Istio 1.3.0
---
# Source: istio/templates/namespace.yaml
# Control-plane namespace. Injection is disabled here on purpose: the
# control-plane pods themselves must not receive a sidecar.
kind: Namespace
apiVersion: v1
metadata:
  name: istio-system
  labels:
    istio-injection: disabled
---
# Source: istio/charts/istio/charts/galley/templates/poddisruptionbudget.yaml
# NOTE(review): minAvailable: 1 on a deployment that runs a single replica
# (the rendered values below show galley replicaCount 1) means voluntary
# evictions, e.g. node drains, cannot proceed until a second replica exists —
# confirm the intended replica count before relying on this budget.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: istio-system
    istio: galley
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: galley
      release: istio-system
      istio: galley
---
# Source: istio/charts/istio/charts/gateways/templates/poddisruptionbudget.yaml
# Budget for the ingress gateway; with autoscaleMin 1 (see the rendered
# values below) a single replica cannot be voluntarily evicted — confirm.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: istio-system
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  minAvailable: 1
  selector:
    matchLabels:
      release: istio-system
      app: istio-ingressgateway
      istio: ingressgateway
---
# Source: istio/charts/istio/charts/mixer/templates/poddisruptionbudget.yaml
# Budget for the Mixer policy deployment (istio-mixer-type: policy).
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: policy
    chart: mixer
    heritage: Tiller
    release: istio-system
    # quoted so no YAML loader can re-type the version label
    version: "1.3.0"
    istio: mixer
    istio-mixer-type: policy
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: policy
      release: istio-system
      istio: mixer
      istio-mixer-type: policy
---
# Budget for the Mixer telemetry deployment (istio-mixer-type: telemetry);
# rendered from the same mixer poddisruptionbudget template as istio-policy.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: telemetry
    chart: mixer
    heritage: Tiller
    release: istio-system
    # quoted so no YAML loader can re-type the version label
    version: "1.3.0"
    istio: mixer
    istio-mixer-type: telemetry
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: telemetry
      release: istio-system
      istio: mixer
      istio-mixer-type: telemetry
---
# Source: istio/charts/istio/charts/pilot/templates/poddisruptionbudget.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: istio-system
    istio: pilot
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: pilot
      release: istio-system
      istio: pilot
---
# Source: istio/charts/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    app: sidecarInjectorWebhook
    release: istio-system
    istio: sidecar-injector
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: sidecarInjectorWebhook
      release: istio-system
      istio: sidecar-injector
---
# Source: istio/charts/istio/charts/galley/templates/configmap.yaml
# Galley reads the embedded ValidatingWebhookConfiguration from this ConfigMap
# and registers it with the API server. Both webhooks use failurePolicy: Fail,
# so Istio config writes are rejected (not silently admitted) while Galley is
# unreachable — see run.sh in istio-security-custom-resources for the wait.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-galley-configuration
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: istio-system
    istio: galley
data:
  validatingwebhookconfiguration.yaml: |-
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: istio-galley
      labels:
        app: galley
        chart: galley
        heritage: Tiller
        release: istio-system
        istio: galley
    webhooks:
      - name: pilot.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: istio-system
            path: "/admitpilot"
          # empty here; presumably filled in with the serving CA at runtime
          # by Galley — confirm the API server never sees it empty
          caBundle: ""
        rules:
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - config.istio.io
            apiVersions:
              - v1alpha2
            resources:
              - httpapispecs
              - httpapispecbindings
              - quotaspecs
              - quotaspecbindings
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - rbac.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - authentication.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - networking.istio.io
            apiVersions:
              - "*"
            resources:
              - destinationrules
              - envoyfilters
              - gateways
              - serviceentries
              - sidecars
              - virtualservices
        failurePolicy: Fail
        sideEffects: None
      - name: mixer.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: istio-system
            path: "/admitmixer"
          caBundle: ""
        rules:
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - config.istio.io
            apiVersions:
              - v1alpha2
            resources:
              - rules
              - attributemanifests
              - circonuses
              - deniers
              - fluentds
              - kubernetesenvs
              - listcheckers
              - memquotas
              - noops
              - opas
              - prometheuses
              - rbacs
              - solarwindses
              - stackdrivers
              - cloudwatches
              - dogstatsds
              - statsds
              - stdios
              - apikeys
              - authorizations
              - checknothings
              # - kuberneteses
              - listentries
              - logentries
              - metrics
              - quotas
              - reportnothings
              - tracespans
              - adapters
              - handlers
              - instances
              - templates
              - zipkins
        failurePolicy: Fail
        sideEffects: None
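---
# Source: istio/charts/istio/charts/security/templates/configmap.yaml
# Mesh-wide mTLS defaults plus the script that applies them once Galley's
# validating webhook is serving. Change from the original: the path argument
# in run.sh is quoted, so a path containing whitespace is passed as one word
# to kubectl instead of being split.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-security-custom-resources
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
    istio: citadel
data:
  custom-resources.yaml: |-
    # These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
    # they are added to Istio installation yaml for backward compatible. In future, they should be in
    # a separated yaml file so that customer can enable mTLS independent from installation.
    # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
    # An empty mtls block takes the policy's default mode (STRICT in this API version);
    # plaintext from non-sidecar clients is therefore refused by sidecar-enabled services.
    apiVersion: "authentication.istio.io/v1alpha1"
    kind: "MeshPolicy"
    metadata:
      name: "default"
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: istio-system
    spec:
      peers:
        - mtls: {}
    ---
    # Corresponding destination rule to configure client side to use mutual TLS when talking to
    # any service (host) in the mesh.
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: "default"
      namespace: istio-system
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: istio-system
    spec:
      host: "*.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
    ---
    # Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar.
    # Customer should add similar destination rules for other services that don't have sidecar.
    # DISABLE here only removes the Istio-originated TLS; the API server still
    # terminates its own HTTPS, so traffic is not sent in the clear.
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: "api-server"
      namespace: istio-system
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: istio-system
    spec:
      host: "kubernetes.default.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: DISABLE
  run.sh: |-
    #!/bin/sh
    # Applies the custom-resources file given as $1, but only after the
    # istio-galley validating webhook (if registered) has a ready backend,
    # because its failurePolicy is Fail and an early apply would be rejected.
    # set -x echoes every command, including the resource path, to the job log.
    set -x
    if [ "$#" -ne "1" ]; then
      echo "first argument should be path to custom resource yaml"
      exit 1
    fi
    pathToResourceYAML="${1}"
    kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
    if [ "$?" -eq 0 ]; then
      echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
      # Unbounded wait: the job only terminates once the deployment object exists.
      while true; do
        kubectl -n istio-system get deployment istio-galley 2>/dev/null
        if [ "$?" -eq 0 ]; then
          break
        fi
        sleep 1
      done
      kubectl -n istio-system rollout status deployment istio-galley
      if [ "$?" -ne 0 ]; then
        echo "istio-galley deployment rollout status check failed"
        exit 1
      fi
      echo "istio-galley deployment ready for configuration validation"
    fi
    sleep 5
    # Quoted so a path with whitespace reaches kubectl as a single argument.
    kubectl apply -f "${pathToResourceYAML}"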
---
# Source: istio/charts/istio/templates/configmap.yaml
# Mesh-wide proxy configuration read by Pilot and the sidecars. Security-
# relevant choices made here: Mixer policy checks are disabled, outbound
# traffic to unregistered destinations is allowed (ALLOW_ANY), and the
# control-plane connection is mTLS (controlPlaneAuthPolicy: MUTUAL_TLS).
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
    chart: istio
    heritage: Tiller
    release: istio-system
data:
  mesh: |-
    # Set the following variable to true to disable policy checks by the Mixer.
    # Note that metrics will still be reported to the Mixer.
    disablePolicyChecks: true
    # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
    reportBatchMaxEntries: 100
    # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
    reportBatchMaxTime: 1s
    # Set enableTracing to false to disable request tracing.
    enableTracing: true
    # Set accessLogFile to empty string to disable access log.
    accessLogFile: ""
    # If accessLogEncoding is TEXT, value will be used directly as the log format
    # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
    # If AccessLogEncoding is JSON, value will be parsed as map[string]string
    # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
    # Leave empty to use default log format
    accessLogFormat: ""
    # Set accessLogEncoding to JSON or TEXT to configure sidecar access log
    accessLogEncoding: 'TEXT'
    enableEnvoyAccessLogService: false
    mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004
    mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004
    # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
    # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
    # NOTE(review): presumably has no effect while disablePolicyChecks is true — confirm.
    policyCheckFailOpen: false
    # Let Pilot give ingresses the public IP of the Istio ingressgateway
    ingressService: istio-ingressgateway
    # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
    connectTimeout: 10s
    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    protocolDetectionTimeout: 100ms
    # DNS refresh rate for Envoy clusters of type STRICT_DNS
    dnsRefreshRate: 300s
    # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
    # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
    sdsUdsPath: ""
    # The trust domain corresponds to the trust root of a system.
    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    trustDomain: ""
    # Set the default behavior of the sidecar for handling outbound traffic from the application:
    # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
    # services or ServiceEntries for the destination port
    # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
    # as those defined through ServiceEntries
    outboundTrafficPolicy:
      mode: ALLOW_ANY
    localityLbSetting:
      enabled: true
    # The namespace to treat as the administrative root namespace for istio
    # configuration.
    rootnamespace: istio-system
    # Galley MCP endpoint; the mTLS setting keeps config distribution authenticated.
    configSources:
      - address: istio-galley.istio-system.svc:9901
        tlsSettings:
          mode: ISTIO_MUTUAL
    defaultConfig:
      #
      # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters
      # defined in Envoy's configuration file
      connectTimeout: 10s
      #
      ### ADVANCED SETTINGS #############
      # Where should envoy's configuration be stored in the istio-proxy container
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"
      # The pseudo service name used for Envoy.
      serviceCluster: istio-proxy
      # These settings that determine how long an old Envoy
      # process should be kept alive after an occasional reload.
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      #
      # The mode used to redirect inbound connections to Envoy. This setting
      # has no effect on outbound traffic: iptables REDIRECT is always used for
      # outbound connections.
      # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
      # The "REDIRECT" mode loses source addresses during redirection.
      # If "TPROXY", use iptables TPROXY to redirect to Envoy.
      # The "TPROXY" mode preserves both the source and destination IP
      # addresses and ports, so that they can be used for advanced filtering
      # and manipulation.
      # The "TPROXY" mode also configures the sidecar to run with the
      # CAP_NET_ADMIN capability, which is required to use TPROXY.
      #interceptionMode: REDIRECT
      #
      # Port where Envoy listens (on local host) for admin commands
      # You can exec into the istio-proxy container in a pod and
      # curl the admin port (curl http://localhost:15000/) to obtain
      # diagnostic information from Envoy. See
      # https://lyft.github.io/envoy/docs/operations/admin.html
      # for more details
      proxyAdminPort: 15000
      #
      # Set concurrency to a specific number to control the number of Proxy worker threads.
      # If set to 0 (default), then start worker thread for each CPU thread/core.
      concurrency: 2
      #
      tracing:
        zipkin:
          # Address of the Zipkin collector
          address: jaeger-collector.jaeger:9411
      #
      # Mutual TLS authentication between sidecars and istio control plane.
      controlPlaneAuthPolicy: MUTUAL_TLS
      #
      # Address where istio Pilot service is running
      discoveryAddress: istio-pilot.istio-system:15011
  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
  meshNetworks: |-
    networks: {}
--- | |
# Source: istio/charts/istio/templates/sidecar-injector-configmap.yaml | |
apiVersion: v1 | |
kind: ConfigMap | |
metadata: | |
name: istio-sidecar-injector | |
namespace: istio-system | |
labels: | |
app: istio | |
chart: istio | |
heritage: Tiller | |
release: istio-system | |
istio: sidecar-injector | |
data: | |
values: |- | |
{"certmanager":{"enabled":false},"galley":{"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enable
d":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.3.0","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":"jaeger-collector.jaeger:9411"}},"trustDomain":"","useMCP":true},"image":"galley","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","tolerations":[]},"gateways":{"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu"
:"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.3.0","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":"jaeger-collector.jaeger:9411"}},"trustDomain":"","useMCP":true},"istio-egressgateway":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":false,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"labels":{"app":"istio-egressgateway","istio":"egressgateway"},"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"serviceAnnotations":{},"tolerations":[],"type":"ClusterIP"},"istio-ilbgateway":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":false,"labels":{"app":"istio-ilbgateway","istio":"ilbgateway"},"loadBalancerIP":"","nodeSelector":{},"podAnnotations":{},"ports":[{"name":"grpc-pilot-mtls","port":15011},{"name":"grpc-pilot","port":15010},{"name":"tcp-cit
adel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns","port":5353}],"resources":{"requests":{"cpu":"800m","memory":"512Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","secretVolumes":[{"mountPath":"/etc/istio/ilbgateway-certs","name":"ilbgateway-certs","secretName":"istio-ilbgateway-certs"},{"mountPath":"/etc/istio/ilbgateway-ca-certs","name":"ilbgateway-ca-certs","secretName":"istio-ilbgateway-ca-certs"}],"serviceAnnotations":{"cloud.google.com/load-balancer-type":"internal"},"tolerations":[],"type":"LoadBalancer"},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"externalIPs":[],"labels":{"app":"istio-ingressgateway","istio":"ingressgateway"},"loadBalancerIP":"","loadBalancerSourceRanges":[],"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-mixer-grpc-tls","port":15004,"targetPort":15004},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","nodePort":30500,"port":80,"targetPort":80},{"name":"https","nodePort":30501,"port":443},{"name":"tls","port":15443,"targetPort":15443},{"name":"mongo","nodePort":30502,"port":27017,"targetPort":27017},{"name":"mariadb","nodePort":30503,"port":3306,"targetPort":3306},{"name":"sftp","nodePort":30504,"port":22,"targetPort":22}],"resources":{"limits":{"cpu":"2000m","memory":"4096Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sds":{"enabled":false,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/isti
o/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"serviceAnnotations":{},"tolerations":[],"type":"NodePort"}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialD
elaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.3.0","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":"jaeger-collector.jaeger:9411"}},"trustDomain":"","useMCP":true},"grafana":{"enabled":false},"istio_cni":{"enabled":false},"istiocoredns":{"enabled":false},"kiali":{"enabled":false},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stdio":{"enabled":false,"outputAsJson":true},"useAdapterCRDs":false},"env":{"GODEBUG":"gctrace=1","GOMAXPROCS":"6"},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpK
eepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.3.0","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":"jaeger-collector.jaeger:9411"}},"trustDomain":"","useMCP":true},"image":"mixer","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%"},"telemetry":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","resources":{"limits":{"cpu":"4800m","memory":"4G"},"requests":{"cpu":"1000m","memory":"1G"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sessionAffinityEnabled":false},"tolerations":[]},"nodeagent":{"enabled":false,"env":{"CA_ADDR":"istio-citadel:8060","CA_PROVIDER":"Citadel","VALID_TOKEN":true},"image":"node-agent-k8s"},"pilot":{"autoscaleEna
bled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{"GODEBUG":"gctrace=1","PILOT_PUSH_THROTTLE":100},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources
":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.3.0","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":"jaeger-collector.jaeger:9411"}},"trustDomain":"","useMCP":true},"image":"pilot","keepaliveMaxServerConnectionAge":"30m","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"resources":{"requests":{"cpu":"500m","memory":"2048Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sidecar":true,"tolerations":[],"traceSampling":100},"prometheus":{"enabled":true},"sds":{"token":{"aud":"istio-ca"},"udsPath":"unix:/var/run/sds/uds_path","useNormalJwt":false,"useTrustworthyJwt":true},"security":{"citadelHealthCheck":false,"createMeshPolicy":true,"enableNamespacesByDefault":true,"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.loca
l","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.3.0","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":"jaeger-collector.jaeger:9411"}},"trustDomain":"","useMCP":true},"image":"citadel","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":true,"tolerations":[],"workloadCertTtl":"2160h"},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"en
ableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.3.0","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":"jaeger-collector.jaeger:9411"}},"trustDomain":"","useMCP":true},"image":"sidecar_injector","neverInjectSelector":[],"nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rewriteAppHTTPProbe":false,"rollingMaxSurge
":"100%","rollingMaxUnavailable":"25%","tolerations":[]},"tracing":{"enabled":false}} | |
config: |- | |
policy: enabled | |
alwaysInjectSelector: | |
[] | |
neverInjectSelector: | |
[] | |
template: |- | |
rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} | |
{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }} | |
initContainers: | |
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} | |
{{- if not .Values.istio_cni.enabled }} | |
- name: istio-init | |
{{- if contains "/" .Values.global.proxy_init.image }} | |
image: "{{ .Values.global.proxy_init.image }}" | |
{{- else }} | |
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" | |
{{- end }} | |
args: | |
- "-p" | |
- "15001" | |
- "-z" | |
- "15006" | |
- "-u" | |
- 1337 | |
- "-m" | |
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" | |
- "-i" | |
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" | |
- "-x" | |
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" | |
- "-b" | |
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" | |
- "-d" | |
- "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" | |
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") -}} | |
- "-o" | |
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" | |
{{ end -}} | |
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} | |
- "-k" | |
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" | |
{{ end -}} | |
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" | |
{{- if .Values.global.proxy.init.resources }} | |
resources: | |
{{ toYaml .Values.global.proxy.init.resources | indent 4 }} | |
{{- else }} | |
resources: {} | |
{{- end }} | |
securityContext: | |
runAsUser: 0 | |
runAsNonRoot: false | |
capabilities: | |
add: | |
- NET_ADMIN | |
{{- if .Values.global.proxy.privileged }} | |
privileged: true | |
{{- end }} | |
restartPolicy: Always | |
{{- end }} | |
{{ end -}} | |
{{- if eq .Values.global.proxy.enableCoreDump true }} | |
- name: enable-core-dump | |
args: | |
- -c | |
- sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited | |
command: | |
- /bin/sh | |
image: {{ $.Values.global.proxy.enableCoreDumpImage }} | |
imagePullPolicy: IfNotPresent | |
resources: {} | |
securityContext: | |
runAsUser: 0 | |
runAsNonRoot: false | |
privileged: true | |
{{ end }} | |
{{- end }} | |
containers: | |
- name: istio-proxy | |
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} | |
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" | |
{{- else }} | |
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" | |
{{- end }} | |
ports: | |
- containerPort: 15090 | |
protocol: TCP | |
name: http-envoy-prom | |
args: | |
- proxy | |
- sidecar | |
- --domain | |
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} | |
- --configPath | |
- "{{ .ProxyConfig.ConfigPath }}" | |
- --binaryPath | |
- "{{ .ProxyConfig.BinaryPath }}" | |
- --serviceCluster | |
{{ if ne "" (index .ObjectMeta.Labels "app") -}} | |
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" | |
{{ else -}} | |
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `istio-system` }}" | |
{{ end -}} | |
- --drainDuration | |
- "{{ formatDuration .ProxyConfig.DrainDuration }}" | |
- --parentShutdownDuration | |
- "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" | |
- --discoveryAddress | |
- "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" | |
{{- if eq .Values.global.proxy.tracer "lightstep" }} | |
- --lightstepAddress | |
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" | |
- --lightstepAccessToken | |
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" | |
- --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} | |
- --lightstepCacertPath | |
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" | |
{{- else if eq .Values.global.proxy.tracer "zipkin" }} | |
- --zipkinAddress | |
- "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" | |
{{- else if eq .Values.global.proxy.tracer "datadog" }} | |
- --datadogAgentAddress | |
- "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}" | |
{{- end }} | |
{{- if .Values.global.proxy.logLevel }} | |
- --proxyLogLevel={{ .Values.global.proxy.logLevel }} | |
{{- end}} | |
{{- if .Values.global.proxy.componentLogLevel }} | |
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} | |
{{- end}} | |
- --dnsRefreshRate | |
- {{ .Values.global.proxy.dnsRefreshRate }} | |
- --connectTimeout | |
- "{{ formatDuration .ProxyConfig.ConnectTimeout }}" | |
{{- if .Values.global.proxy.envoyStatsd.enabled }} | |
- --statsdUdpAddress | |
- "{{ .ProxyConfig.StatsdUdpAddress }}" | |
{{- end }} | |
{{- if .Values.global.proxy.envoyMetricsService.enabled }} | |
- --envoyMetricsServiceAddress | |
- "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}" | |
{{- end }} | |
{{- if .Values.global.proxy.envoyAccessLogService.enabled }} | |
- --envoyAccessLogService | |
- '{{ structToJSON .ProxyConfig.EnvoyAccessLogService }}' | |
{{- end }} | |
- --proxyAdminPort | |
- "{{ .ProxyConfig.ProxyAdminPort }}" | |
{{ if gt .ProxyConfig.Concurrency 0 -}} | |
- --concurrency | |
- "{{ .ProxyConfig.Concurrency }}" | |
{{ end -}} | |
- --controlPlaneAuthPolicy | |
- "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}" | |
{{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }} | |
- --statusPort | |
- "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" | |
- --applicationPorts | |
- "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" | |
{{- end }} | |
{{- if .Values.global.trustDomain }} | |
- --trust-domain={{ .Values.global.trustDomain }} | |
{{- end }} | |
env: | |
- name: POD_NAME | |
valueFrom: | |
fieldRef: | |
fieldPath: metadata.name | |
- name: ISTIO_META_POD_PORTS | |
value: |- | |
[ | |
{{- range $index1, $c := .Spec.Containers }} | |
{{- range $index2, $p := $c.Ports }} | |
{{if or (ne $index1 0) (ne $index2 0)}},{{end}}{{ structToJSON $p }} | |
{{- end}} | |
{{- end}} | |
] | |
- name: ISTIO_META_CLUSTER_ID | |
value: "{{ valueOrDefault .Values.global.multicluster.clusterName `Kubernetes` }}" | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
fieldPath: metadata.namespace | |
- name: INSTANCE_IP | |
valueFrom: | |
fieldRef: | |
fieldPath: status.podIP | |
- name: SERVICE_ACCOUNT | |
valueFrom: | |
fieldRef: | |
fieldPath: spec.serviceAccountName | |
{{ if eq .Values.global.proxy.tracer "datadog" }} | |
- name: HOST_IP | |
valueFrom: | |
fieldRef: | |
fieldPath: status.hostIP | |
{{ end }} | |
- name: ISTIO_META_POD_NAME | |
valueFrom: | |
fieldRef: | |
fieldPath: metadata.name | |
- name: ISTIO_META_CONFIG_NAMESPACE | |
valueFrom: | |
fieldRef: | |
fieldPath: metadata.namespace | |
- name: SDS_ENABLED | |
value: {{ $.Values.global.sds.enabled }} | |
- name: ISTIO_META_INTERCEPTION_MODE | |
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" | |
- name: ISTIO_META_INCLUDE_INBOUND_PORTS | |
value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" | |
{{- if .Values.global.network }} | |
- name: ISTIO_META_NETWORK | |
value: "{{ .Values.global.network }}" | |
{{- end }} | |
{{ if .ObjectMeta.Annotations }} | |
- name: ISTIO_METAJSON_ANNOTATIONS | |
value: | | |
{{ toJSON .ObjectMeta.Annotations }} | |
{{ end }} | |
{{ if .ObjectMeta.Labels }} | |
- name: ISTIO_METAJSON_LABELS | |
value: | | |
{{ toJSON .ObjectMeta.Labels }} | |
{{ end }} | |
{{- if .DeploymentMeta.Name }} | |
- name: ISTIO_META_WORKLOAD_NAME | |
value: {{ .DeploymentMeta.Name }} | |
{{ end }} | |
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} | |
- name: ISTIO_META_OWNER | |
value: kubernetes://api/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `istio-system` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} | |
{{- end}} | |
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} | |
- name: ISTIO_BOOTSTRAP_OVERRIDE | |
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" | |
{{- end }} | |
{{- if .Values.global.sds.customTokenDirectory }} | |
- name: ISTIO_META_SDS_TOKEN_PATH | |
value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" | |
{{- end }} | |
{{- if .Values.global.meshID }} | |
- name: ISTIO_META_MESH_ID | |
value: "{{ .Values.global.meshID }}" | |
{{- else if .Values.global.trustDomain }} | |
- name: ISTIO_META_MESH_ID | |
value: "{{ .Values.global.trustDomain }}" | |
{{- end }} | |
imagePullPolicy: {{ .Values.global.imagePullPolicy }} | |
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} | |
readinessProbe: | |
httpGet: | |
path: /healthz/ready | |
port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} | |
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} | |
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} | |
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} | |
{{ end -}} | |
securityContext: | |
{{- if .Values.global.proxy.privileged }} | |
privileged: true | |
{{- end }} | |
{{- if ne .Values.global.proxy.enableCoreDump true }} | |
readOnlyRootFilesystem: true | |
{{- end }} | |
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} | |
capabilities: | |
add: | |
- NET_ADMIN | |
runAsGroup: 1337 | |
{{ else -}} | |
{{ if .Values.global.sds.enabled }} | |
runAsGroup: 1337 | |
{{- end }} | |
runAsUser: 1337 | |
{{- end }} | |
resources: | |
{{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} | |
requests: | |
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} | |
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" | |
{{ end}} | |
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} | |
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" | |
{{ end }} | |
{{ else -}} | |
{{- if .Values.global.proxy.resources }} | |
{{ toYaml .Values.global.proxy.resources | indent 4 }} | |
{{- end }} | |
{{ end -}} | |
volumeMounts: | |
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} | |
- mountPath: /etc/istio/custom-bootstrap | |
name: custom-bootstrap-volume | |
{{- end }} | |
- mountPath: /etc/istio/proxy | |
name: istio-envoy | |
{{- if .Values.global.sds.enabled }} | |
- mountPath: /var/run/sds | |
name: sds-uds-path | |
readOnly: true | |
- mountPath: /var/run/secrets/tokens | |
name: istio-token | |
{{- if .Values.global.sds.customTokenDirectory }} | |
- mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" | |
name: custom-sds-token | |
readOnly: true | |
{{- end }} | |
{{- else }} | |
- mountPath: /etc/certs/ | |
name: istio-certs | |
readOnly: true | |
{{- end }} | |
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} | |
- mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} | |
name: lightstep-certs | |
readOnly: true | |
{{- end }} | |
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} | |
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} | |
- name: "{{ $index }}" | |
{{ toYaml $value | indent 4 }} | |
{{ end }} | |
{{- end }} | |
volumes: | |
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} | |
- name: custom-bootstrap-volume | |
configMap: | |
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} | |
{{- end }} | |
- emptyDir: | |
medium: Memory | |
name: istio-envoy | |
{{- if .Values.global.sds.enabled }} | |
- name: sds-uds-path | |
hostPath: | |
path: /var/run/sds | |
- name: istio-token | |
projected: | |
sources: | |
- serviceAccountToken: | |
path: istio-token | |
expirationSeconds: 43200 | |
audience: {{ .Values.global.sds.token.aud }} | |
{{- if .Values.global.sds.customTokenDirectory }} | |
- name: custom-sds-token | |
secret: | |
secretName: sdstokensecret | |
{{- end }} | |
{{- else }} | |
- name: istio-certs | |
secret: | |
optional: true | |
{{ if eq .Spec.ServiceAccountName "" }} | |
secretName: istio.istio-system | |
{{ else -}} | |
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} | |
{{ end -}} | |
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} | |
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} | |
- name: "{{ $index }}" | |
{{ toYaml $value | indent 2 }} | |
{{ end }} | |
{{ end }} | |
{{- end }} | |
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} | |
- name: lightstep-certs | |
secret: | |
optional: true | |
secretName: lightstep.cacert | |
{{- end }} | |
{{- if .Values.global.podDNSSearchNamespaces }} | |
dnsConfig: | |
searches: | |
{{- range .Values.global.podDNSSearchNamespaces }} | |
- {{ render . }} | |
{{- end }} | |
{{- end }} | |
podRedirectAnnot: | |
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" | |
traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" | |
traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" | |
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" | |
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" | |
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} | |
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" | |
{{- end }} | |
traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" | |
--- | |
# Source: istio/charts/istio/charts/galley/templates/serviceaccount.yaml | |
# Identity used by the galley pods. automountServiceAccountToken is not set
# here, so the cluster default applies to any pod running as this account.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: istio-galley-service-account
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: istio-system
--- | |
# Source: istio/charts/istio/charts/gateways/templates/serviceaccount.yaml | |
# Identity for the ingress gateway pods. This document only declares the
# account; no token automount setting or imagePullSecrets are given, so the
# cluster defaults apply.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: istio-ingressgateway-service-account
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    release: istio-system
--- | |
--- | |
# Source: istio/charts/istio/charts/mixer/templates/serviceaccount.yaml | |
# Account shared by the mixer workloads (both the policy and telemetry
# deployments carry the `app: mixer`-style labelling elsewhere in this file).
# Nothing beyond the name and labels is configured here.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: istio-mixer-service-account
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
--- | |
# Source: istio/charts/istio/charts/pilot/templates/serviceaccount.yaml | |
# Identity for the pilot pods. The account is plain: no annotations, no
# secrets, no automount override; its permissions come from the role
# bindings that name it, not from this object.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: istio-pilot-service-account
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: istio-system
--- | |
# Source: istio/charts/istio/charts/security/templates/cleanup-secrets.yaml | |
# A ServiceAccount and ClusterRole are created specifically for this | |
# post-delete hooked job because the citadel ServiceAccount is already being | |
# deleted by the time this hook is launched. On the other hand, running this hook before the | |
# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they | |
# will be re-created immediately by the to-be-deleted citadel. | |
# | |
# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding | |
# are ready before the hooked Job runs; hence the hook weights. | |
# Dedicated identity for the post-delete cleanup Job (see the header comment
# above): the citadel account is already gone when that hook runs. Hook
# weight 1 makes this account exist before the role binding (weight 2) and
# the Job (weight 3); hook-succeeded removes it again once the Job finishes.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: istio-cleanup-secrets-service-account
  namespace: istio-system
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded
    "helm.sh/hook-weight": "1"
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
--- | |
# Grants list and delete on Secrets in every namespace. This is the whole
# extent of what the cleanup Job can do; the object is short-lived (post-delete
# hook, removed on hook-succeeded), but while it exists the bound account can
# delete any secret in the cluster, not only the istio-issued ones.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-cleanup-secrets-istio-system
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded
    "helm.sh/hook-weight": "1"
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
rules:
  # Core API group ("") — Secrets live there.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - list
      - delete
--- | |
# Binds the cluster-wide secrets list/delete role to the cleanup account.
# Weight 2 places it after the account and role (weight 1) and before the
# Job (weight 3); hook-succeeded removes the binding with the rest of the
# hook objects, so the grant does not outlive the uninstall.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-cleanup-secrets-istio-system
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded
    "helm.sh/hook-weight": "2"
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
subjects:
  - kind: ServiceAccount
    name: istio-cleanup-secrets-service-account
    namespace: istio-system
roleRef:
  kind: ClusterRole
  name: istio-cleanup-secrets-istio-system
  apiGroup: rbac.authorization.k8s.io
--- | |
# Post-delete hook (weight 3, so it runs after the account, role and binding
# above) that removes the workload certificate secrets citadel issued. kubectl
# inside the pod authenticates as istio-cleanup-secrets-service-account, which
# holds cluster-wide list/delete on secrets; the only thing narrowing what gets
# deleted is the grep pattern in the script below.
apiVersion: batch/v1
kind: Job
metadata:
  name: istio-cleanup-secrets-1.3.0
  namespace: istio-system
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded
    "helm.sh/hook-weight": "3"
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
spec:
  template:
    metadata:
      name: istio-cleanup-secrets
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: istio-system
    spec:
      serviceAccountName: istio-cleanup-secrets-service-account
      # A non-zero exit retries the pod instead of failing the Job outright.
      restartPolicy: OnFailure
      containers:
        - name: kubectl
          # Pinned by tag only; a digest would make the image immutable.
          image: "docker.io/istio/kubectl:1.3.0"
          imagePullPolicy: IfNotPresent
          command:
            - /bin/bash
            - -c
            # Folded scalar: the first line and the more-indented loop body are
            # handed to bash as a single script. Every row of
            # `kubectl get secret --all-namespaces` whose text contains
            # "istio.io/key-and-cert" (the TYPE column) is deleted.
            # NOTE(review): this matches kubectl's human-readable table rather
            # than the secret type itself; `--field-selector
            # type=istio.io/key-and-cert` would select exactly by type.
            - >
              kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
                ns=$(echo $entry | awk '{print $1}');
                name=$(echo $entry | awk '{print $2}');
                kubectl delete secret $name -n $ns;
              done
      affinity:
        nodeAffinity:
          # Hard constraint: only the three architectures the release ships
          # images for. The beta.kubernetes.io/arch label is kept unchanged for
          # compatibility with the clusters this release targets; newer
          # clusters also expose kubernetes.io/arch.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          # All three preferences carry the same weight (2), so they do not
          # rank one architecture above another in practice.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
--- | |
# Source: istio/charts/istio/charts/security/templates/create-custom-resources-job.yaml | |
# Identity for the post-install Job that applies the security custom
# resources. Unlike the cleanup-secrets account above it carries no helm hook
# annotations, so it is a regular chart resource and stays in place after
# install.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: istio-security-post-install-account
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
--- | |
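# Role for the post-install Job that applies the chart's default
# authentication policy and destination rules. Uses the GA rbac API, matching
# the cleanup-secrets ClusterRole and ClusterRoleBinding earlier in this file;
# rbac.authorization.k8s.io/v1beta1 is deprecated and is removed in later
# Kubernetes releases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-security-post-install-istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
rules:
  # Wildcard verbs on every resource in these two istio API groups — wider
  # than the "create" the inline comments describe. Left as-is because the
  # run.sh the Job executes (mounted from a ConfigMap) is not visible here to
  # confirm the minimal verb set it needs.
  - apiGroups: ["authentication.istio.io"] # needed to create default authn policy
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["networking.istio.io"] # needed to create security destination rules
    resources: ["*"]
    verbs: ["*"]
  # Read-only access used to wait for the validating webhook and the control
  # plane deployments before applying the resources.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]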
--- | |
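# Binds the post-install ClusterRole to the post-install account. Moved to
# the GA rbac API for consistency with the cleanup-secrets binding earlier in
# this file; rbac.authorization.k8s.io/v1beta1 is deprecated and is removed in
# later Kubernetes releases. Neither the account nor this binding is a helm
# hook, so the wildcard grant on the istio API groups persists after install.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-security-post-install-role-binding-istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-security-post-install-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-security-post-install-account
    namespace: istio-system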
--- | |
# Post-install hook that runs /tmp/security/run.sh against
# /tmp/security/custom-resources.yaml, both supplied by the
# istio-security-custom-resources ConfigMap mounted below. The script runs
# with istio-security-post-install-account's ClusterRole, so whoever can edit
# that ConfigMap decides what is executed with that role.
apiVersion: batch/v1
kind: Job
metadata:
  name: istio-security-post-install-1.3.0
  namespace: istio-system
  annotations:
    "helm.sh/hook": post-install
    # Only the Job is removed on success; the account and role binding it
    # uses are ordinary chart resources and remain.
    "helm.sh/hook-delete-policy": hook-succeeded
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
spec:
  template:
    metadata:
      name: istio-security-post-install
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: istio-system
    spec:
      serviceAccountName: istio-security-post-install-account
      # A failed run is retried in place rather than failing the Job.
      restartPolicy: OnFailure
      containers:
        - name: kubectl
          # Pinned by tag only; a digest would make the image immutable.
          image: "docker.io/istio/kubectl:1.3.0"
          imagePullPolicy: IfNotPresent
          command:
            - /bin/bash
            - /tmp/security/run.sh
            - /tmp/security/custom-resources.yaml
          volumeMounts:
            - name: tmp-configmap-security
              mountPath: "/tmp/security"
      volumes:
        - name: tmp-configmap-security
          configMap:
            name: istio-security-custom-resources
      affinity:
        nodeAffinity:
          # Hard constraint: only the architectures the release ships images
          # for. beta.kubernetes.io/arch is kept for compatibility with the
          # clusters this release targets; newer clusters also expose
          # kubernetes.io/arch.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          # Equal weights (2) on all three entries, so no architecture is
          # actually preferred over another.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
--- | |
# Source: istio/charts/istio/charts/security/templates/serviceaccount.yaml
# Identity of Citadel (the mesh CA); bound to istio-citadel-istio-system, which
# carries cluster-wide Secret write access, so nothing else should run as it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-citadel-service-account
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
---
# Source: istio/charts/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
# Identity of the sidecar injector webhook; bound to istio-sidecar-injector-istio-system.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-sidecar-injector-service-account
  namespace: istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: istio-system
    istio: sidecar-injector
---
# Source: istio/charts/istio/templates/serviceaccount.yaml
# Bound to the read-only istio-reader ClusterRole by the istio-multi
# ClusterRoleBinding later in this file. Carries no chart labels, so label-based
# cleanup will not find it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-multi
  namespace: istio-system
--- | |
# Source: istio/charts/istio/charts/galley/templates/clusterrole.yaml
# ClusterRole for Galley (configuration validation / MCP server). Mostly
# read-only; the two write grants are scoped by resourceNames to its own
# Deployment, which is the least-privilege pattern the other roles in this
# file could follow.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-galley-istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: istio-system
rules:
  # Full control of ValidatingWebhookConfigurations (cluster-scoped); Galley
  # manages its own webhook registration, presumably - confirm.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["*"]
  - apiGroups: ["config.istio.io"] # istio mixer CRD watcher
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.istio.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["authentication.istio.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["rbac.istio.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # Limited to the istio-galley Deployment by name.
  - apiGroups: ["extensions","apps"]
    resources: ["deployments"]
    resourceNames: ["istio-galley"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "endpoints", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # Only the finalizers subresource of its own Deployment is writable.
  - apiGroups: ["extensions"]
    resources: ["deployments/finalizers"]
    resourceNames: ["istio-galley"]
    verbs: ["update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
--- | |
# Source: istio/charts/istio/charts/mixer/templates/clusterrole.yaml
# ClusterRole shared by the istio-policy and istio-telemetry Deployments
# (both run as istio-mixer-service-account).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-mixer-istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
rules:
  # Write access (create/patch) to every config.istio.io resource cluster-wide.
  - apiGroups: ["config.istio.io"] # istio CRD watcher
    resources: ["*"]
    verbs: ["create", "get", "list", "watch", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): includes get/list/watch on Secrets in all namespaces. The
  # mixer Deployments in this file read their certificates from mounted volumes,
  # so which Secrets Mixer reads through the API is not visible here - worth
  # confirming the grant is still needed.
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
--- | |
# Source: istio/charts/istio/charts/pilot/templates/clusterrole.yaml
# ClusterRole for Pilot (xDS control plane), bound to istio-pilot-service-account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-pilot-istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: istio-system
rules:
  # Wildcard verbs on config/networking/authentication resources cluster-wide;
  # rbac.istio.io is the only Istio group kept read-only.
  - apiGroups: ["config.istio.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["rbac.istio.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.istio.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["authentication.istio.io"]
    resources: ["*"]
    verbs: ["*"]
  # Full control of CRDs means Pilot can define or delete API types for the
  # whole cluster; broader than read-only watching would need.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: ["extensions"]
    resources: ["ingresses", "ingresses/status"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]
  # NOTE(review): read access to Secrets in all namespaces; Pilot's own
  # certificates are volume-mounted in its Deployment, so the API-level need is
  # not visible here - confirm.
  - apiGroups: [""]
    resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"]
    verbs: ["get", "list", "watch"]
--- | |
# Source: istio/charts/istio/charts/security/templates/clusterrole.yaml
# ClusterRole for Citadel, the mesh CA. Full Secret lifecycle in every namespace
# is what lets it issue and rotate workload certificates (presumably the
# `istio.<serviceaccount>` Secrets the Deployments in this file mount - confirm).
# One of the most privileged identities in this rendering; keep its
# ServiceAccount dedicated and watch for unexpected Secret writes from it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-citadel-istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "update"]
  # create/update/delete on Secrets cluster-wide.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "watch", "list", "update", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts", "services", "namespaces"]
    verbs: ["get", "watch", "list"]
  # TokenReview: validates Kubernetes service-account tokens presented to the CA.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
--- | |
# Source: istio/charts/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
# ClusterRole for the sidecar injector webhook.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-sidecar-injector-istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: istio-system
    istio: sidecar-injector
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # `patch` on MutatingWebhookConfigurations is cluster-scoped and not limited
  # by resourceNames, so this identity can alter any mutating webhook in the
  # cluster, not only its own registration; narrowing with resourceNames would
  # confine it - confirm the injector only patches its own object.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "patch"]
--- | |
# Source: istio/charts/istio/templates/clusterrole.yaml
# Read-only ClusterRole over core workload objects and ReplicaSets; bound to the
# istio-multi ServiceAccount by the istio-multi ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-reader
rules:
  - apiGroups: [""]
    resources: ["nodes", "pods", "services", "endpoints", "replicationcontrollers"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["extensions", "apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
--- | |
# Source: istio/templates/rbac-appidentityandaccessadapter.yaml
# NOTE(review): this ClusterRole grants every verb on every resource of the
# security.cloud.ibm.com group AND on core Secrets, in all namespaces, and the
# ClusterRoleBinding below hands it to the `default` ServiceAccount of
# istio-system. Every pod in that namespace that does not set
# serviceAccountName runs as `default`, so all of them inherit cluster-wide
# read/write on Secrets. A dedicated ServiceAccount for the adapter, and a
# namespaced Role if it only needs Secrets in its own namespace, would confine
# this; what the adapter actually requires is not visible here - confirm before
# narrowing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-appidentityandaccessadapter
rules:
  - apiGroups: ["security.cloud.ibm.com"]
    resources: ["*"]
    verbs: ["*"]
  # Wildcard verbs on Secrets cluster-wide.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-rolebinding-appidentityandaccessadapter
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-appidentityandaccessadapter
subjects:
  # Bound to the namespace's shared `default` account, not to an account owned
  # by the adapter.
  - kind: ServiceAccount
    name: default
    namespace: istio-system
--- | |
# Source: istio/charts/istio/charts/galley/templates/clusterrolebinding.yaml
# Galley: ClusterRole istio-galley-istio-system -> istio-galley-service-account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-galley-admin-role-binding-istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-galley-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-galley-service-account
    namespace: istio-system
---
# Source: istio/charts/istio/charts/mixer/templates/clusterrolebinding.yaml
# Mixer: ClusterRole istio-mixer-istio-system -> istio-mixer-service-account
# (shared by the istio-policy and istio-telemetry Deployments).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-mixer-admin-role-binding-istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-mixer-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-mixer-service-account
    namespace: istio-system
---
# Source: istio/charts/istio/charts/pilot/templates/clusterrolebinding.yaml
# Pilot: ClusterRole istio-pilot-istio-system -> istio-pilot-service-account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-pilot-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-pilot-service-account
    namespace: istio-system
---
# Source: istio/charts/istio/charts/security/templates/clusterrolebinding.yaml
# Citadel: ClusterRole istio-citadel-istio-system (cluster-wide Secret writes)
# -> istio-citadel-service-account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-citadel-istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-citadel-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-citadel-service-account
    namespace: istio-system
---
# Source: istio/charts/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
# Sidecar injector: ClusterRole istio-sidecar-injector-istio-system
# -> istio-sidecar-injector-service-account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-sidecar-injector-admin-role-binding-istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: istio-system
    istio: sidecar-injector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-sidecar-injector-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-sidecar-injector-service-account
    namespace: istio-system
---
# Source: istio/charts/istio/templates/clusterrolebinding.yaml
# istio-multi ServiceAccount -> read-only istio-reader ClusterRole. Labelled
# only with the umbrella chart version, unlike the component bindings above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-multi
  labels:
    chart: istio-1.3.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-reader
subjects:
  - kind: ServiceAccount
    name: istio-multi
    namespace: istio-system
--- | |
# Source: istio/charts/istio/charts/gateways/templates/role.yaml
# Read access to every Secret in istio-system for the ingress gateway (bound to
# istio-ingressgateway-service-account by the RoleBinding that follows).
# NOTE(review): the istio-ingressgateway Deployment in this file sets
# SDS_ENABLED="false" and mounts its TLS material as Secret volumes instead, so
# this grant appears unused in this rendering - yet it still lets the gateway
# pod (the most exposed workload here) list every Secret in the namespace,
# including the control-plane certificate Secrets the other Deployments mount.
# Consider dropping this Role/RoleBinding pair while SDS is disabled; confirm
# nothing else depends on it first.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-system
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
--- | |
--- | |
# Source: istio/charts/istio/charts/gateways/templates/rolebindings.yaml
# Binds the istio-ingressgateway-sds Role (Secret read access in istio-system)
# to the ingress gateway's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
  # No `namespace` on the subject: for a RoleBinding the RBAC authorizer
  # resolves a ServiceAccount subject against the binding's own namespace, so
  # this means istio-system. The ClusterRoleBindings in this file spell the
  # namespace out; doing the same here would make the binding self-describing.
  - kind: ServiceAccount
    name: istio-ingressgateway-service-account
--- | |
--- | |
# Source: istio/charts/istio/charts/galley/templates/service.yaml | |
apiVersion: v1 | |
kind: Service | |
metadata: | |
name: istio-galley | |
namespace: istio-system | |
labels: | |
app: galley | |
chart: galley | |
heritage: Tiller | |
release: istio-system | |
istio: galley | |
spec: | |
ports: | |
- port: 443 | |
name: https-validation | |
- port: 15014 | |
name: http-monitoring | |
- port: 9901 | |
name: grpc-mcp | |
selector: | |
istio: galley | |
--- | |
# Source: istio/charts/istio/charts/gateways/templates/service.yaml
# Service in front of the istio-ingressgateway Deployment.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  # A bare `annotations:` parses as null rather than an empty map; `{}` would
  # state the intent explicitly.
  annotations:
  labels:
    chart: gateways
    heritage: Tiller
    release: istio-system
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  # NOTE(review): NodePort publishes each nodePort below on every node's IP.
  # Besides HTTP/HTTPS this rendering also publishes mongo (27017 -> 30502),
  # mariadb (3306 -> 30503) and sftp (22 -> 30504), so whatever the gateway
  # routes on those ports is reachable from any network that can reach a node.
  # Keep those node ports behind a firewall allow-list or drop the entries if
  # unused; the matching containerPorts are also opened on the gateway
  # Deployment in this file.
  type: NodePort
  selector:
    release: istio-system
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    -
      name: status-port
      port: 15020
      targetPort: 15020
    -
      name: http2
      nodePort: 30500
      port: 80
      targetPort: 80
    -
      # No targetPort: defaults to the service port (443).
      name: https
      nodePort: 30501
      port: 443
    -
      # No nodePort requested; the API server allocates one from its range.
      name: tls
      port: 15443
      targetPort: 15443
    -
      name: mongo
      nodePort: 30502
      port: 27017
      targetPort: 27017
    -
      name: mariadb
      nodePort: 30503
      port: 3306
      targetPort: 3306
    -
      name: sftp
      nodePort: 30504
      port: 22
      targetPort: 22
--- | |
--- | |
# Source: istio/charts/istio/charts/mixer/templates/service.yaml | |
apiVersion: v1 | |
kind: Service | |
metadata: | |
name: istio-policy | |
namespace: istio-system | |
annotations: | |
networking.istio.io/exportTo: "*" | |
labels: | |
app: mixer | |
chart: mixer | |
heritage: Tiller | |
release: istio-system | |
istio: mixer | |
spec: | |
ports: | |
- name: grpc-mixer | |
port: 9091 | |
- name: grpc-mixer-mtls | |
port: 15004 | |
- name: http-monitoring | |
port: 15014 | |
selector: | |
istio: mixer | |
istio-mixer-type: policy | |
--- | |
apiVersion: v1 | |
kind: Service | |
metadata: | |
name: istio-telemetry | |
namespace: istio-system | |
annotations: | |
networking.istio.io/exportTo: "*" | |
labels: | |
app: mixer | |
chart: mixer | |
heritage: Tiller | |
release: istio-system | |
istio: mixer | |
spec: | |
ports: | |
- name: grpc-mixer | |
port: 9091 | |
- name: grpc-mixer-mtls | |
port: 15004 | |
- name: http-monitoring | |
port: 15014 | |
- name: prometheus | |
port: 42422 | |
selector: | |
istio: mixer | |
istio-mixer-type: telemetry | |
--- | |
--- | |
# Source: istio/charts/istio/charts/pilot/templates/service.yaml | |
apiVersion: v1 | |
kind: Service | |
metadata: | |
name: istio-pilot | |
namespace: istio-system | |
labels: | |
app: pilot | |
chart: pilot | |
heritage: Tiller | |
release: istio-system | |
istio: pilot | |
spec: | |
ports: | |
- port: 15010 | |
name: grpc-xds # direct | |
- port: 15011 | |
name: https-xds # mTLS | |
- port: 8080 | |
name: http-legacy-discovery # direct | |
- port: 15014 | |
name: http-monitoring | |
selector: | |
istio: pilot | |
--- | |
# Source: istio/charts/istio/charts/security/templates/service.yaml
# Service for Citadel (CA gRPC endpoint plus monitoring port).
apiVersion: v1
kind: Service
metadata:
  # NOTE(review): the comment that used to sit here referred to prometheus
  # and grafana data sources, which have nothing to do with this Service; it
  # looks like a leftover copied from another chart template.
  name: istio-citadel
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
    istio: citadel
spec:
  ports:
    # CA gRPC API.
    - name: grpc-citadel
      port: 8060
      targetPort: 8060
      protocol: TCP
    # Same monitoring port as the other control-plane Services in this file.
    - name: http-monitoring
      port: 15014
  selector:
    istio: citadel
--- | |
# Source: istio/charts/istio/charts/sidecarInjectorWebhook/templates/service.yaml | |
apiVersion: v1 | |
kind: Service | |
metadata: | |
name: istio-sidecar-injector | |
namespace: istio-system | |
labels: | |
app: sidecarInjectorWebhook | |
chart: sidecarInjectorWebhook | |
heritage: Tiller | |
release: istio-system | |
istio: sidecar-injector | |
spec: | |
ports: | |
- port: 443 | |
name: https-inject | |
- port: 15014 | |
name: http-monitoring | |
selector: | |
istio: sidecar-injector | |
--- | |
# Source: istio/charts/istio/charts/galley/templates/deployment.yaml | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
name: istio-galley | |
namespace: istio-system | |
labels: | |
app: galley | |
chart: galley | |
heritage: Tiller | |
release: istio-system | |
istio: galley | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
istio: galley | |
strategy: | |
rollingUpdate: | |
maxSurge: 100% | |
maxUnavailable: 25% | |
template: | |
metadata: | |
labels: | |
app: galley | |
chart: galley | |
heritage: Tiller | |
release: istio-system | |
istio: galley | |
annotations: | |
sidecar.istio.io/inject: "false" | |
spec: | |
serviceAccountName: istio-galley-service-account | |
containers: | |
- name: galley | |
image: "docker.io/istio/galley:1.3.0" | |
imagePullPolicy: IfNotPresent | |
ports: | |
- containerPort: 443 | |
- containerPort: 15014 | |
- containerPort: 9901 | |
command: | |
- /usr/local/bin/galley | |
- server | |
- --meshConfigFile=/etc/mesh-config/mesh | |
- --livenessProbeInterval=1s | |
- --livenessProbePath=/healthliveness | |
- --readinessProbePath=/healthready | |
- --readinessProbeInterval=1s | |
- --deployment-namespace=istio-system | |
- --insecure=false | |
- --validation-webhook-config-file | |
- /etc/config/validatingwebhookconfiguration.yaml | |
- --monitoringPort=15014 | |
- --log_output_level=default:info | |
volumeMounts: | |
- name: certs | |
mountPath: /etc/certs | |
readOnly: true | |
- name: config | |
mountPath: /etc/config | |
readOnly: true | |
- name: mesh-config | |
mountPath: /etc/mesh-config | |
readOnly: true | |
livenessProbe: | |
exec: | |
command: | |
- /usr/local/bin/galley | |
- probe | |
- --probe-path=/healthliveness | |
- --interval=10s | |
initialDelaySeconds: 5 | |
periodSeconds: 5 | |
readinessProbe: | |
exec: | |
command: | |
- /usr/local/bin/galley | |
- probe | |
- --probe-path=/healthready | |
- --interval=10s | |
initialDelaySeconds: 5 | |
periodSeconds: 5 | |
resources: | |
requests: | |
cpu: 10m | |
volumes: | |
- name: certs | |
secret: | |
secretName: istio.istio-galley-service-account | |
- name: config | |
configMap: | |
name: istio-galley-configuration | |
- name: mesh-config | |
configMap: | |
name: istio | |
affinity: | |
nodeAffinity: | |
requiredDuringSchedulingIgnoredDuringExecution: | |
nodeSelectorTerms: | |
- matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "amd64" | |
- "ppc64le" | |
- "s390x" | |
preferredDuringSchedulingIgnoredDuringExecution: | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "amd64" | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "ppc64le" | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "s390x" | |
--- | |
# Source: istio/charts/istio/charts/gateways/templates/deployment.yaml | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
name: istio-ingressgateway | |
namespace: istio-system | |
labels: | |
chart: gateways | |
heritage: Tiller | |
release: istio-system | |
app: istio-ingressgateway | |
istio: ingressgateway | |
spec: | |
selector: | |
matchLabels: | |
app: istio-ingressgateway | |
istio: ingressgateway | |
strategy: | |
rollingUpdate: | |
maxSurge: 100% | |
maxUnavailable: 25% | |
template: | |
metadata: | |
labels: | |
chart: gateways | |
heritage: Tiller | |
release: istio-system | |
app: istio-ingressgateway | |
istio: ingressgateway | |
annotations: | |
sidecar.istio.io/inject: "false" | |
spec: | |
serviceAccountName: istio-ingressgateway-service-account | |
containers: | |
- name: istio-proxy | |
image: "docker.io/istio/proxyv2:1.3.0" | |
imagePullPolicy: IfNotPresent | |
ports: | |
- containerPort: 15020 | |
- containerPort: 80 | |
- containerPort: 443 | |
- containerPort: 15443 | |
- containerPort: 27017 | |
- containerPort: 3306 | |
- containerPort: 22 | |
- containerPort: 15090 | |
protocol: TCP | |
name: http-envoy-prom | |
args: | |
- proxy | |
- router | |
- --domain | |
- $(POD_NAMESPACE).svc.cluster.local | |
- --log_output_level=default:info | |
- --drainDuration | |
- '45s' #drainDuration | |
- --parentShutdownDuration | |
- '1m0s' #parentShutdownDuration | |
- --connectTimeout | |
- '10s' #connectTimeout | |
- --serviceCluster | |
- istio-ingressgateway | |
- --zipkinAddress | |
- jaeger-collector.jaeger:9411 | |
- --proxyAdminPort | |
- "15000" | |
- --statusPort | |
- "15020" | |
- --controlPlaneAuthPolicy | |
- MUTUAL_TLS | |
- --discoveryAddress | |
- istio-pilot:15011 | |
readinessProbe: | |
failureThreshold: 30 | |
httpGet: | |
path: /healthz/ready | |
port: 15020 | |
scheme: HTTP | |
initialDelaySeconds: 1 | |
periodSeconds: 2 | |
successThreshold: 1 | |
timeoutSeconds: 1 | |
resources: | |
limits: | |
cpu: 2000m | |
memory: 4096Mi | |
requests: | |
cpu: 100m | |
memory: 128Mi | |
env: | |
- name: NODE_NAME | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: spec.nodeName | |
- name: POD_NAME | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.name | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
- name: INSTANCE_IP | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: status.podIP | |
- name: HOST_IP | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: status.hostIP | |
- name: SERVICE_ACCOUNT | |
valueFrom: | |
fieldRef: | |
fieldPath: spec.serviceAccountName | |
- name: ISTIO_META_POD_NAME | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.name | |
- name: ISTIO_META_CONFIG_NAMESPACE | |
valueFrom: | |
fieldRef: | |
fieldPath: metadata.namespace | |
- name: SDS_ENABLED | |
value: "false" | |
- name: ISTIO_META_WORKLOAD_NAME | |
value: istio-ingressgateway | |
- name: ISTIO_META_OWNER | |
value: kubernetes://api/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway | |
- name: ISTIO_META_ROUTER_MODE | |
value: sni-dnat | |
volumeMounts: | |
- name: istio-certs | |
mountPath: /etc/certs | |
readOnly: true | |
- name: ingressgateway-certs | |
mountPath: "/etc/istio/ingressgateway-certs" | |
readOnly: true | |
- name: ingressgateway-ca-certs | |
mountPath: "/etc/istio/ingressgateway-ca-certs" | |
readOnly: true | |
volumes: | |
- name: istio-certs | |
secret: | |
secretName: istio.istio-ingressgateway-service-account | |
optional: true | |
- name: ingressgateway-certs | |
secret: | |
secretName: "istio-ingressgateway-certs" | |
optional: true | |
- name: ingressgateway-ca-certs | |
secret: | |
secretName: "istio-ingressgateway-ca-certs" | |
optional: true | |
affinity: | |
nodeAffinity: | |
requiredDuringSchedulingIgnoredDuringExecution: | |
nodeSelectorTerms: | |
- matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "amd64" | |
- "ppc64le" | |
- "s390x" | |
preferredDuringSchedulingIgnoredDuringExecution: | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "amd64" | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "ppc64le" | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "s390x" | |
--- | |
--- | |
# Source: istio/charts/istio/charts/mixer/templates/deployment.yaml | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
name: istio-policy | |
namespace: istio-system | |
labels: | |
app: istio-mixer | |
chart: mixer | |
heritage: Tiller | |
release: istio-system | |
istio: mixer | |
spec: | |
strategy: | |
rollingUpdate: | |
maxSurge: 100% | |
maxUnavailable: 25% | |
selector: | |
matchLabels: | |
istio: mixer | |
istio-mixer-type: policy | |
template: | |
metadata: | |
labels: | |
app: policy | |
chart: mixer | |
heritage: Tiller | |
release: istio-system | |
istio: mixer | |
istio-mixer-type: policy | |
annotations: | |
sidecar.istio.io/inject: "false" | |
spec: | |
serviceAccountName: istio-mixer-service-account | |
volumes: | |
- name: istio-certs | |
secret: | |
secretName: istio.istio-mixer-service-account | |
optional: true | |
- name: uds-socket | |
emptyDir: {} | |
- name: policy-adapter-secret | |
secret: | |
secretName: policy-adapter-secret | |
optional: true | |
affinity: | |
nodeAffinity: | |
requiredDuringSchedulingIgnoredDuringExecution: | |
nodeSelectorTerms: | |
- matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "amd64" | |
- "ppc64le" | |
- "s390x" | |
preferredDuringSchedulingIgnoredDuringExecution: | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "amd64" | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "ppc64le" | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "s390x" | |
containers: | |
- name: mixer | |
image: "docker.io/istio/mixer:1.3.0" | |
imagePullPolicy: IfNotPresent | |
ports: | |
- containerPort: 15014 | |
- containerPort: 42422 | |
args: | |
- --monitoringPort=15014 | |
- --address | |
- unix:///sock/mixer.socket | |
- --log_output_level=default:info | |
- --configStoreURL=mcps://istio-galley.istio-system.svc:9901 | |
- --configDefaultNamespace=istio-system | |
- --useAdapterCRDs=false | |
- --useTemplateCRDs=false | |
- --trace_zipkin_url=http://jaeger-collector.jaeger:9411/api/v1/spans | |
env: | |
- name: GODEBUG | |
value: "gctrace=1" | |
- name: GOMAXPROCS | |
value: "6" | |
resources: | |
requests: | |
cpu: 10m | |
volumeMounts: | |
- name: istio-certs | |
mountPath: /etc/certs | |
readOnly: true | |
- name: uds-socket | |
mountPath: /sock | |
livenessProbe: | |
httpGet: | |
path: /version | |
port: 15014 | |
initialDelaySeconds: 5 | |
periodSeconds: 5 | |
- name: istio-proxy | |
image: "docker.io/istio/proxyv2:1.3.0" | |
imagePullPolicy: IfNotPresent | |
ports: | |
- containerPort: 9091 | |
- containerPort: 15004 | |
- containerPort: 15090 | |
protocol: TCP | |
name: http-envoy-prom | |
args: | |
- proxy | |
- --domain | |
- $(POD_NAMESPACE).svc.cluster.local | |
- --serviceCluster | |
- istio-policy | |
- --templateFile | |
- /etc/istio/proxy/envoy_policy.yaml.tmpl | |
- --controlPlaneAuthPolicy | |
- MUTUAL_TLS | |
env: | |
- name: POD_NAME | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.name | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
- name: INSTANCE_IP | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: status.podIP | |
- name: SDS_ENABLED | |
value: "false" | |
resources: | |
limits: | |
cpu: 2000m | |
memory: 1024Mi | |
requests: | |
cpu: 100m | |
memory: 128Mi | |
volumeMounts: | |
- name: istio-certs | |
mountPath: /etc/certs | |
readOnly: true | |
- name: uds-socket | |
mountPath: /sock | |
- name: policy-adapter-secret | |
mountPath: /var/run/secrets/istio.io/policy/adapter | |
readOnly: true | |
--- | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
name: istio-telemetry | |
namespace: istio-system | |
labels: | |
app: istio-mixer | |
chart: mixer | |
heritage: Tiller | |
release: istio-system | |
istio: mixer | |
spec: | |
strategy: | |
rollingUpdate: | |
maxSurge: 100% | |
maxUnavailable: 25% | |
selector: | |
matchLabels: | |
istio: mixer | |
istio-mixer-type: telemetry | |
template: | |
metadata: | |
labels: | |
app: telemetry | |
chart: mixer | |
heritage: Tiller | |
release: istio-system | |
istio: mixer | |
istio-mixer-type: telemetry | |
annotations: | |
sidecar.istio.io/inject: "false" | |
spec: | |
serviceAccountName: istio-mixer-service-account | |
volumes: | |
- name: istio-certs | |
secret: | |
secretName: istio.istio-mixer-service-account | |
optional: true | |
- name: uds-socket | |
emptyDir: {} | |
- name: telemetry-adapter-secret | |
secret: | |
secretName: telemetry-adapter-secret | |
optional: true | |
affinity: | |
nodeAffinity: | |
requiredDuringSchedulingIgnoredDuringExecution: | |
nodeSelectorTerms: | |
- matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "amd64" | |
- "ppc64le" | |
- "s390x" | |
preferredDuringSchedulingIgnoredDuringExecution: | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "amd64" | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "ppc64le" | |
- weight: 2 | |
preference: | |
matchExpressions: | |
- key: beta.kubernetes.io/arch | |
operator: In | |
values: | |
- "s390x" | |
containers: | |
- name: mixer | |
image: "docker.io/istio/mixer:1.3.0" | |
imagePullPolicy: IfNotPresent | |
ports: | |
- containerPort: 15014 | |
- containerPort: 42422 | |
args: | |
- --monitoringPort=15014 | |
- --address | |
- unix:///sock/mixer.socket | |
- --log_output_level=default:info | |
- --configStoreURL=mcps://istio-galley.istio-system.svc:9901 | |
- --certFile=/etc/certs/cert-chain.pem | |
- --keyFile=/etc/certs/key.pem | |
- --caCertFile=/etc/certs/root-cert.pem | |
- --configDefaultNamespace=istio-system | |
- --useAdapterCRDs=false | |
- --trace_zipkin_url=http://jaeger-collector.jaeger:9411/api/v1/spans | |
- --averageLatencyThreshold | |
- 100ms | |
- --loadsheddingMode | |
- enforce | |
env: | |
- name: GODEBUG | |
value: "gctrace=1" | |
- name: GOMAXPROCS | |
value: "6" | |
resources: | |
limits: | |
cpu: 4800m | |
memory: 4G | |
requests: | |
cpu: 1000m | |
memory: 1G | |
volumeMounts: | |
- name: istio-certs | |
mountPath: /etc/certs | |
readOnly: true | |
- name: telemetry-adapter-secret | |
mountPath: /var/run/secrets/istio.io/telemetry/adapter | |
readOnly: true | |
- name: uds-socket | |
mountPath: /sock | |
livenessProbe: | |
httpGet: | |
path: /version | |
port: 15014 | |
initialDelaySeconds: 5 | |
periodSeconds: 5 | |
- name: istio-proxy | |
image: "docker.io/istio/proxyv2:1.3.0" | |
imagePullPolicy: IfNotPresent | |
ports: | |
- containerPort: 9091 | |
- containerPort: 15004 | |
- containerPort: 15090 | |
protocol: TCP | |
name: http-envoy-prom | |
args: | |
- proxy | |
- --domain | |
- $(POD_NAMESPACE).svc.cluster.local | |
- --serviceCluster | |
- istio-telemetry | |
- --templateFile | |
- /etc/istio/proxy/envoy_telemetry.yaml.tmpl | |
- --controlPlaneAuthPolicy | |
- MUTUAL_TLS | |
env: | |
- name: POD_NAME | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.name | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
- name: INSTANCE_IP | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: status.podIP | |
- name: SDS_ENABLED | |
value: "false" | |
resources: | |
limits: | |
cpu: 2000m | |
memory: 1024Mi | |
requests: | |
cpu: 100m | |
memory: 128Mi | |
volumeMounts: | |
- name: istio-certs | |
mountPath: /etc/certs | |
readOnly: true | |
- name: uds-socket | |
mountPath: /sock | |
--- | |
--- | |
# Source: istio/charts/istio/charts/pilot/templates/deployment.yaml
# Pilot ("discovery") control-plane Deployment. It serves configuration to every proxy in the
# mesh, so what it exposes and how it authenticates peers is security-relevant. The replica
# count is intentionally absent: an HPA elsewhere in this manifest targets this Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-pilot
  namespace: istio-system
  # TODO: default template doesn't have this, which one is right ?
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: istio-system
    istio: pilot
  annotations:
    # Hash of the mounted config; a change to the istio ConfigMap changes this value and
    # therefore rolls the Deployment.
    checksum/config-volume: dd14cf87624b25bd8fde6322a37610350f8c0445c57062fa721f825c62931a0f
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: pilot
  template:
    metadata:
      labels:
        app: pilot
        chart: pilot
        heritage: Tiller
        release: istio-system
        istio: pilot
      annotations:
        # Control-plane pod: no automatic sidecar injection. The istio-proxy container is
        # declared explicitly below instead.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-pilot-service-account
      # NOTE(review): no securityContext (runAsNonRoot, readOnlyRootFilesystem, dropped
      # capabilities) is set on the pod or on either container.
      containers:
        - name: discovery
          image: "docker.io/istio/pilot:1.3.0"
          imagePullPolicy: IfNotPresent
          args:
            - "discovery"
            # Metrics / self-monitoring listener.
            - --monitoringAddr=:15014
            - --log_output_level=default:info
            - --domain
            - cluster.local
            # An empty address disables pilot's own TLS-secured gRPC listener. The istio-proxy
            # container in this pod exposes 15011 and runs with --controlPlaneAuthPolicy
            # MUTUAL_TLS, so presumably it terminates mTLS in front of the plain 15010 port —
            # confirm before exposing pilot to anything outside the pod network.
            - --secureGrpcAddr
            - ""
            # Proxies are forced to reconnect periodically; this spreads load after a scale-out.
            - --keepaliveMaxServerConnectionAge
            - "30m"
          ports:
            - containerPort: 8080
            - containerPort: 15010
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 30
            timeoutSeconds: 5
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            # Go runtime GC tracing written to stderr — noisy; usually undesirable in
            # production logs.
            - name: GODEBUG
              value: "gctrace=1"
            - name: PILOT_PUSH_THROTTLE
              value: "100"
            # NOTE(review): looks like a percentage, i.e. every request is traced. At 100 this
            # costs proxy CPU and ships every request's metadata to the trace backend — confirm
            # the intended sampling rate for production.
            - name: PILOT_TRACE_SAMPLING
              value: "100"
            # Protocol sniffing is on for outbound listeners only; inbound relies on the
            # protocol declared on the Service port.
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
              value: "true"
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
              value: "false"
          # Requests only, no limits: discovery may grow well past 2Gi on a large mesh.
          resources:
            requests:
              cpu: 500m
              memory: 2048Mi
          volumeMounts:
            - name: config-volume
              mountPath: /etc/istio/config
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.3.0"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15003
            - containerPort: 15005
            - containerPort: 15007
            # Presumably the mTLS-protected discovery port (see --secureGrpcAddr above).
            - containerPort: 15011
          args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-pilot
            # Pilot-specific Envoy bootstrap template rather than the generic sidecar one.
            - --templateFile
            - /etc/istio/proxy/envoy_pilot.yaml.tmpl
            # Mutual TLS is required for this proxy's control-plane connections.
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            # SDS is off: the proxy reads its certificate and key from the istio-certs secret
            # mounted read-only below.
            - name: SDS_ENABLED
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
      volumes:
        - name: config-volume
          configMap:
            name: istio
        # Identity for the pilot service account (presumably issued by Citadel; the name
        # follows the istio.<serviceaccount> pattern). `optional: true` lets the pod start before
        # the secret exists, so a missing certificate surfaces as mTLS failures at runtime rather
        # than as a pod stuck in ContainerCreating.
        - name: istio-certs
          secret:
            secretName: istio.istio-pilot-service-account
            optional: true
      affinity:
        nodeAffinity:
          # Hard requirement: only the listed CPU architectures.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  # NOTE(review): beta.kubernetes.io/arch is the legacy label; newer clusters
                  # also set kubernetes.io/arch — confirm the target nodes still carry the beta
                  # label, or scheduling silently fails.
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          # Soft preferences with identical weight: no effective preference among the three.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
--- | |
# Source: istio/charts/istio/charts/security/templates/deployment.yaml
# istio CA watching all namespaces
# Citadel is the mesh certificate authority: every mTLS connection, and the MUTUAL_TLS
# control-plane policy used by the other components, chains to the root it manages. Access to
# this service account and to Secrets in istio-system therefore warrants the tightest RBAC in
# the cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-citadel
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio-system
    istio: citadel
spec:
  # Single CA instance.
  replicas: 1
  selector:
    matchLabels:
      istio: citadel
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: istio-system
        istio: citadel
      annotations:
        # Control-plane pod: not injected.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-citadel-service-account
      # NOTE(review): no securityContext on the pod or the container.
      containers:
        - name: citadel
          image: "docker.io/istio/citadel:1.3.0"
          imagePullPolicy: IfNotPresent
          args:
            # Issued certificates also carry DNS SANs.
            - --append-dns-names=true
            # Certificate-signing-request endpoint.
            - --grpc-port=8060
            # Namespace in which Citadel keeps its own state (presumably including the CA key
            # material) — one more reason to restrict Secret reads in istio-system.
            - --citadel-storage-namespace=istio-system
            # Extra DNS SAN on the pilot service account's certificate so that clients can
            # verify the istio-pilot.istio-system name under MUTUAL_TLS.
            - --custom-dns-names=istio-pilot-service-account.istio-system:istio-pilot.istio-system
            - --monitoring-port=15014
            # Citadel generates its own root CA. The whole mesh trusts that root and its private
            # key lives in-cluster; an organisation-owned root or intermediate is the usual
            # replacement for production — confirm this self-signed mode is intended beyond
            # evaluation.
            - --self-signed-ca=true
            # 90-day workload certificate lifetime. A shorter TTL bounds the exposure window of a
            # leaked workload key and exercises rotation continuously.
            - --workload-cert-ttl=2160h
          env:
            # Every namespace is enrolled for certificate issuance unless it opts out.
            - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT
              value: "true"
          # Requests only; no limits.
          resources:
            requests:
              cpu: 10m
      affinity:
        nodeAffinity:
          # Hard requirement: only the listed CPU architectures.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  # NOTE(review): beta.kubernetes.io/arch is the legacy label name — confirm the
                  # target nodes still carry it.
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          # Equal-weight soft preferences: no effective preference among the three.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
--- | |
# Source: istio/charts/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
# Backend of the sidecar-injection mutating admission webhook. It is presumably reached
# through the istio-sidecar-injector Service referenced by the MutatingWebhookConfiguration in
# this manifest, and it serves TLS with the certificate mounted from the certs secret below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: istio-system
    istio: sidecar-injector
spec:
  # Single replica: with a fail-closed webhook, an outage here blocks pod creation in every
  # injection-enabled namespace.
  replicas: 1
  selector:
    matchLabels:
      istio: sidecar-injector
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: sidecarInjectorWebhook
        chart: sidecarInjectorWebhook
        heritage: Tiller
        release: istio-system
        istio: sidecar-injector
      annotations:
        # The injector must not be injected itself.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-sidecar-injector-service-account
      # NOTE(review): no securityContext on the pod or the container.
      containers:
        - name: sidecar-injector-webhook
          image: "docker.io/istio/sidecar_injector:1.3.0"
          imagePullPolicy: IfNotPresent
          args:
            # Trust anchor (presumably also used to populate the webhook's caBundle) and the TLS
            # serving pair, all read from the read-only certs mount.
            - --caCertFile=/etc/istio/certs/root-cert.pem
            - --tlsCertFile=/etc/istio/certs/cert-chain.pem
            - --tlsKeyFile=/etc/istio/certs/key.pem
            # Injection template and mesh config, both mounted from ConfigMaps.
            - --injectConfig=/etc/istio/inject/config
            - --meshConfig=/etc/istio/config/mesh
            # Presumably the process refreshes /health every 2s and the probes below check that
            # the file is younger than 4s.
            - --healthCheckInterval=2s
            - --healthCheckFile=/health
          # All mounts are read-only.
          volumeMounts:
            - name: config-volume
              mountPath: /etc/istio/config
              readOnly: true
            - name: certs
              mountPath: /etc/istio/certs
              readOnly: true
            - name: inject-config
              mountPath: /etc/istio/inject
              readOnly: true
          livenessProbe:
            exec:
              command:
                - /usr/local/bin/sidecar-injector
                - probe
                - --probe-path=/health
                - --interval=4s
            initialDelaySeconds: 4
            periodSeconds: 4
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/sidecar-injector
                - probe
                - --probe-path=/health
                - --interval=4s
            initialDelaySeconds: 4
            periodSeconds: 4
          # Requests only; no limits.
          resources:
            requests:
              cpu: 10m
      volumes:
        - name: config-volume
          configMap:
            name: istio
        # Serving certificate for the webhook. Not marked optional, so the pod waits in
        # ContainerCreating until the secret exists — the safer failure mode for an admission
        # webhook than starting without a usable certificate.
        - name: certs
          secret:
            secretName: istio.istio-sidecar-injector-service-account
        # Only the two listed keys of the ConfigMap are projected.
        - name: inject-config
          configMap:
            name: istio-sidecar-injector
            items:
              - key: config
                path: config
              - key: values
                path: values
      affinity:
        nodeAffinity:
          # Hard requirement: only the listed CPU architectures.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  # NOTE(review): beta.kubernetes.io/arch is the legacy label name — confirm the
                  # target nodes still carry it.
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          # Equal-weight soft preferences: no effective preference among the three.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
--- | |
# Source: istio/templates/metadata-exchange-filter.yaml
# Inserts the metadata-exchange extension as the FIRST HTTP filter on sidecar inbound,
# sidecar outbound and gateway listeners. The three entries differ only in listenerType.
# Placed in istio-system, which presumably makes it apply mesh-wide.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: metadata-exchange
  namespace: istio-system
spec:
  filters:
    - filterConfig:
        configuration: envoy.wasm.metadata_exchange
        vm_config:
          code:
            # Names a plugin built into the proxy binary rather than carrying Wasm bytecode.
            inline_string: envoy.wasm.metadata_exchange
          # Null VM: the plugin presumably runs as native code in-process, without the Wasm
          # sandbox. Anything later loaded here as real bytecode would need a non-null VM.
          vm: envoy.wasm.vm.null
      filterName: envoy.wasm
      filterType: HTTP
      insertPosition:
        index: FIRST
      listenerMatch:
        listenerProtocol: HTTP
        listenerType: SIDECAR_INBOUND
    - filterConfig:
        configuration: envoy.wasm.metadata_exchange
        vm_config:
          code:
            inline_string: envoy.wasm.metadata_exchange
          vm: envoy.wasm.vm.null
      filterName: envoy.wasm
      filterType: HTTP
      insertPosition:
        index: FIRST
      listenerMatch:
        listenerProtocol: HTTP
        listenerType: SIDECAR_OUTBOUND
    - filterConfig:
        configuration: envoy.wasm.metadata_exchange
        vm_config:
          code:
            inline_string: envoy.wasm.metadata_exchange
          vm: envoy.wasm.vm.null
      filterName: envoy.wasm
      filterType: HTTP
      insertPosition:
        index: FIRST
      listenerMatch:
        listenerProtocol: HTTP
        listenerType: GATEWAY
--- | |
# Source: istio/templates/stats-filter.yaml
# Inserts the stats extension immediately BEFORE envoy.router on gateway, sidecar inbound
# and sidecar outbound HTTP listeners. The three entries differ only in listenerType.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: stats-filter
  namespace: istio-system
spec:
  filters:
    - filterConfig:
        # Handed to the extension as opaque text (a literal block scalar, trailing newline
        # kept). NOTE(review): the object has a trailing comma after "stat_prefix", which
        # strict JSON parsers reject — confirm the consumer's parser is lenient, or drop it.
        configuration: |
          {
            "debug": "false",
            "stat_prefix": "istio",
          }
        vm_config:
          code:
            # Names a plugin built into the proxy rather than carrying Wasm bytecode.
            inline_string: envoy.wasm.stats
          # Null VM: presumably runs the plugin as native code in-process, without the Wasm
          # sandbox.
          vm: envoy.wasm.vm.null
      filterName: envoy.wasm
      filterType: HTTP
      insertPosition:
        index: BEFORE
        relativeTo: envoy.router
      listenerMatch:
        listenerProtocol: HTTP
        listenerType: GATEWAY
    - filterConfig:
        configuration: |
          {
            "debug": "false",
            "stat_prefix": "istio",
          }
        vm_config:
          code:
            inline_string: envoy.wasm.stats
          vm: envoy.wasm.vm.null
      filterName: envoy.wasm
      filterType: HTTP
      insertPosition:
        index: BEFORE
        relativeTo: envoy.router
      listenerMatch:
        listenerProtocol: HTTP
        listenerType: SIDECAR_INBOUND
    - filterConfig:
        configuration: |
          {
            "debug": "false",
            "stat_prefix": "istio",
          }
        vm_config:
          code:
            inline_string: envoy.wasm.stats
          vm: envoy.wasm.vm.null
      filterName: envoy.wasm
      filterType: HTTP
      insertPosition:
        index: BEFORE
        relativeTo: envoy.router
      listenerMatch:
        listenerProtocol: HTTP
        listenerType: SIDECAR_OUTBOUND
--- | |
# Source: istio/charts/istio/charts/gateways/templates/autoscale.yaml
# CPU-based autoscaling for the ingress gateway, 1..5 replicas at 80% average utilisation.
# NOTE(review): autoscaling/v2beta1 is removed in later Kubernetes releases.
# NOTE(review): if a PodDisruptionBudget with minAvailable: 1 targets this workload, a single
# replica can never be voluntarily evicted and node drains will hang — confirm.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: istio-system
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway
  metrics:
    - type: Resource
      resource:
        name: cpu
        # Percentage of the container's CPU request, so the target only works if the
        # Deployment sets CPU requests.
        targetAverageUtilization: 80
--- | |
--- | |
# Source: istio/charts/istio/charts/mixer/templates/autoscale.yaml
# CPU-based autoscaling for the Mixer policy Deployment, 1..5 replicas at 80% utilisation.
# NOTE(review): autoscaling/v2beta1 is removed in later Kubernetes releases.
# NOTE(review): if a PodDisruptionBudget with minAvailable: 1 targets this workload, a single
# replica can never be voluntarily evicted and node drains will hang — confirm.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-policy
  metrics:
    - type: Resource
      resource:
        name: cpu
        # Percentage of the container's CPU request.
        targetAverageUtilization: 80
--- | |
# CPU-based autoscaling for the Mixer telemetry Deployment, 1..5 replicas at 80% utilisation.
# NOTE(review): autoscaling/v2beta1 is removed in later Kubernetes releases.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-telemetry
  metrics:
    - type: Resource
      resource:
        name: cpu
        # Percentage of the container's CPU request.
        targetAverageUtilization: 80
--- | |
--- | |
# Source: istio/charts/istio/charts/pilot/templates/autoscale.yaml
# CPU-based autoscaling for Pilot, 1..5 replicas at 80% utilisation. This is why the Pilot
# Deployment declares no replica count of its own.
# NOTE(review): autoscaling/v2beta1 is removed in later Kubernetes releases.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: istio-system
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-pilot
  metrics:
    - type: Resource
      resource:
        name: cpu
        # Percentage of the discovery container's 500m CPU request.
        targetAverageUtilization: 80
--- | |
--- | |
# Source: istio/charts/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
# Cluster-scoped registration of the sidecar-injection webhook. Anything that can write this
# object can redirect or disable injection for the whole cluster, so guard it with RBAC like a
# control-plane secret.
# NOTE(review): admissionregistration.k8s.io/v1beta1 is removed in later Kubernetes releases.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: istio-system
webhooks:
  - name: sidecar-injector.istio.io
    clientConfig:
      service:
        name: istio-sidecar-injector
        namespace: istio-system
        path: "/inject"
      # Empty at install time, so the API server cannot yet verify the webhook's certificate.
      # Presumably the injector patches this field with its root certificate at startup; until
      # then, failurePolicy: Fail below means matching pods are rejected rather than admitted
      # through an unverified webhook.
      caBundle: ""
    rules:
      # Only pod creation is intercepted; pod updates are never mutated.
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    # Fail closed: if the webhook is unreachable, matching pods are rejected. This prevents
    # un-injected pods from slipping into the mesh, at the cost of availability whenever
    # istio-sidecar-injector is down.
    failurePolicy: Fail
    # Opt-in per namespace: only namespaces labelled istio-injection=enabled are affected.
    # NOTE(review): no timeoutSeconds or sideEffects is declared, so the v1beta1 defaults apply.
    namespaceSelector:
      matchLabels:
        istio-injection: enabled
--- | |
# The templates listed below rendered to empty documents with the values used for this
# manifest.
# NOTE(review): enable-mesh-mtls.yaml and enable-mesh-permissive.yaml are both empty, so this
# manifest carries no mesh-wide authentication policy (MeshPolicy); the effective mTLS mode is
# whatever the control plane defaults to — confirm that is the intended posture.
# NOTE(review): galley's validatingwebhookconfiguration template is also empty; presumably
# galley registers its validating webhook at runtime — verify that configuration validation
# is actually active on the cluster.
# Source: istio/charts/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl
---
# Source: istio/charts/istio/charts/gateways/templates/preconfigured.yaml
---
# Source: istio/charts/istio/charts/pilot/templates/meshexpansion.yaml
---
# Source: istio/charts/istio/charts/security/templates/enable-mesh-mtls.yaml
---
# Source: istio/charts/istio/charts/security/templates/enable-mesh-permissive.yaml
---
# Source: istio/charts/istio/charts/security/templates/meshexpansion.yaml
---
# Source: istio/charts/istio/charts/security/templates/tests/test-citadel-connection.yaml
---
# Source: istio/charts/istio/templates/endpoints.yaml
---
# Source: istio/charts/istio/templates/install-custom-resources.sh.tpl
---
# Source: istio/charts/istio/templates/service.yaml
--- | |
# Source: istio/charts/istio/charts/mixer/templates/config.yaml
# Declares the attributes the proxy reports to Mixer and their value types. The metric
# instances later in this manifest reference these names in their expressions.
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
  name: istioproxy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  attributes:
    origin.ip:
      valueType: IP_ADDRESS
    origin.uid:
      valueType: STRING
    origin.user:
      valueType: STRING
    # Full request header map. Can contain Authorization/Cookie values — avoid feeding it into
    # log or metric dimensions.
    request.headers:
      valueType: STRING_MAP
    request.id:
      valueType: STRING
    request.host:
      valueType: STRING
    request.method:
      valueType: STRING
    request.path:
      valueType: STRING
    request.url_path:
      valueType: STRING
    # Query parameters may carry tokens; same caution as request.headers.
    request.query_params:
      valueType: STRING_MAP
    request.reason:
      valueType: STRING
    request.referer:
      valueType: STRING
    request.scheme:
      valueType: STRING
    request.total_size:
      valueType: INT64
    request.size:
      valueType: INT64
    request.time:
      valueType: TIMESTAMP
    request.useragent:
      valueType: STRING
    response.code:
      valueType: INT64
    response.duration:
      valueType: DURATION
    response.headers:
      valueType: STRING_MAP
    response.total_size:
      valueType: INT64
    response.size:
      valueType: INT64
    response.time:
      valueType: TIMESTAMP
    response.grpc_status:
      valueType: STRING
    response.grpc_message:
      valueType: STRING
    source.uid:
      valueType: STRING
    source.user: # DEPRECATED
      valueType: STRING
    # Peer identities (presumably from the mTLS certificates); the metric instances use these
    # as source_principal / destination_principal.
    source.principal:
      valueType: STRING
    destination.uid:
      valueType: STRING
    destination.principal:
      valueType: STRING
    destination.port:
      valueType: INT64
    connection.event:
      valueType: STRING
    connection.id:
      valueType: STRING
    connection.received.bytes:
      valueType: INT64
    connection.received.bytes_total:
      valueType: INT64
    connection.sent.bytes:
      valueType: INT64
    connection.sent.bytes_total:
      valueType: INT64
    connection.duration:
      valueType: DURATION
    # Whether the connection was mutually authenticated; feeds connection_security_policy.
    connection.mtls:
      valueType: BOOL
    connection.requested_server_name:
      valueType: STRING
    context.protocol:
      valueType: STRING
    context.proxy_error_code:
      valueType: STRING
    context.timestamp:
      valueType: TIMESTAMP
    context.time:
      valueType: TIMESTAMP
    # Deprecated, kept for compatibility
    context.reporter.local:
      valueType: BOOL
    context.reporter.kind:
      valueType: STRING
    context.reporter.uid:
      valueType: STRING
    api.service:
      valueType: STRING
    api.version:
      valueType: STRING
    api.operation:
      valueType: STRING
    api.protocol:
      valueType: STRING
    request.auth.principal:
      valueType: STRING
    request.auth.audiences:
      valueType: STRING
    request.auth.presenter:
      valueType: STRING
    request.auth.claims:
      valueType: STRING_MAP
    # Credential material: raw claims and API keys are secrets, not telemetry. Never use these
    # as log fields or metric labels, and treat adapters that reference them as sensitive.
    request.auth.raw_claims:
      valueType: STRING
    request.api_key:
      valueType: STRING
    rbac.permissive.response_code:
      valueType: STRING
    rbac.permissive.effective_policy_id:
      valueType: STRING
    check.error_code:
      valueType: INT64
    check.error_message:
      valueType: STRING
    check.cache_hit:
      valueType: BOOL
    quota.cache_hit:
      valueType: BOOL
    context.proxy_version:
      valueType: STRING
--- | |
# Attributes resolved from Kubernetes metadata (pod labels, workload and service names) rather
# than reported by the proxy; the metric instances use the *.workload.* and *.service.* names
# below as their dimensions.
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
  name: kubernetes
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  attributes:
    source.ip:
      valueType: IP_ADDRESS
    source.labels:
      valueType: STRING_MAP
    source.metadata:
      valueType: STRING_MAP
    source.name:
      valueType: STRING
    source.namespace:
      valueType: STRING
    source.owner:
      valueType: STRING
    source.serviceAccount:
      valueType: STRING
    source.services:
      valueType: STRING
    source.workload.uid:
      valueType: STRING
    source.workload.name:
      valueType: STRING
    source.workload.namespace:
      valueType: STRING
    destination.ip:
      valueType: IP_ADDRESS
    destination.labels:
      valueType: STRING_MAP
    destination.metadata:
      valueType: STRING_MAP
    destination.owner:
      valueType: STRING
    destination.name:
      valueType: STRING
    destination.container.name:
      valueType: STRING
    destination.namespace:
      valueType: STRING
    destination.service.uid:
      valueType: STRING
    # Note the distinction between service.name (short name) and service.host (full host);
    # the metric instances are not consistent about which one they use for destination_service.
    destination.service.name:
      valueType: STRING
    destination.service.namespace:
      valueType: STRING
    destination.service.host:
      valueType: STRING
    destination.serviceAccount:
      valueType: STRING
    destination.workload.uid:
      valueType: STRING
    destination.workload.name:
      valueType: STRING
    destination.workload.namespace:
      valueType: STRING
--- | |
--- | |
# Metric instance behind istio_requests_total: one sample per HTTP/gRPC request.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestcount
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledTemplate: metric
  params:
    # Each report counts one request.
    value: "1"
    # Dimensions become the Prometheus label set. Every expression falls back to a fixed
    # default (| "unknown" etc.) so a missing attribute never drops the sample.
    dimensions:
      # Which side reported the sample; defaults to the destination when the kind is unknown.
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      # Peer identities from mTLS; "unknown" on unauthenticated connections.
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # Full service host here (the TCP connection instances use the short service name).
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # NOTE(review): a missing response code is recorded as 200, which can hide failures in
      # error-rate dashboards — confirm this default is acceptable.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # Only meaningful on the destination side, where connection.mtls is known; reported as
      # "unknown" by the source. Useful for alerting on plaintext traffic inside the mesh.
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      # A quoted string literal inside the expression language, not an attribute reference.
      monitored_resource_type: '"UNSPECIFIED"'
--- | |
# Metric instance behind the request-duration distribution, same label set as requestcount.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestduration
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledTemplate: metric
  params:
    # Duration of the response; a missing value is recorded as zero.
    value: response.duration | "0ms"
    # Every dimension has a fixed fallback so a missing attribute never drops the sample.
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # NOTE(review): a missing response code defaults to 200 — confirm this is acceptable.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # Only the destination side knows connection.mtls; the source reports "unknown".
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      monitored_resource_type: '"UNSPECIFIED"'
--- | |
# Metric instance behind the request-size distribution, same label set as requestcount.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestsize
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledTemplate: metric
  params:
    # Request body size; a missing value is recorded as zero.
    value: request.size | 0
    # Every dimension has a fixed fallback so a missing attribute never drops the sample.
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # NOTE(review): a missing response code defaults to 200 — confirm this is acceptable.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # Only the destination side knows connection.mtls; the source reports "unknown".
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      monitored_resource_type: '"UNSPECIFIED"'
--- | |
# Metric instance behind the response-size distribution, same label set as requestcount.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: responsesize
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledTemplate: metric
  params:
    # Response body size; a missing value is recorded as zero.
    value: response.size | 0
    # Every dimension has a fixed fallback so a missing attribute never drops the sample.
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # NOTE(review): a missing response code defaults to 200 — confirm this is acceptable.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # Only the destination side knows connection.mtls; the source reports "unknown".
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      monitored_resource_type: '"UNSPECIFIED"'
--- | |
# TCP metric instance: bytes sent on a connection. No HTTP-only dimensions (protocol,
# response code, RBAC permissive fields).
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpbytesent
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledTemplate: metric
  params:
    # Bytes sent since the previous report; a missing value is recorded as zero.
    value: connection.sent.bytes | 0
    # Every dimension has a fixed fallback so a missing attribute never drops the sample.
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # Full service host, as in the HTTP instances (the connections-opened/closed instances
      # use the short service name instead).
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Only the destination side knows connection.mtls; the source reports "unknown".
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
--- | |
# TCP metric instance: bytes received on a connection. Same dimensions as tcpbytesent.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpbytereceived
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledTemplate: metric
  params:
    # Bytes received since the previous report; a missing value is recorded as zero.
    value: connection.received.bytes | 0
    # Every dimension has a fixed fallback so a missing attribute never drops the sample.
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # Full service host, as in the HTTP instances.
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Only the destination side knows connection.mtls; the source reports "unknown".
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
--- | |
# TCP metric instance: one sample per connection opened.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpconnectionsopened
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledTemplate: metric
  params:
    # Each report counts one opened connection.
    value: "1"
    # Every dimension has a fixed fallback so a missing attribute never drops the sample.
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # NOTE(review): every other instance in this manifest derives destination_service from
      # destination.service.host; here it is the short destination.service.name (duplicating
      # destination_service_name below). The same label therefore holds different values across
      # metrics, which breaks joins in dashboards — likely unintended; confirm and align on
      # destination.service.host.
      destination_service: destination.service.name | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Only the destination side knows connection.mtls; the source reports "unknown".
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
--- | |
# TCP metric instance: one sample per connection closed.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpconnectionsclosed
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledTemplate: metric
  params:
    # Each report counts one closed connection.
    value: "1"
    # Every dimension has a fixed fallback so a missing attribute never drops the sample.
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # NOTE(review): uses the short destination.service.name where the HTTP and byte-count
      # instances use destination.service.host, so this label's values differ across metrics —
      # likely unintended; confirm and align on destination.service.host.
      destination_service: destination.service.name | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Only the destination side knows connection.mtls; the source reports "unknown".
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
---
# Mixer handler that exports the metric instances of this file through the
# built-in prometheus adapter. Each entry under "metrics" binds one exported
# metric to one instance (referenced as <instance>.instance.<namespace>) and
# fixes the label set it is exported with; every listed label must be a
# dimension of the instance.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledAdapter: prometheus
  params:
    # Time series that receive no report within this window are expired from
    # the exporter, which bounds memory for short-lived label combinations.
    metricsExpirationPolicy:
      metricsExpiryDuration: "10m"
    metrics:
      # HTTP/gRPC request counter (see the "promhttp" rule for the match).
      - name: requests_total
        instance_name: requestcount.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
      # Request latency histogram; bounds are in seconds, as the name says.
      - name: request_duration_seconds
        instance_name: requestduration.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          explicit_buckets:
            bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
      # Request body size histogram with exponentially growing buckets
      # (8 finite buckets starting at 1 byte, each 10x the previous).
      - name: request_bytes
        instance_name: requestsize.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          exponentialBuckets:
            numFiniteBuckets: 8
            scale: 1
            growthFactor: 10
      # Response body size histogram; same bucket layout as request_bytes.
      - name: response_bytes
        instance_name: responsesize.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          exponentialBuckets:
            numFiniteBuckets: 8
            scale: 1
            growthFactor: 10
      # TCP metrics below carry no request_protocol / response_code labels,
      # since those attributes only exist for HTTP and gRPC traffic.
      - name: tcp_sent_bytes_total
        instance_name: tcpbytesent.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      - name: tcp_received_bytes_total
        instance_name: tcpbytereceived.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      # Reported by the "promtcpconnectionopen" rule.
      - name: tcp_connections_opened_total
        instance_name: tcpconnectionsopened.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      # Reported by the "promtcpconnectionclosed" rule.
      - name: tcp_connections_closed_total
        instance_name: tcpconnectionsclosed.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
---
# Rule that reports the four HTTP/gRPC metric instances to the prometheus
# handler for every http or grpc request whose User-Agent does not look like a
# kubelet probe or a Prometheus scrape.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promhttp
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  # NOTE(review): the exclusion keys on request.useragent, a header the client
  # controls, so requests carrying a matching User-Agent are never counted.
  # Treat these metrics as best-effort traffic telemetry, not as a complete
  # request ledger for audit or anomaly detection; a missing header defaults
  # to "-" and is counted.
  match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false)
  actions:
    - handler: prometheus
      instances:
        - requestcount
        - requestduration
        - requestsize
        - responsesize
---
# Rule that reports the TCP byte counters to the prometheus handler for every
# TCP report; connection open/close counts have their own rules below.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcp
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  match: context.protocol == "tcp"
  actions:
    - handler: prometheus
      instances:
        - tcpbytesent
        - tcpbytereceived
---
# Rule that reports the tcpconnectionsopened instance once per TCP connection
# open event. connection.event defaults to "na" when absent, so reports that
# carry no event attribute are not counted here.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcpconnectionopen
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  match: context.protocol == "tcp" && ((connection.event | "na") == "open")
  actions:
    - handler: prometheus
      instances:
        - tcpconnectionsopened
---
# Rule that reports the tcpconnectionsclosed instance once per TCP connection
# close event; mirrors "promtcpconnectionopen" with the "close" event.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcpconnectionclosed
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  match: context.protocol == "tcp" && ((connection.event | "na") == "close")
  actions:
    - handler: prometheus
      instances:
        - tcpconnectionsclosed
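---
# Mixer handler for the built-in kubernetesenv adapter, which resolves pod
# identity (uid, ip) into workload, namespace, owner, labels and service
# account for the "attributes" instance below. With no params it uses the
# in-cluster configuration of the Mixer pod.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: kubernetesenv
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledAdapter: kubernetesenv
  # Explicit empty mapping: a bare "params:" parses as null, which some YAML
  # linters and validators reject. Uncomment kubeconfig_path only for the
  # out-of-cluster development setup described below.
  params: {}
    # when running from mixer root, use the following config after adding a
    # symbolic link to a kubernetes config file via:
    #
    # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
    #
    # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"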
---
# Rule that runs the "attributes" instance through the kubernetesenv handler.
# It has no "match", so it applies to every report Mixer receives; it is what
# populates the source.*/destination.* attributes the metric instances read.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: kubeattrgenrulerule
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  actions:
    - handler: kubernetesenv
      instances:
        - attributes
---
# TCP-only variant of "kubeattrgenrulerule": same handler and instance, but
# restricted to reports with context.protocol == "tcp".
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: tcpkubeattrgenrulerule
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  match: context.protocol == "tcp"
  actions:
    - handler: kubernetesenv
      instances:
        - attributes
---
# Instance of the "kubernetes" template: hands pod identifiers to the
# kubernetesenv adapter and binds the adapter's output ($out) back onto the
# source.* and destination.* attributes that the rest of this file reads.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: attributes
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  compiledTemplate: kubernetes
  params:
    # Pass the required attribute data to the adapter
    source_uid: source.uid | ""
    source_ip: source.ip | ip("0.0.0.0")  # default to unspecified ip addr
    destination_uid: destination.uid | ""
    destination_port: destination.port | 0
  attributeBindings:
    # Fill the new attributes from the adapter produced output.
    # $out refers to an instance of OutputTemplate message
    source.ip: $out.source_pod_ip | ip("0.0.0.0")
    source.uid: $out.source_pod_uid | "unknown"
    source.labels: $out.source_labels | emptyStringMap()
    source.name: $out.source_pod_name | "unknown"
    # NOTE(review): a source the adapter cannot resolve is attributed to the
    # "istio-system" namespace rather than "unknown". Anything downstream that
    # keys on source.namespace (policy, dashboards, alerts) should allow for
    # unresolved callers landing in this bucket.
    source.namespace: $out.source_namespace | "istio-system"
    source.owner: $out.source_owner | "unknown"
    source.serviceAccount: $out.source_service_account_name | "unknown"
    source.workload.uid: $out.source_workload_uid | "unknown"
    source.workload.name: $out.source_workload_name | "unknown"
    source.workload.namespace: $out.source_workload_namespace | "unknown"
    destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
    destination.uid: $out.destination_pod_uid | "unknown"
    destination.labels: $out.destination_labels | emptyStringMap()
    destination.name: $out.destination_pod_name | "unknown"
    destination.container.name: $out.destination_container_name | "unknown"
    # Same "istio-system" fallback as source.namespace above.
    destination.namespace: $out.destination_namespace | "istio-system"
    destination.owner: $out.destination_owner | "unknown"
    destination.serviceAccount: $out.destination_service_account_name | "unknown"
    destination.workload.uid: $out.destination_workload_uid | "unknown"
    destination.workload.name: $out.destination_workload_name | "unknown"
    destination.workload.namespace: $out.destination_workload_namespace | "unknown"
---
# Configuration needed by Mixer.
# Mixer cluster is delivered via CDS
# Specify mixer cluster settings
# DestinationRule for the policy (check) endpoint of Mixer. Port 15004 is the
# mTLS port: sidecars reach it with ISTIO_MUTUAL, i.e. Istio-issued client
# certificates, so the policy channel is authenticated and encrypted even when
# the rest of the mesh runs in permissive mode. The connection pool limits are
# per-port as well.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  host: istio-policy.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 15004
        tls:
          mode: ISTIO_MUTUAL
        connectionPool:
          http:
            http2MaxRequests: 10000
            maxRequestsPerConnection: 10000
---
# DestinationRule for the telemetry (report) endpoint of Mixer; identical to
# the istio-policy rule above apart from the host. Port 15004 is reached with
# ISTIO_MUTUAL so telemetry reports travel over mTLS with Istio-issued certs.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: istio-system
spec:
  host: istio-telemetry.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 15004
        tls:
          mode: ISTIO_MUTUAL
        connectionPool:
          http:
            http2MaxRequests: 10000
            maxRequestsPerConnection: 10000
---