| apiVersion: apps/v1 |
| kind: Deployment |
| metadata: |
| labels: |
| app: istiod |
| istio: pilot |
| istio.io/rev: default |
| release: istio |
| name: istiod |
| namespace: istio-system |
| spec: |
| replicas: 2 |
| selector: |
| matchLabels: |
| istio: pilot |
| strategy: |
| rollingUpdate: |
| maxSurge: 100% |
| maxUnavailable: 50% |
| template: |
| metadata: |
| annotations: |
| sidecar.istio.io/inject: "false" |
| labels: |
| app: istiod |
| istio: pilot |
| istio.io/rev: default |
| spec: |
| containers: |
| - args: |
| - discovery |
| - --monitoringAddr=:15014 |
| - --log_output_level=default:info |
| - --domain |
| - cluster.local |
| - --trust-domain=cluster.local |
| - --keepaliveMaxServerConnectionAge |
| # MODIFIED: Doing this every 30 min would kill a lot of longrunning clones/fetches |
| - 24h |
| env: |
| - name: REVISION |
| value: default |
| - name: JWT_POLICY |
| value: first-party-jwt |
| - name: PILOT_CERT_PROVIDER |
| value: istiod |
| - name: POD_NAME |
| valueFrom: |
| fieldRef: |
| apiVersion: v1 |
| fieldPath: metadata.name |
| - name: POD_NAMESPACE |
| valueFrom: |
| fieldRef: |
| apiVersion: v1 |
| fieldPath: metadata.namespace |
| - name: SERVICE_ACCOUNT |
| valueFrom: |
| fieldRef: |
| apiVersion: v1 |
| fieldPath: spec.serviceAccountName |
| - name: PILOT_TRACE_SAMPLING |
| value: "1" |
| - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND |
| value: "true" |
| - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND |
| value: "true" |
| - name: INJECTION_WEBHOOK_CONFIG_NAME |
| value: istio-sidecar-injector |
| - name: ISTIOD_ADDR |
| value: istiod.istio-system.svc:15012 |
| - name: PILOT_ENABLE_ANALYSIS |
| value: "false" |
| - name: CLUSTER_ID |
| value: Kubernetes |
| - name: CENTRAL_ISTIOD |
| value: "false" |
| image: docker.io/istio/pilot:1.6.3 |
| name: discovery |
| ports: |
| - containerPort: 8080 |
| - containerPort: 15010 |
| - containerPort: 15017 |
| - containerPort: 15053 |
| readinessProbe: |
| httpGet: |
| path: /ready |
| port: 8080 |
| initialDelaySeconds: 1 |
| periodSeconds: 3 |
| timeoutSeconds: 5 |
| resources: |
| requests: |
| cpu: 500m |
| memory: 2048Mi |
| securityContext: |
| capabilities: |
| drop: |
| - ALL |
| runAsGroup: 1337 |
| runAsNonRoot: true |
| runAsUser: 1337 |
| volumeMounts: |
| - mountPath: /etc/istio/config |
| name: config-volume |
| - mountPath: /var/run/secrets/istio-dns |
| name: local-certs |
| - mountPath: /etc/cacerts |
| name: cacerts |
| readOnly: true |
| - mountPath: /var/lib/istio/inject |
| name: inject |
| readOnly: true |
| nodeSelector: {} |
| securityContext: |
| fsGroup: 1337 |
| serviceAccountName: istiod-service-account |
| tolerations: [] |
| volumes: |
| - emptyDir: |
| medium: Memory |
| name: local-certs |
| - name: cacerts |
| secret: |
| optional: true |
| secretName: cacerts |
| - configMap: |
| name: istio-sidecar-injector |
| optional: true |
| name: inject |
| - configMap: |
| name: istio |
| name: config-volume |