already, you can install it via your OS's package manager.

+

To load completions in your current shell session:

+

source <(pilot-discovery completion bash)

+

To load completions for every new session, execute once:

+

#### Linux:

+

pilot-discovery completion bash > /etc/bash_completion.d/pilot-discovery

+

#### macOS:

+

pilot-discovery completion bash > /usr/local/etc/bash_completion.d/pilot-discovery

+

You will need to start a new shell for this setup to take effect. +

+
pilot-discovery completion bash
+
+ + - - + + + + - - + + - - + + + +
--keepaliveMaxServerConnectionAge <duration>Maximum duration a connection will be kept open on the server before a graceful close. (default `2562047h47m16.854775807s`)FlagsDescription
--keepaliveTimeout <duration>After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default `10s`)--no-descriptionsdisable completion descriptions
--log_as_jsonWhether to format output as JSON or in plain console-friendly format --vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-discovery completion fish

+

Generate the autocompletion script for the fish shell.

+

To load completions in your current shell session:

+

pilot-discovery completion fish | source

+

To load completions for every new session, execute once:

+

pilot-discovery completion fish > ~/.config/fish/completions/pilot-discovery.fish

+

You will need to start a new shell for this setup to take effect. +

+
pilot-discovery completion fish [flags]
+
+ + - - + + + + - - + + - - + + + +
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)FlagsDescription
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)--no-descriptionsdisable completion descriptions
--log_rotate <string>The path for the optional rotating log file (default ``)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-discovery completion powershell

+

Generate the autocompletion script for powershell.

+

To load completions in your current shell session:

+

pilot-discovery completion powershell | Out-String | Invoke-Expression

+

To load completions for every new session, add the output of the above command +to your powershell profile. +

+
pilot-discovery completion powershell [flags]
+
+ + - - + + + + - - + + - - + + + +
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)FlagsDescription
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)--no-descriptionsdisable completion descriptions
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

pilot-discovery completion zsh

+

Generate the autocompletion script for the zsh shell.

+

If shell completion is not already enabled in your environment you will need +to enable it. You can execute the following once:

+

echo "autoload -U compinit; compinit" >> ~/.zshrc

+

To load completions for every new session, execute once:

+

#### Linux:

+

pilot-discovery completion zsh > "${fpath[1]}/_pilot-discovery"

+

#### macOS:

+

pilot-discovery completion zsh > /usr/local/share/zsh/site-functions/_pilot-discovery

+

You will need to start a new shell for this setup to take effect. +

+
pilot-discovery completion zsh [flags]
+
+ + - - + + + + - - + + + + + +
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)FlagsDescription
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
@@ -89,24 +175,29 @@

pilot-discovery discovery

---appNamespace <string> --a -Restrict the applications namespace the controller manages; if not set, controller watches all namespaces (default ``) +--caCertFile <string> + +File containing the x509 Server CA Certificate (default ``) + + +--clusterAliases <stringToString> + +Alias names for clusters (default `[]`) ---clusterRegistriesNamespace <string> +--clusterID <string> -Namespace for ConfigMap which stores clusters configs (default ``) +The ID of the cluster that this Istiod instance resides (default `Kubernetes`) ---configDir <string> +--clusterRegistriesNamespace <string> -Directory to watch for updates to config yaml files. If specified, the files will be used as the source of config, rather than a CRD client. (default ``) +Namespace for ConfigMap which stores clusters configs (default `istio-system`) ---consulserverURL <string> +--configDir <string> -URL for the Consul server (default ``) +Directory to watch for updates to config yaml files. If specified, the files will be used as the source of config, rather than a CRD client. (default ``) --ctrlz_address <string> @@ -119,11 +210,6 @@

pilot-discovery discovery

The IP port to use for the ControlZ introspection facility (default `9876`) ---disable-install-crds - -Disable discovery service from verifying the existence of CRDs at startup and then installing if not detected. It is recommended to be disable for highly available setups. - - --domain <string> DNS domain suffix (default `cluster.local`) @@ -131,7 +217,7 @@

pilot-discovery discovery

--grpcAddr <string> -Discovery service grpc address (default `:15010`) +Discovery service gRPC address (default `:15010`) --httpAddr <string> @@ -139,6 +225,11 @@

pilot-discovery discovery

Discovery service HTTP address (default `:8080`) +--httpsAddr <string> + +Injection and validation service HTTPS address (default `:15017`) + + --keepaliveInterval <duration> The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`) @@ -159,6 +250,16 @@

pilot-discovery discovery

Use a Kubernetes configuration file instead of in-cluster configuration (default ``) +--kubernetesApiBurst <int> + +Maximum burst for throttle when communicating with the kubernetes API (default `160`) + + +--kubernetesApiQPS <float32> + +Maximum QPS when communicating with the kubernetes API (default `80`) + + --log_as_json Whether to format output as JSON or in plain console-friendly format @@ -166,12 +267,12 @@

pilot-discovery discovery

--log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitor, pkica, pkira, processing, proxyconfig, retry, rootcertrotator, secretcontroller, serverca, serviceentry, spiffe, status, telemetry, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... 
where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitor, pkica, pkira, processing, proxyconfig, retry, rootcertrotator, secretcontroller, serverca, serviceentry, spiffe, status, telemetry, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> @@ -196,7 +297,7 @@

pilot-discovery discovery

--log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitor, pkica, pkira, processing, proxyconfig, retry, rootcertrotator, secretcontroller, serverca, serviceentry, spiffe, status, telemetry, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> @@ -204,24 +305,9 @@

pilot-discovery discovery

The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) ---mcpInitialConnWindowSize <int> - -Initial connection window size for MCP's gRPC connection (default `1048576`) - - ---mcpInitialWindowSize <int> - -Initial window size for MCP's gRPC connection (default `1048576`) - - ---mcpMaxMsgSize <int> - -Max message size received by MCP's grpc client (default `4194304`) - - --meshConfig <string> -File name for Istio mesh configuration. If not specified, a default mesh will be used. (default `/etc/istio/config/mesh`) +File name for Istio mesh configuration. If not specified, a default mesh will be used. (default `./etc/istio/config/mesh`) --monitoringAddr <string> @@ -231,17 +317,17 @@

pilot-discovery discovery

--namespace <string> -n -Select a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable (default ``) +Select a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable (default `istio-system`) --networksConfig <string> -File name for Istio mesh networks configuration. If not specified, a default mesh networks will be used. (default `/etc/istio/config/meshNetworks`) +File name for Istio mesh networks configuration. If not specified, a default mesh networks will be used. (default `./etc/istio/config/meshNetworks`) --plugins <stringSlice> -comma separated list of networking plugins to enable (default `[authn,authz,health,mixer]`) +comma separated list of networking plugins to enable (default `[ext_authz,authn,authz]`) --profile @@ -251,22 +337,39 @@

pilot-discovery discovery

--registries <stringSlice> -Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Consul, MCP, Mock}) (default `[Kubernetes]`) +Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Mock}) (default `[Kubernetes]`) + + +--secureGRPCAddr <string> + +Discovery service secured gRPC address (default `:15012`) + + +--shutdownDuration <duration> + +Duration the discovery server needs to terminate gracefully (default `10s`) ---resync <duration> +--tls-cipher-suites <stringSlice> -Controller resync interval (default `1m0s`) +Comma-separated list of cipher suites for istiod TLS server. If omitted, the default Go cipher suites will be used. +Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384. +Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA. 
(default `[]`) ---secureGrpcAddr <string> +--tlsCertFile <string> -Discovery service grpc address, with https (default `:15012`) +File containing the x509 Server Certificate (default ``) ---trust-domain <string> +--tlsKeyFile <string> -The domain serves to identify the system with spiffe (default ``) +File containing the x509 private key matching --tlsCertFile (default ``) + + +--vklog <Level> + +number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -283,60 +386,8 @@

pilot-discovery request

---ctrlz_address <string> -The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) - - ---ctrlz_port <uint16> -The IP port to use for the ControlZ introspection facility (default `9876`) - - ---keepaliveInterval <duration> -The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`) - - ---keepaliveMaxServerConnectionAge <duration> -Maximum duration a connection will be kept open on the server before a graceful close. (default `2562047h47m16.854775807s`) - - ---keepaliveTimeout <duration> -After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default `10s`) - - ---log_as_json -Whether to format output as JSON or in plain console-friendly format - - ---log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``) - - ---log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... 
where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) - - ---log_rotate <string> -The path for the optional rotating log file (default ``) - - ---log_rotate_max_age <int> -The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) - - ---log_rotate_max_backups <int> -The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) - - ---log_rotate_max_size <int> -The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) - - ---log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) - - ---log_target <stringArray> -The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) +--vklog <Level> +number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -354,76 +405,6 @@

pilot-discovery version

---ctrlz_address <string> - -The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) - - ---ctrlz_port <uint16> - -The IP port to use for the ControlZ introspection facility (default `9876`) - - ---keepaliveInterval <duration> - -The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`) - - ---keepaliveMaxServerConnectionAge <duration> - -Maximum duration a connection will be kept open on the server before a graceful close. (default `2562047h47m16.854775807s`) - - ---keepaliveTimeout <duration> - -After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default `10s`) - - ---log_as_json - -Whether to format output as JSON or in plain console-friendly format - - ---log_caller <string> - -Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``) - - ---log_output_level <string> - -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... 
where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) - - ---log_rotate <string> - -The path for the optional rotating log file (default ``) - - ---log_rotate_max_age <int> - -The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) - - ---log_rotate_max_backups <int> - -The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) - - ---log_rotate_max_size <int> - -The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) - - ---log_stacktrace_level <string> - -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) - - ---log_target <stringArray> - -The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) - - --output <string> -o One of 'yaml' or 'json'. (default ``) @@ -433,10 +414,15 @@

pilot-discovery version

-s Use --short=false to generate full version information + +--vklog <Level> + +number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) +

Environment variables

-These environment variables affect the behavior of the pilot-discovery command. +These environment variables affect the behavior of the pilot-discovery command. Please use with caution as these environment variables are experimental and can change anytime. @@ -454,22 +440,16 @@

Environment variables

- - - - - - - - - - - - - + - + + + + + + + @@ -484,6 +464,12 @@

Environment variables

+ + + + + + @@ -496,22 +482,220 @@

Environment variables

- + - - - - - - - + - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -520,10 +704,22 @@

Environment variables

+ + + + + + - + + + + + + + @@ -532,22 +728,34 @@

Environment variables

- - - - + + + + - + - - + + + + + + + + + + + + + + - + @@ -556,22 +764,28 @@

Environment variables

- + + + + + + + - - + + - + - + - - - - + + + + @@ -580,10 +794,16 @@

Environment variables

- + + + + + + + - + @@ -592,10 +812,28 @@

Environment variables

- + + + + + + + + + + + + + + + + + + + - + @@ -604,6 +842,42 @@

Environment variables

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -622,16 +896,94 @@

Environment variables

+ + + + + + + + + + + + - + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -646,28 +998,52 @@

Environment variables

- - - - + + + + - - - - + + + + - + + + + + + + - - + + + + + + + + - + - + + + + + + + + + + + + + @@ -676,10 +1052,10 @@

Environment variables

- + - + @@ -694,10 +1070,64 @@

Environment variables

- + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -708,20 +1138,68 @@

Environment variables

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + @@ -730,22 +1208,58 @@

Environment variables

- + + + + + + + + + + + + + + + + + + + - + - + - - + + - - - - + + + + + + + + + + + + + + + + + + + + + +
Expected audience in the tokens.
AUTHZ_FAILURE_LOG_BURST_SIZEInteger1
AUTHZ_FAILURE_LOG_FREQTime Duration1m0s
BYPASS_OOP_MTLS_SAN_VERIFICATIONAUTO_RELOAD_PLUGIN_CERTS Boolean falseWhether or not to validate SANs for out-of-process adapters auth.If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.
CERT_SIGNER_DOMAINStringThe cert signer domain info
CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATOR The TTL of self-signed CA root certificate.
CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZEInteger2048Specify the RSA key size to use for self-signed Istio CA certificates.
CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVAL Time Duration 1h0m0s Grace period percentile for self-signed root cert.
ISTIOD_ADDRCLOUD_PLATFORM String Service name of istiod. If empty the istiod listener, certs will be disabled.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.Cloud Platform on which proxy is running, if not specified, Istio will try to discover the platform. Valid platform values are aws, azure, gcp, none
ISTIO_LANGCLUSTER_ID StringSelects the attribute expression language runtime for Mixer.KubernetesDefines the cluster and service registry that this Istiod instance is belongs to
DEFAULT_WORKLOAD_CERT_TTLTime Duration24h0m0sThe default TTL of issued workload certificates. Applied when the client sets a non-positive TTL in the CSR.
ENABLE_AUTO_MTLS_CHECK_POLICIESBooleantrueEnable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.
ENABLE_AUTO_SNIBooleanfalseIf enabled, automatically set SNI when `DestinationRules` do not specify the same
ENABLE_CA_SERVERBooleantrueIf this is set to false, will not create CA server in istiod.
ENABLE_DEBUG_ON_HTTPBooleantrueIf this is set to false, the debug interface will not be enabled, recommended for production
ENABLE_LEGACY_FSGROUP_INJECTIONBooleantrueIf true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is "first-party-jwt".
ENABLE_LEGACY_LB_ALGORITHM_DEFAULTBooleanfalseIf enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.
ENABLE_MCS_AUTO_EXPORTBooleanfalseIf enabled, istiod will automatically generate Kubernetes Multi-Cluster Services (MCS) ServiceExport resources for every service in the mesh. Services defined to be cluster-local in MeshConfig are excluded.
ENABLE_MCS_CLUSTER_LOCALBooleanfalseIf enabled, istiod will treat the host `<svc>.<namespace>.svc.cluster.local` as defined by the Kubernetes Multi-Cluster Services (MCS) spec. In this mode, requests to `cluster.local` will be routed to only those endpoints residing within the same cluster as the client. Requires that both ENABLE_MCS_SERVICE_DISCOVERY and ENABLE_MCS_HOST also be enabled.
ENABLE_MCS_HOSTBooleanfalseIf enabled, istiod will configure a Kubernetes Multi-Cluster Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) for each service exported (via ServiceExport) in at least one cluster. Clients must, however, be able to successfully lookup these DNS hosts. That means that either Istio DNS interception must be enabled or an MCS controller must be used. Requires that ENABLE_MCS_SERVICE_DISCOVERY also be enabled.
ENABLE_MCS_SERVICE_DISCOVERYBooleanfalseIf enabled, istiod will enable Kubernetes Multi-Cluster Services (MCS) service discovery mode. In this mode, service endpoints in a cluster will only be discoverable within the same cluster unless explicitly exported via ServiceExport.
ENABLE_MULTICLUSTER_HEADLESSBooleantrueIf true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster.
ENABLE_PROBE_KEEPALIVE_CONNECTIONSBooleanfalseIf enabled, readiness probes will keep the connection from pilot-agent to the application alive. This mirrors older Istio versions' behaviors, but not kubelet's.
ENABLE_TLS_ON_SIDECAR_INGRESSBooleanfalseIf enabled, the TLS configuration on Sidecar.ingress will take effect
ENABLE_WASM_TELEMETRYBooleanfalseIf enabled, Wasm-based telemetry will be enabled.
EXTERNAL_CAStringExternal CA Integration Type. Permitted Values are ISTIOD_RA_KUBERNETES_API or ISTIOD_RA_ISTIO_API
EXTERNAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
GCP_METADATAStringPipe separated GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE
GCP_QUOTA_PROJECTStringAllows specification of a quota project to be used in requests to GCP APIs.
HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLEDBooleantrue
INJECTION_WEBHOOK_CONFIG_NAMEStringistio-sidecar-injectorName of the mutatingwebhookconfiguration to patch, if istioctl is not used.
INJECT_ENABLEDBooleantrueEnable mutating webhook handler.
ISTIOD_CUSTOM_HOSTStringCustom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas.
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSIONBooleantrueIf enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file.
ISTIO_BOOTSTRAPString
ISTIO_DEFAULT_REQUEST_TIMEOUTTime Duration0sDefault Http and gRPC Request timeout
ISTIO_DELTA_XDSBooleanfalseIf enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
ISTIO_GATEWAY_STRIP_HOST_PORTBooleanfalseIf enabled, Gateway will remove any port from host/authority header before any processing of request by HTTP filters or routing.
ISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
ISTIO_MULTIROOT_MESHBooleanfalseIf enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS
ISTIO_PROMETHEUS_ANNOTATIONSString
JWT_POLICYStringthird-party-jwtThe JWT validation policy.
JWT_RULEStringThe JWT rule used by istiod authentication
K8S_INGRESS_NS
K8S_SIGNERStringKubernates CA Signer type. Valid from Kubernates 1.18
KUBERNETES_SERVICE_HOST String Kuberenetes service host, set automatically when running in-clusterKubernetes service host, set automatically when running in-cluster
K_REVISIONStringKNative revision, set if running in knative
MAX_WORKLOAD_CERT_TTL The max TTL of issued workload certificates.
PILOT_BLOCK_HTTP_ON_443BooleantrueIf enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external trafficMCS_API_GROUPStringmulticluster.x-k8s.ioThe group to be used for the Kubernetes Multi-Cluster Services (MCS) API.
PILOT_CERT_DIRMCS_API_VERSION Stringv1alpha1The version to be used for the Kubernets Multi-Cluster Services (MCS) API.
PILOT_ANALYSIS_INTERVALTime Duration10sIf analysis is enabled, pilot will run istio analyzers using this value as interval in seconds Istio Resources
PILOT_CERT_PROVIDERStringistiodThe provider of Pilot DNS certificate.
PILOT_DEBOUNCE_AFTER Time Duration 100msThe delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.The delay added to config/registry events for debouncing. This will delay the push by at least this interval. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAX The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DEBUG_ADSZ_CONFIGPILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_ENABLE_ALPN_FILTER BooleanfalsetrueIf true, pilot will add Istio ALPN filters, required for proper protocol sniffing.
PILOT_DISABLE_XDS_MARSHALING_TO_ANYPILOT_ENABLE_ANALYSIS Boolean falseIf enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.PILOT_ENABLE_CDS_CACHEBooleantrueIf true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CRD_VALIDATIONPILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRYBooleantrueIf enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.
PILOT_ENABLE_DESTINATION_RULE_INHERITANCE Boolean falseIf enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.If set, workload specific DestinationRules will inherit configurations settings from mesh and namespace level rules
PILOT_ENABLE_EDS_DEBOUNCE If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_FALLTHROUGH_ROUTEPILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_GATEWAY_APIBooleantrueIf this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLERBooleantrueIf this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc
PILOT_ENABLE_GATEWAY_API_STATUS Boolean trueEnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.If this is set to true, gateway-api resources will have status written to them
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_INBOUND_PASSTHROUGHBooleantrueIf enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.
PILOT_ENABLE_ISTIO_TAGSBooleantrueDetermines whether or not trace spans generated by Envoy will include Istio-specific tags.
PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGHBooleanfalseIf enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.
PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAMEBooleanfalseIf enabled, Gateway's with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.
PILOT_ENABLE_METADATA_EXCHANGEBooleantrueIf true, pilot will add metadata exchange filters, which will be consumed by telemetry filter.
PILOT_ENABLE_MONGO_FILTERBooleantrueEnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain.
PILOT_ENABLE_MYSQL_FILTER Boolean false If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_QUIC_LISTENERSBooleanfalseIf true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP)
PILOT_ENABLE_RDS_CACHEBooleantrueIf true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_REDIS_FILTER Boolean false EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_UNSAFE_REGEXPILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATIONBooleantrueIf true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization.
PILOT_ENABLE_SERVICEENTRY_SELECT_PODSBooleantrueIf enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_STATUS Boolean falseIf enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter.
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATIONBooleantrueEnables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKSBooleantrueEnables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup
PILOT_ENABLE_XDS_CACHEBooleantrueIf true, Pilot will cache XDS responses.
PILOT_ENABLE_XDS_IDENTITY_CHECKBooleantrueIf enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.
PILOT_ENDPOINT_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.
PILOT_ENVOY_FILTER_STATSBooleanfalseIf true, Pilot will collect metrics for envoy filter operations.
PILOT_FILTER_GATEWAY_CLUSTER_CONFIGBooleanfalseIf enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
PILOT_FLOW_CONTROL_TIMEOUTTime Duration15sIf set, the max amount of time to delay a push by. Depends on PILOT_ENABLE_FLOW_CONTROL.
PILOT_HTTP10 Protocol detection timeout for inbound listener
PILOT_INITIAL_FETCH_TIMEOUTTime Duration0sSpecifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONSStringComma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication.Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), `clientKey`, `clientCertificate`, `tokenFile`, and `exec`.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushesPILOT_JWT_ENABLE_REMOTE_JWKSBooleanfalseIf enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL and configures remote Jwks to let Envoy fetch the Jwks instead of Istiod.
PILOT_RESPECT_DNS_TTLPILOT_JWT_PUB_KEY_REFRESH_INTERVALTime Duration20m0sThe interval for istiod to fetch the jwks_uri for the jwks public key.
PILOT_LEGACY_INGRESS_BEHAVIOR BooleantrueIf enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.falseIf this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.
PILOT_MAX_REQUESTS_PER_SECONDFloating-Point25Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.
PILOT_RESTRICT_POD_UP_TRAFFIC_LOOPPILOT_PARTIAL_FULL_PUSHES Boolean trueIf enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future.If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
PILOT_REMOTE_CLUSTER_TIMEOUTTime Duration30sAfter this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior.
PILOT_SCOPE_GATEWAY_TO_NAMESPACE If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SCOPE_PUSHESPILOT_SEND_UNHEALTHY_ENDPOINTS Boolean trueIf enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.If enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing.
PILOT_SIDECAR_USE_REMOTE_ADDRESS Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_TRACE_SAMPLINGPILOT_STATUS_BURSTInteger500If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_MAX_WORKERSInteger100The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments.
PILOT_STATUS_QPS Floating-Point 100Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PILOT_STATUS_UPDATE_INTERVALTime Duration500msInterval to update the XDS distribution status.
PILOT_TRACE_SAMPLINGFloating-Point1Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0.
PILOT_USE_ENDPOINT_SLICEBooleanfalseIf enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
PILOT_WORKLOAD_ENTRY_GRACE_PERIODTime Duration10sThe amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.
PILOT_XDS_CACHE_SIZEInteger60000The maximum number of cache entries for the XDS cache.
PILOT_XDS_CACHE_STATSBooleanfalseIf true, Pilot will collect metrics for XDS cache efficiency.
PILOT_XDS_SEND_TIMEOUTTime Duration0sThe timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
POD_NAME
POD_NAMESPACE Stringistio-system
PRIORITIZED_LEADER_ELECTIONBooleantrueIf enabled, the default revision will steal leader locks from non-default revisions
REQUIRE_3P_TOKENBooleanfalseReject k8s default tokens, without audience. If false, default K8S token will be accepted
RESOLVE_HOSTNAME_GATEWAYSBooleantrueIf true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways.
REVISIONString
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATIONBooleanfalseIf enabled, readiness probes will be sent to 'localhost'. Otherwise, they will be sent to the Pod's IP, matching Kubernetes' behavior.
REWRITE_TCP_PROBESBooleantrueIf false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.
ROOT_CA_DIR String ./etc/cacerts Location of a local or mounted CA root
TERMINATION_DRAIN_DURATION_SECONDSInteger5The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.SHARED_MESH_CONFIGStringAdditional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.
SPIFFE_BUNDLE_ENDPOINTSStringThe SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar
TOKEN_AUDIENCESStringistio-caA list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences
TOKEN_ISSUER OIDC token issuer. If set, will be used to check the tokens.
USE_ISTIO_JWT_FILTERUNSAFE_ENABLE_ADMIN_ENDPOINTSBooleanfalseIf this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.
UNSAFE_PILOT_ENABLE_DELTA_TESTBooleanfalseIf enabled, addition runtime tests for Delta XDS efficiency are added. These checks are extremely expensive, so this should be used only for testing, not production.
UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONSBooleanfalseIf enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing.
USE_REMOTE_CERTS Boolean falseUse the Istio JWT filter for JWT token verification.Whether to try to load CA certs from a remote Kubernetes cluster. Used for external Istiod.
WEBHOOKVALIDATION_WEBHOOK_CONFIG_NAME StringName of webhook config to patch, if istioctl is not used.istio-istio-systemName of the validatingwebhookconfiguration to patch. Empty will skip using cluster admin to patch.
WORKLOAD_CERT_TTLTime Duration2160h0m0sThe TTL of issued workload certificates.VERIFY_CERTIFICATE_AT_CLIENTBooleanfalseIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
VERIFY_SDS_CERTIFICATEBooleantrueIf enabled, certificates fetched from SDS server will be verified before sending back to proxy.
XDS_AUTHBooleantrueIf true, will authenticate XDS clients.
XDS_AUTH_PLAINTEXTBooleanfalseAuthenticate plain text requests - used if Istiod is behind a gateway handling TLS
@@ -755,78 +1269,34 @@

Exported metrics

Metric NameTypeDescription -citadel_secret_controller_csr_err_countSumThe number of errors occurred when creating the CSR. -citadel_secret_controller_csr_sign_err_countSumThe number of errors occurred when signing the CSR. -citadel_secret_controller_secret_deleted_cert_countSumThe number of certificates recreated due to secret deletion (service account still exists). -citadel_secret_controller_svc_acc_created_cert_countSumThe number of certificates created due to service account creation. -citadel_secret_controller_svc_acc_deleted_cert_countSumThe number of certificates deleted due to service account deletion. +auto_registration_deletes_totalSumTotal number of auto registration cleaned up by periodic timer. +auto_registration_errors_totalSumTotal number of auto registration errors. +auto_registration_success_totalSumTotal number of successful auto registrations. +auto_registration_unregister_totalSumTotal number of unregistrations. +auto_registration_updates_totalSumTotal number of auto registration updates. citadel_server_authentication_failure_countSumThe number of authentication failures. +citadel_server_cert_chain_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired. citadel_server_csr_countSumThe number of CSRs received by Citadel server. citadel_server_csr_parsing_err_countSumThe number of errors occurred when parsing the CSR. citadel_server_csr_sign_err_countSumThe number of errors occurred when signing the CSR. citadel_server_id_extraction_err_countSumThe number of errors occurred when extracting the ID from CSR. -citadel_server_root_cert_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error. +citadel_server_root_cert_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel root cert will expire. A negative time indicates the cert is expired. 
citadel_server_success_cert_issuance_countSumThe number of certificates issuances that have succeeded. +controller_sync_errors_totalSumTotal number of errorMetric syncing controllers. endpoint_no_podLastValueEndpoints without an associated pod. -galley_runtime_processor_event_span_duration_millisecondsDistributionThe duration between each incoming event -galley_runtime_processor_events_processed_totalCountThe number of events that have been processed -galley_runtime_processor_snapshot_events_totalDistributionThe number of events per snapshot -galley_runtime_processor_snapshot_lifetime_duration_millisecondsDistributionThe duration of each snapshot -galley_runtime_processor_snapshots_published_totalCountThe number of snapshots that have been published -galley_runtime_state_type_instances_totalLastValueThe number of type instances per type URL -galley_runtime_strategy_on_change_totalCountThe number of times the strategy's onChange has been called -galley_runtime_strategy_timer_max_time_reached_totalCountThe number of times the max time has been reached -galley_runtime_strategy_timer_quiesce_reached_totalCountThe number of times a quiesce has been reached -galley_runtime_strategy_timer_resets_totalCountThe number of times the timer has been reset -galley_source_kube_dynamic_converter_failure_totalCountThe number of times a dynamnic kubernetes source failed converting a resources -galley_source_kube_dynamic_converter_success_totalCountThe number of times a dynamic kubernetes source successfully converted a resource -galley_source_kube_event_error_totalCountThe number of times a kubernetes source encountered errored while handling an event -galley_source_kube_event_success_totalCountThe number of times a kubernetes source successfully handled an event -galley_validation_cert_key_update_errorsCountGalley validation webhook certificate updates errors -galley_validation_cert_key_updatesCountGalley validation webhook certificate updates 
+galley_validation_config_delete_errorCountk8s webhook configuration delete error galley_validation_config_loadCountk8s webhook configuration (re)loads galley_validation_config_load_errorCountk8s webhook configuration (re)load error galley_validation_config_update_errorCountk8s webhook configuration update error galley_validation_config_updatesCountk8s webhook configuration updates -galley_validation_failedCountResource validation failed -galley_validation_http_errorCountResource validation http serve errors -galley_validation_passedCountResource is valid +galley_validation_failedSumResource validation failed +galley_validation_http_errorSumResource validation http serve errors +galley_validation_passedSumResource is valid istio_buildLastValueIstio component build info -istio_mcp_clients_totalLastValueThe number of streams currently connected. -istio_mcp_message_sizes_bytesDistributionSize of messages received from clients. -istio_mcp_reconnectionsSumThe number of times the sink has reconnected. -istio_mcp_recv_failures_totalSumThe number of recv failures in the source. -istio_mcp_request_acks_totalSumThe number of request acks received by the source. -istio_mcp_request_nacks_totalSumThe number of request nacks received by the source. -istio_mcp_send_failures_totalSumThe number of send failures in the source. -mixer_config_adapter_info_config_errors_totalLastValueThe number of errors encountered during processing of the adapter info configuration. -mixer_config_adapter_info_configs_totalLastValueThe number of known adapters in the current config. -mixer_config_attributes_totalLastValueThe number of known attributes in the current config. -mixer_config_handler_configs_totalLastValueThe number of known handlers in the current config. -mixer_config_handler_validation_error_totalLastValueThe number of errors encountered because handler validation returned error. 
-mixer_config_instance_config_errors_totalLastValueThe number of errors encountered during processing of the instance configuration. -mixer_config_instance_configs_totalLastValueThe number of known instances in the current config. -mixer_config_rule_config_errors_totalLastValueThe number of errors encountered during processing of the rule configuration. -mixer_config_rule_config_match_error_totalLastValueThe number of rule conditions that was not parseable. -mixer_config_rule_configs_totalLastValueThe number of known rules in the current config. -mixer_config_template_config_errors_totalLastValueThe number of errors encountered during processing of the template configuration. -mixer_config_template_configs_totalLastValueThe number of known templates in the current config. -mixer_config_unsatisfied_action_handler_totalLastValueThe number of actions that failed due to handlers being unavailable. -mixer_dispatcher_destinations_per_requestDistributionNumber of handlers dispatched per request by Mixer -mixer_dispatcher_destinations_per_variety_totalLastValueNumber of Mixer adapter destinations by template variety type -mixer_dispatcher_instances_per_requestDistributionNumber of instances created per request by Mixer -mixer_handler_closed_handlers_totalLastValueThe number of handlers that were closed during config transition. -mixer_handler_daemons_totalLastValueThe current number of active daemon routines in a given adapter environment. -mixer_handler_handler_build_failures_totalLastValueThe number of handlers that failed creation during config transition. -mixer_handler_handler_close_failures_totalLastValueThe number of errors encountered while closing handlers during config transition. -mixer_handler_new_handlers_totalLastValueThe number of handlers that were newly created during config transition. -mixer_handler_reused_handlers_totalLastValueThe number of handlers that were re-used during config transition. 
-mixer_handler_workers_totalLastValueThe current number of active worker routines in a given adapter environment. -mixer_runtime_dispatch_duration_secondsDistributionDuration in seconds for adapter dispatches handled by Mixer. -mixer_runtime_dispatches_totalCountTotal number of adapter dispatches handled by Mixer. +istiod_managed_clustersLastValueNumber of clusters managed by istiod +num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.) pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners. pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener. -pilot_conflict_outbound_listener_http_over_httpsLastValueNumber of conflicting HTTP listeners with well known HTTPS ports pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener. pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener. pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host @@ -834,17 +1304,17 @@

Exported metrics

pilot_eds_no_instancesLastValueNumber of clusters without instances. pilot_endpoint_not_readyLastValueEndpoint found in unready state. pilot_inbound_updatesSumTotal number of updates received by pilot. -pilot_invalid_out_listenersLastValueNumber of invalid outbound listeners. pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver pilot_k8s_cfg_eventsSumEvents from k8s config. +pilot_k8s_endpoints_pending_podLastValueNumber of endpoints that do not currently have any corresponding pods. pilot_k8s_endpoints_with_no_podsSumEndpoints that does not have any corresponding pods. -pilot_k8s_object_errorsLastValueErrors converting k8s CRDs pilot_k8s_reg_eventsSumEvents from k8s registry. pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid. pilot_proxy_convergence_timeDistributionDelay in seconds between config change and a proxy receiving all required configuration. pilot_proxy_queue_timeDistributionTime in seconds, a proxy is in the push queue before being dequeued. -pilot_rds_expired_nonceSumTotal number of RDS messages with an expired nonce. +pilot_push_triggersSumTotal number of times a push was triggered, labeled by reason for the push. +pilot_sds_certificate_errors_totalSumTotal number of failures to fetch SDS key and certificate. pilot_servicesLastValueTotal services known to pilot. pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore. pilot_total_xds_internal_errorsSumTotal number of internal XDS errors in pilot. @@ -853,18 +1323,36 @@

Exported metrics

pilot_vservice_dup_domainLastValueVirtual services with dup domains. pilot_xdsLastValueNumber of endpoints connected to this pilot using XDS. pilot_xds_cds_rejectLastValuePilot rejected CDS configs. -pilot_xds_eds_all_locality_endpointsLastValueNetwork endpoints for each cluster(across all localities), as of last push. Zero endpoints is an error. -pilot_xds_eds_instancesLastValueInstances for each cluster(grouped by locality), as of last push. Zero instances is an error. +pilot_xds_config_size_bytesDistributionDistribution of configuration sizes pushed to clients +pilot_xds_delayed_push_timeouts_totalSumTotal number of XDS pushes that are delayed and timed out +pilot_xds_delayed_pushes_totalSumTotal number of XDS pushes that are delayed. pilot_xds_eds_rejectLastValuePilot rejected EDS. +pilot_xds_expired_nonceSumTotal number of XDS requests with an expired nonce. pilot_xds_lds_rejectLastValuePilot rejected LDS. pilot_xds_push_context_errorsSumNumber of errors (timeouts) initiating push context. pilot_xds_push_timeDistributionTotal time in seconds Pilot takes to push lds, rds, cds and eds. pilot_xds_pushesSumPilot build and send errors for lds, rds, cds and eds. pilot_xds_rds_rejectLastValuePilot rejected RDS. +pilot_xds_send_timeDistributionTotal time in seconds Pilot takes to send generated configuration. pilot_xds_write_timeoutSumPilot XDS response write timeouts. -sidecar_injection_failure_totalSumTotal number of failed Side car injection requests. -sidecar_injection_requests_totalSumTotal number of Side car injection requests. -sidecar_injection_skip_totalSumTotal number of skipped injection requests. -sidecar_injection_success_totalSumTotal number of successful Side car injection requests. +remote_cluster_sync_timeouts_totalSumNumber of times remote clusters took too long to sync, causing slow startup that excludes remote clusters. +scrape_failures_totalSumThe total number of failed scrapes. +scrapes_totalSumThe total number of scrapes. 
+sidecar_injection_failure_totalSumTotal number of failed sidecar injection requests. +sidecar_injection_requests_totalSumTotal number of sidecar injection requests. +sidecar_injection_skip_totalSumTotal number of skipped sidecar injection requests. +sidecar_injection_success_totalSumTotal number of successful sidecar injection requests. +startup_duration_secondsLastValueThe time from the process starting to being marked ready. +wasm_cache_entriesLastValuenumber of Wasm remote fetch cache entries. +wasm_cache_lookup_countSumnumber of Wasm remote fetch cache lookups. +wasm_config_conversion_countSumnumber of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint. +wasm_config_conversion_durationDistributionTotal time in milliseconds istio-agent spends on converting remote load in Wasm config. +wasm_remote_fetch_countSumnumber of Wasm remote fetches and results, including success, download failure, and checksum mismatch. +webhook_patch_attempts_totalSumWebhook patching attempts +webhook_patch_failures_totalSumWebhook patching total failures +webhook_patch_retries_totalSumWebhook patching retries +xds_cache_evictionsSumTotal number of xds cache evictions. +xds_cache_readsSumTotal number of xds cache xdsCacheReads. +xds_cache_sizeLastValueCurrent size of xds cache diff --git a/content/zh/docs/reference/commands/sidecar-injector/index.html b/content/zh/docs/reference/commands/sidecar-injector/index.html deleted file mode 100644 index ef587d62a57f2..0000000000000 --- a/content/zh/docs/reference/commands/sidecar-injector/index.html +++ /dev/null 
@@ -1,604 +0,0 @@ ---- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO -source_repo: https://github.com/istio/istio -title: sidecar-injector -description: Kubernetes webhook for automatic Istio sidecar injection. -generator: pkg-collateral-docs -number_of_entries: 4 -max_toc_level: 2 -remove_toc_prefix: 'sidecar-injector ' ---- -

Kubernetes webhook for automatic Istio sidecar injection.

-
sidecar-injector [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--caCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`)
--healthCheckFile <string>File that should be periodically updated if health checking is enabled (default ``)
--healthCheckInterval <duration>Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`)
--injectConfig <string>File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`)
--injectValues <string>File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`)
--kubeconfig <string>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfig <string>File containing the Istio mesh configuration (default `/etc/istio/config/mesh`)
--monitoringPort <int>Webhook monitoring port (default `15014`)
--port <int>Webhook port (default `9443`)
--reconcileWebhookConfigEnable managing webhook configuration.
--tlsCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`)
--tlsKeyFile <string>File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`)
--webhookConfigName <string>Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`)
--webhookName <string>Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`)
-

sidecar-injector probe

-

Check the liveness or readiness of a locally-running server

-
sidecar-injector probe [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--caCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`)
--healthCheckFile <string>File that should be periodically updated if health checking is enabled (default ``)
--healthCheckInterval <duration>Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`)
--injectConfig <string>File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`)
--injectValues <string>File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`)
--interval <duration>Duration used for checking the target file's last modified time. (default `0s`)
--kubeconfig <string>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfig <string>File containing the Istio mesh configuration (default `/etc/istio/config/mesh`)
--monitoringPort <int>Webhook monitoring port (default `15014`)
--port <int>Webhook port (default `9443`)
--probe-path <string>Path of the file for checking the availability. (default ``)
--reconcileWebhookConfigEnable managing webhook configuration.
--tlsCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`)
--tlsKeyFile <string>File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`)
--webhookConfigName <string>Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`)
--webhookName <string>Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`)
-

sidecar-injector version

-

Prints out build version information

-
sidecar-injector version [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--caCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`)
--healthCheckFile <string>File that should be periodically updated if health checking is enabled (default ``)
--healthCheckInterval <duration>Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`)
--injectConfig <string>File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`)
--injectValues <string>File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`)
--kubeconfig <string>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfig <string>File containing the Istio mesh configuration (default `/etc/istio/config/mesh`)
--monitoringPort <int>Webhook monitoring port (default `15014`)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--port <int>Webhook port (default `9443`)
--reconcileWebhookConfigEnable managing webhook configuration.
--short-sUse --short=false to generate full version information
--tlsCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`)
--tlsKeyFile <string>File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`)
--webhookConfigName <string>Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`)
--webhookName <string>Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`)
-

Environment variables

-These environment variables affect the behavior of the sidecar-injector command. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Variable NameTypeDefault ValueDescription
ISTIOD_ADDRStringService name of istiod. If empty the istiod listener, certs will be disabled.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
PILOT_BLOCK_HTTP_ON_443BooleantrueIf enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic
PILOT_CERT_DIRString
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DEBUG_ADSZ_CONFIGBooleanfalse
PILOT_DISABLE_XDS_MARSHALING_TO_ANYBooleanfalse
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKINGBooleantrueIf enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CRD_VALIDATIONBooleanfalseIf enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_FALLTHROUGH_ROUTEBooleantrueEnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERSBooleantrueIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUNDBooleantrueIf enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUNDBooleantrueIf enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_REDIS_FILTERBooleanfalseEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_UNSAFE_REGEXBooleanfalseIf enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.
PILOT_HTTP10BooleanfalseEnables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUTTime Duration1sProtocol detection timeout for inbound listener
PILOT_INITIAL_FETCH_TIMEOUTTime Duration0sSpecifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
PILOT_RESPECT_DNS_TTLBooleantrueIf enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.
PILOT_RESTRICT_POD_UP_TRAFFIC_LOOPBooleantrueIf enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future.
PILOT_SCOPE_GATEWAY_TO_NAMESPACEBooleanfalseIf enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SCOPE_PUSHESBooleantrueIf enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.
PILOT_SIDECAR_USE_REMOTE_ADDRESSBooleanfalseUseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.
PILOT_SKIP_VALIDATE_TRUST_DOMAINBooleanfalseSkip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_TRACE_SAMPLINGFloating-Point100Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.
TERMINATION_DRAIN_DURATION_SECONDSInteger5The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.
USE_ISTIO_JWT_FILTERBooleanfalseUse the Istio JWT filter for JWT token verification.
-

Exported metrics

- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Metric NameTypeDescription
endpoint_no_podLastValueEndpoints without an associated pod.
istio_buildLastValueIstio component build info
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener.
pilot_conflict_outbound_listener_http_over_httpsLastValueNumber of conflicting HTTP listeners with well known HTTPS ports
pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host
pilot_duplicate_envoy_clustersLastValueDuplicate envoy clusters caused by service entries with same hostname
pilot_eds_no_instancesLastValueNumber of clusters without instances.
pilot_endpoint_not_readyLastValueEndpoint found in unready state.
pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver
pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver
pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid.
pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore.
pilot_virt_servicesLastValueTotal virtual services known to pilot.
pilot_vservice_dup_domainLastValueVirtual services with dup domains.
sidecar_injection_failure_totalSumTotal number of failed Side car injection requests.
sidecar_injection_requests_totalSumTotal number of Side car injection requests.
sidecar_injection_skip_totalSumTotal number of skipped injection requests.
sidecar_injection_success_totalSumTotal number of successful Side car injection requests.
diff --git a/content/zh/docs/reference/config/annotations/index.html b/content/zh/docs/reference/config/annotations/index.html index ac2e26bd9d7c0..a370ca7d97ddf 100644 --- a/content/zh/docs/reference/config/annotations/index.html +++ b/content/zh/docs/reference/config/annotations/index.html @@ -3,11 +3,11 @@ source_repo: https://github.com/istio/api title: Resource Annotations description: Resource annotations used by Istio. -location: https://istio.io/docs/reference/config/annotations.html -weight: 29 +location: https://istio.io/docs/reference/config/annotations/ +weight: 60 ---

-This page presents the various resource annotations that +This page presents the various resource annotations that Istio supports to control its behavior.

@@ -15,6 +15,7 @@ Annotation Name + Feature Status Resource Types Description 
@@ -31,45 +32,98 @@ - kubernetes.io/ingress.class - [Ingress] - Annotation on an Ingress resources denoting the class of controllers responsible for it. + galley.istio.io/analyze-suppress + + Alpha + + [Any] + A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation 'galley.istio.io/analyze-suppress=IST0108,IST0103'. If the value is '*', then all configuration analysis messages are suppressed. + + + + inject.istio.io/templates + + Alpha + + [Pod] + The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information. + + + + + + install.operator.istio.io/chart-owner + + Alpha + + [Any] + Represents the name of the chart used to create this resource. + + + + + + install.operator.istio.io/owner-generation + + Alpha + + [Any] + Represents the generation to which the resource was last reconciled. + + - networking.istio.io/exportTo - [Service] - Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace. + install.operator.istio.io/version + + Alpha + + [Any] + Represents the Istio version associated with the resource + + + + + + - policy.istio.io/check - [Pod] - Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests. + istio.io/dry-run + + Alpha + + [AuthorizationPolicy] + Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information. + + - policy.istio.io/checkBaseRetryWaitTime - [Pod] - Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. 
If not set, this will be 80ms. + kubernetes.io/ingress.class + + Stable + + [Ingress] + Annotation on an Ingress resources denoting the class of controllers responsible for it. @@ -77,9 +131,12 @@ - policy.istio.io/checkMaxRetryWaitTime - [Pod] - Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms. + networking.istio.io/exportTo + + Alpha + + [Service] + Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace. @@ -87,9 +144,12 @@ - policy.istio.io/checkRetries + prometheus.istio.io/merge-metrics + + Alpha + [Pod] - The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries. + Specifies if application Prometheus metric will be merged with Envoy metrics for this workload. @@ -97,17 +157,25 @@ - policy.istio.io/lang + proxy.istio.io/config + + Beta + [Pod] - Selects the attribute expression language runtime for Mixer. + Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig. + + readiness.status.sidecar.istio.io/applicationPorts + + Alpha + [Pod] Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic. @@ -118,6 +186,9 @@ readiness.status.sidecar.istio.io/failureThreshold + + Alpha + [Pod] Specifies the failure threshold for the Envoy sidecar readiness probe. @@ -128,6 +199,9 @@ readiness.status.sidecar.istio.io/initialDelaySeconds + + Alpha + [Pod] Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe. 
@@ -138,18 +212,35 @@ readiness.status.sidecar.istio.io/periodSeconds + + Alpha + [Pod] Specifies the period (in seconds) for the Envoy sidecar readiness probe. + + + + sidecar.istio.io/agentLogLevel + + Alpha + + [Pod] + Specifies the log output level for pilot-agent. + + sidecar.istio.io/bootstrapOverride + + Alpha + [Pod] Specifies an alternative Envoy bootstrap configuration file. @@ -160,6 +251,9 @@ sidecar.istio.io/componentLogLevel + + Alpha + [Pod] Specifies the component log level for Envoy. @@ -167,9 +261,12 @@ - + sidecar.istio.io/controlPlaneAuthPolicy + + Deprecated + [Pod] Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections. @@ -177,9 +274,12 @@ - + sidecar.istio.io/discoveryAddress + + Deprecated + [Pod] Specifies the XDS discovery address to be used by the Envoy sidecar. @@ -187,9 +287,38 @@ + + + sidecar.istio.io/enableCoreDump + + Alpha + + [Pod] + Specifies whether or not an Envoy sidecar should enable core dump. + + + + + + + + sidecar.istio.io/extraStatTags + + Alpha + + [Pod] + An additional list of tags to extract from the in-proxy Istio telemetry. each additional tag needs to be present in this list. + + + + + sidecar.istio.io/inject + + Beta + [Pod] Specifies whether or not an Envoy sidecar should be automatically injected into the workload. @@ -200,6 +329,9 @@ sidecar.istio.io/interceptionMode + + Alpha + [Pod] Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY). @@ -210,6 +342,9 @@ sidecar.istio.io/logLevel + + Alpha + [Pod] Specifies the log level for Envoy. @@ -220,6 +355,9 @@ sidecar.istio.io/proxyCPU + + Alpha + [Pod] Specifies the requested CPU setting for the Envoy sidecar. 
@@ -227,9 +365,25 @@ + + + sidecar.istio.io/proxyCPULimit + + Alpha + + [Pod] + Specifies the CPU limit for the Envoy sidecar. + + + + + sidecar.istio.io/proxyImage + + Alpha + [Pod] Specifies the Docker image to be used by the Envoy sidecar. @@ -237,9 +391,25 @@ + + + sidecar.istio.io/proxyImageType + + Alpha + + [Pod] + Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag. + + + + + sidecar.istio.io/proxyMemory + + Alpha + [Pod] Specifies the requested memory setting for the Envoy sidecar. @@ -247,9 +417,25 @@ + + + sidecar.istio.io/proxyMemoryLimit + + Alpha + + [Pod] + Specifies the memory limit for the Envoy sidecar. + + + + + sidecar.istio.io/rewriteAppHTTPProbers + + Alpha + [Pod] Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar. @@ -257,9 +443,12 @@ - + sidecar.istio.io/statsInclusionPrefixes + + Deprecated + [Pod] Specifies the comma separated list of prefixes of the stats to be emitted by Envoy. @@ -267,9 +456,12 @@ - + sidecar.istio.io/statsInclusionRegexps + + Deprecated + [Pod] Specifies the comma separated list of regexes the stats should match to be emitted by Envoy. @@ -277,9 +469,12 @@ - + sidecar.istio.io/statsInclusionSuffixes + + Deprecated + [Pod] Specifies the comma separated list of suffixes of the stats to be emitted by Envoy. @@ -290,6 +485,9 @@ sidecar.istio.io/status + + Alpha + [Pod] Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources. @@ -300,6 +498,9 @@ sidecar.istio.io/userVolume + + Alpha + [Pod] Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar. @@ -310,6 +511,9 @@ sidecar.istio.io/userVolumeMount + + Alpha + [Pod] Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar. 
@@ -320,6 +524,9 @@ status.sidecar.istio.io/port + + Alpha + [Pod] Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status. @@ -330,6 +537,9 @@ traffic.sidecar.istio.io/excludeInboundPorts + + Alpha + [Pod] A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected. @@ -340,6 +550,9 @@ traffic.sidecar.istio.io/excludeOutboundIPRanges + + Alpha + [Pod] A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. '*') is being redirected. @@ -350,6 +563,9 @@ traffic.sidecar.istio.io/excludeOutboundPorts + + Alpha + [Pod] A comma separated list of outbound ports to be excluded from redirection to Envoy. @@ -360,6 +576,9 @@ traffic.sidecar.istio.io/includeInboundPorts + + Alpha + [Pod] A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. An empty list will disable all inbound redirection. @@ -370,6 +589,9 @@ traffic.sidecar.istio.io/includeOutboundIPRanges + + Alpha + [Pod] A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection. @@ -377,9 +599,25 @@ + + + traffic.sidecar.istio.io/includeOutboundPorts + + Alpha + + [Pod] + A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP. + + + + + traffic.sidecar.istio.io/kubevirtInterfaces + + Alpha + [Pod] A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. 
diff --git a/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html b/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html new file mode 100644 index 0000000000000..65f537b02cca2 --- /dev/null +++ b/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html @@ -0,0 +1,355 @@ +--- +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO +source_repo: https://github.com/istio/api +title: Analysis Messages +description: Describes the structure of messages generated by Istio analyzers. +location: https://istio.io/docs/reference/config/istio.analysis.v1alpha1.html +layout: protoc-gen-docs +generator: protoc-gen-docs +weight: 20 +number_of_entries: 7 +--- +

Describes the structure of messages generated by Istio analyzers.

+ +

AnalysisMessageBase

+
+

AnalysisMessageBase describes some common information that is needed for all +messages. All information should be static with respect to the error code.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
typeType + +No +
levelLevel +

Represents how severe a message is. Required.

+ +
+No +
documentationUrlstring +

A url pointing to the Istio documentation for this specific error type. +Should be of the form +^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/ +Required.

+ +
+No +
+
+

AnalysisMessageWeakSchema

+
+

AnalysisMessageWeakSchema is the set of information that’s needed to define a +weakly-typed schema. The purpose of this proto is to provide a mechanism for +validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make +sure that we don’t allow committing underspecified types.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
messageBaseAnalysisMessageBase +

Required

+ +
+No +
descriptionstring +

A human readable description of what the error means. Required.

+ +
+No +
templatestring +

A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) +defining how to combine the args for a particular message into a log line. +Required.

+ +
+No +
argsArgType[] +

A description of the arguments for a particular message type

+ +
+No +
+
+

GenericAnalysisMessage

+
+

GenericAnalysisMessage is an instance of an AnalysisMessage defined by a +schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code +should be able to perform validation of arguments as needed by using the +message type information to look at the AnalysisMessageWeakSchema and examine the +list of args at runtime. Developers can also create stronger-typed versions +of GenericAnalysisMessage for well-known and stable message types.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
messageBaseAnalysisMessageBase +

Required

+ +
+No +
argsStruct +

Any message-type specific arguments that need to get codified. Optional.

+ +
+No +
resourcePathsstring[] +

A list of strings specifying the resource identifiers that were the cause +of message generation. A “path” here is a (NAMESPACE\/)?RESOURCETYPE/NAME +tuple that uniquely identifies a particular resource. There doesn’t seem to +be a single concept for this, but this is intuitively taken from +https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology +At least one is required.

+ +
+No +
+
+

InternalErrorAnalysisMessage

+
+

InternalErrorAnalysisMessage is a strongly-typed message representing some +error in Istio code that prevented us from performing analysis at all.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
messageBaseAnalysisMessageBase +

Required

+ +
+No +
detailstring +

Any detail regarding specifics of the error. Should be human-readable.

+ +
+No +
+
+

AnalysisMessageBase.Type

+
+

A unique identifier for the type of message. Name is intended to be +human-readable, code is intended to be machine readable. There should be a +one-to-one mapping between name and code. (i.e. do not re-use names or +codes between message types.)

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring +

A human-readable name for the message type. e.g. “InternalError”, +“PodMissingProxy”. This should be the same for all messages of the same type. +Required.

+ +
+No +
codestring +

A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify +the message type. (e.g. “IST0001” is mapped to the “InternalError” message +type.) 0000-0100 are reserved. Required.

+ +
+No +
+
+

AnalysisMessageWeakSchema.ArgType

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring +

Required

+ +
+No +
goTypestring +

Required. Should be a golang type, used in code generation. +Ideally this will change to a less language-pinned type before this gets +out of alpha, but for compatibility with current istio/istio code it’s +go_type for now.

+ +
+No +
+
+

AnalysisMessageBase.Level

+
+

The values here are chosen so that more severe messages get sorted higher, +as well as leaving space in between to add more later

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescription
UNKNOWN +

invalid, but included for proto compatibility for 0 values

+ +
ERROR +
WARNING +
INFO +
+
diff --git a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html index 8f7fa9b488370..8eeab3fb16580 100644 --- a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -1,71 +1,2170 @@ --- WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO source_repo: https://github.com/istio/api -title: Service Mesh +title: Global Mesh Options description: Configuration affecting the service mesh as a whole. location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html layout: protoc-gen-docs generator: protoc-gen-docs -number_of_entries: 26 +weight: 20 +number_of_entries: 57 ---

Configuration affecting the service mesh as a whole.

-

AuthenticationPolicy

+

MeshConfig

+
+

MeshConfig defines mesh-wide settings for the Istio service mesh.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
proxyListenPortint32 +

Port on which Envoy should listen for incoming connections from +other services. Default port is 15001.

+ +
+No +
proxyHttpPortint32 +

Port on which Envoy should listen for HTTP PROXY requests if set.

+ +
+No +
connectTimeoutDuration +

Connection timeout used by Envoy. (MUST BE >=1ms) +Default timeout is 10s.

+ +
+No +
protocolDetectionTimeoutDuration +

Automatic protocol detection uses a set of heuristics to +determine whether the connection is using TLS or not (on the +server side), as well as the application protocol being used +(e.g., http vs tcp). These heuristics rely on the client sending +the first bits of data. For server first protocols like MySQL, +MongoDB, etc. Envoy will timeout on the protocol detection after +the specified period, defaulting to non mTLS plain TCP +traffic. Set this field to tweak the period that Envoy will wait +for the client to send the first bits of data. (MUST BE >=1ms or +0s to disable). Default detection timeout is 0s (no timeout).

+ +
+No +
tcpKeepaliveTcpKeepalive +

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

+ +
+No +
ingressClassstring +

Class of ingress resources to be processed by Istio ingress +controller. This corresponds to the value of +kubernetes.io/ingress.class annotation.

+ +
+No +
ingressServicestring +

Name of the Kubernetes service used for the istio ingress controller. +If no ingress controller is specified, the default value istio-ingressgateway is used.

+ +
+No +
ingressControllerModeIngressControllerMode +

Defines whether to use Istio ingress controller for annotated or all ingress resources. +Default mode is STRICT.

+ +
+No +
ingressSelectorstring +

Defines which gateway deployment to use as the Ingress controller. This field corresponds to +the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR. +By default, ingressgateway is used, which will select the default IngressGateway as it has the +istio: ingressgateway labels. +It is recommended that this is the same value as ingress_service.

+ +
+No +
enableTracingbool +

Flag to control generation of trace spans and request IDs. +Requires a trace span collector defined in the proxy configuration.

+ +
+No +
accessLogFilestring +

File address for the proxy access log (e.g. /dev/stdout). +Empty value disables access logging.

+ +
+No +
accessLogFormatstring +

Format for the proxy access log +Empty value results in proxy’s default access log format

+ +
+No +
accessLogEncodingAccessLogEncoding +

Encoding for the proxy access log (TEXT or JSON). +Default value is TEXT.

+ +
+No +
enableEnvoyAccessLogServicebool +

This flag enables Envoy’s gRPC Access Log Service. +See Access Log Service +for details about Envoy’s gRPC Access Log Service API. +Default value is false.

+ +
+No +
disableEnvoyListenerLogbool +

This flag disables Envoy Listener logs. +See Listener Access Log +Istio Enables Envoy’s listener access logs on “NoRoute” response flag. +Default value is false.

+ +
+No +
defaultConfigProxyConfig +

Default proxy config used by gateway and sidecars. +In case of Kubernetes, the proxy config is applied once during the injection process, +and remain constant for the duration of the pod. The rest of the mesh config can be changed +at runtime and config gets distributed dynamically. +On Kubernetes, this can be overridden on individual pods with the proxy.istio.io/config annotation.

+ +
+No +
outboundTrafficPolicyOutboundTrafficPolicy +

Set the default behavior of the sidecar for handling outbound +traffic from the application. If your application uses one or +more external services that are not known apriori, setting the +policy to ALLOW_ANY will cause the sidecars to route any unknown +traffic originating from the application to its requested +destination. Users are strongly encouraged to use ServiceEntries +to explicitly declare any external dependencies, instead of using +ALLOW_ANY, so that traffic to these services can be +monitored. Can be overridden at a Sidecar level by setting the +OutboundTrafficPolicy in the Sidecar +API. +Default mode is ALLOW_ANY which means outbound traffic to unknown destinations will be allowed.

+ +
+No +
configSourcesConfigSource[] +

ConfigSource describes a source of configuration data for networking +rules, and other Istio configuration artifacts. Multiple data sources +can be configured for a single control plane.

+ +
+No +
enableAutoMtlsBoolValue +

This flag is used to enable mutual TLS automatically for service to service communication +within the mesh, default true. +If set to true, and a given service does not have a corresponding DestinationRule configured, +or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side +TLS configuration appropriately. More specifically, +If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate +for mutual TLS to connect to upstream. +If upstream service is in plain text mode, use plain text. +If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use +mutual TLS when server sides are capable of accepting mutual TLS traffic. +If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.

+ +
+No +
trustDomainstring +

The trust domain corresponds to the trust root of a system. +Refer to SPIFFE-ID

+ +
+No +
trustDomainAliasesstring[] +

The trust domain aliases represent the aliases of trust_domain. +For example, if we have

+ +
trustDomain: td1
+trustDomainAliases: ["td2", "td3"]
+
+ +

Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, +or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

+ +
+No +
caCertificatesCertificateData[] +

The extra root certificates for workload-to-workload communication. +The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret) +are automatically added by Istiod. +The CA certificate that signs the workload certificates is automatically added by Istio Agent.

+ +
+No +
defaultServiceExportTostring[] +

The default value for the ServiceEntry.export_to field and services +imported through container registry integrations, e.g. this applies to +Kubernetes Service resources. The value is a list of namespace names and +reserved namespace aliases. The allowed namespace aliases are:

+ +
* - All Namespaces
+. - Current Namespace
+~ - No Namespace
+
+ +

If not set the system will use “*” as the default value which implies that +services are exported to all namespaces.

+ +

All namespaces is a reasonable default for implementations that don’t +need to restrict access or visibility of services across namespace +boundaries. If that requirement is present it is generally good practice to +make the default Current namespace so that services are only visible +within their own namespaces by default. Operators can then expand the +visibility of services to other namespaces as needed. Use of No Namespace +is expected to be rare but can have utility for deployments where +dependency management needs to be precise even within the scope of a single +namespace.

+ +

For further discussion see the reference documentation for ServiceEntry, +Sidecar, and Gateway.

+ +
+No +
defaultVirtualServiceExportTostring[] +

The default value for the VirtualService.export_to field. Has the same +syntax as default_service_export_to.

+ +

If not set the system will use “*” as the default value which implies that +virtual services are exported to all namespaces

+ +
+No +
defaultDestinationRuleExportTostring[] +

The default value for the DestinationRule.export_to field. Has the same +syntax as default_service_export_to.

+ +

If not set the system will use “*” as the default value which implies that +destination rules are exported to all namespaces

+ +
+No +
rootNamespacestring +

The namespace to treat as the administrative root namespace for +Istio configuration. When processing a leaf namespace Istio will search for +declarations in that namespace first and if none are found it will +search in the root namespace. Any matching declaration found in the root +namespace is processed as if it were declared in the leaf namespace.

+ +

The precise semantics of this processing are documented on each resource +type.

+ +
+No +
localityLbSettingLocalityLoadBalancerSetting +

Locality based load balancing distribution or failover settings.

+ +
+No +
dnsRefreshRateDuration +

Configures DNS refresh rate for Envoy clusters of type STRICT_DNS +Default refresh rate is 5s.

+ +
+No +
h2UpgradePolicyH2UpgradePolicy +

Specify if http1.1 connections should be upgraded to http2 by default. +if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. +If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE. +It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.

+ +
+No +
inboundClusterStatNamestring +

Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for +network filters like TCP and Redis. +By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>. +For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.

+ +

A Pattern can be composed of various pre-defined variables. The following variables are supported.

+ +
    +
  • %SERVICE% - Will be substituted with name of the service.
  • +
  • %SERVICE_FQDN% - Will be substituted with FQDN of the service.
  • +
  • %SERVICE_PORT% - Will be substituted with port of the service.
  • +
  • %SERVICE_PORT_NAME% - Will be substituted with port name of the service.
  • +
+ +

Following are some examples of supported patterns for reviews:

+ +
    +
  • %SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
  • +
  • %SERVICE% will use reviews.prod as the stats name.
  • +
+ +
+No +
outboundClusterStatNamestring +

Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for +network filters like TCP and Redis. +By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>. +For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.

+ +

A Pattern can be composed of various pre-defined variables. The following variables are supported.

+ +
    +
  • %SERVICE% - Will be substituted with name of the service.
  • +
  • %SERVICE_FQDN% - Will be substituted with FQDN of the service.
  • +
  • %SERVICE_PORT% - Will be substituted with port of the service.
  • +
  • %SERVICE_PORT_NAME% - Will be substituted with port name of the service.
  • +
  • %SUBSET_NAME% - Will be substituted with subset.
  • +
+ +

Following are some examples of supported patterns for reviews:

+ +
    +
  • %SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
  • +
  • %SERVICE% will use reviews.prod as the stats name.
  • +
+ +
+No +
certificatesCertificate[] +

Configure the provision of certificates.

+ +
+No +
thriftConfigThriftConfig +

Set configuration for Thrift protocol

+ +
+No +
enablePrometheusMergeBoolValue +

If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy +and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod +and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. +This relies on the annotations prometheus.io/scrape, prometheus.io/port, and +prometheus.io/path annotations. +If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. +In this case, it is recommended to disable aggregation on that deployment with the +prometheus.istio.io/merge-metrics: "false" annotation. +If not specified, this will be enabled by default.

+ +
+No +
extensionProvidersExtensionProvider[] +

Defines a list of extension providers that extend Istio’s functionality. For example, the AuthorizationPolicy +can be used with an extension provider to delegate the authorization decision to a custom authorization system.

+ +
+No +
defaultProvidersDefaultProviders +

Specifies extension providers to use by default in Istio configuration resources.

+ +
+No +
discoverySelectorsLabelSelector[] +

A list of Kubernetes selectors that specify the set of namespaces that Istio considers when +computing configuration updates for sidecars. This can be used to reduce Istio’s computational load +by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. +If omitted, Istio will use the default behavior of processing all namespaces in the cluster. +Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. +The following example selects any namespace that matches either below: +1. The namespace has both of these labels: env: prod and region: us-east1 +2. The namespace has label app equal to cassandra or spark.

+ +
discoverySelectors:
+  - matchLabels:
+      env: prod
+      region: us-east1
+  - matchExpressions:
+    - key: app
+      operator: In
+      values:
+        - cassandra
+        - spark
+
+ +

Refer to the kubernetes selector docs +for additional detail on selector semantics.

+ +
+No +
pathNormalizationProxyPathNormalization +

ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are +normalized by the sidecars and gateways. +The normalized paths will be used in all aspects through the requests’ lifetime on the +sidecars and gateways, which includes routing decisions in outbound direction (client proxy), +authorization policy match and enforcement in inbound direction (server proxy), and the URL +path proxied to the upstream service. +If not set, the NormalizationType.DEFAULT configuration will be used.

+ +
+No +
defaultHttpRetryPolicyHTTPRetry +

Configure the default HTTP retry policy. +The default number of retry attempts is set at 2 for these errors: + “connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes”. +Setting the number of attempts to 0 disables retry policy globally. +This setting can be overriden on a per-host basis using the Virtual Service +API. +All settings in the retry policy except perTryTimeout can currently be +configured globally via this field.

+ +
+No +
meshMTLSTLSConfig +

Configuration of mTLS for traffic between workloads within the mesh.

+ +
+No +
+
+

ConfigSource

+
+

ConfigSource describes information about a configuration store inside a +mesh. A single control plane instance can interact with one or more data +sources.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
addressstring +

Address of the server implementing the Istio Mesh Configuration +protocol (MCP). Can be IP address or a fully qualified DNS name. +Use fs:/// to specify a file-based backend with absolute path to the directory.

+ +
+No +
tlsSettingsClientTLSSettings +

Use the tls_settings to specify the tls mode to use. If the MCP server +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS +mode as ISTIO_MUTUAL.

+ +
+No +
subscribedResourcesResource[] +

Describes the source of configuration, if nothing is specified default is MCP

+ +
+No +
+
+

Certificate

+
+

Certificate configures the provision of a certificate and its key. +Example 1: key and cert stored in a secret

+ +
{ secretName: galley-cert
+  secretNamespace: istio-system
+  dnsNames:
+    - galley.istio-system.svc
+    - galley.mydomain.com
+}
+
+ +

Example 2: key and cert stored in a directory

+ +
{ dnsNames:
+    - pilot.istio-system
+    - pilot.istio-system.svc
+    - pilot.mydomain.com
+}
+
+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
secretNamestring +

Name of the secret the certificate and its key will be stored into. +If it is empty, it will not be stored into a secret. +Instead, the certificate and its key will be stored into a hard-coded directory.

+ +
+No +
dnsNamesstring[] +

The DNS names for the certificate. A certificate may contain +multiple DNS names.

+ +
+No +
+
+

MeshConfig.OutboundTrafficPolicy

+
+ + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
modeMode + +No +
+
+

MeshConfig.CertificateData

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
pemstring (oneof) +

The PEM data of the certificate.

+ +
+No +
spiffeBundleUrlstring (oneof) +

The SPIFFE bundle endpoint URL that complies to: +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle +The endpoint should support authentication based on Web PKI: +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki +The certificate is retrieved from the endpoint.

+ +
+No +
certSignersstring[] +

Optional. Specify the kubernetes signers (External CA) that use this trustAnchor +when Istiod is acting as RA(registration authority) +If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

+ +
+No +
trustDomainsstring[] +

Optional. Specify the list of trust domains to which this trustAnchor data belongs. +If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain +and its aliases. +Note that we can have multiple trustAnchor data for a same trust_domain. +In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. +If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. +If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. +If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. +If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.

+ +
+No +
+
+

MeshConfig.ThriftConfig

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
rateLimitUrlstring +

Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, +this will enable the rate limit service for destinations that have matching rate +limit configurations.

+ +
+No +
rateLimitTimeoutDuration +

Specify thrift rate limit service timeout, in milliseconds. Default is 50ms

+ +
+No +
+
+

MeshConfig.CA

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
addressstring +

REQUIRED. Address of the CA server implementing the Istio CA gRPC API. +Can be IP address or a fully qualified DNS name with port +Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

+ +
+No +
tlsSettingsClientTLSSettings +

Use the tls_settings to specify the tls mode to use. +Regarding tls_settings: +- DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. +DISABLE MODE can also be used for testing +- TLS MUTUAL MODE be on by default. If the CA certificates +(cert bundle to verify the CA server’s certificate) is omitted, Istiod will +use the system root certs to verify the CA server’s certificate.

+ +
+No +
requestTimeoutDuration +

timeout for forward CSR requests from Istiod to External CA +Default: 10s

+ +
+No +
istiodSidebool +

Use istiod_side to specify CA Server integrate to Istiod side or Agent side +Default: true

+ +
+No +
+
+

MeshConfig.ExtensionProvider

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring +

REQUIRED. A unique name identifying the extension provider.

+ +
+No +
envoyExtAuthzHttpEnvoyExternalAuthorizationHttpProvider (oneof) +

Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.

+ +
+No +
envoyExtAuthzGrpcEnvoyExternalAuthorizationGrpcProvider (oneof) +

Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.

+ +
+No +
zipkinZipkinTracingProvider (oneof) +

Configures a tracing provider that uses the Zipkin API.

+ +
+No +
lightstepLightstepTracingProvider (oneof) +

Configures a Lightstep tracing provider.

+ +
+No +
datadogDatadogTracingProvider (oneof) +

Configures a Datadog tracing provider.

+ +
+No +
stackdriverStackdriverProvider (oneof) +

Configures a Stackdriver provider.

+ +
+No +
opencensusOpenCensusAgentTracingProvider (oneof) +

Configures an OpenCensusAgent tracing provider.

+ +
+No +
skywalkingSkyWalkingTracingProvider (oneof) +

Configures a Apache SkyWalking provider.

+ +
+No +
prometheusPrometheusMetricsProvider (oneof) +

Configures a Prometheus metrics provider.

+ +
+No +
envoyFileAccessLogEnvoyFileAccessLogProvider (oneof) +

Configures an Envoy File Access Log provider.

+ +
+No +
envoyHttpAlsEnvoyHttpGrpcV3LogProvider (oneof) +

Configures an Envoy Access Logging Service provider for HTTP traffic.

+ +
+No +
envoyTcpAlsEnvoyTcpGrpcV3LogProvider (oneof) +

Configures an Envoy Access Logging Service provider for TCP traffic.

+ +
+No +
envoyOtelAlsEnvoyOpenTelemetryLogProvider (oneof) +

Configures an Envoy Open Telemetry Access Logging Service provider.

+ +
+No +
+
+

MeshConfig.DefaultProviders

+
+

Holds the name references to the providers that will be used by default +in other Istio configuration resources if the provider is not specified.

+ +

These names must match a provider defined in extension_providers that is +one of the supported tracing providers.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
tracingstring[] +

Name of the default provider(s) for tracing.

+ +
+No +
metricsstring[] +

Name of the default provider(s) for metrics.

+ +
+No +
accessLoggingstring[] +

Name of the default provider(s) for access logging.

+ +
+No +
+
+

MeshConfig.ProxyPathNormalization

+
+ + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
normalizationNormalizationType + +No +
+
+

MeshConfig.TLSConfig

+
+ + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
minProtocolVersionTLSProtocol +

Optional: the minimum TLS protocol version. The default minimum +TLS version will be TLS 1.2. As servers may not be Envoy and be +set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the +minimum TLS version for clients may also be TLS 1.2. +In the current Istio implementation, the maximum TLS protocol version +is TLS 1.3.

+ +
+No +
+
+

MeshConfig.ServiceSettings.Settings

+
+

Settings for the selected services.

+ + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
clusterLocalbool +

If true, specifies that the client and service endpoints must reside in the same cluster. +By default, in multi-cluster deployments, the Istio control plane assumes all service +endpoints to be reachable from any client in any of the clusters which are part of the +mesh. This configuration option limits the set of service endpoints visible to a client +to be cluster scoped.

+ +

There are some common scenarios when this can be useful:

+ +
    +
  • A service (or group of services) is inherently local to the cluster and has local storage +for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
  • +
  • A mesh administrator wants to slowly migrate services to Istio. They might start by first +having services cluster-local and then slowly transition them to mesh-wide. They could do +this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group +(e.g. *.myns.svc.cluster.local).
  • +
+ +

By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all +services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
maxRequestBytesuint32 +

Sets the maximum size of a message body that the ext-authz filter will hold in memory. +If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). +Otherwise the request will be sent to the provider with a partial message. +Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the +fail_open is set to true.

+ +
+No +
allowPartialMessagebool +

When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. +The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. +A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message +indicating if the body data is partial.

+ +
+No +
packAsBytesbool +

If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes +in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). +Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). +This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
servicestring +

REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

+ +

Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

+ +
+No +
portuint32 +

REQUIRED. Specifies the port of the service.

+ +
+No +
timeoutDuration +

The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). +When this timeout condition is met, the proxy marks the communication to the authorization service as failure. +In this situation, the response sent back to the client will depend on the configured fail_open field.

+ +
+No +
pathPrefixstring +

Sets a prefix to the value of authorization request header Path. +For example, setting this to “/check” for an original user request at path “/admin” will cause the +authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.

+ +
+No +
failOpenbool +

If true, the user request will be allowed even if the communication with the authorization service has failed, +or if the authorization service has returned a HTTP 5xx error. +Default is false and the request will be rejected with “Forbidden” response.

+ +
+No +
statusOnErrorstring +

Sets the HTTP status that is returned to the client when there is a network error to the authorization service. +The default status is “403” (HTTP Forbidden).

+ +
+No +
includeHeadersInCheckstring[] +

DEPRECATED. Use include_request_headers_in_check instead.

+ +
+No +
includeRequestHeadersInCheckstring[] +

List of client request headers that should be included in the authorization request sent to the authorization service. +Note that in addition to the headers specified here following headers are included by default: +1. Host, Method, Path and Content-Length are automatically sent. +2. Content-Length will be set to 0 and the request will not have a message body. However, the authorization +request can include the buffered client request body (controlled by include_request_body_in_check setting), +consequently the value of Content-Length of the authorization request reflects the size of its payload size.

+ +

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match +https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): +- Exact match: “abc” will match on value “abc”. +- Prefix match: “abc*” will match on value “abc” and “abcd”. +- Suffix match: “*abc” will match on value “abc” and “xabc”.

+ +
+No +
includeAdditionalHeadersInCheckmap<string, string> +

Set of additional fixed headers that should be included in the authorization request sent to the authorization service. +Key is the header name and value is the header value. +Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden.

+ +
+No +
includeRequestBodyInCheckEnvoyExternalAuthorizationRequestBody +

If set, the client request body will be included in the authorization request sent to the authorization service.

+ +
+No +
headersToUpstreamOnAllowstring[] +

List of headers from the authorization service that should be added or overridden in the original request and +forwarded to the upstream when the authorization check result is allowed (HTTP code 200). +If not specified, the original request will not be modified and forwarded to backend as-is. +Note, any existing headers will be overridden.

+ +

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match +https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): +- Exact match: “abc” will match on value “abc”. +- Prefix match: “abc*” will match on value “abc” and “abcd”. +- Suffix match: “*abc” will match on value “abc” and “xabc”.

+ +
+No +
headersToDownstreamOnDenystring[] +

List of headers from the authorization service that should be forwarded to downstream when the authorization +check result is not allowed (HTTP code other than 200). +If not specified, all the authorization response headers, except Authority (Host) will be in the response to +the downstream. +When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are +automatically added. +Note, the body from the authorization service is always included in the response to downstream.

+ +

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match +https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): +- Exact match: “abc” will match on value “abc”. +- Prefix match: “abc*” will match on value “abc” and “abcd”. +- Suffix match: “*abc” will match on value “abc” and “xabc”.

+ +
+No +
headersToDownstreamOnAllowstring[] +

List of headers from the authorization service that should be forwarded to downstream when the authorization +check result is allowed (HTTP code 200). +If not specified, the original response will not be modified and forwarded to downstream as-is. +Note, any existing headers will be overridden.

+ +

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match +https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): +- Exact match: “abc” will match on value “abc”. +- Prefix match: “abc*” will match on value “abc” and “abcd”. +- Suffix match: “*abc” will match on value “abc” and “xabc”.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
servicestring +

REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

+ +

Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

+ +
+No +
portuint32 +

REQUIRED. Specifies the port of the service.

+ +
+No +
timeoutDuration +

The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). +When this timeout condition is met, the proxy marks the communication to the authorization service as failure. +In this situation, the response sent back to the client will depend on the configured fail_open field.

+ +
+No +
failOpenbool +

If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, +or if the authorization service has returned a HTTP 5xx error. +Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

+ +
+No +
statusOnErrorstring +

Sets the HTTP status that is returned to the client when there is a network error to the authorization service. +The default status is “403” (HTTP Forbidden).

+ +
+No +
includeRequestBodyInCheckEnvoyExternalAuthorizationRequestBody +

If set, the client request body will be included in the authorization request sent to the authorization service.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.ZipkinTracingProvider

+
+

Defines configuration for a Zipkin tracer.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
servicestring +

REQUIRED. Specifies the service that the Zipkin API. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

+ +

Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.

+ +
+No +
portuint32 +

REQUIRED. Specifies the port of the service.

+ +
+No +
maxTagLengthuint32 +

Optional. Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.LightstepTracingProvider

+
+

Defines configuration for a Lightstep tracer.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
servicestring +

REQUIRED. Specifies the service for the Lightstep collector. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

+ +

Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.

+ +
+No +
portuint32 +

REQUIRED. Specifies the port of the service.

+ +
+No +
accessTokenstring +

The Lightstep access token.

+ +
+No +
maxTagLengthuint32 +

Optional. Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.DatadogTracingProvider

+
+

Defines configuration for a Datadog tracer.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
servicestring +

REQUIRED. Specifies the service for the Datadog agent. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

+ +

Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.

+ +
+No +
portuint32 +

REQUIRED. Specifies the port of the service.

+ +
+No +
maxTagLengthuint32 +

Optional. Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.SkyWalkingTracingProvider

+
+

Defines configuration for a SkyWalking tracer.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
servicestring +

REQUIRED. Specifies the service for the SkyWalking receiver. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

+ +

Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.

+ +
+No +
portuint32 +

REQUIRED. Specifies the port of the service.

+ +
+No +
accessTokenstring +

Optional. The SkyWalking OAP access token.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.StackdriverProvider

+
+

Defines configuration for Stackdriver.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
maxTagLengthuint32 +

Optional. Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

+ +
+No +
loggingLogging +

Optional. Controls Stackdriver logging behavior.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider

+
+

Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
servicestring +

REQUIRED. Specifies the service for the OpenCensusAgent. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

+ +

Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.

+ +
+No +
portuint32 +

REQUIRED. Specifies the port of the service.

+ +
+No +
contextTraceContext[] +

Specifies the set of context propagation headers used for distributed +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, +the proxy will attempt to read each header for each request and will +write all headers.

+ +
+No +
maxTagLengthuint32 +

Optional. Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.PrometheusMetricsProvider

+
+
+

MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider

+
+

Defines configuration for Envoy-based access logging that writes to +local files (and/or standard streams).

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
pathstring +

Path to a local file to write the access log entries. +This may be used to write to streams, via /dev/stderr and /dev/stdout +If unspecified, defaults to /dev/stdout.

+ +
+No +
logFormatLogFormat +

Optional. Allows overriding of the default access log format.

+ +
+No +
+
+

MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider

-

AuthenticationPolicy defines authentication policy. It can be set for -different scopes (mesh, service …), and the most narrow scope with -non-INHERIT value will be used. -Mesh policy cannot be INHERIT.

+

Defines configuration for an Envoy Access Logging Service +integration for HTTP traffic.

- +
- + + + - - + + + + - - + + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameFieldType DescriptionRequired
NONE
servicestring -

Do not encrypt Envoy to Envoy traffic.

+

REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

+ +

Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

+
+No
MUTUAL_TLS
portuint32 -

Envoy to Envoy traffic is wrapped into mutual TLS connections.

+

REQUIRED. Specifies the port of the service.

+
+No
INHERIT
logNamestring -

Use the policy defined by the parent scope. Should not be used for mesh -policy.

+

Optional. The friendly name of the access log. +Defaults: +- “http_envoy_accesslog” +- “listener_envoy_accesslog”

+ +
+No +
filterStateObjectsToLogstring[] +

Optional. Additional filter state objects to log.

+ +
+No +
additionalRequestHeadersToLogstring[] +

Optional. Additional request headers to log.

+ +
+No +
additionalResponseHeadersToLogstring[] +

Optional. Additional response headers to log.

+ +
+No +
additionalResponseTrailersToLogstring[] +

Optional. Additional response trailers to log.

+
+No
-

Certificate

+

MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider

-

Certificate configures the provision of a certificate and its key. -Example 1: key and cert stored in a secret -{ secretName: galley-cert - secretNamespace: istio-system - dnsNames: - - galley.istio-system.svc - - galley.mydomain.com -} -Example 2: key and cert stored in a directory -{ dnsNames: - - pilot.istio-system - - pilot.istio-system.svc - - pilot.mydomain.com -}

+

Defines configuration for an Envoy Access Logging Service +integration for TCP traffic.

@@ -77,25 +2176,52 @@

Certificate

- - + + - - + + + + + + + + + + + + + +
secretName
service string -

Name of the secret the certificate and its key will be stored into. -If it is empty, it will not be stored into a secret. -Instead, the certificate and its key will be stored into a hard-coded directory.

+

REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

+ +

Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

No
dnsNames
portuint32 +

REQUIRED. Specifies the port of the service.

+ +
+No +
logNamestring +

Optional. The friendly name of the access log. +Defaults: +- “tcp_envoy_accesslog” +- “listener_envoy_accesslog”

+ +
+No +
filterStateObjectsToLog string[] -

The DNS names for the certificate. A certificate may contain -multiple DNS names.

+

Optional. Additional filter state objects to log.

@@ -105,11 +2231,9 @@

Certificate

-

ConfigSource

+

MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider

-

ConfigSource describes information about a configuration store inside a -mesh. A single control plane instance can interact with one or more data -sources.

+

Defines configuration for an Envoy OpenTelemetry (gRPC) Access Log

@@ -121,37 +2245,52 @@

ConfigSource

- - + + - - - + + + - - - + + + + + + + + +
address
service string -

Address of the server implementing the Istio Mesh Configuration -protocol (MCP). Can be IP address or a fully qualified DNS name. -Use fs:/// to specify a file-based backend with absolute path to the directory.

+

REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

+ +

Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

No
tlsSettingsTLSSettings
portuint32 -

Use the tlssettings to specify the tls mode to use. If the MCP server -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS -mode as ISTIOMUTUAL.

+

REQUIRED. Specifies the port of the service.

No
subscribedResourcesResource[]
logNamestring -

Describes the source of configuration, if nothing is specified default is MCP

+

Optional. The friendly name of the access log. +Defaults: +- “otel_envoy_accesslog”

+ +
+No +
logFormatLogFormat +

Optional. Format for the proxy access log +Empty value results in proxy’s default access log format, following Envoy access logging formatting.

@@ -161,55 +2300,41 @@

ConfigSource

-

LocalityLoadBalancerSetting

+

MeshConfig.ExtensionProvider.StackdriverProvider.Logging

-

Locality-weighted load balancing allows administrators to control the -distribution of traffic to endpoints based on the localities of where the -traffic originates and where it will terminate. These localities are -specified using arbitrary labels that designate a hierarchy of localities in -{region}/{zone}/{sub-zone} form. For additional detail refer to -Locality Weight -The following example shows how to setup locality weights mesh-wide.

- -

Given a mesh with workloads and their service deployed to “us-west/zone1/” -and “us-west/zone2/”. This example specifies that when traffic accessing a -service originates from workloads in “us-west/zone1/”, 80% of the traffic -will be sent to endpoints in “us-west/zone1/”, i.e the same zone, and the -remaining 20% will go to endpoints in “us-west/zone2/”. This setup is -intended to favor routing traffic to endpoints in the same locality. -A similar setting is specified for traffic originating in “us-west/zone2/”.

- -
  distribute:
-    - from: us-west/zone1/*
-      to:
-        "us-west/zone1/*": 80
-        "us-west/zone2/*": 20
-    - from: us-west/zone2/*
-      to:
-        "us-west/zone1/*": 20
-        "us-west/zone2/*": 80
-
- -

If the goal of the operator is not to distribute load across zones and -regions but rather to restrict the regionality of failover to meet other -operational requirements an operator can set a ‘failover’ policy instead of -a ‘distribute’ policy.

- -

The following example sets up a locality failover policy for regions. -Assume a service resides in zones within us-east, us-west & eu-west -this example specifies that when endpoints within us-east become unhealthy -traffic should failover to endpoints in any zone or sub-zone within eu-west -and similarly us-west should failover to us-east.

- -
 failover:
-   - from: us-east
-     to: eu-west
-   - from: us-west
-     to: us-east
-
+ + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
labelsmap<string, string> +

Collection of tag names and tag expressions to include in the log +entry. Conflicts are resolved by the tag name by overriding previously +supplied values.

-

Locality load balancing settings.

+

Example: + labels: + path: request.url_path + foo: request.headers[‘x-foo’]

+
+No +
+
+

MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider.LogFormat

+
@@ -220,28 +2345,39 @@

LocalityLoadBalancerSetting

- - - + + + - - - + + +
distributeDistribute[]
textstring (oneof) -

Optional: only one of distribute or failover can be set. -Explicitly specify loadbalancing weight across different zones and geographical locations. -Refer to Locality weighted load balancing -If empty, the locality weight is set according to the endpoints number within it.

+

Textual format for the envoy access logs. Envoy command operators may be +used in the format. The format string documentation +provides more information.

+ +

NOTE: Istio will insert a newline (‘\n’) on all formats (if missing).

+ +

Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

No
failoverFailover[]
labelsStruct (oneof) -

Optional: only failover or distribute can be set. -Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. -Should be used together with OutlierDetection to detect unhealthy endpoints. -Note: if no OutlierDetection specified, this will not take effect.

+

Structured format for the envoy access logs. Envoy command operators +can be used as values for fields within the Struct. Values are rendered +as strings, numbers, or boolean values, as appropriate +(see: format dictionaries). Nested JSON is +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).

+ +

Example:

+ +
labels:
+  status: "%RESPONSE_CODE%"
+  message: "%LOCAL_REPLY_BODY%"
+
@@ -251,16 +2387,8 @@

LocalityLoadBalancerSetting

-

LocalityLoadBalancerSetting.Distribute

+

MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormat

-

Describes how traffic originating in the ‘from’ zone or sub-zone is -distributed over a set of ‘to’ zones. Syntax for specifying a zone is -{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any -segment of the specification. Examples: -* - matches all localities -us-west/* - all zones and sub-zones within the us-west region -us-west/zone-1/* - all sub-zones within us-west/zone-1

-
@@ -271,24 +2399,39 @@

LocalityLoadBalancerSetting.Dist

- - + + - - - + + +
from
text string -

Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

+

Textual format for the envoy access logs. Envoy command operators may be +used in the format. The format string documentation +provides more information. +Alias to body filed in Open Telemetry +Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

No
tomap<string, uint32>
labelsStruct -

Map of upstream localities to traffic distribution weights. The sum of -all weights should be == 100. Any locality not assigned a weight will -receive no traffic.

+

Optional. Additional attributes that describe the specific event occurrence. +Structured format for the envoy access logs. Envoy command operators +can be used as values for fields within the Struct. Values are rendered +as strings, numbers, or boolean values, as appropriate +(see: format dictionaries). Nested JSON is +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). +Alias to attributes filed in Open Telemetry

+ +

Example:

+ +
labels:
+  status: "%RESPONSE_CODE%"
+  message: "%LOCAL_REPLY_BODY%"
+
@@ -298,15 +2441,12 @@

LocalityLoadBalancerSetting.Dist

-

LocalityLoadBalancerSetting.Failover

+

k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

-

Specify the traffic failover policy across regions. Since zone and sub-zone -failover is supported by default this only needs to be specified for -regions when the operator needs to constrain traffic failover so that -the default behavior of failing over to any endpoint globally does not -apply. This is useful when failing over traffic across regions would not -improve service health or may need to be restricted for other reasons -like regulatory controls.

+

A label selector is a label query over a set of resources. The result of matchLabels and +matchExpressions are ANDed. An empty label selector matches all objects. A null +label selector matches no objects. ++structType=atomic

@@ -318,23 +2458,26 @@

LocalityLoadBalancerSetting.Failov

- - - + + + - - - + + +
fromstring
matchLabelsmap<string, string> -

Originating region.

+

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is “key”, the +operator is “In”, and the values array contains only “value”. The requirements are ANDed. ++optional

No
tostring
matchExpressionsLabelSelectorRequirement[] -

Destination region the traffic will fail over to when endpoints in -the ‘from’ region becomes unhealthy.

+

matchExpressions is a list of label selector requirements. The requirements are ANDed. ++optional

@@ -344,17 +2487,9 @@

LocalityLoadBalancerSetting.Failov

-

MeshConfig

+

Tracing

-

MeshConfig defines mesh-wide variables shared by all Envoy instances in the -Istio service mesh.

- -

NOTE: This configuration type should be used for the low-level global -configuration, such as component addresses and port numbers. It should not -be used for the features of the mesh that can be scoped by service or by -namespace. Some of the fields in the mesh config are going to be deprecated -and replaced with several individual configuration types (for example, -tracing configuration).

+

Tracing defines configuration for the tracing performed by Envoy instances.

@@ -366,565 +2501,616 @@

MeshConfig

- - - + + + + + + + + + - - - + + + + + + + + + - - - + + + - - - + + + + + + + + + + + + +
mixerCheckServerstring
zipkinZipkin (oneof) -

Address of the server that will be used by the proxies for policy -check calls. By using different names for mixerCheckServer and -mixerReportServer, it is possible to have one set of Mixer servers handle -policy check calls while another set of Mixer servers handle telemetry -calls.

+

Use a Zipkin tracer.

-

NOTE: Omitting mixerCheckServer while specifying mixerReportServer is -equivalent to setting disablePolicyChecks to true.

+
+No +
lightstepLightstep (oneof) +

Use a Lightstep tracer.

No
mixerReportServerstring
datadogDatadog (oneof) +

Use a Datadog tracer.

+ +
+No +
stackdriverStackdriver (oneof) -

Address of the server that will be used by the proxies for policy report -calls.

+

Use a Stackdriver tracer.

No
disablePolicyChecksbool
openCensusAgentOpenCensusAgent (oneof) -

Disable policy checks by the Mixer service. Default -is false, i.e. Mixer policy check is enabled by default.

+

Use an OpenCensus tracer exporting to an OpenCensus agent.

No
policyCheckFailOpenbool
samplingdouble +

The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, +if not requested by the client or not forced. Default is 1.0.

+ +
-

Allow all traffic in cases when the Mixer policy service cannot be reached. -Default is false which means the traffic is denied when the client is unable -to connect to Mixer.

+No +
tlsSettingsClientTLSSettings +

Use the tls_settings to specify the tls mode to use. If the remote tracing service +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS +mode as ISTIO_MUTUAL.

+ +
+No +
+
+

PrivateKeyProvider

+
+

PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured +mesh wide or individual per-workload basis.

+ + + + + + + + + + + + + + - - - + +
FieldTypeDescriptionRequired
cryptombCryptoMb (oneof) No
sidecarToTelemetrySessionAffinitybool
+
+

ProxyConfig

+
+

ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis +as well as by the mesh-wide defaults. +To set the mesh wide defaults, configure the defaultConfig section of meshConfig. For example:

+ +
meshConfig:
+  defaultConfig:
+    discoveryAddress: istiod:15012
+
+ +

This can also be configured on a per-workload basis by configuring the proxy.istio.io/config annotation on the pod. For example:

+ +
annotations:
+  proxy.istio.io/config: |
+    discoveryAddress: istiod:15012
+
+ +

If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. +This is different than a deep merge provided by protobuf. +For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider +such as "tracing": { "zipkin": { "address": "..." } }.

+ +

Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.

+ + + + + + + + + + + + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - + + - - + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - - - - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + +
FieldTypeDescriptionRequired
configPathstring -

Enable session affinity for Envoy Mixer reports so that calls from a proxy will -always target the same Mixer instance.

+

Path to the generated configuration file directory. +Proxy agent generates the actual configuration and stores it in this directory.

No
proxyListenPortint32
binaryPathstring -

Port on which Envoy should listen for incoming connections from -other services.

+

Path to the proxy binary

No
proxyHttpPortint32
serviceClusterstring (oneof) -

Port on which Envoy should listen for HTTP PROXY requests if set.

+

Service cluster defines the name for the service_cluster that is +shared by all Envoy instances. This setting corresponds to +--service-cluster flag in Envoy. In a typical Envoy deployment, the +service-cluster flag is used to identify the caller, for +source-based routing scenarios.

+ +

Since Istio does not assign a local service/service version to each +Envoy instance, the name is same for all of them. However, the +source/caller’s identity (e.g., IP address) is encoded in the +--service-node flag when launching Envoy. When the RDS service +receives API calls from Envoy, it uses the value of the service-node +flag to compute routes that are relative to the service instances +located at that IP address.

No
connectTimeoutDuration
tracingServiceNameTracingServiceName (oneof) -

Connection timeout used by Envoy. (MUST BE >=1ms)

+

Used by Envoy proxies to assign the values for the service names in trace +spans.

No
protocolDetectionTimeout
drainDuration Duration -

Automatic protocol detection uses a set of heuristics to -determine whether the connection is using TLS or not (on the -server side), as well as the application protocol being used -(e.g., http vs tcp). These heuristics rely on the client sending -the first bits of data. For server first protocols like MySQL, -MongoDB, etc., Envoy will timeout on the protocol detection after -the specified period, defaulting to non mTLS plain TCP -traffic. Set this field to tweak the period that Envoy will wait -for the client to send the first bits of data. (MUST BE >=1ms)

+

The time in seconds that Envoy will drain connections during a hot +restart. MUST be >=1s (e.g., 1s/1m/1h) +Default drain duration is 45s.

No
tcpKeepaliveTcpKeepalive
parentShutdownDurationDuration -

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

+

The time in seconds that Envoy will wait before shutting down the +parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h). +MUST BE greater than drain_duration parameter. +Default shutdown duration is 60s.

No
ingressClass
discoveryAddress string -

Class of ingress resources to be processed by Istio ingress -controller. This corresponds to the value of -“kubernetes.io/ingress.class” annotation.

+

Address of the discovery service exposing xDS with mTLS connection. +The inject configuration may override this value.

No
ingressService
statsdUdpAddress string -

Name of theKubernetes service used for the istio ingress controller.

+

IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

No
ingressControllerModeIngressControllerMode
proxyAdminPortint32 -

Defines whether to use Istio ingress controller for annotated or all ingress resources.

+

Port on which Envoy should listen for administrative commands. +Default port is 15000.

No
enableTracingbool
controlPlaneAuthPolicyAuthenticationPolicy -

Flag to control generation of trace spans and request IDs. -Requires a trace span collector defined in the proxy configuration.

+

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. +Default is set to MUTUAL_TLS.

No
accessLogFile
customConfigFile string -

File address for the proxy access log (e.g. /dev/stdout). -Empty value disables access logging.

+

File path of custom proxy configuration, currently used by proxies +in front of Mixer and Pilot.

No
accessLogFormatstring
statNameLengthint32 -

Format for the proxy access log -Empty value results in proxy’s default access log format

+

Maximum length of name field in Envoy’s metrics. The length of the name field +is determined by the length of a name field in a service and the set of labels that +comprise a particular version of the service. The default value is set to 189 characters. +Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. +Increase the value of this field if you find that the metrics from Envoys are truncated.

No
accessLogEncodingAccessLogEncoding
concurrencyInt32Value -

Encoding for the proxy access log (text or json). -Default value is text.

+

The number of worker threads to run. +If unset, this will be automatically determined based on CPU requests/limits. +If set to 0, all cores on the machine will be used. +Default is 2 worker threads.

No
enableEnvoyAccessLogServicebool
proxyBootstrapTemplatePathstring -

This flag enables Envoy’s gRPC Access Log Service. -See Access Log Service -for details about Envoy’s gRPC Access Log Service API.

+

Path to the proxy bootstrap template file

No
defaultConfigProxyConfig
interceptionModeInboundInterceptionMode -

Default proxy config used by the proxy injection mechanism operating in the mesh -(e.g. Kubernetes admission controller) -In case of Kubernetes, the proxy config is applied once during the injection process, -and remain constant for the duration of the pod. The rest of the mesh config can be changed -at runtime and config gets distributed dynamically.

+

The mode used to redirect inbound traffic to Envoy.

No
outboundTrafficPolicyOutboundTrafficPolicy
tracingTracing -

Set the default behavior of the sidecar for handling outbound traffic -from the application. If your application uses one or more external -services that are not known apriori, setting the policy to ALLOWANY -will cause the sidecars to route any unknown traffic originating from -the application to its requested destination. Users are strongly -encouraged to use ServiceEntries to explicitly declare any external -dependencies, instead of using allowany, so that traffic to these -services can be monitored.

+

Tracing configuration to be used by the proxy.

No
enableClientSidePolicyCheckbool
envoyAccessLogServiceRemoteService -

Enables client side policy checks.

+

Address of the service to which access logs from Envoys should be +sent. (e.g. accesslog-service:15000). See Access Log +Service +for details about Envoy’s gRPC Access Log Service API.

No
sdsUdsPathstring
envoyMetricsServiceRemoteService -

Unix Domain Socket through which Envoy communicates with NodeAgent SDS to get key/cert for mTLS. -Use secret-mount files instead of SDS if set to empty.

+

Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). +See Metric Service +for details about Envoy’s Metrics Service API.

No
configSourcesConfigSource[]
proxyMetadatamap<string, string> -

ConfigSource describes a source of configuration data for networking -rules, and other Istio configuration artifacts. Multiple data sources -can be configured for a single control plane.

+

Additional environment variables for the proxy. +Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

No
enableAutoMtlsBoolValue
runtimeValuesmap<string, string> -

This flag is used to enable mutual TLS automatically for service to service communication -within the mesh, default true. -If set to true, and a given service does not have a corresponding DestinationRule configured, -or its DestinationRule does not have TLSSettings specified, Istio configures client side -TLS configuration appropriately. More specifically, -If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate -for mutual TLS to connect to upstream. -If upstream service is in plain text mode, use plain text. -If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use -mutual TLS when server sides are capable of accepting mutual TLS traffic. -If service DestinationRule exists and has TLSSettings specified, that is always used instead.

+

Envoy runtime configuration to set during bootstrapping. +This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

No
trustDomainstring
statusPortint32 -

The trust domain corresponds to the trust root of a system. -Refer to SPIFFE-ID

+

Port on which the agent should listen for administrative commands such as readiness probe. +Default is set to port 15020.

No
trustDomainAliases
extraStatTags string[] -

The trust domain aliases represent the aliases of trust_domain. -For example, if we have

- -
trustDomain: td1
-trustDomainAliases: ["td2", "td3"]
-
- -

Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, -or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

+

An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be +added by configuring the telemetry extension. Each additional tag needs to be present in this list. +Extra tags emitted by the telemetry extensions must be listed here so that they can be processed +and exposed as Prometheus metrics.

No
defaultServiceExportTostring[]
terminationDrainDurationDuration -

The default value for the ServiceEntry.export_to field and services -imported through container registry integrations, e.g. this applies to -Kubernetes Service resources. The value is a list of namespace names and -reserved namespace aliases. The allowed namespace aliases are:

- -
    -
  • - All Namespaces -. - Current Namespace -~ - No Namespace
  • -
- -

If not set the system will use “*” as the default value which implies that -services are exported to all namespaces.

- -

‘All namespaces’ is a reasonable default for implementations that don’t -need to restrict access or visibility of services across namespace -boundaries. If that requirement is present it is generally good practice to -make the default ‘Current namespace’ so that services are only visible -within their own namespaces by default. Operators can then expand the -visibility of services to other namespaces as needed. Use of ‘No Namespace’ -is expected to be rare but can have utility for deployments where -dependency management needs to be precise even within the scope of a single -namespace.

- -

For further discussion see the reference documentation for ServiceEntry, -Sidecar, and Gateway.

+

The amount of time allowed for connections to complete on proxy shutdown. +On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start draining, +preventing any new connections and allowing existing connections to complete. It then +sleeps for the termination_drain_duration and then kills any remaining active Envoy processes. +If not set, a default of 5s will be applied.

No
defaultVirtualServiceExportTostring[]
meshIdstring -

The default value for the VirtualService.exportto field. Has the same -syntax as ‘defaultserviceexportto’.

- -

If not set the system will use “*” as the default value which implies that -virtual services are exported to all namespaces

+

The unique identifier for the service mesh +All control planes running in the same service mesh should specify the same mesh ID. +Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

No
defaultDestinationRuleExportTostring[]
readinessProbeReadinessProbe -

The default value for the DestinationRule.exportto field. Has the same -syntax as ‘defaultserviceexportto’.

- -

If not set the system will use “*” as the default value which implies that -destination rules are exported to all namespaces

+

VM Health Checking readiness probe. This health check config exactly mirrors the +kubernetes readiness probe configuration both in schema and logic. +Only one health check method of 3 can be set at a time.

No
rootNamespacestring
proxyStatsMatcherProxyStatsMatcher -

The namespace to treat as the administrative root namespace for -Istio configuration. When processing a leaf namespace Istio will search for -declarations in that namespace first and if none are found it will -search in the root namespace. Any matching declaration found in the root -namespace is processed as if it were declared in the leaf namespace.

+

Proxy stats matcher defines configuration for reporting custom Envoy stats. +To reduce memory and CPU overhead from Envoy stats system, Istio proxies by +default create and expose only a subset of Envoy stats. This option is to +control creation of additional Envoy stats with prefix, suffix, and regex +expressions match on the name of the stats. This replaces the stats +inclusion annotations +(sidecar.istio.io/statsInclusionPrefixes, +sidecar.istio.io/statsInclusionRegexps, and +sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats +for circuit breaker, retry, and upstream connections, you can specify stats +matcher as follow:

-

The precise semantics of this processing are documented on each resource -type.

+
proxyStatsMatcher:
+  inclusionRegexps:
+    - .*circuit_breakers.*
+  inclusionPrefixes:
+    - upstream_rq_retry
+    - upstream_cx
+
-
-No -
localityLbSettingLocalityLoadBalancerSetting -

Locality based load balancing distribution or failover settings.

+

Note including more Envoy stats might increase number of time series +collected by prometheus significantly. Care needs to be taken on Prometheus +resource provision and configuration to reduce cardinality.

No
dnsRefreshRateDuration
holdApplicationUntilProxyStartsBoolValue -

Configures DNS refresh rate for Envoy clusters of type STRICT_DNS

+

Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. +This feature adds hooks to delay application startup until the pod proxy +is ready to accept traffic, mitigating some startup race conditions. +Default value is ‘false’.

No
disableReportBatchbool
caCertificatesPemstring[] -

The flag to disable report batch.

+

The PEM data of the extra root certificates for workload-to-workload communication. +This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. +The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) +are added automatically by Istiod.

No
reportBatchMaxEntriesuint32
imageProxyImage -

When disablereportbatch is false, this value specifies the maximum number -of requests that are batched in report. If left unspecified, the default value -of reportbatchmax_entries == 0 will use the hardcoded defaults of -istio::mixerclient::ReportOptions.

+

Specifies the details of the proxy image.

No
reportBatchMaxTimeDuration
privateKeyProviderPrivateKeyProvider -

When disablereportbatch is false, this value specifies the maximum elapsed -time a batched report will be sent after a user request is processed. If left -unspecified, the default reportbatchmax_time == 0 will use the hardcoded -defaults of istio::mixerclient::ReportOptions.

+

Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.

No
h2UpgradePolicyH2UpgradePolicy
zipkinAddressstring -

Specify if http1.1 connections should be upgraded to http2 by default. -if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. -If one or more services or namespaces do not have sidecar(s), then this should be set to DONOTUPGRADE. -It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.

+

Address of the Zipkin service (e.g. zipkin:9411). +DEPRECATED: Use tracing instead.

No
inboundClusterStatName
+
+

RemoteService

+
+ + + + + + + + + + + + - - - + + + - - - + + +
FieldTypeDescriptionRequired
address string -

Name to be used while emitting statistics for inbound clusters. -By default, Istio emits statistics with the pattern inbound|||. -For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.

- -

A Pattern can be composed of various pre-defined variables. The following variables are supported. -%SERVICE% - Will be substituted with name of the service. -%SERVICEFQDN% - Will be substituted with FQDN of the service. -%SERVICEPORT% - Will be substituted with port of the service. -%SERVICEPORTNAME% - Will be substituted with port name of the service.

- -

Following are some examples of supported patterns for reviews. -%SERVICEFQDN%%SERVICEPORT% will use reviews.prod.svc.cluster.local7443 as the stats name. -%SERVICE% will use reviews.prod as the stats name.

+

Address of a remove service used for various purposes (access log +receiver, metrics receiver, etc.). Can be IP address or a fully +qualified DNS name.

No
outboundClusterStatNamestring
tlsSettingsClientTLSSettings -

Name to be used while emitting statistics for outbound clusters. -By default, Istio emits statistics with the pattern outbound|||. -For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.

- -

A Pattern can be composed of various pre-defined variables. The following variables are supported. -%SERVICE% - Will be substituted with name of the service. -%SERVICEFQDN% - Will be substituted with FQDN of the service. -%SERVICEPORT% - Will be substituted with port of the service. -%SERVICEPORTNAME% - Will be substituted with port name of the service. -%SUBSET_NAME% - Will be substituted with subset.

- -

Following are some examples of supported patterns for reviews. -%SERVICEFQDN%%SERVICEPORT% will use reviews.prod.svc.cluster.local7443 as the stats name. -%SERVICE% will use reviews.prod as the stats name.

+

Use the tls_settings to specify the tls mode to use. If the remote service +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS +mode as ISTIO_MUTUAL.

No
certificatesCertificate[]
tcpKeepaliveTcpKeepalive -

Configure the provision of certificates.

+

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

@@ -934,102 +3120,130 @@

MeshConfig

-

MeshConfig.AccessLogEncoding

+

Tracing.Zipkin

- +

Zipkin defines configuration for a Zipkin tracer.

+ +
- + + + - - + + + - - -
NameFieldType DescriptionRequired
TEXT
addressstring +

Address of the Zipkin service (e.g. zipkin:9411).

+
JSON +No
-

MeshConfig.H2UpgradePolicy

+

Tracing.Lightstep

-

Default Policy for upgrading http1.1 connections to http2.

+

Defines configuration for a Lightstep tracer.

- +
- + + + - - + + + + - - + + + +
NameFieldType DescriptionRequired
DO_NOT_UPGRADE
addressstring -

Do not upgrade connections to http2.

+

Address of the Lightstep Satellite pool.

+
+No
UPGRADE
accessTokenstring -

Upgrade the connections to http2.

+

The Lightstep access token.

+
+No
-

MeshConfig.IngressControllerMode

+

Tracing.Datadog

- +

Datadog defines configuration for a Datadog tracer.

+ +
- + + + - - + + + - - - - - - +
NameFieldType DescriptionRequired
OFF
addressstring -

Disables Istio ingress controller.

+

Address of the Datadog Agent.

DEFAULT -

Istio ingress controller will act on ingress resources that do not -contain any annotation or whose annotations match the value -specified in the ingress_class parameter described earlier. Use this -mode if Istio ingress controller will be the default ingress -controller for the entireKubernetes cluster.

- +No
STRICT -

Istio ingress controller will only act on ingress resources whose -annotations match the value specified in the ingress_class parameter -described earlier. Use this mode if Istio ingress controller will be -a secondary ingress controller (e.g., in addition to a -cloud-provided ingress controller).

+
+
+

Tracing.Stackdriver

+
+

Stackdriver defines configuration for a Stackdriver tracer. +See Envoy’s OpenCensus trace configuration +and +OpenCensus trace config for details.

- + + + + + + + + +
FieldTypeDescriptionRequired
-

MeshConfig.OutboundTrafficPolicy

+

Tracing.OpenCensusAgent

+

OpenCensusAgent defines configuration for an OpenCensus tracer writing to +an OpenCensus agent backend. See +Envoy’s OpenCensus trace configuration +and +OpenCensus trace config +for details.

+ @@ -1040,10 +3254,29 @@

MeshConfig.OutboundTrafficPolicy

- - - + + + + + + + + +
modeMode
addressstring +

gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or +unix:path). See gRPC naming +docs for +details.

+ +
+No +
contextTraceContext[] +

Specifies the set of context propagation headers used for distributed +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, +the proxy will attempt to read each header for each request and will +write all headers.

+
No @@ -1052,55 +3285,43 @@

MeshConfig.OutboundTrafficPolicy

-

MeshConfig.OutboundTrafficPolicy.Mode

+

PrivateKeyProvider.CryptoMb

- +

CryptoMb PrivateKeyProvider configuration

+ +
- + + + - - + + + - - -
NameFieldType DescriptionRequired
REGISTRY_ONLY
pollDelayDuration -

outbound traffic will be restricted to services defined in the -service registry as well as those defined through ServiceEntries

+

How long to wait until the per-thread processing queue should be processed. If the processing queue +gets full (eight sign or decrypt requests are received) it is processed immediately. +However, if the queue is not filled before the delay has expired, the requests already in the queue +are processed, even if the queue is not full. +In effect, this value controls the balance between latency and throughput. +The duration needs to be set to a non-zero value.

ALLOW_ANY -

outbound traffic to unknown destinations will be allowed, in case -there are no services or ServiceEntries for the destination port

- +No
-

MeshNetworks

+

ProxyConfig.ProxyStatsMatcher

-

MeshNetworks (config map) provides information about the set of networks -inside a mesh and how to route to endpoints in each network. For example

- -

MeshNetworks(file/config map):

- -
networks:
-  network1:
-  - endpoints:
-    - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
-    - fromCidr: 192.168.100.0/22 #a VM network for example
-    gateways:
-    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
-      port: 15443
-      locality: us-east-1a
-    - address: 192.168.100.1
-      port: 15443
-      locality: us-east-1a
-
+

Proxy stats name matchers for stats creation. Note this is in addition to +the minimum Envoy stats that Istio generates by default.

@@ -1112,17 +3333,37 @@

MeshNetworks

- - - + + + + + + + + + + + + + + + @@ -1173,70 +3414,48 @@

Network

networksmap<string, Network>
inclusionPrefixesstring[] -

The set of networks inside this mesh. Each network should -have a unique name and information about how to infer the endpoints in -the network as well as the gateways associated with the network.

+

Proxy stats name prefix matcher for inclusion.

-Yes +No +
inclusionSuffixesstring[] +

Proxy stats name suffix matcher for inclusion.

+ +
+No +
inclusionRegexpsstring[] +

Proxy stats name regexps matcher for inclusion.

+ +
+No
-

Network.IstioNetworkGateway

+

MeshNetworks

-

The gateway associated with this network. Traffic from remote networks -will arrive at the specified gateway:port. All incoming traffic must -use mTLS.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - +
FieldTypeDescriptionRequired
registryServiceNamestring (oneof) -

A fully qualified domain name of the gateway service. Pilot will -lookup the service from the service registries in the network and -obtain the endpoint IPs of the gateway from the service -registry. Note that while the service name is a fully qualified -domain name, it need not be resolvable outside the orchestration -platform for the registry. e.g., this could be -istio-ingressgateway.istio-system.svc.cluster.local.

+

MeshNetworks (config map) provides information about the set of networks +inside a mesh and how to route to endpoints in each network. For example

-
-Yes -
addressstring (oneof) -

IP address or externally resolvable DNS address associated with the gateway.

+

MeshNetworks(file/config map):

-
-Yes -
portuint32 -

The port associated with the gateway.

+
networks:
+  network1:
+    endpoints:
+    - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
+    - fromCidr: 192.168.100.0/22 #a VM network for example
+    gateways:
+    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+      port: 15443
+      locality: us-east-1a
+    - address: 192.168.100.1
+      port: 15443
+      locality: us-east-1a
+
-
-Yes -
+ + + + + + - - - + + + + + @@ -1286,7 +3505,7 @@

Network.NetworkEndpoints

@@ -1300,15 +3519,17 @@

Network.NetworkEndpoints

FieldTypeDescriptionRequired
localitystring
networksmap<string, Network> -

The locality associated with an explicitly specified gateway (i.e. ip)

+

The set of networks inside this mesh. Each network should +have a unique name and information about how to infer the endpoints in +the network as well as the gateways associated with the network.

-No +Yes
-Yes +No
-Yes +No
-

ProxyConfig

+

Network.IstioNetworkGateway

-

ProxyConfig defines variables for individual Envoy instances.

+

The gateway associated with this network. Traffic from remote networks +will arrive at the specified gateway:port. All incoming traffic must +use mTLS.

@@ -1320,262 +3541,194 @@

ProxyConfig

- - - - - - - - - - - - - - - + + + - - - + + + - - - + + + - - + + - - - - - + +
configPathstring -

Path to the generated configuration file directory. -Proxy agent generates the actual configuration and stores it in this directory.

- -
-No -
binaryPathstring -

Path to the proxy binary

- -
-No -
serviceClusterstring
registryServiceNamestring (oneof) -

Service cluster defines the name for the service_cluster that is -shared by all Envoy instances. This setting corresponds to -–service-cluster flag in Envoy. In a typical Envoy deployment, the -service-cluster flag is used to identify the caller, for -source-based routing scenarios.

- -

Since Istio does not assign a local service/service version to each -Envoy instance, the name is same for all of them. However, the -source/caller’s identity (e.g., IP address) is encoded in the -–service-node flag when launching Envoy. When the RDS service -receives API calls from Envoy, it uses the value of the service-node -flag to compute routes that are relative to the service instances -located at that IP address.

+

A fully qualified domain name of the gateway service. Pilot will +lookup the service from the service registries in the network and +obtain the endpoint IPs of the gateway from the service +registry. Note that while the service name is a fully qualified +domain name, it need not be resolvable outside the orchestration +platform for the registry. e.g., this could be +istio-ingressgateway.istio-system.svc.cluster.local.

No
drainDurationDuration
addressstring (oneof) -

The time in seconds that Envoy will drain connections during a hot -restart. MUST be >=1s (e.g., 1s/1m/1h)

+

IP address or externally resolvable DNS address associated with the gateway.

No
parentShutdownDurationDuration
portuint32 -

The time in seconds that Envoy will wait before shutting down the -parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h). -MUST BE greater than drainduration_ parameter.

+

The port associated with the gateway.

-No +Yes
discoveryAddress
locality string -

Address of the discovery service exposing xDS with mTLS connection.

+

The locality associated with an explicitly specified gateway (i.e. ip)

No
connectTimeoutDuration -

Connection timeout used by Envoy for supporting services. (MUST BE >=1ms)

- -
-No -
+
+

MeshConfig.OutboundTrafficPolicy.Mode

+
+ + + + + - - - + + + + - - - - + + - - - - - +
NameDescription
statsdUdpAddressstring
REGISTRY_ONLY -

IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

+

outbound traffic will be restricted to services defined in the +service registry as well as those defined through ServiceEntries

-
-No
proxyAdminPortint32
ALLOW_ANY -

Port on which Envoy should listen for administrative commands.

+

outbound traffic to unknown destinations will be allowed, in case +there are no services or ServiceEntries for the destination port

-
-No
controlPlaneAuthPolicyAuthenticationPolicy -

Authentication policy defines the global switch to control authentication -for Envoy-to-Envoy communication for istio components Mixer and Pilot.

+
+
+

MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext

+
+

TraceContext selects the context propagation headers used for +distributed tracing.

- - -No - + + + + + - - - + + + + - - - - + + - - - - + + - - - - + + - - - - - - + +
NameDescription
customConfigFilestring
W3C_TRACE_CONTEXT -

File path of custom proxy configuration, currently used by proxies -in front of Mixer and Pilot.

+

Use W3C Trace Context propagation using the traceparent HTTP header. +See the +Trace Context documentation for details.

-
-No
statNameLengthint32
GRPC_BIN -

Maximum length of name field in Envoy’s metrics. The length of the name field -is determined by the length of a name field in a service and the set of labels that -comprise a particular version of the service. The default value is set to 189 characters. -Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. -Increase the value of this field if you find that the metrics from Envoys are truncated.

+

Use gRPC binary context propagation using the grpc-trace-bin http header.

-
-No
concurrencyint32
CLOUD_TRACE_CONTEXT -

The number of worker threads to run. Default value is number of cores on the machine.

+

Use Cloud Trace context propagation using the +X-Cloud-Trace-Context http header.

-
-No
proxyBootstrapTemplatePathstring
B3 -

Path to the proxy bootstrap template file

+

Use multi-header B3 context propagation using the X-B3-TraceId, +X-B3-SpanId, and X-B3-Sampled HTTP headers. See +B3 header propagation README +for details.

-
-No
interceptionModeInboundInterceptionMode -

The mode used to redirect inbound traffic to Envoy.

- -
-No -
+
+

MeshConfig.ProxyPathNormalization.NormalizationType

+
+ + + + + - - - + + + + - - - - + + - - - - + + - - - - + + - - - - + + -
NameDescription
tracingTracing
DEFAULT -

Tracing configuration to be used by the proxy.

+

Apply default normalizations. Currently, this is BASE.

-
-No
sdsSDS
NONE -

secret discovery service(SDS) configuration to be used by the proxy.

+

No normalization, paths are used as is.

-
-No
envoyAccessLogServiceRemoteService
BASE -

Address of the service to which access logs from Envoys should be -sent. (e.g. accesslog-service:15000). See Access Log -Service -for details about Envoy’s gRPC Access Log Service API.

+

Normalize according to RFC 3986. +For Envoy proxies, this is the normalize_path option. +For example, /a/../b normalizes to /b.

-
-No
envoyMetricsServiceRemoteService
MERGE_SLASHES -

Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). -See Metric Service -for details about Envoy’s Metrics Service API.

+

In addition to the BASE normalization, consecutive slashes are also merged. +For example, /a//b normalizes to a/b.

-
-No
zipkinAddressstring
DECODE_AND_MERGE_SLASHES -

Address of the Zipkin service (e.g. zipkin:9411). -DEPRECATED: Use tracing instead.

+

In addition to normalization in MERGE_SLASHES, slash characters are UTF-8 decoded (case insensitive) prior to merging. +This means %2F, %2f, %5C, and %5c sequences in the request path will be rewritten to / or \. +For example, /a%2f/b normalizes to a/b.

-
-No
-

ProxyConfig.InboundInterceptionMode

+

MeshConfig.TLSConfig.TLSProtocol

-

The mode used to redirect inbound traffic to Envoy. -This setting has no effect on outbound traffic: iptables REDIRECT is always used for -outbound connections.

+

TLS protocol versions.

@@ -1585,83 +3738,81 @@

ProxyConfig.InboundInterceptionMode

- - + + - - + + + + + +
REDIRECT
TLS_AUTO -

The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses -source IP addresses during redirection.

+

Automatically choose the optimal TLS version.

TPROXY
TLSV1_2 -

The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the -source and destination IP addresses and ports, so that they can be used for advanced -filtering and manipulation. This mode also configures the sidecar to run with the -CAPNETADMIN capability, which is required to use TPROXY.

+

TLS version 1.2

+ +
TLSV1_3 +

TLS version 1.3

-

RemoteService

+

MeshConfig.IngressControllerMode

- +
- - + - - - - + + - - - - + + - - - - + + + + +
FieldTypeName DescriptionRequired
addressstring
UNSPECIFIED -

Address of a remove service used for various purposes (access log -receiver, metrics receiver, etc.). Can be IP address or a fully -qualified DNS name.

+

Unspecified Istio ingress controller.

-
-No
tlsSettingsTLSSettings
OFF -

Use the tls_settings to specify the tls mode to use. If the remote service -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS -mode as ISTIO_MUTUAL.

+

Disables Istio ingress controller.

-
-No
tcpKeepaliveTcpKeepalive
DEFAULT -

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

+

Istio ingress controller will act on ingress resources that do not +contain any annotation or whose annotations match the value +specified in the ingress_class parameter described earlier. Use this +mode if Istio ingress controller will be the default ingress +controller for the entire Kubernetes cluster.

STRICT -No +

Istio ingress controller will only act on ingress resources whose +annotations match the value specified in the ingress_class parameter +described earlier. Use this mode if Istio ingress controller will be +a secondary ingress controller (e.g., in addition to a +cloud-provided ingress controller).

+
-

Resource

+

MeshConfig.AccessLogEncoding

-

Resource describes the source of configuration

- @@ -1670,250 +3821,242 @@

Resource

- - + + + + + +
SERVICE_REGISTRY
TEXT -

Set to only receive service entries that are generated by the platform. -These auto generated service entries are combination of services and endpoints -that are generated by a specific platform e.g. k8

+

text encoding for the proxy access log

+ +
JSON +

json encoding for the proxy access log

-

SDS

+

MeshConfig.H2UpgradePolicy

-

SDS defines secret discovery service(SDS) configuration to be used by the proxy. -For workload, its values are set in sidecar injector(passed as arguments to istio-proxy container). -For pilot/mixer, it’s passed as arguments to istio-proxy container in pilot/mixer deployment yaml files directly.

+

Default Policy for upgrading http1.1 connections to http2.

- +
- - + - - - - + + - - - - + + -
FieldTypeName DescriptionRequired
enabledbool
DO_NOT_UPGRADE -

True if SDS is enabled.

+

Do not upgrade connections to http2.

-
-No
k8sSaJwtPathstring
UPGRADE -

Path of k8s service account JWT path.

+

Upgrade the connections to http2.

-
-No
-

Tracing

+

Resource

-

Tracing defines configuration for the tracing performed by Envoy instances.

+

Resource describes the source of configuration

- +
- - + - - - - + + - - - - - +
FieldTypeName DescriptionRequired
zipkinZipkin (oneof)
SERVICE_REGISTRY -

Use a Zipkin tracer.

+

Set to only receive service entries that are generated by the platform. +These auto generated service entries are combination of services and endpoints +that are generated by a specific platform e.g. k8

-
-Yes
lightstepLightstep (oneof) -

Use a LightStep tracer.

+
+
+

Tracing.OpenCensusAgent.TraceContext

+
+

TraceContext selects the context propagation headers used for +distributed tracing.

- - -Yes - + + + + + - - - + + + + + + + - - - + + + + +
NameDescription
datadogDatadog (oneof)
W3C_TRACE_CONTEXT -

Use a Datadog tracer.

+

Use W3C Trace Context propagation using the traceparent HTTP header. +See the +Trace Context documentation for details.

GRPC_BIN -Yes +

Use gRPC binary context propagation using the grpc-trace-bin http header.

+
stackdriverStackdriver (oneof)
CLOUD_TRACE_CONTEXT -

Use a Stackdriver tracer.

+

Use Cloud Trace context propagation using the +X-Cloud-Trace-Context http header.

B3 -Yes +

Use multi-header B3 context propagation using the X-B3-TraceId, +X-B3-SpanId, and X-B3-Sampled HTTP headers. See +B3 header propagation README +for details.

+
-

Tracing.Datadog

+

ProxyConfig.TracingServiceName

-

Datadog defines configuration for a Datadog tracer.

+

Allows specification of various Istio-supported naming schemes for the +Envoy service_cluster value. The servce_cluster value is primarily used +by Envoys to provide service names for tracing spans.

- +
- - + - - - - + + + + + + + + +
FieldTypeName DescriptionRequired
addressstring
APP_LABEL_AND_NAMESPACE -

Address of the Datadog Agent.

+

Default scheme. Uses the app label and workload namespace to construct +a cluster name. If the app label does not exist istio-proxy is used.

CANONICAL_NAME_ONLY -No +

Uses the canonical name for a workload (excluding namespace).

+ +
CANONICAL_NAME_AND_NAMESPACE +

Uses the canonical name and namespace for a workload.

+
-

Tracing.Lightstep

+

ProxyConfig.InboundInterceptionMode

-

Defines configuration for a LightStep tracer.

+

The mode used to redirect inbound traffic to Envoy. +This setting has no effect on outbound traffic: iptables REDIRECT is always used for +outbound connections.

- +
- - + - - - - - - - - - - + + - - - - + + - - - - + + -
FieldTypeName DescriptionRequired
addressstring -

Address of the LightStep Satellite pool.

- -
-No -
accessTokenstring
REDIRECT -

The LightStep access token.

+

The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses +source IP addresses during redirection.

-
-No
securebool
TPROXY -

True if a secure connection should be used when communicating with the pool.

+

The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the +source and destination IP addresses and ports, so that they can be used for advanced +filtering and manipulation. This mode also configures the sidecar to run with the +CAP_NET_ADMIN capability, which is required to use TPROXY.

-
-No
cacertPathstring
NONE -

Path to the trusted cacert used to authenticate the pool.

+

The NONE mode does not configure redirect to Envoy at all. This is an advanced +configuration that typically requires changes to user applications.

-
-No
-

Tracing.Stackdriver

+

AuthenticationPolicy

-

Stackdriver defines configuration for a Stackdriver tracer. -See Opencensus trace config for details.

+

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. +It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation. +Mesh policy cannot be INHERIT.

- +
- - + - - -
FieldTypeName DescriptionRequired
-
-

Tracing.Zipkin

-
-

Zipkin defines configuration for a Zipkin tracer.

+ +NONE + +

Do not encrypt proxy to control plane traffic.

- - - - - - - + - - - - - + + + + + diff --git a/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html b/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html index 755b6710eafe1..fb906d94f84d0 100644 --- a/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html @@ -7,13 +7,36 @@ layout: protoc-gen-docs generator: protoc-gen-docs weight: 20 -number_of_entries: 60 +number_of_entries: 61 --- -

Configuration affecting Istio control plane installation version and shape.

+

Configuration affecting Istio control plane installation version and shape. +Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests. +Without camelCase, the json tag on the Go struct will not match the user’s JSON representation. +This leads to Kubernetes merge libraries, which rely on this tag, to fail. +All other usages use jsonpb which does not use the json tag.

-

Affinity

+

IstioOperatorSpec

-

Mirrors k8s.io.api.core.v1.

+

IstioOperatorSpec defines the desired installed state of Istio components. +The spec is a used to define a customization of the default profile values that are supplied with each Istio release. +Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio +component values.

+ +
apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  profile: default
+  hub: gcr.io/istio-testing
+  tag: latest
+  revision: 1-8-0
+  meshConfig:
+    accessLogFile: /dev/stdout
+    enableTracing: true
+  components:
+    egressGateways:
+    - name: istio-egressgateway
+      enabled: true
+
FieldTypeDescriptionRequired
addressstring
MUTUAL_TLS -

Address of the Zipkin service (e.g. zipkin:9411).

+

Proxy to control plane traffic is wrapped into mutual TLS connections.

INHERIT -No +

Use the policy defined by the parent scope. Should not be used for mesh +policy.

+
@@ -25,162 +48,154 @@

Affinity

- - - + + + - - - + + + - - - + + + - -
nodeAffinityNodeAffinity
profilestring +

Path or name for the profile e.g.

+ +
    +
  • minimal (looks in profiles dir for a file called minimal.yaml)
  • +
  • /tmp/istio/install/values/custom/custom-install.yaml (local file path)
  • +
+ +

default profile is used if this field is unset.

+
No
podAffinityPodAffinity
installPackagePathstring +

Path for the install package. e.g.

+ +
    +
  • /tmp/istio-installer/nightly (local file path)
  • +
+
No
podAntiAffinityPodAntiAffinity
hubstring +

Root for docker image paths e.g. docker.io/istio

+
No
-
-

BaseComponentSpec

-
-

Configuration for base component.

- - - - - - - - - - - - - - + + + - -
FieldTypeDescriptionRequired
enabledTypeBoolValueForPB
tagValue -

Selects whether this component is installed.

+

Version tag for docker images e.g. 1.7.2

No
-
-

ClientIPConfig

-
- - - - - - - - - - - - - + + + - -
FieldTypeDescriptionRequired
timeoutSecondsint32
namespacestring +

Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace +as the IstioOperator CR. You must also set values.global.istioNamespace if you wish to install Istio in +a custom namespace. +If you have enabled CNI, you must exclude this namespace by adding it to the list values.cni.excludeNamespaces.

+
No
-
-

ComponentSpec

-
-

Configuration for internal components.

+ +revision +string + +

Identify the revision this installation is associated with. +This option is currently experimental.

- - - - - - - + + - - - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + +
FieldTypeDescriptionRequired +No +
enabledTypeBoolValueForPB
defaultRevisionbool -

Selects whether this component is installed.

+

Identify whether this revision is the default revision for the cluster +This option is currently experimental.

No
namespacestring
meshConfigStruct -

Namespace for the component.

+

Config used by control plane components internally.

No
hubstring
componentsIstioComponentSetSpec -

Hub for the component (overrides top level hub setting).

+

Kubernetes resource settings, enablement and component-specific settings that are not internal to the +component.

No
tagTypeInterface
valuesStruct -

Tag for the component (overrides top level tag setting).

+

Overrides for default values.yaml. This is a validated pass-through to Helm templates. +See the Helm installation options for schema details. +Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This +includes Kubernetes resource settings for components in KubernetesResourcesSpec.

No
specTypeInterface
unvalidatedValuesStruct -

Arbitrary install time configuration for the component.

+

Unvalidated overrides for default values.yaml. Used for custom templates where new parameters are added.

No
k8sKubernetesResourcesSpec
addonComponentsmap<string, ExternalComponentSpec> -

Kubernetes resource spec.

+

Deprecated. +Users should manage the installation of addon components on their own. +Refer to samples/addons for demo installation of addon components.

@@ -190,8 +205,10 @@

ComponentSpec

-

ConfigMapKeySelector

+

InstallStatus

+

Observed state of IstioOperator

+ @@ -202,28 +219,44 @@

ConfigMapKeySelector

- - - + + + - - + + - - - + + +
localObjectReferenceLocalObjectReference
statusStatus +

Overall status of all components controlled by the operator.

+ +
    +
  • If all components have status NONE, overall status is NONE.
  • +
  • If all components are HEALTHY, overall status is HEALTHY.
  • +
  • If one or more components are RECONCILING and others are HEALTHY, overall status is RECONCILING.
  • +
  • If one or more components are UPDATING and others are HEALTHY, overall status is UPDATING.
  • +
  • If components are a mix of RECONCILING, UPDATING and HEALTHY, overall status is UPDATING.
  • +
  • If any component is in ERROR state, overall status is ERROR.
  • +
  • If further action is needed for reconciliation to proceed, overall status is ACTION_REQUIRED.
  • +
+
No
key
message string +

Optional message providing additional information about the existing overall status.

+
No
optionalbool
componentStatusmap<string, VersionStatus> +

Individual status of each component controlled by the operator. The map key is the name of the component.

+
No @@ -232,8 +265,10 @@

ConfigMapKeySelector

-

CrossVersionObjectReference

+

IstioComponentSetSpec

+

IstioComponentSpec defines the desired installed state of Istio components.

+ @@ -244,62 +279,56 @@

CrossVersionObjectReference

- - - + + + - - - + + + - - - + + + - -
kindstring
baseBaseComponentSpec No
namestring
pilotComponentSpec No
apiVersionstring
cniComponentSpec No
-
-

DeploymentStrategy

-
-

Mirrors k8s.io.api.apps.v1.DeploymentStrategy for unmarshaling.

+ +istiodRemote +ComponentSpec + +

Remote cluster using an external control plane.

- - - - - - - + + - - - - - + + + - - - + + +
FieldTypeDescriptionRequired +No +
typestring
ingressGatewaysGatewaySpec[] No
rollingUpdateRollingUpdateDeployment
egressGatewaysGatewaySpec[] @@ -309,8 +338,10 @@

DeploymentStrategy

-

EnvVar

+

BaseComponentSpec

+

Configuration for base component.

+ @@ -321,28 +352,23 @@

EnvVar

- - - - - - - - - + + + - - - + + +
namestring - -No -
valuestring
enabledBoolValue +

Selects whether this component is installed.

+
No
valueFromEnvVarSource
k8sKubernetesResourcesSpec +

Kubernetes resource spec.

+
No @@ -351,8 +377,10 @@

EnvVar

-

EnvVarSource

+

ComponentSpec

+

Configuration for internal components.

+ @@ -363,63 +391,67 @@

EnvVarSource

- - - + + + - - - + + + - - - + + + - - - + + + - -
fieldRefObjectFieldSelector
enabledBoolValue +

Selects whether this component is installed.

+
No
resourceFieldRefResourceFieldSelector
namespacestring +

Namespace for the component.

+
No
configMapKeyRefConfigMapKeySelector
hubstring +

Hub for the component (overrides top level hub setting).

+
No
secretKeyRefSecretKeySelector
tagValue +

Tag for the component (overrides top level tag setting).

+
No
-
-

ExecAction

-
-

Mirrors k8s.io.api.core.v1.ExecAction for unmarshaling.

+ +spec +Struct + +

Arbitrary install time configuration for the component.

- - - - - - - + + - - - - - + + + - + - + - + - - - -
FieldTypeDescriptionRequired +No +
commandstring[]
k8sKubernetesResourcesSpec +

Kubernetes resource spec.

+
No @@ -444,7 +476,7 @@

ExternalComponentSpec

enabledTypeBoolValueForPBBoolValue

Selects whether this component is installed.

@@ -466,7 +498,7 @@

ExternalComponentSpec

specTypeInterfaceStruct

Arbitrary install time configuration for the component.

@@ -475,7 +507,7 @@

ExternalComponentSpec

No
chartPath string @@ -503,57 +535,6 @@

ExternalComponentSpec

Kubernetes resource spec.

-
-No -
-
-

ExternalMetricSource

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - +
FieldTypeDescriptionRequired
metricNamestring - -No -
metricSelectorLabelSelector - -No -
targetValueQuantity - -No -
targetAverageValueQuantity No @@ -578,7 +559,7 @@

GatewaySpec

enabledTypeBoolValueForPBBoolValue

Selects whether this gateway is installed.

@@ -633,7 +614,7 @@

GatewaySpec

tagTypeInterfaceValue

Tag for the component (overrides top level tag setting).

@@ -656,9 +637,9 @@

GatewaySpec

-

HTTPGetAction

+

KubernetesResourcesSpec

-

Mirrors k8s.io.api.core.v1.HTTPGetAction for unmarshaling.

+

KubernetesResourcesConfig is a common set of k8s resource configs for components.

@@ -670,238 +651,241 @@

HTTPGetAction

- - - + + + - - - + + + - - - + + + - - + + - - - + + + - -
pathstring
affinityAffinity +

k8s affinity. +https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

+
No
portTypeInterface_kubernetes
envEnvVar[] +

Deployment environment variables. +https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/

+
No
hoststring
hpaSpecHorizontalPodAutoscalerSpec +

k8s HorizontalPodAutoscaler settings. +https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

+
No
scheme
imagePullPolicy string +

k8s imagePullPolicy. +https://kubernetes.io/docs/concepts/containers/images/

+
No
httpHeadersHTTPHeader[]
nodeSelectormap<string, string> +

k8s nodeSelector. +https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

+
No
-
-

HTTPHeader

-
-

Mirrors k8s.io.api.core.v1.HTTPHeader for unmarshaling.

+ +podDisruptionBudget +PodDisruptionBudgetSpec + +

k8s PodDisruptionBudget settings. +https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#how-disruption-budgets-work

- - - - - - - + + - - - - - + + + - - + + - -
FieldTypeDescriptionRequired +No +
namestring
podAnnotationsmap<string, string> +

k8s pod annotations. +https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

+
No
value
priorityClassName string +

k8s priority_class_name. Default for all resources unless overridden. +https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass

+
No
-
-

HorizontalPodAutoscalerSpec

-
- - - - - - - - - - - - - + + + - - - + + + - - - + + + - - - + + + - -
FieldTypeDescriptionRequired
scaleTargetRefCrossVersionObjectReference
readinessProbeReadinessProbe +

k8s readinessProbe settings. +https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +k8s.io.api.core.v1.Probe readiness_probe = 9;

+
No
minReplicasint32
replicaCountuint32 +

k8s Deployment replicas setting. +https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

+
No
maxReplicasint32
resourcesResources +

k8s resources settings. +https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

+
No
metricsMetricSpec[]
serviceServiceSpec +

k8s Service settings. +https://kubernetes.io/docs/concepts/services-networking/service/

+
No
-
-

InstallStatus

-
-

Observed state of IstioOperator

- - - - - - - - - - - - - - + + + - - - + + + - -
FieldTypeDescriptionRequired
statusStatus
strategyDeploymentStrategy -

Overall status of all components controlled by the operator. -- If all components have status NONE, overall status is NONE. -- If all components are HEALTHY, overall status is HEALTHY. -- If one or more components are RECONCILING and others are HEALTHY, overall status is RECONCILING. -- If one or more components are UPDATING and others are HEALTHY, overall status is UPDATING. -- If components are a mix of RECONCILING, UPDATING and HEALTHY, overall status is UPDATING. -- If any component is in ERROR state, overall status is ERROR.

+

k8s deployment strategy. +https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

No
componentStatusmap<string, VersionStatus>
tolerationsToleration[] -

Individual status of each component controlled by the operator. The map key is the name of the component.

+

k8s toleration +https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

No
-
-

InstallStatus.Status

-
-

Status describes the current state of a component.

- - - - - - - - - - - + + + + - - + + + + - - + + + + - - + + + + - - + + + +
NameDescription
NONE
serviceAnnotationsmap<string, string> -

Component is not present.

+

k8s service annotations. +https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

+
+No
UPDATING
securityContextPodSecurityContext -

Component is being updated to a different version.

+

k8s pod security context +https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

+
+No
RECONCILING
volumesVolume[] -

Controller has started but not yet completed reconciliation loop for the component.

+

k8s volume +https://kubernetes.io/docs/concepts/storage/volumes/ +Volumes defines the collection of Volume to inject into the pod.

+
+No
HEALTHY
volumeMountsVolumeMount[] -

Component is healthy.

+

k8s volumeMounts +VolumeMounts defines the collection of VolumeMount to inject into containers.

+
+No
ERROR
overlaysK8sObjectOverlay[] -

Component is in an error state.

+

Overlays for k8s resources in rendered manifests.

+
+No
-

InstallStatus.VersionStatus

+

K8sObjectOverlay

-

VersionStatus is the status and version of a component.

+

Patch for an existing k8s resource.

@@ -913,28 +897,46 @@

InstallStatus.VersionStatus

- - + + - - - + + + - - + + + + + + + +
version
apiVersion string +

Resource API version.

+
No
statusStatus
kindstring +

Resource kind.

+
No
error
name string +

Name of resource. +Namespace is always the component namespace.

+ +
+No +
patchesPathValue[] +

List of patches to apply to resource.

+
No @@ -943,9 +945,9 @@

InstallStatus.VersionStatus

-

IstioComponentSetSpec

+

Affinity

-

IstioComponentSpec defines the desired installed state of Istio components.

+

See k8s.io.api.core.v1.Affinity.

@@ -957,108 +959,176 @@

IstioComponentSetSpec

- - - + + + - - - + + + - - - + + + - - - + +
baseBaseComponentSpec
nodeAffinityNodeAffinity No
pilotComponentSpec
podAffinityPodAffinity No
proxyComponentSpec
podAntiAffinityPodAntiAffinity No
sidecarInjectorComponentSpec
+
+

ConfigMapKeySelector

+
+

See k8s.io.api.core.v1.ConfigMapKeySelector.

+ + + + + + + + + + + + + + - - - + + + - - - + + + - - - + +
FieldTypeDescriptionRequired
localObjectReferenceLocalObjectReference No
policyComponentSpec
keystring No
telemetryComponentSpec
optionalbool No
citadelComponentSpec
+
+

ClientIPConfig

+
+

See k8s.io.api.core.v1.ClientIPConfig.

+ + + + + + + + + + + + + + - - - + +
FieldTypeDescriptionRequired
timeoutSecondsint32 No
nodeAgentComponentSpec
+
+

CrossVersionObjectReference

+
+

See k8s.io.api.autoscaling.v2beta2.CrossVersionObjectReference.

+ + + + + + + + + + + + + + - - - + + + - - - + + + - - - + +
FieldTypeDescriptionRequired
kindstring No
galleyComponentSpec
namestring No
cniComponentSpec
apiVersionstring No
ingressGatewaysGatewaySpec[]
+
+

DeploymentStrategy

+
+

See k8s.io.api.apps.v1.DeploymentStrategy.

+ + + + + + + + + + + + + + - - - + + +
FieldTypeDescriptionRequired
typestring No
egressGatewaysGatewaySpec[]
rollingUpdateRollingUpdateDeployment @@ -1068,12 +1138,9 @@

IstioComponentSetSpec

-

IstioOperatorSpec

+

EnvVar

-

IstioOperatorSpec defines the desired installed state of Istio components. -The spec is a used to define a customization of the default profile values that are supplied with each Istio release. -Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio -component values.

+

See k8s.io.api.core.v1.EnvVar.

@@ -1085,132 +1152,160 @@

IstioOperatorSpec

- - + + - - + + - - - + + + - - - - +
profile
name string -

Path or name for the profile e.g. - - minimal (looks in profiles dir for a file called minimal.yaml) - - /tmp/istio/install/values/custom/custom-install.yaml (local file path) -default profile is used if this field is unset.

-
No
installPackagePath
value string -

Path for the install package. e.g. - - /tmp/istio-installer/nightly (local file path)

-
No
hubstring
valueFromEnvVarSource -

Root for docker image paths e.g. docker.io/istio

-
No
tagTypeInterface2 -

Version tag for docker images e.g. 1.0.6

+
+
+

EnvVarSource

+
+

See k8s.io.api.core.v1.EnvVarSource.

+ + + + + + + + + + + + + + - - - - + + + - - - + + + - - - + + + - - - + +
FieldTypeDescriptionRequired
fieldRefObjectFieldSelector No
namespacestring -

Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace -as the IstioOperator CR.

- +
resourceFieldRefResourceFieldSelector No
revisionstring
configMapKeyRefConfigMapKeySelector -

Identify the revision this installation is associated with. -This option is currently experimental.

-
No
meshConfigMeshConfig
secretKeyRefSecretKeySelector -

Config used by control plane components internally.

-
No
componentsIstioComponentSetSpec
+
+

ExecAction

+
+

See k8s.io.api.core.v1.ExecAction.

+ + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
commandstring[] -

Kubernetes resource settings, enablement and component-specific settings that are not internal to the -component.

+
+No +
+
+

ExternalMetricSource

+
+

See k8s.io.api.autoscaling.v2beta2.CrossVersionObjectReference.

+ + + + + + + + + + + + + + - - - + + + - - - + + + - - - + + +
FieldTypeDescriptionRequired
metricNamestring No
addonComponentsmap<string, ExternalComponentSpec>
metricSelectorLabelSelector -

Extra addon components which are not explicitly specified above.

-
No
valuesTypeMapStringInterface2
targetValueIntOrString -

Overrides for default values.yaml. This is a validated pass-through to Helm templates. -See the Helm installation options for schema details: https://istio.io/docs/reference/config/installation-options/. -Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This -includes Kubernetes resource settings for components in KubernetesResourcesSpec.

-
No
unvalidatedValuesTypeMapStringInterface2
targetAverageValueIntOrString -

Unvalidated overrides for default values.yaml. Used for custom templates where new parameters are added.

-
No @@ -1219,9 +1314,9 @@

IstioOperatorSpec

-

K8sObjectOverlay

+

HTTPGetAction

-

Patch for an existing k8s resource.

+

See k8s.io.api.core.v1.HTTPGetAction.

@@ -1233,46 +1328,46 @@

K8sObjectOverlay

- - + + - - + + + + + + + + - - + + - - - + + +
apiVersion
path string -

Resource API version.

-
No
kind
portIntOrString + +No +
host string -

Resource kind.

-
No
name
scheme string -

Name of resource. -Namespace is always the component namespace.

-
No
patchesPathValue[]
httpHeadersHTTPHeader[] -

List of patches to apply to resource.

-
No @@ -1281,8 +1376,10 @@

K8sObjectOverlay

-

K8sObjectOverlay.PathValue

+

HTTPHeader

+

See k8s.io.api.core.v1.HTTPHeader.

+ @@ -1293,30 +1390,19 @@

K8sObjectOverlay.PathValue

- - + + - + - +
path
name string -

Path of the form a.[key1:value1].b.[:value2] -Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value -selector to identify a list element in a leaf list. -All path intermediate nodes must exist.

-
No
valueTypeInterfacestring -

Value to add, delete or replace. -For add, the path should be a new leaf. -For delete, value should be unset. -For replace, path should reference an existing node. -All values are strings but are converted into appropriate type based on schema.

-
No @@ -1325,9 +1411,9 @@

K8sObjectOverlay.PathValue

-

KubernetesResourcesSpec

+

HorizontalPodAutoscalerSpec

-

KubernetesResourcesConfig is a common set of k8s resource configs for components.

+

See k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec.

@@ -1339,193 +1425,397 @@

KubernetesResourcesSpec

- - - + + + - - - + + + - - - + + + - - + + + + + + + +
affinityAffinity
scaleTargetRefCrossVersionObjectReference -

k8s affinity. -https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

-
No
envEnvVar[]
minReplicasint32 -

Deployment environment variables. -https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/

-
No
hpaSpecHorizontalPodAutoscalerSpec
maxReplicasint32 -

k8s HorizontalPodAutoscaler settings. -https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

-
No
imagePullPolicy
metricsMetricSpec[] + +No +
+
+

LocalObjectReference

+
+

See k8s.io.api.core.v1.LocalObjectReference.

+ + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
name string -

k8s imagePullPolicy. -https://kubernetes.io/docs/concepts/containers/images/

+
+No +
+
+

MetricSpec

+
+

See k8s.io.autoscaling.v2beta1.MetricSpec.

+ + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
typestring No
nodeSelectormap<string, string>
objectObjectMetricSource -

k8s nodeSelector. -https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

+
+No +
podsPodsMetricSource + +No +
resourceResourceMetricSource + +No +
externalExternalMetricSource + +No +
+
+

NodeAffinity

+
+

See k8s.io.api.core.v1.NodeAffinity.

+ + + + + + + + + + + + + + - - - + + + + + + +
FieldTypeDescriptionRequired
requiredDuringSchedulingIgnoredDuringExecutionNodeSelector No
podDisruptionBudgetPodDisruptionBudgetSpec
preferredDuringSchedulingIgnoredDuringExecutionPreferredSchedulingTerm[] -

k8s PodDisruptionBudget settings. -https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#how-disruption-budgets-work

+
+No +
+
+

NodeSelector

+
+

See k8s.io.api.core.v1.NodeSelector.

+ + + + + + + + + + + + + + - - - + +
FieldTypeDescriptionRequired
nodeSelectorTermsNodeSelectorTerm[] No
podAnnotationsmap<string, string>
+
+

NodeSelectorTerm

+
+

See k8s.io.api.core.v1.NodeSelectorTerm.

+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
matchExpressionsNodeSelectorRequirement[] -

k8s pod annotations. -https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

+
+No +
matchFieldsNodeSelectorRequirement[] + +No +
+
+

NodeSelectorRequirement

+
+

See k8s.io.api.core.v1.NodeSelectorRequirement.

+ + + + + + + + + + + + + + - - + + + + + + + + + + + +
FieldTypeDescriptionRequired
keystring No
priorityClassName
operator string -

k8s priorityclassname. Default for all resources unless overridden. -https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass

+
+No +
valuesstring[] + +No +
+
+

ObjectFieldSelector

+
+

See k8s.io.api.core.v1.ObjectFieldSelector.

+ + + + + + + + + + + + + + - - - + + + + + + + +
FieldTypeDescriptionRequired
apiVersionstring No
readinessProbeReadinessProbe
fieldPathstring + +No +
+
+

ObjectMeta

+
+

From k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta.

+ + + + + + + + + + + + + + - - - + + + - - - - +
FieldTypeDescriptionRequired
namestring -

k8s readinessProbe settings. -https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ -k8s.io.api.core.v1.Probe readiness_probe = 9;

-
No
replicaCountuint32
namespacestring -

k8s Deployment replicas setting. -https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

-
No
resourcesResources -

k8s resources settings. -https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

+
+
+

ObjectMetricSource

+
+

See k8s.io.autoscaling.v2beta1.ObjectMetricSource.

- - -No - + + + + + + + - - - + + + + + - - - + + + - - - + + + - - - + + + - - - + + +
FieldTypeDescriptionRequired
serviceServiceSpec
targetCrossVersionObjectReference -

k8s Service settings. -https://kubernetes.io/docs/concepts/services-networking/service/

-
No
strategyDeploymentStrategy
metricNamestring -

k8s deployment strategy. -https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

-
No
tolerationsToleration[]
targetValueIntOrString -

k8s toleration -https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

-
No
serviceAnnotationsmap<string, string>
selectorLabelSelector -

k8s service annotations. -https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

-
No
overlaysK8sObjectOverlay[]
averageValueIntOrString -

Overlays for k8s resources in rendered manifests.

-
No @@ -1534,8 +1824,10 @@

KubernetesResourcesSpec

-

LocalObjectReference

+

PodAffinity

+

See k8s.io.api.core.v1.PodAffinity.

+ @@ -1546,9 +1838,18 @@

LocalObjectReference

- - - + + + + + + + + +
namestring
requiredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm[] + +No +
preferredDuringSchedulingIgnoredDuringExecutionWeightedPodAffinityTerm[] @@ -1558,8 +1859,10 @@

LocalObjectReference

-

MetricSpec

+

PodAntiAffinity

+

See k8s.io.api.core.v1.PodAntiAffinity.

+ @@ -1570,45 +1873,62 @@

MetricSpec

- - - + + + - - - + + + - - - + +
typestring
requiredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm[] No
objectObjectMetricSource
preferredDuringSchedulingIgnoredDuringExecutionWeightedPodAffinityTerm[] No
podsPodsMetricSource
+
+

PodAffinityTerm

+
+

See k8s.io.api.core.v1.PodAntiAffinity.

+ + + + + + + + + + + + + + - - - + + + - - - + + +
FieldTypeDescriptionRequired
labelSelectorLabelSelector No
resourceResourceMetricSource
namespacesstring[] No
externalExternalMetricSource
topologyKeystring @@ -1618,8 +1938,10 @@

MetricSpec

-

NodeAffinity

+

PodDisruptionBudgetSpec

+

See k8s.io.api.policy.v1beta1.PodDisruptionBudget.

+ @@ -1630,18 +1952,27 @@

NodeAffinity

- - - + + + - - - + + + + + + + + +
requiredDuringSchedulingIgnoredDuringExecutionNodeSelector
minAvailableIntOrString No
preferredDuringSchedulingIgnoredDuringExecutionPreferredSchedulingTerm[]
selectorLabelSelector + +No +
maxUnavailableIntOrString @@ -1651,8 +1982,10 @@

NodeAffinity

-

NodeSelector

+

PodsMetricSource

+

See k8s.io.api.core.v1.PodsMetricSource.

+ @@ -1663,9 +1996,27 @@

NodeSelector

- - - + + + + + + + + + + + + + + +
nodeSelectorTermsNodeSelectorTerm[]
metricNamestring + +No +
targetAverageValueIntOrString + +No +
selectorLabelSelector @@ -1675,8 +2026,10 @@

NodeSelector

-

NodeSelectorRequirement

+

PreferredSchedulingTerm

+

See k8s.io.api.core.v1.PreferredSchedulingTerm.

+ @@ -1687,27 +2040,18 @@

NodeSelectorRequirement

- - - - - - - - - + + + - - - + + +
keystring - -No -
operatorstring
weightint32 No
valuesstring[]
preferenceNodeSelectorTerm @@ -1717,8 +2061,10 @@

NodeSelectorRequirement

-

NodeSelectorTerm

+

ReadinessProbe

+

See k8s.io.api.core.v1.ReadinessProbe.

+ @@ -1729,51 +2075,72 @@

NodeSelectorTerm

- - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + - -
matchExpressionsNodeSelectorRequirement[]
execExecAction + +No +
httpGetHTTPGetAction + +No +
tcpSocketTCPSocketAction + +No +
initialDelaySecondsint32 + +No +
timeoutSecondsint32 No
matchFieldsNodeSelectorRequirement[]
periodSecondsint32 No
-
-

ObjectFieldSelector

-
- - - - - - - - - - - - - + + + - - - + + +
FieldTypeDescriptionRequired
apiVersionstring
successThresholdint32 No
fieldPathstring
failureThresholdint32 @@ -1783,8 +2150,10 @@

ObjectFieldSelector

-

ObjectMeta

+

ResourceFieldSelector

+

See k8s.io.api.core.v1..

+ @@ -1795,19 +2164,17 @@

ObjectMeta

- - + + - - + + @@ -1815,11 +2182,22 @@

ObjectMeta

No + + + + + +
name
containerName string -

From k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta.

-
No
namespace
resource string
divisorIntOrString + +No +
-

ObjectMetricSource

+

ResourceMetricSource

+

See k8s.io.api.core.v1.ResourceMetricSource.

+ @@ -1830,45 +2208,62 @@

ObjectMetricSource

- - - + + + - - - + + + - - - + + + - - - + +
targetCrossVersionObjectReference
namestring No
metricNamestring
targetAverageUtilizationint32 No
targetValueQuantity
targetAverageValueIntOrString No
selectorLabelSelector
+
+

Resources

+
+

See k8s.io.api.core.v1.ResourceRequirements.

+ + + + + + + + + + + + + + - - - + + +
FieldTypeDescriptionRequired
limitsmap<string, string> No
averageValueQuantity
requestsmap<string, string> @@ -1878,8 +2273,10 @@

ObjectMetricSource

-

PodAffinity

+

RollingUpdateDeployment

+

See k8s.io.api.apps.v1.RollingUpdateDeployment.

+ @@ -1890,18 +2287,18 @@

PodAffinity

- - - + + + - - - + + +
requiredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm[]
maxUnavailableIntOrString No
preferredDuringSchedulingIgnoredDuringExecutionWeightedPodAffinityTerm[]
maxSurgeIntOrString @@ -1911,8 +2308,10 @@

PodAffinity

-

PodAffinityTerm

+

SecretKeySelector

+

See k8s.io.api.core.v1.SecretKeySelector.

+ @@ -1923,27 +2322,27 @@

PodAffinityTerm

- - - + + + - - - + + + - - - + + +
labelSelectorLabelSelector
localObjectReferenceLocalObjectReference No
namespacesstring[]
keystring No
topologyKeystring
optionalbool @@ -1953,8 +2352,10 @@

PodAffinityTerm

-

PodAntiAffinity

+

ServiceSpec

+

See k8s.io.api.core.v1.ServiceSpec.

+ @@ -1965,85 +2366,62 @@

PodAntiAffinity

- - - + + + - - - + + + - -
requiredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm[]
portsServicePort[] No
preferredDuringSchedulingIgnoredDuringExecutionWeightedPodAffinityTerm[]
selectormap<string, string> No
-
-

PodDisruptionBudgetSpec

-
-

Mirrors k8s.io.api.policy.v1beta1.PodDisruptionBudget for unmarshaling.

- - - - - - - - - - - - - - + + + - - - + + + - - - + + + - -
FieldTypeDescriptionRequired
minAvailableuint32
clusterIPstring No
selectorLabelSelector
typestring No
maxUnavailableuint32
externalIPsstring[] No
-
-

PodsMetricSource

-
- - - - - - - + + + + + - - - - + + @@ -2051,41 +2429,35 @@

PodsMetricSource

No - - - + + + - - - + + + - -
FieldTypeDescriptionRequired
sessionAffinitystring + +No +
metricName
loadBalancerIP string
targetAverageValueQuantity
loadBalancerSourceRangesstring[] No
selectorLabelSelector
externalNamestring No
-
-

PreferredSchedulingTerm

-
- - - - - - - + + + + + - - - - + + @@ -2093,9 +2465,18 @@

PreferredSchedulingTerm

No - - - + + + + + + + + +
FieldTypeDescriptionRequired
externalTrafficPolicystring + +No +
weight
healthCheckNodePort int32
preferenceNodeSelectorTerm
publishNotReadyAddressesbool + +No +
sessionAffinityConfigSessionAffinityConfig @@ -2105,9 +2486,9 @@

PreferredSchedulingTerm

-

ReadinessProbe

+

ServicePort

-

Mirrors k8s.io.api.core.v1.Probe for unmarshaling.

+

See k8s.io.api.core.v1..

@@ -2119,35 +2500,26 @@

ReadinessProbe

- - - - - - - - - + + + - - - + + + - - + + @@ -2155,17 +2527,17 @@

ReadinessProbe

No - - - + + + - - + + @@ -2173,18 +2545,26 @@

ReadinessProbe

No - - - - - + +
execExecAction - -No -
httpGetHTTPGetAction
namestring No
tcpSocketTCPSocketAction
protocolstring No
initialDelaySeconds
port int32
timeoutSecondsint32
targetPortIntOrString No
periodSeconds
nodePort int32
successThresholdint32 - -No -
+
+

SessionAffinityConfig

+
+

See k8s.io.api.core.v1.SessionAffinityConfig.

+ + + + + + + + - - - + + + + +
FieldTypeDescriptionRequired
failureThresholdint32
clientIPClientIPConfig @@ -2194,8 +2574,10 @@

ReadinessProbe

-

ResourceFieldSelector

+

TCPSocketAction

+

See k8s.io.api.core.v1.TCPSocketAction.

+ @@ -2206,17 +2588,17 @@

ResourceFieldSelector

- - - + + + - - + + @@ -2224,20 +2606,13 @@

ResourceFieldSelector

No - - - - - -
containerNamestring
portIntOrString No
resource
host string
divisorQuantity - -No -
-

ResourceMetricSource

+

Toleration

+

See k8s.io.api.core.v1.Toleration.

+ @@ -2248,8 +2623,8 @@

ResourceMetricSource

- - + + @@ -2257,18 +2632,36 @@

ResourceMetricSource

No - - - + + + - - - + + + + + + + + + + + + + + +
name
key string
targetAverageUtilizationTypeInterface_kubernetes
operatorstring No
targetAverageValueQuantity
valuestring + +No +
effectstring + +No +
tolerationSecondsint64 @@ -2278,9 +2671,9 @@

ResourceMetricSource

-

Resources

+

WeightedPodAffinityTerm

-

Mirrors k8s.io.api.core.v1.ResourceRequirements for unmarshaling.

+

See k8s.io.api.core.v1.WeightedPodAffinityTerm.

@@ -2292,18 +2685,18 @@

Resources

- - - + + + - - - + + +
limitsmap<string, string>
weightint32 No
requestsmap<string, string>
podAffinityTermPodAffinityTerm @@ -2313,9 +2706,9 @@

Resources

-

RollingUpdateDeployment

+

PodSecurityContext

-

Mirrors k8s.io.api.apps.v1.RollingUpdateDeployment for unmarshaling.

+

See k8s.io.api.core.v1.PodSecurityContext.

@@ -2327,50 +2720,80 @@

RollingUpdateDeployment

- - - + + + - - - + + + - -
maxUnavailableTypeInterface_kubernetes
seLinuxOptionsSELinuxOptions No
maxSurgeTypeInterface_kubernetes
runAsUserint64 No
-
-

SecretKeySelector

-
- - - - - - - + + + + + - - - - - + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2378,9 +2801,9 @@

SecretKeySelector

No - - - + + +
FieldTypeDescriptionRequired
runAsNonRootbool + +No +
localObjectReferenceLocalObjectReference
supplementalGroupsint64[] No
key
fsGroupint64 + +No +
runAsGroupint64 + +No +
sysctlsSysctl[] + +No +
windowsOptionsWindowsSecurityContextOptions + +No +
fsGroupChangePolicy string
optionalbool
seccompProfileSeccompProfile @@ -2390,8 +2813,10 @@

SecretKeySelector

-

ServicePort

+

SELinuxOptions

+

See k8s.io.api.core.v1.SELinuxOptions.

+ @@ -2402,8 +2827,8 @@

ServicePort

- - + + @@ -2411,8 +2836,8 @@

ServicePort

No - - + + @@ -2420,27 +2845,18 @@

ServicePort

No - - - - - - - - - + + + - - - + + +
name
user string
protocol
role string
portint32 - -No -
targetPortTypeInterface_kubernetes
typestring No
nodePortint32
levelstring @@ -2450,8 +2866,10 @@

ServicePort

-

ServiceSpec

+

Sysctl

+

See k8s.io.api.core.v1.Sysctl.

+ @@ -2462,26 +2880,43 @@

ServiceSpec

- - - + + + - - - + + + - - + +
portsServicePort[]
namestring No
selectormap<string, string>
valuestring No
clusterIP
+
+

WindowsSecurityContextOptions

+
+

See k8s.io.api.core.v1.WindowsSecurityContextOptions.

+ + + + + + + + + + + + + @@ -2489,8 +2924,8 @@

ServiceSpec

No - - + + @@ -2498,17 +2933,34 @@

ServiceSpec

No - - - + + + - - + +
FieldTypeDescriptionRequired
gmsaCredentialSpecName string
type
gmsaCredentialSpec string
externalIPsstring[]
runAsUserNamestring No
sessionAffinity
+
+

SeccompProfile

+
+

See k8s.io.api.core.v1.SeccompProfile.

+ + + + + + + + + + + + + @@ -2516,8 +2968,8 @@

ServiceSpec

No - - + + @@ -2525,54 +2977,91 @@

ServiceSpec

No - - - + +
FieldTypeDescriptionRequired
type string
loadBalancerIP
localhostProfile string
loadBalancerSourceRangesstring[]
+
+

IntOrString

+
+

IntOrString is a type that can hold an int32 or a string. When used in +JSON or YAML marshalling and unmarshalling, it produces or consumes the +inner type. This allows you to have, for example, a JSON field that can +accept a name or number.

+ + + + + + + + + + + + + + - - - + + + - - - + + + - - - + +
FieldTypeDescriptionRequired
typeint64 No
externalNamestring
intValInt32Value No
externalTrafficPolicystring
strValStringValue No
healthCheckNodePortint32
+
+

InstallStatus.VersionStatus

+
+

VersionStatus is the status and version of a component.

+ + + + + + + + + + + + + + - - - + + + - - - + + +
FieldTypeDescriptionRequired
versionstring No
publishNotReadyAddressesbool
statusStatus No
sessionAffinityConfigSessionAffinityConfig
errorstring @@ -2582,7 +3071,7 @@

ServiceSpec

-

SessionAffinityConfig

+

K8sObjectOverlay.PathValue

@@ -2594,10 +3083,30 @@

SessionAffinityConfig

- - - + + + + + + + + +
clientIPClientIPConfig
pathstring +

Path of the form a.[key1:value1].b.[:value2] +Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value +selector to identify a list element in a leaf list. +All path intermediate nodes must exist.

+ +
+No +
valueValue +

Value to add, delete or replace. +For add, the path should be a new leaf. +For delete, value should be unset. +For replace, path should reference an existing node. +All values are strings but are converted into appropriate type based on schema.

+
No @@ -2606,9 +3115,14 @@

SessionAffinityConfig

-

TCPSocketAction

+

google.protobuf.Value

-

Mirrors k8s.io.api.core.v1.TCPSocketAction for unmarshaling.

+

Value represents a dynamically typed value which can be either +null, a number, a string, a boolean, a recursive struct value, or a +list of values. A producer of value is expected to set one of that +variants, absence of any variant indicates an error.

+ +

The JSON representation for Value is JSON value.

@@ -2620,65 +3134,79 @@

TCPSocketAction

- - - + + + - - - + + + - -
portTypeInterface_kubernetes
nullValueNullValue (oneof) +

Represents a null value.

+
No
hoststring
numberValuedouble (oneof) +

Represents a double value.

+
No
-
-

TypeBoolValueForPB

-
-

GOTYPE: *BoolValueForPB

- -
-

TypeIntOrStringForPB

-
-

GOTYPE: *IntOrStringForPB

- -
-

TypeInterface

-
-

GOTYPE: interface{}

+ +stringValue +string (oneof) + +

Represents a string value.

-
-

TypeInterface2

-
-

GOTYPE: interface{}

+ + +No + + + +boolValue +bool (oneof) + +

Represents a boolean value.

-
-

TypeInterface_kubernetes

-
-

GOTYPE: interface{}

+ + +No + + + +structValue +Struct (oneof) + +

Represents a structured value.

-
-

TypeMapStringInterface

-
-

GOTYPE: map[string]interface{}

+ + +No + + + +listValue +ListValue (oneof) + +

Represents a repeated Value.

+ + +No + + + +
-

TypeMapStringInterface2

+

k8s.io.api.core.v1.Volume

-

This is required because synthetic type definition has file rather than package scope. -GOTYPE: map[string]interface{}

+

Volume represents a named volume in a pod that may be accessed by any container in the pod.

-
-

WeightedPodAffinityTerm

-
@@ -2689,19 +3217,27 @@

WeightedPodAffinityTerm

- - - + + + - - - + + +
weightint32
namestring +

name of the volume. +Must be a DNS_LABEL and unique within the pod. +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

+
No
podAffinityTermPodAffinityTerm
volumeSourceVolumeSource +

volumeSource represents the location and type of the mounted volume. +If not specified, the Volume is implied to be an EmptyDir. +This implied behavior is deprecated and will be removed in a future version.

+
No @@ -2710,10 +3246,9 @@

WeightedPodAffinityTerm

-

k8s.io.api.core.v1.Toleration

+

k8s.io.api.core.v1.VolumeMount

-

The pod this Toleration is attached to tolerates any taint that matches -the triple <key,value,effect> using the matching operator <operator>.

+

VolumeMount describes a mounting of a Volume within a container.

@@ -2725,27 +3260,23 @@

k8s.io.api.core.v1.Toleration

- - + + - - - + + + @@ -2753,25 +3284,24 @@

k8s.io.api.core.v1.Toleration

No - - + + - - + + @@ -2779,14 +3309,14 @@

k8s.io.api.core.v1.Toleration

No - - - + + + @@ -2794,84 +3324,16 @@

k8s.io.api.core.v1.Toleration

No - -
key
name string -

Key is the taint key that the toleration applies to. Empty means match all taint keys. -If the key is empty, operator must be Exists; this combination means to match all values and all keys. -+optional

+

This must match the Name of a Volume.

No
operatorstring
readOnlybool -

Operator represents a key’s relationship to the value. -Valid operators are Exists and Equal. Defaults to Equal. -Exists is equivalent to wildcard for value, so that a pod can -tolerate all taints of a particular category. +

Mounted read-only if true, read-write otherwise (false or unspecified). +Defaults to false. +optional

value
mountPath string -

Value is the taint value the toleration matches to. -If the operator is Exists, the value should be empty, otherwise just a regular string. -+optional

+

Path within the container at which the volume should be mounted. Must +not contain ‘:’.

No
effect
subPath string -

Effect indicates the taint effect to match. Empty means match all taint effects. -When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. +

Path within the volume from which the container’s volume should be mounted. +Defaults to “” (volume’s root). +optional

tolerationSecondsint64
mountPropagationstring -

TolerationSeconds represents the period of time the toleration (which must be -of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, -it is not set, which means tolerate the taint forever (do not evict). Zero and -negative values will be treated as 0 (evict immediately) by the system. +

mountPropagation determines how mounts are propagated from the host +to container and the other way around. +When not set, MountPropagationNone is used. +This field is beta in 1.10. +optional

-
-

k8s.io.apimachinery.pkg.api.resource.Quantity

-
-

Quantity is a fixed-point representation of a number. -It provides convenient marshaling/unmarshaling in JSON and YAML, -in addition to String() and Int64() accessors.

- -

The serialization format is:

- -

::= - (Note that may be empty, from the “” case in .) - ::= 0 | 1 | … | 9 - ::= | - ::= | . | . | . - ::= “+” | “-” - ::= | - ::= | | - ::= Ki | Mi | Gi | Ti | Pi | Ei - (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) - ::= m | “” | k | M | G | T | P | E - (Note that 1024 = 1Ki but 1000 = 1k; I didn’t choose the capitalization.) - ::= “e” | “E”

- -

No matter which of the three exponent forms is used, no quantity may represent -a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal -places. Numbers larger or more precise will be capped or rounded up. -(E.g.: 0.1m will rounded up to 1m.) -This may be extended in the future if we require larger or smaller quantities.

- -

When a Quantity is parsed from a string, it will remember the type of suffix -it had, and will use the same type again when it is serialized.

- -

Before serializing, Quantity will be put in “canonical form”. -This means that Exponent/suffix will be adjusted up or down (with a -corresponding increase or decrease in Mantissa) such that: - a. No precision is lost - b. No fractional digits will be emitted - c. The exponent (or suffix) is as large as possible. -The sign will be omitted unless the number is negative.

- -

Examples: - 1.5 will be serialized as “1500m” - 1.5Gi will be serialized as “1536Mi”

- -

Note that the quantity will NEVER be internally represented by a -floating point number. That is the whole point of this exercise.

- -

Non-canonical values will still parse as long as they are well formed, -but will be re-emitted in their canonical form. (So always use canonical -form, or don’t diff.)

- -

This format is intended to make it difficult to use these numbers without -writing some sort of special handling code in the hopes that that will -cause implementors to also use a fixed point implementation.

- -

+protobuf=true -+protobuf.embed=string -+protobuf.options.marshal=false -+protobuf.options.(gogoproto.goproto_stringer)=false -+k8s:deepcopy-gen=true -+k8s:openapi-gen=true

- - - - - - - - - - - - - + + - +
FieldTypeDescriptionRequired
string
subPathExpr string +

Expanded path within the volume from which the container’s volume should be mounted. +Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. +Defaults to “” (volume’s root). +SubPathExpr and SubPath are mutually exclusive. ++optional

+
No @@ -2884,7 +3346,8 @@

k8s.io.apimachinery.

A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null -label selector matches no objects.

+label selector matches no objects. ++structType=atomic

@@ -2925,3 +3388,62 @@

k8s.io.apimachinery.

+

InstallStatus.Status

+
+

Status describes the current state of a component.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescription
NONE +

Component is not present.

+ +
UPDATING +

Component is being updated to a different version.

+ +
RECONCILING +

Controller has started but not yet completed reconciliation loop for the component.

+ +
HEALTHY +

Component is healthy.

+ +
ERROR +

Component is in an error state.

+ +
ACTION_REQUIRED +

Overall status only and would not be set as a component status. +Action is needed from the user for reconciliation to proceed +e.g. There are proxies still pointing to the control plane revision when try to remove an IstioOperator CR.

+ +
+
diff --git a/content/zh/docs/reference/config/labels/index.html b/content/zh/docs/reference/config/labels/index.html new file mode 100644 index 0000000000000..370ee0da3c6d8 --- /dev/null +++ b/content/zh/docs/reference/config/labels/index.html @@ -0,0 +1,125 @@ +--- +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO +source_repo: https://github.com/istio/api +title: Resource Labels +description: Resource labels used by Istio. +location: https://istio.io/docs/reference/config/labels/ +weight: 60 +--- +

+This page presents the various resource labels that +Istio supports to control its behavior. +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Label NameFeature StatusResource TypesDescription
istio.io/revAlpha[Namespace]Istio control plane revision associated with the resource; e.g. `canary`
networking.istio.io/gatewayPortAlpha[Service]IstioGatewayPortLabel overrides the default 15443 value to use for a multi-network gateway's port
service.istio.io/canonical-nameAlpha[Pod]The name of the canonical service a workload belongs to
service.istio.io/canonical-revisionAlpha[Pod]The name of a revision within a canonical service that the workload belongs to
topology.istio.io/clusterAlpha[Pod]This label is applied to a workload internally that identifies the Kubernetes cluster containing the workload. The cluster ID is specified during Istio installation for each cluster via `values.global.multiCluster.clusterName`. It should be noted that this is only used internally within Istio and is not an actual label on workload pods. If a pod contains this label, it will be overridden by Istio internally with the cluster ID specified during Istio installation. This label provides a way to select workloads by cluster when using DestinationRules. For example, a service owner could create a DestinationRule containing a subset per cluster and then use these subsets to control traffic flow to each cluster independently.
topology.istio.io/networkBeta[Namespace Pod Service]A label used to identify the network for one or more pods. This is used
internally by Istio to group pods resident in the same L3 domain/network.
Istio assumes that pods in the same network are directly reachable from
one another. When pods are in different networks, an Istio Gateway
(e.g. east-west gateway) is typically used to establish connectivity
(with AUTO_PASSTHROUGH mode). This label can be applied to the following
resources to help automate Istio's multi-network configuration.

* Istio System Namespace: Applying this label to the system namespace
establishes a default network for pods managed by the control plane.
This is typically configured during control plane installation using an
admin-specified value.

* Pod: Applying this label to a pod allows overriding the default network
on a per-pod basis. This is typically applied to the pod via webhook
injection, but can also be manually specified on the pod by the service
owner. The Istio installation in each cluster configures webhook injection
using an admin-specified value.

* Gateway Service: Applying this label to the Service for an Istio Gateway,
indicates that Istio should use this service as the gateway for the
network, when configuring cross-network traffic. Istio will configure
pods residing outside of the network to access the Gateway service
via `spec.externalIPs`, `status.loadBalancer.ingress[].ip`, or in the case
of a NodePort service, the Node's address. The label is configured when
installing the gateway (e.g. east-west gateway) and should match either
the default network for the control plane (as specified by the Istio System
Namespace label) or the network of the targeted pods.
topology.istio.io/subzoneBeta[Node]User-provided node label for identifying the locality subzone of a workload. This allows admins to specify a more granular level of locality than what is offered by default with Kubernetes regions and zones.
diff --git a/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html b/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html new file mode 100644 index 0000000000000..ea2e6136e5d29 --- /dev/null +++ b/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html @@ -0,0 +1,154 @@ +--- +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO +source_repo: https://github.com/istio/api +title: Istio Status +description: Common status field for all istio collections. +location: https://istio.io/docs/reference/config/meta/v1beta1/istio-status.html +layout: protoc-gen-docs +generator: protoc-gen-docs +number_of_entries: 2 +--- +

IstioStatus

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
conditionsIstioCondition[] +

Current service state of pod. +More info: https://istio.io/docs/reference/config/config-status/ ++optional ++patchMergeKey=type ++patchStrategy=merge

+ +
+No +
validationMessagesAnalysisMessageBase[] +

Includes any errors or warnings detected by Istio’s analyzers. ++optional ++patchMergeKey=type ++patchStrategy=merge

+ +
+No +
observedGenerationint64 +

Resource Generation to which the Reconciled Condition refers. +When this value is not equal to the object’s metadata generation, reconciled condition calculation for the current +generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info. ++optional

+ +
+No +
+
+

IstioCondition

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
typestring +

Type is the type of the condition.

+ +
+No +
statusstring +

Status is the status of the condition. +Can be True, False, Unknown.

+ +
+No +
lastProbeTimeTimestamp +

Last time we probed the condition. ++optional

+ +
+No +
lastTransitionTimeTimestamp +

Last time the condition transitioned from one status to another. ++optional

+ +
+No +
reasonstring +

Unique, one-word, CamelCase reason for the condition’s last transition. ++optional

+ +
+No +
messagestring +

Human-readable message indicating details about last transition. ++optional

+ +
+No +
+
diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html index 20a367d083a66..4d8aa4a4211e5 100644 --- a/content/zh/docs/reference/config/networking/destination-rule/index.html +++ b/content/zh/docs/reference/config/networking/destination-rule/index.html @@ -7,8 +7,8 @@ layout: protoc-gen-docs generator: protoc-gen-docs schema: istio.networking.v1alpha3.DestinationRule -aliases: [/zh/docs/reference/config/networking/v1alpha3/destination-rule.html] -number_of_entries: 19 +aliases: [/zh/docs/reference/config/networking/v1alpha3/destination-rule] +number_of_entries: 21 ---

DestinationRule defines policies that apply to traffic intended for a service after routing has occurred. These rules specify configuration @@ -17,6 +17,9 @@ balancing pool. For example, a simple load balancing policy for the ratings service would look as follows:

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -25,15 +28,36 @@
   host: ratings.prod.svc.cluster.local
   trafficPolicy:
     loadBalancer:
-      simple: LEAST_CONN
+      simple: LEAST_REQUEST
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: LEAST_REQUEST
 
+

{{}} +{{}}

+

Version specific policies can be specified by defining a named subset and overriding the settings specified at the service level. The following rule uses a round robin load balancing policy for all traffic going to a subset named testversion that is composed of endpoints (e.g., pods) with labels (version:v3).

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -42,7 +66,29 @@
   host: ratings.prod.svc.cluster.local
   trafficPolicy:
     loadBalancer:
-      simple: LEAST_CONN
+      simple: LEAST_REQUEST
+  subsets:
+  - name: testversion
+    labels:
+      version: v3
+    trafficPolicy:
+      loadBalancer:
+        simple: ROUND_ROBIN
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: LEAST_REQUEST
   subsets:
   - name: testversion
     labels:
@@ -52,6 +98,9 @@
         simple: ROUND_ROBIN
 
+

{{}} +{{}}

+

Note: Policies specified for subsets will not take effect until a route rule explicitly sends traffic to this subset.

@@ -60,6 +109,9 @@ traffic to port 80, while uses a round robin load balancing setting for traffic to the port 9080.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -71,40 +123,93 @@
     - port:
         number: 80
       loadBalancer:
-        simple: LEAST_CONN
+        simple: LEAST_REQUEST
     - port:
         number: 9080
       loadBalancer:
         simple: ROUND_ROBIN
 
-

ConnectionPoolSettings

-
-

Connection pool settings for an upstream host. The settings apply to -each individual host in the upstream service. See Envoy’s circuit -breaker -for more details. Connection pool settings can be applied at the TCP -level as well as at HTTP level.

+

{{}}

-

For example, the following rule sets a limit of 100 connections to redis -service called myredissrv with a connect timeout of 30ms

+

{{}}

-
apiVersion: networking.istio.io/v1alpha3
+
apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
-  name: bookinfo-redis
+  name: bookinfo-ratings-port
 spec:
-  host: myredissrv.prod.svc.cluster.local
-  trafficPolicy:
-    connectionPool:
-      tcp:
-        maxConnections: 100
-        connectTimeout: 30ms
-        tcpKeepalive:
-          time: 7200s
-          interval: 75s
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy: # Apply to all ports
+    portLevelSettings:
+    - port:
+        number: 80
+      loadBalancer:
+        simple: LEAST_REQUEST
+    - port:
+        number: 9080
+      loadBalancer:
+        simple: ROUND_ROBIN
+
+ +

{{}}

+ +

Destination Rules can be customized to specific workloads as well. +The following example shows how a destination rule can be applied to a +specific workload using the workloadSelector configuration.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: configure-client-mtls-dr-with-workloadselector
+  spec:
+    workloadSelector:
+      matchLabels:
+        app: ratings
+    trafficPolicy:
+      loadBalancer:
+        simple: ROUND_ROBIN
+      portLevelSettings:
+        - port:
+            number: 31443
+          tls:
+            credentialName: client-credential
+            mode: MUTUAL
+
+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: configure-client-mtls-dr-with-workloadselector
+  spec:
+    workloadSelector:
+      matchLabels:
+        app: ratings
+    trafficPolicy:
+      loadBalancer:
+        simple: ROUND_ROBIN
+      portLevelSettings:
+        - port:
+            number: 31443
+          tls:
+            credentialName: client-credential
+            mode: MUTUAL
 
+

{{}} +{{}}

+ +

DestinationRule

+
+

DestinationRule defines policies that apply to traffic intended for a service +after routing has occurred.

+ @@ -115,22 +220,92 @@

ConnectionPoolSettings

- - - + + + + + + + + + - - - + + + + + + + + + + + + + + +
tcpTCPSettings
hoststring -

Settings common to both HTTP and TCP upstream connections.

+

The name of a service from the service registry. Service +names are looked up from the platform’s service registry (e.g., +Kubernetes services, Consul services, etc.) and from the hosts +declared by ServiceEntries. Rules defined for +services that do not exist in the service registry will be ignored.

+ +

Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the “default” namespace containing a host “reviews” will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of +the actual namespace associated with the reviews service. To avoid +potential misconfigurations, it is recommended to always use fully +qualified domain names over short names.

+ +

Note that the host field applies to both HTTP and TCP services.

+ +
+Yes +
trafficPolicyTrafficPolicy +

Traffic policies to apply (load balancing policy, connection pool +sizes, outlier detection).

No
httpHTTPSettings
subsetsSubset[] -

HTTP connection pool settings.

+

One or more named sets that represent individual versions of a +service. Traffic policies can be overridden at subset level.

+ +
+No +
exportTostring[] +

A list of namespaces to which this destination rule is exported. +The resolution of a destination rule to apply to a service occurs in the +context of a hierarchy of namespaces. Exporting a destination rule allows +it to be included in the resolution hierarchy for services in +other namespaces. This feature provides a mechanism for service owners +and mesh administrators to control the visibility of destination rules +across namespace boundaries.

+ +

If no namespaces are specified then the destination rule is exported to all +namespaces by default.

+ +

The value “.” is reserved and defines an export to the same namespace that +the destination rule is declared in. Similarly, the value “*” is reserved and +defines an export to all namespaces.

+ +
+No +
workloadSelectorWorkloadSelector +

Criteria used to select the specific set of pods/VMs on which this + DestinationRule configuration should be applied. If specified, the DestinationRule + configuration will be applied only to the workload instances matching the workload selector + label in the same namespace. Workload selectors do not apply across namespace boundaries. + If omitted, the DestinationRule falls back to its default behavior. + For example, if specific sidecars need to have egress TLS settings for services outside + of the mesh, instead of every sidecar in the mesh needing to have the + configuration (which is the default behaviour), a workload selector can be specified.

@@ -140,9 +315,10 @@

ConnectionPoolSettings

-

ConnectionPoolSettings.HTTPSettings

+

TrafficPolicy

-

Settings applicable to HTTP1.1/HTTP2/GRPC connections.

+

Traffic policies to apply for a specific destination, across all +destination ports. See DestinationRule for examples.

@@ -154,71 +330,72 @@

ConnectionPoolSettings.HTTPSettings

- - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + +
http1MaxPendingRequestsint32
loadBalancerLoadBalancerSettings -

Maximum number of pending HTTP requests to a destination. Default 2^32-1.

+

Settings controlling the load balancer algorithms.

No
http2MaxRequestsint32
connectionPoolConnectionPoolSettings -

Maximum number of requests to a backend. Default 2^32-1.

+

Settings controlling the volume of connections to an upstream service

No
maxRequestsPerConnectionint32
outlierDetectionOutlierDetection -

Maximum number of requests per connection to a backend. Setting this -parameter to 1 disables keep alive. Default 0, meaning “unlimited”, -up to 2^29.

+

Settings controlling eviction of unhealthy hosts from the load balancing pool

No
maxRetriesint32
tlsClientTLSSettings -

Maximum number of retries that can be outstanding to all hosts in a -cluster at a given time. Defaults to 2^32-1.

+

TLS related settings for connections to the upstream service.

No
idleTimeoutDuration
portLevelSettingsPortTrafficPolicy[] -

The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. -If not set, the default is 1 hour. When the idle timeout is reached the connection will be closed. -Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

+

Traffic policies specific to individual ports. Note that port level +settings will override the destination-level settings. Traffic +settings specified at the destination-level will not be inherited when +overridden by port-level settings, i.e. default values will be applied +to fields omitted in port-level traffic policies.

No
h2UpgradePolicyH2UpgradePolicy
tunnelTunnelSettings -

Specify if http1.1 connection should be upgraded to http2 for the associated destination.

+

Configuration of tunneling TCP over other transport or application layers +for the host configured in the DestinationRule. +Tunnel settings can be applied to TCP or TLS routes and can’t be applied to HTTP routes.

@@ -228,47 +405,680 @@

ConnectionPoolSettings.HTTPSettings

-

ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy

+

Subset

-

Policy for upgrading http1.1 connections to http2.

- - - - - - - - - - - - - - - - - - - - - - -
NameDescription
DEFAULT -

Use the global default.

+

A subset of endpoints of a service. Subsets can be used for scenarios +like A/B testing, or routing to a specific version of a service. Refer +to VirtualService documentation for examples of using +subsets in these scenarios. In addition, traffic policies defined at the +service-level can be overridden at a subset-level. The following rule +uses a round robin load balancing policy for all traffic going to a +subset named testversion that is composed of endpoints (e.g., pods) with +labels (version:v3).

-
DO_NOT_UPGRADE -

Do not upgrade the connection to http2. -This opt-out option overrides the default.

+

{{}} +{{}}

-
UPGRADE -

Upgrade the connection to http2. -This opt-in option overrides the default.

+
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: LEAST_REQUEST
+  subsets:
+  - name: testversion
+    labels:
+      version: v3
+    trafficPolicy:
+      loadBalancer:
+        simple: ROUND_ROBIN
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: LEAST_REQUEST
+  subsets:
+  - name: testversion
+    labels:
+      version: v3
+    trafficPolicy:
+      loadBalancer:
+        simple: ROUND_ROBIN
+
+ +

{{}} +{{}}

+ +

Note: Policies specified for subsets will not take effect until +a route rule explicitly sends traffic to this subset.

+ +

One or more labels are typically required to identify the subset destination, +however, when the corresponding DestinationRule represents a host that +supports multiple SNI hosts (e.g., an egress gateway), a subset without labels +may be meaningful. In this case a traffic policy with ClientTLSSettings +can be used to identify a specific SNI host corresponding to the named subset.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring +

Name of the subset. The service name and the subset name can +be used for traffic splitting in a route rule.

+ +
+Yes +
labelsmap<string, string> +

Labels apply a filter over the endpoints of a service in the +service registry. See route rules for examples of usage.

+ +
+No +
trafficPolicyTrafficPolicy +

Traffic policies that apply to this subset. Subsets inherit the +traffic policies specified at the DestinationRule level. Settings +specified at the subset level will override the corresponding settings +specified at the DestinationRule level.

+ +
+No +
+ +

LoadBalancerSettings

+
+

Load balancing policies to apply for a specific destination. See Envoy’s +load balancing +documentation +for more details.

+ +

For example, the following rule uses a round robin load balancing policy +for all traffic going to the ratings service.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: ROUND_ROBIN
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      simple: ROUND_ROBIN
+
+ +

{{}} +{{}}

+ +

The following example sets up sticky sessions for the ratings service +hashing-based load balancer for the same ratings service using the +the User cookie as the hash key.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpCookie:
+          name: user
+          ttl: 0s
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-ratings
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpCookie:
+          name: user
+          ttl: 0s
+
+ +

{{}} +{{}}

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
simpleSimpleLB (oneof) + +No +
consistentHashConsistentHashLB (oneof) + +No +
localityLbSettingLocalityLoadBalancerSetting +

Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed +between this object and the object one in MeshConfig

+ +
+No +
warmupDurationSecsDuration +

Represents the warmup duration of Service. If set, the newly created endpoint of service +remains in warmup mode starting from its creation time for the duration of this window and +Istio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic. +This should be enabled for services that require warm up time to serve full production load with reasonable latency. +Currently this is only supported for ROUND_ROBIN and LEAST_CONN load balancers.

+ +
+No +
+
+

ConnectionPoolSettings

+
+

Connection pool settings for an upstream host. The settings apply to +each individual host in the upstream service. See Envoy’s circuit +breaker +for more details. Connection pool settings can be applied at the TCP +level as well as at HTTP level.

+ +

For example, the following rule sets a limit of 100 connections to redis +service called myredissrv with a connect timeout of 30ms

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: bookinfo-redis
+spec:
+  host: myredissrv.prod.svc.cluster.local
+  trafficPolicy:
+    connectionPool:
+      tcp:
+        maxConnections: 100
+        connectTimeout: 30ms
+        tcpKeepalive:
+          time: 7200s
+          interval: 75s
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: bookinfo-redis
+spec:
+  host: myredissrv.prod.svc.cluster.local
+  trafficPolicy:
+    connectionPool:
+      tcp:
+        maxConnections: 100
+        connectTimeout: 30ms
+        tcpKeepalive:
+          time: 7200s
+          interval: 75s
+
+ +

{{}} +{{}}

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
tcpTCPSettings +

Settings common to both HTTP and TCP upstream connections.

+ +
+No +
httpHTTPSettings +

HTTP connection pool settings.

+ +
+No +
+
+

OutlierDetection

+
+

A Circuit breaker implementation that tracks the status of each +individual host in the upstream service. Applicable to both HTTP and +TCP services. For HTTP services, hosts that continually return 5xx +errors for API calls are ejected from the pool for a pre-defined period +of time. For TCP services, connection timeouts or connection +failures to a given host counts as an error when measuring the +consecutive errors metric. See Envoy’s outlier +detection +for more details.

+ +

The following rule sets a connection pool size of 100 HTTP1 connections +with no more than 10 req/connection to the “reviews” service. In addition, +it sets a limit of 1000 concurrent HTTP2 requests and configures upstream +hosts to be scanned every 5 mins so that any host that fails 7 consecutive +times with a 502, 503, or 504 error code will be ejected for 15 minutes.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: reviews-cb-policy
+spec:
+  host: reviews.prod.svc.cluster.local
+  trafficPolicy:
+    connectionPool:
+      tcp:
+        maxConnections: 100
+      http:
+        http2MaxRequests: 1000
+        maxRequestsPerConnection: 10
+    outlierDetection:
+      consecutive5xxErrors: 7
+      interval: 5m
+      baseEjectionTime: 15m
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: reviews-cb-policy
+spec:
+  host: reviews.prod.svc.cluster.local
+  trafficPolicy:
+    connectionPool:
+      tcp:
+        maxConnections: 100
+      http:
+        http2MaxRequests: 1000
+        maxRequestsPerConnection: 10
+    outlierDetection:
+      consecutive5xxErrors: 7
+      interval: 5m
+      baseEjectionTime: 15m
+
+ +

{{}} +{{}}

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
splitExternalLocalOriginErrorsbool +

Determines whether to distinguish local origin failures from external errors. If set to true +consecutive_local_origin_failure is taken into account for outlier detection calculations. +This should be used when you want to derive the outlier detection status based on the errors +seen locally such as failure to connect, timeout while connecting etc. rather than the status code +retuned by upstream service. This is especially useful when the upstream service explicitly returns +a 5xx for some requests and you want to ignore those responses from upstream service while determining +the outlier detection status of a host. +Defaults to false.

+ +
+No +
consecutiveLocalOriginFailuresUInt32Value +

The number of consecutive locally originated failures before ejection +occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors +is set to true.

+ +
+No +
consecutiveGatewayErrorsUInt32Value +

Number of gateway errors before a host is ejected from the connection pool. +When the upstream host is accessed over HTTP, a 502, 503, or 504 return +code qualifies as a gateway error. When the upstream host is accessed over +an opaque TCP connection, connect timeouts and connection error/failure +events qualify as a gateway error. +This feature is disabled by default or when set to the value 0.

+ +

Note that consecutive_gateway_errors and consecutive_5xx_errors can be +used separately or together. Because the errors counted by +consecutive_gateway_errors are also included in consecutive_5xx_errors, +if the value of consecutive_gateway_errors is greater than or equal to +the value of consecutive_5xx_errors, consecutive_gateway_errors will have +no effect.

+ +
+No +
consecutive5xxErrorsUInt32Value +

Number of 5xx errors before a host is ejected from the connection pool. +When the upstream host is accessed over an opaque TCP connection, connect +timeouts, connection error/failure and request failure events qualify as a +5xx error. +This feature defaults to 5 but can be disabled by setting the value to 0.

+ +

Note that consecutive_gateway_errors and consecutive_5xx_errors can be +used separately or together. Because the errors counted by +consecutive_gateway_errors are also included in consecutive_5xx_errors, +if the value of consecutive_gateway_errors is greater than or equal to +the value of consecutive_5xx_errors, consecutive_gateway_errors will have +no effect.

+ +
+No +
intervalDuration +

Time interval between ejection sweep analysis. format: +1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

+ +
+No +
baseEjectionTimeDuration +

Minimum ejection duration. A host will remain ejected for a period +equal to the product of minimum ejection duration and the number of +times the host has been ejected. This technique allows the system to +automatically increase the ejection period for unhealthy upstream +servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.

+ +
+No +
maxEjectionPercentint32 +

Maximum % of hosts in the load balancing pool for the upstream +service that can be ejected. Defaults to 10%.

+ +
+No +
minHealthPercentint32 +

Outlier detection will be enabled as long as the associated load balancing +pool has at least min_health_percent hosts in healthy mode. When the +percentage of healthy hosts in the load balancing pool drops below this +threshold, outlier detection will be disabled and the proxy will load balance +across all hosts in the pool (healthy and unhealthy). The threshold can be +disabled by setting it to 0%. The default is 0% as it’s not typically +applicable in k8s environments with few pods per service.

+ +
+No +
+
+

ClientTLSSettings

+
+

SSL/TLS related settings for upstream connections. See Envoy’s TLS +context +for more details. These settings are common to both HTTP and TCP upstreams.

+ +

For example, the following rule configures a client to use mutual TLS +for connections to upstream database cluster.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: db-mtls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: MUTUAL
+      clientCertificate: /etc/certs/myclientcert.pem
+      privateKey: /etc/certs/client_private_key.pem
+      caCertificates: /etc/certs/rootcacerts.pem
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: db-mtls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: MUTUAL
+      clientCertificate: /etc/certs/myclientcert.pem
+      privateKey: /etc/certs/client_private_key.pem
+      caCertificates: /etc/certs/rootcacerts.pem
+
+ +

{{}} +{{}}

+ +

The following rule configures a client to use TLS when talking to a +foreign service whose domain matches *.foo.com.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: tls-foo
+spec:
+  host: "*.foo.com"
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: tls-foo
+spec:
+  host: "*.foo.com"
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+
+ +

{{}} +{{}}

+ +

The following rule configures a client to use Istio mutual TLS when talking +to rating services.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: ratings-istio-mtls
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+
-
-
-

ConnectionPoolSettings.TCPSettings

-
-

Settings common to both HTTP and TCP upstream connections.

+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: ratings-istio-mtls
+spec:
+  host: ratings.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+
+ +

{{}} +{{}}

@@ -280,33 +1090,126 @@

ConnectionPoolSettings.TCPSettings

- - - + + + + + + + + + - - - + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
maxConnectionsint32
modeTLSmode -

Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.

+

Indicates whether connections to this port should be secured +using TLS. The value of this field determines how TLS is enforced.

+ +
+Yes +
clientCertificatestring +

REQUIRED if mode is MUTUAL. The path to the file holding the +client-side TLS certificate to use. +Should be empty if mode is ISTIO_MUTUAL.

No
connectTimeoutDuration
privateKeystring -

TCP connection timeout.

+

REQUIRED if mode is MUTUAL. The path to the file holding the +client’s private key. +Should be empty if mode is ISTIO_MUTUAL.

No
tcpKeepaliveTcpKeepalive
caCertificatesstring -

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

+

OPTIONAL: The path to the file containing certificate authority +certificates to use in verifying a presented server certificate. If +omitted, the proxy will not verify the server’s certificate. +Should be empty if mode is ISTIO_MUTUAL.

+ +
+No +
credentialNamestring +

The name of the secret that holds the TLS certs for the +client including the CA certificates. Secret must exist in the +same namespace with the proxy using the certificates. +The secret (of type generic)should contain the +following keys and values: key: <privateKey>, +cert: <clientCert>, cacert: <CACertificate>. +Here CACertificate is used to verify the server certificate. +Secret of type tls for client certificates along with +ca.crt key for CA certificates is also supported. +Only one of client certificates and CA certificate +or credentialName can be specified.

+ +

NOTE: This field is applicable at sidecars only if +DestinationRule has a workloadSelector specified. +Otherwise the field will be applicable only at gateways, and +sidecars will continue to use the certificate paths.

+ +
+No +
subjectAltNamesstring[] +

A list of alternate names to verify the subject identity in the +certificate. If specified, the proxy will verify that the server +certificate’s subject alt name matches one of the specified values. +If specified, this list overrides the value of subject_alt_names +from the ServiceEntry.

+ +
+No +
snistring +

SNI string to present to the server during TLS handshake.

+ +
+No +
insecureSkipVerifyBoolValue +

InsecureSkipVerify specifies whether the proxy should skip verifying the +CA signature and SAN for the server certificate corresponding to the host. +This flag should only be set if global CA signature verifcation is +enabled, VerifyCertAtClient environmental variable is set to true, +but no verification is desired for a specific host. If enabled with or +without VerifyCertAtClient enabled, verification of the CA signature and +SAN will be skipped.

+ +

InsecureSkipVerify is false by default. +VerifyCertAtClient is false by default in Istio version 1.9 but will +be true by default in a later version where, going forward, it will be +enabled by default.

@@ -316,9 +1219,54 @@

ConnectionPoolSettings.TCPSettings

-

ConnectionPoolSettings.TCPSettings.TcpKeepalive

+

LocalityLoadBalancerSetting

-

TCP keepalive.

+

Locality-weighted load balancing allows administrators to control the +distribution of traffic to endpoints based on the localities of where the +traffic originates and where it will terminate. These localities are +specified using arbitrary labels that designate a hierarchy of localities in +{region}/{zone}/{sub-zone} form. For additional detail refer to +Locality Weight +The following example shows how to setup locality weights mesh-wide.

+ +

Given a mesh with workloads and their service deployed to “us-west/zone1/” +and “us-west/zone2/”. This example specifies that when traffic accessing a +service originates from workloads in “us-west/zone1/”, 80% of the traffic +will be sent to endpoints in “us-west/zone1/”, i.e the same zone, and the +remaining 20% will go to endpoints in “us-west/zone2/”. This setup is +intended to favor routing traffic to endpoints in the same locality. +A similar setting is specified for traffic originating in “us-west/zone2/”.

+ +
  distribute:
+    - from: us-west/zone1/*
+      to:
+        "us-west/zone1/*": 80
+        "us-west/zone2/*": 20
+    - from: us-west/zone2/*
+      to:
+        "us-west/zone1/*": 20
+        "us-west/zone2/*": 80
+
+ +

If the goal of the operator is not to distribute load across zones and +regions but rather to restrict the regionality of failover to meet other +operational requirements an operator can set a ‘failover’ policy instead of +a ‘distribute’ policy.

+ +

The following example sets up a locality failover policy for regions. +Assume a service resides in zones within us-east, us-west & eu-west +this example specifies that when endpoints within us-east become unhealthy +traffic should failover to endpoints in any zone or sub-zone within eu-west +and similarly us-west should failover to us-east.

+ +
 failover:
+   - from: us-east
+     to: eu-west
+   - from: us-west
+     to: us-east
+
+ +

Locality load balancing settings.

@@ -330,39 +1278,93 @@

ConnectionPoolSettings.

- - - + + + - - - + + + - - - + + + + + + + + +
probesuint32
distributeDistribute[] -

Maximum number of keepalive probes to send without response before -deciding the connection is dead. Default is to use the OS level configuration -(unless overridden, Linux defaults to 9.)

+

Optional: only one of distribute, failover or failoverPriority can be set. +Explicitly specify loadbalancing weight across different zones and geographical locations. +Refer to Locality weighted load balancing +If empty, the locality weight is set according to the endpoints number within it.

No
timeDuration
failoverFailover[] -

The time duration a connection needs to be idle before keep-alive -probes start being sent. Default is to use the OS level configuration -(unless overridden, Linux defaults to 7200s (ie 2 hours.)

+

Optional: only one of distribute, failover or failoverPriority can be set. +Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. +Should be used together with OutlierDetection to detect unhealthy endpoints. +Note: if no OutlierDetection specified, this will not take effect.

No
intervalDuration
failoverPrioritystring[] -

The time duration between keep-alive probes. -Default is to use the OS level configuration -(unless overridden, Linux defaults to 75s.)

+

failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. +This is to support traffic failover across different groups of endpoints. +Suppose there are total N labels specified:

+ +
    +
  1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
  2. +
  3. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
  4. +
  5. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
  6. +
  7. All the other endpoints have priority P(N) i.e. lowest priority.
  8. +
+ +

Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

+ +

It can be any label specified on both client and server workloads. +The following labels which have special semantic meaning are also supported:

+ +
    +
  • topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
  • +
  • topology.istio.io/cluster is used to match the clusterID of an endpoint, which can be specified by pod label topology.istio.io/cluster or pod env ISTIO_META_CLUSTER_ID.
  • +
  • topology.kubernetes.io/region is used to match the region metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/region or the deprecated label failure-domain.beta.kubernetes.io/region.
  • +
  • topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
  • +
  • topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
  • +
+ +

The below topology config indicates the following priority levels:

+ +
failoverPriority:
+- "topology.istio.io/network"
+- "topology.kubernetes.io/region"
+- "topology.kubernetes.io/zone"
+- "topology.istio.io/subzone"
+
+ +
    +
  1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
  2. +
  3. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
  4. +
  5. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
  6. +
  7. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
  8. +
  9. all the other endpoints have the same lowest priority.
  10. +
+ +

Optional: only one of distribute, failover or failoverPriority can be set. +And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

+ +
+No +
enabledBoolValue +

enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. +e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.

@@ -372,10 +1374,9 @@

ConnectionPoolSettings.

-

DestinationRule

+

TrafficPolicy.PortTrafficPolicy

-

DestinationRule defines policies that apply to traffic intended for a service -after routing has occurred.

+

Traffic policies that apply to specific ports of the service

@@ -387,77 +1388,56 @@

DestinationRule

- - - + + + - - - + + + - - - + + + - - - - + + + + + + + + +
hoststring
portPortSelector -

The name of a service from the service registry. Service -names are looked up from the platform’s service registry (e.g., -Kubernetes services, Consul services, etc.) and from the hosts -declared by ServiceEntries. Rules defined for -services that do not exist in the service registry will be ignored.

- -

Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews” will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfigurations, it is recommended to always use fully -qualified domain names over short names.

- -

Note that the host field applies to both HTTP and TCP services.

+

Specifies the number of a port on the destination service +on which this policy is being applied.

-Yes +No
trafficPolicyTrafficPolicy
loadBalancerLoadBalancerSettings -

Traffic policies to apply (load balancing policy, connection pool -sizes, outlier detection).

+

Settings controlling the load balancer algorithms.

No
subsetsSubset[]
connectionPoolConnectionPoolSettings -

One or more named sets that represent individual versions of a -service. Traffic policies can be overridden at subset level.

+

Settings controlling the volume of connections to an upstream service

No
exportTostring[] -

A list of namespaces to which this destination rule is exported. -The resolution of a destination rule to apply to a service occurs in the -context of a hierarchy of namespaces. Exporting a destination rule allows -it to be included in the resolution hierarchy for services in -other namespaces. This feature provides a mechanism for service owners -and mesh administrators to control the visibility of destination rules -across namespace boundaries.

- -

If no namespaces are specified then the destination rule is exported to all -namespaces by default.

- -

The value “.” is reserved and defines an export to the same namespace that -the destination rule is declared in. Similarly, the value “*” is reserved and -defines an export to all namespaces.

+
outlierDetectionOutlierDetection +

Settings controlling eviction of unhealthy hosts from the load balancing pool

-

NOTE: in the current release, the exportTo value is restricted to -“.” or “*” (i.e., the current namespace or all namespaces).

+
+No +
tlsClientTLSSettings +

TLS related settings for connections to the upstream service.

@@ -467,45 +1447,8 @@

DestinationRule

-

LoadBalancerSettings

+

TrafficPolicy.TunnelSettings

-

Load balancing policies to apply for a specific destination. See Envoy’s -load balancing -documentation -for more details.

- -

For example, the following rule uses a round robin load balancing policy -for all traffic going to the ratings service.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: ROUND_ROBIN
-
- -

The following example sets up sticky sessions for the ratings service -hashing-based load balancer for the same ratings service using the -the User cookie as the hash key.

- -
 apiVersion: networking.istio.io/v1alpha3
- kind: DestinationRule
- metadata:
-   name: bookinfo-ratings
- spec:
-   host: ratings.prod.svc.cluster.local
-   trafficPolicy:
-     loadBalancer:
-       consistentHash:
-         httpCookie:
-           name: user
-           ttl: 0s
-
- @@ -516,34 +1459,42 @@

LoadBalancerSettings

- - - + + + - - - + + + - - - + + + @@ -553,8 +1504,7 @@

LoadBalancerSettings.ConsistentHa

Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other -properties. This load balancing policy is applicable only for HTTP -connections. The affinity to a particular destination host will be +properties. The affinity to a particular destination host will be lost when one or more hosts are added/removed from the destination service.

@@ -576,7 +1526,7 @@

LoadBalancerSettings.ConsistentHa

@@ -587,18 +1537,30 @@

LoadBalancerSettings.ConsistentHa

+ + + + + +
@@ -671,203 +1633,9 @@

LoadBalancerSettings.C

simpleSimpleLB (oneof)
protocolstring +

Specifies which protocol to use for tunneling the downstream connection. +Supported protocols are: + connect - uses HTTP CONNECT; + post - uses HTTP POST. +HTTP version for upstream requests is determined by the service protocol defined for the proxy.

+
Yes
consistentHashConsistentHashLB (oneof)
targetHoststring +

Specifies a host to which the downstream connection is tunneled. +Target host must be an FQDN or IP address.

+
Yes
localityLbSettingLocalityLoadBalancerSetting
targetPortuint32 -

Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed -between this object and the object one in MeshConfig

+

Specifies a port to which the downstream connection is tunneled.

-No +Yes
-Yes +No
useSourceIp bool (oneof) -

Hash based on the source IP address.

+

Hash based on the source IP address. +This is applicable for both TCP and HTTP connections.

-Yes +No +
httpQueryParameterNamestring (oneof) +

Hash based on a specific HTTP query parameter.

+ +
+No
-

LoadBalancerSettings.SimpleLB

-
-

Standard load balancing algorithms that require no tuning.

- - - - - - - - - - - - - - - - - - - - - - - - - - -
NameDescription
ROUND_ROBIN -

Round Robin policy. Default

- -
LEAST_CONN -

The least request load balancer uses an O(1) algorithm which selects -two random healthy hosts and picks the host which has fewer active -requests.

- -
RANDOM -

The random load balancer selects a random healthy host. The random -load balancer generally performs better than round robin if no health -checking policy is configured.

- -
PASSTHROUGH -

This option will forward the connection to the original IP address -requested by the caller without doing any form of load -balancing. This option must be used with care. It is meant for -advanced use cases. Refer to Original Destination load balancer in -Envoy for further details.

- -
-
-

LocalityLoadBalancerSetting

-
-

Locality-weighted load balancing allows administrators to control the -distribution of traffic to endpoints based on the localities of where the -traffic originates and where it will terminate. These localities are -specified using arbitrary labels that designate a hierarchy of localities in -{region}/{zone}/{sub-zone} form. For additional detail refer to -Locality Weight -The following example shows how to setup locality weights mesh-wide.

- -

Given a mesh with workloads and their service deployed to “us-west/zone1/” -and “us-west/zone2/”. This example specifies that when traffic accessing a -service originates from workloads in “us-west/zone1/”, 80% of the traffic -will be sent to endpoints in “us-west/zone1/”, i.e the same zone, and the -remaining 20% will go to endpoints in “us-west/zone2/”. This setup is -intended to favor routing traffic to endpoints in the same locality. -A similar setting is specified for traffic originating in “us-west/zone2/”.

- -
  distribute:
-    - from: us-west/zone1/*
-      to:
-        "us-west/zone1/*": 80
-        "us-west/zone2/*": 20
-    - from: us-west/zone2/*
-      to:
-        "us-west/zone1/*": 20
-        "us-west/zone2/*": 80
-
- -

If the goal of the operator is not to distribute load across zones and -regions but rather to restrict the regionality of failover to meet other -operational requirements an operator can set a ‘failover’ policy instead of -a ‘distribute’ policy.

- -

The following example sets up a locality failover policy for regions. -Assume a service resides in zones within us-east, us-west & eu-west -this example specifies that when endpoints within us-east become unhealthy -traffic should failover to endpoints in any zone or sub-zone within eu-west -and similarly us-west should failover to us-east.

- -
 failover:
-   - from: us-east
-     to: eu-west
-   - from: us-west
-     to: us-east
-
- -

Locality load balancing settings.

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
distributeDistribute[] -

Optional: only one of distribute or failover can be set. -Explicitly specify loadbalancing weight across different zones and geographical locations. -Refer to Locality weighted load balancing -If empty, the locality weight is set according to the endpoints number within it.

- -
-No -
failoverFailover[] -

Optional: only failover or distribute can be set. -Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. -Should be used together with OutlierDetection to detect unhealthy endpoints. -Note: if no OutlierDetection specified, this will not take effect.

- -
-No -
-
-

LocalityLoadBalancerSetting.Distribute

-
-

Describes how traffic originating in the ‘from’ zone or sub-zone is -distributed over a set of ‘to’ zones. Syntax for specifying a zone is -{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any -segment of the specification. Examples: -* - matches all localities -us-west/* - all zones and sub-zones within the us-west region -us-west/zone-1/* - all sub-zones within us-west/zone-1

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
fromstring -

Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

- -
-No -
tomap<string, uint32> -

Map of upstream localities to traffic distribution weights. The sum of -all weights should be == 100. Any locality not assigned a weight will -receive no traffic.

- -
-No -
-
-

LocalityLoadBalancerSetting.Failover

+

ConnectionPoolSettings.TCPSettings

-

Specify the traffic failover policy across regions. Since zone and sub-zone -failover is supported by default this only needs to be specified for -regions when the operator needs to constrain traffic failover so that -the default behavior of failing over to any endpoint globally does not -apply. This is useful when failing over traffic across regions would not -improve service health or may need to be restricted for other reasons -like regulatory controls.

+

Settings common to both HTTP and TCP upstream connections.

@@ -879,23 +1647,34 @@

LocalityLoadBalancerSetting.Failov

- - - + + + - - - + + + + + + + + +
fromstring
maxConnectionsint32 -

Originating region.

+

Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.

No
tostring
connectTimeoutDuration -

Destination region the traffic will fail over to when endpoints in -the ‘from’ region becomes unhealthy.

+

TCP connection timeout. format: +1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

+ +
+No +
tcpKeepaliveTcpKeepalive +

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

@@ -905,42 +1684,9 @@

LocalityLoadBalancerSetting.Failov

-

OutlierDetection

+

ConnectionPoolSettings.HTTPSettings

-

A Circuit breaker implementation that tracks the status of each -individual host in the upstream service. Applicable to both HTTP and -TCP services. For HTTP services, hosts that continually return 5xx -errors for API calls are ejected from the pool for a pre-defined period -of time. For TCP services, connection timeouts or connection -failures to a given host counts as an error when measuring the -consecutive errors metric. See Envoy’s outlier -detection -for more details.

- -

The following rule sets a connection pool size of 100 HTTP1 connections -with no more than 10 req/connection to the “reviews” service. In addition, -it sets a limit of 1000 concurrent HTTP2 requests and configures upstream -hosts to be scanned every 5 mins so that any host that fails 7 consecutive -times with a 502, 503, or 504 error code will be ejected for 15 minutes.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: reviews-cb-policy
-spec:
-  host: reviews.prod.svc.cluster.local
-  trafficPolicy:
-    connectionPool:
-      tcp:
-        maxConnections: 100
-      http:
-        http2MaxRequests: 1000
-        maxRequestsPerConnection: 10
-    outlierDetection:
-      consecutiveErrors: 7
-      interval: 5m
-      baseEjectionTime: 15m
-
+

Settings applicable to HTTP1.1/HTTP2/GRPC connections.

@@ -952,160 +1698,88 @@

OutlierDetection

- - + + - - - - - - - - - + + + - - + + - - + + - -
consecutiveErrors
http1MaxPendingRequests int32 -

Number of errors before a host is ejected from the connection -pool. Defaults to 5. When the upstream host is accessed over HTTP, a -502, 503, or 504 return code qualifies as an error. When the upstream host -is accessed over an opaque TCP connection, connect timeouts and -connection error/failure events qualify as an error.

- -
-No -
intervalDuration -

Time interval between ejection sweep analysis. format: -1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

+

Maximum number of pending HTTP requests to a destination. Default 2^32-1.

No
baseEjectionTimeDuration
http2MaxRequestsint32 -

Minimum ejection duration. A host will remain ejected for a period -equal to the product of minimum ejection duration and the number of -times the host has been ejected. This technique allows the system to -automatically increase the ejection period for unhealthy upstream -servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.

+

Maximum number of requests to a backend. Default 2^32-1.

No
maxEjectionPercent
maxRequestsPerConnection int32 -

Maximum % of hosts in the load balancing pool for the upstream -service that can be ejected. Defaults to 10%.

+

Maximum number of requests per connection to a backend. Setting this +parameter to 1 disables keep alive. Default 0, meaning “unlimited”, +up to 2^29.

No
minHealthPercent
maxRetries int32 -

Outlier detection will be enabled as long as the associated load balancing -pool has at least minhealthpercent hosts in healthy mode. When the -percentage of healthy hosts in the load balancing pool drops below this -threshold, outlier detection will be disabled and the proxy will load balance -across all hosts in the pool (healthy and unhealthy). The threshold can be -disabled by setting it to 0%. The default is 0% as it’s not typically -applicable in k8s environments with few pods per service.

+

Maximum number of retries that can be outstanding to all hosts in a +cluster at a given time. Defaults to 2^32-1.

No
-
-

Subset

-
-

A subset of endpoints of a service. Subsets can be used for scenarios -like A/B testing, or routing to a specific version of a service. Refer -to VirtualService documentation for examples of using -subsets in these scenarios. In addition, traffic policies defined at the -service-level can be overridden at a subset-level. The following rule -uses a round robin load balancing policy for all traffic going to a -subset named testversion that is composed of endpoints (e.g., pods) with -labels (version:v3).

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: LEAST_CONN
-  subsets:
-  - name: testversion
-    labels:
-      version: v3
-    trafficPolicy:
-      loadBalancer:
-        simple: ROUND_ROBIN
-
- -

Note: Policies specified for subsets will not take effect until -a route rule explicitly sends traffic to this subset.

- -

One or more labels are typically required to identify the subset destination, -however, when the corresponding DestinationRule represents a host that -supports multiple SNI hosts (e.g., an egress gateway), a subset without labels -may be meaningful. In this case a traffic policy with TLSSettings -can be used to identify a specific SNI host corresponding to the named subset.

- - - - - - - - - - - - - - + + + - - - + + + - - - + + +
FieldTypeDescriptionRequired
namestring
idleTimeoutDuration -

Name of the subset. The service name and the subset name can -be used for traffic splitting in a route rule.

+

The idle timeout for upstream connection pool connections. The idle timeout +is defined as the period in which there are no active requests. +If not set, the default is 1 hour. When the idle timeout is reached, +the connection will be closed. If the connection is an HTTP/2 +connection a drain sequence will occur prior to closing the connection. +Note that request based timeouts mean that HTTP/2 PINGs will not +keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

-Yes +No
labelsmap<string, string>
h2UpgradePolicyH2UpgradePolicy -

Labels apply a filter over the endpoints of a service in the -service registry. See route rules for examples of usage.

+

Specify if http1.1 connection should be upgraded to http2 for the associated destination.

No
trafficPolicyTrafficPolicy
useClientProtocolbool -

Traffic policies that apply to this subset. Subsets inherit the -traffic policies specified at the DestinationRule level. Settings -specified at the subset level will override the corresponding settings -specified at the DestinationRule level.

+

If set to true, client protocol will be preserved while initiating connection to backend. +Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client +connections will not be upgraded to http2.

@@ -1115,56 +1789,9 @@

Subset

-

TLSSettings

+

ConnectionPoolSettings.TCPSettings.TcpKeepalive

-

SSL/TLS related settings for upstream connections. See Envoy’s TLS -context -for more details. These settings are common to both HTTP and TCP upstreams.

- -

For example, the following rule configures a client to use mutual TLS -for connections to upstream database cluster.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: db-mtls
-spec:
-  host: mydbserver.prod.svc.cluster.local
-  trafficPolicy:
-    tls:
-      mode: MUTUAL
-      clientCertificate: /etc/certs/myclientcert.pem
-      privateKey: /etc/certs/client_private_key.pem
-      caCertificates: /etc/certs/rootcacerts.pem
-
- -

The following rule configures a client to use TLS when talking to a -foreign service whose domain matches *.foo.com.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: tls-foo
-spec:
-  host: "*.foo.com"
-  trafficPolicy:
-    tls:
-      mode: SIMPLE
-
- -

The following rule configures a client to use Istio mutual TLS when talking -to rating services.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: ratings-istio-mtls
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    tls:
-      mode: ISTIO_MUTUAL
-
+

TCP keepalive.

@@ -1176,78 +1803,89 @@

TLSSettings

- - - - - - - - - + + + - - - + + + - - - + + + - - - + +
modeTLSmode -

Indicates whether connections to this port should be secured -using TLS. The value of this field determines how TLS is enforced.

- -
-Yes -
clientCertificatestring
probesuint32 -

REQUIRED if mode is MUTUAL. The path to the file holding the -client-side TLS certificate to use. -Should be empty if mode is ISTIO_MUTUAL.

+

Maximum number of keepalive probes to send without response before +deciding the connection is dead. Default is to use the OS level configuration +(unless overridden, Linux defaults to 9.)

No
privateKeystring
timeDuration -

REQUIRED if mode is MUTUAL. The path to the file holding the -client’s private key. -Should be empty if mode is ISTIO_MUTUAL.

+

The time duration a connection needs to be idle before keep-alive +probes start being sent. Default is to use the OS level configuration +(unless overridden, Linux defaults to 7200s (ie 2 hours.)

No
caCertificatesstring
intervalDuration -

OPTIONAL: The path to the file containing certificate authority -certificates to use in verifying a presented server certificate. If -omitted, the proxy will not verify the server’s certificate. -Should be empty if mode is ISTIO_MUTUAL.

+

The time duration between keep-alive probes. +Default is to use the OS level configuration +(unless overridden, Linux defaults to 75s.)

No
subjectAltNamesstring[]
+
+

LocalityLoadBalancerSetting.Distribute

+
+

Describes how traffic originating in the ‘from’ zone or sub-zone is +distributed over a set of ‘to’ zones. Syntax for specifying a zone is +{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any +segment of the specification. Examples:

+ +

* - matches all localities

+ +

us-west/* - all zones and sub-zones within the us-west region

+ +

us-west/zone-1/* - all sub-zones within us-west/zone-1

+ + + + + + + + + + + + + + - - - + + +
FieldTypeDescriptionRequired
fromstring -

A list of alternate names to verify the subject identity in the -certificate. If specified, the proxy will verify that the server -certificate’s subject alt name matches one of the specified values. -If specified, this list overrides the value of subjectaltnames -from the ServiceEntry.

+

Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

No
snistring
tomap<string, uint32> -

SNI string to present to the server during TLS handshake.

+

Map of upstream localities to traffic distribution weights. The sum of +all weights should be 100. Any locality not present will +receive no traffic.

@@ -1257,58 +1895,57 @@

TLSSettings

-

TLSSettings.TLSmode

+

LocalityLoadBalancerSetting.Failover

-

TLS connection mode

+

Specify the traffic failover policy across regions. Since zone and sub-zone +failover is supported by default this only needs to be specified for +regions when the operator needs to constrain traffic failover so that +the default behavior of failing over to any endpoint globally does not +apply. This is useful when failing over traffic across regions would not +improve service health or may need to be restricted for other reasons +like regulatory controls.

- +
- + + + - - + + + - - - - - + + + - - -
NameFieldType DescriptionRequired
DISABLE
fromstring -

Do not setup a TLS connection to the upstream endpoint.

+

Originating region.

SIMPLE -

Originate a TLS connection to the upstream endpoint.

- +No
MUTUAL
tostring -

Secure connections to the upstream using mutual TLS by presenting -client certificates for authentication.

+

Destination region the traffic will fail over to when endpoints in +the ‘from’ region becomes unhealthy.

ISTIO_MUTUAL -

Secure connections to the upstream using mutual TLS by presenting -client certificates for authentication. -Compared to Mutual mode, this mode uses certificates generated -automatically by Istio for mTLS authentication. When this mode is -used, all other fields in TLSSettings should be empty.

- +No
-

TrafficPolicy

+

google.protobuf.UInt32Value

-

Traffic policies to apply for a specific destination, across all -destination ports. See DestinationRule for examples.

+

Wrapper message for uint32.

+ +

The JSON representation for UInt32Value is JSON number.

@@ -1320,136 +1957,171 @@

TrafficPolicy

- - - + + + - - - - +
loadBalancerLoadBalancerSettings
valueuint32 -

Settings controlling the load balancer algorithms.

+

The uint32 value.

No
connectionPoolConnectionPoolSettings -

Settings controlling the volume of connections to an upstream service

+
+
+

LoadBalancerSettings.SimpleLB

+
+

Standard load balancing algorithms that require no tuning.

-
-No -
+ + + + - - - + + + + + + + - - - + + + + + - - - + + + + +
NameDescription
outlierDetectionOutlierDetection
UNSPECIFIED -

Settings controlling eviction of unhealthy hosts from the load balancing pool

+

No load balancing algorithm has been specified by the user. Istio +will select an appropriate default.

RANDOM -No +

The random load balancer selects a random healthy host. The random +load balancer generally performs better than round robin if no health +checking policy is configured.

+
tlsTLSSettings
PASSTHROUGH -

TLS related settings for connections to the upstream service.

+

This option will forward the connection to the original IP address +requested by the caller without doing any form of load +balancing. This option must be used with care. It is meant for +advanced use cases. Refer to Original Destination load balancer in +Envoy for further details.

ROUND_ROBIN -No +

A basic round robin load balancing policy. This is generally unsafe +for many scenarios (e.g. when enpoint weighting is used) as it can +overburden endpoints. In general, prefer to use LEAST_REQUEST as a +drop-in replacement for ROUND_ROBIN.

+
portLevelSettingsPortTrafficPolicy[]
LEAST_REQUEST -

Traffic policies specific to individual ports. Note that port level -settings will override the destination-level settings. Traffic -settings specified at the destination-level will not be inherited when -overridden by port-level settings, i.e. default values will be applied -to fields omitted in port-level traffic policies.

+

The least request load balancer spreads load across endpoints, favoring +endpoints with the least outstanding requests. This is generally safer +and outperforms ROUND_ROBIN in nearly all cases. Prefer to use +LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.

LEAST_CONN -No +

Deprecated. Use LEAST_REQUEST instead.

+
-

TrafficPolicy.PortTrafficPolicy

+

ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy

-

Traffic policies that apply to specific ports of the service

+

Policy for upgrading http1.1 connections to http2.

- +
- - + - - - - + + - - - - + + - - - - + + - - - - + +
FieldTypeName DescriptionRequired
portPortSelector
DEFAULT -

Specifies the number of a port on the destination service -on which this policy is being applied.

+

Use the global default.

-
-No
loadBalancerLoadBalancerSettings
DO_NOT_UPGRADE -

Settings controlling the load balancer algorithms.

+

Do not upgrade the connection to http2. +This opt-out option overrides the default.

-
-No
connectionPoolConnectionPoolSettings
UPGRADE -

Settings controlling the volume of connections to an upstream service

+

Upgrade the connection to http2. +This opt-in option overrides the default.

-
-No
outlierDetectionOutlierDetection
+
+

ClientTLSSettings.TLSmode

+
+

TLS connection mode

+ + + + + + + + + + + + + + - - - + + + + +
diff --git a/content/zh/docs/reference/config/networking/envoy-filter/index.html b/content/zh/docs/reference/config/networking/envoy-filter/index.html
index 91b8d3be52832..eb7eae60fac08 100644
--- a/content/zh/docs/reference/config/networking/envoy-filter/index.html
+++ b/content/zh/docs/reference/config/networking/envoy-filter/index.html
@@ -6,8 +6,9 @@
 location: https://istio.io/docs/reference/config/networking/envoy-filter.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-aliases: [/docs/reference/config/networking/v1alpha3/envoy-filter.html]
-number_of_entries: 21
+schema: istio.networking.v1alpha3.EnvoyFilter
+aliases: [/zh/docs/reference/config/networking/v1alpha3/envoy-filter]
+number_of_entries: 18
 ---

EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot. Use EnvoyFilter to modify @@ -22,22 +23,20 @@ namespace, followed by all matching EnvoyFilters in the workload’s namespace.

-

NOTE 1: Since this is break glass configuration, there will not -be any backward compatibility across different Istio releases. In -other words, this configuration is subject to change based on -internal implementation of Istio networking subsystem.

- -

NOTE 2: The envoy configuration provided through this mechanism -should be carefully monitored across Istio proxy version upgrades, -to ensure that deprecated fields are removed and replaced +

NOTE 1: Some aspects of this API are deeply tied to the internal +implementation in Istio networking subsystem as well as Envoy’s XDS +API. While the EnvoyFilter API by itself will maintain backward +compatibility, any envoy configuration provided through this +mechanism should be carefully monitored across Istio proxy version +upgrades, to ensure that deprecated fields are removed and replaced appropriately.

-

NOTE 3: When multiple EnvoyFilters are bound to the same +

NOTE 2: When multiple EnvoyFilters are bound to the same workload in a given namespace, all patches will be processed sequentially in order of creation time. The behavior is undefined if multiple EnvoyFilter configurations conflict with each other.

-

NOTE 4: *_To apply an EnvoyFilter resource to all workloads +

NOTE 3: To apply an EnvoyFilter resource to all workloads (sidecars and gateways) in the system, define the resource in the config root namespace, @@ -48,7 +47,7 @@ protocol filter on all sidecars in the system, for outbound port 9307. The filter should be added before the terminating tcp_proxy filter to take effect. In addition, it sets a 30s idle timeout for -all HTTP connections in both gateays and sidecars.

+all HTTP connections in both gateways and sidecars.

apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
@@ -64,12 +63,13 @@
         portNumber: 9307
         filterChain:
           filter:
-            name: "envoy.tcp_proxy"
+            name: "envoy.filters.network.tcp_proxy"
     patch:
       operation: INSERT_BEFORE
       value:
+        # This is the full filter config including the name and typed_config section.
         name: "envoy.config.filter.network.custom_protocol"
-        config:
+        typed_config:
          ...
   - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
     match:
@@ -77,13 +77,15 @@
       listener:
         filterChain:
           filter:
-            name: "envoy.http_connection_manager"
+            name: "envoy.filters.network.http_connection_manager"
     patch:
       operation: MERGE
       value:
+        name: "envoy.filters.network.http_connection_manager"
         typed_config:
-          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
-          idle_timeout: 30s
+          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+          common_http_protocol_options:
+            idle_timeout: 30s
 

The following example enables Envoy’s Lua filter for all inbound @@ -111,27 +113,28 @@ portNumber: 8080 filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: - name: "envoy.router" + name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: # lua filter specification - name: envoy.lua - config: - inlineCode: | - function envoy_on_request(request_handle) - -- Make an HTTP call to an upstream host with the following headers, body, and timeout. - local headers, body = request_handle:httpCall( - "lua_cluster", - { - [":method"] = "POST", - [":path"] = "/acl", - [":authority"] = "internal.org.net" - }, - "authorize call", - 5000) - end + name: envoy.filters.http.lua + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua" + inlineCode: | + function envoy_on_request(request_handle) + -- Make an HTTP call to an upstream host with the following headers, body, and timeout. + local headers, body = request_handle:httpCall( + "lua_cluster", + { + [":method"] = "POST", + [":path"] = "/acl", + [":authority"] = "internal.org.net" + }, + "authorize call", + 5000) + end # The second patch adds the cluster that is referenced by the lua code # cds match is omitted as a new cluster is being added - applyTo: CLUSTER @@ -144,12 +147,16 @@ type: STRICT_DNS connect_timeout: 0.5s lb_policy: ROUND_ROBIN - hosts: - - socket_address: - protocol: TCP - address: "internal.org.net" - port_value: 8888 - + load_assignment: + cluster_name: lua_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + protocol: TCP + address: "internal.org.net" + port_value: 8888

The following example overwrites certain fields (HTTP idle timeout @@ -165,7 +172,7 @@ spec: workloadSelector: labels: - istio: ingress-gateway + istio: ingressgateway configPatches: - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy match: @@ -174,12 +181,205 @@ filterChain: sni: app.example.com filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" + patch: + operation: MERGE + value: + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager" + xff_num_trusted_hops: 5 + common_http_protocol_options: + idle_timeout: 30s + + +

The following example inserts an attributegen filter +that produces istio_operationId attribute which is consumed +by the istio.stats fiter. filterClass: STATS encodes this dependency.

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: reviews-request-operation
+  namespace: myns
+spec:
+  workloadSelector:
+    labels:
+      app: reviews
+  configPatches:
+  - applyTo: HTTP_FILTER
+    match:
+      context: SIDECAR_INBOUND
+    patch:
+      operation: ADD
+      filterClass: STATS # This filter will run *before* the Istio stats filter.
+      value:
+        name: istio.request_operation
+        typed_config:
+         "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+         type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+         value:
+           config:
+             configuration: |
+               {
+                 "attributes": [
+                   {
+                     "output_attribute": "istio_operationId",
+                     "match": [
+                       {
+                         "value": "ListReviews",
+                         "condition": "request.url_path == '/reviews' && request.method == 'GET'"
+                       }]
+                   }]
+               }
+             vm_config:
+               runtime: envoy.wasm.runtime.null
+               code:
+                 local: { inline_string: "envoy.wasm.attributegen" }
+
+ +

The following example inserts an http ext_authz filter in the myns namespace.

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: myns-ext-authz
+  namespace: myns
+spec:
+  configPatches:
+  - applyTo: HTTP_FILTER
+    match:
+      context: SIDECAR_INBOUND
+    patch:
+      operation: ADD
+      filterClass: AUTHZ # This filter will run *after* the Istio authz filter.
+      value:
+        name: envoy.filters.http.ext_authz
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+          grpc_service:
+            envoy_grpc:
+              cluster_name: acme-ext-authz
+            initial_metadata:
+            - key: foo
+              value: myauth.acme # required by local ext auth server.
+
+ +

A workload in the myns namespace needs to access a different ext_auth server +that does not accept initial metadata. Since proto merge cannot remove fields, the +following configuration uses the REPLACE operation. If you do not need to inherit +fields, REPLACE is preferred over MERGE.

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: mysvc-ext-authz
+  namespace: myns
+spec:
+  workloadSelector:
+    labels:
+      app: mysvc
+  configPatches:
+  - applyTo: HTTP_FILTER
+    match:
+      context: SIDECAR_INBOUND
+    patch:
+      operation: REPLACE
+      value:
+        name: envoy.filters.http.ext_authz
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+          grpc_service:
+            envoy_grpc:
+              cluster_name: acme-ext-authz-alt
+
+ +

The following example deploys a Wasm extension for all inbound sidecar HTTP requests.

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: wasm-example
+  namespace: myns
+spec:
+  configPatches:
+  # The first patch defines a named Wasm extension and provides a URL to fetch Wasm binary from,
+  # and the binary configuration. It should come before the next patch that applies it.
+  # This resource is visible to all proxies in the namespace "myns". It is possible to provide
+  # multiple definitions for the same name "my-wasm-extension" in multiple namespaces. We recommend that:
+  # - if overriding is desired, then the root level definition can be overriden per namespace with REPLACE.
+  # - if overriding is not desired, then the name should be qualified with the namespace "myns/my-wasm-extension",
+  #   to avoid accidental name collisions.
+  - applyTo: EXTENSION_CONFIG
+    patch:
+      operation: ADD # REPLACE is also supported, and would override a cluster level resource with the same name.
+      value:
+        name: my-wasm-extension
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+          config:
+            root_id: my-wasm-root-id
+            vm_config:
+              vm_id: my-wasm-vm-id
+              runtime: envoy.wasm.runtime.v8
+              code:
+                remote:
+                  http_uri:
+                    uri: http://my-wasm-binary-uri
+            configuration:
+              "@type": "type.googleapis.com/google.protobuf.StringValue"
+              value: |
+                {}
+  # The second patch instructs to apply the above Wasm filter to the listener/http connection manager.
+  - applyTo: HTTP_FILTER
+    match:
+      listener:
+        filterChain:
+          filter:
+            name: envoy.filters.network.http_connection_manager
+            subFilter:
+              name: envoy.filters.http.router
+    patch:
+      operation: INSERT_BEFORE
+      value:
+        name: my-wasm-extension # This must match the name above
+        config_discovery:
+          config_source:
+            ads: {}
+          type_urls: ["type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm"]
+
+ +

The following example adds a Wasm service extension for all proxies using a locally available Wasm file. +The singleton Wasm extension is used to maintain a shared state between workers executing Wasm filters. +For example, a local rate limit extension would rely on a singleton to limit requests across all workers. +As another example, an authorization Wasm extension can use a singleton to maintain a database of accounts.

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: wasm-service
+  namespace: myns
+spec:
+  configPatches:
+  - applyTo: BOOTSTRAP
     patch:
       operation: MERGE
       value:
-        idle_timeout: 30s
-        xff_num_trusted_hops: 5
+        bootstrap_extensions:
+        - name: envoy.bootstrap.wasm
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.wasm.v3.WasmService
+            singleton: true
+            config:
+              name: my_plugin
+              configuration:
+                "@type": type.googleapis.com/google.protobuf.StringValue
+                value: |
+                  {}
+              vm_config:
+                runtime: "envoy.wasm.runtime.v8"
+                code:
+                  local:
+                    filename: "/etc/envoy_filter_http_wasm_example.wasm"
 

EnvoyFilter

@@ -199,14 +399,14 @@

EnvoyFilter

- + + + + + + +
NameDescription
DISABLE -

Settings controlling eviction of unhealthy hosts from the load balancing pool

+

Do not setup a TLS connection to the upstream endpoint.

SIMPLE -No +

Originate a TLS connection to the upstream endpoint.

+
tlsTLSSettings
MUTUAL -

TLS related settings for connections to the upstream service.

+

Secure connections to the upstream using mutual TLS by presenting +client certificates for authentication.

ISTIO_MUTUAL -No +

Secure connections to the upstream using mutual TLS by presenting +client certificates for authentication. +Compared to Mutual mode, this mode uses certificates generated +automatically by Istio for mTLS authentication. When this mode is +used, all other fields in ClientTLSSettings should be empty.

+
workloadSelectorWorkloadSelectorWorkloadSelector

Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. If omitted, the set of patches in this configuration will be applied to all workload -instances in the same namespace. If omitted, the EnvoyFilter +instances in the same namespace. If omitted, the EnvoyFilter patches will be applied to all workloads in the same -namespace. If the EnvoyFilter is present in the config root +namespace. If the EnvoyFilter is present in the config root namespace, it will be applied to all applicable workloads in any namespace.

@@ -226,88 +426,81 @@

EnvoyFilter

Yes
priorityint32 +

Priority defines the order in which patch sets are applied within a context. +When one patch depends on another patch, the order of patch application +is significant. The API provides two primary ways to order patches. +Patch sets in the root namespace are applied before the patch sets in the +workload namespace. Patches within a patch set are processed in the order +that they appear in the configPatches list.

+ +

The default value for priority is 0 and the range is [ min-int32, max-int32 ]. +A patch set with a negative priority is processed before the default. A patch +set with a positive priority is processed after the default.

+ +

It is recommended to start with priority values that are multiples of 10 +to leave room for further insertion.

+ +

Patch sets are sorted in the following ascending key order: +priority, creation time, fully qualified resource name.

+ +
+No +
-

EnvoyFilter.ApplyTo

+

EnvoyFilter.ProxyMatch

-

ApplyTo specifies where in the Envoy configuration, the given patch should be applied.

+

One or more properties of the proxy to match on.

- +
- + + + - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - + + + - - -
@@ -315,7 +508,7 @@

EnvoyFilter.ApplyTo

EnvoyFilter.ClusterMatch

-

Conditions specified in ClusterMatch must be met for the patch +

Conditions specified in ClusterMatch must be met for the patch to be applied to a cluster.

NameFieldType DescriptionRequired
INVALID -
LISTENER -

Applies the patch to the listener.

- -
FILTER_CHAIN -

Applies the patch to the filter chain.

- -
NETWORK_FILTER -

Applies the patch to the network filter chain, to modify an -existing filter or add a new filter.

- -
HTTP_FILTER -

Applies the patch to the HTTP filter chain in the http -connection manager, to modify an existing filter or add a new -filter.

- -
ROUTE_CONFIGURATION
proxyVersionstring -

Applies the patch to the Route configuration (rds output) -inside a HTTP connection manager. This does not apply to the -virtual host. Currently, only MERGE operation is allowed on the -route configuration objects.

+

A regular expression in golang regex format (RE2) that can be +used to select proxies using a specific version of istio +proxy. The Istio version for a given proxy is obtained from the +node metadata field ISTIO_VERSION supplied by the proxy when +connecting to Pilot. This value is embedded as an environment +variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker +image. Custom proxy implementations should provide this metadata +variable to take advantage of the Istio version check option.

VIRTUAL_HOST -

Applies the patch to a virtual host inside a route configuration.

- +No
HTTP_ROUTE
metadatamap<string, string> -

Applies the patch to a route object inside the matched virtual -host in a route configuration. Currently, only MERGE operation -is allowed on the route objects.

+

Match on the node metadata supplied by a proxy when connecting +to Istio Pilot. Note that while Envoy’s node metadata is of +type Struct, only string key-value pairs are processed by +Pilot. All keys specified in the metadata must match with exact +values. The match will fail if any of the specified keys are +absent or the values fail to match.

CLUSTER -

Applies the patch to a cluster in a CDS output. Also used to add new clusters.

- +No
@@ -333,7 +526,8 @@

EnvoyFilter.ClusterMatch

uint32

The service port for which this cluster was generated. If -omitted, applies to clusters for any port.

+omitted, applies to clusters for any port. +Note: for inbound cluster, it is the service target port.

@@ -347,7 +541,8 @@

EnvoyFilter.ClusterMatch

The fully qualified service name for this cluster. If omitted, applies to clusters for any service. For services defined through service entries, the service name is same as the hosts -defined in the service entry.

+defined in the service entry. +Note: for inbound cluster, this is ignored.

@@ -371,7 +566,7 @@

EnvoyFilter.ClusterMatch

string

The exact name of the cluster to match. To match a specific -cluster by name, such as the internally generated “Passthrough” +cluster by name, such as the internally generated Passthrough cluster, leave all fields in clusterMatch empty, except the name.

@@ -383,85 +578,96 @@

EnvoyFilter.ClusterMatch

-

EnvoyFilter.DeprecatedListenerMatch.ListenerProtocol

+

EnvoyFilter.RouteConfigurationMatch

- +

Conditions specified in RouteConfigurationMatch must be met for +the patch to be applied to a route configuration object or a +specific virtual host within the route configuration.

+ +
- + + + - - + + + - - - - - + + + - - -
NameFieldType DescriptionRequired
ALL
portNumberuint32 -

All protocols

+

The service port number or gateway server port number for which +this route configuration was generated. If omitted, applies to +route configurations for all ports.

HTTP -

HTTP or HTTPS (with termination) / HTTP2/gRPC

- +No
TCP
portNamestring -

Any non-HTTP listener

+

Applicable only for GATEWAY context. The gateway server port +name for which this route configuration was generated.

-
-

EnvoyFilter.DeprecatedListenerMatch.ListenerType

-
- - - - - - - - - - - - + + + + - - + + + + - - + + + +
NameDescription
ANY -

All listeners

- +No
SIDECAR_INBOUND
gatewaystring -

Inbound listener in sidecar

+

The Istio gateway config’s namespace/name for which this route +configuration was generated. Applies only if the context is +GATEWAY. Should be in the namespace/name format. Use this field +in conjunction with the portNumber and portName to accurately +select the Envoy route configuration for a specific HTTPS +server within a gateway config object.

+
+No
SIDECAR_OUTBOUND
vhostVirtualHostMatch -

Outbound listener in sidecar

+

Match a specific virtual host in a route configuration and +apply the patch to the virtual host.

+
+No
GATEWAY
namestring -

Gateway listener

+

Route configuration name to match on. Can be used to match a +specific route configuration by name, such as the internally +generated http_proxy route configuration for all sidecars.

+
+No
-

EnvoyFilter.EnvoyConfigObjectMatch

+

EnvoyFilter.ListenerMatch

-

One or more match conditions to be met before a patch is applied -to the generated configuration for a given proxy.

+

Conditions specified in a listener match must be met for the +patch to be applied to a specific listener across all filter +chains, or a specific filter chain inside the listener.

@@ -473,7 +679,116 @@

EnvoyFilter.EnvoyConfigObjectMatch

- + + + + + + + + + + + + + + + + + + + +
portNumberuint32 +

The service port/gateway port to which traffic is being +sent/received. If not specified, matches all listeners. Even though +inbound listeners are generated for the instance/pod ports, only +service ports should be used to match listeners.

+ +
+No +
filterChainFilterChainMatch +

Match a specific filter chain in a listener. If specified, the +patch will be applied to the filter chain (and a specific +filter if specified) and not to other filter chains in the +listener.

+ +
+No +
namestring +

Match a specific listener by its name. The listeners generated +by Pilot are typically named as IP:Port.

+ +
+No +
+
+

EnvoyFilter.Patch

+
+

Patch specifies how the selected object should be modified.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
operationOperation +

Determines how the patch should be applied.

+ +
+No +
valueStruct +

The JSON config of the object being patched. This will be merged using +proto merge semantics with the existing proto in the path.

+ +
+No +
filterClassFilterClass +

Determines the filter insertion order.

+ +
+No +
+
+

EnvoyFilter.EnvoyConfigObjectMatch

+
+

One or more match conditions to be met before a patch is applied +to the generated configuration for a given proxy.

+ + + + + + + + + + + +
@@ -516,7 +831,7 @@

EnvoyFilter.EnvoyConfigObjectMatch

@@ -527,7 +842,7 @@

EnvoyFilter.EnvoyConfigObjectMatch

@@ -554,11 +869,11 @@

EnvoyFilter.EnvoyConfigObjectPatchSpecifies where in the Envoy configuration, the patch should be applied. The match is expected to select the appropriate object based on applyTo. For example, an applyTo with -HTTPFILTER is expected to have a match condition on the +HTTP_FILTER is expected to have a match condition on the listeners, with a network filter selection on -envoy.httpconnection_manager and a sub filter selection on the +envoy.filters.network.http_connection_manager and a sub filter selection on the HTTP filter relative to which the insertion should be -performed. Similarly, an applyTo on CLUSTER should have a match +performed. Similarly, an applyTo on CLUSTER should have a match (if provided) on the cluster and not on a listener.

@@ -591,88 +906,51 @@

EnvoyFilter.EnvoyConfigObjectPatch

FieldTypeDescriptionRequired
context PatchContext
@@ -505,7 +820,7 @@

EnvoyFilter.EnvoyConfigObjectMatch

-Yes +No
-Yes +No
-Yes +No
-

EnvoyFilter.Filter.FilterType

-
- - - - - - - - - - - - - - - - - - - - - -
NameDescription
INVALID -

placeholder

- -
HTTP -

Http filter

- -
NETWORK -

Network filter

- -
-
-

EnvoyFilter.InsertPosition.Index

+

EnvoyFilter.RouteConfigurationMatch.RouteMatch

-

Index/position in the filter chain.

+

Match a specific route inside a virtual host in a route configuration.

- +
- + + + - - + + + - - - - - + + + - - -
NameFieldType DescriptionRequired
FIRST
namestring -

Insert first

+

The Route objects generated by default are named as +default. Route objects generated using a virtual service +will carry the name used in the virtual service’s HTTP +routes.

LAST -

Insert last

- +No
BEFORE
actionAction -

Insert before the named filter.

+

Match a route with specific action type.

AFTER -

Insert after the named filter.

- +No
-

EnvoyFilter.ListenerMatch

+

EnvoyFilter.RouteConfigurationMatch.VirtualHostMatch

-

Conditions specified in a listener match must be met for the -patch to be applied to a specific listener across all filter -chains, or a specific filter chain inside the listener.

+

Match a specific virtual host inside a route configuration.

@@ -684,40 +962,25 @@

EnvoyFilter.ListenerMatch

- - - - - - - - - + + + - - - + + + + + + + + + - + - + + + + + + + - - - -
portNumberuint32 -

The service port/gateway port to which traffic is being -sent/received. If not specified, matches all listeners. Even though -inbound listeners are generated for the instance/pod ports, only -service ports should be used to match listeners.

- -
-No -
filterChainFilterChainMatch
namestring -

Match a specific filter chain in a listener. If specified, the -patch will be applied to the filter chain (and a specific -filter if specified) and not to other filter chains in the -listener.

+

The VirtualHosts objects generated by Istio are named as +host:port, where the host typically corresponds to the +VirtualService’s host field or the hostname of a service in the +registry.

No
namestring
routeRouteMatch -

Match a specific listener by its name. The listeners generated -by Pilot are typically named as IP:Port.

+

Match a specific route within the virtual host.

@@ -772,11 +1035,11 @@

EnvoyFilter.ListenerMatch.Fi

transportProtocol string -

Applies only to SIDECARINBOUND context. If non-empty, a +

Applies only to SIDECAR_INBOUND context. If non-empty, a transport protocol to consider when determining a filter chain match. This value will be compared against the transport protocol of a new connection, when it’s detected by -the tlsinspector listener filter.

+the tls_inspector listener filter.

Accepted values include:

@@ -798,9 +1061,9 @@

EnvoyFilter.ListenerMatch.Fi of application protocols to consider when determining a filter chain match. This value will be compared against the application protocols of a new connection, when it’s detected -by one of the listener filters such as the http_inspector.

+by one of the listener filters such as the http_inspector.

-

Accepted values include: h2,http/1.1,http/1.0

+

Accepted values include: h2, http/1.1, http/1.0

@@ -812,9 +1075,21 @@

EnvoyFilter.ListenerMatch.Fi

FilterMatch

The name of a specific filter to apply the patch to. Set this -to envoy.httpconnectionmanager to add a filter or apply a +to envoy.filters.network.http_connection_manager to add a filter or apply a patch to the HTTP connection manager.

+
+No +
destinationPortuint32 +

The destination_port value used by a filter chain’s match condition. +This condition will evaluate to false if the filter chain has no destination_port match.

+
No
@@ -841,7 +1116,9 @@

EnvoyFilter.ListenerMatch.FilterM

name string -

The filter name to match on.

+

The filter name to match on. +For standard Envoy filters, canonical filter +names should be used.

@@ -868,8 +1145,8 @@

EnvoyFilter.ListenerMatch.SubF

Conditions to match a specific filter within another filter. This field is typically useful to match a HTTP filter -inside the envoy.httpconnectionmanager network filter. This -could also be applicable for thrift filters.

+inside the envoy.filters.network.http_connection_manager network filter. +This could also be applicable for thrift filters.

@@ -895,41 +1172,44 @@

EnvoyFilter.ListenerMatch.SubF

-

EnvoyFilter.Patch

+

EnvoyFilter.RouteConfigurationMatch.RouteMatch.Action

-

Patch specifies how the selected object should be modified.

+

Action refers to the route action taken by Envoy when a http route matches.

- +
- - + - - - - + + + + + - - - + + + + +
@@ -957,7 +1237,8 @@

EnvoyFilter.Patch.Operation

@@ -966,8 +1247,8 @@

EnvoyFilter.Patch.Operation

@@ -975,10 +1256,10 @@

EnvoyFilter.Patch.Operation

@@ -986,8 +1267,10 @@

EnvoyFilter.Patch.Operation

+ + + + + + + +
FieldTypeName DescriptionRequired
operationOperation
ANY -

Determines how the patch should be applied.

+

All three route actions

ROUTE -No +

Route traffic to a cluster / weighted clusters.

+
valueStruct
REDIRECT -

The JSON config of the object being patched. This will be merged using -json merge semantics with the existing proto in the path.

+

Redirect request.

DIRECT_RESPONSE -No +

directly respond to a request with specific payload.

+
MERGE

Merge the provided config with the generated config using -json merge semantics.

+proto merge semantics. If you are specifying config in its +entirety, use REPLACE instead.

Add the provided config to an existing list (of listeners, clusters, virtual hosts, network filters, or http -filters). This operation will be ignored when applyTo is set -to ROUTECONFIGURATION, or HTTPROUTE.

+filters). This operation will be ignored when applyTo is set +to ROUTE_CONFIGURATION, or HTTP_ROUTE.

REMOVE

Remove the selected object from the list (of listeners, -clusters, virtual hosts, network filters, or http +clusters, virtual hosts, network filters, routes, or http filters). Does not require a value to be specified. This -operation will be ignored when applyTo is set to -ROUTECONFIGURATION, or HTTPROUTE.

+operation will be ignored when applyTo is set to +ROUTE_CONFIGURATION, or HTTP_ROUTE.

INSERT_BEFORE

Insert operation on an array of named objects. This operation -is typically useful only in the context of filters, where the -order of filters matter. For clusters and virtual hosts, +is typically useful only in the context of filters or routes, +where the order of elements matter. Routes should be ordered +based on most to least specific matching criteria since the +first matching element is selected. For clusters and virtual hosts, order of the element in the array does not matter. Insert before the selected filter or sub filter. If no filter is selected, the specified filter will be inserted at the front
@@ -999,22 +1282,56 @@

EnvoyFilter.Patch.Operation

INSERT_AFTER

Insert operation on an array of named objects. This operation -is typically useful only in the context of filters, where the -order of filters matter. For clusters and virtual hosts, +is typically useful only in the context of filters or routes, +where the order of elements matter. Routes should be ordered +based on most to least specific matching criteria since the +first matching element is selected. For clusters and virtual hosts, order of the element in the array does not matter. Insert after the selected filter or sub filter. If no filter is selected, the specified filter will be inserted at the end of the list.

+
INSERT_FIRST +

Insert operation on an array of named objects. This operation +is typically useful only in the context of filters or routes, +where the order of elements matter. Routes should be ordered +based on most to least specific matching criteria since the +first matching element is selected. For clusters and virtual hosts, +order of the element in the array does not matter. Insert +first in the list based on the presence of selected filter or not. +This is specifically useful when you want your filter first in the +list based on a match condition specified in Match clause.

+ +
REPLACE +

Replace contents of a named filter with new contents. +REPLACE operation is only valid for HTTP_FILTER and +NETWORK_FILTER. If the named filter is not found, this operation +has no effect.

+
-

EnvoyFilter.PatchContext

+

EnvoyFilter.Patch.FilterClass

-

PatchContext selects a class of configurations based on the -traffic flow direction and workload type.

+

FilterClass determines the filter insertion point in the filter chain +relative to the filters implicitly inserted by the control plane. +It is used in conjuction with the ADD operation. +This is the preferred insertion mechanism for adding filters over +the INSERT_* operations since those operations rely on potentially unstable +filter names. +Filter ordering is important if your filter depends on or affects the +functioning of a another filter in the filter chain. +Within a filter class, filters are inserted in the order of processing.

@@ -1024,218 +1341,140 @@

EnvoyFilter.PatchContext

- - + + - - + + - - + + - - + +
ANY
UNSPECIFIED -

All listeners/routes/clusters in both sidecars and gateways.

+

Control plane decides where to insert the filter. +Do not specify FilterClass if the filter is independent of others.

SIDECAR_INBOUND
AUTHN -

Inbound listener/route/cluster in sidecar.

+

Insert filter after Istio authentication filters.

SIDECAR_OUTBOUND
AUTHZ -

Outbound listener/route/cluster in sidecar.

+

Insert filter after Istio authorization filters.

GATEWAY
STATS -

Gateway listener/route/cluster.

+

Insert filter before Istio stats filters.

-

EnvoyFilter.ProxyMatch

+

EnvoyFilter.ApplyTo

-

One or more properties of the proxy to match on.

+

ApplyTo specifies where in the Envoy configuration, the given patch should be applied.

- +
- - + - - - - - + + - - - + + - - - -
FieldTypeName DescriptionRequired
proxyVersionstring -

A regular expression in golang regex format (RE2) that can be -used to select proxies using a specific version of istio -proxy. The Istio version for a given proxy is obtained from the -node metadata field ISTIOVERSION supplied by the proxy when -connecting to Pilot. This value is embedded as an environment -variable (ISTIOMETAISTIOVERSION) in the Istio proxy docker -image. Custom proxy implementations should provide this metadata -variable to take advantage of the Istio version check option.

- -
INVALID -No
metadatamap<string, string>
LISTENER -

Match on the node metadata supplied by a proxy when connecting -to Istio Pilot. Note that while Envoy’s node metadata is of -type Struct, only string key-value pairs are processed by -Pilot. All keys specified in the metadata must match with exact -values. The match will fail if any of the specified keys are -absent or the values fail to match.

+

Applies the patch to the listener.

-No -
-
-

EnvoyFilter.RouteConfigurationMatch

-
-

Conditions specified in RouteConfigurationMatch must be met for -the patch to be applied to a route configuration object or a -specific virtual host within the route configuration.

- - - - - - - - - - - - - + + - - - - + + - - - - + + - - - - + + - - - - + + - - -
FieldTypeDescriptionRequired
portNumberuint32
FILTER_CHAIN -

The service port number or gateway server port number for which -this route configuration was generated. If omitted, applies to -route configurations for all ports.

+

Applies the patch to the filter chain.

-
-No
portNamestring
NETWORK_FILTER -

Applicable only for GATEWAY context. The gateway server port -name for which this route configuration was generated.

+

Applies the patch to the network filter chain, to modify an +existing filter or add a new filter.

-
-No
gatewaystring
HTTP_FILTER -

The Istio gateway config’s namespace/name for which this route -configuration was generated. Applies only if the context is -GATEWAY. Should be in the namespace/name format. Use this field -in conjunction with the portNumber and portName to accurately -select the Envoy route configuration for a specific HTTPS -server within a gateway config object.

+

Applies the patch to the HTTP filter chain in the http +connection manager, to modify an existing filter or add a new +filter.

-
-No
vhostVirtualHostMatch
ROUTE_CONFIGURATION -

Match a specific virtual host in a route configuration and -apply the patch to the virtual host.

+

Applies the patch to the Route configuration (rds output) +inside a HTTP connection manager. This does not apply to the +virtual host. Currently, only MERGE operation is allowed on the +route configuration objects.

-
-No
namestring
VIRTUAL_HOST -

Route configuration name to match on. Can be used to match a -specific route configuration by name, such as the internally -generated “http_proxy” route configuration for all sidecars.

+

Applies the patch to a virtual host inside a route configuration.

-
-No
-
-

EnvoyFilter.RouteConfigurationMatch.RouteMatch

-
-

Match a specific route inside a virtual host in a route configuration.

- - - - - - - - - - - - - - + + + + + - - - + + + + +
FieldTypeDescriptionRequired
namestring
HTTP_ROUTE -

The Route objects generated by default are named as -“default”. Route objects generated using a virtual service -will carry the name used in the virtual service’s HTTP -routes.

+

Applies the patch to a route object inside the matched virtual +host in a route configuration.

CLUSTER -No +

Applies the patch to a cluster in a CDS output. Also used to add new clusters.

+
actionAction
EXTENSION_CONFIG -

Match a route with specific action type.

+

Applies the patch to or adds an extension config in ECDS output. Note that ECDS +is only supported by HTTP filters.

BOOTSTRAP -No +

Applies the patch to bootstrap configuration.

+
-

EnvoyFilter.RouteConfigurationMatch.RouteMatch.Action

+

EnvoyFilter.PatchContext

-

Action refers to the route action taken by Envoy when a http route matches.

+

PatchContext selects a class of configurations based on the +traffic flow direction and workload type.

@@ -1245,74 +1484,32 @@

EnvoyFilter.Route

- + - - - - - - - - - - + + - -
ANY -

All three route actions

- -
ROUTE -

Route traffic to a cluster / weighted clusters.

- -
REDIRECT -

Redirect request.

+

All listeners/routes/clusters in both sidecars and gateways.

DIRECT_RESPONSE
SIDECAR_INBOUND -

directly respond to a request with specific payload.

+

Inbound listener/route/cluster in sidecar.

-
-

EnvoyFilter.RouteConfigurationMatch.VirtualHostMatch

-
-

Match a specific virtual host inside a route configuration.

- - - - - - - - - - - - - - + + - - - - + + -
diff --git a/content/zh/docs/reference/config/networking/gateway/index.html b/content/zh/docs/reference/config/networking/gateway/index.html
index a5e7e58c64f23..94539151f7f93 100644
--- a/content/zh/docs/reference/config/networking/gateway/index.html
+++ b/content/zh/docs/reference/config/networking/gateway/index.html
@@ -6,7 +6,8 @@ location: https://istio.io/docs/reference/config/networking/gateway.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-aliases: [/docs/reference/config/networking/v1alpha3/gateway.html]
+schema: istio.networking.v1alpha3.Gateway
+aliases: [/zh/docs/reference/config/networking/v1alpha3/gateway]
 number_of_entries: 6
 ---

Gateway describes a load balancer operating at the edge of the mesh
@@ -22,6 +23,9 @@ on these ports, it is the responsibility of the user to ensure that external traffic to these ports are allowed into the mesh.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
@@ -74,6 +78,65 @@
     - "*"
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: my-gateway
+  namespace: some-config-namespace
+spec:
+  selector:
+    app: my-gateway-controller
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - uk.bookinfo.com
+    - eu.bookinfo.com
+    tls:
+      httpsRedirect: true # sends 301 redirect for http requests
+  - port:
+      number: 443
+      name: https-443
+      protocol: HTTPS
+    hosts:
+    - uk.bookinfo.com
+    - eu.bookinfo.com
+    tls:
+      mode: SIMPLE # enables HTTPS on this port
+      serverCertificate: /etc/certs/servercert.pem
+      privateKey: /etc/certs/privatekey.pem
+  - port:
+      number: 9443
+      name: https-9443
+      protocol: HTTPS
+    hosts:
+    - "bookinfo-namespace/*.bookinfo.com"
+    tls:
+      mode: SIMPLE # enables HTTPS on this port
+      credentialName: bookinfo-secret # fetches certs from Kubernetes secret
+  - port:
+      number: 9080
+      name: http-wildcard
+      protocol: HTTP
+    hosts:
+    - "*"
+  - port:
+      number: 2379 # to expose internal service via external port 2379
+      name: mongo
+      protocol: MONGO
+    hosts:
+    - "*"
+
+ +

{{}} +{{}}

+

The Gateway specification above describes the L4-L6 properties of a load balancer. A VirtualService can then be bound to a gateway to control the forwarding of traffic arriving at a particular host or gateway port.

@@ -89,6 +152,9 @@ applicable across ports 443, 9080. Note that http://uk.bookinfo.com gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -126,22 +192,92 @@
       weight: 20
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: bookinfo-rule
+  namespace: bookinfo-namespace
+spec:
+  hosts:
+  - reviews.prod.svc.cluster.local
+  - uk.bookinfo.com
+  - eu.bookinfo.com
+  gateways:
+  - some-config-namespace/my-gateway
+  - mesh # applies to all the sidecars in the mesh
+  http:
+  - match:
+    - headers:
+        cookie:
+          exact: "user=dev-123"
+    route:
+    - destination:
+        port:
+          number: 7777
+        host: reviews.qa.svc.cluster.local
+  - match:
+    - uri:
+        prefix: /reviews/
+    route:
+    - destination:
+        port:
+          number: 9080 # can be omitted if it's the only port for reviews
+        host: reviews.prod.svc.cluster.local
+      weight: 80
+    - destination:
+        host: reviews.qa.svc.cluster.local
+      weight: 20
+
+ +

{{}} +{{}}

+

The following VirtualService forwards traffic arriving at (external) port 27017 to internal Mongo server on port 5555. This rule is not applicable internally in the mesh as the gateway list omits the reserved name mesh.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
-  name: bookinfo-Mongo
+  name: bookinfo-mongo
+  namespace: bookinfo-namespace
+spec:
+  hosts:
+  - mongosvr.prod.svc.cluster.local # name of internal Mongo service
+  gateways:
+  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same namespace as virtual service.
+  tcp:
+  - match:
+    - port: 27017
+    route:
+    - destination:
+        host: mongo.prod.svc.cluster.local
+        port:
+          number: 5555
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: bookinfo-mongo
   namespace: bookinfo-namespace
 spec:
   hosts:
   - mongosvr.prod.svc.cluster.local # name of internal Mongo service
   gateways:
-  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same
-                                       namespace as virtual service.
+  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same namespace as virtual service.
   tcp:
   - match:
     - port: 27017
@@ -152,12 +288,18 @@
           number: 5555
 
+

{{}} +{{}}

+

It is possible to restrict the set of virtual services that can bind to a gateway server using the namespace/hostname syntax in the hosts field. For example, the following Gateway allows any virtual service in the ns1 namespace to bind to it, while restricting only the virtual service with foo.bar.com host in the ns2 namespace to bind to it.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
@@ -176,6 +318,31 @@
     - "ns2/foo.bar.com"
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: my-gateway
+  namespace: some-config-namespace
+spec:
+  selector:
+    app: my-gateway-controller
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "ns1/*"
+    - "ns2/foo.bar.com"
+
+ +

{{}} +{{}}

+

Gateway

Gateway describes a load balancer operating at the edge of the mesh
@@ -207,10 +374,17 @@

Gateway

FieldTypeDescriptionRequired
namestring
SIDECAR_OUTBOUND -

The VirtualHosts objects generated by Istio are named as -host:port, where the host typically corresponds to the -VirtualService’s host field or the hostname of a service in the -registry.

+

Outbound listener/route/cluster in sidecar.

-
-No
routeRouteMatch
GATEWAY -

Match a specific route within the virtual host.

+

Gateway listener/route/cluster.

-
-No
map<string, string>

One or more labels that indicate a specific set of pods/VMs -on which this gateway configuration should be applied. The scope of -label search is restricted to the configuration namespace in which the -the resource is present. In other words, the Gateway resource must -reside in the same namespace as the gateway workload instance.

+on which this gateway configuration should be applied. +By default workloads are searched across all namespaces based on label selectors. +This implies that a gateway resource in the namespace “foo” can select pods in +the namespace “bar” based on labels. +This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE +environment variable in istiod. If this variable is set +to true, the scope of label search is restricted to the configuration +namespace in which the the resource is present. In other words, the Gateway +resource must reside in the same namespace as the gateway workload +instance. +If selector is nil, the Gateway will be applied to all workloads.

@@ -220,71 +394,41 @@

Gateway

-

Port

-
-

Port describes the properties of a specific port of a service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
numberuint32 -

A valid non-negative integer port number.

- -
-Yes -
protocolstring -

The protocol exposed on the port. -MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. -TLS implies the connection will be routed based on the SNI header to -the destination without terminating the TLS connection.

- -
-Yes -
namestring -

Label assigned to the port.

- -
-No -
-

Server

Server describes the properties of the proxy on a given load balancer port. For example,

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
   name: my-ingress
 spec:
   selector:
-    app: my-ingress-gateway
+    app: my-ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http2
+      protocol: HTTP2
+    hosts:
+    - "*"
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: my-ingress
+spec:
+  selector:
+    app: my-ingressgateway
   servers:
   - port:
       number: 80
@@ -294,15 +438,41 @@ 

Server

- "*"
+

{{}} +{{}}

+

Another example

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
   name: my-tcp-ingress
 spec:
   selector:
-    app: my-tcp-ingress-gateway
+    app: my-tcp-ingressgateway
+  servers:
+  - port:
+      number: 27018
+      name: mongo
+      protocol: MONGO
+    hosts:
+    - "*"
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: my-tcp-ingress
+spec:
+  selector:
+    app: my-tcp-ingressgateway
   servers:
   - port:
       number: 27018
@@ -312,15 +482,21 @@ 

Server

- "*"
+

{{}} +{{}}

+

The following is an example of TLS configuration for port 443

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
   name: my-tls-ingress
 spec:
   selector:
-    app: my-tls-ingress-gateway
+    app: my-tls-ingressgateway
   servers:
   - port:
       number: 443
@@ -330,10 +506,35 @@ 

Server

- "*" tls: mode: SIMPLE - serverCertificate: /etc/certs/server.pem - privateKey: /etc/certs/privatekey.pem + credentialName: tls-cert +
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: my-tls-ingress
+spec:
+  selector:
+    app: my-tls-ingressgateway
+  servers:
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    hosts:
+    - "*"
+    tls:
+      mode: SIMPLE
+      credentialName: tls-cert
 
+

{{}} +{{}}

+
@@ -356,6 +557,24 @@

Server

Yes + + + + + +
@@ -397,7 +616,7 @@

Server

- + - - + + + + + + + +
bindstring +

The ip or the Unix domain socket to which the listener should be bound +to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar +(Linux abstract namespace). When using Unix domain sockets, the port +number should be 0. +This can be used to restrict the reachability of this server to be gateway internal only. +This is typically used when a gateway needs to communicate to another mesh service +e.g. publishing metrics. In such case, the server created with the +specified bind will not be available to external gateway clients.

+ +
+No +
hosts string[]
tlsTLSOptionsServerTLSSettings

Set of TLS related options that govern the server’s behavior. Use these options to control if all http requests should be redirected to
@@ -408,13 +627,78 @@

Server

No
defaultEndpoint
namestring +

An optional name of the server, when set must be unique across all servers. +This will be used for variety of purposes like prefixing stats generated with +this name etc.

+ +
+No +
+
+

Port

+
+

Port describes the properties of a specific port of a service.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
numberuint32 +

A valid non-negative integer port number.

+ +
+Yes +
protocolstring +

The protocol exposed on the port. +MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. +TLS implies the connection will be routed based on the SNI header to +the destination without terminating the TLS connection.

+ +
+Yes +
name string -

The loopback IP endpoint or Unix domain socket to which traffic should -be forwarded to by default. Format should be 127.0.0.1:PORT or -unix:///path/to/socket or unix://@foobar (Linux abstract namespace).

+

Label assigned to the port.

+ +
+Yes +
targetPortuint32 +

The port number on the endpoint where the traffic will be +received. Applicable only when used with ServiceEntries.

@@ -424,7 +708,7 @@

Server

-

Server.TLSOptions

+

ServerTLSSettings

@@ -436,21 +720,21 @@

Server.TLSOptions

- + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
httpsRedirect bool -

If set to true, the load balancer will send a 301 redirect for all -http connections, asking the clients to use HTTPS.

+

If set to true, the load balancer will send a 301 redirect for +all http connections, asking the clients to use HTTPS.

No
modeTLSmodeTLSmode

Optional: Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is
@@ -461,7 +745,7 @@

Server.TLSOptions

No
serverCertificate string
@@ -473,7 +757,7 @@

Server.TLSOptions

No
privateKey string
@@ -485,7 +769,7 @@

Server.TLSOptions

No
caCertificates string
@@ -498,33 +782,28 @@

Server.TLSOptions

No
credentialName string -

The credentialName stands for a unique identifier that can be used -to identify the serverCertificate and the privateKey. The -credentialName appended with suffix “-cacert” is used to identify -the CaCertificates associated with this server. Gateway workloads -capable of fetching credentials from a remote credential store such -as Kubernetes secrets, will be configured to retrieve the -serverCertificate and the privateKey using credentialName, instead -of using the file system paths specified above. If using mutual TLS, -gateway workload instances will retrieve the CaCertificates using -credentialName-cacert. The semantics of the name are platform -dependent. In Kubernetes, the default Istio supplied credential -server expects the credentialName to match the name of the -Kubernetes secret that holds the server certificate, the private -key, and the CA certificate (if using mutual TLS). Set the -ISTIO_META_USER_SDS metadata variable in the gateway’s proxy to -enable the dynamic credential fetching feature.

+

For gateways running on Kubernetes, the name of the secret that +holds the TLS certs including the CA certificates. Applicable +only on Kubernetes. The secret (of type generic) should +contain the following keys and values: key: +<privateKey> and cert: <serverCert>. For mutual TLS, +cacert: <CACertificate> can be provided in the same secret or +a separate secret named <secret>-cacert. +Secret of type tls for server certificates along with +ca.crt key for CA certificates is also supported. +Only one of server certificates and CA certificate +or credentialName can be specified.

No
subjectAltNames string[]
@@ -536,13 +815,13 @@

Server.TLSOptions

No
verifyCertificateSpki string[]

An optional list of base64-encoded SHA-256 hashes of the SKPIs of authorized client certificates. -Note: When both verifycertificatehash and verifycertificatespki +Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.

@@ -551,14 +830,14 @@

Server.TLSOptions

No
verifyCertificateHash string[]

An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. Both simple and colon separated formats are acceptable. -Note: When both verifycertificatehash and verifycertificatespki +Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.

@@ -567,9 +846,9 @@

Server.TLSOptions

No
minProtocolVersionTLSProtocolTLSProtocol

Optional: Minimum TLS protocol version.

@@ -578,9 +857,9 @@

Server.TLSOptions

No
maxProtocolVersionTLSProtocolTLSProtocol

Optional: Maximum TLS protocol version.

@@ -589,7 +868,7 @@

Server.TLSOptions

No
cipherSuites string[]
@@ -604,9 +883,9 @@

Server.TLSOptions

-

Server.TLSOptions.TLSProtocol

+

ServerTLSSettings.TLSmode

-

TLS protocol versions.

+

TLS modes enforced by the proxy

@@ -616,47 +895,65 @@

Server.TLSOptions.TLSProtocol

- - + + - - + + - - + + - - + + - - + +
TLS_AUTO
PASSTHROUGH -

Automatically choose the optimal TLS version.

+

The SNI string presented by the client will be used as the +match criterion in a VirtualService TLS route to determine +the destination service from the service registry.

TLSV1_0
SIMPLE -

TLS version 1.0

+

Secure connections with standard TLS semantics.

TLSV1_1
MUTUAL -

TLS version 1.1

+

Secure connections to the downstream using mutual TLS by +presenting server certificates for authentication.

TLSV1_2
AUTO_PASSTHROUGH -

TLS version 1.2

+

Similar to the passthrough mode, except servers with this TLS +mode do not require an associated VirtualService to map from +the SNI value to service in the registry. The destination +details such as the service/subset/port are encoded in the +SNI value. The proxy will forward to the upstream (Envoy) +cluster (a group of endpoints) specified by the SNI +value. This server is typically used to provide connectivity +between services in disparate L3 networks that otherwise do +not have direct connectivity between their respective +endpoints. Use of this mode assumes that both the source and +the destination are using Istio mTLS to secure traffic.

TLSV1_3
ISTIO_MUTUAL -

TLS version 1.3

+

Secure connections from the downstream using mutual TLS by +presenting server certificates for authentication. Compared +to Mutual mode, this mode uses certificates, representing +gateway workload identity, generated automatically by Istio +for mTLS authentication. When this mode is used, all other +fields in TLSOptions should be empty.

-

Server.TLSOptions.TLSmode

+

ServerTLSSettings.TLSProtocol

-

TLS modes enforced by the proxy

+

TLS protocol versions.

@@ -666,55 +963,38 @@

Server.TLSOptions.TLSmode

- - + + - - + + - - + + - - + + - - + +
diff --git a/content/zh/docs/reference/config/networking/proxy-config/index.html b/content/zh/docs/reference/config/networking/proxy-config/index.html
new file mode 100644
index 0000000000000..fb927f0eb6b97
--- /dev/null
+++ b/content/zh/docs/reference/config/networking/proxy-config/index.html
@@ -0,0 +1,168 @@
+---
+WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
+source_repo: https://github.com/istio/api
+title: ProxyConfig
+description: Provides configuration for individual workloads.
+location: https://istio.io/docs/reference/config/networking/proxy-config.html
+layout: protoc-gen-docs
+generator: protoc-gen-docs
+schema: istio.networking.v1beta1.ProxyConfig
+aliases: [/zh/docs/reference/config/networking/v1beta1/proxy-config]
+number_of_entries: 2
+---

ProxyConfig exposes proxy level configuration options. ProxyConfig can be configured on a per-workload basis, +a per-namespace basis, or mesh-wide. ProxyConfig is not a required resource; there are default values in place, which are documented +inline with each field.

+ +

NOTE: fields in ProxyConfig are not dynamically configured - changes will require restart of workloads to take effect.

+ +

For any namespace, including the root configuration namespace, it is only valid +to have a single workload selector-less ProxyConfig resource.

+ +

For resources with a workload selector, it is only valid to have one resource selecting +any given workload.

+ +

For mesh level configuration, put the resource in the root configuration namespace for +your Istio installation without a workload selector:

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ProxyConfig
+metadata:
+  name: my-proxyconfig
+  namespace: istio-system
+spec:
+  concurrency: 0
+  image:
+    type: distroless
+
+ +

For namespace level configuration, put the resource in the desired namespace without a workload selector:

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ProxyConfig
+metadata:
+  name: my-ns-proxyconfig
+  namespace: user-namespace
+spec:
+  concurrency: 0
+
+ +

For workload level configuration, set the selector field on the ProxyConfig resource:

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ProxyConfig
+metadata:
+  name: per-workload-proxyconfig
+  namespace: example
+spec:
+  selector:
+    labels:
+      app: ratings
+  concurrency: 0
+  image:
+    type: debug
+
+ +

If a ProxyConfig CR is defined that matches a workload it will merge with its proxy.istio.io/config annotation if present, +with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide ProxyConfig CR is defined and +meshConfig.DefaultConfig is set, the two resources will be merged with the CR taking precedence for overlapping fields.

+ +

ProxyConfig

+
+

ProxyConfig exposes proxy level configuration options.

+ +
PASSTHROUGH
TLS_AUTO -

The SNI string presented by the client will be used as the match -criterion in a VirtualService TLS route to determine the -destination service from the service registry.

+

Automatically choose the optimal TLS version.

SIMPLE
TLSV1_0 -

Secure connections with standard TLS semantics.

+

TLS version 1.0

MUTUAL
TLSV1_1 -

Secure connections to the downstream using mutual TLS by presenting -server certificates for authentication.

+

TLS version 1.1

AUTO_PASSTHROUGH
TLSV1_2 -

Similar to the passthrough mode, except servers with this TLS mode -do not require an associated VirtualService to map from the SNI -value to service in the registry. The destination details such as -the service/subset/port are encoded in the SNI value. The proxy -will forward to the upstream (Envoy) cluster (a group of -endpoints) specified by the SNI value. This server is typically -used to provide connectivity between services in disparate L3 -networks that otherwise do not have direct connectivity between -their respective endpoints. Use of this mode assumes that both the -source and the destination are using Istio mTLS to secure traffic.

+

TLS version 1.2

ISTIO_MUTUAL
TLSV1_3 -

Secure connections from the downstream using mutual TLS by presenting -server certificates for authentication. -Compared to Mutual mode, this mode uses certificates, representing -gateway workload identity, generated automatically by Istio for -mTLS authentication. When this mode is used, all other fields in -TLSOptions should be empty.

+

TLS version 1.3

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
selectorWorkloadSelector +

Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied. +If not set, the ProxyConfig resource will be applied to all workloads in the namespace where this resource is defined.

+ +
+No +
concurrencyInt32Value +

The number of worker threads to run. +If unset, defaults to 2. If set to 0, this will be configured to use all cores on the machine using +CPU requests and limits to choose a value, with limits taking precedence over requests.

+ +
+No +
environmentVariablesmap<string, string> +

Additional environment variables for the proxy. +Names starting with ISTIO_META_ will be included in the generated bootstrap configuration and sent to the XDS server.

+ +
+No +
imageProxyImage +

Specifies the details of the proxy image.

+ +
+No +
+
+

ProxyImage

+
+

The following values are used to construct proxy image url. +$hub/$image_name/$tag-$image_type +example: docker.io/istio/proxyv2:1.11.1 or docker.io/istio/proxyv2:1.11.1-distroless +This information was previously part of the Values API.

+ + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
imageTypestring +

The image type of the image. +Istio publishes default, debug, and distroless images. +Other values are allowed if those image types (example: centos) are published to the specified hub. +supported values: default, debug, distroless.

+ +
+No +
+
diff --git a/content/zh/docs/reference/config/networking/service-entry/index.html b/content/zh/docs/reference/config/networking/service-entry/index.html
index 4360551642e4f..f07c7b92b2e69 100644
--- a/content/zh/docs/reference/config/networking/service-entry/index.html
+++ b/content/zh/docs/reference/config/networking/service-entry/index.html
@@ -6,21 +6,33 @@
 location: https://istio.io/docs/reference/config/networking/service-entry.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-aliases: [/zh/docs/reference/config/networking/v1alpha3/service-entry.html]
-number_of_entries: 4
+schema: istio.networking.v1alpha3.ServiceEntry
+aliases: [/zh/docs/reference/config/networking/v1alpha3/service-entry]
+number_of_entries: 3
 ---
-

ServiceEntry enables adding additional entries into Istio’s internal -service registry, so that auto-discovered services in the mesh can -access/route to these manually specified services. A service entry -describes the properties of a service (DNS name, VIPs, ports, protocols, -endpoints). These services could be external to the mesh (e.g., web -APIs) or mesh-internal services that are not part of the platform’s -service registry (e.g., a set of VMs talking to services in Kubernetes).

+

ServiceEntry enables adding additional entries into Istio’s +internal service registry, so that auto-discovered services in the +mesh can access/route to these manually specified services. A +service entry describes the properties of a service (DNS name, +VIPs, ports, protocols, endpoints). These services could be +external to the mesh (e.g., web APIs) or mesh-internal services +that are not part of the platform’s service registry (e.g., a set +of VMs talking to services in Kubernetes). In addition, the +endpoints of a service entry can also be dynamically selected by +using the workloadSelector field. These endpoints can be VM +workloads declared using the WorkloadEntry object or Kubernetes +pods. The ability to select both pods and VMs under a single +service allows for migration of services from VMs to Kubernetes +without having to change the existing DNS names associated with the +services.

The following example declares a few external APIs accessed by internal applications over HTTPS. The sidecar inspects the SNI value in the ClientHello message to route to the appropriate external service.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -38,11 +50,38 @@
   resolution: DNS
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: external-svc-https
+spec:
+  hosts:
+  - api.dropboxapi.com
+  - www.googleapis.com
+  - api.facebook.com
+  location: MESH_EXTERNAL
+  ports:
+  - number: 443
+    name: https
+    protocol: TLS
+  resolution: DNS
+
+ +

{{}} +{{}}

+

The following configuration adds a set of MongoDB instances running on unmanaged VMs to Istio’s registry, so that these services can be treated as any other service in the mesh. The associated DestinationRule is used to initiate mTLS connections to the database instances.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -63,8 +102,38 @@
   - address: 3.3.3.3
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: external-svc-mongocluster
+spec:
+  hosts:
+  - mymongodb.somedomain # not used
+  addresses:
+  - 192.192.192.192/24 # VIPs
+  ports:
+  - number: 27018
+    name: mongodb
+    protocol: MONGO
+  location: MESH_INTERNAL
+  resolution: STATIC
+  endpoints:
+  - address: 2.2.2.2
+  - address: 3.3.3.3
+
+ +

{{}} +{{}}

+

and the associated DestinationRule

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -79,10 +148,34 @@
       caCertificates: /etc/certs/rootcacerts.pem
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: mtls-mongocluster
+spec:
+  host: mymongodb.somedomain
+  trafficPolicy:
+    tls:
+      mode: MUTUAL
+      clientCertificate: /etc/certs/myclientcert.pem
+      privateKey: /etc/certs/client_private_key.pem
+      caCertificates: /etc/certs/rootcacerts.pem
+
+ +

{{}} +{{}}

+

The following example uses a combination of service entry and TLS routing in a virtual service to steer traffic based on the SNI value to an internal egress firewall.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -99,8 +192,34 @@
   resolution: NONE
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: external-svc-redirect
+spec:
+  hosts:
+  - wikipedia.org
+  - "*.wikipedia.org"
+  location: MESH_EXTERNAL
+  ports:
+  - number: 443
+    name: https
+    protocol: TLS
+  resolution: NONE
+
+ +

{{}} +{{}}

+

And the associated VirtualService to route based on the SNI value.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -119,6 +238,31 @@
         host: internal-egress-firewall.ns1.svc.cluster.local
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: tls-routing
+spec:
+  hosts:
+  - wikipedia.org
+  - "*.wikipedia.org"
+  tls:
+  - match:
+    - sniHosts:
+      - wikipedia.org
+      - "*.wikipedia.org"
+    route:
+    - destination:
+        host: internal-egress-firewall.ns1.svc.cluster.local
+
+ +

{{}} +{{}}

+

The virtual service with TLS match serves to override the default SNI match. In the absence of a virtual service, traffic will be forwarded to the wikipedia domains.

@@ -131,6 +275,9 @@ current namespace, represented by “.”, so that it cannot be used by other namespaces.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -138,7 +285,29 @@
   namespace : egress
 spec:
   hosts:
-  - httpbin.com
+  - example.com
+  exportTo:
+  - "."
+  location: MESH_EXTERNAL
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: DNS
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: external-svc-httpbin
+  namespace : egress
+spec:
+  hosts:
+  - example.com
   exportTo:
   - "."
   location: MESH_EXTERNAL
@@ -149,8 +318,14 @@
   resolution: DNS
 
+

{{}} +{{}}

+

Define a gateway to handle all egress traffic.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
@@ -168,6 +343,30 @@
    - "*"
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: istio-egressgateway
+ namespace: istio-system
+spec:
+ selector:
+   istio: egressgateway
+ servers:
+ - port:
+     number: 80
+     name: http
+     protocol: HTTP
+   hosts:
+   - "*"
+
+ +

{{}} +{{}}

+

And the associated VirtualService to route from the sidecar to the gateway service (istio-egressgateway.istio-system.svc.cluster.local), as well as route from the gateway to the external service. Note that the
@@ -175,6 +374,9 @@ through the gateway to the external service. Forcing traffic to go through a managed middle proxy like this is a common practice.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -182,7 +384,7 @@
   namespace: egress
 spec:
   hosts:
-  - httpbin.com
+  - example.com
   exportTo:
   - "*"
   gateways:
@@ -202,14 +404,54 @@
       - istio-egressgateway
     route:
     - destination:
-        host: httpbin.com
+        host: example.com
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: gateway-routing
+  namespace: egress
+spec:
+  hosts:
+  - example.com
+  exportTo:
+  - "*"
+  gateways:
+  - mesh
+  - istio-egressgateway
+  http:
+  - match:
+    - port: 80
+      gateways:
+      - mesh
+    route:
+    - destination:
+        host: istio-egressgateway.istio-system.svc.cluster.local
+  - match:
+    - port: 80
+      gateways:
+      - istio-egressgateway
+    route:
+    - destination:
+        host: example.com
+
+ +

{{}} +{{}}

+

The following example demonstrates the use of wildcards in the hosts for external services. If the connection has to be routed to the IP address requested by the application (i.e. application resolves DNS and attempts to connect to a specific IP), the discovery mode must be set to NONE.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -225,10 +467,35 @@
   resolution: NONE
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: external-svc-wildcard-example
+spec:
+  hosts:
+  - "*.bar.com"
+  location: MESH_EXTERNAL
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: NONE
+
+ +

{{}} +{{}}

+

The following example demonstrates a service that is available via a Unix Domain Socket on the host of the client. The resolution must be set to STATIC to use Unix address endpoints.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -246,6 +513,30 @@
   - address: unix:///var/run/example/socket
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: unix-domain-socket-example
+spec:
+  hosts:
+  - "example.unix.local"
+  location: MESH_EXTERNAL
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: STATIC
+  endpoints:
+  - address: unix:///var/run/example/socket
+
+ +

{{}} +{{}}

+

For HTTP-based services, it is possible to create a VirtualService backed by multiple DNS addressable endpoints. In such a scenario, the application can use the HTTP_PROXY environment variable to transparently
@@ -254,6 +545,9 @@ service called foo.bar.com backed by three domains: us.foo.bar.com:8080, uk.foo.bar.com:9080, and in.foo.bar.com:7080

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -270,15 +564,47 @@
   endpoints:
   - address: us.foo.bar.com
     ports:
-      https: 8080
+      http: 8080
+  - address: uk.foo.bar.com
+    ports:
+      http: 9080
+  - address: in.foo.bar.com
+    ports:
+      http: 7080
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: external-svc-dns
+spec:
+  hosts:
+  - foo.bar.com
+  location: MESH_EXTERNAL
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: DNS
+  endpoints:
+  - address: us.foo.bar.com
+    ports:
+      http: 8080
   - address: uk.foo.bar.com
     ports:
-      https: 9080
+      http: 9080
   - address: in.foo.bar.com
     ports:
-      https: 7080
+      http: 7080
 
+

{{}} +{{}}

+

With HTTP_PROXY=http://localhost/, calls from the application to http://foo.bar.com will be load balanced across the three domains specified above. In other words, a call to http://foo.bar.com/baz would
@@ -288,6 +614,9 @@ containing a subject alternate name whose format conforms to the SPIFFE standard:

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -295,7 +624,7 @@
   namespace : httpbin-ns
 spec:
   hosts:
-  - httpbin.com
+  - example.com
   location: MESH_INTERNAL
   ports:
   - number: 80
@@ -309,6 +638,153 @@
   - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: httpbin
+  namespace : httpbin-ns
+spec:
+  hosts:
+  - example.com
+  location: MESH_INTERNAL
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: STATIC
+  endpoints:
+  - address: 2.2.2.2
+  - address: 3.3.3.3
+  subjectAltNames:
+  - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
+
+ +

{{}} +{{}}

+ +

The following example demonstrates the use of ServiceEntry with a +workloadSelector to handle the migration of a service +details.bookinfo.com from VMs to Kubernetes. The service has two +VM-based instances with sidecars as well as a set of Kubernetes +pods managed by a standard deployment object. Consumers of this +service in the mesh will be automatically load balanced across the +VMs and Kubernetes. VM for the details.bookinfo.com +service. This VM has sidecar installed and bootstrapped using the +details-legacy service account. The sidecar receives HTTP traffic +on port 80 (wrapped in istio mutual TLS) and forwards it to the +application on the localhost on the same port.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: WorkloadEntry
+metadata:
+  name: details-vm-1
+spec:
+  serviceAccount: details
+  address: 2.2.2.2
+  labels:
+    app: details
+    instance-id: vm1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: WorkloadEntry
+metadata:
+  name: details-vm-2
+spec:
+  serviceAccount: details
+  address: 3.3.3.3
+  labels:
+    app: details
+    instance-id: vm2
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: WorkloadEntry
+metadata:
+  name: details-vm-1
+spec:
+  serviceAccount: details
+  address: 2.2.2.2
+  labels:
+    app: details
+    instance-id: vm1
+---
+apiVersion: networking.istio.io/v1beta1
+kind: WorkloadEntry
+metadata:
+  name: details-vm-2
+spec:
+  serviceAccount: details
+  address: 3.3.3.3
+  labels:
+    app: details
+    instance-id: vm2
+
+ +

{{}} +{{}}

+ +

Assuming there is also a Kubernetes deployment with pod labels +app: details using the same service account details, the +following service entry declares a service spanning both VMs and +Kubernetes:

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: details-svc
+spec:
+  hosts:
+  - details.bookinfo.com
+  location: MESH_INTERNAL
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: STATIC
+  workloadSelector:
+    labels:
+      app: details
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: details-svc
+spec:
+  hosts:
+  - details.bookinfo.com
+  location: MESH_INTERNAL
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: STATIC
+  workloadSelector:
+    labels:
+      app: details
+
+ +

{{}} +{{}}

+

ServiceEntry

ServiceEntry enables adding additional entries into Istio’s internal
@@ -338,9 +814,23 @@

ServiceEntry

will be matched against the hosts field. -

Note that when resolution is set to type DNS -and no endpoints are specified, the host field will be used as the DNS name -of the endpoint to route traffic to.

+

NOTE 1: When resolution is set to type DNS and no endpoints +are specified, the host field will be used as the DNS name of the +endpoint to route traffic to.

+ +

NOTE 2: If the hostname matches with the name of a service +from another service registry such as Kubernetes that also +supplies its own set of endpoints, the ServiceEntry will be +treated as a decorator of the existing Kubernetes +service. Properties in the service entry will be added to the +Kubernetes service if applicable. Currently, the only the +following additional properties will be considered by istiod:

+ +
    +
  1. subjectAltNames: In addition to verifying the SANs of the +service accounts associated with the pods of the service, the +SANs specified here will also be verified.
  2. +
@@ -373,7 +863,7 @@

ServiceEntry

portsPort[]Port[]

The ports associated with the external service. If the Endpoints are Unix domain socket addresses, there must be exactly one
@@ -403,7 +893,7 @@

ServiceEntry

Service discovery mode for the hosts. Care must be taken when setting the resolution mode to NONE for a TCP port without accompanying IP addresses. In such cases, traffic to any IP on -said port will be allowed (i.e. 0.0.0.0:).

+said port will be allowed (i.e. 0.0.0.0:<port>).

@@ -412,9 +902,26 @@

ServiceEntry

endpointsEndpoint[]WorkloadEntry[] +

One or more endpoints associated with the service. Only one of +endpoints or workloadSelector can be specified.

+ +
+No +
workloadSelectorWorkloadSelector -

One or more endpoints associated with the service.

+

Applicable only for MESH_INTERNAL services. Only one of +endpoints or workloadSelector can be specified. Selects one +or more Kubernetes pods or VM workloads (specified using +WorkloadEntry) based on their labels. The WorkloadEntry object +representing the VMs should be defined in the same namespace as +the ServiceEntry.

@@ -442,9 +949,6 @@

ServiceEntry

the annotation “networking.istio.io/exportTo” to a comma-separated list of namespace names.

-

NOTE: in the current release, the exportTo value is restricted to -“.” or “*” (i.e., the current namespace or all namespaces).

-
No @@ -454,124 +958,13 @@

ServiceEntry

subjectAltNames string[] -

The list of subject alternate names allowed for workload instances that -implement this service. This information is used to enforce -secure-naming. -If specified, the proxy will verify that the server -certificate’s subject alternate name matches one of the specified values.

+

If specified, the proxy will verify that the server certificate’s +subject alternate name matches one of the specified values.

-
-No -
-
-

ServiceEntry.Endpoint

-
-

Endpoint defines a network address (IP or hostname) associated with -the mesh service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + +
diff --git a/content/zh/docs/reference/config/networking/sidecar/index.html b/content/zh/docs/reference/config/networking/sidecar/index.html
index 00fa64dd9c897..332824e82bbd2 100644
--- a/content/zh/docs/reference/config/networking/sidecar/index.html
+++ b/content/zh/docs/reference/config/networking/sidecar/index.html
@@ -6,7 +6,8 @@
 location: https://istio.io/docs/reference/config/networking/sidecar.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-aliases: [/zh/docs/reference/config/networking/v1alpha3/sidecar.html]
+schema: istio.networking.v1alpha3.Sidecar
+aliases: [/zh/docs/reference/config/networking/v1alpha3/sidecar]
 number_of_entries: 7
 ---

Sidecar describes the configuration of the sidecar proxy that mediates @@ -30,22 +31,29 @@ workloadSelector that selects this workload instance, over a Sidecar configuration without any workloadSelector.

-

NOTE 1: Each namespace can have only one Sidecar configuration without any -workloadSelector. The behavior of the system is undefined if more -than one selector-less Sidecar configurations exist in a given namespace. The -behavior of the system is undefined if two or more Sidecar configurations -with a workloadSelector select the same workload instance.

+

NOTE 1: Each namespace can have only one Sidecar +configuration without any workloadSelector that specifies the +default for all pods in that namespace. It is recommended to use +the name default for the namespace-wide sidecar. The behavior of +the system is undefined if more than one selector-less Sidecar +configurations exist in a given namespace. The behavior of the +system is undefined if two or more Sidecar configurations with a +workloadSelector select the same workload instance.

-

NOTE 2: A Sidecar configuration in the MeshConfig +

NOTE 2: A Sidecar configuration in the MeshConfig root namespace will be applied by default to all namespaces without a Sidecar configuration. This global default Sidecar configuration should not have any workloadSelector.

-

The example below declares a global default Sidecar configuration in the -root namespace called istio-config, that configures sidecars in -all namespaces to allow egress traffic only to other workloads in -the same namespace, and to services in the istio-system namespace.

+

The example below declares a global default Sidecar configuration +in the root namespace called istio-config, that configures +sidecars in all namespaces to allow egress traffic only to other +workloads in the same namespace as well as to services in the +istio-system namespace.

+ +

{{}} +{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
@@ -59,11 +67,33 @@
     - "istio-system/*"
 
-

The example below declares a Sidecar configuration in the prod-us1 -namespace that overrides the global default defined above, and -configures the sidecars in the namespace to allow egress traffic to -public services in the prod-us1, prod-apis, and the istio-system -namespaces.

+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+  name: default
+  namespace: istio-config
+spec:
+  egress:
+  - hosts:
+    - "./*"
+    - "istio-system/*"
+
+ +

{{}} +{{}}

+ +

The example below declares a Sidecar configuration in the +prod-us1 namespace that overrides the global default defined +above, and configures the sidecars in the namespace to allow egress +traffic to public services in the prod-us1, prod-apis, and the +istio-system namespaces.

+ +

{{}} +{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
@@ -78,19 +108,47 @@
     - "istio-system/*"
 
-

The example below declares a Sidecar configuration in the prod-us1 namespace -that accepts inbound HTTP traffic on port 9080 and forwards -it to the attached workload instance listening on a Unix domain socket. In the -egress direction, in addition to the istio-system namespace, the sidecar -proxies only HTTP traffic bound for port 9080 for services in the -prod-us1 namespace.

+

{{}}

-
apiVersion: networking.istio.io/v1alpha3
+

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
   name: default
   namespace: prod-us1
 spec:
+  egress:
+  - hosts:
+    - "prod-us1/*"
+    - "prod-apis/*"
+    - "istio-system/*"
+
+ +

{{}} +{{}}

+ +

The following example declares a Sidecar configuration in the +prod-us1 namespace for all pods with labels app: ratings +belonging to the ratings.prod-us1 service. The workload accepts +inbound HTTP traffic on port 9080. The traffic is then forwarded to +the attached workload instance listening on a Unix domain +socket. In the egress direction, in addition to the istio-system +namespace, the sidecar proxies only HTTP traffic bound for port +9080 for services in the prod-us1 namespace.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+  name: ratings
+  namespace: prod-us1
+spec:
+  workloadSelector:
+    labels:
+      app: ratings
   ingress:
   - port:
       number: 9080
@@ -108,18 +166,56 @@
     - "istio-system/*"
 
-

If the workload is deployed without IPTables-based traffic capture, the -Sidecar configuration is the only way to configure the ports on the proxy -attached to the workload instance. The following example declares a Sidecar -configuration in the prod-us1 namespace for all pods with labels -app: productpage belonging to the productpage.prod-us1 service. Assuming -that these pods are deployed without IPtable rules (i.e. the istio-init -container) and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to -NONE, the specification, below, allows such pods to receive HTTP traffic -on port 9080 and forward it to the application listening on -127.0.0.1:8080. It also allows the application to communicate with a -backing MySQL database on 127.0.0.1:3306, that then gets proxied to the -externally hosted MySQL service at mysql.foo.com:3306.

+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+  name: ratings
+  namespace: prod-us1
+spec:
+  workloadSelector:
+    labels:
+      app: ratings
+  ingress:
+  - port:
+      number: 9080
+      protocol: HTTP
+      name: somename
+    defaultEndpoint: unix:///var/run/someuds.sock
+  egress:
+  - port:
+      number: 9080
+      protocol: HTTP
+      name: egresshttp
+    hosts:
+    - "prod-us1/*"
+  - hosts:
+    - "istio-system/*"
+
+ +

{{}} +{{}}

+ +

If the workload is deployed without IPTables-based traffic capture, +the Sidecar configuration is the only way to configure the ports +on the proxy attached to the workload instance. The following +example declares a Sidecar configuration in the prod-us1 +namespace for all pods with labels app: productpage belonging to +the productpage.prod-us1 service. Assuming that these pods are +deployed without IPtable rules (i.e. the istio-init container) +and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to +NONE, the specification, below, allows such pods to receive HTTP +traffic on port 9080 (wrapped inside Istio mutual TLS) and forward +it to the application listening on 127.0.0.1:8080. It also allows +the application to communicate with a backing MySQL database on +127.0.0.1:3306, that then gets proxied to the externally hosted +MySQL service at mysql.foo.com:3306.

+ +

{{}} +{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
@@ -148,8 +244,45 @@
     - "*/mysql.foo.com"
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+  name: no-ip-tables
+  namespace: prod-us1
+spec:
+  workloadSelector:
+    labels:
+      app: productpage
+  ingress:
+  - port:
+      number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
+      protocol: HTTP
+      name: somename
+    defaultEndpoint: 127.0.0.1:8080
+    captureMode: NONE # not needed if metadata is set for entire proxy
+  egress:
+  - port:
+      number: 3306
+      protocol: MYSQL
+      name: egressmysql
+    captureMode: NONE # not needed if metadata is set for entire proxy
+    bind: 127.0.0.1
+    hosts:
+    - "*/mysql.foo.com"
+
+ +

{{}} +{{}}

+

And the associated service entry for routing to mysql.foo.com:3306

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -166,6 +299,29 @@
   resolution: DNS
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: external-svc-mysql
+  namespace: ns1
+spec:
+  hosts:
+  - mysql.foo.com
+  ports:
+  - number: 3306
+    name: mysql
+    protocol: MYSQL
+  location: MESH_EXTERNAL
+  resolution: DNS
+
+ +

{{}} +{{}}

+

It is also possible to mix and match traffic capture modes in a single proxy. For example, consider a setup where internal services are on the 192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all @@ -173,10 +329,14 @@ additional network interface on 172.16.0.0/16 subnet for inbound traffic. The following Sidecar configuration allows the VM to expose a listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving from the -172.16.0.0/16 subnet. Note that in this scenario, the -ISTIO_META_INTERCEPTION_MODE metadata on the proxy in the VM should -contain REDIRECT or TPROXY as its value, implying that IP tables -based traffic capture is active.

+172.16.0.0/16 subnet.

+ +

NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the +proxy in the VM should contain REDIRECT or TPROXY as its value, +implying that IP tables based traffic capture is active.

+ +

{{}} +{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
@@ -205,42 +365,267 @@
     - "*/*"
 
-

CaptureMode

+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+  name: partial-ip-tables
+  namespace: prod-us1
+spec:
+  workloadSelector:
+    labels:
+      app: productpage
+  ingress:
+  - bind: 172.16.1.32
+    port:
+      number: 80 # binds to 172.16.1.32:80
+      protocol: HTTP
+      name: somename
+    defaultEndpoint: 127.0.0.1:8080
+    captureMode: NONE
+  egress:
+    # use the system detected defaults
+    # sets up configuration to handle outbound traffic to services
+    # in 192.168.0.0/16 subnet, based on information provided by the
+    # service registry
+  - captureMode: IPTABLES
+    hosts:
+    - "*/*"
+
+ +

{{}} +{{}}

+ +

The following example declares a Sidecar configuration in the +prod-us1 namespace for all pods with labels app: ratings +belonging to the ratings.prod-us1 service. The service accepts +inbound HTTPS traffic on port 8443 and the sidecar proxy terminates +one way TLS using the given server certificates. +The traffic is then forwarded to the attached workload instance +listening on a Unix domain socket. +It is expected that PeerAuthentication policy would be configured +in order to set mTLS mode to “DISABLE” on specific +ports. +In this example, the mTLS mode is disabled on PORT 80. +This feature is currently experimental.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+  name: ratings
+  namespace: prod-us1
+spec:
+  workloadSelector:
+    labels:
+      app: ratings
+  ingress:
+  - port:
+      number: 80
+      protocol: HTTPS
+      name: somename
+    defaultEndpoint: unix:///var/run/someuds.sock
+    tls:
+      mode: SIMPLE
+      privateKey: "/etc/certs/privatekey.pem"
+      serverCertificate: "/etc/certs/servercert.pem"
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: v1
+kind: Service
+metadata:
+  name: ratings
+  labels:
+    app: ratings
+    service: ratings
+spec:
+  ports:
+  - port: 8443
+    name: https
+    targetPort: 80
+  selector:
+    app: ratings
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: ratings-peer-auth
+  namespace: prod-us1
+spec:
+  selector:
+    matchLabels:
+      app: ratings
+  mtls:
+    mode: STRICT
+  portLevelMtls:
+    80:
+      mode: DISABLE
+
+ +

{{}} +{{}}

+ +

Sidecar

-

CaptureMode describes how traffic to a listener is expected to be -captured. Applicable only when the listener is bound to an IP.

+

Sidecar describes the configuration of the sidecar proxy that mediates +inbound and outbound communication of the workload instance to which it is +attached.

-
FieldTypeDescriptionRequired
addressstring -

Address associated with the network endpoint without the -port. Domain names can be used if and only if the resolution is set -to DNS, and must be fully-qualified without wildcards. Use the form -unix:///absolute/path/to/socket for Unix domain socket endpoints.

- -
-Yes -
portsmap<string, uint32> -

Set of ports associated with the endpoint. The ports must be -associated with a port name that was declared as part of the -service. Do not use for unix:// addresses.

- -
-No -
labelsmap<string, string> -

One or more labels associated with the endpoint.

- -
-No -
networkstring -

Network enables Istio to group endpoints resident in the same L3 -domain/network. All endpoints in the same network are assumed to be -directly reachable from one another. When endpoints in different -networks cannot reach each other directly, an Istio Gateway can be -used to establish connectivity (usually using the -AUTO_PASSTHROUGH mode in a Gateway Server). This is -an advanced configuration used typically for spanning an Istio mesh -over multiple clusters.

- -
-No -
localitystring -

The locality associated with the endpoint. A locality corresponds -to a failure domain (e.g., country/region/zone). Arbitrary failure -domain hierarchies can be represented by separating each -encapsulating failure domain by /. For example, the locality of an -an endpoint in US, in US-East-1 region, within availability zone -az-1, in data center rack r11 can be represented as -us/us-east-1/az-1/r11. Istio will configure the sidecar to route to -endpoints within the same locality as the sidecar. If none of the -endpoints in the locality are available, endpoints parent locality -(but within the same network ID) will be chosen. For example, if -there are two endpoints in same network (networkID “n1”), say e1 -with locality us/us-east-1/az-1/r11 and e2 with locality -us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality -will prefer e1 from the same locality over e2 from a different -locality. Endpoint e2 could be the IP associated with a gateway -(that bridges networks n1 and n2), or the IP associated with a -standard service endpoint.

- -
-No -
weightuint32 -

The load balancing weight associated with the endpoint. Endpoints -with higher weights will receive proportionally higher traffic.

+

NOTE: When using the workloadEntry with workloadSelectors, the +service account specified in the workloadEntry will also be used +to derive the additional subject alternate names that should be +verified.

@@ -663,13 +1056,29 @@

ServiceEntry.Resolution

DNS

Attempt to resolve the IP address by querying the ambient DNS, -during request processing. If no endpoints are specified, the proxy +asynchronously. If no endpoints are specified, the proxy will resolve the DNS address specified in the hosts field, if wildcards are not used. If endpoints are specified, the DNS addresses specified in the endpoints will be resolved to determine the destination IP address. DNS resolution cannot be used with Unix domain socket endpoints.

+
DNS_ROUND_ROBIN +

Attempt to resolve the IP address by querying the ambient DNS, +asynchronously. Unlike DNS, DNS_ROUND_ROBIN only uses the +first IP address returned when a new connection needs to be initiated +without relying on complete results of DNS resolution and connections +made to hosts will be retained even if DNS records change frequently +eliminating draining connection pools and connection cycling. +This is best suited for large web scale services that +must be accessed via DNS. The proxy will resolve the DNS address +specified in the hosts field, if wildcards are not used. DNS resolution +cannot be used with Unix domain socket endpoints.

+
+
- + + + - - + + + + - - + + + + - - + + + + + + + + + + + + +
NameFieldType DescriptionRequired
DEFAULT
workloadSelectorWorkloadSelector -

The default capture mode defined by the environment.

+

Criteria used to select the specific set of pods/VMs on which this +Sidecar configuration should be applied. If omitted, the Sidecar +configuration will be applied to all workload instances in the same namespace.

+
+No
IPTABLES
ingressIstioIngressListener[] -

Capture traffic using IPtables redirection.

+

Ingress specifies the configuration of the sidecar for processing +inbound traffic to the attached workload instance. If omitted, Istio will +automatically configure the sidecar based on the information about the workload +obtained from the orchestration platform (e.g., exposed ports, services, +etc.). If specified, inbound ports are configured if and only if the +workload instance is associated with a service.

+
+No
NONE
egressIstioEgressListener[] -

No traffic capture. When used in an egress listener, the application is -expected to explicitly communicate with the listener port or Unix -domain socket. When used in an ingress listener, care needs to be taken -to ensure that the listener port is not in use by other processes on -the host.

+

Egress specifies the configuration of the sidecar for processing +outbound traffic from the attached workload instance to other +services in the mesh. If not specified, inherits the system +detected defaults from the namespace-wide or the global default Sidecar.

+
+No +
outboundTrafficPolicyOutboundTrafficPolicy +

Configuration for the outbound traffic policy. If your +application uses one or more external services that are not known +apriori, setting the policy to ALLOW_ANY will cause the +sidecars to route any unknown traffic originating from the +application to its requested destination. If not specified, +inherits the system detected defaults from the namespace-wide or +the global default Sidecar.

+ +
+No +
+
+

IstioIngressListener

+
+

IstioIngressListener specifies the properties of an inbound +traffic listener on the sidecar proxy attached to a workload instance.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -263,7 +648,7 @@

IstioEgressListener

- +
FieldTypeDescriptionRequired
portPort +

The port associated with the listener.

+ +
+Yes +
bindstring +

The IP to which the listener should be bound. Must be in the +format x.x.x.x. Unix domain socket addresses are not allowed in +the bind field for ingress listeners. If omitted, Istio will +automatically configure the defaults based on imported services +and the workload instances to which this configuration is applied +to.

+ +
+No +
captureModeCaptureMode +

The captureMode option dictates how traffic to the listener is +expected to be captured (or not).

+ +
+No +
defaultEndpointstring +

The IP endpoint or Unix domain socket to which +traffic should be forwarded to. This configuration can be used to +redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port +or Unix domain socket where the application workload instance is listening for +connections. Arbitrary IPs are not supported. Format should be one of 127.0.0.1:PORT, 0.0.0.0:PORT +(which will forward to the instance IP), or unix:///path/to/socket

+ +
+Yes
portPortPort

The port associated with the listener. If using Unix domain socket, use 0 as the port number, with a valid protocol. The port if @@ -342,15 +727,6 @@

IstioEgressListener

not be available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

-

WARNING: The list of egress hosts in a Sidecar must also include -the Mixer control plane services if they are enabled. Envoy will not -be able to reach them otherwise. For example, add host -istio-system/istio-telemetry.istio-system.svc.cluster.local if telemetry -is enabled, istio-system/istio-policy.istio-system.svc.cluster.local if -policy is enabled, or add istio-system/* to allow all services in the -istio-system namespace. This requirement is temporary and will be removed -in a future Istio release.

-
Yes @@ -359,10 +735,17 @@

IstioEgressListener

-

IstioIngressListener

+

WorkloadSelector

-

IstioIngressListener specifies the properties of an inbound -traffic listener on the sidecar proxy attached to a workload instance.

+

WorkloadSelector specifies the criteria used to determine if the +Gateway, Sidecar, EnvoyFilter, ServiceEntry, or DestinationRule +configuration can be applied to a proxy. The matching criteria +includes the metadata associated with a proxy, workload instance +info such as labels attached to the pod/VM, or any other info that +the proxy provides to Istio during the initial handshake. If +multiple conditions are specified, all conditions need to match in +order for the workload instance to be selected. Currently, only +label based selection mechanism is supported.

@@ -374,54 +757,14 @@

IstioIngressListener

- - - - - - - - - - - - - - - - - - - - - + + +
portPort -

The port associated with the listener.

- -
-Yes -
bindstring -

The IP to which the listener should be bound. Must be in the -format x.x.x.x. Unix domain socket addresses are not allowed in -the bind field for ingress listeners. If omitted, Istio will -automatically configure the defaults based on imported services -and the workload instances to which this configuration is applied -to.

- -
-No -
captureModeCaptureMode -

The captureMode option dictates how traffic to the listener is -expected to be captured (or not).

- -
-No -
defaultEndpointstring
labelsmap<string, string> -

The loopback IP endpoint or Unix domain socket to which -traffic should be forwarded to. This configuration can be used to -redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port -or Unix domain socket where the application workload instance is listening for -connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket

+

One or more labels that indicate a specific set of pods/VMs +on which the configuration should be applied. The scope of +label search is restricted to the configuration namespace in which the +the resource is present.

@@ -494,114 +837,42 @@

OutboundTrafficPolicy.Mode

-

Sidecar

+

CaptureMode

-

Sidecar describes the configuration of the sidecar proxy that mediates -inbound and outbound communication of the workload instance to which it is -attached.

+

CaptureMode describes how traffic to a listener is expected to be +captured. Applicable only when the listener is bound to an IP.

- +
- - + - - - - - - - - - - - - - - - - + + - - - - + + - - - -
FieldTypeName DescriptionRequired
workloadSelectorWorkloadSelector -

Criteria used to select the specific set of pods/VMs on which this -Sidecar configuration should be applied. If omitted, the Sidecar -configuration will be applied to all workload instances in the same namespace.

- -
-No -
ingressIstioIngressListener[] -

Ingress specifies the configuration of the sidecar for processing -inbound traffic to the attached workload instance. If omitted, Istio will -automatically configure the sidecar based on the information about the workload -obtained from the orchestration platform (e.g., exposed ports, services, -etc.). If specified, inbound ports are configured if and only if the -workload instance is associated with a service.

- -
-No -
egressIstioEgressListener[]
DEFAULT -

Egress specifies the configuration of the sidecar for processing -outbound traffic from the attached workload instance to other services in the -mesh.

+

The default capture mode defined by the environment.

-
-Yes
outboundTrafficPolicyOutboundTrafficPolicy
IPTABLES -

This allows to configure the outbound traffic policy. -If your application uses one or more external -services that are not known apriori, setting the policy to ALLOW_ANY -will cause the sidecars to route any unknown traffic originating from -the application to its requested destination.

+

Capture traffic using IPtables redirection.

-No -
-
-

WorkloadSelector

-
-

WorkloadSelector specifies the criteria used to determine if the Gateway, -Sidecar, or EnvoyFilter configuration can be applied to a proxy. The matching criteria -includes the metadata associated with a proxy, workload instance info such as -labels attached to the pod/VM, or any other info that the proxy provides -to Istio during the initial handshake. If multiple conditions are -specified, all conditions need to match in order for the workload instance to be -selected. Currently, only label based selection mechanism is supported.

- - - - - - - - - - - - - + + -
diff --git a/content/zh/docs/reference/config/networking/virtual-service/index.html b/content/zh/docs/reference/config/networking/virtual-service/index.html
index 5e1f51a48462d..ca7653e7a86de 100644
--- a/content/zh/docs/reference/config/networking/virtual-service/index.html
+++ b/content/zh/docs/reference/config/networking/virtual-service/index.html
@@ -6,8 +6,9 @@
 location: https://istio.io/docs/reference/config/networking/virtual-service.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-aliases: [/zh/docs/reference/config/networking/v1alpha3/virtual-service.html]
-number_of_entries: 23
+schema: istio.networking.v1alpha3.VirtualService
+aliases: [/zh/docs/reference/config/networking/v1alpha3/virtual-service]
+number_of_entries: 25
 ---

Configuration affecting traffic routing. Here are a few terms useful to define in the context of traffic routing.

@@ -51,6 +52,9 @@ HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will be rewritten to /newcatalog and sent to pods with label “version: v2”.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -78,10 +82,47 @@
         subset: v1
 
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: reviews-route
+spec:
+  hosts:
+  - reviews.prod.svc.cluster.local
+  http:
+  - name: "reviews-v2-routes"
+    match:
+    - uri:
+        prefix: "/wpcatalog"
+    - uri:
+        prefix: "/consumercatalog"
+    rewrite:
+      uri: "/newcatalog"
+    route:
+    - destination:
+        host: reviews.prod.svc.cluster.local
+        subset: v2
+  - name: "reviews-v1-route"
+    route:
+    - destination:
+        host: reviews.prod.svc.cluster.local
+        subset: v1
+
+ +

{{}} +{{}}

+

A subset/version of a route destination is identified with a reference to a named service subset which must be declared in a corresponding DestinationRule.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -97,40 +138,32 @@
       version: v2
 
-

CorsPolicy

-
-

Describes the Cross-Origin Resource Sharing (CORS) policy, for a given -service. Refer to CORS -for further details about cross origin resource sharing. For example, -the following rule restricts cross origin requests to those originating -from example.com domain using HTTP POST/GET, and sets the -Access-Control-Allow-Credentials header to false. In addition, it only -exposes X-Foo-bar header and sets an expiry period of 1 day.

+

{{}}

-
apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
+

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
 metadata:
-  name: ratings-route
+  name: reviews-destination
 spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-    corsPolicy:
-      allowOrigins:
-      - exact: example.com
-      allowMethods:
-      - POST
-      - GET
-      allowCredentials: false
-      allowHeaders:
-      - X-Foo-Bar
-      maxAge: "24h"
+  host: reviews.prod.svc.cluster.local
+  subsets:
+  - name: v1
+    labels:
+      version: v1
+  - name: v2
+    labels:
+      version: v2
 
+

{{}} +{{}}

+ +

VirtualService

+
+

Configuration affecting traffic routing.

+
FieldTypeDescriptionRequired
labelsmap<string, string>
NONE -

One or more labels that indicate a specific set of pods/VMs -on which this Sidecar configuration should be applied. The scope of -label search is restricted to the configuration namespace in which the -the resource is present.

+

No traffic capture. When used in an egress listener, the application is +expected to explicitly communicate with the listener port or Unix +domain socket. When used in an ingress listener, care needs to be taken +to ensure that the listener port is not in use by other processes on +the host.

-
-Yes
@@ -141,74 +174,131 @@

CorsPolicy

- - + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
allowOrigin
hosts string[] -

The list of origins that are allowed to perform CORS requests. The -content will be serialized into the Access-Control-Allow-Origin -header. Wildcard * will allow all origins.

+

The destination hosts to which traffic is being sent. Could +be a DNS name with wildcard prefix or an IP address. Depending on the +platform, short-names can also be used instead of a FQDN (i.e. has no +dots in the name). In such a scenario, the FQDN of the host would be +derived based on the underlying platform.

+ +

A single VirtualService can be used to describe all the traffic +properties of the corresponding hosts, including those for multiple +HTTP and TCP ports. Alternatively, the traffic properties of a host +can be defined using more than one VirtualService, with certain +caveats. Refer to the +Operations Guide +for details.

+ +

Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the “default” namespace containing a host “reviews” will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of +the actual namespace associated with the reviews service. To avoid +potential misconfigurations, it is recommended to always use fully +qualified domain names over short names.

+ +

The hosts field applies to both HTTP and TCP services. Service inside +the mesh, i.e., those found in the service registry, must always be +referred to using their alphanumeric names. IP addresses are allowed +only for services defined via the Gateway.

+ +

Note: It must be empty for a delegate VirtualService.

No
allowMethods
gateways string[] -

List of HTTP methods allowed to access the resource. The content will -be serialized into the Access-Control-Allow-Methods header.

+

The names of gateways and sidecars that should apply these routes. +Gateways in other namespaces may be referred to by +<gateway namespace>/<gateway name>; specifying a gateway with no +namespace qualifier is the same as specifying the VirtualService’s +namespace. A single VirtualService is used for sidecars inside the mesh as +well as for one or more gateways. The selection condition imposed by this +field can be overridden using the source field in the match conditions +of protocol-specific routes. The reserved word mesh is used to imply +all the sidecars in the mesh. When this field is omitted, the default +gateway (mesh) will be used, which would apply the rule to all +sidecars in the mesh. If a list of gateway names is provided, the +rules will apply only to the gateways. To apply the rules to both +gateways and sidecars, specify mesh as one of the gateway names.

No
allowHeadersstring[]
httpHTTPRoute[] -

List of HTTP headers that can be used when requesting the -resource. Serialized to Access-Control-Allow-Headers header.

+

An ordered list of route rules for HTTP traffic. HTTP routes will be +applied to platform service ports named ‘http-’/‘http2-’/‘grpc-*’, gateway +ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service +entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching +an incoming request is used.

No
exposeHeadersstring[]
tlsTLSRoute[] -

A white list of HTTP headers that the browsers are allowed to -access. Serialized into Access-Control-Expose-Headers header.

+

An ordered list of route rule for non-terminated TLS & HTTPS +traffic. Routing is typically performed using the SNI value presented +by the ClientHello message. TLS routes will be applied to platform +service ports named ‘https-’, ‘tls-’, unterminated gateway ports using +HTTPS/TLS protocols (i.e. with “passthrough” TLS mode) and service +entry ports using HTTPS/TLS protocols. The first rule matching an +incoming request is used. NOTE: Traffic ‘https-’ or ‘tls-’ ports +without associated virtual service will be treated as opaque TCP +traffic.

No
maxAgeDuration
tcpTCPRoute[] -

Specifies how long the results of a preflight request can be -cached. Translates to the Access-Control-Max-Age header.

+

An ordered list of route rules for opaque TCP traffic. TCP routes will +be applied to any port that is not a HTTP or TLS port. The first rule +matching an incoming request is used.

No
allowCredentialsBoolValue
exportTostring[] -

Indicates whether the caller is allowed to send the actual request -(not the preflight) using credentials. Translates to -Access-Control-Allow-Credentials header.

+

A list of namespaces to which this virtual service is exported. Exporting a +virtual service allows it to be used by sidecars and gateways defined in +other namespaces. This feature provides a mechanism for service owners +and mesh administrators to control the visibility of virtual services +across namespace boundaries.

+ +

If no namespaces are specified then the virtual service is exported to all +namespaces by default.

+ +

The value “.” is reserved and defines an export to the same namespace that +the virtual service is declared in. Similarly the value “*” is reserved and +defines an export to all namespaces.

@@ -241,6 +331,9 @@

Destination

of the reviews service with label “version: v1” (i.e., subset v1), and some to subset v2, in a Kubernetes environment.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -267,8 +360,44 @@ 

Destination

subset: v1
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: reviews-route
+  namespace: foo
+spec:
+  hosts:
+  - reviews # interpreted as reviews.foo.svc.cluster.local
+  http:
+  - match:
+    - uri:
+        prefix: "/wpcatalog"
+    - uri:
+        prefix: "/consumercatalog"
+    rewrite:
+      uri: "/newcatalog"
+    route:
+    - destination:
+        host: reviews # interpreted as reviews.foo.svc.cluster.local
+        subset: v2
+  - route:
+    - destination:
+        host: reviews # interpreted as reviews.foo.svc.cluster.local
+        subset: v1
+
+ +

{{}} +{{}}

+

And the associated DestinationRule

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -285,6 +414,29 @@ 

Destination

version: v2
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: reviews-destination
+  namespace: foo
+spec:
+  host: reviews # interpreted as reviews.foo.svc.cluster.local
+  subsets:
+  - name: v1
+    labels:
+      version: v1
+  - name: v2
+    labels:
+      version: v2
+
+ +

{{}} +{{}}

+

The following VirtualService sets a timeout of 5s for all calls to productpage.prod.svc.cluster.local service in Kubernetes. Notice that there are no subsets defined in this rule. Istio will fetch all
@@ -295,6 +447,9 @@

Destination

productpage.prod.svc.cluster.local. Therefore the rule’s namespace does not have an impact in resolving the name of the productpage service.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -310,11 +465,36 @@ 

Destination

host: productpage.prod.svc.cluster.local
+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: my-productpage-rule
+  namespace: istio-system
+spec:
+  hosts:
+  - productpage.prod.svc.cluster.local # ignores rule namespace
+  http:
+  - timeout: 5s
+    route:
+    - destination:
+        host: productpage.prod.svc.cluster.local
+
+ +

{{}} +{{}}

+

To control routing for traffic bound to services outside the mesh, external services must first be added to Istio’s internal service registry using the ServiceEntry resource. VirtualServices can then be defined to control traffic bound to these external services. For example, the following rules define a -Service for wikipedia.org and set a timeout of 5s for http requests.

+Service for wikipedia.org and set a timeout of 5s for HTTP requests.

+ +

{{}} +{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
@@ -329,7 +509,7 @@ 

Destination

name: example-http protocol: HTTP resolution: DNS - +--- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata:
@@ -344,14 +524,49 @@

Destination

host: wikipedia.org
- - - - - - - - +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: external-svc-wikipedia
+spec:
+  hosts:
+  - wikipedia.org
+  location: MESH_EXTERNAL
+  ports:
+  - number: 80
+    name: example-http
+    protocol: HTTP
+  resolution: DNS
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: my-wiki-rule
+spec:
+  hosts:
+  - wikipedia.org
+  http:
+  - timeout: 5s
+    route:
+    - destination:
+        host: wikipedia.org
+
+ +

{{}} +{{}}

+ +
FieldTypeDescriptionRequired
+ + + + + + + @@ -369,9 +584,9 @@

Destination

the short name based on the namespace of the rule, not the service. A rule in the “default” namespace containing a host “reviews will be interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfigurations, it is recommended to always use fully -qualified domain names over short names.

+the actual namespace associated with the reviews service. To avoid +potential misconfiguration, it is recommended to always use fully +qualified domain names over short names.

FieldTypeDescriptionRequired
@@ -407,16 +622,10 @@

Destination

-

HTTPFaultInjection

+

HTTPRoute

-

HTTPFaultInjection can be used to specify one or more faults to inject -while forwarding http requests to the destination specified in a route. -Fault specification is part of a VirtualService rule. Faults include -aborting the Http request from downstream service, and/or delaying -proxying of requests. A fault rule MUST HAVE delay or abort or both.

- -

Note: Delay and abort faults are independent of one another, even if -both are specified simultaneously.

+

Describes match conditions and actions for routing HTTP/1.1, HTTP2, and +gRPC traffic. See VirtualService for usage examples.

@@ -428,194 +637,592 @@

HTTPFaultInjection

- - - + + + - - - + + + - -
delayDelay
namestring -

Delay requests before forwarding, emulating various failures such as -network issues, overloaded upstream service, etc.

+

The name assigned to the route for debugging purposes. The +route’s name will be concatenated with the match’s name and will +be logged in the access logs for requests matching this +route/match.

No
abortAbort
matchHTTPMatchRequest[] -

Abort Http request attempts and return error codes back to downstream -service, giving the impression that the upstream service is faulty.

+

Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule +is matched if any one of the match blocks succeed.

No
-
-

HTTPFaultInjection.Abort

-
-

Abort specification is used to prematurely abort a request with a -pre-specified error code. The following example will return an HTTP 400 -error code for 1 out of every 1000 requests to the “ratings” service “v1”.

- -
apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-    fault:
-      abort:
-        percentage:
-          value: 0.1
-        httpStatus: 400
-
- -

The httpStatus field is used to indicate the HTTP status code to -return to the caller. The optional percentage field can be used to only -abort a certain percentage of requests. If not specified, all requests are -aborted.

+
routeHTTPRouteDestination[] +

A HTTP rule can either redirect or forward (default) traffic. The +forwarding target can be one of several versions of a service (see +glossary in beginning of document). Weights associated with the +service version determine the proportion of traffic it receives.

- - - - - - - + + - - - - - + + + - - - + + + - - - + + + - -
FieldTypeDescriptionRequired +No +
httpStatusint32 (oneof)
redirectHTTPRedirect -

HTTP status code to use to abort the Http request.

+

A HTTP rule can either redirect or forward (default) traffic. If +traffic passthrough option is specified in the rule, +route/redirect will be ignored. The redirect primitive can be used to +send a HTTP 301 redirect to a different URI or Authority.

-Yes +No
percentagePercent
delegateDelegate -

Percentage of requests to be aborted with the error code provided.

+

Delegate is used to specify the particular VirtualService which +can be used to define delegate HTTPRoute.

+ +

It can be set only when Route and Redirect are empty, and the route +rules of the delegate VirtualService will be merged with that in the +current one.

+ +

NOTE:

+ +
    +
  1. Only one level delegation is supported.
  2. +
  3. The delegate’s HTTPMatchRequest must be a strict subset of the root’s, +otherwise there is a conflict and the HTTPRoute will not take effect.
  4. +
No
percentint32
rewriteHTTPRewrite -

Percentage of requests to be aborted with the error code provided (0-100). -Use of integer percent value is deprecated. Use the double percentage -field instead.

+

Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with +Redirect primitive. Rewrite will be performed before forwarding.

No
- -

HTTPFaultInjection.Delay

-
-

Delay specification is used to inject latency into the request -forwarding path. The following example will introduce a 5 second delay -in 1 out of every 1000 requests to the “v1” version of the “reviews” -service from all pods with label env: prod

- -
apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  http:
-  - match:
-    - sourceLabels:
-        env: prod
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v1
-    fault:
-      delay:
-        percentage:
-          value: 0.1
-        fixedDelay: 5s
-
+
timeoutDuration +

Timeout for HTTP requests, default is disabled.

-

The fixedDelay field is used to indicate the amount of delay in seconds. -The optional percentage field can be used to only delay a certain -percentage of requests. If left unspecified, all request will be delayed.

+
+No +
retriesHTTPRetry +

Retry policy for HTTP requests.

- - - - - - - + + - - - - - + + + - - - + + + - - - + + + - -
FieldTypeDescriptionRequired +No +
fixedDelayDuration (oneof)
faultHTTPFaultInjection -

Add a fixed delay before forwarding the request. Format: -1h/1m/1s/1ms. MUST be >=1ms.

+

Fault injection policy to apply on HTTP traffic at the client side. +Note that timeouts or retries will not be enabled when faults are +enabled on the client side.

-Yes +No
percentagePercent
mirrorDestination -

Percentage of requests on which the delay will be injected.

+

Mirror HTTP traffic to a another destination in addition to forwarding +the requests to the intended destination. Mirrored traffic is on a +best effort basis where the sidecar/gateway will not wait for the +mirrored cluster to respond before returning the response from the +original destination. Statistics will be generated for the mirrored +destination.

No
percentint32
mirrorPercentagePercent -

Percentage of requests on which the delay will be injected (0-100). -Use of integer percent value is deprecated. Use the double percentage -field instead.

+

Percentage of the traffic to be mirrored by the mirror field. +If this field is absent, all the traffic (100%) will be mirrored. +Max value is 100.

No
- -

HTTPMatchRequest

+
corsPolicyCorsPolicy +

Cross-Origin Resource Sharing policy (CORS). Refer to +CORS +for further details about cross origin resource sharing.

+ +
+No +
headersHeaders +

Header manipulation rules

+ +
+No +
+
+

Delegate

+
+

Describes the delegate VirtualService. +The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage, +forward the traffic to /reviews by a delegate VirtualService named reviews.

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: bookinfo
+spec:
+  hosts:
+  - "bookinfo.com"
+  gateways:
+  - mygateway
+  http:
+  - match:
+    - uri:
+        prefix: "/productpage"
+    delegate:
+       name: productpage
+       namespace: nsA
+  - match:
+    - uri:
+        prefix: "/reviews"
+    delegate:
+        name: reviews
+        namespace: nsB
+
+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: productpage
+  namespace: nsA
+spec:
+  http:
+  - match:
+     - uri:
+        prefix: "/productpage/v1/"
+    route:
+    - destination:
+        host: productpage-v1.nsA.svc.cluster.local
+  - route:
+    - destination:
+        host: productpage.nsA.svc.cluster.local
+
+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: reviews
+  namespace: nsB
+spec:
+  http:
+  - route:
+    - destination:
+        host: reviews.nsB.svc.cluster.local
+
+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring +

Name specifies the name of the delegate VirtualService.

+ +
+No +
namespacestring +

Namespace specifies the namespace where the delegate VirtualService resides. +By default, it is same to the root’s.

+ +
+No +
+
+

Headers

+
+

Message headers can be manipulated when Envoy forwards requests to, +or responses from, a destination service. Header manipulation rules can +be specified for a specific route destination or for all destinations. +The following VirtualService adds a test header with the value true +to requests that are routed to any reviews service destination. +It also removes the foo response header, but only from responses +coming from the v1 subset (version) of the reviews service.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: reviews-route
+spec:
+  hosts:
+  - reviews.prod.svc.cluster.local
+  http:
+  - headers:
+      request:
+        set:
+          test: "true"
+    route:
+    - destination:
+        host: reviews.prod.svc.cluster.local
+        subset: v2
+      weight: 25
+    - destination:
+        host: reviews.prod.svc.cluster.local
+        subset: v1
+      headers:
+        response:
+          remove:
+          - foo
+      weight: 75
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: reviews-route
+spec:
+  hosts:
+  - reviews.prod.svc.cluster.local
+  http:
+  - headers:
+      request:
+        set:
+          test: "true"
+    route:
+    - destination:
+        host: reviews.prod.svc.cluster.local
+        subset: v2
+      weight: 25
+    - destination:
+        host: reviews.prod.svc.cluster.local
+        subset: v1
+      headers:
+        response:
+          remove:
+          - foo
+      weight: 75
+
+ +

{{}} +{{}}

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
requestHeaderOperations +

Header manipulation rules to apply before forwarding a request +to the destination service

+ +
+No +
responseHeaderOperations +

Header manipulation rules to apply before returning a response +to the caller

+ +
+No +
+
+

TLSRoute

+
+

Describes match conditions and actions for routing unterminated TLS +traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS +traffic arriving at port 443 of gateway called “mygateway” to internal +services in the mesh based on the SNI value.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: bookinfo-sni
+spec:
+  hosts:
+  - "*.bookinfo.com"
+  gateways:
+  - mygateway
+  tls:
+  - match:
+    - port: 443
+      sniHosts:
+      - login.bookinfo.com
+    route:
+    - destination:
+        host: login.prod.svc.cluster.local
+  - match:
+    - port: 443
+      sniHosts:
+      - reviews.bookinfo.com
+    route:
+    - destination:
+        host: reviews.prod.svc.cluster.local
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: bookinfo-sni
+spec:
+  hosts:
+  - "*.bookinfo.com"
+  gateways:
+  - mygateway
+  tls:
+  - match:
+    - port: 443
+      sniHosts:
+      - login.bookinfo.com
+    route:
+    - destination:
+        host: login.prod.svc.cluster.local
+  - match:
+    - port: 443
+      sniHosts:
+      - reviews.bookinfo.com
+    route:
+    - destination:
+        host: reviews.prod.svc.cluster.local
+
+ +

{{}} +{{}}

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
matchTLSMatchAttributes[] +

Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule +is matched if any one of the match blocks succeed.

+ +
+Yes +
routeRouteDestination[] +

The destination to which the connection should be forwarded to.

+ +
+No +
+
+

TCPRoute

+
+

Describes match conditions and actions for routing TCP traffic. The +following routing rule forwards traffic arriving at port 27017 for +mongo.prod.svc.cluster.local to another Mongo server on port 5555.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: bookinfo-mongo
+spec:
+  hosts:
+  - mongo.prod.svc.cluster.local
+  tcp:
+  - match:
+    - port: 27017
+    route:
+    - destination:
+        host: mongo.backup.svc.cluster.local
+        port:
+          number: 5555
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: bookinfo-mongo
+spec:
+  hosts:
+  - mongo.prod.svc.cluster.local
+  tcp:
+  - match:
+    - port: 27017
+    route:
+    - destination:
+        host: mongo.backup.svc.cluster.local
+        port:
+          number: 5555
+
+ +

{{}} +{{}}

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
matchL4MatchAttributes[] +

Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule +is matched if any one of the match blocks succeed.

+ +
+No +
routeRouteDestination[] +

The destination to which the connection should be forwarded to.

+ +
+No +
+
+

HTTPMatchRequest

HttpMatchRequest specifies a set of criterion to be met in order for the rule to be applied to the HTTP request. For example, the following
@@ -623,6 +1230,9 @@

HTTPMatchRequest

starts with /ratings/v2/ and the request contains a custom end-user header with value jason.

+

{{}} +{{}}

+
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -643,7 +1253,35 @@ 

HTTPMatchRequest

host: ratings.prod.svc.cluster.local
-

HTTPMatchRequest CANNOT be empty.

+

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: ratings-route
+spec:
+  hosts:
+  - ratings.prod.svc.cluster.local
+  http:
+  - match:
+    - headers:
+        end-user:
+          exact: jason
+      uri:
+        prefix: "/ratings/v2/"
+      ignoreUriCase: true
+    route:
+    - destination:
+        host: ratings.prod.svc.cluster.local
+
+ +

{{}} +{{}}

+ +

HTTPMatchRequest CANNOT be empty. +Note: No regex string match can be set when delegate VirtualService is specified.

@@ -680,7 +1318,7 @@

HTTPMatchRequest

  • prefix: "value" for prefix-based match

  • -
  • regex: "value" for ECMAscript style regex-based match

  • +
  • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

  • Note: Case-insensitive matching could be enabled via the
@@ -703,7 +1341,7 @@

    HTTPMatchRequest

  • prefix: "value" for prefix-based match

  • -
  • regex: "value" for ECMAscript style regex-based match

  • +
  • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

  •
@@ -723,7 +1361,7 @@

    HTTPMatchRequest

  • prefix: "value" for prefix-based match

  • -
  • regex: "value" for ECMAscript style regex-based match

  • +
  • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

  •
@@ -743,7 +1381,7 @@

    HTTPMatchRequest

  • prefix: "value" for prefix-based match

  • -
  • regex: "value" for ECMAscript style regex-based match

  • +
  • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

  •
@@ -765,10 +1403,11 @@

    HTTPMatchRequest

  • prefix: "value" for prefix-based match

  • -
  • regex: "value" for ECMAscript style regex-based match

  • +
  • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

  • -

    Note: The keys uri, scheme, method, and authority will be ignored.

    +

    If the value is empty and only the name of header is specfied, presence of the header is checked. +Note: The keys uri, scheme, method, and authority will be ignored.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    @@ -792,11 +1431,24 @@

    HTTPMatchRequest

    sourceLabels map<string, string> -

    One or more labels that constrain the applicability of a rule to -workloads with the given labels. If the VirtualService has a list of -gateways specified at the top, it must include the reserved gateway +

    One or more labels that constrain the applicability of a rule to source (client) workloads +with the given labels. If the VirtualService has a list of gateways specified +in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    +
    +No +
    gatewaysstring[] +

    Names of gateways where the rule should be applied. Gateway names +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway +match is independent of sourceLabels.

    +
    No
@@ -808,64 +1460,216 @@

    HTTPMatchRequest

    Query parameters for matching.

    -

    Ex: -- For a query parameter like “?key=true”, the map key would be “key” and - the string match could be defined as exact: "true". -- For a query parameter like “?key”, the map key would be “key” and the - string match could be defined as exact: "". -- For a query parameter like “?key=123”, the map key would be “key” and the - string match could be defined as regex: "\d+$". Note that this - configuration will only match values like “123” but not “a123” or “123a”.

    +

    Ex:

    + +
      +
    • For a query parameter like “?key=true”, the map key would be “key” and +the string match could be defined as exact: "true".

    • + +
    • For a query parameter like “?key”, the map key would be “key” and the +string match could be defined as exact: "".

    • + +
    • For a query parameter like “?key=123”, the map key would be “key” and the +string match could be defined as regex: "\d+$". Note that this +configuration will only match values like “123” but not “a123” or “123a”.

    • +
    + +

    Note: prefix matching is currently not supported.

    + +
    +No +
    ignoreUriCasebool +

    Flag to specify whether the URI matching should be case-insensitive.

    + +

    Note: The case will be ignored only in the case of exact and prefix +URI matches.

    + +
    +No +
    withoutHeadersmap<string, StringMatch> +

    withoutHeader has the same syntax with the header, but has opposite meaning. +If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.

    + +
    +No +
    sourceNamespacestring +

    Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, +it must include the reserved gateway mesh for this field to be applicable.

    + +
    +No +
    +
    +

    HTTPRouteDestination

    +
    +

    Each routing rule is associated with one or more service versions (see +glossary in beginning of document). Weights associated with the version +determine the proportion of traffic it receives. For example, the +following rule will route 25% of traffic for the “reviews” service to +instances with the “v2” tag and the remaining traffic (i.e., 75%) to +“v1”.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: reviews-route
    +spec:
    +  hosts:
    +  - reviews.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v2
    +      weight: 25
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v1
    +      weight: 75
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: reviews-route
    +spec:
    +  hosts:
    +  - reviews.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v2
    +      weight: 25
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v1
    +      weight: 75
    +
    + +

    {{}} +{{}}

    + +

    And the associated DestinationRule

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: DestinationRule
    +metadata:
    +  name: reviews-destination
    +spec:
    +  host: reviews.prod.svc.cluster.local
    +  subsets:
    +  - name: v1
    +    labels:
    +      version: v1
    +  - name: v2
    +    labels:
    +      version: v2
    +
    + +

    {{}}

    + +

    {{}}

    -

    Note: prefix matching is currently not supported.

    +
    apiVersion: networking.istio.io/v1beta1
    +kind: DestinationRule
    +metadata:
    +  name: reviews-destination
    +spec:
    +  host: reviews.prod.svc.cluster.local
    +  subsets:
    +  - name: v1
    +    labels:
    +      version: v1
    +  - name: v2
    +    labels:
    +      version: v2
    +
    - - -No - - - -ignoreUriCase -bool - -

    Flag to specify whether the URI matching should be case-insensitive.

    +

    {{}} +{{}}

    -

    Note: The case will be ignored only in the case of exact and prefix -URI matches.

    +

    Traffic can also be split across two entirely different services without +having to define new subsets. For example, the following rule forwards 25% of +traffic to reviews.com to dev.reviews.com

    - - -No - - - - -
    -

    HTTPRedirect

    -
    -

    HTTPRedirect can be used to send a 301 redirect response to the caller, -where the Authority/Host and the URI in the response can be swapped with -the specified values. For example, the following rule redirects -requests for /v1/getProductRatings API on the ratings service to -/v1/bookRatings provided by the bookratings service.

    +

    {{}} +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    -  name: ratings-route
    +  name: reviews-route-two-domains
     spec:
       hosts:
    -  - ratings.prod.svc.cluster.local
    +  - reviews.com
       http:
    -  - match:
    -    - uri:
    -        exact: /v1/getProductRatings
    -    redirect:
    -      uri: /v1/bookRatings
    -      authority: newratings.default.svc.cluster.local
    -  ...
    +  - route:
    +    - destination:
    +        host: dev.reviews.com
    +      weight: 25
    +    - destination:
    +        host: reviews.com
    +      weight: 75
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: reviews-route-two-domains
    +spec:
    +  hosts:
    +  - reviews.com
    +  http:
    +  - route:
    +    - destination:
    +        host: dev.reviews.com
    +      weight: 25
    +    - destination:
    +        host: reviews.com
    +      weight: 75
     
    +

    {{}} +{{}}

    + @@ -876,37 +1680,36 @@

    HTTPRedirect

    - - - + + + - - - + + + - - - + + +
    uristring
    destinationDestination -

    On a redirect, overwrite the Path portion of the URL with this -value. Note that the entire path will be replaced, irrespective of the -request URI being matched as an exact path or prefix.

    +

    Destination uniquely identifies the instances of a service +to which the request/connection should be forwarded to.

    -No +Yes
    authoritystring
    weightint32 -

    On a redirect, overwrite the Authority/Host portion of the URL with -this value.

    +

    Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. +If there is only one destination in a rule, it will receive all traffic. +Otherwise, if weight is 0, the destination will not receive any traffic.

    No
    redirectCodeuint32
    headersHeaders -

    On a redirect, Specifies the HTTP status code to use in the redirect -response. The default response code is MOVED_PERMANENTLY (301).

    +

    Header manipulation rules

    @@ -916,29 +1719,9 @@

    HTTPRedirect

    -

    HTTPRetry

    +

    RouteDestination

    -

    Describes the retry policy to use when a HTTP request fails. For -example, the following rule sets the maximum number of retries to 3 when -calling ratings:v1 service, with a 2s timeout per retry attempt.

    - -
    apiVersion: networking.istio.io/v1alpha3
    -kind: VirtualService
    -metadata:
    -  name: ratings-route
    -spec:
    -  hosts:
    -  - ratings.prod.svc.cluster.local
    -  http:
    -  - route:
    -    - destination:
    -        host: ratings.prod.svc.cluster.local
    -        subset: v1
    -    retries:
    -      attempts: 3
    -      perTryTimeout: 2s
    -      retryOn: gateway-error,connect-failure,refused-stream
    -
    +

    L4 routing rule weighted destination.

    @@ -950,38 +1733,25 @@

    HTTPRetry

    - - - + + + - - - - - - - - - + + +
    attemptsint32
    destinationDestination -

    Number of retries for a given request. The interval -between retries will be determined automatically (25ms+). Actual -number of retries attempted depends on the httpReqTimeout.

    +

    Destination uniquely identifies the instances of a service +to which the request/connection should be forwarded to.

    Yes
    perTryTimeoutDuration -

    Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.

    - -
    -No -
    retryOnstring
    weightint32 -

    Specifies the conditions under which retry takes place. -One or more policies can be specified using a ‘,’ delimited list. -See the retry policies -and gRPC retry policies for more details.

    +

    Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. +If there is only one destination in a rule, it will receive all traffic. +Otherwise, if weight is 0, the destination will not receive any traffic.

    @@ -991,32 +1761,10 @@

    HTTPRetry

    -

    HTTPRewrite

    +

    L4MatchAttributes

    -

    HTTPRewrite can be used to rewrite specific parts of a HTTP request -before forwarding the request to the destination. Rewrite primitive can -be used only with HTTPRouteDestination. The following example -demonstrates how to rewrite the URL prefix for api call (/ratings) to -ratings service before making the actual API call.

    - -
    apiVersion: networking.istio.io/v1alpha3
    -kind: VirtualService
    -metadata:
    -  name: ratings-route
    -spec:
    -  hosts:
    -  - ratings.prod.svc.cluster.local
    -  http:
    -  - match:
    -    - uri:
    -        prefix: /ratings
    -    rewrite:
    -      uri: /v1/bookRatings
    -    route:
    -    - destination:
    -        host: ratings.prod.svc.cluster.local
    -        subset: v1
    -
    +

    L4 connection match attributes. Note that L4 connection matching support +is incomplete.

    @@ -1028,24 +1776,65 @@

    HTTPRewrite

    - - - + + + - - + + + + + + + + + + + + + + + + + + + +
    uristring
    destinationSubnetsstring[] -

    rewrite the path (or the prefix) portion of the URI with this -value. If the original URI was matched based on prefix, the value -provided in this field will replace the corresponding matched prefix.

    +

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., +a.b.c.d/xx form or just a.b.c.d.

    No
    authority
    portuint32 +

    Specifies the port on the host that is being addressed. Many services +only expose a single port or label ports with the protocols they support, +in these cases it is not required to explicitly select the port.

    + +
    +No +
    sourceLabelsmap<string, string> +

    One or more labels that constrain the applicability of a rule to +workloads with the given labels. If the VirtualService has a list of +gateways specified in the top-level gateways field, it should include the reserved gateway +mesh in order for this field to be applicable.

    + +
    +No +
    gatewaysstring[] +

    Names of gateways where the rule should be applied. Gateway names +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway +match is independent of sourceLabels.

    + +
    +No +
    sourceNamespace string -

    rewrite the Authority/Host header with this value.

    +

    Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, +it must include the reserved gateway mesh for this field to be applicable.

    @@ -1055,10 +1844,9 @@

    HTTPRewrite

    -

    HTTPRoute

    +

    TLSMatchAttributes

    -

    Describes match conditions and actions for routing HTTP/1.1, HTTP2, and -gRPC traffic. See VirtualService for usage examples.

    +

    TLS connection match attributes.

    @@ -1070,156 +1858,220 @@

    HTTPRoute

    - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + +
    namestring
    sniHostsstring[] -

    The name assigned to the route for debugging purposes. The -route’s name will be concatenated with the match’s name and will -be logged in the access logs for requests matching this -route/match.

    +

    SNI (server name indicator) to match on. Wildcard prefixes +can be used in the SNI value, e.g., *.com will match foo.example.com +as well as example.com. An SNI value must be a subset (i.e., fall +within the domain) of the corresponding virtual serivce’s hosts.

    -No +Yes
    matchHTTPMatchRequest[]
    destinationSubnetsstring[] -

    Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule -is matched if any one of the match blocks succeed.

    +

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., +a.b.c.d/xx form or just a.b.c.d.

    No
    routeHTTPRouteDestination[]
    portuint32 -

    A http rule can either redirect or forward (default) traffic. The -forwarding target can be one of several versions of a service (see -glossary in beginning of document). Weights associated with the -service version determine the proportion of traffic it receives.

    +

    Specifies the port on the host that is being addressed. Many services +only expose a single port or label ports with the protocols they +support, in these cases it is not required to explicitly select the +port.

    No
    redirectHTTPRedirect
    sourceLabelsmap<string, string> -

    A http rule can either redirect or forward (default) traffic. If -traffic passthrough option is specified in the rule, -route/redirect will be ignored. The redirect primitive can be used to -send a HTTP 301 redirect to a different URI or Authority.

    +

    One or more labels that constrain the applicability of a rule to +workloads with the given labels. If the VirtualService has a list of +gateways specified in the top-level gateways field, it should include the reserved gateway +mesh in order for this field to be applicable.

    No
    rewriteHTTPRewrite
    gatewaysstring[] -

    Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with -Redirect primitive. Rewrite will be performed before forwarding.

    +

    Names of gateways where the rule should be applied. Gateway names +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway +match is independent of sourceLabels.

    No
    timeoutDuration
    sourceNamespacestring -

    Timeout for HTTP requests.

    +

    Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, +it must include the reserved gateway mesh for this field to be applicable.

    No
    retriesHTTPRetry
    +
    +

    HTTPRedirect

    +
    +

    HTTPRedirect can be used to send a 301 redirect response to the caller, +where the Authority/Host and the URI in the response can be swapped with +the specified values. For example, the following rule redirects +requests for /v1/getProductRatings API on the ratings service to +/v1/bookRatings provided by the bookratings service.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - match:
    +    - uri:
    +        exact: /v1/getProductRatings
    +    redirect:
    +      uri: /v1/bookRatings
    +      authority: newratings.default.svc.cluster.local
    +  ...
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - match:
    +    - uri:
    +        exact: /v1/getProductRatings
    +    redirect:
    +      uri: /v1/bookRatings
    +      authority: newratings.default.svc.cluster.local
    +  ...
    +
    + +

    {{}} +{{}}

    + + + + + + + + + + + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + +
    FieldTypeDescriptionRequired
    uristring -

    Retry policy for HTTP requests.

    +

    On a redirect, overwrite the Path portion of the URL with this +value. Note that the entire path will be replaced, irrespective of the +request URI being matched as an exact path or prefix.

    No
    faultHTTPFaultInjection
    authoritystring -

    Fault injection policy to apply on HTTP traffic at the client side. -Note that timeouts or retries will not be enabled when faults are -enabled on the client side.

    +

    On a redirect, overwrite the Authority/Host portion of the URL with +this value.

    No
    mirrorDestination
    portuint32 (oneof) -

    Mirror HTTP traffic to a another destination in addition to forwarding -the requests to the intended destination. Mirrored traffic is on a -best effort basis where the sidecar/gateway will not wait for the -mirrored cluster to respond before returning the response from the -original destination. Statistics will be generated for the mirrored -destination.

    +

    On a redirect, overwrite the port portion of the URL with this value.

    No
    mirrorPercentUInt32Value
    derivePortRedirectPortSelection (oneof) -

    Percentage of the traffic to be mirrored by the mirror field. -If this field is absent, all the traffic (100%) will be mirrored. -Max value is 100.

    +

    On a redirect, dynamically set the port: +* FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. +* FROM_REQUEST_PORT: automatically use the port of the request.

    No
    corsPolicyCorsPolicy
    schemestring -

    Cross-Origin Resource Sharing policy (CORS). Refer to -CORS -for further details about cross origin resource sharing.

    +

    On a redirect, overwrite the scheme portion of the URL with this value. +For example, http or https. +If unset, the original scheme will be used. +If derivePort is set to FROM_PROTOCOL_DEFAULT, this will impact the port used as well

    No
    headersHeaders
    redirectCodeuint32 -

    Header manipulation rules

    +

    On a redirect, Specifies the HTTP status code to use in the redirect +response. The default response code is MOVED_PERMANENTLY (301).

    @@ -1229,161 +2081,141 @@

    HTTPRoute

    -

    HTTPRouteDestination

    +

    HTTPRewrite

    -

    Each routing rule is associated with one or more service versions (see -glossary in beginning of document). Weights associated with the version -determine the proportion of traffic it receives. For example, the -following rule will route 25% of traffic for the “reviews” service to -instances with the “v2” tag and the remaining traffic (i.e., 75%) to -“v1”.

    +

    HTTPRewrite can be used to rewrite specific parts of a HTTP request +before forwarding the request to the destination. Rewrite primitive can +be used only with HTTPRouteDestination. The following example +demonstrates how to rewrite the URL prefix for api call (/ratings) to +ratings service before making the actual API call.

    + +

    {{}} +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    -  name: reviews-route
    +  name: ratings-route
     spec:
       hosts:
    -  - reviews.prod.svc.cluster.local
    +  - ratings.prod.svc.cluster.local
       http:
    -  - route:
    -    - destination:
    -        host: reviews.prod.svc.cluster.local
    -        subset: v2
    -      weight: 25
    +  - match:
    +    - uri:
    +        prefix: /ratings
    +    rewrite:
    +      uri: /v1/bookRatings
    +    route:
         - destination:
    -        host: reviews.prod.svc.cluster.local
    +        host: ratings.prod.svc.cluster.local
             subset: v1
    -      weight: 75
     
    -

    And the associated DestinationRule

    - -
    apiVersion: networking.istio.io/v1alpha3
    -kind: DestinationRule
    -metadata:
    -  name: reviews-destination
    -spec:
    -  host: reviews.prod.svc.cluster.local
    -  subsets:
    -  - name: v1
    -    labels:
    -      version: v1
    -  - name: v2
    -    labels:
    -      version: v2
    -
    +

    {{}}

    -

    Traffic can also be split across two entirely different services without -having to define new subsets. For example, the following rule forwards 25% of -traffic to reviews.com to dev.reviews.com

    +

    {{}}

    -
    apiVersion: networking.istio.io/v1alpha3
    +
    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    -  name: reviews-route-two-domains
    +  name: ratings-route
     spec:
       hosts:
    -  - reviews.com
    +  - ratings.prod.svc.cluster.local
       http:
    -  - route:
    -    - destination:
    -        host: dev.reviews.com
    -      weight: 25
    +  - match:
    +    - uri:
    +        prefix: /ratings
    +    rewrite:
    +      uri: /v1/bookRatings
    +    route:
         - destination:
    -        host: reviews.com
    -      weight: 75
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
     
    - - - - - - - - - - - - - - - +

    {{}} +{{}}

    + +
    FieldTypeDescriptionRequired
    destinationDestination -

    Destination uniquely identifies the instances of a service -to which the request/connection should be forwarded to.

    - -
    -Yes -
    + + + + + + - - - + + + + + - - - + + + - - - - +
    FieldTypeDescriptionRequired
    weightint32
    uristring -

    The proportion of traffic to be forwarded to the service -version. (0-100). Sum of weights across destinations SHOULD BE == 100. -If there is only one destination in a rule, the weight value is assumed to -be 100.

    +

    rewrite the path (or the prefix) portion of the URI with this +value. If the original URI was matched based on prefix, the value +provided in this field will replace the corresponding matched prefix.

    No
    headersHeaders
    authoritystring -

    Header manipulation rules

    +

    rewrite the Authority/Host header with this value.

    No
    removeResponseHeadersstring[] -

    Use of remove_response_header is deprecated. Use the headers -field instead.

    +
    +
    +

    StringMatch

    +
    +

    Describes how to match a given string in HTTP headers. Match is +case-sensitive.

    - - -No - + + + + + + + - - - + + + + + - - - + + + - - - + + +
    FieldTypeDescriptionRequired
    appendResponseHeadersmap<string, string>
    exactstring (oneof) -

    Use of append_response_headers is deprecated. Use the headers -field instead.

    +

    exact string match

    No
    removeRequestHeadersstring[]
    prefixstring (oneof) -

    Use of remove_request_headers is deprecated. Use the headers -field instead.

    +

    prefix-based match

    No
    appendRequestHeadersmap<string, string>
    regexstring (oneof) -

    Use of append_request_headers is deprecated. Use the headers -field instead.

    +

    RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    @@ -1393,43 +2225,60 @@

    HTTPRouteDestination

    -

    Headers

    +

    HTTPRetry

    -

    Message headers can be manipulated when Envoy forwards requests to, -or responses from, a destination service. Header manipulation rules can -be specified for a specific route destination or for all destinations. -The following VirtualService adds a test header with the value true -to requests that are routed to any reviews service destination. -It also romoves the foo response header, but only from responses -coming from the v1 subset (version) of the reviews service.

    +

    Describes the retry policy to use when a HTTP request fails. For +example, the following rule sets the maximum number of retries to 3 when +calling ratings:v1 service, with a 2s timeout per retry attempt. +A retry will be attempted if there is a connect-failure, refused_stream +or when the upstream server responds with Service Unavailable(503).

    + +

    {{}} +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    -  name: reviews-route
    +  name: ratings-route
     spec:
       hosts:
    -  - reviews.prod.svc.cluster.local
    +  - ratings.prod.svc.cluster.local
       http:
    -  - headers:
    -      request:
    -        set:
    -          test: true
    -    route:
    +  - route:
         - destination:
    -        host: reviews.prod.svc.cluster.local
    -        subset: v2
    -      weight: 25
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    retries:
    +      attempts: 3
    +      perTryTimeout: 2s
    +      retryOn: connect-failure,refused-stream,503
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
         - destination:
    -        host: reviews.prod.svc.cluster.local
    +        host: ratings.prod.svc.cluster.local
             subset: v1
    -      headers:
    -        response:
    -          remove:
    -          - foo
    -      weight: 75
    +    retries:
    +      attempts: 3
    +      perTryTimeout: 2s
    +      retryOn: gateway-error,connect-failure,refused-stream
     
    +

    {{}} +{{}}

    + @@ -1440,75 +2289,56 @@

    Headers

    - - - - - - - - - + + + - -
    requestHeaderOperations -

    Header manipulation rules to apply before forwarding a request -to the destination service

    - -
    -No -
    responseHeaderOperations
    attemptsint32 -

    Header manipulation rules to apply before returning a response -to the caller

    +

    Number of retries to be allowed for a given request. The interval +between retries will be determined automatically (25ms+). When request +timeout of the HTTP route +or per_try_timeout is configured, the actual number of retries attempted also depends on +the specified request timeout and per_try_timeout values.

    -No +Yes
    -
    -

    Headers.HeaderOperations

    -
    -

    HeaderOperations Describes the header manipulations to apply

    - - - - - - - - - - - - - - + + + - - - + + + - - - + + +
    FieldTypeDescriptionRequired
    setmap<string, string>
    perTryTimeoutDuration -

    Overwrite the headers specified by key with the given values

    +

    Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms. +Default is same value as request +timeout of the HTTP route, +which means no timeout.

    No
    addmap<string, string>
    retryOnstring -

    Append the given values to the headers specified by keys -(will create a comma-separated list of values)

    +

    Specifies the conditions under which retry takes place. +One or more policies can be specified using a ‘,’ delimited list. +If retry_on specifies a valid HTTP status, it will be added to retriable_status_codes retry policy. +See the retry policies +and gRPC retry policies for more details.

    No
    removestring[]
    retryRemoteLocalitiesBoolValue -

    Remove a the specified headers

    +

    Flag to specify whether the retries should retry to other localities. +See the retry plugin configuration for more details.

    @@ -1518,10 +2348,73 @@

    Headers.HeaderOperations

    -

    L4MatchAttributes

    +

    CorsPolicy

    -

    L4 connection match attributes. Note that L4 connection matching support -is incomplete.

    +

    Describes the Cross-Origin Resource Sharing (CORS) policy, for a given +service. Refer to CORS +for further details about cross origin resource sharing. For example, +the following rule restricts cross origin requests to those originating +from example.com domain using HTTP POST/GET, and sets the +Access-Control-Allow-Credentials header to false. In addition, it only +exposes X-Foo-bar header and sets an expiry period of 1 day.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    corsPolicy:
    +      allowOrigins:
    +      - exact: https://example.com
    +      allowMethods:
    +      - POST
    +      - GET
    +      allowCredentials: false
    +      allowHeaders:
    +      - X-Foo-Bar
    +      maxAge: "24h"
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    corsPolicy:
    +      allowOrigins:
    +      - exact: https://example.com
    +      allowMethods:
    +      - POST
    +      - GET
    +      allowCredentials: false
    +      allowHeaders:
    +      - X-Foo-Bar
    +      maxAge: "24h"
    +
    + +

    {{}} +{{}}

    @@ -1531,54 +2424,76 @@

    L4MatchAttributes

    - - - - + + + + + + + + + + + + + + + + - - - + + + - - - + + + - - - + + +
    Description Required
    destinationSubnets
    allowOriginsStringMatch[] +

    String patterns that match allowed origins. +An origin is allowed if any of the string matchers match. +If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.

    + +
    +No +
    allowMethodsstring[] +

    List of HTTP methods allowed to access the resource. The content will +be serialized into the Access-Control-Allow-Methods header.

    + +
    +No +
    allowHeaders string[] -

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., -a.b.c.d/xx form or just a.b.c.d.

    +

    List of HTTP headers that can be used when requesting the +resource. Serialized to Access-Control-Allow-Headers header.

    No
    portuint32
    exposeHeadersstring[] -

    Specifies the port on the host that is being addressed. Many services -only expose a single port or label ports with the protocols they support, -in these cases it is not required to explicitly select the port.

    +

    A list of HTTP headers that the browsers are allowed to +access. Serialized into Access-Control-Expose-Headers header.

    No
    sourceLabelsmap<string, string>
    maxAgeDuration -

    One or more labels that constrain the applicability of a rule to -workloads with the given labels. If the VirtualService has a list of -gateways specified at the top, it should include the reserved gateway -mesh in order for this field to be applicable.

    +

    Specifies how long the results of a preflight request can be +cached. Translates to the Access-Control-Max-Age header.

    No
    gatewaysstring[]
    allowCredentialsBoolValue -

    Names of gateways where the rule should be applied to. Gateway names -at the top of the VirtualService (if any) are overridden. The gateway -match is independent of sourceLabels.

    +

    Indicates whether the caller is allowed to send the actual request +(not the preflight) using credentials. Translates to +Access-Control-Allow-Credentials header.

    @@ -1588,9 +2503,16 @@

    L4MatchAttributes

    -

    Percent

    +

    HTTPFaultInjection

    -

    Percent specifies a percentage in the range of [0.0, 100.0].

    +

    HTTPFaultInjection can be used to specify one or more faults to inject +while forwarding HTTP requests to the destination specified in a route. +Fault specification is part of a VirtualService rule. Faults include +aborting the Http request from downstream service, and/or delaying +proxying of requests. A fault rule MUST HAVE delay or abort or both.

    + +

    Note: Delay and abort faults are independent of one another, even if +both are specified simultaneously.

    @@ -1602,10 +2524,25 @@

    Percent

    - - - + + + + + + + + +
    valuedouble
    delayDelay +

    Delay requests before forwarding, emulating various failures such as +network issues, overloaded upstream service, etc.

    + +
    +No +
    abortAbort +

    Abort Http request attempts and return error codes back to downstream +service, giving the impression that the upstream service is faulty.

    +
    No @@ -1643,9 +2580,9 @@

    PortSelector

    -

    RouteDestination

    +

    Percent

    -

    L4 routing rule weighted destination.

    +

    Percent specifies a percentage in the range of [0.0, 100.0].

    @@ -1657,26 +2594,10 @@

    RouteDestination

    - - - - - - - - - + + +
    destinationDestination -

    Destination uniquely identifies the instances of a service -to which the request/connection should be forwarded to.

    - -
    -Yes -
    weightint32
    valuedouble -

    The proportion of traffic to be forwarded to the service -version. If there is only one destination in a rule, all traffic will be -routed to it irrespective of the weight.

    -
    No @@ -1685,10 +2606,9 @@

    RouteDestination

    -

    StringMatch

    +

    Headers.HeaderOperations

    -

    Describes how to match a given string in HTTP headers. Match is -case-sensitive.

    +

    HeaderOperations Describes the header manipulations to apply

    @@ -1700,106 +2620,107 @@

    StringMatch

    - - - + + + - - - + + + - - - + + +
    exactstring (oneof)
    setmap<string, string> -

    exact string match

    +

    Overwrite the headers specified by key with the given values

    -Yes +No
    prefixstring (oneof)
    addmap<string, string> -

    prefix-based match

    +

    Append the given values to the headers specified by keys +(will create a comma-separated list of values)

    -Yes +No
    regexstring (oneof)
    removestring[] -

    ECMAscript style regex-based match

    +

    Remove the specified headers

    -Yes +No
    -

    TCPRoute

    +

    HTTPFaultInjection.Delay

    -

    Describes match conditions and actions for routing TCP traffic. The -following routing rule forwards traffic arriving at port 27017 for -mongo.prod.svc.cluster.local to another Mongo server on port 5555.

    +

    Delay specification is used to inject latency into the request +forwarding path. The following example will introduce a 5 second delay +in 1 out of every 1000 requests to the “v1” version of the “reviews” +service from all pods with label env: prod

    + +

    {{}} +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    -  name: bookinfo-Mongo
    +  name: reviews-route
     spec:
       hosts:
    -  - mongo.prod.svc.cluster.local
    -  tcp:
    +  - reviews.prod.svc.cluster.local
    +  http:
       - match:
    -    - port: 27017
    +    - sourceLabels:
    +        env: prod
         route:
         - destination:
    -        host: mongo.backup.svc.cluster.local
    -        port:
    -          number: 5555
    +        host: reviews.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      delay:
    +        percentage:
    +          value: 0.1
    +        fixedDelay: 5s
     
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    matchL4MatchAttributes[] -

    Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule -is matched if any one of the match blocks succeed.

    +

    {{}}

    -
    -No -
    routeRouteDestination[] -

    The destination to which the connection should be forwarded to.

    +

    {{}}

    -
    -No -
    -
    -

    TLSMatchAttributes

    -
    -

    TLS connection match attributes.

    +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: reviews-route
    +spec:
    +  hosts:
    +  - reviews.prod.svc.cluster.local
    +  http:
    +  - match:
    +    - sourceLabels:
    +        env: prod
    +    route:
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      delay:
    +        percentage:
    +          value: 0.1
    +        fixedDelay: 5s
    +
    + +

    {{}} +{{}}

    + +

    The fixedDelay field is used to indicate the amount of delay in seconds. +The optional percentage field can be used to only delay a certain +percentage of requests. If left unspecified, all request will be delayed.

    @@ -1811,67 +2732,36 @@

    TLSMatchAttributes

    - - - - - - - - - - - - - - - + + + - - - + + + - - - + + +
    sniHostsstring[] -

    SNI (server name indicator) to match on. Wildcard prefixes -can be used in the SNI value, e.g., *.com will match foo.example.com -as well as example.com. An SNI value must be a subset (i.e., fall -within the domain) of the corresponding virtual serivce’s hosts.

    - -
    -Yes -
    destinationSubnetsstring[] -

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., -a.b.c.d/xx form or just a.b.c.d.

    - -
    -No -
    portuint32
    fixedDelayDuration (oneof) -

    Specifies the port on the host that is being addressed. Many services -only expose a single port or label ports with the protocols they -support, in these cases it is not required to explicitly select the -port.

    +

    Add a fixed delay before forwarding the request. Format: +1h/1m/1s/1ms. MUST be >=1ms.

    -No +Yes
    sourceLabelsmap<string, string>
    percentagePercent -

    One or more labels that constrain the applicability of a rule to -workloads with the given labels. If the VirtualService has a list of -gateways specified at the top, it should include the reserved gateway -mesh in order for this field to be applicable.

    +

    Percentage of requests on which the delay will be injected.

    No
    gatewaysstring[]
    percentint32 -

    Names of gateways where the rule should be applied to. Gateway names -at the top of the VirtualService (if any) are overridden. The gateway -match is independent of sourceLabels.

    +

    Percentage of requests on which the delay will be injected (0-100). +Use of integer percent value is deprecated. Use the double percentage +field instead.

    @@ -1881,39 +2771,65 @@

    TLSMatchAttributes

    -

    TLSRoute

    +

    HTTPFaultInjection.Abort

    -

    Describes match conditions and actions for routing unterminated TLS -traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS -traffic arriving at port 443 of gateway called “mygateway” to internal -services in the mesh based on the SNI value.

    +

    Abort specification is used to prematurely abort a request with a +pre-specified error code. The following example will return an HTTP 400 +error code for 1 out of every 1000 requests to the “ratings” service “v1”.

    + +

    {{}} +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    -  name: bookinfo-sni
    +  name: ratings-route
     spec:
       hosts:
    -  - "*.bookinfo.com"
    -  gateways:
    -  - mygateway
    -  tls:
    -  - match:
    -    - port: 443
    -      sniHosts:
    -      - login.bookinfo.com
    -    route:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
         - destination:
    -        host: login.prod.svc.cluster.local
    -  - match:
    -    - port: 443
    -      sniHosts:
    -      - reviews.bookinfo.com
    -    route:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      abort:
    +        percentage:
    +          value: 0.1
    +        httpStatus: 400
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
         - destination:
    -        host: reviews.prod.svc.cluster.local
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      abort:
    +        percentage:
    +          value: 0.1
    +        httpStatus: 400
     
    +

    {{}} +{{}}

    + +

    The httpStatus field is used to indicate the HTTP status code to +return to the caller. The optional percentage field can be used to only +abort a certain percentage of requests. If not specified, all requests are +aborted.

    + @@ -1924,25 +2840,22 @@

    TLSRoute

    - - - + + + - - - + + +
    matchTLSMatchAttributes[]
    httpStatusint32 (oneof) -

    Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule -is matched if any one of the match blocks succeed.

    +

    HTTP status code to use to abort the Http request.

    Yes
    routeRouteDestination[]
    percentagePercent -

    The destination to which the connection should be forwarded to.

    +

    Percentage of requests to be aborted with the error code provided.

    @@ -1952,9 +2865,11 @@

    TLSRoute

    -

    VirtualService

    +

    google.protobuf.UInt32Value

    -

    Configuration affecting traffic routing.

    +

    Wrapper message for uint32.

    + +

    The JSON representation for UInt32Value is JSON number.

    @@ -1966,129 +2881,11 @@

    VirtualService

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + +
    hostsstring[] -

    The destination hosts to which traffic is being sent. Could -be a DNS name with wildcard prefix or an IP address. Depending on the -platform, short-names can also be used instead of a FQDN (i.e. has no -dots in the name). In such a scenario, the FQDN of the host would be -derived based on the underlying platform.

    - -

    A single VirtualService can be used to describe all the traffic -properties of the corresponding hosts, including those for multiple -HTTP and TCP ports. Alternatively, the traffic properties of a host -can be defined using more than one VirtualService, with certain -caveats. Refer to the -Operations Guide -for details.

    - -

    Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews” will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfigurations, it is recommended to always use fully -qualified domain names over short names.

    - -

    The hosts field applies to both HTTP and TCP services. Service inside -the mesh, i.e., those found in the service registry, must always be -referred to using their alphanumeric names. IP addresses are allowed -only for services defined via the Gateway.

    - -
    -Yes -
    gatewaysstring[] -

    The names of gateways and sidecars that should apply these routes. A -single VirtualService is used for sidecars inside the mesh as well as -for one or more gateways. The selection condition imposed by this -field can be overridden using the source field in the match conditions -of protocol-specific routes. The reserved word mesh is used to imply -all the sidecars in the mesh. When this field is omitted, the default -gateway (mesh) will be used, which would apply the rule to all -sidecars in the mesh. If a list of gateway names is provided, the -rules will apply only to the gateways. To apply the rules to both -gateways and sidecars, specify mesh as one of the gateway names.

    - -
    -No -
    httpHTTPRoute[] -

    An ordered list of route rules for HTTP traffic. HTTP routes will be -applied to platform service ports named ‘http-’/‘http2-’/‘grpc-*’, gateway -ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service -entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching -an incoming request is used.

    - -
    -No -
    tlsTLSRoute[] -

    An ordered list of route rule for non-terminated TLS & HTTPS -traffic. Routing is typically performed using the SNI value presented -by the ClientHello message. TLS routes will be applied to platform -service ports named ‘https-’, ‘tls-’, unterminated gateway ports using -HTTPS/TLS protocols (i.e. with “passthrough” TLS mode) and service -entry ports using HTTPS/TLS protocols. The first rule matching an -incoming request is used. NOTE: Traffic ‘https-’ or ‘tls-’ ports -without associated virtual service will be treated as opaque TCP -traffic.

    - -
    -No -
    tcpTCPRoute[] -

    An ordered list of route rules for opaque TCP traffic. TCP routes will -be applied to any port that is not a HTTP or TLS port. The first rule -matching an incoming request is used.

    - -
    -No -
    exportTostring[]
    valueuint32 -

    A list of namespaces to which this virtual service is exported. Exporting a -virtual service allows it to be used by sidecars and gateways defined in -other namespaces. This feature provides a mechanism for service owners -and mesh administrators to control the visibility of virtual services -across namespace boundaries.

    - -

    If no namespaces are specified then the virtual service is exported to all -namespaces by default.

    - -

    The value “.” is reserved and defines an export to the same namespace that -the virtual service is declared in. Similarly the value “*” is reserved and -defines an export to all namespaces.

    - -

    NOTE: in the current release, the exportTo value is restricted to -“.” or “*” (i.e., the current namespace or all namespaces).

    +

    The uint32 value.

    @@ -2098,31 +2895,24 @@

    VirtualService

    -

    google.protobuf.UInt32Value

    +

    HTTPRedirect.RedirectPortSelection

    -

    Wrapper message for uint32.

    - -

    The JSON representation for UInt32Value is JSON number.

    - - +
    - - + - - - - + + + + + diff --git a/content/zh/docs/reference/config/networking/workload-entry/index.html b/content/zh/docs/reference/config/networking/workload-entry/index.html new file mode 100644 index 0000000000000..2b8051aa58411 --- /dev/null +++ b/content/zh/docs/reference/config/networking/workload-entry/index.html @@ -0,0 +1,362 @@ +--- +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO +source_repo: https://github.com/istio/api +title: Workload Entry +description: Configuration affecting VMs onboarded into the mesh. +location: https://istio.io/docs/reference/config/networking/workload-entry.html +layout: protoc-gen-docs +generator: protoc-gen-docs +schema: istio.networking.v1alpha3.WorkloadEntry +aliases: [/zh/docs/reference/config/networking/v1alpha3/workload-entry] +number_of_entries: 1 +--- +

    WorkloadEntry enables operators to describe the properties of a +single non-Kubernetes workload such as a VM or a bare metal server +as it is onboarded into the mesh. A WorkloadEntry must be +accompanied by an Istio ServiceEntry that selects the workload +through the appropriate labels and provides the service definition +for a MESH_INTERNAL service (hostnames, port properties, etc.). A +ServiceEntry object can select multiple workload entries as well +as Kubernetes pods based on the label selector specified in the +service entry.

    + +

    When a workload connects to istiod, the status field in the +custom resource will be updated to indicate the health of the +workload along with other details, similar to how Kubernetes +updates the status of a pod.

    + +

    The following example declares a workload entry representing a VM +for the details.bookinfo.com service. This VM has sidecar +installed and bootstrapped using the details-legacy service +account. The service is exposed on port 80 to applications in the +mesh. The HTTP traffic to this service is wrapped in Istio mutual +TLS and sent to sidecars on VMs on target port 8080, that in turn +forward it to the application on localhost on the same port.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: WorkloadEntry
    +metadata:
    +  name: details-svc
    +spec:
    +  # use of the service account indicates that the workload has a
    +  # sidecar proxy bootstrapped with this service account. Pods with
    +  # sidecars will automatically communicate with the workload using
    +  # istio mutual TLS.
    +  serviceAccount: details-legacy
    +  address: 2.2.2.2
    +  labels:
    +    app: details-legacy
    +    instance-id: vm1
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: WorkloadEntry
    +metadata:
    +  name: details-svc
    +spec:
    +  # use of the service account indicates that the workload has a
    +  # sidecar proxy bootstrapped with this service account. Pods with
    +  # sidecars will automatically communicate with the workload using
    +  # istio mutual TLS.
    +  serviceAccount: details-legacy
    +  address: 2.2.2.2
    +  labels:
    +    app: details-legacy
    +    instance-id: vm1
    +
    + +

    {{}} +{{}}

    + +

    and the associated service entry

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: ServiceEntry
    +metadata:
    +  name: details-svc
    +spec:
    +  hosts:
    +  - details.bookinfo.com
    +  location: MESH_INTERNAL
    +  ports:
    +  - number: 80
    +    name: http
    +    protocol: HTTP
    +    targetPort: 8080
    +  resolution: STATIC
    +  workloadSelector:
    +    labels:
    +      app: details-legacy
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: ServiceEntry
    +metadata:
    +  name: details-svc
    +spec:
    +  hosts:
    +  - details.bookinfo.com
    +  location: MESH_INTERNAL
    +  ports:
    +  - number: 80
    +    name: http
    +    protocol: HTTP
    +    targetPort: 8080
    +  resolution: STATIC
    +  workloadSelector:
    +    labels:
    +      app: details-legacy
    +
    + +

    {{}} +{{}}

    + +

    The following example declares the same VM workload using +its fully qualified DNS name. The service entry’s resolution +mode should be changed to DNS to indicate that the client-side +sidecars should dynamically resolve the DNS name at runtime before +forwarding the request.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: WorkloadEntry
    +metadata:
    +  name: details-svc
    +spec:
    +  # use of the service account indicates that the workload has a
    +  # sidecar proxy bootstrapped with this service account. Pods with
    +  # sidecars will automatically communicate with the workload using
    +  # istio mutual TLS.
    +  serviceAccount: details-legacy
    +  address: vm1.vpc01.corp.net
    +  labels:
    +    app: details-legacy
    +    instance-id: vm1
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: WorkloadEntry
    +metadata:
    +  name: details-svc
    +spec:
    +  # use of the service account indicates that the workload has a
    +  # sidecar proxy bootstrapped with this service account. Pods with
    +  # sidecars will automatically communicate with the workload using
    +  # istio mutual TLS.
    +  serviceAccount: details-legacy
    +  address: vm1.vpc01.corp.net
    +  labels:
    +    app: details-legacy
    +    instance-id: vm1
    +
    + +

    {{}} +{{}}

    + +

    and the associated service entry

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: ServiceEntry
    +metadata:
    +  name: details-svc
    +spec:
    +  hosts:
    +  - details.bookinfo.com
    +  location: MESH_INTERNAL
    +  ports:
    +  - number: 80
    +    name: http
    +    protocol: HTTP
    +    targetPort: 8080
    +  resolution: DNS
    +  workloadSelector:
    +    labels:
    +      app: details-legacy
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: ServiceEntry
    +metadata:
    +  name: details-svc
    +spec:
    +  hosts:
    +  - details.bookinfo.com
    +  location: MESH_INTERNAL
    +  ports:
    +  - number: 80
    +    name: http
    +    protocol: HTTP
    +    targetPort: 8080
    +  resolution: DNS
    +  workloadSelector:
    +    labels:
    +      app: details-legacy
    +
    + +

    {{}} +{{}}

    + +

    WorkloadEntry

    +
    +

    WorkloadEntry enables specifying the properties of a single non-Kubernetes workload such a VM or a bare metal services that can be referred to by service entries.

    + +
    FieldTypeName DescriptionRequired
    valueuint32
    FROM_PROTOCOL_DEFAULT -

    The uint32 value.

    -
    FROM_REQUEST_PORT -No
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    addressstring +

    Address associated with the network endpoint without the +port. Domain names can be used if and only if the resolution is set +to DNS, and must be fully-qualified without wildcards. Use the form +unix:///absolute/path/to/socket for Unix domain socket endpoints.

    + +
    +Yes +
    portsmap<string, uint32> +

    Set of ports associated with the endpoint. If the port map is +specified, it must be a map of servicePortName to this endpoint’s +port, such that traffic to the service port will be forwarded to +the endpoint port that maps to the service’s portName. If +omitted, and the targetPort is specified as part of the service’s +port specification, traffic to the service port will be forwarded +to one of the endpoints on the specified targetPort. If both +the targetPort and endpoint’s port map are not specified, traffic +to a service port will be forwarded to one of the endpoints on +the same port.

    + +

    NOTE 1: Do not use for unix:// addresses.

    + +

    NOTE 2: endpoint port map takes precedence over targetPort.

    + +
    +No +
    labelsmap<string, string> +

    One or more labels associated with the endpoint.

    + +
    +No +
    networkstring +

    Network enables Istio to group endpoints resident in the same L3 +domain/network. All endpoints in the same network are assumed to be +directly reachable from one another. When endpoints in different +networks cannot reach each other directly, an Istio Gateway can be +used to establish connectivity (usually using the +AUTO_PASSTHROUGH mode in a Gateway Server). This is +an advanced configuration used typically for spanning an Istio mesh +over multiple clusters.

    + +
    +No +
    localitystring +

    The locality associated with the endpoint. A locality corresponds +to a failure domain (e.g., country/region/zone). Arbitrary failure +domain hierarchies can be represented by separating each +encapsulating failure domain by /. For example, the locality of an +an endpoint in US, in US-East-1 region, within availability zone +az-1, in data center rack r11 can be represented as +us/us-east-1/az-1/r11. Istio will configure the sidecar to route to +endpoints within the same locality as the sidecar. If none of the +endpoints in the locality are available, endpoints parent locality +(but within the same network ID) will be chosen. For example, if +there are two endpoints in same network (networkID “n1”), say e1 +with locality us/us-east-1/az-1/r11 and e2 with locality +us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality +will prefer e1 from the same locality over e2 from a different +locality. Endpoint e2 could be the IP associated with a gateway +(that bridges networks n1 and n2), or the IP associated with a +standard service endpoint.

    + +
    +No +
    weightuint32 +

    The load balancing weight associated with the endpoint. Endpoints +with higher weights will receive proportionally higher traffic.

    + +
    +No +
    serviceAccountstring +

    The service account associated with the workload if a sidecar +is present in the workload. The service account must be present +in the same namespace as the configuration ( WorkloadEntry or a +ServiceEntry)

    + +
    +No +
    +
    diff --git a/content/zh/docs/reference/config/networking/workload-group/index.html b/content/zh/docs/reference/config/networking/workload-group/index.html new file mode 100644 index 0000000000000..5b0352e6ccf1a --- /dev/null +++ b/content/zh/docs/reference/config/networking/workload-group/index.html @@ -0,0 +1,443 @@ +--- +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO +source_repo: https://github.com/istio/api +title: Workload Group +description: Describes a collection of workload instances. +location: https://istio.io/docs/reference/config/networking/workload-group.html +layout: protoc-gen-docs +generator: protoc-gen-docs +schema: istio.networking.v1alpha3.WorkloadGroup +aliases: [/zh/docs/reference/config/networking/v1alpha3/workload-group] +number_of_entries: 7 +--- +

    WorkloadGroup describes a collection of workload instances. +It provides a specification that the workload instances can use to bootstrap +their proxies, including the metadata and identity. It is only intended to +be used with non-k8s workloads like Virtual Machines, and is meant to mimic +the existing sidecar injection and deployment specification model used for +Kubernetes workloads to bootstrap Istio proxies.

    + +

    The following example declares a workload group representing a collection +of workloads that will be registered under reviews in namespace +bookinfo. The set of labels will be associated with each workload +instance during the bootstrap process, and the ports 3550 and 8080 +will be associated with the workload group and use service account default. +app.kubernetes.io/version is just an arbitrary example of a label.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: WorkloadGroup
    +metadata:
    +  name: reviews
    +  namespace: bookinfo
    +spec:
    +  metadata:
    +    labels:
    +      app.kubernetes.io/name: reviews
    +      app.kubernetes.io/version: "1.3.4"
    +  template:
    +    ports:
    +      grpc: 3550
    +      http: 8080
    +    serviceAccount: default
    +  probe:
    +    initialDelaySeconds: 5
    +    timeoutSeconds: 3
    +    periodSeconds: 4
    +    successThreshold: 3
    +    failureThreshold: 3
    +    httpGet:
    +     path: /foo/bar
    +     host: 127.0.0.1
    +     port: 3100
    +     scheme: HTTPS
    +     httpHeaders:
    +     - name: Lit-Header
    +       value: Im-The-Best
    +
    + +

    {{}} +{{}}

    + +

    WorkloadGroup

    +
    +

    WorkloadGroup enables specifying the properties of a single workload for bootstrap and +provides a template for WorkloadEntry, similar to how Deployment specifies properties +of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry. +WorkloadGroup has no relationship to resources which control service registry like ServiceEntry +and as such doesn’t configure host name for these workloads.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    metadataObjectMeta +

    Metadata that will be used for all corresponding WorkloadEntries. +User labels for a workload group should be set here in metadata rather than in template.

    + +
    +No +
    templateWorkloadEntry +

    Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup. +Please note that address and labels fields should not be set in the template, and an empty serviceAccount +should default to default. The workload identities (mTLS certificates) will be bootstrapped using the +specified service account’s token. Workload entries in this group will be in the same namespace as the +workload group, and inherit the labels and annotations from the above metadata field.

    + +
    +Yes +
    probeReadinessProbe +

    ReadinessProbe describes the configuration the user must provide for healthchecking on their workload. +This configuration mirrors K8S in both syntax and logic for the most part.

    + +
    +No +
    +
    +

    ReadinessProbe

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    initialDelaySecondsint32 +

    Number of seconds after the container has started before readiness probes are initiated.

    + +
    +No +
    timeoutSecondsint32 +

    Number of seconds after which the probe times out. +Defaults to 1 second. Minimum value is 1 second.

    + +
    +No +
    periodSecondsint32 +

    How often (in seconds) to perform the probe. +Default to 10 seconds. Minimum value is 1 second.

    + +
    +No +
    successThresholdint32 +

    Minimum consecutive successes for the probe to be considered successful after having failed. +Defaults to 1 second.

    + +
    +No +
    failureThresholdint32 +

    Minimum consecutive failures for the probe to be considered failed after having succeeded. +Defaults to 3 seconds.

    + +
    +No +
    httpGetHTTPHealthCheckConfig (oneof) +

    httpGet is performed to a given endpoint +and the status/able to connect determines health.

    + +
    +No +
    tcpSocketTCPHealthCheckConfig (oneof) +

    Health is determined by if the proxy is able to connect.

    + +
    +No +
    execExecHealthCheckConfig (oneof) +

    Health is determined by how the command that is executed exited.

    + +
    +No +
    +
    +

    HTTPHealthCheckConfig

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    pathstring +

    Path to access on the HTTP server.

    + +
    +No +
    portuint32 +

    Port on which the endpoint lives.

    + +
    +Yes +
    hoststring +

    Host name to connect to, defaults to the pod IP. You probably want to set +“Host” in httpHeaders instead.

    + +
    +No +
    schemestring +

    HTTP or HTTPS, defaults to HTTP

    + +
    +No +
    httpHeadersHTTPHeader[] +

    Headers the proxy will pass on to make the request. +Allows repeated headers.

    + +
    +No +
    +
    +

    HTTPHeader

    +
    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    namestring +

    The header field name

    + +
    +No +
    valuestring +

    The header field value

    + +
    +No +
    +
    +

    TCPHealthCheckConfig

    +
    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    hoststring +

    Host to connect to, defaults to localhost

    + +
    +No +
    portuint32 +

    Port of host

    + +
    +Yes +
    +
    +

    ExecHealthCheckConfig

    +
    + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    commandstring[] +

    Command to run. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

    + +
    +No +
    +
    +

    WorkloadGroup.ObjectMeta

    +
    +

    ObjectMeta describes metadata that will be attached to a WorkloadEntry. +It is a subset of the supported Kubernetes metadata.

    + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    labelsmap<string, string> +

    Labels to attach

    + +
    +No +
    annotationsmap<string, string> +

    Annotations to attach

    + +
    +No +
    +
    diff --git a/content/zh/docs/reference/config/proxy_extensions/accesslogpolicy/index.html b/content/zh/docs/reference/config/proxy_extensions/accesslogpolicy/index.html new file mode 100644 index 0000000000000..291d833a7383e --- /dev/null +++ b/content/zh/docs/reference/config/proxy_extensions/accesslogpolicy/index.html @@ -0,0 +1,62 @@ +--- +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/proxy' REPO +source_repo: https://github.com/istio/proxy +title: AccessLogPolicy Config +description: Configuration for AccessLogPolicy Filter. +location: https://istio.io/docs/reference/config/proxy_extensions/accesslogpolicy.html +layout: protoc-gen-docs +generator: protoc-gen-docs +weight: 20 +number_of_entries: 1 +--- +

    Accesslog Policy plugin is a stateful http log sampler. +It decides whether a request is logged based on the following rules. + 1. All requests resulting in errors are logged. + 2. First successful request within logwindowduration from a specific + source ip (source principal) is logged. +The plugin records its decision in the istio.accesslogpolicy attribute with +a value of “no”. A downstream plugin may honor the the attribute. For +example, Stackdriver plugin will not produce an access log entry if this +attribute is set.

    + +

    AccessLogPolicyConfig

    +
    +

    Top level Config for Access Log Policy Config Filter.

    + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    log_window_durationDuration +

    Optional. Allows specifying logging window for successful requests. +The default duration is 12h.

    + +
    +No +
    max_client_cache_sizeint32 +

    Optional. Allows specifying max client cache size. +The default is 500 entries.

    + +
    +No +
    +
    diff --git a/content/zh/docs/reference/config/proxy_extensions/attributegen/index.html b/content/zh/docs/reference/config/proxy_extensions/attributegen/index.html new file mode 100644 index 0000000000000..de64804a172c6 --- /dev/null +++ b/content/zh/docs/reference/config/proxy_extensions/attributegen/index.html @@ -0,0 +1,283 @@ +--- +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/proxy' REPO +source_repo: https://github.com/istio/proxy +title: AttributeGen Config +description: Configuration for Attribute Generation plugin. +location: https://istio.io/docs/reference/config/proxy_extensions/attributegen.html +layout: protoc-gen-docs +generator: protoc-gen-docs +schema: istio.attributegen +weight: 20 +number_of_entries: 3 +--- +

    AttributeGen plugin uses builtin attributes +as inputs and produces new attributes that can be used by downstream plugins.

    + +

    The following is an example of a configuration that produces one attribute +named istio_operationId using request.url_path and request.method.

    + +

    {{}} +{{}}

    + +
    {
    +  "attributes": [
    +    {
    +      "output_attribute": "istio_operationId",
    +      "match": [
    +        {
    +          "value": "ListBooks",
    +          "condition": "request.url_path == '/books' && request.method ==
    +          'GET'"
    +        },
    +        {
    +          "value": "GetBook",
    +          "condition":
    +          "request.url_path.matches('^/shelves/[[:alnum:]]*/books/[[:alnum:]]*$')
    +          && request.method == 'GET'"
    +        },
    +        {
    +          "value": "CreateBook",
    +          "condition": "request.url_path == '/books/' && request.method ==
    +          'POST'"
    +        }
    +      ]
    +    }
    +  ]
    +}
    +
    +
    + +

    {{}} +{{}}

    + +

    If the Stats plugin runs after AttributeGen, it can use istio_operationId +to populate a dimension on a metric.

    + +

    The following is an example of response codes being mapped into a smaller +number of response classes as the istio_responseClass attribute. For +example, all response codes in 200s are mapped to 2xx.

    + +

    {{}} +{{}}

    + +
    {
    +  "attributes": [
    +    {
    +      "output_attribute": "istio_responseClass",
    +      "match": [
    +        {
    +          "value": "2xx",
    +          "condition": "response.code >= 200 && response.code <= 299"
    +        },
    +        {
    +          "value": "3xx",
    +          "condition": "response.code >= 300 && response.code <= 399"
    +        },
    +        {
    +          "value": "404",
    +          "condition": "response.code == 404"
    +        },
    +        {
    +          "value": "429",
    +          "condition": "response.code == 429"
    +        },
    +        {
    +          "value": "503",
    +          "condition": "response.code == 503"
    +        },
    +        {
    +          "value": "5xx",
    +          "condition": "response.code >= 500 && response.code <= 599"
    +        },
    +        {
    +          "value": "4xx",
    +          "condition": "response.code >= 400 && response.code <= 499"
    +        }
    +      ]
    +    }
    +  ]
    +}
    +
    +
    + +

    {{}} +{{}}

    + +

    If multiple AttributeGene configurations produce the same attribute, the +result of the last configuration will be visible to downstream filters.

    + +

    PluginConfig

    +
    +

    Top level configuration to generate new attributes based on attributes of the +proxied traffic.

    + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    debugbool +

    The following settings should be rarely used. +Enable debug for this filter.

    + +
    +No +
    attributesAttributeGeneration[] +

    Multiple independent attribute generation configurations.

    + +
    +No +
    +
    +

    AttributeGeneration

    +
    +

    AttributeGeneration define generation of one attribute.

    + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    output_attributestring +

    The name of the attribute that is populated on a successful match. +An attribute name SHOULD NOT contain a .. You may use underscores for +namespacing instead.

    + +

    Example: istio_operationId

    + +

    istio_ attribute namespace is reserved by Istio.

    + +

    AttributeGeneration may fail to evaluate when an attribute is not +available. For example, response.code may not be available when a request +ends abruptly. When attribute generation fails, it will not populate the +attribute.

    + +

    If the generated attribute is used by an authz plugin, it should account +for the possibility that the attribute may be missing. Use +has(attribute_name) function to check for presence of an attribute before +using its value, and provide appropriate defaults. For example the +following is a safe use of response.code

    + +

    has(response.code)?response.code:200

    + +
    +No +
    matchMatch[] +

    Matches are evaluated in order until the first successful match. +The value specified by the successful match is assgined to the +output_attribute.

    + +
    +No +
    +
    +

    Match

    +
    +

    If the condition evaluates to true then the Match returns the specified +value.

    + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    conditionstring +

    The condition is a CEL +expression +that may use builtin attributes.

    + +

    Example:

    + +

    {{}} +{{}}

    + +
       {
    +     "value": "GetBook",
    +     "condition":
    +     "request.url_path.matches('^/shelves/[[:alnum:]]*/books/[[:alnum:]]*$')
    +     && request.method == 'GET'"
    +   },
    +
    + +

    Note: CEL uses re2 regex +library. Use anchors {^, $} to ensure that the regex evaluates +efficiently.

    + +

    Note: request.url_path is normalized and stripped of query params.

    + +

    a Read only operation on books

    + +
    { "value": "ReadOnlyBooks",
    +  "condition": "request.url_path.startsWith('/books/') &&
    +  in(request.method, ['GET', 'HEAD'])"}
    +
    + +

    {{}} +{{}}

    + +

    An empty condition evaluates to true and should be used to provide a +default value.

    + +
    +No +
    valuestring +

    If condition evaluates to true, return the value.

    + +
    +No +
    +
    diff --git a/content/zh/docs/reference/config/proxy_extensions/metadata_exchange/index.html b/content/zh/docs/reference/config/proxy_extensions/metadata_exchange/index.html
    index 95297d55cb0cc..a24f779489368 100644
    --- a/content/zh/docs/reference/config/proxy_extensions/metadata_exchange/index.html
    +++ b/content/zh/docs/reference/config/proxy_extensions/metadata_exchange/index.html
    @@ -1,9 +1,9 @@
    ---
    WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/proxy' REPO
    source_repo: https://github.com/istio/proxy
    -title: 元数据交换配置
    -description: 元数据交换过滤器的配置。
    -location: https://istio.io/zh/docs/reference/config/proxy_extensions/metadata_exchange.html
    +title: Metadata Exchange Config
    +description: Configuration for Metadata Exchange Filter.
    +location: https://istio.io/docs/reference/config/proxy_extensions/metadata_exchange.html
    layout: protoc-gen-docs
    generator: protoc-gen-docs
    weight: 20
    @@ -14,10 +14,10 @@

    PluginConfig

    - - - - + + + +
    @@ -25,13 +25,13 @@

    PluginConfig

    @@ -39,17 +39,17 @@

    PluginConfig

    google.protobuf.UInt32Value

    -

    uint32类型的封装。

    +

    Wrapper message for uint32.

    -

    在 JSON 中UInt32Value表示是一个 JSON 数字类型。

    +

    The JSON representation for UInt32Value is JSON number.

    字段类型描述是否必须FieldTypeDescriptionRequired
    max_peer_cache_size UInt32Value -

    -对端元数据缓存的最大值。和许多短暂的对等点连接的长期代理可以构建一个大型缓存。要关闭缓存,请将此字段设置为零。 -

    +

    maximum size of the peer metadata cache. +A long lived proxy that connects with many transient peers can build up a +large cache. To turn off the cache, set this field to zero.

    -否 +No
    - - - - + + + +
    @@ -57,11 +57,11 @@

    google.protobuf.UInt32Value

    diff --git a/content/zh/docs/reference/config/proxy_extensions/stackdriver/index.html b/content/zh/docs/reference/config/proxy_extensions/stackdriver/index.html
    new file mode 100644
    index 0000000000000..fc15e7ac6b010
    --- /dev/null
    +++ b/content/zh/docs/reference/config/proxy_extensions/stackdriver/index.html
    @@ -0,0 +1,292 @@
    +---
    +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/proxy' REPO
    +source_repo: https://github.com/istio/proxy
    +title: Stackdriver Config
    +description: Configuration for Stackdriver filter.
    +location: https://istio.io/docs/reference/config/proxy_extensions/stackdriver.html
    +layout: protoc-gen-docs
    +generator: protoc-gen-docs
    +weight: 20
    +number_of_entries: 3
    +---
    +

    CustomConfig

    +
    +

    Custom instance configuration overrides. +Provides a way to customize metrics/logs.

    + +
    字段类型描述是否必须FieldTypeDescriptionRequired
    value uint32 -

    是 uint32 类型的值。

    +

    The uint32 value.

    -否 +No
    + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    dimensionsmap<string, string> +

    (Optional) Collection of tag names and tag expressions to include in the +instance. Conflicts are resolved by the tag name by overriding previously +supplied values.

    + +
    +No +
    + +

    PluginConfig

    +
    +

    next id: 15

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    max_log_batch_size_in_bytesint32 +

    Optional. Allows configuration of the size of the LogWrite request. The +size is in bytes, so that it allows for better performance. Default is 4MB. +The size of one log entry within LogWrite request is approx 1Kb.

    + +
    +No +
    log_report_durationDuration +

    Optional. Allows configuration of the time between calls out to the +stackdriver logging service to report buffered LogWrite request. +Customers can choose to report more aggressively by keeping shorter report +interval if needed. Default is 10s.

    + +
    +No +
    enable_audit_logbool +

    Optional. Controls whether to export audit log.

    + +
    +No +
    destination_service_namestring +

    Optional. FQDN of destination service that the request routed to, e.g. +productpage.default.svc.cluster.local. If not provided, request host header +will be used instead

    + +
    +No +
    enable_mesh_edges_reportingbool +

    Optional. Controls whether or not to export mesh edges to a mesh edges +service. This is disabled by default.

    + +
    +No +
    mesh_edges_reporting_durationDuration +

    Optional. Allows configuration of the time between calls out to the mesh +edges service to report NEW edges. The minimum configurable duration is +10s. NOTE: This option ONLY configures the intermediate reporting of +novel edges. Once every 10m, all edges observed in that 10m window are +reported and the local cache is cleared. +The default duration is 1m. Any value greater than 10m will result in +reporting every 10m.

    + +
    +No +
    max_peer_cache_sizeint32 +

    maximum size of the peer metadata cache. +A long lived proxy that connects with many transient peers can build up a +large cache. To turn off the cache, set this field to a negative value.

    + +
    +No +
    disable_host_header_fallbackbool +

    Optional: Disable using host header as a fallback if destination service is +not available from the controlplane. Disable the fallback if the host +header originates outsides the mesh, like at ingress.

    + +
    +No +
    max_edges_batch_sizeint32 +

    Optional. Allows configuration of the number of traffic assertions to batch +into a single request. Default is 100. Max is 1000.

    + +
    +No +
    disable_http_size_metricsbool +

    Optional. Allows disabling of reporting of the request and response size +metrics for HTTP traffic. Defaults to false (request and response size +metrics are enabled).

    + +
    +No +
    enable_log_compressionBoolValue +

    Optional. Allows enabling log compression for stackdriver access logs.

    + +
    +No +
    access_loggingAccessLogging +

    Optional. Controls what type of logs to export..

    + +
    +No +
    custom_log_configCustomConfig +

    (Optional) Collection of tag names and tag expressions to include in the +logs. Conflicts are resolved by the tag name by overriding previously +supplied values. Does not apply to audit logs. +See https://istio.io/latest/docs/tasks/observability/metrics/customize-metrics/#use-expressions-for-values +for more details about the expression language.

    + +
    +No +
    metric_expiry_durationDuration +

    Optional. Controls the metric expiry duration. If a metric time series is +not updated for the given duration, it will be purged from time series +cache as well as metric reporting. If this is not set or set to 0, time +series will never be expired. This option is useful to avoid unbounded +metric label explodes proxy memory.

    + +
    +No +
    disable_server_access_loggingbool +

    Optional. Controls whether to export server access log. +This is deprecated in favor of AccessLogging enum.

    + +
    +No +
    +
    +

    PluginConfig.AccessLogging

    +
    +

    Types of Access logs to export. Does not affect audit logging.

    + + + + + + + + + + + + + + + + + + + + + + +
    NameDescription
    NONE +

    No Logs.

    + +
    FULL +

    All logs including both success and error logs.

    + +
    ERRORS_ONLY +

    All error logs. This is currently only available for outbound/client side +logs. A request is classified as error when status>=400 or +response_flag != "-"

    + +
    +
    diff --git a/content/zh/docs/reference/config/proxy_extensions/stats/index.html b/content/zh/docs/reference/config/proxy_extensions/stats/index.html
    new file mode 100644
    index 0000000000000..37dbb855e6581
    --- /dev/null
    +++ b/content/zh/docs/reference/config/proxy_extensions/stats/index.html
    @@ -0,0 +1,283 @@
    +---
    +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/proxy' REPO
    +source_repo: https://github.com/istio/proxy
    +title: Stats Config
    +description: Configuration for Stats Filter.
    +location: https://istio.io/docs/reference/config/proxy_extensions/stats.html
    +layout: protoc-gen-docs
    +generator: protoc-gen-docs
    +weight: 20
    +number_of_entries: 4
    +---
    +

    MetricConfig

    +
    +

    Metric instance configuration overrides. +The metric value and the metric type are optional and permit changing the +reported value for an existing metric. +The standard metrics are optimized and reported through a “fast-path”. +The customizations allow full configurability, at the cost of a “slower” +path.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    dimensionsmap<string, string> +

    (Optional) Collection of tag names and tag expressions to include in the +metric. Conflicts are resolved by the tag name by overriding previously +supplied values.

    + +
    +No +
    namestring +

    (Optional) Metric name to restrict the override to a metric. If not +specified, applies to all.

    + +
    +No +
    tags_to_removestring[] +

    (Optional) A list of tags to remove.

    + +
    +No +
    matchstring +

    NOT IMPLEMENTED. (Optional) Conditional enabling the override.

    + +
    +No +
    +
    +

    MetricDefinition

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    namestring +

    Metric name.

    + +
    +No +
    valuestring +

    Metric value expression.

    + +
    +No +
    typeMetricType +

    NOT IMPLEMENTED (Optional) Metric type.

    + +
    +No +
    +
    +

    PluginConfig

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    debugbool +

    next id: 7 +The following settings should be rarely used. +Enable debug for this filter. +DEPRECATED.

    + +
    +No +
    max_peer_cache_sizeint32 +

    maximum size of the peer metadata cache. +A long lived proxy that connects with many transient peers can build up a +large cache. To turn off the cache, set this field to a negative value. +DEPRECATED.

    + +
    +No +
    stat_prefixstring +

    prefix to add to stats emitted by the plugin. +DEPRECATED.

    + +
    +No +
    field_separatorstring +

    Stats api squashes dimensions in a single string. +The squashed string is parsed at prometheus scrape time to recover +dimensions. The following 2 fields set the field and value separators {key: +value} –> key{valueseparator}value{fieldseparator}

    + +
    +No +
    value_separatorstring +

    default: “==”

    + +
    +No +
    disable_host_header_fallbackbool +

    Optional: Disable using host header as a fallback if destination service is +not available from the controlplane. Disable the fallback if the host +header originates outsides the mesh, like at ingress.

    + +
    +No +
    tcp_reporting_durationDuration +

    Optional. Allows configuration of the time between calls out to for TCP +metrics reporting. The default duration is 15s.

    + +
    +No +
    metricsMetricConfig[] +

    Metric overrides.

    + +
    +No +
    definitionsMetricDefinition[] +

    Metric definitions.

    + +
    +No +
    +
    +

    MetricType

    +
    + + + + + + + + + + + + + + + + + + + + + +
    NameDescription
    COUNTER +
    GAUGE +
    HISTOGRAM +
    +
    diff --git a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html
    new file mode 100644
    index 0000000000000..3ad731a4510fd
    --- /dev/null
    +++ b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html
    @@ -0,0 +1,526 @@
    +---
    +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
    +source_repo: https://github.com/istio/api
    +title: Wasm Plugin
    +description: Extend the functionality provided by the Istio proxy through WebAssembly filters.
    +location: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
    +layout: protoc-gen-docs
    +generator: protoc-gen-docs
    +schema: istio.extensions.v1alpha1.WasmPlugin
    +aliases: [/zh/docs/reference/config/extensions/v1alpha1/wasm-plugin]
    +number_of_entries: 6
    +---
    +

    WasmPlugins provides a mechanism to extend the functionality provided by +the Istio proxy through WebAssembly filters.

    + +

    Order of execution (as part of Envoy’s filter chain) is determined by +phase and priority settings, allowing the configuration of complex +interactions between user-supplied WasmPlugins and Istio’s internal +filters.

    + +

    Examples:

    + +

    AuthN Filter deployed to ingress-gateway that implements an OpenID flow +and populates the Authorization header with a JWT to be consumed by +Istio AuthN.

    + +
    apiVersion: extensions.istio.io/v1alpha1
    +kind: WasmPlugin
    +metadata:
    +  name: openid-connect
    +  namespace: istio-ingress
    +spec:
    +  selector:
    +    matchLabels:
    +      istio: ingressgateway
    +  url: file:///opt/filters/openid.wasm
    +  sha256: 1ef0c9a92b0420cf25f7fe5d481b231464bc88f486ca3b9c83ed5cc21d2f6210
    +  phase: AUTHN
    +  pluginConfig:
    +    openid_server: authn
    +    openid_realm: ingress
    +
    + +

    This is the same as the last example, but using an OCI image.

    + +
    apiVersion: extensions.istio.io/v1alpha1
    +kind: WasmPlugin
    +metadata:
    +  name: openid-connect
    +  namespace: istio-ingress
    +spec:
    +  selector:
    +    labels:
    +      istio: ingressgateway
    +  url: oci://private-registry:5000/openid-connect/openid:latest
    +  imagePullPolicy: IfNotPresent
    +  imagePullSecret: private-registry-pull-secret
    +  phase: AUTHN
    +  pluginConfig:
    +    openid_server: authn
    +    openid_realm: ingress
    +
    + +

    This is the same as the last example, but using VmConfig to configure environment variables in the VM.

    + +
    apiVersion: extensions.istio.io/v1alpha1
    +kind: WasmPlugin
    +metadata:
    +  name: openid-connect
    +  namespace: istio-ingress
    +spec:
    +  selector:
    +    labels:
    +      istio: ingressgateway
    +  url: oci://private-registry:5000/openid-connect/openid:latest
    +  imagePullPolicy: IfNotPresent
    +  imagePullSecret: private-registry-pull-secret
    +  phase: AUTHN
    +  pluginConfig:
    +    openid_server: authn
    +    openid_realm: ingress
    +  vmConfig:
    +    env:
    +    - name: POD_NAME
    +      valueFrom: HOST
    +    - name: TRUST_DOMAIN
    +      value: "cluster.local"
    +
    + +

    And a more complex example that deploys three WasmPlugins and orders them +using phase and priority. The (hypothetical) setup is that the +openid-connect filter performs an OpenID Connect flow to authenticate the +user, writing a signed JWT into the Authorization header of the request, +which can be verified by the Istio authn plugin. Then, the acl-check plugin +kicks in, passing the JWT to a policy server, which in turn responds with a +signed token that contains information about which files and functions of the +system are available to the user that was previously authenticated. The +acl-check filter writes this token to a header. Finally, the check-header +filter verifies the token in that header and makes sure that the token’s +contents (the permitted ‘function’) matches its plugin configuration.

    + +

    The resulting filter chain looks like this: +-> openid-connect -> istio.authn -> acl-check -> check-header -> router

    + +
    apiVersion: extensions.istio.io/v1alpha1
    +kind: WasmPlugin
    +metadata:
    +  name: openid-connect
    +  namespace: istio-ingress
    +spec:
    +  selector:
    +    matchLabels:
    +      istio: ingressgateway
    +  url: oci://private-registry:5000/openid-connect/openid:latest
    +  imagePullPolicy: IfNotPresent
    +  imagePullSecret: private-registry-pull-secret
    +  phase: AUTHN
    +  pluginConfig:
    +    openid_server: authn
    +    openid_realm: ingress
    +
    + +
    apiVersion: extensions.istio.io/v1alpha1
    +kind: WasmPlugin
    +metadata:
    +  name: acl-check
    +  namespace: istio-ingress
    +spec:
    +  selector:
    +    matchLabels:
    +      istio: ingressgateway
    +  url: oci://private-registry:5000/acl-check/acl:latest
    +  imagePullPolicy: Always
    +  imagePullSecret: private-registry-pull-secret
    +  phase: AUTHZ
    +  priority: 1000
    +  pluginConfig:
    +    acl_server: some_server
    +    set_header: authz_complete
    +
    + +
    apiVersion: extensions.istio.io/v1alpha1
    +kind: WasmPlugin
    +metadata:
    +  name: check-header
    +  namespace: istio-ingress
    +spec:
    +  selector:
    +    matchLabels:
    +      istio: ingressgateway
    +  url: oci://private-registry:5000/check-header:latest
    +  imagePullPolicy: IfNotPresent
    +  imagePullSecret: private-registry-pull-secret
    +  phase: AUTHZ
    +  priority: 10
    +  pluginConfig:
    +    read_header: authz_complete
    +    verification_key: a89gAzxvls0JKAKIJSBnnvvvkIO
    +    function: read_data
    +
    + +

    WasmPlugin

    +
    +

    WasmPlugins provides a mechanism to extend the functionality provided by +the Istio proxy through WebAssembly filters.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    selectorWorkloadSelector +

    Criteria used to select the specific set of pods/VMs on which +this plugin configuration should be applied. If omitted, this +configuration will be applied to all workload instances in the same +namespace. If the WasmPlugin is present in the config root +namespace, it will be applied to all applicable workloads in any +namespace.

    + +
    +No +
    urlstring +

    URL of a Wasm module or OCI container. If no scheme is present, +defaults to oci://, referencing an OCI image. Other valid schemes +are file:// for referencing .wasm module files present locally +within the proxy container, and http[s]:// for .wasm module files +hosted remotely.

    + +
    +No +
    sha256string +

    SHA256 checksum that will be used to verify Wasm module or OCI container. +If the url field already references a SHA256 (using the @sha256: +notation), it must match the value of this field. If an OCI image is +referenced by tag and this field is set, its checksum will be verified +against the contents of this field after pulling.

    + +
    +No +
    imagePullPolicyPullPolicy +

    The pull behaviour to be applied when fetching an OCI image. Only +relevant when images are referenced by tag instead of SHA. Defaults +to IfNotPresent, except when an OCI image is referenced in the url +and the latest tag is used, in which case Always is the default, +mirroring K8s behaviour. +Setting is ignored if url field is referencing a Wasm module directly +using file:// or http[s]://

    + +
    +No +
    imagePullSecretstring +

    Credentials to use for OCI image pulling. +Name of a K8s Secret in the same namespace as the WasmPlugin that +contains a docker pull secret which is to be used to authenticate +against the registry when pulling the image.

    + +
    +No +
    verificationKeystring +

    Public key that will be used to verify signatures of signed OCI images +or Wasm modules. Must be supplied in PEM format.

    + +
    +No +
    pluginConfigStruct +

    The configuration that will be passed on to the plugin.

    + +
    +No +
    pluginNamestring +

    The plugin name to be used in the Envoy configuration (used to be called +rootID). Some .wasm modules might require this value to select the Wasm +plugin to execute.

    + +
    +No +
    phasePluginPhase +

    Determines where in the filter chain this WasmPlugin is to be injected.

    + +
    +No +
    priorityInt64Value +

    Determines ordering of WasmPlugins in the same phase. +When multiple WasmPlugins are applied to the same workload in the +same phase, they will be applied by priority, in descending order. +If priority is not set, or two WasmPlugins exist with the same +value, the ordering will be deterministically derived from name and +namespace of the WasmPlugins. Defaults to 0.

    + +
    +No +
    vmConfigVmConfig +

    Configuration for a Wasm VM. +more details can be found here.

    + +
    +No +
    +
    +

    VmConfig

    +
    +

    Configuration for a Wasm VM. +more details can be found here.

    + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    envEnvVar[] +

    Specifies environment variables to be injected to this VM. +Note that if a key does not exist, it will be ignored.

    + +
    +No +
    +
    +

    EnvVar

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    namestring +

    Required +Name of the environment variable. Must be a C_IDENTIFIER.

    + +
    +No +
    valueFromEnvValueSource +

    Required +Source for the environment variable’s value.

    + +
    +No +
    valuestring +

    Value for the environment variable. +Note that if value_from is HOST, it will be ignored. +Defaults to “”.

    + +
    +No +
    +
    +

    PluginPhase

    +
    +

    The phase in the filter chain where the plugin will be injected.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameDescription
    UNSPECIFIED_PHASE +

    Control plane decides where to insert the plugin. This will generally +be at the end of the filter chain, right before the Router. +Do not specify PluginPhase if the plugin is independent of others.

    + +
    AUTHN +

    Insert plugin before Istio authentication filters.

    + +
    AUTHZ +

    Insert plugin before Istio authorization filters and after Istio authentication filters.

    + +
    STATS +

    Insert plugin before Istio stats filters and after Istio authorization filters.

    + +
    +
    +

    PullPolicy

    +
    +

    The pull behaviour to be applied when fetching an OCI image, +mirroring K8s behaviour.

    + + + + + + + + + + + + + + + + + + + + + + +
    NameDescription
    UNSPECIFIED_POLICY +

    Defaults to IfNotPresent, except for OCI images with tag latest, for which +the default will be Always.

    + +
    IfNotPresent +

    If an existing version of the image has been pulled before, that +will be used. If no version of the image is present locally, we +will pull the latest version.

    + +
    Always +

    We will always pull the latest version of an image when applying +this plugin.

    + +
    +
    +

    EnvValueSource

    +
    + + + + + + + + + + + + + + + + + +
    NameDescription
    INLINE +

    Explicitly given key-value pairs to be injected to this VM

    + +
    HOST +

    Istio-proxy’s environment variables exposed to this VM.

    + +
    +
    diff --git a/content/zh/docs/reference/config/security/authorization-policy/index.html b/content/zh/docs/reference/config/security/authorization-policy/index.html
    index cda05e812d636..e3f17e020a108 100644
    --- a/content/zh/docs/reference/config/security/authorization-policy/index.html
    +++ b/content/zh/docs/reference/config/security/authorization-policy/index.html
    @@ -8,124 +8,144 @@
    generator: protoc-gen-docs
    schema: istio.security.v1beta1.AuthorizationPolicy
    weight: 20
    -aliases: [/zh/docs/reference/config/authorization/authorization-policy.html]
    -number_of_entries: 7
    +aliases: [/zh/docs/reference/config/authorization/authorization-policy]
    +number_of_entries: 9
    ---

    Istio Authorization Policy enables access control on workloads in the mesh.

    -

    For example, the following authorization policy applies to workloads matched with -label selector “app: httpbin, version: v1”.

    +

    Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions +are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action. +The evaluation is determined by the following rules:

    -

    It allows requests from: -- service account “cluster.local/ns/default/sa/sleep” or -- namespace “test” -to access the workload with: -- “GET” method at paths of prefix “/info” or, -- “POST” method at path “/data”. -when the request has a valid JWT token issued by “https://accounts.google.com”.

    +
      +
    1. If there are any CUSTOM policies that match the request, evaluate and deny the request if the evaluation result is deny.
    2. +
    3. If there are any DENY policies that match the request, deny the request.
    4. +
    5. If there are no ALLOW policies for the workload, allow the request.
    6. +
    7. If any of the ALLOW policies match the request, allow the request.
    8. +
    9. Deny the request.
    10. +
    -

    Any other requests will be rejected.

    +

    Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. +AUDIT policies do not affect whether requests are allowed or denied to the workload. +Requests will be allowed or denied based solely on CUSTOM, DENY and ALLOW actions.

    -
    apiVersion: security.istio.io/v1beta1
    -kind: AuthorizationPolicy
    -metadata:
    - name: httpbin
    - namespace: foo
    -spec:
    - selector:
    -   matchLabels:
    -     app: httpbin
    -     version: v1
    - rules:
    - - from:
    -   - source:
    -       principals: ["cluster.local/ns/default/sa/sleep"]
    -   - source:
    -       namespaces: ["test"]
    -   to:
    -   - operation:
    -       methods: ["GET"]
    -       paths: ["/info*"]
    -   - operation:
    -       methods: ["POST"]
    -       paths: ["/data"]
    -   when:
    -   - key: request.auth.claims[iss]
    -     values: ["https://accounts.google.com"]
    -
    +

    A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request. +A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior. +The request will not be audited if there are no such supporting plugins enabled. +Currently, the only supported plugin is the Stackdriver plugin.

    -

    Access control is enabled on a workload if there is any authorization policies selecting -the workload. When access control is enabled, the default behavior is deny (deny-by-default) -which means requests to the workload will be rejected if the request is not allowed by any of -the authorization policies selecting the workload.

    +

    Here is an example of Istio Authorization Policy:

    -

    Currently AuthorizationPolicy only supports “ALLOW” action. This means that -if multiple authorization policies apply to the same workload, the effect is additive.

    +

    It sets the action to “ALLOW” to create an allow policy. The default action is “ALLOW” +but it is useful to be explicit in the policy.

    -

    Authorization Policy scope (target) is determined by “metadata/namespace” and -an optional “selector”. -- “metadata/namespace” tells which namespace the policy applies. If set to root -namespace, the policy applies to all namespaces in a mesh. -- workload “selector” can be used to further restrict where a policy applies.

    +

    It allows requests from:

    -

    For example,

    +
      +
    • service account “cluster.local/ns/default/sa/sleep” or
    • +
    • namespace “test”
    • +
    + +

    to access the workload with:

    -

    The following authorization policy applies to workloads containing label -“app: httpbin” in namespace bar.

    +
      +
    • “GET” method at paths of prefix “/info” or,
    • +
    • “POST” method at path “/data”.
    • +
    + +

    when the request has a valid JWT token issued by “https://accounts.google.com”.

    + +

    Any other requests will be denied.

    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    - name: policy
    - namespace: bar
    +  name: httpbin
    +  namespace: foo
     spec:
    - selector:
    -   matchLabels:
    -     app: httpbin
    +  action: ALLOW
    +  rules:
    +  - from:
    +    - source:
    +        principals: ["cluster.local/ns/default/sa/sleep"]
    +    - source:
    +        namespaces: ["test"]
    +    to:
    +    - operation:
    +        methods: ["GET"]
    +        paths: ["/info*"]
    +    - operation:
    +        methods: ["POST"]
    +        paths: ["/data"]
    +    when:
    +    - key: request.auth.claims[iss]
    +      values: ["https://accounts.google.com"]
     
    -

    The following authorization policy applies to all workloads in namespace foo.

    +

    The following is another example that sets action to “DENY” to create a deny policy. +It denies requests from the “dev” namespace to the “POST” method on all workloads +in the “foo” namespace.

    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    - name: policy
    - namespace: foo
    +  name: httpbin
    +  namespace: foo
     spec:
    +  action: DENY
    +  rules:
    +  - from:
    +    - source:
    +        namespaces: ["dev"]
    +    to:
    +    - operation:
    +        methods: ["POST"]
     
    -

    The following authorization policy applies to workloads containing label -“version: v1” in all namespaces in the mesh. (Assuming the root namespace is -configured to “istio-config”).

    +

    The following authorization policy sets the action to “AUDIT”. It will audit any GET requests to the path with the +prefix “/user/profile”.

    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    - name: policy
    - namespace: istio-config
    +  namespace: ns1
    +  name: anyname
     spec:
    - selector:
    -   matchLabels:
    -     version: v1
    +  selector:
    +    matchLabels:
    +      app: myapi
    +  action: AUDIT
    +  rules:
    +  - to:
    +    - operation:
    +        methods: ["GET"]
    +        paths: ["/user/profile/*"]
     
    -

    AuthorizationPolicy

    -
    -

    AuthorizationPolicy enables access control on workloads.

    +

    Authorization Policy scope (target) is determined by “metadata/namespace” and +an optional “selector”.

    + +
      +
    • “metadata/namespace” tells which namespace the policy applies. If set to root +namespace, the policy applies to all namespaces in a mesh.
    • +
    • workload “selector” can be used to further restrict where a policy applies.
    • +
    -

    For example, the following authorization policy denies all requests to workloads -in namespace foo.

    +

    For example,

    + +

    The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies +all requests to workloads in namespace foo.

    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    - name: deny-all
    + name: allow-nothing
      namespace: foo
     spec:
    +  {}
     
    -

    The following authorization policy allows all requests to workloads in namespace -foo.

    +

    The following authorization policy allows all requests to workloads in namespace foo.

    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
    @@ -134,9 +154,41 @@ 

    AuthorizationPolicy

    namespace: foo spec: rules: - - {} + - {} +
    + +

    The following authorization policy applies to workloads containing label “app: httpbin” in namespace bar. It allows +nothing and effectively denies all requests to the selected workloads.

    + +
    apiVersion: security.istio.io/v1beta1
    +kind: AuthorizationPolicy
    +metadata:
    +  name: allow-nothing
    +  namespace: bar
    +spec:
    +  selector:
    +    matchLabels:
    +      app: httpbin
     
    +

    The following authorization policy applies to workloads containing label “version: v1” in all namespaces in the mesh. +(Assuming the root namespace is configured to “istio-system”).

    + +
    apiVersion: security.istio.io/v1beta1
    +kind: AuthorizationPolicy
    +metadata:
    + name: allow-nothing
    + namespace: istio-system
    +spec:
    + selector:
    +   matchLabels:
    +     version: v1
    +
    + +

    AuthorizationPolicy

    +
    +

    AuthorizationPolicy enables access control on workloads.

    + @@ -149,11 +201,13 @@

    AuthorizationPolicy

    - + + + + + + + + + + + + +
    selectorWorkloadSelectorWorkloadSelector -

    Optional. Workload selector decides where to apply the authorization policy. -If not set, the authorization policy will be applied to all workloads in the -same namespace as the authorization policy.

    +

    Optional. The selector decides where to apply the authorization policy. The selector will match with workloads +in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector +will additionally match with workloads in all namespaces.

    + +

    If not set, the selector will match all workloads.

    @@ -164,9 +218,32 @@

    AuthorizationPolicy

    rules Rule[] -

    Optional. A list of rules to specify the allowed access to the workload.

    +

    Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.

    + +

    If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if +the action is ALLOW.

    + +
    +No +
    actionAction +

    Optional. The action to take if the request is matched with the rules. Default is ALLOW if not specified.

    -

    If not set, access is denied unless explicitly allowed by other authorization policy.

    +
    +No +
    providerExtensionProvider (oneof) +

    Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action.

    @@ -176,9 +253,20 @@

    AuthorizationPolicy

    -

    Condition

    +

    Rule

    -

    Condition specifies additional required attributes.

    +

    Rule matches requests from a list of sources that perform a list of operations subject to a +list of conditions. A match occurs when at least one source, one operation and all conditions +matches the request. An empty rule is always matched.

    + +

    Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

    + +
      +
    • Exact match: “abc” will match on value “abc”.
    • +
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • +
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • +
    • Presence match: “*” will match when value is not empty.
    • +
    @@ -190,27 +278,200 @@

    Condition

    - - - + + + - - + + + + + + + + + + + + + +
    keystring
    fromFrom[] -

    The name of an Istio attribute. -See the full list of supported attributes.

    +

    Optional. from specifies the source of a request.

    + +

    If not set, any source is allowed.

    -Yes +No
    values
    toTo[] +

    Optional. to specifies the operation of a request.

    + +

    If not set, any operation is allowed.

    + +
    +No +
    whenCondition[] +

    Optional. when specifies a list of additional conditions of a request.

    + +

    If not set, any condition is allowed.

    + +
    +No +
    +
    +

    Source

    +
    +

    Source specifies the source identities of a request. Fields in the source are +ANDed together.

    + +

    For example, the following source matches if the principal is “admin” or “dev” +and the namespace is “prod” or “test” and the ip is not “1.2.3.4”.

    + +
    principals: ["admin", "dev"]
    +namespaces: ["prod", "test"]
    +notIpBlocks: ["1.2.3.4"]
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -218,7 +479,16 @@

    Condition

    Operation

    -

    Operation specifies the operations of a request.

    +

    Operation specifies the operations of a request. Fields in the operation are +ANDed together.

    + +

    For example, the following operation matches if the host has suffix “.example.com” +and the method is “GET” or “HEAD” and the path doesn’t have prefix “/admin”.

    + +
    hosts: ["*.example.com"]
    +methods: ["GET", "HEAD"]
    +notPaths: ["/admin*"]
    +
    FieldTypeDescriptionRequired
    principalsstring[] +

    Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of +"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". +This field requires mTLS enabled and is the same as the source.principal attribute.

    + +

    If not set, any principal is allowed.

    + +
    +No +
    notPrincipals string[] -

    The allowed values for the attribute.

    +

    Optional. A list of negative match of peer identities.

    -Yes +No +
    requestPrincipalsstring[] +

    Optional. A list of request identities derived from the JWT. The request identity is in the format of +"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the +same as the request.auth.principal attribute.

    + +

    If not set, any request principal is allowed.

    + +
    +No +
    notRequestPrincipalsstring[] +

    Optional. A list of negative match of request identities.

    + +
    +No +
    namespacesstring[] +

    Optional. A list of namespaces derived from the peer certificate. +This field requires mTLS enabled and is the same as the source.namespace attribute.

    + +

    If not set, any namespace is allowed.

    + +
    +No +
    notNamespacesstring[] +

    Optional. A list of negative match of namespaces.

    + +
    +No +
    ipBlocksstring[] +

    Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. “1.2.3.4”) and +CIDR (e.g. “1.2.3.0/24”) are supported. This is the same as the source.ip attribute.

    + +

    If not set, any IP is allowed.

    + +
    +No +
    notIpBlocksstring[] +

    Optional. A list of negative match of IP blocks.

    + +
    +No +
    remoteIpBlocksstring[] +

    Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. +To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig +when you install Istio or using an annotation on the ingress gateway. See the documentation here: +Configuring Gateway Network Topology. +Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. +This is the same as the remote.ip attribute.

    + +

    If not set, any IP is allowed.

    + +
    +No +
    notRemoteIpBlocksstring[] +

    Optional. A list of negative match of remote IP blocks.

    + +
    +No
    @@ -234,10 +504,23 @@

    Operation

    + + + + + + + + + + + + + + + + + + + + + + + +
    hosts string[] -

    Optional. A list of hosts, which matches to the “request.host” attribute.

    +

    Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. +See the security best practices for +recommended usage of this field.

    If not set, any host is allowed. Must be used only with HTTP.

    +
    +No +
    notHostsstring[] +

    Optional. A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.

    +
    No @@ -247,10 +530,21 @@

    Operation

    ports string[] -

    Optional. A list of ports, which matches to the “destination.port” attribute.

    +

    Optional. A list of ports as specified in the connection.

    If not set, any port is allowed.

    +
    +No +
    notPortsstring[] +

    Optional. A list of negative match of ports as specified in the connection.

    +
    No @@ -260,11 +554,21 @@

    Operation

    methods string[] -

    Optional. A list of methods, which matches to the “request.method” attribute. -For gRPC service, this should be the fully-qualified name in the form of -“/package.service/method”

    +

    Optional. A list of methods as specified in the HTTP request. +For gRPC service, this will always be “POST”.

    + +

    If not set, any method is allowed. Must be used only with HTTP.

    -

    If not set, any method is allowed. Must be used only with HTTP or gRPC.

    +
    +No +
    notMethodsstring[] +

    Optional. A list of negative match of methods as specified in the HTTP request.

    @@ -275,10 +579,23 @@

    Operation

    paths string[] -

    Optional. A list of paths, which matches to the “request.url_path” attribute.

    +

    Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization +for details of the path normalization. +For gRPC service, this will be the fully-qualified name in the form of “/package.service/method”.

    If not set, any path is allowed. Must be used only with HTTP.

    +
    +No +
    notPathsstring[] +

    Optional. A list of negative match of paths.

    +
    No @@ -287,16 +604,9 @@

    Operation

    -

    Rule

    +

    Condition

    -

    Rule allows access from a list of sources to perform a list of operations when -the condition is matched.

    - -

    Any string field in the rule supports Exact, Prefix, Suffix and Presence match: -- Exact match: “abc” will match on value “abc”. -- Prefix match: “abc” will match on value “abc” and “abcd”. -- Suffix match: “abc” will match on value “abc” and “xabc”. -- Presence match: “*” will match when value is not empty.

    +

    Condition specifies additional required attributes.

    @@ -308,39 +618,63 @@

    Rule

    - - - + + + + + + + + + - - - + + + - - - + +
    fromFrom[]
    keystring -

    Optional. from specifies the source of a request.

    +

    The name of an Istio attribute. +See the full list of supported attributes.

    -

    If not set, any source is allowed.

    +
    +Yes +
    valuesstring[] +

    Optional. A list of allowed values for the attribute. +Note: at least one of values or not_values must be set.

    No
    toTo[]
    notValuesstring[] -

    Optional. to specifies the operation of a request.

    - -

    If not set, any operation is allowed.

    +

    Optional. A list of negative match of values for the attribute. +Note: at least one of values or not_values must be set.

    No
    whenCondition[]
    +
    +

    AuthorizationPolicy.ExtensionProvider

    +
    + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    namestring -

    Optional. when specifies a list of additional conditions of a request.

    - -

    If not set, any condition is allowed.

    +

    Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. +Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider.

    @@ -406,74 +740,74 @@

    Rule.To

    -

    Source

    +

    AuthorizationPolicy.Action

    -

    Source specifies the source identities of a request.

    +

    Action specifies the operation to take.

    - +
    - - + - - - - + + - - - - + + - - - - + + - - - - + + - diff --git a/content/zh/docs/reference/config/security/istio.authentication.v1alpha1/index.html b/content/zh/docs/reference/config/security/istio.authentication.v1alpha1/index.html deleted file mode 100644 index aa66171339895..0000000000000 --- a/content/zh/docs/reference/config/security/istio.authentication.v1alpha1/index.html +++ /dev/null @@ -1,743 +0,0 @@ ---- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api -title: Authentication Policy -description: Authentication policy for Istio services. -location: https://istio.io/docs/reference/config/security/istio.authentication.v1alpha1.html -layout: protoc-gen-docs -generator: protoc-gen-docs -schema: istio.authentication.v1alpha1.Policy -weight: 10 -aliases: [/docs/reference/config/istio.authentication.v1alpha1.html] -number_of_entries: 11 ---- -

    This package defines user-facing authentication policy.

    - -

    Jwt

    -
    -

    JSON Web Token (JWT) token format for authentication as defined by -RFC 7519. See OAuth 2.0 and -OIDC 1.0 for how this is used in the whole -authentication flow.

    - -

    For example:

    - -

    A JWT for any requests:

    - -
    issuer: https://example.com
    -audiences:
    -- bookstore_android.apps.googleusercontent.com
    -  bookstore_web.apps.googleusercontent.com
    -jwksUri: https://example.com/.well-known/jwks.json
    -
    - -

    A JWT for all requests except request at path /health_check and path with -prefix /status/. This is useful to expose some paths for public access but -keep others JWT validated.

    - -
    issuer: https://example.com
    -jwksUri: https://example.com/.well-known/jwks.json
    -triggerRules:
    -- excludedPaths:
    -  - exact: /health_check
    -  - prefix: /status/
    -
    - -

    A JWT only for requests at path /admin. This is useful to only require JWT -validation on a specific set of paths but keep others public accessible.

    - -
    issuer: https://example.com
    -jwksUri: https://example.com/.well-known/jwks.json
    -triggerRules:
    -- includedPaths:
    -  - prefix: /admin
    -
    - -

    A JWT only for requests at path of prefix /status/ but except the path of -/status/version. This means for any request path with prefix /status/ except -/status/version will require a valid JWT to proceed.

    - -
    issuer: https://example.com
    -jwksUri: https://example.com/.well-known/jwks.json
    -triggerRules:
    -- excludedPaths:
    -  - exact: /status/version
    -  includedPaths:
    -  - prefix: /status/
    -
    - -
    FieldTypeName DescriptionRequired
    principalsstring[]
    ALLOW -

    Optional. A list of source peer identities (i.e. service account), which -matches to the “source.principal” attribute.

    - -

    If not set, any principal is allowed.

    +

    Allow a request only if it matches the rules. This is the default type.

    -
    -No
    requestPrincipalsstring[]
    DENY -

    Optional. A list of request identities (i.e. “iss/sub” claims), which -matches to the “request.auth.principal” attribute.

    - -

    If not set, any request principal is allowed.

    +

    Deny a request if it matches any of the rules.

    -
    -No
    namespacesstring[]
    AUDIT -

    Optional. A list of namespaces, which matches to the “source.namespace” -attribute.

    - -

    If not set, any namespace is allowed.

    +

    Audit a request if it matches any of the rules.

    -
    -No
    ipBlocksstring[]
    CUSTOM -

    Optional. A list of IP blocks, which matches to the “source.ip” attribute. -Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported.

    +

    The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. +The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request +is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the +authorization decision made by ALLOW and DENY action. +Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to +the extension by specifying the name of the provider. +One example use case of the extension is to integrate with a custom external authorization system to delegate +the authorization decision to it.

    -

    If not set, any IP is allowed.

    +

    Note: The CUSTOM action is currently an alpha feature and is subject to breaking changes in later versions.

    + +

    The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension +“my-custom-authz” if the request path has prefix “/admin/”.

    + +
    apiVersion: security.istio.io/v1beta1
    +kind: AuthorizationPolicy
    +metadata:
    + name: ext-authz
    + namespace: istio-system
    +spec:
    + selector:
    +   matchLabels:
    +     app: istio-ingressgateway
    + action: CUSTOM
    + provider:
    +   name: "my-custom-authz"
    + rules:
    + - to:
    +   - operation:
    +       paths: ["/admin/*"]
    +
    -
    -No
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    issuerstring -

    Identifies the issuer that issued the JWT. See -issuer -Usually a URL or an email address.

    - -

    Example: https://securetoken.google.com -Example: 1234567-compute@developer.gserviceaccount.com

    - -
    -No -
    audiencesstring[] -

    The list of JWT -audiences. -that are allowed to access. A JWT containing any of these -audiences will be accepted.

    - -

    The service name will be accepted if audiences is empty.

    - -

    Example:

    - -
    audiences:
    -- bookstore_android.apps.googleusercontent.com
    -  bookstore_web.apps.googleusercontent.com
    -
    - -
    -No -
    jwksUristring -

    URL of the provider’s public key set to validate signature of the -JWT. See OpenID Discovery.

    - -

    Optional if the key set document can either (a) be retrieved from -OpenID -Discovery of -the issuer or (b) inferred from the email domain of the issuer (e.g. a -Google service account).

    - -

    Example: https://www.googleapis.com/oauth2/v1/certs

    - -

    Note: Only one of jwks_uri and jwks should be used.

    - -
    -No -
    jwksstring -

    JSON Web Key Set of public keys to validate signature of the JWT. -See https://auth0.com/docs/jwks.

    - -

    Note: Only one of jwks_uri and jwks should be used.

    - -
    -No -
    jwtHeadersstring[] -

    JWT is sent in a request header. header represents the -header name.

    - -

    For example, if header=x-goog-iap-jwt-assertion, the header -format will be x-goog-iap-jwt-assertion: <JWT>.

    - -
    -No -
    jwtParamsstring[] -

    JWT is sent in a query parameter. query represents the -query parameter name.

    - -

    For example, query=jwt_token.

    - -
    -No -
    triggerRulesTriggerRule[] -

    List of trigger rules to decide if this JWT should be used to validate the -request. The JWT validation happens if any one of the rules matched. -If the list is not empty and none of the rules matched, authentication will -skip the JWT validation. -Leave this empty to always trigger the JWT validation.

    - -
    -No -
    -
    -

    Jwt.TriggerRule

    -
    -

    Trigger rule to match against a request. The trigger rule is satisfied if -and only if both rules, excludedpaths and includepaths are satisfied.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    excludedPathsStringMatch[] -

    List of paths to be excluded from the request. The rule is satisfied if -request path does not match to any of the path in this list.

    - -
    -No -
    includedPathsStringMatch[] -

    List of paths that the request must include. If the list is not empty, the -rule is satisfied if request path matches at least one of the path in the list. -If the list is empty, the rule is ignored, in other words the rule is always satisfied.

    - -
    -No -
    -
    -

    MutualTls

    -
    -

    TLS authentication params.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    allowTlsbool -

    WILL BE DEPRECATED, if set, will translates to TLS_PERMISSIVE mode. -Set this flag to true to allow regular TLS (i.e without client x509 -certificate). If request carries client certificate, identity will be -extracted and used (set to peer identity). Otherwise, peer identity will -be left unset. -When the flag is false (default), request must have client certificate.

    - -
    -No -
    modeMode -

    Defines the mode of mTLS authentication.

    - -
    -No -
    -
    -

    MutualTls.Mode

    -
    -

    Defines the acceptable connection TLS mode.

    - - - - - - - - - - - - - - - - - - -
    NameDescription
    STRICT -

    Client cert must be presented, connection is in TLS.

    - -
    PERMISSIVE -

    Connection can be either plaintext or TLS, and client cert can be omitted.

    - -
    -
    -

    OriginAuthenticationMethod

    -
    -

    OriginAuthenticationMethod defines authentication method/params for origin -authentication. Origin could be end-user, device, delegate service etc. -Currently, only JWT is supported for origin authentication.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    jwtJwt -

    Jwt params for the method.

    - -
    -No -
    -
    -

    PeerAuthenticationMethod

    -
    -

    PeerAuthenticationMethod defines one particular type of authentication, e.g -mutual TLS, JWT etc, (no authentication is one type by itself) that can -be used for peer authentication. -The type can be progammatically determine by checking the type of the -“params” field.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    mtlsMutualTls (oneof) -

    Set if mTLS is used.

    - -
    -Yes -
    -
    -

    Policy

    -
    -

    Policy defines what authentication methods can be accepted on workload(s), -and if authenticated, which method/certificate will set the request principal -(i.e request.auth.principal attribute).

    - -

    Authentication policy is composed of 2-part authentication: -- peer: verify caller service credentials. This part will set source.user -(peer identity). -- origin: verify the origin credentials. This part will set request.auth.user -(origin identity), as well as other attributes like request.auth.presenter, -request.auth.audiences and raw claims. Note that the identity could be -end-user, service account, device etc.

    - -

    Last but not least, the principal binding rule defines which identity (peer -or origin) should be used as principal. By default, it uses peer.

    - -

    Examples:

    - -

    Policy to enable mTLS for all services in namespace frod. The policy name must be -default, and it contains no rule for targets.

    - -
    apiVersion: authentication.istio.io/v1alpha1
    -kind: Policy
    -metadata:
    -  name: default
    -  namespace: frod
    -spec:
    -  peers:
    -  - mtls:
    -
    - -

    Policy to disable mTLS for “productpage” service

    - -
    apiVersion: authentication.istio.io/v1alpha1
    -kind: Policy
    -metadata:
    -  name: productpage-mTLS-disable
    -  namespace: frod
    -spec:
    -  targets:
    -  - name: productpage
    -
    - -

    Policy to require mTLS for peer authentication, and JWT for origin authentication -for productpage:9000 except the path ‘/health_check’ . Principal is set from origin identity.

    - -
    apiVersion: authentication.istio.io/v1alpha1
    -kind: Policy
    -metadata:
    -  name: productpage-mTLS-with-JWT
    -  namespace: frod
    -spec:
    -  targets:
    -  - name: productpage
    -    ports:
    -    - number: 9000
    -  peers:
    -  - mtls:
    -  origins:
    -  - jwt:
    -      issuer: "https://securetoken.google.com"
    -      audiences:
    -      - "productpage"
    -      jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
    -      jwtHeaders:
    -      - "x-goog-iap-jwt-assertion"
    -      triggerRules:
    -      - excludedPaths:
    -        - exact: /health_check
    -  principalBinding: USE_ORIGIN
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    targetsTargetSelector[] -

    List rules to select workloads that the policy should be applied on. -If empty, policy will be used on all workloads in the same namespace.

    - -
    -No -
    peersPeerAuthenticationMethod[] -

    List of authentication methods that can be used for peer authentication. -They will be evaluated in order; the first validate one will be used to -set peer identity (source.user) and other peer attributes. If none of -these methods pass, request will be rejected with authentication failed error (401). -Leave the list empty if peer authentication is not required

    - -
    -No -
    peerIsOptionalbool -

    Set this flag to true to accept request (for peer authentication perspective), -even when none of the peer authentication methods defined above satisfied. -Typically, this is used to delay the rejection decision to next layer (e.g -authorization). -This flag is ignored if no authentication defined for peer (peers field is empty).

    - -
    -No -
    originsOriginAuthenticationMethod[] -

    List of authentication methods that can be used for origin authentication. -Similar to peers, these will be evaluated in order; the first validate one -will be used to set origin identity and attributes (i.e request.auth.user, -request.auth.issuer etc). If none of these methods pass, request will be -rejected with authentication failed error (401). -A method may be skipped, depends on its trigger rule. If all of these methods -are skipped, origin authentication will be ignored, as if it is not defined. -Leave the list empty if origin authentication is not required.

    - -
    -No -
    originIsOptionalbool -

    Set this flag to true to accept request (for origin authentication perspective), -even when none of the origin authentication methods defined above satisfied. -Typically, this is used to delay the rejection decision to next layer (e.g -authorization). -This flag is ignored if no authentication defined for origin (origins field is empty).

    - -
    -No -
    principalBindingPrincipalBinding -

    Define whether peer or origin identity should be use for principal. Default -value is USE_PEER. -If peer (or origin) identity is not available, either because of peer/origin -authentication is not defined, or failed, principal will be left unset. -In other words, binding rule does not affect the decision to accept or -reject request.

    - -
    -No -
    -
    -

    PortSelector

    -
    -

    PortSelector specifies the name or number of a port to be used for -matching targets for authentication policy. This is copied from -networking API to avoid dependency.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    numberuint32 (oneof) -

    Valid port number

    - -
    -Yes -
    namestring (oneof) -

    Port name

    - -
    -Yes -
    -
    -

    PrincipalBinding

    -
    -

    Associates authentication with request principal.

    - - - - - - - - - - - - - - - - - - -
    NameDescription
    USE_PEER -

    Principal will be set to the identity from peer authentication.

    - -
    USE_ORIGIN -

    Principal will be set to the identity from origin authentication.

    - -
    -
    -

    StringMatch

    -
    -

    Describes how to match a given string. Match is case-sensitive.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    exactstring (oneof) -

    exact string match.

    - -
    -Yes -
    prefixstring (oneof) -

    prefix-based match.

    - -
    -Yes -
    suffixstring (oneof) -

    suffix-based match.

    - -
    -Yes -
    regexstring (oneof) -

    ECMAscript style regex-based match as defined by EDCA-262. -Example: “^/pets/(.*?)?”

    - -
    -Yes -
    -
    -

    TargetSelector

    -
    -

    TargetSelector defines a matching rule to a workload. A workload is selected -if it is associated with the service name and service port(s) specified in the selector rule.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The name must be a short name from the service registry. The -fully qualified domain name will be resolved in a platform specific manner.

    - -
    -Yes -
    portsPortSelector[] -

    Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports. -For example, if a service is defined as below, then 8000 should be used, not 9000.

    - -
    kind: Service
    -metadata:
    -  ...
    -spec:
    -  ports:
    -  - name: http
    -    port: 8000
    -    targetPort: 9000
    -  selector:
    -    app: backend
    -
    - -

    Leave empty to match all ports that are exposed.

    - -
    -No -
    -
    diff --git a/content/zh/docs/reference/config/security/istio.rbac.v1alpha1/index.html b/content/zh/docs/reference/config/security/istio.rbac.v1alpha1/index.html deleted file mode 100644 index fdec662350f6e..0000000000000 --- a/content/zh/docs/reference/config/security/istio.rbac.v1alpha1/index.html +++ /dev/null @@ -1,504 +0,0 @@ ---- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api -title: RBAC (deprecated) -description: Configuration for Role Based Access Control. -location: https://istio.io/docs/reference/config/security/istio.rbac.v1alpha1.html -layout: protoc-gen-docs -generator: protoc-gen-docs -schema: istio.rbac.v1alpha1.RbacConfig -schema: istio.rbac.v1alpha1.ServiceRole -schema: istio.rbac.v1alpha1.ServiceRoleBinding -weight: 40 -aliases: [/zh/docs/reference/config/authorization/istio.rbac.v1alpha1.html] -number_of_entries: 9 ---- -

    Note: The v1alpha1 RBAC policy is deprecated by the v1beta1 Authorization policy. -This page is kept for migration purpose and will be removed in Istio 1.6.

    - -

    Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding -objects.

    - -

    A ServiceRole specification includes a list of rules (permissions). Each rule has -the following standard fields:

    - -
      -
    • services: a list of services.
    • -
    • methods: A list of HTTP methods. You can set the value to \* to include all HTTP methods. - This field should not be set for TCP services. The policy will be ignored. - For gRPC services, only POST is allowed; other methods will result in denying services.
    • -
    • paths: HTTP paths or gRPC methods. Note that gRPC methods should be -presented in the form of “/packageName.serviceName/methodName” and are case sensitive.
    • -
    - -

    In addition to the standard fields, operators can also use custom keys in the constraints field, -the supported keys are listed in the “constraints and properties” page.

    - -

    Below is an example of ServiceRole object “product-viewer”, which has “read” (“GET” and “HEAD”) -access to “products.svc.cluster.local” service at versions “v1” and “v2”. “path” is not specified, -so it applies to any path in the service.

    - -
    apiVersion: "rbac.istio.io/v1alpha1"
    -kind: ServiceRole
    -metadata:
    -  name: products-viewer
    -  namespace: default
    -spec:
    -  rules:
    -  - services: ["products.svc.cluster.local"]
    -    methods: ["GET", "HEAD"]
    -    constraints:
    -    - key: "destination.labels[version]"
    -      values: ["v1", "v2"]
    -
    - -

    A ServiceRoleBinding specification includes two parts:

    - -
      -
    • The roleRef field that refers to a ServiceRole object in the same namespace.
    • -
    • A list of subjects that are assigned the roles.
    • -
    - -

    In addition to a simple user field, operators can also use custom keys in the properties field, -the supported keys are listed in the “constraints and properties” page.

    - -

    Below is an example of ServiceRoleBinding object “test-binding-products”, which binds two subjects -to ServiceRole “product-viewer”:

    - -
      -
    • User “alice@yahoo.com”
    • -
    • Services in “abc” namespace.
    • -
    - -
    apiVersion: "rbac.istio.io/v1alpha1"
    -kind: ServiceRoleBinding
    -metadata:
    -  name: test-binding-products
    -  namespace: default
    -spec:
    -  subjects:
    -  - user: alice@yahoo.com
    -  - properties:
    -      source.namespace: "abc"
    -  roleRef:
    -    kind: ServiceRole
    -    name: "products-viewer"
    -
    - -

    AccessRule

    -
    -

    AccessRule defines a permission to access a list of services.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicesstring[] -

    A list of service names. -Exact match, prefix match, and suffix match are supported for service names. -For example, the service name “bookstore.mtv.cluster.local” matches -“bookstore.mtv.cluster.local” (exact match), or “bookstore*” (prefix match), -or “*.mtv.cluster.local” (suffix match). -If set to [”*”], it refers to all services in the namespace.

    - -
    -Yes -
    pathsstring[] -

    Optional. A list of HTTP paths or gRPC methods. -gRPC methods must be presented as fully-qualified name in the form of -“/packageName.serviceName/methodName” and are case sensitive. -Exact match, prefix match, and suffix match are supported. For example, -the path “/books/review” matches “/books/review” (exact match), -or “/books/*” (prefix match), or “*/review” (suffix match). -If not specified, it matches to any path. -This field should not be set for TCP services. The policy will be ignored.

    - -
    -No -
    methodsstring[] -

    Optional. A list of HTTP methods (e.g., “GET”, “POST”). -If not specified or specified as “*”, it matches to any methods. -This field should not be set for TCP services. The policy will be ignored. -For gRPC services, only POST is allowed; other methods will result in denying services.

    - -
    -No -
    constraintsConstraint[] -

    Optional. Extra constraints in the ServiceRole specification.

    - -
    -No -
    -
    -

    AccessRule.Constraint

    -
    -

    Definition of a custom constraint. The supported keys are listed in the “constraint and properties” page.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    keystring -

    Key of the constraint.

    - -
    -No -
    valuesstring[] -

    List of valid values for the constraint. -Exact match, prefix match, and suffix match are supported. -For example, the value “v1alpha2” matches “v1alpha2” (exact match), -or “v1*” (prefix match), or “*alpha2” (suffix match).

    - -
    -No -
    -
    -

    RbacConfig

    -
    -

    RbacConfig implements the ClusterRbacConfig Custom Resource Definition for controlling Istio RBAC behavior. -The ClusterRbacConfig Custom Resource is a singleton where only one ClusterRbacConfig should be created -globally in the mesh and the namespace should be the same to other Istio components, which usually is istio-system.

    - -

    Below is an example of an ClusterRbacConfig resource called istio-rbac-config which enables Istio RBAC for all -services in the default namespace.

    - -
    apiVersion: "rbac.istio.io/v1alpha1"
    -kind: ClusterRbacConfig
    -metadata:
    -  name: default
    -  namespace: istio-system
    -spec:
    -  mode: ON_WITH_INCLUSION
    -  inclusion:
    -    namespaces: [ "default" ]
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeMode -

    Istio RBAC mode.

    - -
    -No -
    inclusionTarget -

    A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field have -effect only when mode is ONWITHINCLUSION and will be ignored for any other modes.

    - -
    -No -
    exclusionTarget -

    A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field have -effect only when mode is ONWITHEXCLUSION and will be ignored for any other modes.

    - -
    -No -
    -
    -

    RbacConfig.Mode

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameDescription
    OFF -

    Disable Istio RBAC completely, Istio RBAC policies will not be enforced.

    - -
    ON -

    Enable Istio RBAC for all services and namespaces. Note Istio RBAC is deny-by-default -which means all requests will be denied if it’s not allowed by RBAC rules.

    - -
    ON_WITH_INCLUSION -

    Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other -services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies.

    - -
    ON_WITH_EXCLUSION -

    Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other -services and namespaces not in the exclusion field will be enforced by Istio RBAC policies.

    - -
    -
    -

    RbacConfig.Target

    -
    -

    Target defines a list of services or namespaces.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicesstring[] -

    A list of services.

    - -
    -No -
    namespacesstring[] -

    A list of namespaces.

    - -
    -No -
    -
    -

    RoleRef

    -
    -

    RoleRef refers to a role object.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    kindstring -

    The type of the role being referenced. -Currently, “ServiceRole” is the only supported value for “kind”.

    - -
    -Yes -
    namestring -

    The name of the ServiceRole object being referenced. -The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.

    - -
    -Yes -
    -
    -

    ServiceRole

    -
    -

    ServiceRole specification contains a list of access rules (permissions).

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    rulesAccessRule[] -

    The set of access rules (permissions) that the role has.

    - -
    -Yes -
    -
    -

    ServiceRoleBinding

    -
    -

    ServiceRoleBinding assigns a ServiceRole to a list of subjects.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    subjectsSubject[] -

    List of subjects that are assigned the ServiceRole object.

    - -
    -Yes -
    roleRefRoleRef -

    Reference to the ServiceRole object.

    - -
    -Yes -
    -
    -

    Subject

    -
    -

    Subject defines an identity. The identity is either a user or identified by a set of properties. -The supported keys in properties are listed in “constraint and properties” page.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    userstring -

    Optional. The user name/ID that the subject represents.

    - -
    -No -
    propertiesmap<string, string> -

    Optional. The set of properties that identify the subject.

    - -
    -No -
    -
    diff --git a/content/zh/docs/reference/config/security/jwt/index.html b/content/zh/docs/reference/config/security/jwt/index.html
    index 5595fd537aba7..d2804820347bd 100644
    --- a/content/zh/docs/reference/config/security/jwt/index.html
    +++ b/content/zh/docs/reference/config/security/jwt/index.html
    @@ -7,50 +7,9 @@
     layout: protoc-gen-docs
     generator: protoc-gen-docs
     schema: istio.security.v1beta1.JWTRule
    -aliases: [/docs/reference/config/security/v1beta1/jwt]
    +aliases: [/zh/docs/reference/config/security/v1beta1/jwt]
     number_of_entries: 2
     ---
    -

    JWTHeader

    -
    -

    This message specifies a header location to extract JWT token.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The HTTP header name.

    - -
    -Yes -
    prefixstring -

    The prefix that should be stripped before decoding the token. -For example, for “Authorization: Bearer ”, prefix=“Bearer ” with a space at the end. -If the header doesn’t have this exact prefix, it is considerred invalid.

    - -
    -No -
    -

    JWTRule

    JSON Web Token (JWT) token format for authentication as defined by
    @@ -62,8 +21,8 @@

    JWTRule

    Spec for a JWT that is issued by https://example.com, with the audience claims must be either bookstore_android.apps.example.com or bookstore_web.apps.example.com. -The token should be presented at the Authorization header (default). The Json web key set (JWKS) -will be discovered followwing OpenID Connect protocol.

    +The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS) +will be discovered following OpenID Connect protocol.

    issuer: https://example.com
     audiences:
    @@ -71,12 +30,12 @@ 

    JWTRule

    bookstore_web.apps.example.com
    -

    This example specifies token in non-default location (x-goog-iap-jwt-assertion header). It also +

    This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also defines the URI to fetch JWKS explicitly.

    issuer: https://example.com
     jwksUri: https://example.com/.secret/jwks.json
    -jwtHeaders:
    +fromHeaders:
     - "x-goog-iap-jwt-assertion"
     
    @@ -144,7 +103,7 @@

    JWTRule

    Example: https://www.googleapis.com/oauth2/v1/certs

    -

    Note: Only one of jwksuri and jwks should be used. jwksuri will be ignored if it does.

    +

    Note: Only one of jwksUri and jwks should be used.

    @@ -158,7 +117,7 @@

    JWTRule

    JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks.

    -

    Note: Only one of jwksuri and jwks should be used. jwksuri will be ignored if it does.

    +

    Note: Only one of jwksUri and jwks should be used.

    @@ -172,11 +131,14 @@

    JWTRule

    List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in x-jwt-assertion header, and have “Bearer ” prefix:

    -
      fromHeaders:
    +
      fromHeaders:
       - name: x-jwt-assertion
         prefix: "Bearer "
     
    +

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +such requests is undefined.

    + No
    @@ -189,10 +151,13 @@

    JWTRule

    List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter my_token (e.g /path?my_token=), the config is:

    -
      fromParams:
    +
      fromParams:
       - "my_token"
     
    +

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +such requests is undefined.

    + No
    @@ -215,7 +180,48 @@

    JWTRule

    forwardOriginalToken bool -

    If set to true, the orginal token will be kept for the ustream request. Default is false.

    +

    If set to true, the original token will be kept for the upstream request. Default is false.

    + + + +No + + + + +
    +

    JWTHeader

    +
    +

    This message specifies a header location to extract JWT token.

    + + + + + + + + + + + + + + + + + + + + + - +
    FieldTypeDescriptionRequired
    namestring +

    The HTTP header name.

    + +
    +Yes +
    prefixstring +

    The prefix that should be stripped before decoding the token. +For example, for “Authorization: Bearer ”, prefix=“Bearer ” with a space at the end. +If the header doesn’t have this exact prefix, it is considered invalid.

    diff --git a/content/zh/docs/reference/config/security/peer_authentication/index.html b/content/zh/docs/reference/config/security/peer_authentication/index.html
    index 4271f29aded1d..7af74ce9cb451 100644
    --- a/content/zh/docs/reference/config/security/peer_authentication/index.html
    +++ b/content/zh/docs/reference/config/security/peer_authentication/index.html
    @@ -7,7 +7,7 @@
     layout: protoc-gen-docs
     generator: protoc-gen-docs
     schema: istio.security.v1beta1.PeerAuthentication
    -aliases: [/docs/reference/config/security/v1beta1/peer_authentication]
    +aliases: [/zh/docs/reference/config/security/v1beta1/peer_authentication]
     number_of_entries: 3
     ---

    PeerAuthentication

    @@ -74,7 +74,7 @@

    PeerAuthentication

    mode: DISABLE -

    Policy to inherite mTLS mode from namespace (or mesh) settings, and overwrite +

    Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite settings for port 8080

    apiVersion: security.istio.io/v1beta1
    @@ -105,7 +105,7 @@ 

    PeerAuthentication

    selectorWorkloadSelectorWorkloadSelector

    The selector determines the workloads to apply the ChannelAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy.

    @@ -130,7 +130,8 @@

    PeerAuthentication

    portLevelMtls map<uint32, MutualTLS> -

    Port specific mutual TLS settings.

    +

    Port specific mutual TLS settings. These only apply when a workload selector +is specified.

    diff --git a/content/zh/docs/reference/config/security/request_authentication/index.html b/content/zh/docs/reference/config/security/request_authentication/index.html
    index 03cacf522efac..583278475441c 100644
    --- a/content/zh/docs/reference/config/security/request_authentication/index.html
    +++ b/content/zh/docs/reference/config/security/request_authentication/index.html
    @@ -7,13 +7,13 @@
     layout: protoc-gen-docs
     generator: protoc-gen-docs
     schema: istio.security.v1beta1.RequestAuthentication
    -aliases: [/docs/reference/config/security/v1beta1/request_authentication]
    +aliases: [/zh/docs/reference/config/security/v1beta1/request_authentication]
     number_of_entries: 1
     ---

    RequestAuthentication

    RequestAuthentication defines what request authentication methods are supported by a workload.
    -If will reject a request if the request contains invalid authentication information, based on the
    +It will reject a request if the request contains invalid authentication information, based on the
     configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule.
    @@ -26,8 +26,8 @@

    RequestAuthentication

    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
    - name: httpbin
    - namespace: foo
    +  name: httpbin
    +  namespace: foo
     spec:
       selector:
         matchLabels:
    @@ -39,83 +39,183 @@ 

    RequestAuthentication

    apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: httpbin - namespace: foo + name: httpbin + namespace: foo spec: - selector: - matchLabels: - app: httpbin - rules: - - from: - - source: - requestPrincipals: ["*"] + selector: + matchLabels: + app: httpbin + rules: + - from: + - source: + requestPrincipals: ["*"]
      -
    • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication -declares it can accpet JWTs issuer by either issuer-foo or issuer-bar (the public key set is implicitly -set from the OpenID Connect spec). -“`yaml -apiVersion: security.istio.io/v1beta1 +
    • A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces +in a mesh. The following policy makes all workloads only accept requests that contain a +valid JWT token.
    • +
    + +
    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
    -name: httpbin
    -namespace: foo
    +  name: req-authn-for-all
    +  namespace: istio-system
     spec:
    -selector:
    -matchLabels:
    -  app: httpbin
    -jwtRules:
    +  jwtRules:
    +  - issuer: "issuer-foo"
    +    jwksUri: https://example.com/.well-known/jwks.json
    +---
    +apiVersion: security.istio.io/v1beta1
    +kind: AuthorizationPolicy
    +metadata:
    +  name: require-jwt-for-all
    +  namespace: istio-system
    +spec:
    +  rules:
    +  - from:
    +    - source:
    +        requestPrincipals: ["*"]
    +
      -
    • issuer: “issuer-foo”
    • -
    • issuer: “issuer-bar” -— +
    • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication +declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly +set from the OpenID Connect spec).
    • +
    + +
    apiVersion: security.istio.io/v1beta1
    +kind: RequestAuthentication
    +metadata:
    +  name: httpbin
    +  namespace: foo
    +spec:
    +  selector:
    +    matchLabels:
    +      app: httpbin
    +  jwtRules:
    +  - issuer: "issuer-foo"
    +  - issuer: "issuer-bar"
    +---
     apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    -name: httpbin
    -namespace: foo
    +  name: httpbin
    +  namespace: foo
     spec:
    -selector:
    -matchLabels:
    -app: httpbin
    -rules:
    -
  • from:
  • -
  • source: -requestPrincipals: [“issuer-foo/*”] -to: -hosts: [“example.com”]
  • -
  • from:
  • -
  • source: -requestPrincipals: [“issuer-bar/”] -to: -hosts: [“another-host.com”] - -- You can fine tune the authorization policy to set different requirement per path. For example, -to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the -authorization policy could be: -yaml -apiVersion: security.istio.io/v1beta1 + selector: + matchLabels: + app: httpbin + rules: + - from: + - source: + requestPrincipals: ["issuer-foo/*"] + to: + - operation: + hosts: ["example.com"] + - from: + - source: + requestPrincipals: ["issuer-bar/*"] + to: + - operation: + hosts: ["another-host.com"] +
  • + +
      +
    • You can fine tune the authorization policy to set different requirement per path. For example, +to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the +authorization policy could be:
    • +
    + +
    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    -name: httpbin
    -namespace: foo
    +  name: httpbin
    +  namespace: foo
     spec:
    -selector:
    -matchLabels:
    -app: httpbin
    -rules:
    -- from:
    -- source:
    -requestPrincipals: [””]
    -- to:
    -- operation:
    -paths: [“/healthz]
    -“`
    -
    +  selector:
    +    matchLabels:
    +      app: httpbin
    +  rules:
    +  - from:
    +    - source:
    +        requestPrincipals: ["*"]
    +  - to:
    +    - operation:
    +        paths: ["/healthz"]
    +
    + +

    [Experimental] Routing based on derived metadata +is now supported. A prefix ‘@’ is used to denote a match against internal metadata instead of the headers in the request. +Currently this feature is only supported for the following metadata:

    + +
      +
    • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name +currently does not support the . character. Examples: request.auth.claims.sub and request.auth.claims.name.givenName.
    +

    The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:

    + +
      +
    • RequestAuthentication to decode and validate a JWT. This also makes the @request.auth.claims available for use in the VirtualService.
    • +
    • AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
    • +
    • VirtualService to route the request based on the “sub” claim.
    • +
    + +
    apiVersion: security.istio.io/v1beta1
    +kind: RequestAuthentication
    +metadata:
    +  name: jwt-on-ingress
    +  namespace: istio-system
    +spec:
    + selector:
    +   matchLabels:
    +     app: istio-ingressgateway
    +  jwtRules:
    +  - issuer: "example.com"
    +    jwksUri: https://example.com/.well-known/jwks.json
    +---
    +apiVersion: security.istio.io/v1beta1
    +kind: AuthorizationPolicy
    +metadata:
    +  name: require-jwt
    +  namespace: istio-system
    +spec:
    + selector:
    +   matchLabels:
    +     app: istio-ingressgateway
    +  rules:
    +  - from:
    +    - source:
    +        requestPrincipals: ["*"]
    +---
    +apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: route-jwt
    +spec:
    +  hosts:
    +  - foo.prod.svc.cluster.local
    +  gateways:
    +  - istio-ingressgateway
    +  http:
    +  - name: "v2"
    +    match:
    +    - headers:
    +        "@request.auth.claims.sub":
    +          exact: "dev"
    +    route:
    +    - destination:
    +        host: foo.prod.svc.cluster.local
    +        subset: v2
    +  - name: "default"
    +    route:
    +    - destination:
    +        host: foo.prod.svc.cluster.local
    +        subset: v1
    +
    +
    @@ -128,10 +228,13 @@

    RequestAuthentication

    - + - +
    selectorWorkloadSelectorWorkloadSelector -

    The selector determines the workloads to apply the RequestAuthentication on. -If not set, the policy will be applied to all workloads in the same namespace as the policy.

    +

    Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads +in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, +the selector will additionally match with workloads in all namespaces.

    + +

    If not set, the selector will match all workloads.

    @@ -140,14 +243,15 @@

    RequestAuthentication

    jwtRulesJWTRule[]JWTRule[]

    Define the list of JWTs that can be validated at the selected workloads’ proxy. A valid token will be used to extract the authenticated identity. -Each rule will be activated only when a token is presented at the location recorgnized by the +Each rule will be activated only when a token is presented at the location recognized by the rule. The token will be validated based on the JWT rule config. If validation fails, the request will be rejected. -Note: if more than one token is presented (at different locations), the output principal is nondeterministic.

    +Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +such requests is undefined.

    diff --git a/content/zh/docs/reference/config/telemetry/index.html b/content/zh/docs/reference/config/telemetry/index.html
    new file mode 100644
    index 0000000000000..173a76d7295e2
    --- /dev/null
    +++ b/content/zh/docs/reference/config/telemetry/index.html
    @@ -0,0 +1,1198 @@
    +---
    +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
    +source_repo: https://github.com/istio/api
    +title: Telemetry
    +description: Telemetry configuration for workloads.
    +location: https://istio.io/docs/reference/config/telemetry.html
    +layout: protoc-gen-docs
    +generator: protoc-gen-docs
    +schema: istio.telemetry.v1alpha1.Telemetry
    +aliases: [/zh/docs/reference/config/telemetry/v1alpha1/telemetry]
    +number_of_entries: 18
    +---
    +

    Telemetry defines how the telemetry is generated for workloads within a mesh.

    + +

    For mesh level configuration, put the resource in root configuration +namespace for your Istio installation without a workload selector.

    + +

    For any namespace, including the root configuration namespace, it is only +valid to have a single workload selector-less Telemetry resource.

    + +

    For resources with a workload selector, it is only valid to have one resource +selecting any given workload.

    + +

    The hierarchy of Telemetry configuration is as follows:

    + +
      +
    1. Workload-specific configuration
    2. +
    3. Namespace-specific configuration
    4. +
    5. Root namespace configuration
    6. +
    + +

    Examples:

    + +

    Policy to enable random sampling for 10% of traffic:

    + +
    apiVersion: telemetry.istio.io/v1alpha1
    +kind: Telemetry
    +metadata:
    +  name: mesh-default
    +  namespace: istio-system
    +spec:
    +  # no selector specified, applies to all workloads
    +  tracing:
    +  - randomSamplingPercentage: 10.00
    +
    + +

    Policy to disable trace reporting for the “foo” workload (note: tracing +context will still be propagated):

    + +
    apiVersion: telemetry.istio.io/v1alpha1
    +kind: Telemetry
    +metadata:
    +  name: foo-tracing
    +  namespace: bar
    +spec:
    +  selector:
    +    matchLabels:
    +      service.istio.io/canonical-name: foo
    +  tracing:
    +  - disableSpanReporting: true
    +
    + +

    Policy to select the alternate zipkin provider for trace reporting:

    + +
    apiVersion: telemetry.istio.io/v1alpha1
    +kind: Telemetry
    +metadata:
    +  name: foo-tracing-alternate
    +  namespace: baz
    +spec:
    +  selector:
    +    matchLabels:
    +      service.istio.io/canonical-name: foo
    +  tracing:
    +  - providers:
    +    - name: "zipkin-alternate"
    +    randomSamplingPercentage: 10.00
    +
    + +

    Policy to add a custom tag from a literal value:

    + +
    apiVersion: telemetry.istio.io/v1alpha1
    +kind: Telemetry
    +metadata:
    +  name: mesh-default
    +  namespace: istio-system
    +spec:
    +  # no selector specified, applies to all workloads
    +  tracing:
    +  - randomSamplingPercentage: 10.00
    +    customTags:
    +      my_new_foo_tag:
    +        literal:
    +          value: "foo"
    +
    + +

    Policy to disable server-side metrics for Stackdriver for an entire mesh:

    + +
    apiVersion: telemetry.istio.io/v1alpha1
    +kind: Telemetry
    +metadata:
    +  name: mesh-default
    +  namespace: istio-system
    +spec:
    +  # no selector specified, applies to all workloads
    +  metrics:
    +  - providers:
    +    - name: stackdriver
    +    overrides:
    +    - match:
    +        metric: ALL_METRICS
    +        mode: SERVER
    +      disabled: true
    +
    + +

    Policy to add dimensions to all Prometheus metrics for the foo namespace:

    + +
    apiVersion: telemetry.istio.io/v1alpha1
    +kind: Telemetry
    +metadata:
    +  name: namespace-metrics
    +  namespace: foo
    +spec:
    +  # no selector specified, applies to all workloads in the namespace
    +  metrics:
    +  - providers:
    +    - name: prometheus
    +    overrides:
    +    # match clause left off matches all istio metrics, client and server
    +    - tagOverrides:
    +        request_method:
    +          value: "request.method"
    +        request_host:
    +          value: "request.host"
    +
    + +

    Policy to remove the response_code dimension on some Prometheus metrics for +the bar.foo workload:

    + +
    apiVersion: telemetry.istio.io/v1alpha1
    +kind: Telemetry
    +metadata:
    +  name: remove-response-code
    +  namespace: foo
    +spec:
    +  selector:
    +    matchLabels:
    +      service.istio.io/canonical-name: bar
    +  metrics:
    +  - providers:
    +    - name: prometheus
    +    overrides:
    +    - match:
    +        metric: REQUEST_COUNT
    +      tagOverrides:
    +        response_code:
    +          operation: REMOVE
    +    - match:
    +        metric: REQUEST_DURATION
    +      tagOverrides:
    +        response_code:
    +          operation: REMOVE
    +    - match:
    +        metric: REQUEST_BYTES
    +      tagOverrides:
    +        response_code:
    +          operation: REMOVE
    +    - match:
    +        metric: RESPONSE_BYTES
    +      tagOverrides:
    +        response_code:
    +          operation: REMOVE
    +
    + +

    Policy to enable access logging for the entire mesh:

    + +
    apiVersion: telemetry.istio.io/v1alpha1
    +kind: Telemetry
    +metadata:
    +  name: mesh-default
    +  namespace: istio-system
    +spec:
    +  # no selector specified, applies to all workloads
    +  accessLogging:
    +  - providers:
    +    - name: envoy
    +    # By default, this turns on access logging (no need to set `disabled:
    +    false`). # Unspecified `disabled` will be treated as `disabled: false`,
    +    except in # cases where a parent configuration has marked as `disabled:
    +    true`. In # those cases, `disabled: false` must be set explicitly to
    +    override.
    +
    + +

    Policy to disable access logging for the foo namespace:

    + +
    apiVersion: telemetry.istio.io/v1alpha1
    +kind: Telemetry
    +metadata:
    +  name: namespace-no-log
    +  namespace: foo
    +spec:
    +  # no selector specified, applies to all workloads in the namespace
    +  accessLogging:
    +  - disabled: true
    +
    + +

    Telemetry

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    selectorWorkloadSelector +

    Optional. The selector decides where to apply the Telemetry policy. +If not set, the Telemetry policy will be applied to all workloads in the +same namespace as the Telemetry policy.

    + +
    +No +
    tracingTracing[] +

    Optional. Tracing configures the tracing behavior for all +selected workloads.

    + +
    +No +
    metricsMetrics[] +

    Optional. Metrics configure the metrics behavior for all +selected workloads.

    + +
    +No +
    accessLoggingAccessLogging[] +

    Optional. AccessLogging configures the access logging behavior for all +selected workloads.

    + +
    +No +
    +
    +

    Tracing

    +
    +

    Tracing configures tracing behavior for workloads within a mesh. +It can be used to enable/disable tracing, as well as to set sampling +rates and custom tag extraction.

    + +

    Tracing configuration support overrides of the fields providers, +random_sampling_percentage, disable_span_reporting, and custom_tags at +each level in the configuration hierarchy, with missing values filled in +from parent resources. However, when specified, custom_tags will +fully replace any values provided by parent configuration.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    matchTracingSelector +

    Allows tailoring of behavior to specific conditions.

    + +
    +No +
    providersProviderRef[] +

    Optional. Name of provider(s) to use for span reporting. If a provider is +not specified, the [default tracing +provider][istio.mesh.v1alpha1.MeshConfig.default_providers.tracing] will be +used. NOTE: At the moment, only a single provider can be specified in a +given Tracing rule.

    + +
    +No +
    randomSamplingPercentageDoubleValue +

    Controls the rate at which traffic will be selected for tracing if no +prior sampling decision has been made. If a prior sampling decision has +been made, that decision will be respected. However, if no sampling +decision has been made (example: no x-b3-sampled tracing header was +present in the requests), the traffic will be selected for telemetry +generation at the percentage specified.

    + +

    Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01% +increments.

    + +
    +No +
    disableSpanReportingBoolValue +

    Controls span reporting. If set to true, no spans will be reported for +impacted workloads. This does NOT impact context propagation or trace +sampling behavior.

    + +
    +No +
    customTagsmap<string, CustomTag> +

    Optional. Configures additional custom tags to the generated trace spans.

    + +
    +No +
    +
    +

    ProviderRef

    +
    +

    Used to bind Telemetry configuration to specific providers for +targeted customization.

    + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    namestring +

    Required. Name of Telemetry provider in MeshConfig.

    + +
    +No +
    +
    +

    Metrics

    +
    +

    Metrics defines the workload-level overrides for metrics generation behavior +within a mesh. It can be used to enable/disable metrics generation, as well +as to customize the dimensions of the generated metrics.

    + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    providersProviderRef[] +

    Optional. Name of providers to which this configuration should apply. +If a provider is not specified, the [default metrics +provider][istio.mesh.v1alpha1.MeshConfig.default_providers.metrics] will be +used.

    + +
    +No +
    overridesMetricsOverrides[] +

    Optional. Ordered list of overrides to metrics generation behavior.

    + +

    Specified overrides will be applied in order. They will be applied on +top of inherited overrides from other resources in the hierarchy in the +following order: +1. Mesh-scoped overrides +2. Namespace-scoped overrides +3. Workload-scoped overrides

    + +

    Because overrides are applied in order, users are advised to order their +overrides from least specific to most specific matches. That is, it is +a best practice to list any universal overrides first, with tailored +overrides following them.

    + +
    +No +
    +
    +

    MetricSelector

    +
    +

    Provides a mechanism for matching metrics for the application of override +behaviors.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    metricIstioMetric (oneof) +

    One of the well-known Istio Standard Metrics.

    + +
    +No +
    customMetricstring (oneof) +

    Allows free-form specification of a metric. No validation of custom +metrics is provided.

    + +
    +No +
    modeWorkloadMode +

    Controls which mode of metrics generation is selected: CLIENT and/or +SERVER.

    + +
    +No +
    +
    +

    MetricsOverrides

    +
    +

    MetricsOverrides defines custom metric generation behavior for an individual +metric or the set of all standard metrics.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    matchMetricSelector +

    Match allows provides the scope of the override. It can be used to select +individual metrics, as well as the workload modes (server and/or client) +in which the metrics will be generated.

    + +

    If match is not specified, the overrides will apply to all metrics for +both modes of operation (client and server).

    + +
    +No +
    disabledBoolValue +

    Optional. Must explicitly set this to “true” to turn off metrics reporting +for the listed metrics. If disabled has been set to “true” in a parent +configuration, it must explicitly be set to “false” to turn metrics +reporting on in the workloads selected by the Telemetry resource.

    + +
    +No +
    tagOverridesmap<string, TagOverride> +

    Optional. Collection of tag names and tag expressions to override in the +selected metric(s). +The key in the map is the name of the tag. +The value in the map is the operation to perform on the the tag. +WARNING: some providers may not support adding/removing tags. +See also: https://istio.io/latest/docs/reference/config/metrics/#labels

    + +
    +No +
    +
    +

    AccessLogging

    +
    +

    Access logging defines the workload-level overrides for access log +generation. It can be used to select provider or enable/disable access log +generation for a workload.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    matchLogSelector +

    Allows tailoring of logging behavior to specific conditions.

    + +
    +No +
    providersProviderRef[] +

    Optional. Name of providers to which this configuration should apply. +If a provider is not specified, the [default logging +provider][istio.mesh.v1alpha1.MeshConfig.default_providers.] will be used.

    + +
    +No +
    disabledBoolValue +

    Controls logging. If set to true, no access logs will be generated for +impacted workloads (for the specified providers). +NOTE: currently default behavior will be controlled by the provider(s) +selected above. Customization controls will be added to this API in +future releases.

    + +
    +No +
    filterFilter +

    Optional. If specified, this filter will be used to select specific +requests/connections for logging.

    + +
    +No +
    +
    +

    Tracing.TracingSelector

    +
    +

    TracingSelector provides a coarse-grained ability to configure tracing +behavior based on certain traffic metadata (such as traffic direction).

    + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    modeWorkloadMode +

    This determines whether or not to apply the tracing configuration +based on the direction of traffic relative to the proxied workload.

    + +
    +No +
    +
    +

    Tracing.CustomTag

    +
    +

    CustomTag defines a tag to be added to a trace span that is based on +an operator-supplied value. This value can either be a hard-coded value, +a value taken from an environment variable known to the sidecar proxy, or +from a request header.

    + +

    NOTE: when specified, custom_tags will fully replace any values provided +by parent configuration.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    literalLiteral (oneof) +

    Literal adds the same, hard-coded value to each span.

    + +
    +No +
    environmentEnvironment (oneof) +

    Environment adds the value of an environment variable to each span.

    + +
    +No +
    headerRequestHeader (oneof) +

    RequestHeader adds the value of an header from the request to each +span.

    + +
    +No +
    +
    +

    Tracing.Literal

    +
    + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    valuestring +

    The tag value to use.

    + +
    +No +
    +
    +

    Tracing.Environment

    +
    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    namestring +

    Name of the environment variable from which to extract the tag value.

    + +
    +No +
    defaultValuestring +

    Optional. If the environment variable is not found, this value will be +used instead.

    + +
    +No +
    +
    +

    Tracing.RequestHeader

    +
    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    namestring +

    Name of the header from which to extract the tag value.

    + +
    +No +
    defaultValuestring +

    Optional. If the header is not found, this value will be +used instead.

    + +
    +No +
    +
    +

    MetricsOverrides.TagOverride

    +
    +

    TagOverride specifies an operation to perform on a metric dimension (also +known as a label). Tags may be added, removed, or have their default +values overridden.

    + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    operationOperation +

    Operation controls whether or not to update/add a tag, or to remove it.

    + +
    +No +
    valuestring +

    Value is only considered if the operation is UPSERT. +Values are CEL expressions over +attributes. Examples include: “string(destination.port)” and +“request.host”. Istio exposes all standard Envoy +attributes. +Additionally, Istio exposes node metadata as attributes. +More information is provided in the customization +docs.

    + +
    +No +
    +
    +

    AccessLogging.LogSelector

    +
    +

    LogSelector provides a coarse-grained ability to configure logging behavior +based on certain traffic metadata (such as traffic direction). LogSelector +applies to traffic metadata which is not represented in the attribute set +currently supported by Filters. It allows control planes to limit the +configuration sent to individual workloads. Finer-grained logging behavior +can be further configured via filter.

    + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    modeWorkloadMode +

    This determines whether or not to apply the access logging configuration +based on the direction of traffic relative to the proxied workload.

    + +
    +No +
    +
    +

    AccessLogging.Filter

    +
    +

    Allows specification of an access log filter.

    + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    expressionstring +

    CEL expression for selecting when requests/connections should be logged.

    + +

    Examples:

    + +
      +
    • response.code >= 400
    • +
    • connection.mtls && request.url_path.contains('v1beta3')
    • +
    + +
    +No +
    +
    +

    MetricSelector.IstioMetric

    +
    +

    Curated list of known metric types that is supported by Istio metric +providers. See also: +https://istio.io/latest/docs/reference/config/metrics/#metrics

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameDescription
    ALL_METRICS +

    Use of this enum indicates that the override should apply to all Istio +default metrics.

    + +
    REQUEST_COUNT +

    Counter of requests to/from an application, generated for HTTP, HTTP/2, +and GRPC traffic.

    + +

    The Prometheus provider exports this metric as: istio_requests_total.

    + +

    The Stackdriver provider exports this metric as:

    + +
      +
    • istio.io/service/server/request_count (SERVER mode)
    • +
    • istio.io/service/client/request_count (CLIENT mode)
    • +
    + +
    REQUEST_DURATION +

    Histogram of request durations, generated for HTTP, HTTP/2, and GRPC +traffic.

    + +

    The Prometheus provider exports this metric as: +istio_request_duration_milliseconds.

    + +

    The Stackdriver provider exports this metric as:

    + +
      +
    • istio.io/service/server/response_latencies (SERVER mode)
    • +
    • istio.io/service/client/roundtrip_latencies (CLIENT mode)
    • +
    + +
    REQUEST_SIZE +

    Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC +traffic.

    + +

    The Prometheus provider exports this metric as: istio_request_bytes.

    + +

    The Stackdriver provider exports this metric as:

    + +
      +
    • istio.io/service/server/request_bytes (SERVER mode)
    • +
    • istio.io/service/client/request_bytes (CLIENT mode)
    • +
    + +
    RESPONSE_SIZE +

    Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC +traffic.

    + +

    The Prometheus provider exports this metric as: istio_response_bytes.

    + +

    The Stackdriver provider exports this metric as:

    + +
      +
    • istio.io/service/server/response_bytes (SERVER mode)
    • +
    • istio.io/service/client/response_bytes (CLIENT mode)
    • +
    + +
    TCP_OPENED_CONNECTIONS +

    Counter of TCP connections opened over lifetime of workload.

    + +

    The Prometheus provider exports this metric as: +istio_tcp_connections_opened_total.

    + +

    The Stackdriver provider exports this metric as:

    + +
      +
    • istio.io/service/server/connection_open_count (SERVER mode)
    • +
    • istio.io/service/client/connection_open_count (CLIENT mode)
    • +
    + +
    TCP_CLOSED_CONNECTIONS +

    Counter of TCP connections closed over lifetime of workload.

    + +

    The Prometheus provider exports this metric as: +istio_tcp_connections_closed_total.

    + +

    The Stackdriver provider exports this metric as:

    + +
      +
    • istio.io/service/server/connection_close_count (SERVER mode)
    • +
    • istio.io/service/client/connection_close_count (CLIENT mode)
    • +
    + +
    TCP_SENT_BYTES +

    Counter of bytes sent during a response over a TCP connection.

    + +

    The Prometheus provider exports this metric as: +istio_tcp_sent_bytes_total.

    + +

    The Stackdriver provider exports this metric as:

    + +
      +
    • istio.io/service/server/sent_bytes_count (SERVER mode)
    • +
    • istio.io/service/client/sent_bytes_count (CLIENT mode)
    • +
    + +
    TCP_RECEIVED_BYTES +

    Counter of bytes received during a request over a TCP connection.

    + +

    The Prometheus provider exports this metric as: +istio_tcp_received_bytes_total.

    + +

    The Stackdriver provider exports this metric as:

    + +
      +
    • istio.io/service/server/received_bytes_count (SERVER mode)
    • +
    • istio.io/service/client/received_bytes_count (CLIENT mode)
    • +
    + +
    GRPC_REQUEST_MESSAGES +

    Counter incremented for every gRPC messages sent from a client.

    + +

    The Prometheus provider exports this metric as: +istio_request_messages_total

    + +
    GRPC_RESPONSE_MESSAGES +

    Counter incremented for every gRPC messages sent from a server.

    + +

    The Prometheus provider exports this metric as: +istio_response_messages_total

    + +
    +
    +

    MetricsOverrides.TagOverride.Operation

    +
    + + + + + + + + + + + + + + + + + +
    NameDescription
    UPSERT +

    Insert or Update the tag with the provided value expression. The +value field MUST be specified if UPSERT is used as the operation.

    + +
    REMOVE +

    Specifies that the tag should not be included in the metric when +generated.

    + +
    +
    +

    WorkloadMode

    +
    +

    WorkloadMode allows selection of the role of the underlying workload in +network traffic. A workload is considered as acting as a SERVER if it is +the destination of the traffic (that is, traffic direction, from the +perspective of the workload is inbound). If the workload is the source of +the network traffic, it is considered to be in CLIENT mode (traffic is +outbound from the workload).

    + + + + + + + + + + + + + + + + + + + + + + +
    NameDescription
    CLIENT_AND_SERVER +

    Selects for scenarios when the workload is either the +source or destination of the network traffic.

    + +
    CLIENT +

    Selects for scenarios when the workload is the +source of the network traffic.

    + +
    SERVER +

    Selects for scenarios when the workload is the +destination of the network traffic.

    + +
    +
    diff --git a/scripts/grab_reference_docs_zh.sh b/scripts/grab_reference_docs_zh.sh
    new file mode 100755
    index 0000000000000..2f24b524c6f28
    --- /dev/null
    +++ b/scripts/grab_reference_docs_zh.sh
    @@ -0,0 +1,192 @@
    +#!/bin/bash
    +
    +# Copyright Istio Authors
    +#
    +# Licensed under the Apache License, Version 2.0 (the "License");
    +# you may not use this file except in compliance with the License.
    +# You may obtain a copy of the License at
    +#
    +# http://www.apache.org/licenses/LICENSE-2.0
    +#
    +# Unless required by applicable law or agreed to in writing, software
    +# distributed under the License is distributed on an "AS IS" BASIS,
    +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +# See the License for the specific language governing permissions and
    +# limitations under the License.
    +
    +# This script copies generated .pb.html files, which contain reference docs for protos, and installs
    +# them in their targeted location within the content/en/docs/reference tree of this repo. Each .pb.html file contains a
    +# line that indicates the target directory location. The line is of the form:
    +#
    +# location: https://istio.io/docs/reference/...
    +#
    +# Additionally, this script also builds Istio components and runs them to extract their command-line docs which it
    +# copies to content/en/docs/reference/commands.
    +
    +if [[ "$1" != "" ]]; then
    + SOURCE_BRANCH_NAME="$1"
    +else
    + SOURCE_BRANCH_NAME="master"
    +fi
    +
    +if [[ "$2" != "" ]]; then
    + ISTIO_API_GIT_SOURCE="$2"
    +fi
    +
    +# The repos to mine for docs, just add new entries here to pull in more repos.
    +REPOS=(
    + https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"
    + https://github.com/istio/api.git@"${SOURCE_BRANCH_NAME}"
    + https://github.com/istio/proxy.git@"${SOURCE_BRANCH_NAME}"
    +)
    +
    +# The components to build and extract usage docs from. 
    +COMPONENTS=(
    + https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@istioctl/cmd/istioctl@istioctl
    + https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@pilot/cmd/pilot-agent@pilot-agent
    + https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@pilot/cmd/pilot-discovery@pilot-discovery
    + https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@operator/cmd/operator@operator
    + https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@cni/cmd/install-cni@install-cni
    +)
    +
    +# The repo to fetch config analysis message data from
    +CONFIG_ANALYSIS_MESSAGE_REPO="https://github.com/istio/istio.git@${SOURCE_BRANCH_NAME}@pkg/config/analysis/msg/messages.yaml"
    +
    +SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
    +ROOTDIR=$(dirname "${SCRIPTPATH}")
    +
    +WORK_DIR="$(mktemp -d)"
    +COMP_OUTPUT_DIR="${ROOTDIR}/content/zh/docs/reference/commands"
    +
    +export GOOS=linux
    +export GOARCH=amd64
    +
    +echo "WORK_DIR =" "${WORK_DIR}"
    +
    +#####################
    +
    +# Given the name of a .pb.html file, extracts the $location marker and then proceeds to
    +# copy the file to the corresponding content/en/docs/ hierarchy. 
    +locate_file() {
    + FILENAME=$1
    +
    + LOCATION=$(grep '^location: https://istio.io/docs' "${FILENAME}")
    + LEN=${#LOCATION}
    + if [[ ${LEN} -eq 0 ]]; then
    + echo " No 'location:' tag in $FILENAME, skipping"
    + return
    + fi
    +
    + FNP=${LOCATION:31}
    + FN=$(echo "${FNP}" | rev | cut -d'/' -f1 | rev)
    + FN=${FN%.html}
    + PP=$(echo "${FNP}" | rev | cut -d'/' -f2- | rev)
    + mkdir -p "${ROOTDIR}/content/zh/docs${PP}/${FN}"
    + sed -E -e 's/(href="https:\/\/istio.io.*)\.html/\1\//' -e 's/href="https:\/\/istio.io(\/[^vV])/href="\1/g' -e 's/href="\/latest\/zh\//href="\/zh\//g' -e 's/href="\/docs\//href="\/zh\/docs\//g' -e 's/\[\/docs\//\[\/zh\/docs\//g' "${FILENAME}" >"${ROOTDIR}/content/zh/docs${PP}/${FN}/index.html"
    +
    + LEN=${#WORK_DIR}
    +
    + if [[ "${REPO_URL}" != "https://github.com/istio/istio.git" && "${REPO_URL}" != "https://github.com/istio/api.git" && "${REPO_URL}" != "https://github.com/istio/proxy.git" ]]; then
    + sed -i -e 's/layout: protoc-gen-docs/layout: partner-component/g' "${ROOTDIR}/content/zh/docs${PP}/${FN}/index.html"
    + fi
    +
    + REPOX=${REPO_URL/.git/}
    + REPOX=${REPOX//\//\\\/}
    +
    + sed -i -e "s/title: /WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. 
    PLEASE MODIFY THE ORIGINAL SOURCE IN THE '${REPOX}' REPO\ntitle: /g" "${ROOTDIR}/content/zh/docs${PP}/${FN}/index.html"
    + sed -i -e "s/title: /source_repo: ${REPOX}\ntitle: /g" "${ROOTDIR}/content/zh/docs${PP}/${FN}/index.html"
    +}
    +
    +handle_feature_status_scraping() {
    + curl "https://raw.githubusercontent.com/istio/enhancements/${SOURCE_BRANCH_NAME}/features.yaml" -o "${ROOTDIR}/data/features.yaml"
    +}
    +
    +handle_doc_scraping() {
    + for repo in "${REPOS[@]}"; do
    + if [[ "$repo" == https://github.com/istio/api.git* ]]; then
    + repo="${ISTIO_API_GIT_SOURCE:-$repo}"
    + fi
    +
    + REPO_URL=$(echo "$repo" | cut -d @ -f 1)
    + REPO_BRANCH=$(echo "$repo" | cut -d @ -f 2)
    + DEST_DIR=${REPO_URL//\//_}
    +
    + echo " INPUT REPO: ${REPO_URL}@${REPO_BRANCH}"
    +
    + git clone --depth=1 -q -b "${REPO_BRANCH}" "${REPO_URL}" "${DEST_DIR}"
    +
    + # delete the vendor directory so we don't get .pb.html out of there
    + rm -fr "${DEST_DIR}/vendor"
    +
    + find "${DEST_DIR}" -type f -name '*.pb.html' -print0 | while IFS= read -r -d '' f; do
    + locate_file "${f}"
    + done
    +
    + rm -fr "${DEST_DIR}"
    + done
    +}
    +
    +handle_components() {
    + for comp in "${COMPONENTS[@]}"; do
    + REPO_URL=$(echo "${comp}" | cut -d @ -f 1)
    + REPO_BRANCH=$(echo "${comp}" | cut -d @ -f 2)
    + REPO_NAME=$(echo "${REPO_URL}" | cut -d / -f 5 | cut -d . -f 1)
    + COMP_PATH=$(echo "${comp}" | cut -d @ -f 3)
    + COMP_NAME=$(echo "${comp}" | cut -d @ -f 4)
    +
    + echo " COMPONENT: ${COMP_NAME} from ${REPO_URL}@${REPO_BRANCH}"
    +
    + git clone --depth=1 -q -b "${REPO_BRANCH}" "${REPO_URL}"
    +
    + pushd "${REPO_NAME}" >/dev/null || exit
    + pushd "${COMP_PATH}" >/dev/null || exit
    +
    + go build -o "${COMP_NAME}"
    + mkdir -p "${COMP_OUTPUT_DIR}/${COMP_NAME}"
    + "./${COMP_NAME}" collateral -o "${COMP_OUTPUT_DIR}/${COMP_NAME}" --html_fragment_with_front_matter
    + mv "${COMP_OUTPUT_DIR}/${COMP_NAME}/${COMP_NAME}.html" "${COMP_OUTPUT_DIR}/${COMP_NAME}/index.html"
    + rm -fr "${COMP_NAME}"
    +
    + sed -i -e "s/title: /WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. 
    PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https:\/\/github.com\/istio\/istio' REPO\ntitle: /g" "${COMP_OUTPUT_DIR}/${COMP_NAME}/index.html"
    + sed -i -e "s/title: /source_repo: https:\/\/github.com\/istio\/istio\ntitle: /g" "${COMP_OUTPUT_DIR}/${COMP_NAME}/index.html"
    +
    + popd >/dev/null || exit
    + popd >/dev/null || exit
    +
    + rm -fr "${REPO_NAME}"
    + done
    +}
    +
    +handle_config_analysis_messages() {
    + REPO_URL=$(echo "${CONFIG_ANALYSIS_MESSAGE_REPO}" | cut -d @ -f 1)
    + REPO_BRANCH=$(echo "${CONFIG_ANALYSIS_MESSAGE_REPO}" | cut -d @ -f 2)
    + REPO_NAME=$(echo "${REPO_URL}" | cut -d / -f 5 | cut -d . -f 1)
    + FILE_PATH=$(echo "${CONFIG_ANALYSIS_MESSAGE_REPO}" | cut -d @ -f 3)
    +
    + git clone --depth=1 -q -b "${REPO_BRANCH}" "${REPO_URL}"
    +
    + pushd "${REPO_NAME}" >/dev/null || exit
    + cp "${FILE_PATH}" "${ROOTDIR}/data/analysis.yaml"
    + popd >/dev/null || exit
    +
    + rm -fr "${REPO_NAME}"
    +}
    +
    +# delete all the existing generated files so that any stale files are removed
    +find "${ROOTDIR}/content/zh/docs/reference" -name '*.html' -type f -print0 | xargs -0 rm 2>/dev/null
    +
    +# Prepare the work directory
    +mkdir -p "${WORK_DIR}"
    +pushd "${WORK_DIR}" >/dev/null || exit
    +
    +echo "Handling doc scraping"
    +handle_doc_scraping
    +
    +echo "Handling component docs"
    +handle_components
    +
    +echo "Fetching config analysis data"
    +handle_config_analysis_messages
    +
    +echo "Handling feature status"
    +handle_feature_status_scraping
    \ No newline at end of file
    From 2b925487849f37ac780356d3177d0bc5f18aafda Mon Sep 17 00:00:00 2001
    From: Eric Van Norman Date: Mon, 2 May 2022 11:05:00 -0500 Subject: [PATCH 2/2] Update grab_reference_docs.sh to do both `en` and `zh`.
    --- scripts/grab_reference_docs.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
    diff --git a/scripts/grab_reference_docs.sh b/scripts/grab_reference_docs.sh
    index 1f9386768beb4..8e3660b8f42c0 100755
    --- a/scripts/grab_reference_docs.sh
    +++ b/scripts/grab_reference_docs.sh
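Review bot: No `set -euo pipefail` (or equivalent) follows the shebang, so a failed `git clone`, `go build` or `curl` is not fatal and the run continues after `find "${ROOTDIR}/content/zh/docs/reference" … | xargs -0 rm` has already wiped the existing tree, leaving a partially regenerated `content/zh` and a zero exit status that hides it. `handle_feature_status_scraping` also calls `curl` without `--fail`, so an HTTP 404 for an unknown `SOURCE_BRANCH_NAME` saves the error body as `data/features.yaml`; `curl -fsSL "<url>" -o "<dest>" || exit 1` would surface it. The header comment still says the files land in `content/en/docs/reference` and `content/en/docs/reference/commands` while every path in this script is under `content/zh`, so the comment should say `zh`. Since the second patch in this series teaches `grab_reference_docs.sh` to write both trees, keeping this near-duplicate script means two copies of the same long `sed` rewrite chain to maintain.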
    @@ -57,6 +57,7 @@ ROOTDIR=$(dirname "${SCRIPTPATH}")
     WORK_DIR="$(mktemp -d)"
     COMP_OUTPUT_DIR="${ROOTDIR}/content/en/docs/reference/commands"
    +COMP_OUTPUT_DIR_ZH="${ROOTDIR}/content/zh/docs/reference/commands"
     export GOOS=linux
     export GOARCH=amd64
    @@ -82,12 +83,15 @@ locate_file() {
     FN=${FN%.html}
     PP=$(echo "${FNP}" | rev | cut -d'/' -f2- | rev)
     mkdir -p "${ROOTDIR}/content/en/docs${PP}/${FN}"
    + mkdir -p "${ROOTDIR}/content/zh/docs${PP}/${FN}"
     sed -E -e 's/(href="https:\/\/istio.io.*)\.html/\1\//' -e 's/href="https:\/\/istio.io(\/[^vV])/href="\1/g' -e 's/href="\/latest\//href="\//g' "${FILENAME}" >"${ROOTDIR}/content/en/docs${PP}/${FN}/index.html"
    + sed -E -e 's/(href="https:\/\/istio.io.*)\.html/\1\//' -e 's/href="https:\/\/istio.io(\/[^vV])/href="\1/g' -e 's/href="\/latest\/zh\//href="\/zh\//g' -e 's/href="\/docs\//href="\/zh\/docs\//g' -e 's/\[\/docs\//\[\/zh\/docs\//g' "${FILENAME}" >"${ROOTDIR}/content/zh/docs${PP}/${FN}/index.html"
     LEN=${#WORK_DIR}
     if [[ "${REPO_URL}" != "https://github.com/istio/istio.git" && "${REPO_URL}" != "https://github.com/istio/api.git" && "${REPO_URL}" != "https://github.com/istio/proxy.git" ]]; then
     sed -i -e 's/layout: protoc-gen-docs/layout: partner-component/g' "${ROOTDIR}/content/en/docs${PP}/${FN}/index.html"
    + sed -i -e 's/layout: protoc-gen-docs/layout: partner-component/g' "${ROOTDIR}/content/zh/docs${PP}/${FN}/index.html"
     fi
     REPOX=${REPO_URL/.git/} 
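Review bot: The zh `sed` chain added after the en one only rewrites `href="/latest/zh/` and `href="/docs/`, whereas the en chain strips every `href="/latest/` prefix; if the generated .pb.html files contain `href="/latest/docs/…"` links (the case the en rule exists for), the zh copy leaves them pointing at `/latest/docs/` instead of `/zh/docs/`. Using the en rule in place of the `/latest/zh/` one, i.e. `-e 's/href="\/latest\//href="\//g' -e 's/href="\/docs\//href="\/zh\/docs\//g'`, handles both forms because the second rule then sees the stripped path, and it still maps `/latest/zh/` to `/zh/`. The two chains differ only in their trailing rules, so a shared pass producing the en file followed by a short zh-specific pass over a copy would avoid maintaining the long expression twice. `locate_file` continues in the next hunk, outside this one.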
    @@ -95,6 +99,8 @@ locate_file() {
     sed -i -e "s/title: /WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE '${REPOX}' REPO\ntitle: /g" "${ROOTDIR}/content/en/docs${PP}/${FN}/index.html"
     sed -i -e "s/title: /source_repo: ${REPOX}\ntitle: /g" "${ROOTDIR}/content/en/docs${PP}/${FN}/index.html"
    + sed -i -e "s/title: /WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE '${REPOX}' REPO\ntitle: /g" "${ROOTDIR}/content/zh/docs${PP}/${FN}/index.html"
    + sed -i -e "s/title: /source_repo: ${REPOX}\ntitle: /g" "${ROOTDIR}/content/zh/docs${PP}/${FN}/index.html"
     }
     handle_feature_status_scraping() {
    @@ -144,11 +150,14 @@ handle_components() {
     go build -o "${COMP_NAME}"
     mkdir -p "${COMP_OUTPUT_DIR}/${COMP_NAME}"
     "./${COMP_NAME}" collateral -o "${COMP_OUTPUT_DIR}/${COMP_NAME}" --html_fragment_with_front_matter
    - mv "${COMP_OUTPUT_DIR}/${COMP_NAME}/${COMP_NAME}.html" "${COMP_OUTPUT_DIR}/${COMP_NAME}/index.html"
    + cp "${COMP_OUTPUT_DIR}/${COMP_NAME}/${COMP_NAME}.html" "${COMP_OUTPUT_DIR}/${COMP_NAME}/index.html"
    + mv "${COMP_OUTPUT_DIR}/${COMP_NAME}/${COMP_NAME}.html" "${COMP_OUTPUT_DIR_ZH}/${COMP_NAME}/index.html"
     rm -fr "${COMP_NAME}"
     sed -i -e "s/title: /WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https:\/\/github.com\/istio\/istio' REPO\ntitle: /g" "${COMP_OUTPUT_DIR}/${COMP_NAME}/index.html"
     sed -i -e "s/title: /source_repo: https:\/\/github.com\/istio\/istio\ntitle: /g" "${COMP_OUTPUT_DIR}/${COMP_NAME}/index.html"
    + sed -i -e "s/title: /WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https:\/\/github.com\/istio\/istio' REPO\ntitle: /g" "${COMP_OUTPUT_DIR_ZH}/${COMP_NAME}/index.html"
    + sed -i -e "s/title: /source_repo: https:\/\/github.com\/istio\/istio\ntitle: /g" "${COMP_OUTPUT_DIR_ZH}/${COMP_NAME}/index.html"
     popd >/dev/null || exit
     popd >/dev/null || exit 
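Review bot: The new `mv` into `"${COMP_OUTPUT_DIR_ZH}/${COMP_NAME}/index.html"` has no matching `mkdir -p`; only `${COMP_OUTPUT_DIR}/${COMP_NAME}` is created two lines above, so on a fresh checkout, or for a component whose zh directory does not exist yet (the `find … | xargs -0 rm` at the end of the file deletes only `.html` files, never directories), the `mv` fails and the two zh `sed -i` calls that follow operate on a missing file. Add `mkdir -p "${COMP_OUTPUT_DIR_ZH}/${COMP_NAME}"` next to the existing `mkdir -p "${COMP_OUTPUT_DIR}/${COMP_NAME}"`. Whether the script aborts on that failure cannot be seen from this hunk; the `mv` it replaces had the same unchecked form. The `handle_components` loop begins and ends outside the hunk.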
    @@ -174,6 +183,7 @@ handle_config_analysis_messages() {
     # delete all the existing generated files so that any stale files are removed
     find "${ROOTDIR}/content/en/docs/reference" -name '*.html' -type f -print0 | xargs -0 rm 2>/dev/null
    +find "${ROOTDIR}/content/zh/docs/reference" -name '*.html' -type f -print0 | xargs -0 rm 2>/dev/null
     # Prepare the work directory
     mkdir -p "${WORK_DIR}"