Google Git
Sign in
gerrit / k8s-gerrit / 90beee4834d43ffe8a197601950b0c8f55fe1c11 / . / istio / src / Base / Base.yaml
blob: 61cf3d0161e0cc1f30fa38bc17c9a93b70488a33 [file] [log] [blame]
# Resources for Base component
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-istio-system
labels:
app: istiod
release: istio
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# ingress controller
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-istio-system
labels:
app: istio-reader
release: istio
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-istio-system
labels:
app: istio-reader
release: istio
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-istio-system
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: istio-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-istio-system
labels:
app: istiod
release: istio
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-istio-system
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: istio-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod-istio-system
namespace: istio-system
labels:
app: istiod
release: istio
rules:
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod-istio-system
namespace: istio-system
labels:
app: istiod
release: istio
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod-istio-system
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: istio-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-reader-service-account
namespace: istio-system
labels:
app: istio-reader
release: istio
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: istiod-service-account
namespace: istio-system
labels:
app: istiod
release: istio
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: istiod-istio-system
labels:
app: istiod
release: istio
istio: istiod
webhooks:
- name: validation.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/validate"
caBundle: "" # patched at runtime when the webhook is ready.
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: destinationrules.networking.istio.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.host
description: The name of a service from the service registry
name: Host
type: string
- JSONPath: .metadata.creationTimestamp
description: 'CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
name: Age
type: date
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: DestinationRule
listKind: DestinationRuleList
plural: destinationrules
shortNames:
- dr
singular: destinationrule
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting load balancing, outlier detection,
etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
properties:
exportTo:
description: A list of namespaces to which this destination rule is
exported.
items:
format: string
type: string
type: array
host:
description: The name of a service from the service registry.
format: string
type: string
subsets:
items:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
name:
description: Name of the subset.
format: string
type: string
trafficPolicy:
description: Traffic policies that apply to this subset.
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should
be upgraded to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP requests
to a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection
pool connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per connection
to a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
useClientProtocol:
description: If set to true, client protocol will
be preserved while initiating connection to backend.
type: boolean
type: object
tcp:
description: Settings common to both HTTP and TCP upstream
connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on the socket
to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive
probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer algorithms.
oneOf:
- not:
anyOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- not:
anyOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
required:
- consistentHash
- required:
- simple
- properties:
consistentHash:
oneOf:
- not:
anyOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
httpQueryParameterName:
description: Hash based on a specific HTTP query parameter.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
localityLbSetting:
properties:
distribute:
description: 'Optional: only one of distribute or
failover can be set.'
items:
properties:
from:
description: Originating locality, '/' separated,
e.g.
format: string
type: string
to:
additionalProperties:
type: integer
description: Map of upstream localities to traffic
distribution weights.
type: object
type: object
type: array
enabled:
description: enable locality load balancing, this
is DestinationRule-level and will override mesh
wide settings in entirety.
nullable: true
type: boolean
failover:
description: 'Optional: only failover or distribute
can be set.'
items:
properties:
from:
description: Originating region.
format: string
type: string
to:
format: string
type: string
type: object
type: array
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
nullable: true
type: integer
consecutiveErrors:
format: int32
type: integer
consecutiveGatewayErrors:
description: Number of gateway errors before a host is
ejected from the connection pool.
nullable: true
type: integer
interval:
description: Time interval between ejection sweep analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
portLevelSettings:
description: Traffic policies specific to individual ports.
items:
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should
be upgraded to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP
requests to a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a
backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection
pool connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per
connection to a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
useClientProtocol:
description: If set to true, client protocol
will be preserved while initiating connection
to backend.
type: boolean
type: object
tcp:
description: Settings common to both HTTP and TCP
upstream connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on
the socket to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive
probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer
algorithms.
oneOf:
- not:
anyOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- not:
anyOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
required:
- consistentHash
- required:
- simple
- properties:
consistentHash:
oneOf:
- not:
anyOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
httpQueryParameterName:
description: Hash based on a specific HTTP query
parameter.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
localityLbSetting:
properties:
distribute:
description: 'Optional: only one of distribute
or failover can be set.'
items:
properties:
from:
description: Originating locality, '/'
separated, e.g.
format: string
type: string
to:
additionalProperties:
type: integer
description: Map of upstream localities
to traffic distribution weights.
type: object
type: object
type: array
enabled:
description: enable locality load balancing,
this is DestinationRule-level and will override
mesh wide settings in entirety.
nullable: true
type: boolean
failover:
description: 'Optional: only failover or distribute
can be set.'
items:
properties:
from:
description: Originating region.
format: string
type: string
to:
format: string
type: string
type: object
type: array
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutive5xxErrors:
description: Number of 5xx errors before a host
is ejected from the connection pool.
nullable: true
type: integer
consecutiveErrors:
format: int32
type: integer
consecutiveGatewayErrors:
description: Number of gateway errors before a host
is ejected from the connection pool.
nullable: true
type: integer
interval:
description: Time interval between ejection sweep
analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
port:
properties:
number:
type: integer
type: object
tls:
description: TLS related settings for connections to
the upstream service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
credentialName:
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server
during TLS handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: array
tls:
description: TLS related settings for connections to the upstream
service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
credentialName:
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server during
TLS handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: object
type: array
trafficPolicy:
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should be upgraded
to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP requests to
a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection pool
connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per connection to
a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
useClientProtocol:
description: If set to true, client protocol will be preserved
while initiating connection to backend.
type: boolean
type: object
tcp:
description: Settings common to both HTTP and TCP upstream connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections to
a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on the socket
to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer algorithms.
oneOf:
- not:
anyOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- not:
anyOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
required:
- consistentHash
- required:
- simple
- properties:
consistentHash:
oneOf:
- not:
anyOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
httpQueryParameterName:
description: Hash based on a specific HTTP query parameter.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
localityLbSetting:
properties:
distribute:
description: 'Optional: only one of distribute or failover
can be set.'
items:
properties:
from:
description: Originating locality, '/' separated,
e.g.
format: string
type: string
to:
additionalProperties:
type: integer
description: Map of upstream localities to traffic
distribution weights.
type: object
type: object
type: array
enabled:
description: enable locality load balancing, this is DestinationRule-level
and will override mesh wide settings in entirety.
nullable: true
type: boolean
failover:
description: 'Optional: only failover or distribute can
be set.'
items:
properties:
from:
description: Originating region.
format: string
type: string
to:
format: string
type: string
type: object
type: array
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected from
the connection pool.
nullable: true
type: integer
consecutiveErrors:
format: int32
type: integer
consecutiveGatewayErrors:
description: Number of gateway errors before a host is ejected
from the connection pool.
nullable: true
type: integer
interval:
description: Time interval between ejection sweep analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
portLevelSettings:
description: Traffic policies specific to individual ports.
items:
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should
be upgraded to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP requests
to a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection
pool connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per connection
to a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
useClientProtocol:
description: If set to true, client protocol will
be preserved while initiating connection to backend.
type: boolean
type: object
tcp:
description: Settings common to both HTTP and TCP upstream
connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on the socket
to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive
probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer algorithms.
oneOf:
- not:
anyOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- not:
anyOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
required:
- consistentHash
- required:
- simple
- properties:
consistentHash:
oneOf:
- not:
anyOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
- required:
- httpQueryParameterName
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
httpQueryParameterName:
description: Hash based on a specific HTTP query parameter.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
localityLbSetting:
properties:
distribute:
description: 'Optional: only one of distribute or
failover can be set.'
items:
properties:
from:
description: Originating locality, '/' separated,
e.g.
format: string
type: string
to:
additionalProperties:
type: integer
description: Map of upstream localities to traffic
distribution weights.
type: object
type: object
type: array
enabled:
description: enable locality load balancing, this
is DestinationRule-level and will override mesh
wide settings in entirety.
nullable: true
type: boolean
failover:
description: 'Optional: only failover or distribute
can be set.'
items:
properties:
from:
description: Originating region.
format: string
type: string
to:
format: string
type: string
type: object
type: array
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
nullable: true
type: integer
consecutiveErrors:
format: int32
type: integer
consecutiveGatewayErrors:
description: Number of gateway errors before a host is
ejected from the connection pool.
nullable: true
type: integer
interval:
description: Time interval between ejection sweep analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
port:
properties:
number:
type: integer
type: object
tls:
description: TLS related settings for connections to the upstream
service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
credentialName:
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server during
TLS handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: array
tls:
description: TLS related settings for connections to the upstream
service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
credentialName:
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server during TLS
handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1alpha3
served: true
storage: true
- name: v1beta1
served: true
storage: false
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: envoyfilters.networking.istio.io
spec:
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: EnvoyFilter
listKind: EnvoyFilterList
plural: envoyfilters
singular: envoyfilter
preserveUnknownFields: true
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Customizing Envoy configuration generated by Istio. See more
details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
properties:
configPatches:
description: One or more patches with match conditions.
items:
properties:
applyTo:
enum:
- INVALID
- LISTENER
- FILTER_CHAIN
- NETWORK_FILTER
- HTTP_FILTER
- ROUTE_CONFIGURATION
- VIRTUAL_HOST
- HTTP_ROUTE
- CLUSTER
- EXTENSION_CONFIG
type: string
match:
description: Match on listener/route configuration/cluster.
oneOf:
- not:
anyOf:
- required:
- listener
- required:
- routeConfiguration
- required:
- cluster
- required:
- listener
- required:
- routeConfiguration
- required:
- cluster
properties:
cluster:
description: Match on envoy cluster attributes.
properties:
name:
description: The exact name of the cluster to match.
format: string
type: string
portNumber:
description: The service port for which this cluster was
generated.
type: integer
service:
description: The fully qualified service name for this
cluster.
format: string
type: string
subset:
description: The subset associated with the service.
format: string
type: string
type: object
context:
description: The specific config generation context to match
on.
enum:
- ANY
- SIDECAR_INBOUND
- SIDECAR_OUTBOUND
- GATEWAY
type: string
listener:
description: Match on envoy listener attributes.
properties:
filterChain:
description: Match a specific filter chain in a listener.
properties:
applicationProtocols:
description: Applies only to sidecars.
format: string
type: string
filter:
description: The name of a specific filter to apply
the patch to.
properties:
name:
description: The filter name to match on.
format: string
type: string
subFilter:
properties:
name:
description: The filter name to match on.
format: string
type: string
type: object
type: object
name:
description: The name assigned to the filter chain.
format: string
type: string
sni:
description: The SNI value used by a filter chain's
match condition.
format: string
type: string
transportProtocol:
description: Applies only to `SIDECAR_INBOUND` context.
format: string
type: string
type: object
name:
description: Match a specific listener by its name.
format: string
type: string
portName:
format: string
type: string
portNumber:
type: integer
type: object
proxy:
description: Match on properties associated with a proxy.
properties:
metadata:
additionalProperties:
format: string
type: string
type: object
proxyVersion:
format: string
type: string
type: object
routeConfiguration:
description: Match on envoy HTTP route configuration attributes.
properties:
gateway:
format: string
type: string
name:
description: Route configuration name to match on.
format: string
type: string
portName:
description: Applicable only for GATEWAY context.
format: string
type: string
portNumber:
type: integer
vhost:
properties:
name:
format: string
type: string
route:
description: Match a specific route within the virtual
host.
properties:
action:
description: Match a route with specific action
type.
enum:
- ANY
- ROUTE
- REDIRECT
- DIRECT_RESPONSE
type: string
name:
format: string
type: string
type: object
type: object
type: object
type: object
patch:
description: The patch to apply along with the operation.
properties:
filterClass:
description: Determines the filter insertion order.
enum:
- UNSPECIFIED
- AUTHN
- AUTHZ
- STATS
type: string
operation:
description: Determines how the patch should be applied.
enum:
- INVALID
- MERGE
- ADD
- REMOVE
- INSERT_BEFORE
- INSERT_AFTER
- INSERT_FIRST
- REPLACE
type: string
value:
description: The JSON config of the object being patched.
type: object
type: object
type: object
type: array
workloadSelector:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1alpha3
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: gateways.networking.istio.io
spec:
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: Gateway
listKind: GatewayList
plural: gateways
shortNames:
- gw
singular: gateway
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting edge load balancer. See more details
at: https://istio.io/docs/reference/config/networking/gateway.html'
properties:
selector:
additionalProperties:
format: string
type: string
type: object
servers:
description: A list of server specifications.
items:
properties:
bind:
format: string
type: string
defaultEndpoint:
format: string
type: string
hosts:
description: One or more hosts exposed by this gateway.
items:
format: string
type: string
type: array
name:
description: An optional name of the server, when set must be
unique across all servers.
format: string
type: string
port:
properties:
name:
description: Label assigned to the port.
format: string
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
format: string
type: string
targetPort:
type: integer
type: object
tls:
description: Set of TLS related options that govern the server's
behavior.
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
cipherSuites:
description: 'Optional: If specified, only support the specified
cipher list.'
items:
format: string
type: string
type: array
credentialName:
format: string
type: string
httpsRedirect:
type: boolean
maxProtocolVersion:
description: 'Optional: Maximum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
minProtocolVersion:
description: 'Optional: Minimum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
mode:
enum:
- PASSTHROUGH
- SIMPLE
- MUTUAL
- AUTO_PASSTHROUGH
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
format: string
type: string
serverCertificate:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
verifyCertificateHash:
items:
format: string
type: string
type: array
verifyCertificateSpki:
items:
format: string
type: string
type: array
type: object
type: object
type: array
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1alpha3
served: true
storage: true
- name: v1beta1
served: true
storage: false
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: serviceentries.networking.istio.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.hosts
description: The hosts associated with the ServiceEntry
name: Hosts
type: string
- JSONPath: .spec.location
description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL
or MESH_INTERNAL)
name: Location
type: string
- JSONPath: .spec.resolution
description: Service discovery mode for the hosts (NONE, STATIC, or DNS)
name: Resolution
type: string
- JSONPath: .metadata.creationTimestamp
description: 'CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
name: Age
type: date
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: ServiceEntry
listKind: ServiceEntryList
plural: serviceentries
shortNames:
- se
singular: serviceentry
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting service registry. See more details
at: https://istio.io/docs/reference/config/networking/service-entry.html'
properties:
addresses:
description: The virtual IP addresses associated with the service.
items:
format: string
type: string
type: array
endpoints:
description: One or more endpoints associated with the service.
items:
properties:
address:
format: string
type: string
labels:
additionalProperties:
format: string
type: string
description: One or more labels associated with the endpoint.
type: object
locality:
description: The locality associated with the endpoint.
format: string
type: string
network:
format: string
type: string
ports:
additionalProperties:
type: integer
description: Set of ports associated with the endpoint.
type: object
serviceAccount:
format: string
type: string
weight:
description: The load balancing weight associated with the endpoint.
type: integer
type: object
type: array
exportTo:
description: A list of namespaces to which this service is exported.
items:
format: string
type: string
type: array
hosts:
description: The hosts associated with the ServiceEntry.
items:
format: string
type: string
type: array
location:
enum:
- MESH_EXTERNAL
- MESH_INTERNAL
type: string
ports:
description: The ports associated with the external service.
items:
properties:
name:
description: Label assigned to the port.
format: string
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
format: string
type: string
targetPort:
type: integer
type: object
type: array
resolution:
description: Service discovery mode for the hosts.
enum:
- NONE
- STATIC
- DNS
type: string
subjectAltNames:
items:
format: string
type: string
type: array
workloadSelector:
description: Applicable only for MESH_INTERNAL services.
properties:
labels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1alpha3
served: true
storage: true
- name: v1beta1
served: true
storage: false
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: sidecars.networking.istio.io
spec:
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: Sidecar
listKind: SidecarList
plural: sidecars
singular: sidecar
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting network reachability of a sidecar.
See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
properties:
egress:
items:
properties:
bind:
format: string
type: string
captureMode:
enum:
- DEFAULT
- IPTABLES
- NONE
type: string
hosts:
items:
format: string
type: string
type: array
port:
description: The port associated with the listener.
properties:
name:
description: Label assigned to the port.
format: string
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
format: string
type: string
targetPort:
type: integer
type: object
type: object
type: array
ingress:
items:
properties:
bind:
description: The IP to which the listener should be bound.
format: string
type: string
captureMode:
enum:
- DEFAULT
- IPTABLES
- NONE
type: string
defaultEndpoint:
format: string
type: string
port:
description: The port associated with the listener.
properties:
name:
description: Label assigned to the port.
format: string
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
format: string
type: string
targetPort:
type: integer
type: object
type: object
type: array
outboundTrafficPolicy:
description: Configuration for the outbound traffic policy.
properties:
egressProxy:
properties:
host:
description: The name of a service from the service registry.
format: string
type: string
port:
description: Specifies the port on the host that is being addressed.
properties:
number:
type: integer
type: object
subset:
description: The name of a subset within the service.
format: string
type: string
type: object
mode:
enum:
- REGISTRY_ONLY
- ALLOW_ANY
type: string
type: object
workloadSelector:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1alpha3
served: true
storage: true
- name: v1beta1
served: true
storage: false
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: virtualservices.networking.istio.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.gateways
description: The names of gateways and sidecars that should apply these routes
name: Gateways
type: string
- JSONPath: .spec.hosts
description: The destination hosts to which traffic is being sent
name: Hosts
type: string
- JSONPath: .metadata.creationTimestamp
description: 'CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
name: Age
type: date
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: VirtualService
listKind: VirtualServiceList
plural: virtualservices
shortNames:
- vs
singular: virtualservice
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting label/content routing, sni routing,
etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
properties:
exportTo:
description: A list of namespaces to which this virtual service is exported.
items:
format: string
type: string
type: array
gateways:
description: The names of gateways and sidecars that should apply these
routes.
items:
format: string
type: string
type: array
hosts:
description: The destination hosts to which traffic is being sent.
items:
format: string
type: string
type: array
http:
description: An ordered list of route rules for HTTP traffic.
items:
properties:
corsPolicy:
description: Cross-Origin Resource Sharing policy (CORS).
properties:
allowCredentials:
nullable: true
type: boolean
allowHeaders:
items:
format: string
type: string
type: array
allowMethods:
description: List of HTTP methods allowed to access the resource.
items:
format: string
type: string
type: array
allowOrigin:
description: The list of origins that are allowed to perform
CORS requests.
items:
format: string
type: string
type: array
allowOrigins:
description: String patterns that match allowed origins.
items:
oneOf:
- not:
anyOf:
- required:
- exact
- required:
- prefix
- required:
- regex
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
format: string
type: string
type: object
type: array
exposeHeaders:
items:
format: string
type: string
type: array
maxAge:
type: string
type: object
delegate:
properties:
name:
description: Name specifies the name of the delegate VirtualService.
format: string
type: string
namespace:
description: Namespace specifies the namespace where the delegate
VirtualService resides.
format: string
type: string
type: object
fault:
description: Fault injection policy to apply on HTTP traffic at
the client side.
properties:
abort:
oneOf:
- not:
anyOf:
- required:
- httpStatus
- required:
- grpcStatus
- required:
- http2Error
- required:
- httpStatus
- required:
- grpcStatus
- required:
- http2Error
properties:
grpcStatus:
format: string
type: string
http2Error:
format: string
type: string
httpStatus:
description: HTTP status code to use to abort the Http
request.
format: int32
type: integer
percentage:
description: Percentage of requests to be aborted with
the error code provided.
properties:
value:
format: double
type: number
type: object
type: object
delay:
oneOf:
- not:
anyOf:
- required:
- fixedDelay
- required:
- exponentialDelay
- required:
- fixedDelay
- required:
- exponentialDelay
properties:
exponentialDelay:
type: string
fixedDelay:
description: Add a fixed delay before forwarding the request.
type: string
percent:
description: Percentage of requests on which the delay
will be injected (0-100).
format: int32
type: integer
percentage:
description: Percentage of requests on which the delay
will be injected.
properties:
value:
format: double
type: number
type: object
type: object
type: object
headers:
properties:
request:
properties:
add:
additionalProperties:
format: string
type: string
type: object
remove:
items:
format: string
type: string
type: array
set:
additionalProperties:
format: string
type: string
type: object
type: object
response:
properties:
add:
additionalProperties:
format: string
type: string
type: object
remove:
items:
format: string
type: string
type: array
set:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
match:
items:
properties:
authority:
oneOf:
- not:
anyOf:
- required:
- exact
- required:
- prefix
- required:
- regex
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
format: string
type: string
type: object
gateways:
description: Names of gateways where the rule should be
applied.
items:
format: string
type: string
type: array
headers:
additionalProperties:
oneOf:
- not:
anyOf:
- required:
- exact
- required:
- prefix
- required:
- regex
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
format: string
type: string
type: object
type: object
ignoreUriCase:
description: Flag to specify whether the URI matching should
be case-insensitive.
type: boolean
method:
oneOf:
- not:
anyOf:
- required:
- exact
- required:
- prefix
- required:
- regex
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
format: string
type: string
type: object
name:
description: The name assigned to a match.
format: string
type: string
port:
description: Specifies the ports on the host that is being
addressed.
type: integer
queryParams:
additionalProperties:
oneOf:
- not:
anyOf:
- required:
- exact
- required:
- prefix
- required:
- regex
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
format: string
type: string
type: object
description: Query parameters for matching.
type: object
scheme:
oneOf:
- not:
anyOf:
- required:
- exact
- required:
- prefix
- required:
- regex
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
format: string
type: string
type: object
sourceLabels:
additionalProperties:
format: string
type: string
type: object
sourceNamespace:
description: Source namespace constraining the applicability
of a rule to workloads in that namespace.
format: string
type: string
uri:
oneOf:
- not:
anyOf:
- required:
- exact
- required:
- prefix
- required:
- regex
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
format: string
type: string
type: object
withoutHeaders:
additionalProperties:
oneOf:
- not:
anyOf:
- required:
- exact
- required:
- prefix
- required:
- regex
- required:
- exact
- required:
- prefix
- required:
- regex
properties:
exact:
format: string
type: string
prefix:
format: string
type: string
regex:
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
format: string
type: string
type: object
description: withoutHeader has the same syntax with the
header, but has opposite meaning.
type: object
type: object
type: array
mirror:
properties:
host:
description: The name of a service from the service registry.
format: string
type: string
port:
description: Specifies the port on the host that is being
addressed.
properties:
number:
type: integer
type: object
subset:
description: The name of a subset within the service.
format: string
type: string
type: object
mirror_percent:
description: Percentage of the traffic to be mirrored by the `mirror`
field.
nullable: true
type: integer
mirrorPercent:
description: Percentage of the traffic to be mirrored by the `mirror`
field.
nullable: true
type: integer
mirrorPercentage:
description: Percentage of the traffic to be mirrored by the `mirror`
field.
properties:
value:
format: double
type: number
type: object
name:
description: The name assigned to the route for debugging purposes.
format: string
type: string
redirect:
description: A HTTP rule can either redirect or forward (default)
traffic.
properties:
authority:
format: string
type: string
redirectCode:
type: integer
uri:
format: string
type: string
type: object
retries:
description: Retry policy for HTTP requests.
properties:
attempts:
description: Number of retries to be allowed for a given request.
format: int32
type: integer
perTryTimeout:
description: Timeout per retry attempt for a given request.
type: string
retryOn:
description: Specifies the conditions under which retry takes
place.
format: string
type: string
retryRemoteLocalities:
description: Flag to specify whether the retries should retry
to other localities.
nullable: true
type: boolean
type: object
rewrite:
description: Rewrite HTTP URIs and Authority headers.
properties:
authority:
description: rewrite the Authority/Host header with this value.
format: string
type: string
uri:
format: string
type: string
type: object
route:
description: A HTTP rule can either redirect or forward (default)
traffic.
items:
properties:
destination:
properties:
host:
description: The name of a service from the service
registry.
format: string
type: string
port:
description: Specifies the port on the host that is
being addressed.
properties:
number:
type: integer
type: object
subset:
description: The name of a subset within the service.
format: string
type: string
type: object
headers:
properties:
request:
properties:
add:
additionalProperties:
format: string
type: string
type: object
remove:
items:
format: string
type: string
type: array
set:
additionalProperties:
format: string
type: string
type: object
type: object
response:
properties:
add:
additionalProperties:
format: string
type: string
type: object
remove:
items:
format: string
type: string
type: array
set:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
weight:
format: int32
type: integer
type: object
type: array
timeout:
description: Timeout for HTTP requests, default is disabled.
type: string
type: object
type: array
tcp:
description: An ordered list of route rules for opaque TCP traffic.
items:
properties:
match:
items:
properties:
destinationSubnets:
description: IPv4 or IPv6 ip addresses of destination with
optional subnet.
items:
format: string
type: string
type: array
gateways:
description: Names of gateways where the rule should be
applied.
items:
format: string
type: string
type: array
port:
description: Specifies the port on the host that is being
addressed.
type: integer
sourceLabels:
additionalProperties:
format: string
type: string
type: object
sourceNamespace:
description: Source namespace constraining the applicability
of a rule to workloads in that namespace.
format: string
type: string
sourceSubnet:
description: IPv4 or IPv6 ip address of source with optional
subnet.
format: string
type: string
type: object
type: array
route:
description: The destination to which the connection should be
forwarded to.
items:
properties:
destination:
properties:
host:
description: The name of a service from the service
registry.
format: string
type: string
port:
description: Specifies the port on the host that is
being addressed.
properties:
number:
type: integer
type: object
subset:
description: The name of a subset within the service.
format: string
type: string
type: object
weight:
format: int32
type: integer
type: object
type: array
type: object
type: array
tls:
items:
properties:
match:
items:
properties:
destinationSubnets:
description: IPv4 or IPv6 ip addresses of destination with
optional subnet.
items:
format: string
type: string
type: array
gateways:
description: Names of gateways where the rule should be
applied.
items:
format: string
type: string
type: array
port:
description: Specifies the port on the host that is being
addressed.
type: integer
sniHosts:
description: SNI (server name indicator) to match on.
items:
format: string
type: string
type: array
sourceLabels:
additionalProperties:
format: string
type: string
type: object
sourceNamespace:
description: Source namespace constraining the applicability
of a rule to workloads in that namespace.
format: string
type: string
type: object
type: array
route:
description: The destination to which the connection should be
forwarded to.
items:
properties:
destination:
properties:
host:
description: The name of a service from the service
registry.
format: string
type: string
port:
description: Specifies the port on the host that is
being addressed.
properties:
number:
type: integer
type: object
subset:
description: The name of a subset within the service.
format: string
type: string
type: object
weight:
format: int32
type: integer
type: object
type: array
type: object
type: array
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1alpha3
served: true
storage: true
- name: v1beta1
served: true
storage: false
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: workloadentries.networking.istio.io
spec:
additionalPrinterColumns:
- JSONPath: .metadata.creationTimestamp
description: 'CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
name: Age
type: date
- JSONPath: .spec.address
description: Address associated with the network endpoint.
name: Address
type: string
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: WorkloadEntry
listKind: WorkloadEntryList
plural: workloadentries
shortNames:
- we
singular: workloadentry
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting VMs onboarded into the mesh. See more
details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
properties:
address:
format: string
type: string
labels:
additionalProperties:
format: string
type: string
description: One or more labels associated with the endpoint.
type: object
locality:
description: The locality associated with the endpoint.
format: string
type: string
network:
format: string
type: string
ports:
additionalProperties:
type: integer
description: Set of ports associated with the endpoint.
type: object
serviceAccount:
format: string
type: string
weight:
description: The load balancing weight associated with the endpoint.
type: integer
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1alpha3
served: true
storage: true
- name: v1beta1
served: true
storage: false
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: workloadgroups.networking.istio.io
spec:
additionalPrinterColumns:
- JSONPath: .metadata.creationTimestamp
description: 'CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
name: Age
type: date
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: WorkloadGroup
listKind: WorkloadGroupList
plural: workloadgroups
shortNames:
- wg
singular: workloadgroup
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Describes a collection of workload instances. See more details
at: https://istio.io/docs/reference/config/networking/workload-group.html'
properties:
metadata:
description: Metadata that will be used for all corresponding `WorkloadEntries`.
properties:
annotations:
additionalProperties:
format: string
type: string
type: object
labels:
additionalProperties:
format: string
type: string
type: object
type: object
probe:
description: '`ReadinessProbe` describes the configuration the user
must provide for healthchecking on their workload.'
oneOf:
- not:
anyOf:
- required:
- httpGet
- required:
- tcpSocket
- required:
- exec
- required:
- httpGet
- required:
- tcpSocket
- required:
- exec
properties:
exec:
description: health is determined by how the command that is executed
exited.
properties:
command:
description: command to run.
items:
format: string
type: string
type: array
type: object
failureThreshold:
description: Minimum consecutive failures for the probe to be considered
failed after having succeeded.
format: int32
type: integer
httpGet:
properties:
host:
description: Host name to connect to, defaults to the pod IP.
format: string
type: string
httpHeaders:
description: headers the proxy will pass on to make the request.
items:
properties:
name:
format: string
type: string
value:
format: string
type: string
type: object
type: array
path:
description: Path to access on the HTTP server.
format: string
type: string
port:
description: port on which the endpoint lives.
type: integer
scheme:
format: string
type: string
type: object
initialDelaySeconds:
description: Number of seconds after the container has started before
readiness probes are initiated.
format: int32
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
format: int32
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to be considered
successful after having failed.
format: int32
type: integer
tcpSocket:
description: health is determined by if the proxy is able to connect.
properties:
host:
format: string
type: string
port:
type: integer
type: object
timeoutSeconds:
description: Number of seconds after which the probe times out.
format: int32
type: integer
type: object
template:
description: Template to be used for the generation of `WorkloadEntry`
resources that belong to this `WorkloadGroup`.
properties:
address:
format: string
type: string
labels:
additionalProperties:
format: string
type: string
description: One or more labels associated with the endpoint.
type: object
locality:
description: The locality associated with the endpoint.
format: string
type: string
network:
format: string
type: string
ports:
additionalProperties:
type: integer
description: Set of ports associated with the endpoint.
type: object
serviceAccount:
format: string
type: string
weight:
description: The load balancing weight associated with the endpoint.
type: integer
type: object
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1alpha3
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app: istio-pilot
chart: istio
heritage: Tiller
istio: security
release: istio
name: authorizationpolicies.security.istio.io
spec:
group: security.istio.io
names:
categories:
- istio-io
- security-istio-io
kind: AuthorizationPolicy
listKind: AuthorizationPolicyList
plural: authorizationpolicies
singular: authorizationpolicy
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration for access control on workloads. See more details
at: https://istio.io/docs/reference/config/security/authorization-policy.html'
oneOf:
- not:
anyOf:
- required:
- provider
- required:
- provider
properties:
action:
description: Optional.
enum:
- ALLOW
- DENY
- AUDIT
- CUSTOM
type: string
provider:
properties:
name:
description: Specifies the name of the extension provider.
format: string
type: string
type: object
rules:
description: Optional.
items:
properties:
from:
description: Optional.
items:
properties:
source:
description: Source specifies the source of a request.
properties:
ipBlocks:
description: Optional.
items:
format: string
type: string
type: array
namespaces:
description: Optional.
items:
format: string
type: string
type: array
notIpBlocks:
description: Optional.
items:
format: string
type: string
type: array
notNamespaces:
description: Optional.
items:
format: string
type: string
type: array
notPrincipals:
description: Optional.
items:
format: string
type: string
type: array
notRemoteIpBlocks:
description: Optional.
items:
format: string
type: string
type: array
notRequestPrincipals:
description: Optional.
items:
format: string
type: string
type: array
principals:
description: Optional.
items:
format: string
type: string
type: array
remoteIpBlocks:
description: Optional.
items:
format: string
type: string
type: array
requestPrincipals:
description: Optional.
items:
format: string
type: string
type: array
type: object
type: object
type: array
to:
description: Optional.
items:
properties:
operation:
description: Operation specifies the operation of a request.
properties:
hosts:
description: Optional.
items:
format: string
type: string
type: array
methods:
description: Optional.
items:
format: string
type: string
type: array
notHosts:
description: Optional.
items:
format: string
type: string
type: array
notMethods:
description: Optional.
items:
format: string
type: string
type: array
notPaths:
description: Optional.
items:
format: string
type: string
type: array
notPorts:
description: Optional.
items:
format: string
type: string
type: array
paths:
description: Optional.
items:
format: string
type: string
type: array
ports:
description: Optional.
items:
format: string
type: string
type: array
type: object
type: object
type: array
when:
description: Optional.
items:
properties:
key:
description: The name of an Istio attribute.
format: string
type: string
notValues:
description: Optional.
items:
format: string
type: string
type: array
values:
description: Optional.
items:
format: string
type: string
type: array
type: object
type: array
type: object
type: array
selector:
description: Optional.
properties:
matchLabels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1beta1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app: istio-pilot
chart: istio
heritage: Tiller
istio: security
release: istio
name: peerauthentications.security.istio.io
spec:
group: security.istio.io
names:
categories:
- istio-io
- security-istio-io
kind: PeerAuthentication
listKind: PeerAuthenticationList
plural: peerauthentications
shortNames:
- pa
singular: peerauthentication
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: PeerAuthentication defines how traffic will be tunneled (or
not) to the sidecar.
properties:
mtls:
description: Mutual TLS settings for workload.
properties:
mode:
description: Defines the mTLS mode used for peer authentication.
enum:
- UNSET
- DISABLE
- PERMISSIVE
- STRICT
type: string
type: object
portLevelMtls:
additionalProperties:
properties:
mode:
description: Defines the mTLS mode used for peer authentication.
enum:
- UNSET
- DISABLE
- PERMISSIVE
- STRICT
type: string
type: object
description: Port specific mutual TLS settings.
type: object
selector:
description: The selector determines the workloads to apply the ChannelAuthentication
on.
properties:
matchLabels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1beta1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app: istio-pilot
chart: istio
heritage: Tiller
istio: security
release: istio
name: requestauthentications.security.istio.io
spec:
group: security.istio.io
names:
categories:
- istio-io
- security-istio-io
kind: RequestAuthentication
listKind: RequestAuthenticationList
plural: requestauthentications
shortNames:
- ra
singular: requestauthentication
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: RequestAuthentication defines what request authentication methods
are supported by a workload.
properties:
jwtRules:
description: Define the list of JWTs that can be validated at the selected
workloads' proxy.
items:
properties:
audiences:
items:
format: string
type: string
type: array
forwardOriginalToken:
description: If set to true, the orginal token will be kept for
the ustream request.
type: boolean
fromHeaders:
description: List of header locations from which JWT is expected.
items:
properties:
name:
description: The HTTP header name.
format: string
type: string
prefix:
description: The prefix that should be stripped before decoding
the token.
format: string
type: string
type: object
type: array
fromParams:
description: List of query parameters from which JWT is expected.
items:
format: string
type: string
type: array
issuer:
description: Identifies the issuer that issued the JWT.
format: string
type: string
jwks:
description: JSON Web Key Set of public keys to validate signature
of the JWT.
format: string
type: string
jwks_uri:
format: string
type: string
jwksUri:
format: string
type: string
outputPayloadToHeader:
format: string
type: string
type: object
type: array
selector:
description: The selector determines the workloads to apply the RequestAuthentication
on.
properties:
matchLabels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
versions:
- name: v1beta1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: istiooperators.install.istio.io
labels:
release: istio
spec:
additionalPrinterColumns:
- JSONPath: .spec.revision
description: Istio control plane revision
name: Revision
type: string
- JSONPath: .status.status
description: IOP current state
type: string
name: Status
- JSONPath: .metadata.creationTimestamp
description: 'CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
name: Age
type: date
group: install.istio.io
names:
kind: IstioOperator
plural: istiooperators
singular: istiooperator
shortNames:
- iop
- io
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
spec:
description: 'Specification of the desired state of the istio control plane resource.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
status:
description: 'Status describes each of istio control plane component status at the current time.
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
versions:
- name: v1alpha1
served: true
storage: true
---