@fentas
Created April 18, 2019 22:20
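# Workload namespace. The `istio-injection: enabled` label opts every pod
# created here into automatic Envoy sidecar injection by Istio's admission
# webhook; pods in namespaces without the label are not injected.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    istio-injection: enabled
  name: project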
---
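# Namespace for the Istio control plane. It carries no `istio-injection`
# label, so sidecars are not auto-injected here.
# The `unknown` component/part-of values are unfilled placeholders; do not
# rely on them for label-based policy or inventory.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-system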
---
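# Namespace for the MetalLB load balancer components.
# NOTE(review): no network or admission policy for this namespace is visible
# on this page — confirm it is defined elsewhere.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: metallb-system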
---
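# Namespace labelled as storage; by its name, the home of the Rook operator.
# NOTE(review): storage operators usually run with host-level privileges —
# confirm who can create workloads or read secrets in this namespace.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-system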
---
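# Namespace for the Ceph cluster itself; the `rook-ceph-block` StorageClass
# on this page points at it through `clusterNamespace: rook-ceph`.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph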
---
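# Default StorageClass backed by the Rook Ceph block provisioner.
# - `is-default-class: "true"`: PVCs that name no class are provisioned here.
# - `reclaimPolicy: Delete`: removing a PVC also removes the volume and its
#   data; use `Retain` where data must survive accidental or unauthorised
#   deletes.
# NOTE(review): the component/name labels say loadbalancer/metallb although
# the provisioner is Ceph — they look copied from another overlay, and
# label-based inventories or audits will misfile this object.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
  labels:
    app.kubernetes.io/component: loadbalancer
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: metallb
    app.kubernetes.io/part-of: project
    app.kubernetes.io/stage: localism
  name: rook-ceph-block
  # StorageClass is a cluster-scoped kind, so this field does not confine
  # the class to the `project` namespace.
  namespace: project
parameters:
  blockPool: replicapool
  clusterNamespace: rook-ceph
  fstype: ext4
provisioner: ceph.rook.io/block
reclaimPolicy: Delete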
---
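# CRD for the Mixer `adapter` kind (config.istio.io, version v1alpha2).
# No `validation` schema is declared, so the API server accepts any object
# body for this kind; restrict create/update on it through RBAC.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: adapter
  name: adapters.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: adapter
    plural: adapters
    singular: adapter
  scope: Namespaced
  version: v1alpha2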
---
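# CRD for the Mixer `apikey` instance template (config.istio.io/v1alpha2).
# NOTE(review): presumably these objects hold attribute expressions rather
# than key material — confirm before treating read access as harmless.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: apikey
  name: apikeys.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: apikey
    plural: apikeys
    singular: apikey
  scope: Namespaced
  version: v1alpha2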
---
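# CRD for the Mixer `attributemanifest` kind (config.istio.io/v1alpha2),
# labelled `istio: core`.
# `apiextensions.k8s.io/v1beta1` was removed in Kubernetes 1.22; the v1 API
# requires a structural schema for every served version.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: core
    package: istio.io.mixer
  name: attributemanifests.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: attributemanifest
    plural: attributemanifests
    singular: attributemanifest
  scope: Namespaced
  version: v1alpha2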
---
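# CRD for Istio's AuthorizationPolicy kind (rbac.istio.io/v1alpha1).
# With no `validation` schema, a v1beta1 CRD stores unknown fields instead
# of rejecting them, so a misspelled field in an access policy is accepted
# silently; review such objects and keep write access narrow.
# Unlike the sibling Istio CRDs it has no `helm.sh/resource-policy` annotation.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: rbac
  name: authorizationpolicies.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: AuthorizationPolicy
    plural: authorizationpolicies
    singular: authorizationpolicy
  scope: Namespaced
  version: v1alpha1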
---
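# CRD for the Mixer `authorization` instance template
# (config.istio.io/v1alpha2). Objects of this kind feed policy checks, and
# no `validation` schema guards their shape; limit who may write them.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: authorization
  name: authorizations.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: authorization
    plural: authorizations
    singular: authorization
  scope: Namespaced
  version: v1alpha2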
---
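# CRD for the Mixer `bypass` adapter (config.istio.io/v1alpha2).
# `helm.sh/resource-policy: keep` makes Helm leave the CRD in place on
# uninstall, so the type and its objects outlive the release.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: bypass
  name: bypasses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: bypass
    plural: bypasses
    singular: bypass
  scope: Namespaced
  version: v1alpha2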
---
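# CRD for Rook's CephBlockPool kind (ceph.rook.io/v1). The StorageClass on
# this page names a pool (`blockPool: replicapool`), presumably an object
# of this kind. No `validation` schema is declared for pool specs.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: cephblockpools.ceph.rook.io
spec:
  group: ceph.rook.io
  names:
    kind: CephBlockPool
    listKind: CephBlockPoolList
    plural: cephblockpools
    singular: cephblockpool
  scope: Namespaced
  version: v1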
---
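# CRD for Rook's CephCluster kind (ceph.rook.io/v1). Unlike the other CRDs
# shown alongside it, this one declares an OpenAPI validation schema, but
# the schema is partial: several fields accept anything (see notes below).
# A CephCluster spec sets node-level options (host path, host networking,
# device selection), so write access to this kind belongs to cluster admins.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: cephclusters.ceph.rook.io
spec:
  additionalPrinterColumns:
  - JSONPath: .spec.dataDirHostPath
    description: Directory used on the K8s nodes
    name: DataDirHostPath
    type: string
  - JSONPath: .spec.mon.count
    description: Number of MONs
    name: MonCount
    type: string
  - JSONPath: .metadata.creationTimestamp
    name: Age
    type: date
  - JSONPath: .status.state
    description: Current State
    name: State
    type: string
  group: ceph.rook.io
  names:
    kind: CephCluster
    listKind: CephClusterList
    plural: cephclusters
    singular: cephcluster
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        spec:
          properties:
            cephVersion:
              properties:
                allowUnsupported:
                  type: boolean
                image:
                  type: string
                name:
                  pattern: ^(luminous|mimic|nautilus)$
                  type: string
            dashboard:
              properties:
                enabled:
                  type: boolean
                port:
                  type: integer
                urlPrefix:
                  type: string
            dataDirHostPath:
              # Requires a leading "/" plus at least one non-space character.
              # There is no "$" anchor, so the rest of the value is unchecked
              # and any absolute directory on the node passes.
              pattern: ^/(\S+)
              type: string
            mon:
              properties:
                allowMultiplePerNode:
                  type: boolean
                count:
                  maximum: 9
                  minimum: 1
                  type: integer
              required:
              - count
            network:
              properties:
                hostNetwork:
                  type: boolean
            storage:
              properties:
                nodes:
                  # Empty item schema: node entries are not validated.
                  items: {}
                  type: array
                # Empty schema: any type is accepted for this field.
                useAllDevices: {}
                useAllNodes:
                  type: boolean
          required:
          - mon
  version: v1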
---
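# CRD for Rook's CephFilesystem kind (ceph.rook.io/v1). Only printer columns
# are defined; there is no `validation` schema, so the API server does not
# check filesystem specs before the operator acts on them.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: cephfilesystems.ceph.rook.io
spec:
  additionalPrinterColumns:
  - JSONPath: .spec.metadataServer.activeCount
    description: Number of MDSs
    name: MdsCount
    type: string
  - JSONPath: .metadata.creationTimestamp
    name: Age
    type: date
  group: ceph.rook.io
  names:
    kind: CephFilesystem
    listKind: CephFilesystemList
    plural: cephfilesystems
    singular: cephfilesystem
  scope: Namespaced
  version: v1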
---
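# CRD for Rook's CephNFS kind (ceph.rook.io/v1), short name `nfs`.
# NOTE(review): objects of this kind presumably expose storage over NFS —
# confirm which namespaces may create them and how the exports are reached.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: cephnfses.ceph.rook.io
spec:
  group: ceph.rook.io
  names:
    kind: CephNFS
    listKind: CephNFSList
    plural: cephnfses
    shortNames:
    - nfs
    singular: cephnfs
  scope: Namespaced
  version: v1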
---
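# CRD for Rook's CephObjectStore kind (ceph.rook.io/v1).
# No `validation` schema is declared; the API server accepts any spec for
# this kind, so restrict create/update to storage administrators.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: cephobjectstores.ceph.rook.io
spec:
  group: ceph.rook.io
  names:
    kind: CephObjectStore
    listKind: CephObjectStoreList
    plural: cephobjectstores
    singular: cephobjectstore
  scope: Namespaced
  version: v1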
---
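# CRD for Rook's CephObjectStoreUser kind (ceph.rook.io/v1).
# NOTE(review): creating such an object presumably makes the operator issue
# object-store credentials — treat create access as credential-issuing and
# check where the resulting secrets are stored.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: cephobjectstoreusers.ceph.rook.io
spec:
  group: ceph.rook.io
  names:
    kind: CephObjectStoreUser
    listKind: CephObjectStoreUserList
    plural: cephobjectstoreusers
    singular: cephobjectstoreuser
  scope: Namespaced
  version: v1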
---
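# CRD for cert-manager's Certificate kind under the legacy
# `certmanager.k8s.io` group (v1alpha1), labelled as part of `istio-init`.
# A Certificate names the Secret that receives the key pair (see the
# `Secret` column), so create rights on this kind amount to the right to
# request certificates from any issuer the object may reference.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: certificates.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.secretName
    name: Secret
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Certificate
    plural: certificates
    shortNames:
    - cert
    - certs
  scope: Namespaced
  version: v1alpha1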
---
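# CRD for cert-manager's Challenge kind (legacy `certmanager.k8s.io` group,
# v1alpha1). The printer columns expose the challenged DNS name and the
# failure reason, which helps when auditing certificate issuance.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: challenges.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.dnsName
    name: Domain
    type: string
  - JSONPath: .status.reason
    name: Reason
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Challenge
    plural: challenges
  scope: Namespaced
  version: v1alpha1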
---
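# CRD for the Mixer `checknothing` instance template
# (config.istio.io/v1alpha2). No `validation` schema is declared, so object
# shape is not checked by the API server.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: checknothing
  name: checknothings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: checknothing
    plural: checknothings
    singular: checknothing
  scope: Namespaced
  version: v1alpha2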
---
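# CRD for the Mixer `circonus` adapter (config.istio.io/v1alpha2).
# NOTE(review): adapter configs for external telemetry backends may carry
# endpoints or tokens — confirm, and scope read access accordingly.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: circonus
  name: circonuses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: circonus
    plural: circonuses
    singular: circonus
  scope: Namespaced
  version: v1alpha2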
---
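# CRD for the Mixer `cloudwatch` adapter (config.istio.io/v1alpha2).
# NOTE(review): confirm how the adapter obtains cloud credentials and that
# they are not placed in objects of this kind, which have no schema check.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: cloudwatch
  name: cloudwatches.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: cloudwatch
    plural: cloudwatches
    singular: cloudwatch
  scope: Namespaced
  version: v1alpha2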
---
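# CRD for cert-manager's ClusterIssuer kind (legacy `certmanager.k8s.io`
# group, v1alpha1). `scope: Cluster` means one issuer can be referenced by
# Certificates in every namespace, so grant write access through a
# ClusterRole held by administrators only.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: clusterissuers.certmanager.k8s.io
spec:
  group: certmanager.k8s.io
  names:
    kind: ClusterIssuer
    plural: clusterissuers
  scope: Cluster
  version: v1alpha1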
---
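# CRD for Istio's ClusterRbacConfig kind (rbac.istio.io/v1alpha1),
# cluster-scoped. Objects of this kind configure Istio RBAC for the whole
# mesh, and no `validation` schema checks them; audit changes to this
# resource and keep write access with mesh administrators.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: rbac
  name: clusterrbacconfigs.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: ClusterRbacConfig
    plural: clusterrbacconfigs
    singular: clusterrbacconfig
  scope: Cluster
  version: v1alpha1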
---
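# CRD for the Mixer `denier` adapter (config.istio.io/v1alpha2), a policy
# adapter. Deleting or editing these objects changes what Mixer rejects,
# so log and restrict update/delete on this resource.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: denier
  name: deniers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: denier
    plural: deniers
    singular: denier
  scope: Namespaced
  version: v1alpha2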
---
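# CRD for Istio's DestinationRule kind (networking.istio.io/v1alpha3),
# short name `dr`. DestinationRules carry per-host traffic policy,
# including client-side TLS settings, so an edit can weaken transport
# security for a service; no `validation` schema is declared here.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: destinationrules.networking.istio.io
spec:
  additionalPrinterColumns:
  - JSONPath: .spec.host
    description: The name of a service from the service registry
    name: Host
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: DestinationRule
    listKind: DestinationRuleList
    plural: destinationrules
    shortNames:
    - dr
    singular: destinationrule
  scope: Namespaced
  version: v1alpha3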
---
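# CRD for the Mixer `dogstatsd` adapter (config.istio.io/v1alpha2).
# `apiextensions.k8s.io/v1beta1` was removed in Kubernetes 1.22; migrating
# to v1 forces a schema to be written for this kind.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: dogstatsd
  name: dogstatsds.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: dogstatsd
    plural: dogstatsds
    singular: dogstatsd
  scope: Namespaced
  version: v1alpha2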
---
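# CRD for the Mixer `edge` instance template (config.istio.io/v1alpha2).
# No `validation` schema is declared; the API server stores whatever body
# a client submits for this kind.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: edge
  name: edges.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: edge
    plural: edges
    singular: edge
  scope: Namespaced
  version: v1alpha2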
---
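# CRD for Istio's EnvoyFilter kind (networking.istio.io/v1alpha3).
# EnvoyFilter objects alter the Envoy configuration Istio generates for
# proxies, which makes write access to this kind highly privileged; grant
# it sparingly and audit every change. No `validation` schema is declared.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: envoyfilters.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: EnvoyFilter
    plural: envoyfilters
    singular: envoyfilter
  scope: Namespaced
  version: v1alpha3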
---
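# CRD for the Mixer `fluentd` adapter (config.istio.io/v1alpha2).
# NOTE(review): the adapter config presumably names the log collector
# address — confirm, since an edit could redirect where logs are shipped.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: fluentd
  name: fluentds.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: fluentd
    plural: fluentds
    singular: fluentd
  scope: Namespaced
  version: v1alpha2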
---
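# CRD for Istio's Gateway kind (networking.istio.io/v1alpha3), short name
# `gw`. Gateways describe the ports, hosts and TLS settings exposed at the
# mesh edge, so write access decides what becomes reachable from outside;
# no `validation` schema is declared here.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: gateways.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: Gateway
    plural: gateways
    shortNames:
    - gw
    singular: gateway
  scope: Namespaced
  version: v1alpha3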
---
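# CRD for the Mixer `handler` kind (config.istio.io/v1alpha2), labelled
# `istio: mixer-handler`. No `validation` schema is declared, so handler
# parameters are not checked by the API server; restrict who may write them.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-handler
    package: handler
  name: handlers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: handler
    plural: handlers
    singular: handler
  scope: Namespaced
  version: v1alpha2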
---
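# CRD for Istio's HTTPAPISpecBinding kind (config.istio.io/v1alpha2),
# category `apim-istio-io`. No `validation` schema is declared, so a
# binding with misspelled fields is stored without complaint.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: httpapispecbindings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: HTTPAPISpecBinding
    plural: httpapispecbindings
    singular: httpapispecbinding
  scope: Namespaced
  version: v1alpha2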
---
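# CRD for Istio's HTTPAPISpec kind (config.istio.io/v1alpha2), category
# `apim-istio-io`. No `validation` schema is declared for it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: httpapispecs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: HTTPAPISpec
    plural: httpapispecs
    singular: httpapispec
  scope: Namespaced
  version: v1alpha2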
---
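# CRD for the Mixer `instance` kind (config.istio.io/v1alpha2).
# `helm.sh/resource-policy: keep` leaves the CRD behind on Helm uninstall;
# removing the CRD later also removes every object of this kind.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: instance
  name: instances.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: instance
    plural: instances
    singular: instance
  scope: Namespaced
  version: v1alpha2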
---
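# CRD for cert-manager's Issuer kind (legacy `certmanager.k8s.io` group,
# v1alpha1). Namespaced: an Issuer serves Certificates in its own
# namespace, so per-namespace Roles can bound who defines signing sources.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: issuers.certmanager.k8s.io
spec:
  group: certmanager.k8s.io
  names:
    kind: Issuer
    plural: issuers
  scope: Namespaced
  version: v1alpha1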
---
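# CRD for the Mixer `kubernetesenv` adapter (config.istio.io/v1alpha2).
# No `validation` schema is declared; access control on this resource is
# the only guard on what gets stored.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: kubernetesenv
  name: kubernetesenvs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: kubernetesenv
    plural: kubernetesenvs
    singular: kubernetesenv
  scope: Namespaced
  version: v1alpha2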
---
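# CRD for the Mixer `kubernetes` instance template
# (config.istio.io/v1alpha2, package `adapter.template.kubernetes`).
# No `validation` schema is declared for it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: adapter.template.kubernetes
  name: kuberneteses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: kubernetes
    plural: kuberneteses
    singular: kubernetes
  scope: Namespaced
  version: v1alpha2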
---
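# CRD for the Mixer `listchecker` adapter (config.istio.io/v1alpha2), a
# policy adapter that checks values against a list. The list contents
# live in objects of this kind, and no `validation` schema checks them;
# treat edits as policy changes and audit them.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: listchecker
  name: listcheckers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: listchecker
    plural: listcheckers
    singular: listchecker
  scope: Namespaced
  version: v1alpha2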
---
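# CRD for the Mixer `listentry` instance template
# (config.istio.io/v1alpha2). No `validation` schema is declared for it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: listentry
  name: listentries.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: listentry
    plural: listentries
    singular: listentry
  scope: Namespaced
  version: v1alpha2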
---
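# CRD for the Mixer `logentry` instance template
# (config.istio.io/v1alpha2). Objects of this kind define what is recorded
# per log entry (severity, timestamp, resource type columns below), so
# changes to them affect the audit trail; no `validation` schema is declared.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: logentry
  name: logentries.config.istio.io
spec:
  additionalPrinterColumns:
  - JSONPath: .spec.severity
    description: The importance of the log entry
    name: Severity
    type: string
  - JSONPath: .spec.timestamp
    description: The time value for the log entry
    name: Timestamp
    type: string
  - JSONPath: .spec.monitored_resource_type
    description: Optional expression to compute the type of the monitored resource
      this log entry is being recorded on
    name: Res Type
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: logentry
    plural: logentries
    singular: logentry
  scope: Namespaced
  version: v1alpha2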
---
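# CRD for the Mixer `memquota` adapter (config.istio.io/v1alpha2), a quota
# adapter. Quota limits set in these objects act as rate controls, and no
# `validation` schema bounds them; restrict and audit writes.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: memquota
  name: memquotas.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: memquota
    plural: memquotas
    singular: memquota
  scope: Namespaced
  version: v1alpha2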
---
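# CRD for Istio's MeshPolicy kind (authentication.istio.io/v1alpha1),
# cluster-scoped. A MeshPolicy sets authentication (including mutual TLS)
# for the whole mesh, so one edit can relax it everywhere; bind write
# access to a narrowly held ClusterRole. No `validation` schema is declared.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: meshpolicies.authentication.istio.io
spec:
  group: authentication.istio.io
  names:
    categories:
    - istio-io
    - authentication-istio-io
    kind: MeshPolicy
    listKind: MeshPolicyList
    plural: meshpolicies
    singular: meshpolicy
  scope: Cluster
  version: v1alpha1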
---
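# CRD for the Mixer `metric` instance template (config.istio.io/v1alpha2).
# No `validation` schema is declared for it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: metric
  name: metrics.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: metric
    plural: metrics
    singular: metric
  scope: Namespaced
  version: v1alpha2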
---
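# CRD for the Mixer `noop` adapter (config.istio.io/v1alpha2).
# No `validation` schema is declared for it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: noop
  name: noops.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: noop
    plural: noops
    singular: noop
  scope: Namespaced
  version: v1alpha2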
---
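# CRD for the Mixer `opa` adapter (config.istio.io/v1alpha2), a policy
# adapter. NOTE(review): objects of this kind presumably embed the policy
# text that is evaluated — confirm, and treat write access as the right
# to change authorization decisions. No `validation` schema is declared.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: opa
  name: opas.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: opa
    plural: opas
    singular: opa
  scope: Namespaced
  version: v1alpha2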
---
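# CRD for cert-manager's Order kind (legacy `certmanager.k8s.io` group,
# v1alpha1). The State, Issuer and Reason columns make issuance attempts
# visible in `kubectl get`, which is useful when reviewing who requested
# certificates from which issuer.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: orders.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Order
    plural: orders
  scope: Namespaced
  version: v1alpha1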
---
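# CRD for Istio's authentication Policy kind
# (authentication.istio.io/v1alpha1), namespaced. These objects set how
# workloads authenticate peers and requests; with no `validation` schema,
# a v1beta1 CRD keeps unknown fields, so a typo can leave a policy weaker
# than intended without any API error.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: policies.authentication.istio.io
spec:
  group: authentication.istio.io
  names:
    categories:
    - istio-io
    - authentication-istio-io
    kind: Policy
    plural: policies
    singular: policy
  scope: Namespaced
  version: v1alpha1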
---
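# CRD for the Mixer `prometheus` adapter (config.istio.io/v1alpha2).
# No `validation` schema is declared for it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: prometheus
  name: prometheuses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: prometheus
    plural: prometheuses
    singular: prometheus
  scope: Namespaced
  version: v1alpha2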
---
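# CRD for the Mixer `quota` instance template (config.istio.io/v1alpha2).
# No `validation` schema is declared; restrict create/update through RBAC.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: quota
  name: quotas.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: quota
    plural: quotas
    singular: quota
  scope: Namespaced
  version: v1alpha2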
---
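# CRD for Istio's QuotaSpecBinding kind (config.istio.io/v1alpha2),
# category `apim-istio-io`. No `validation` schema is declared for it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: quotaspecbindings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: QuotaSpecBinding
    plural: quotaspecbindings
    singular: quotaspecbinding
  scope: Namespaced
  version: v1alpha2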
---
# Registers the namespaced kind `QuotaSpec` in API group config.istio.io
# (v1alpha2).
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: quotaspecs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: QuotaSpec
    plural: quotaspecs
    singular: quotaspec
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `RbacConfig` in API group rbac.istio.io
# (v1alpha1), one of the mesh authorization types.
# No `validation` schema is declared here, so the API server itself does not
# check the shape of these objects; any validation has to come from an
# admission webhook. Write access to this kind should be tightly scoped.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: rbac
    package: istio.io.mixer
  name: rbacconfigs.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: RbacConfig
    plural: rbacconfigs
    singular: rbacconfig
  scope: Namespaced
  version: v1alpha1
---
# Registers the namespaced kind `rbac` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer adapter type.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: rbac
  name: rbacs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: rbac
    plural: rbacs
    singular: rbac
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `redisquota` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer adapter type. Unlike its sibling CRDs it
# declares no `categories`.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: redisquota
  name: redisquotas.config.istio.io
spec:
  group: config.istio.io
  names:
    kind: redisquota
    plural: redisquotas
    singular: redisquota
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `reportnothing` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer instance type.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: reportnothing
  name: reportnothings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: reportnothing
    plural: reportnothings
    singular: reportnothing
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `rule` in API group config.istio.io
# (v1alpha2). Labelled `istio: core`.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: core
    package: istio.io.mixer
  name: rules.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: rule
    plural: rules
    singular: rule
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `ServiceEntry` (short name `se`) in API group
# networking.istio.io (v1alpha3). Per the column descriptions below, a
# ServiceEntry names hosts and says whether they are inside or outside the
# mesh, so who may create these objects is worth reviewing.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: serviceentries.networking.istio.io
spec:
  # Extra columns shown by `kubectl get`; display only.
  additionalPrinterColumns:
  - JSONPath: .spec.hosts
    description: The hosts associated with the ServiceEntry
    name: Hosts
    type: string
  - JSONPath: .spec.location
    description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL
      or MESH_INTERNAL)
    name: Location
    type: string
  - JSONPath: .spec.resolution
    description: Service discovery mode for the hosts (NONE, STATIC, or DNS)
    name: Resolution
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: ServiceEntry
    listKind: ServiceEntryList
    plural: serviceentries
    shortNames:
    - se
    singular: serviceentry
  scope: Namespaced
  version: v1alpha3
---
# Registers the namespaced kind `ServiceRoleBinding` in API group
# rbac.istio.io (v1alpha1); per the column description below, each object
# references a ServiceRole by name.
# No `validation` schema is declared here, so the API server itself does not
# check the shape of these objects; any validation has to come from an
# admission webhook. Write access to this kind should be tightly scoped.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: rbac
    package: istio.io.mixer
  name: servicerolebindings.rbac.istio.io
spec:
  # Extra columns shown by `kubectl get`; display only.
  additionalPrinterColumns:
  - JSONPath: .spec.roleRef.name
    description: The name of the ServiceRole object being referenced
    name: Reference
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: ServiceRoleBinding
    plural: servicerolebindings
    singular: servicerolebinding
  scope: Namespaced
  version: v1alpha1
---
# Registers the namespaced kind `ServiceRole` in API group rbac.istio.io
# (v1alpha1), one of the mesh authorization types.
# No `validation` schema is declared here, so the API server itself does not
# check the shape of these objects; any validation has to come from an
# admission webhook. Write access to this kind should be tightly scoped.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: rbac
    package: istio.io.mixer
  name: serviceroles.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: ServiceRole
    plural: serviceroles
    singular: servicerole
  scope: Namespaced
  version: v1alpha1
---
# Registers the namespaced kind `Sidecar` in API group networking.istio.io
# (v1alpha3). Unlike most sibling CRDs it carries no
# `helm.sh/resource-policy: keep` annotation.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: sidecars.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: Sidecar
    plural: sidecars
    singular: sidecar
  scope: Namespaced
  version: v1alpha3
---
# Registers the namespaced kind `signalfx` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer adapter type.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: signalfx
  name: signalfxs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: signalfx
    plural: signalfxs
    singular: signalfx
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `solarwinds` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer adapter type.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: solarwinds
  name: solarwindses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: solarwinds
    plural: solarwindses
    singular: solarwinds
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `stackdriver` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer adapter type.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: stackdriver
  name: stackdrivers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: stackdriver
    plural: stackdrivers
    singular: stackdriver
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `statsd` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer adapter type.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: statsd
  name: statsds.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: statsd
    plural: statsds
    singular: statsd
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `stdio` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer adapter type.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: stdio
  name: stdios.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: stdio
    plural: stdios
    singular: stdio
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `template` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer template type.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-template
    package: template
  name: templates.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: template
    plural: templates
    singular: template
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `tracespan` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer instance type.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-instance
    package: tracespan
  name: tracespans.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: tracespan
    plural: tracespans
    singular: tracespan
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `VirtualService` (short name `vs`) in API
# group networking.istio.io (v1alpha3). Per the column descriptions below,
# these objects carry routes for destination hosts, so write access to them
# decides where mesh traffic is sent.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: virtualservices.networking.istio.io
spec:
  # Extra columns shown by `kubectl get`; display only.
  additionalPrinterColumns:
  - JSONPath: .spec.gateways
    description: The names of gateways and sidecars that should apply these routes
    name: Gateways
    type: string
  - JSONPath: .spec.hosts
    description: The destination hosts to which traffic is being sent
    name: Hosts
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: VirtualService
    listKind: VirtualServiceList
    plural: virtualservices
    shortNames:
    - vs
    singular: virtualservice
  scope: Namespaced
  version: v1alpha3
---
# Registers the namespaced kind `Volume` (short name `rv`) in API group
# rook.io (v1alpha2). Part of the storage component, not of Istio.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: volumes.rook.io
spec:
  group: rook.io
  names:
    kind: Volume
    listKind: VolumeList
    plural: volumes
    shortNames:
    - rv
    singular: volume
  scope: Namespaced
  version: v1alpha2
---
# Registers the namespaced kind `zipkin` in API group config.istio.io
# (v1alpha2). Labelled as a Mixer adapter type.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer-adapter
    package: zipkin
  name: zipkins.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: zipkin
    plural: zipkins
    singular: zipkin
  scope: Namespaced
  version: v1alpha2
---
# Admission webhook: every Pod CREATE in a namespace labelled
# `istio-injection: enabled` is sent to the `istio-sidecar-injector` Service
# at path /inject before the Pod is admitted.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-sidecar-injector
  # NOTE(review): MutatingWebhookConfiguration is a cluster-scoped kind, so
  # this namespace should have no effect; it does not place the webhook's
  # backing Service in istio-system.
  namespace: istio-system
webhooks:
- clientConfig:
    # Empty CA bundle: until something fills this in, the API server has no
    # CA to verify the webhook's serving certificate against. Presumably the
    # injector patches it at runtime (a ClusterRole in this file grants
    # `patch` on mutatingwebhookconfigurations) - TODO confirm.
    caBundle: ""
    service:
      name: istio-sidecar-injector
      # NOTE(review): targets namespace `default`, while the injector's
      # ServiceAccount in this file lives in istio-system. This looks like a
      # template-rendering default; confirm where the Service really is.
      # Whoever controls a Service of this name in the referenced namespace
      # is the endpoint the API server calls.
      namespace: default
      path: /inject
  # Fails closed: if the webhook cannot be reached or verified, Pod creation
  # in the selected namespaces is rejected rather than admitted unmodified.
  failurePolicy: Fail
  name: sidecar-injector.istio.io
  # Opt-in per namespace; unlabelled namespaces bypass the webhook entirely.
  namespaceSelector:
    matchLabels:
      istio-injection: enabled
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
---
# ServiceAccount for the istio-init component.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: init
  name: istio-init-service-account
  # NOTE(review): the Namespace objects at the top of this file do not appear
  # to include `istio-init`; confirm the namespace exists or that this should
  # be istio-system.
  namespace: istio-init
---
# ServiceAccount in istio-system, named for the Citadel component. What it
# may do depends on the bindings that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-citadel-service-account
  namespace: istio-system
---
# ServiceAccount in istio-system for the secret-cleanup helper.
apiVersion: v1
kind: ServiceAccount
metadata:
  # NOTE(review): these helm.sh/hook annotations are only acted on by Helm.
  # The labels say this file is managed by kustomize; if it is applied that
  # way, this post-delete helper account is created as a permanent object
  # instead of a short-lived hook resource. Confirm it is wanted.
  annotations:
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "1"
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-cleanup-secrets-service-account
  namespace: istio-system
---
# ServiceAccount in istio-system, named for the egress gateway. What it may
# do depends on the bindings that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-egressgateway-service-account
  namespace: istio-system
---
# ServiceAccount in istio-system, named for the Galley component. What it
# may do depends on the bindings that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-galley-service-account
  namespace: istio-system
---
# ServiceAccount in istio-system, named for the ingress gateway. The
# `istio-ingressgateway-sds` RoleBinding in this file names it as a subject,
# which gives it read access to Secrets in istio-system.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-ingressgateway-service-account
  namespace: istio-system
---
# ServiceAccount in istio-system, named for the Mixer component. What it may
# do depends on the bindings that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-mixer-service-account
  namespace: istio-system
---
# ServiceAccount `istio-multi` in istio-system. What it may do depends on
# the bindings that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-multi
  namespace: istio-system
---
# ServiceAccount in istio-system, named for the Pilot component. What it may
# do depends on the bindings that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-pilot-service-account
  namespace: istio-system
---
# ServiceAccount in istio-system, named for the security post-install step.
# What it may do depends on the bindings that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-security-post-install-account
  namespace: istio-system
---
# ServiceAccount in istio-system, named for the sidecar injector. What it
# may do depends on the bindings that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: sidecar-injector
  name: istio-sidecar-injector-service-account
  namespace: istio-system
---
# ServiceAccount `prometheus` in istio-system. What it may do depends on the
# bindings that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: prometheus
  namespace: istio-system
---
# ServiceAccount `controller` in metallb-system. The `config-watcher`
# RoleBinding in this file names it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: controller
  namespace: metallb-system
---
# ServiceAccount `speaker` in metallb-system. The `config-watcher`
# RoleBinding in this file names it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: speaker
  namespace: metallb-system
---
# ServiceAccount `rook-ceph-system` in rook-ceph-system, labelled as the
# Rook operator for the Ceph backend. What it may do depends on the bindings
# that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    operator: rook
    storage-backend: ceph
  name: rook-ceph-system
  namespace: rook-ceph-system
---
# ServiceAccount `rook-ceph-mgr` in rook-ceph. The `rook-ceph-mgr-system`
# RoleBinding in this file names it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-mgr
  namespace: rook-ceph
---
# ServiceAccount `rook-ceph-osd` in rook-ceph. What it may do depends on the
# bindings that list it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-osd
  namespace: rook-ceph
---
# Read access to Secrets in istio-system. Bound in this file to
# `istio-ingressgateway-service-account`.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-ingressgateway-sds
  namespace: istio-system
rules:
# No resourceNames restriction: every Secret stored in this namespace is
# readable, and `list`/`watch` return Secret contents, not just names.
# Keep unrelated credentials out of istio-system while this Role is bound.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list
---
# Read access to ConfigMaps and permission to create Events, limited to the
# metallb-system namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: config-watcher
  namespace: metallb-system
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
---
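# Full management of Pods and ConfigMaps, and of DaemonSets, inside the
# rook-ceph-system namespace.
# rbac.authorization.k8s.io/v1 is the GA form of this API (same schema) and
# is what the other Roles in this file already use.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    operator: rook
    storage-backend: ceph
  name: rook-ceph-system
  namespace: rook-ceph-system
rules:
# Workload-creation rights let the holder run pods under any ServiceAccount
# in this namespace, so treat this Role as equivalent to the most privileged
# ServiceAccount that lives here.
- apiGroups:
  - ""
  resources:
  - pods
  - configmaps
  verbs:
  - get
  - list
  - watch
  - patch
  - create
  - update
  - delete
- apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete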
---
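# Read access to ConfigMaps in the namespace this Role lives in.
# rbac.authorization.k8s.io/v1 is the GA form of this API (same schema) and
# is what the other Roles in this file already use.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-mgr-system
  # NOTE(review): the RoleBinding named rook-ceph-mgr-system in this file is
  # in namespace rook-ceph-system, and a RoleBinding can only reference a
  # Role in its own namespace. As written, this Role in rook-ceph is not the
  # one that binding resolves, so the binding grants nothing. Confirm which
  # namespace is intended.
  namespace: rook-ceph
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch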
---
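# Permissions inside the rook-ceph namespace: read Pods and Services, manage
# Jobs, and do anything to resources in the ceph.rook.io API group.
# rbac.authorization.k8s.io/v1 is the GA form of this API (same schema) and
# is what the other Roles in this file already use.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-mgr
  namespace: rook-ceph
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - get
  - list
  - watch
# Creating Jobs means creating Pods in this namespace; the holder can run
# workloads under any ServiceAccount that exists in rook-ceph.
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
# Wildcard on both resources and verbs: also covers resource types added to
# this API group later.
- apiGroups:
  - ceph.rook.io
  resources:
  - '*'
  verbs:
  - '*'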
---
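# Full management of ConfigMaps inside the rook-ceph namespace.
# rbac.authorization.k8s.io/v1 is the GA form of this API (same schema) and
# is what the other Roles in this file already use.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-osd
  namespace: rook-ceph
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete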
---
# Permissions for the Citadel component: write ConfigMaps, fully manage
# Secrets, read ServiceAccounts and Services, and create TokenReviews.
# The binding is not visible in this part of the file. With a
# ClusterRoleBinding these rules apply in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-citadel-default
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - update
# Read, write and delete on Secrets with no resourceNames limit. If bound
# cluster-wide, the subject can read every Secret in the cluster, so the
# workload running under it needs to be protected accordingly.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - watch
  - list
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  - services
  verbs:
  - get
  - watch
  - list
# TokenReview creation lets the subject ask the API server to validate
# bearer tokens.
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
---
# Permission to list and delete Secrets, for the secret-cleanup helper.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # NOTE(review): these helm.sh/hook annotations are only acted on by Helm.
  # The labels say this file is managed by kustomize; if it is applied that
  # way, this post-delete helper role is created as a permanent object
  # instead of a short-lived hook resource. Confirm it is wanted.
  annotations:
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "1"
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-cleanup-secrets-default
rules:
# `list` returns Secret contents, so this is read access as well as delete.
# The binding is not visible here; with a ClusterRoleBinding it would cover
# every namespace.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
  - delete
---
# Read and update access to VirtualServices, DestinationRules and Gateways
# in networking.istio.io, for the egress gateway.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-egressgateway-default
rules:
# NOTE(review): `update` lets a gateway workload rewrite routing objects;
# confirm the gateway needs more than read access.
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
  - destinationrules
  - gateways
  verbs:
  - get
  - watch
  - list
  - update
---
# Permissions for the Galley component: manage validating webhook
# configurations, read the Istio API groups, read core workload objects and
# Ingresses, and touch its own `istio-galley` Deployment.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-galley-default
rules:
# All verbs on every ValidatingWebhookConfiguration, not only Istio's own:
# no resourceNames restriction is set. The subject can add, change or remove
# any validating admission webhook in the cluster.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - '*'
# Read-only on the four Istio API groups.
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authentication.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
# Scoped by resourceNames to the single Deployment `istio-galley`.
- apiGroups:
  - extensions
  - apps
  resourceNames:
  - istio-galley
  resources:
  - deployments
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - services
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resourceNames:
  - istio-galley
  resources:
  - deployments/finalizers
  verbs:
  - update
---
# Read and update access to VirtualServices, DestinationRules and Gateways
# in networking.istio.io, for the ingress gateway.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-ingressgateway-default
rules:
# NOTE(review): `update` lets an internet-facing gateway workload rewrite
# routing objects; confirm the gateway needs more than read access.
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
  - destinationrules
  - gateways
  verbs:
  - get
  - watch
  - list
  - update
---
# Permissions for the istio-init component: read and create ConfigMaps, and
# read, create and patch CustomResourceDefinitions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: istio-init
  name: istio-init-default
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - create
  - watch
# CRDs are cluster-scoped and no resourceNames limit is set, so `patch`
# applies to every CRD in the cluster, not only Istio's. No `delete` verb.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - get
  - list
  - watch
  - patch
---
# Permissions for the Mixer component: write config.istio.io objects, read
# CRDs, and read a set of core objects that includes Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-mixer-default
rules:
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - create
  - get
  - list
  - watch
  - patch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
# `secrets` sits in the same read rule as pods and services. If this role is
# bound cluster-wide (binding not visible here), the subject can read every
# Secret in every namespace. NOTE(review): confirm that is required.
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - pods
  - services
  - namespaces
  - secrets
  - replicationcontrollers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - apps
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
---
# Permissions for the Pilot component: full control of three Istio API
# groups, of CustomResourceDefinitions and of Ingresses; read on
# rbac.istio.io; ConfigMap writes; and read on core objects including
# Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-pilot-default
rules:
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - authentication.istio.io
  resources:
  - '*'
  verbs:
  - '*'
# All verbs on every CRD in the cluster, with no resourceNames limit.
# Deleting a CRD also deletes all objects of that kind, so this reaches
# beyond Istio's own types. NOTE(review): candidate for narrowing.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
# `secrets` sits in the same read rule as pods and services. If this role is
# bound cluster-wide (binding not visible here), the subject can read every
# Secret in every namespace.
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  - services
  - namespaces
  - nodes
  - secrets
  verbs:
  - get
  - list
  - watch
---
# Read-only view of nodes, pods, services, endpoints, replication
# controllers and replica sets. Grants no access to Secrets or ConfigMaps.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-reader
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - pods
  - services
  - endpoints
  - replicationcontrollers
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - extensions
  - apps
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
---
# Permissions for the sidecar injector: read ConfigMaps, and read and patch
# mutating webhook configurations.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: sidecar-injector
  name: istio-sidecar-injector-default
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
# `patch` with no resourceNames limit covers every
# MutatingWebhookConfiguration in the cluster, not only
# `istio-sidecar-injector`. NOTE(review): restricting the write verb with
# resourceNames would contain a compromised injector.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - patch
---
# Permissions for the MetalLB controller: read and update Services, update
# Service status, and write Events.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: metallb-system:controller
rules:
# `update` on Services is not limited to a type or namespace by RBAC; if
# bound cluster-wide, the subject can modify any Service in the cluster.
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - services/status
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
# Permissions for the MetalLB speaker: read Services, Endpoints and Nodes,
# and use the PodSecurityPolicy named `speaker`.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: metallb-system:speaker
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - nodes
  verbs:
  - get
  - list
  - watch
# Scoped by resourceNames to one policy. What that policy permits is not
# visible in this part of the file; review it alongside this rule.
- apiGroups:
  - extensions
  resourceNames:
  - speaker
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
# Permissions for Prometheus: read nodes, services, endpoints and pods, get
# ConfigMaps, and fetch the /metrics non-resource URL.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: prometheus-default
rules:
# `nodes/proxy` lets the subject reach each node's kubelet API through the
# API server, which is broader than reading metrics. NOTE(review): confirm
# the scrape configuration needs it.
- apiGroups:
  - ""
  resources:
  - nodes
  - services
  - endpoints
  - pods
  - nodes/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
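# Permissions for the security post-install step: full control of
# authentication.istio.io and networking.istio.io objects, `get` on
# validating webhook configurations, and read on Deployments/ReplicaSets.
# rbac.authorization.k8s.io/v1 is the GA form of this API (same schema) and
# is what the other Istio ClusterRoles in this file already use.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-security-post-install-default
rules:
# NOTE(review): an install-time helper with wildcard write access to mesh
# authentication and routing objects. If the role and its binding stay in
# place after installation, the access stays too.
- apiGroups:
  - authentication.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - networking.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch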
---
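# Full management of Secrets, Pods, Pod logs, Services and ConfigMaps, and
# of Deployments, DaemonSets and ReplicaSets. Labelled for the Rook operator.
# rbac.authorization.k8s.io/v1 is the GA form of this API (same schema) and
# is what the Istio and MetalLB ClusterRoles in this file already use.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    operator: rook
    storage-backend: ceph
  name: rook-ceph-cluster-mgmt
rules:
# Read/write on Secrets together with the right to create workloads. The
# scope depends on the binding, which is not visible in this part of the
# file: a RoleBinding confines it to one namespace, while a
# ClusterRoleBinding makes it close to cluster-admin for these resource
# types. NOTE(review): verify the binding kind.
- apiGroups:
  - ""
  resources:
  - secrets
  - pods
  - pods/log
  - services
  - configmaps
  verbs:
  - get
  - list
  - watch
  - patch
  - create
  - update
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete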
---
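# Permissions labelled for the Rook operator: read pods and nodes, manage
# events/PVs/PVCs/endpoints, read StorageClasses, manage Jobs, and full
# control of the ceph.rook.io and rook.io API groups.
# rbac.authorization.k8s.io/v1 is the GA form of this API (same schema) and
# is what the Istio and MetalLB ClusterRoles in this file already use.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    operator: rook
    storage-backend: ceph
  name: rook-ceph-global
rules:
# `nodes/proxy` lets the subject reach each node's kubelet API through the
# API server. NOTE(review): confirm the operator needs it.
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/proxy
  verbs:
  - get
  - list
  - watch
# PersistentVolumes are cluster-scoped: write access covers every volume in
# the cluster, not only those provisioned by Rook.
- apiGroups:
  - ""
  resources:
  - events
  - persistentvolumes
  - persistentvolumeclaims
  - endpoints
  verbs:
  - get
  - list
  - watch
  - patch
  - create
  - update
  - delete
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
# Creating Jobs means creating Pods wherever this role is bound.
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
# Wildcards on both resources and verbs: also cover resource types added to
# these API groups later.
- apiGroups:
  - ceph.rook.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - rook.io
  resources:
  - '*'
  verbs:
  - '*'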
---
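# Read-only ClusterRole referenced by the RoleBinding rook-ceph-mgr-cluster in
# namespace rook-ceph later in this file.
# Declared with the stable rbac.authorization.k8s.io/v1 API, like the v1 RBAC
# objects elsewhere in this file; the v1beta1 version is deprecated.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    operator: rook
    storage-backend: ceph
  name: rook-ceph-mgr-cluster
rules:
# NOTE(review): nodes and nodes/proxy are cluster-scoped, and a namespaced
# RoleBinding cannot grant cluster-scoped resources. As bound in this file,
# only the configmaps entry takes effect. Either bind with a
# ClusterRoleBinding (and then review the nodes/proxy exposure) or remove the
# node entries.
- apiGroups:
  - ""
  resources:
  - configmaps
  - nodes
  - nodes/proxy
  verbs:
  - get
  - list
  - watch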
---
# Namespaced grant inside istio-system: the ingress gateway's service account
# receives Role istio-ingressgateway-sds (the Role's rules are not shown in
# this part of the file).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: istio-ingressgateway-service-account
roleRef:
  kind: Role
  name: istio-ingressgateway-sds
  apiGroup: rbac.authorization.k8s.io
---
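# Grants Role config-watcher (not shown in this part of the file) to the two
# MetalLB service accounts inside metallb-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: config-watcher
  namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: config-watcher
subjects:
# The subject namespace is spelled out, as in every other binding in this
# file. An unqualified ServiceAccount subject in a RoleBinding resolves to the
# binding's own namespace, so this only makes the existing grant explicit and
# keeps it stable if the binding is ever copied to another namespace.
- kind: ServiceAccount
  name: controller
  namespace: metallb-system
- kind: ServiceAccount
  name: speaker
  namespace: metallb-system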
---
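# Cross-namespace grant: ServiceAccount rook-ceph/rook-ceph-mgr receives Role
# rook-ceph-mgr-system (not shown in this part of the file) inside namespace
# rook-ceph-system.
# Declared with the stable rbac.authorization.k8s.io/v1 API, like the v1 RBAC
# objects elsewhere in this file; the v1beta1 version is deprecated.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-mgr-system
  namespace: rook-ceph-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rook-ceph-mgr-system
subjects:
- kind: ServiceAccount
  name: rook-ceph-mgr
  namespace: rook-ceph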
---
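# Grants Role rook-ceph-system (not shown in this part of the file) to the
# service account of the same name, both in namespace rook-ceph-system.
# Declared with the stable rbac.authorization.k8s.io/v1 API, like the v1 RBAC
# objects elsewhere in this file; the v1beta1 version is deprecated.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    operator: rook
    storage-backend: ceph
  name: rook-ceph-system
  namespace: rook-ceph-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rook-ceph-system
subjects:
- kind: ServiceAccount
  name: rook-ceph-system
  namespace: rook-ceph-system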
---
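# Cross-namespace grant: ServiceAccount rook-ceph-system/rook-ceph-system
# receives ClusterRole rook-ceph-cluster-mgmt (defined earlier in this file),
# limited to namespace rook-ceph because this is a RoleBinding. That role
# includes read/write access to Secrets, so the account can read and change
# every Secret in rook-ceph.
# Declared with the stable rbac.authorization.k8s.io/v1 API, like the v1 RBAC
# objects elsewhere in this file; the v1beta1 version is deprecated.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-cluster-mgmt
  namespace: rook-ceph
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-cluster-mgmt
subjects:
- kind: ServiceAccount
  name: rook-ceph-system
  namespace: rook-ceph-system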
---
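# Grants ClusterRole rook-ceph-mgr-cluster (defined earlier in this file) to
# ServiceAccount rook-ceph/rook-ceph-mgr, limited to namespace rook-ceph.
# NOTE(review): that role lists nodes and nodes/proxy, which are
# cluster-scoped; a RoleBinding does not grant them, so only the configmaps
# part applies here.
# Declared with the stable rbac.authorization.k8s.io/v1 API, like the v1 RBAC
# objects elsewhere in this file; the v1beta1 version is deprecated.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-mgr-cluster
  namespace: rook-ceph
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-mgr-cluster
subjects:
- kind: ServiceAccount
  name: rook-ceph-mgr
  namespace: rook-ceph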
---
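# Grants Role rook-ceph-mgr (not shown in this part of the file) to the
# service account of the same name, both in namespace rook-ceph.
# Declared with the stable rbac.authorization.k8s.io/v1 API, like the v1 RBAC
# objects elsewhere in this file; the v1beta1 version is deprecated.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-mgr
  namespace: rook-ceph
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rook-ceph-mgr
subjects:
- kind: ServiceAccount
  name: rook-ceph-mgr
  namespace: rook-ceph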
---
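# Grants Role rook-ceph-osd (not shown in this part of the file) to the
# service account of the same name, both in namespace rook-ceph.
# Declared with the stable rbac.authorization.k8s.io/v1 API, like the v1 RBAC
# objects elsewhere in this file; the v1beta1 version is deprecated.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph-osd
  namespace: rook-ceph
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rook-ceph-osd
subjects:
- kind: ServiceAccount
  name: rook-ceph-osd
  namespace: rook-ceph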
---
# Cluster-wide grant: ServiceAccount istio-system/istio-citadel-service-account
# receives ClusterRole istio-citadel-default (rules not shown in this part of
# the file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-citadel-default
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: istio-citadel-service-account
roleRef:
  kind: ClusterRole
  name: istio-citadel-default
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount
# istio-system/istio-cleanup-secrets-service-account receives ClusterRole
# istio-cleanup-secrets-default (rules not shown in this part of the file).
# NOTE(review): the helm.sh/hook annotations are only acted on by Helm. The
# labels mark this manifest as kustomize-managed, so if it is applied directly
# this binding presumably stays in place permanently instead of existing only
# during chart deletion. Confirm whether it is still wanted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-cleanup-secrets-default
  annotations:
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "2"
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: istio-cleanup-secrets-service-account
roleRef:
  kind: ClusterRole
  name: istio-cleanup-secrets-default
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount
# istio-system/istio-egressgateway-service-account receives ClusterRole
# istio-egressgateway-default (rules not shown in this part of the file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-egressgateway-default
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: istio-egressgateway-service-account
roleRef:
  kind: ClusterRole
  name: istio-egressgateway-default
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount istio-system/istio-galley-service-account
# receives ClusterRole istio-galley-default (rules not shown in this part of
# the file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-galley-admin-role-binding-default
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: istio-galley-service-account
roleRef:
  kind: ClusterRole
  name: istio-galley-default
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount
# istio-system/istio-ingressgateway-service-account receives ClusterRole
# istio-ingressgateway-default (rules not shown in this part of the file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-ingressgateway-default
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: istio-ingressgateway-service-account
roleRef:
  kind: ClusterRole
  name: istio-ingressgateway-default
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount istio-init/istio-init-service-account
# receives ClusterRole istio-init-default (rules not shown in this part of the
# file).
# NOTE(review): the subject lives in namespace istio-init, while the other
# Istio bindings in this file use istio-system. A binding to a service account
# whose namespace does not exist is a standing grant for whoever later creates
# that namespace and account name, so confirm that istio-init is created and
# controlled by this deployment.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-init-admin-role-binding-default
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio-init
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: init
subjects:
- kind: ServiceAccount
  namespace: istio-init
  name: istio-init-service-account
roleRef:
  kind: ClusterRole
  name: istio-init-default
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount istio-system/istio-mixer-service-account
# receives ClusterRole istio-mixer-default (rules not shown in this part of
# the file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-mixer-admin-role-binding-default
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: istio-mixer-service-account
roleRef:
  kind: ClusterRole
  name: istio-mixer-default
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount istio-system/istio-multi receives
# ClusterRole istio-reader (rules not shown in this part of the file). The
# binding name and the role name differ here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-multi
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: istio-multi
roleRef:
  kind: ClusterRole
  name: istio-reader
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount istio-system/istio-pilot-service-account
# receives ClusterRole istio-pilot-default (rules not shown in this part of
# the file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-default
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: istio-pilot-service-account
roleRef:
  kind: ClusterRole
  name: istio-pilot-default
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount
# istio-system/istio-sidecar-injector-service-account receives ClusterRole
# istio-sidecar-injector-default (rules not shown in this part of the file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-sidecar-injector-admin-role-binding-default
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: sidecar-injector
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: istio-sidecar-injector-service-account
roleRef:
  kind: ClusterRole
  name: istio-sidecar-injector-default
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount metallb-system/controller receives
# ClusterRole metallb-system:controller (rules not shown in this part of the
# file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:controller
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: metallb-system
  name: controller
roleRef:
  kind: ClusterRole
  name: metallb-system:controller
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount metallb-system/speaker receives
# ClusterRole metallb-system:speaker (rules not shown in this part of the
# file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:speaker
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: metallb-system
  name: speaker
roleRef:
  kind: ClusterRole
  name: metallb-system:speaker
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide grant: ServiceAccount istio-system/prometheus receives
# ClusterRole prometheus-default (the role's metadata is not shown in this
# part of the file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-default
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
subjects:
- kind: ServiceAccount
  namespace: istio-system
  name: prometheus
roleRef:
  kind: ClusterRole
  name: prometheus-default
  apiGroup: rbac.authorization.k8s.io
---
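# Cluster-wide grant: ServiceAccount rook-ceph-system/rook-ceph-system
# receives ClusterRole rook-ceph-global (defined earlier in this file), which
# includes nodes/proxy reads and wildcard access to the Rook API groups.
# Declared with the stable rbac.authorization.k8s.io/v1 API, like the v1 RBAC
# objects elsewhere in this file; the v1beta1 version is deprecated.
# metadata.namespace is omitted: a ClusterRoleBinding is cluster-scoped, so a
# namespace on it has no meaning and only hides the name collision below.
# NOTE(review): a second ClusterRoleBinding named rook-ceph-global with the
# same roleRef and subject, but different labels, appears later in this file.
# Both address the same cluster object, and whichever is applied last
# determines the labels. Keep only one.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    operator: rook
    storage-backend: ceph
  name: rook-ceph-global
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-global
subjects:
- kind: ServiceAccount
  name: rook-ceph-system
  namespace: rook-ceph-system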
---
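# Cluster-wide grant: ServiceAccount
# istio-system/istio-security-post-install-account receives ClusterRole
# istio-security-post-install-default (defined earlier in this file), which
# carries wildcard access to the authentication.istio.io and
# networking.istio.io API groups.
# NOTE(review): the name suggests a one-off install task; if so, this
# cluster-wide binding outlives it. Confirm whether it can be removed after
# installation.
# Declared with the stable rbac.authorization.k8s.io/v1 API, like the v1 RBAC
# objects elsewhere in this file; the v1beta1 version is deprecated.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-security-post-install-role-binding-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-security-post-install-default
subjects:
- kind: ServiceAccount
  name: istio-security-post-install-account
  namespace: istio-system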
---
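# Cluster-wide grant: ServiceAccount rook-ceph-system/rook-ceph-system
# receives ClusterRole rook-ceph-global (defined earlier in this file).
# Declared with the stable rbac.authorization.k8s.io/v1 API, like the v1 RBAC
# objects elsewhere in this file; the v1beta1 version is deprecated.
# NOTE(review): an earlier ClusterRoleBinding in this file has the same name,
# roleRef and subject. ClusterRoleBindings are cluster-scoped, so the two
# documents address one object and the later one overwrites the earlier.
# NOTE(review): the component/name/part-of labels below describe a MetalLB
# load balancer although the binding is for Rook; they look like labels
# carried over from another overlay. Verify before relying on label selectors
# for RBAC audits or cleanup.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: loadbalancer
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: metallb
    app.kubernetes.io/part-of: project
    app.kubernetes.io/stage: localism
    operator: rook
    storage-backend: ceph
  name: rook-ceph-global
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-global
subjects:
- kind: ServiceAccount
  name: rook-ceph-system
  namespace: rook-ceph-system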
---
# ConfigMap holding a ValidatingWebhookConfiguration document as text under
# the key validatingwebhookconfiguration.yaml. Presumably the Galley component
# reads it and registers the webhooks itself - confirm against the deployment.
#
# NOTE(review): this ConfigMap is in namespace istio-system, but the embedded
# document points both webhooks at Service istio-galley in namespace default.
# With failurePolicy: Fail, CREATE and UPDATE requests for the listed Istio
# resources are rejected whenever that Service cannot be reached, so a
# namespace mismatch blocks all such changes. Verify which namespace the
# istio-galley Service actually runs in.
# NOTE(review): caBundle is empty in the stored text. The API server needs a
# CA bundle to verify the webhook's TLS certificate; presumably it is filled
# in at runtime - confirm, and restrict who may create Services named
# istio-galley in the referenced namespace.
# The indentation inside the block scalar is part of the stored text.
apiVersion: v1
data:
  validatingwebhookconfiguration.yaml: |-
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: istio-galley
      namespace: default
      labels:
        app: galley
        chart: galley
        heritage: Tiller
        release: project
        istio: galley
    webhooks:
      - name: pilot.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: default
            path: "/admitpilot"
          caBundle: ""
        rules:
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - config.istio.io
            apiVersions:
            - v1alpha2
            resources:
            - httpapispecs
            - httpapispecbindings
            - quotaspecs
            - quotaspecbindings
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - rbac.istio.io
            apiVersions:
            - "*"
            resources:
            - "*"
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - authentication.istio.io
            apiVersions:
            - "*"
            resources:
            - "*"
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - networking.istio.io
            apiVersions:
            - "*"
            resources:
            - destinationrules
            - envoyfilters
            - gateways
            - serviceentries
            - sidecars
            - virtualservices
        failurePolicy: Fail
        sideEffects: None
      - name: mixer.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: default
            path: "/admitmixer"
          caBundle: ""
        rules:
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - config.istio.io
            apiVersions:
            - v1alpha2
            resources:
            - rules
            - attributemanifests
            - circonuses
            - deniers
            - fluentds
            - kubernetesenvs
            - listcheckers
            - memquotas
            - noops
            - opas
            - prometheuses
            - rbacs
            - solarwindses
            - stackdrivers
            - cloudwatches
            - dogstatsds
            - statsds
            - stdios
            - apikeys
            - authorizations
            - checknothings
            # - kuberneteses
            - listentries
            - logentries
            - metrics
            - quotas
            - reportnothings
            - tracespans
        failurePolicy: Fail
        sideEffects: None
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: galley
  name: istio-galley-configuration
  namespace: istio-system
---
# ConfigMap with two text entries:
#   custom-resources.yaml - a mesh-wide MeshPolicy named "default"
#   run.sh                - a shell script that waits for the istio-galley
#                           deployment (when its validating webhook exists)
#                           and then runs kubectl apply on the file passed as
#                           its single argument
#
# NOTE(review): the MeshPolicy sets mTLS mode PERMISSIVE, which accepts both
# plaintext and mutual-TLS traffic. That is a migration setting; workloads are
# not protected from plaintext peers until the mode is tightened.
# NOTE(review): run.sh queries the istio-galley deployment with
# "kubectl -n default", while this ConfigMap lives in istio-system. The wait
# loop has no timeout, so if the deployment is in another namespace the script
# never finishes. Verify the namespace.
# NOTE(review): run.sh expands ${pathToResourceYAML} unquoted in the final
# kubectl apply; it is safe only while the caller passes a fixed path without
# spaces or glob characters.
# NOTE(review): nested indentation inside custom-resources.yaml appears
# collapsed to single spaces in this copy; compare with the rendered chart
# before applying it.
apiVersion: v1
data:
  custom-resources.yaml: "# Authentication policy to enable permissive mode for all
    services (that have sidecar) in the mesh.\napiVersion: \"authentication.istio.io/v1alpha1\"\nkind:
    \"MeshPolicy\"\nmetadata:\n name: \"default\"\n labels:\n app: security\n
    \ chart: security\n heritage: Tiller\n release: project\nspec:\n peers:\n
    \ - mtls:\n mode: PERMISSIVE\t"
  run.sh: |-
    #!/bin/sh
    set -x
    if [ "$#" -ne "1" ]; then
        echo "first argument should be path to custom resource yaml"
        exit 1
    fi
    pathToResourceYAML=${1}
    kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
    if [ "$?" -eq 0 ]; then
        echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
        while true; do
            kubectl -n default get deployment istio-galley 2>/dev/null
            if [ "$?" -eq 0 ]; then
                break
            fi
            sleep 1
        done
        kubectl -n default rollout status deployment istio-galley
        if [ "$?" -ne 0 ]; then
            echo "istio-galley deployment rollout status check failed"
            exit 1
        fi
        echo "istio-galley deployment ready for configuration validation"
    fi
    sleep 5
    kubectl apply -f ${pathToResourceYAML}
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: citadel
  name: istio-security-custom-resources
  namespace: istio-system
---
# ConfigMap holding the sidecar injection policy ("policy: enabled") and the
# pod template, with [[ ... ]] template actions, that is merged into injected
# pods: an istio-init init container and an istio-proxy container.
#
# NOTE(review): both images use the tag master-latest-daily
# (gcr.io/istio-release/proxy_init and gcr.io/istio-release/proxyv2). That is
# a moving tag, and with imagePullPolicy IfNotPresent different nodes can run
# different builds. Pin a released version or an image digest.
# NOTE(review): the template reads several pod annotations. In particular
# sidecar.istio.io/proxyImage replaces the proxy image, and
# sidecar.istio.io/userVolume / userVolumeMount add volumes and mounts parsed
# from JSON. Anyone allowed to set pod annotations controls these values, so
# restrict them with admission policy if pod authors are not fully trusted.
# NOTE(review): the init container always adds NET_ADMIN; the proxy container
# adds it only in TPROXY interception mode and otherwise runs as user 1337
# with a read-only root filesystem.
# NOTE(review): nested indentation inside the template appears collapsed to
# single spaces in this copy; compare with the rendered chart before applying.
apiVersion: v1
data:
  config: "policy: enabled\ntemplate: |-\n rewriteAppHTTPProbe: false\n initContainers:\n
    \ [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode)
    \"NONE\" ]]\n - name: istio-init\n image: \"gcr.io/istio-release/proxy_init:master-latest-daily\"\n
    \ args:\n - \"-p\"\n - [[ .MeshConfig.ProxyListenPort ]]\n - \"-u\"\n
    \ - 1337\n - \"-m\"\n - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode`
    .ProxyConfig.InterceptionMode ]]\n - \"-i\"\n - \"[[ annotation .ObjectMeta
    `traffic.sidecar.istio.io/includeOutboundIPRanges` \"*\" ]]\"\n - \"-x\"\n
    \ - \"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges`
    \ \"\" ]]\"\n - \"-b\"\n - \"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts`
    (includeInboundPorts .Spec.Containers) ]]\"\n - \"-d\"\n - \"[[ excludeInboundPort
    (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) (annotation .ObjectMeta
    `traffic.sidecar.istio.io/excludeInboundPorts` \"\" ) ]]\"\n [[ if (isset
    .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]\n -
    \"-k\"\n - \"[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`
    ]]\"\n [[ end -]]\n imagePullPolicy: IfNotPresent\n resources:\n requests:\n
    \ cpu: 10m\n memory: 10Mi\n limits:\n cpu: 100m\n memory:
    50Mi\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n
    \ restartPolicy: Always\n [[ end -]]\n containers:\n - name: istio-proxy\n
    \ image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` \"gcr.io/istio-release/proxyv2:master-latest-daily\"
    \ ]]\n ports:\n - containerPort: 15090\n protocol: TCP\n name:
    http-envoy-prom\n args:\n - proxy\n - sidecar\n - --domain\n -
    $(POD_NAMESPACE).svc.cluster.local\n - --configPath\n - [[ .ProxyConfig.ConfigPath
    ]]\n - --binaryPath\n - [[ .ProxyConfig.BinaryPath ]]\n - --serviceCluster\n
    \ [[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]\n - [[ index .ObjectMeta.Labels
    \"app\" ]].$(POD_NAMESPACE)\n [[ else -]]\n - [[ valueOrDefault .DeploymentMeta.Name
    \"istio-proxy\" ]].[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]]\n
    \ [[ end -]]\n - --drainDuration\n - [[ formatDuration .ProxyConfig.DrainDuration
    ]]\n - --parentShutdownDuration\n - [[ formatDuration .ProxyConfig.ParentShutdownDuration
    ]]\n - --discoveryAddress\n - [[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress`
    .ProxyConfig.DiscoveryAddress ]]\n - --zipkinAddress\n - [[ .ProxyConfig.GetTracing.GetZipkin.GetAddress
    ]]\n - --connectTimeout\n - [[ formatDuration .ProxyConfig.ConnectTimeout
    ]]\n - --proxyAdminPort\n - [[ .ProxyConfig.ProxyAdminPort ]]\n [[ if
    gt .ProxyConfig.Concurrency 0 -]]\n - --concurrency\n - [[ .ProxyConfig.Concurrency
    ]]\n [[ end -]]\n - --controlPlaneAuthPolicy\n - [[ annotation .ObjectMeta
    `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy
    ]]\n [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020
    ) \"0\") ]]\n - --statusPort\n - [[ annotation .ObjectMeta `status.sidecar.istio.io/port`
    \ 15020 ]]\n - --applicationPorts\n - \"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts`
    (applicationPorts .Spec.Containers) ]]\"\n [[- end ]]\n env:\n - name:
    POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n
    \ - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath:
    metadata.namespace\n - name: INSTANCE_IP\n valueFrom:\n fieldRef:\n
    \ fieldPath: status.podIP\n - name: ISTIO_META_POD_NAME\n valueFrom:\n
    \ fieldRef:\n fieldPath: metadata.name\n - name: ISTIO_META_CONFIG_NAMESPACE\n
    \ valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n
    \ - name: ISTIO_META_INTERCEPTION_MODE\n value: [[ or (index .ObjectMeta.Annotations
    \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]\n
    \ [[ if .ObjectMeta.Annotations ]]\n - name: ISTIO_METAJSON_ANNOTATIONS\n
    \ value: |\n [[ toJSON .ObjectMeta.Annotations ]]\n [[ end
    ]]\n [[ if .ObjectMeta.Labels ]]\n - name: ISTIO_METAJSON_LABELS\n value:
    |\n [[ toJSON .ObjectMeta.Labels ]]\n [[ end ]]\n [[- if (isset
    .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]\n - name:
    ISTIO_BOOTSTRAP_OVERRIDE\n value: \"/etc/istio/custom-bootstrap/custom_bootstrap.json\"\n
    \ [[- end ]]\n imagePullPolicy: IfNotPresent\n [[ if (ne (annotation .ObjectMeta
    `status.sidecar.istio.io/port` 15020 ) \"0\") ]]\n readinessProbe:\n httpGet:\n
    \ path: /healthz/ready\n port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port`
    \ 15020 ]]\n initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds`
    \ 1 ]]\n periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds`
    \ 2 ]]\n failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold`
    \ 30 ]]\n [[ end -]]securityContext:\n readOnlyRootFilesystem: true\n
    \ [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode)
    \"TPROXY\" -]]\n capabilities:\n add:\n - NET_ADMIN\n runAsGroup:
    1337\n [[ else -]]\n \n runAsUser: 1337\n [[- end ]]\n resources:\n
    \ [[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset
    .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]\n requests:\n
    \ [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]\n
    \ cpu: \"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"\n
    \ [[ end ]]\n [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`)
    -]]\n memory: \"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`
    ]]\"\n [[ end ]]\n [[ else -]]\n limits:\n cpu: 2000m\n
    \ memory: 128Mi\n requests:\n cpu: 100m\n memory: 128Mi\n
    \ \n [[ end -]]\n volumeMounts:\n [[- if (isset .ObjectMeta.Annotations
    `sidecar.istio.io/bootstrapOverride`) ]]\n - mountPath: /etc/istio/custom-bootstrap\n
    \ name: custom-bootstrap-volume\n [[- end ]]\n - mountPath: /etc/istio/proxy\n
    \ name: istio-envoy\n - mountPath: /etc/certs/\n name: istio-certs\n
    \ readOnly: true\n [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`
    ]]\n [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`)
    ]]\n - name: \"[[ $index ]]\"\n [[ toYaml $value | indent 4 ]]\n [[
    end ]]\n [[- end ]]\n volumes:\n [[- if (isset .ObjectMeta.Annotations
    `sidecar.istio.io/bootstrapOverride`) ]]\n - name: custom-bootstrap-volume\n
    \ configMap:\n name: [[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride`
    `` ]]\n [[- end ]]\n - emptyDir:\n medium: Memory\n name: istio-envoy\n
    \ - name: istio-certs\n secret:\n optional: true\n [[ if eq .Spec.ServiceAccountName
    \"\" -]]\n secretName: istio.default\n [[ else -]]\n secretName:
    [[ printf \"istio.%s\" .Spec.ServiceAccountName ]]\n [[ end -]]\n [[-
    if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]]\n [[ range
    $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`)
    ]]\n - name: \"[[ $index ]]\"\n [[ toYaml $value | indent 2 ]]\n [[ end
    ]]\n [[ end ]]"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: sidecar-injector
  name: istio-sidecar-injector
  namespace: istio-system
---
# ConfigMap with the mesh-wide Istio settings: "mesh" is the mesh
# configuration as text, and "meshNetworks" is an empty networks map.
#
# Security-relevant values set in the mesh text:
#   disablePolicyChecks: true       - Mixer policy checks are switched off;
#                                     per the embedded comment, metrics are
#                                     still reported.
#   accessLogFile: ""               - sidecar access logging is disabled, so
#                                     there is no per-request log to use
#                                     during an investigation.
#   outboundTrafficPolicy ALLOW_ANY - sidecars allow outbound traffic to
#                                     unknown destinations; REGISTRY_ONLY is
#                                     the restrictive alternative described in
#                                     the embedded comment.
#   controlPlaneAuthPolicy          - MUTUAL_TLS between sidecars and the
#                                     control plane.
# NOTE(review): the addresses and rootNamespace in the mesh text refer to
# namespace "default" (istio-policy.default, istio-telemetry.default,
# istio-galley.default, istio-pilot.default, zipkin.default), while this
# ConfigMap is in istio-system. Verify that the control-plane Services really
# run in default; otherwise sidecars are pointed at names that do not resolve,
# or that another tenant of the default namespace could claim.
# NOTE(review): nested indentation inside the mesh text appears collapsed to
# single spaces in this copy; compare with the rendered chart before applying.
apiVersion: v1
data:
  mesh: "# Set the following variable to true to disable policy checks by the Mixer.\n#
    Note that metrics will still be reported to the Mixer.\ndisablePolicyChecks: true\n#
    Set enableTracing to false to disable request tracing.\nenableTracing: true\n#
    Set accessLogFile to empty string to disable access log.\naccessLogFile: \"\"\n#
    If accessLogEncoding is TEXT, value will be used directly as the log format\n#
    example: \"[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\\n\"\n#
    If AccessLogEncoding is JSON, value will be parsed as map[string]string\n# example:
    '{\"start_time\": \"%START_TIME%\", \"req_method\": \"%REQ(:METHOD)%\"}'\n# Leave
    empty to use default log format\naccessLogFormat: \"\"\n# Set accessLogEncoding
    to JSON or TEXT to configure sidecar access log\naccessLogEncoding: 'TEXT'\nmixerCheckServer:
    istio-policy.default.svc.cluster.local:15004\nmixerReportServer: istio-telemetry.default.svc.cluster.local:15004\n#
    policyCheckFailOpen allows traffic in cases when the mixer policy service cannot
    be reached.\n# Default is false which means the traffic is denied when the client
    is unable to connect to Mixer.\npolicyCheckFailOpen: false\n# Let Pilot give ingresses
    the public IP of the Istio ingressgateway\ningressService: istio-ingressgateway\n#
    DNS refresh rate for Envoy clusters of type STRICT_DNS\ndnsRefreshRate: 5s\n#
    Unix Domain Socket through which envoy communicates with NodeAgent SDS to get\n#
    key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. \nsdsUdsPath:
    \n# This flag is used by secret discovery service(SDS). \n# If set to true(prerequisite:
    https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject
    volumes mount \n# for k8s service account JWT, so that K8s API server mounts k8s
    service account JWT to envoy container, which \n# will be used to generate key/cert
    eventually. This isn't supported for non-k8s case.\nenableSdsTokenMount: false\n#
    This flag is used by secret discovery service(SDS). \n# If set to true, envoy
    will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
    \n# (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
    \n# and pass to sds server, which will be used to request key/cert eventually.
    \n# this flag is ignored if enableSdsTokenMount is set.\n# This isn't supported
    for non-k8s case.\nsdsUseK8sSaJwt: false\n# The trust domain corresponds to the
    trust root of a system.\n# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain\ntrustDomain:
    \n# Set the default behavior of the sidecar for handling outbound traffic from
    the application:\n# ALLOW_ANY - outbound traffic to unknown destinations will
    be allowed, in case there are no\n# services or ServiceEntries for the destination
    port\n# REGISTRY_ONLY - restrict outbound traffic to services defined in the service
    registry as well\n# as those defined through ServiceEntries \noutboundTrafficPolicy:\n
    \ mode: ALLOW_ANY\n# The namespace to treat as the administrative root namespace
    for istio\n# configuration. \nrootNamespace: default\nconfigSources:\n- address:
    istio-galley.default.svc:9901\n tlsSettings:\n mode: ISTIO_MUTUAL\ndefaultConfig:\n
    \ #\n # TCP connection timeout between Envoy & the application, and between Envoys.\n
    \ connectTimeout: 10s\n #\n ### ADVANCED SETTINGS #############\n # Where should
    envoy's configuration be stored in the istio-proxy container\n configPath: \"/etc/istio/proxy\"\n
    \ binaryPath: \"/usr/local/bin/envoy\"\n # The pseudo service name used for Envoy.\n
    \ serviceCluster: istio-proxy\n # These settings that determine how long an old
    Envoy\n # process should be kept alive after an occasional reload.\n drainDuration:
    45s\n parentShutdownDuration: 1m0s\n #\n # The mode used to redirect inbound
    connections to Envoy. This setting\n # has no effect on outbound traffic: iptables
    REDIRECT is always used for\n # outbound connections.\n # If \"REDIRECT\", use
    iptables REDIRECT to NAT and redirect to Envoy.\n # The \"REDIRECT\" mode loses
    source addresses during redirection.\n # If \"TPROXY\", use iptables TPROXY to
    redirect to Envoy.\n # The \"TPROXY\" mode preserves both the source and destination
    IP\n # addresses and ports, so that they can be used for advanced filtering\n
    \ # and manipulation.\n # The \"TPROXY\" mode also configures the sidecar to
    run with the\n # CAP_NET_ADMIN capability, which is required to use TPROXY.\n
    \ #interceptionMode: REDIRECT\n #\n # Port where Envoy listens (on local host)
    for admin commands\n # You can exec into the istio-proxy container in a pod and\n
    \ # curl the admin port (curl http://localhost:15000/) to obtain\n # diagnostic
    information from Envoy. See\n # https://lyft.github.io/envoy/docs/operations/admin.html\n
    \ # for more details\n proxyAdminPort: 15000\n #\n # Set concurrency to a specific
    number to control the number of Proxy worker threads.\n # If set to 0 (default),
    then start worker thread for each CPU thread/core.\n concurrency: 2\n #\n tracing:\n
    \ zipkin:\n # Address of the Zipkin collector\n address: zipkin.default:9411\n
    \ #\n # Mutual TLS authentication between sidecars and istio control plane.\n
    \ controlPlaneAuthPolicy: MUTUAL_TLS\n #\n # Address where istio Pilot service
    is running\n discoveryAddress: istio-pilot.default:15011"
  meshNetworks: 'networks: {}'
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio
  namespace: istio-system
---
apiVersion: v1
data:
prometheus.yml: |-
global:
scrape_interval: 15s
scrape_configs:
- job_name: 'istio-mesh'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- default
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-telemetry;prometheus
# Scrape config for envoy stats
- job_name: 'envoy-stats'
metrics_path: /stats/prometheus
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_container_port_name]
action: keep
regex: '.*-envoy-prom'
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:15090
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
metric_relabel_configs:
# Exclude some of the envoy metrics that have massive cardinality
# This list may need to be pruned further moving forward, as informed
# by performance and scalability testing.
- source_labels: [ cluster_name ]
regex: '(outbound|inbound|prometheus_stats).*'
action: drop
- source_labels: [ tcp_prefix ]
regex: '(outbound|inbound|prometheus_stats).*'
action: drop
- source_labels: [ listener_address ]
regex: '(.+)'
action: drop
- source_labels: [ http_conn_manager_listener_prefix ]
regex: '(.+)'
action: drop
- source_labels: [ http_conn_manager_prefix ]
regex: '(.+)'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_tls.*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_tcp_downstream.*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_http_(stats|admin).*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*'
action: drop
- job_name: 'istio-policy'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- default
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-policy;http-monitoring
- job_name: 'istio-telemetry'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- default
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-telemetry;http-monitoring
- job_name: 'pilot'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- default
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-pilot;http-monitoring
- job_name: 'galley'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- default
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-galley;http-monitoring
- job_name: 'citadel'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- default
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-citadel;http-monitoring
# scrape config for API servers
- job_name: 'kubernetes-apiservers'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- default
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: kubernetes;https
# scrape config for nodes (kubelet)
- job_name: 'kubernetes-nodes'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics
# Scrape config for Kubelet cAdvisor.
#
# This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
# (those whose names begin with 'container_') have been removed from the
# Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
# retrieve those metrics.
#
# In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
# HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
# in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
# the --cadvisor-port=0 Kubelet flag).
#
# This job is not necessary and should be removed in Kubernetes 1.6 and
# earlier versions, or it will cause the metrics to be scraped twice.
- job_name: 'kubernetes-cadvisor'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
# scrape config for service endpoints.
- job_name: 'kubernetes-service-endpoints'
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: kubernetes_name
- job_name: 'kubernetes-pods'
kubernetes_sd_configs:
- role: pod
relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job.
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
# Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http"
- source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme]
action: keep
regex: ((;.*)|(.*;http))
- source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
action: drop
regex: (true)
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
- job_name: 'kubernetes-pods-istio-secure'
scheme: https
tls_config:
ca_file: /etc/istio-certs/root-cert.pem
cert_file: /etc/istio-certs/cert-chain.pem
key_file: /etc/istio-certs/key.pem
insecure_skip_verify: true # prometheus does not support secure naming.
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
# sidecar status annotation is added by sidecar injector and
# istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
- source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
action: keep
regex: (([^;]+);([^;]*))|(([^;]*);(true))
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
action: drop
regex: (http)
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__] # Only keep address that is host:port
action: keep # otherwise an extra target with ':443' is added for https scheme
regex: ([^:]+):(\d+)
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: unknown
app.kubernetes.io/generated-by: helm
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: istio
app.kubernetes.io/part-of: unknown
app.kubernetes.io/stage: localism
name: prometheus
namespace: istio-system
---
# MetalLB address-pool configuration. The controller Deployment in this file
# is started with --config=config, which matches this ConfigMap's name.
apiVersion: v1
data:
  # The value is an embedded YAML document handed over as one string, so its
  # inner layout is data rather than manifest structure.
  # NOTE(review): the pool lists a single bare address; confirm the deployed
  # MetalLB build accepts it without a CIDR suffix or an address range.
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 172.17.255.1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: loadbalancer
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: metallb
    app.kubernetes.io/part-of: project
    app.kubernetes.io/stage: localism
  name: config
  namespace: metallb-system
---
# Service in front of Citadel: gRPC on 8060 plus the monitoring port 15014.
# No type is set, so the API server's default Service type applies.
# NOTE(review): the 'citadel' scrape job in the Prometheus config of this
# file limits discovery to namespace 'default', while this Service lives in
# istio-system; confirm the job actually finds these endpoints.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: citadel
  name: istio-citadel
  namespace: istio-system
spec:
  ports:
    - name: grpc-citadel
      port: 8060
      protocol: TCP
      targetPort: 8060
    - name: http-monitoring
      port: 15014
  # 'istio: citadel' is the only label here that is not shared by every
  # Istio workload in this file.
  selector:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: citadel
---
# Cluster-internal Service (type ClusterIP) for the egress gateway pods.
apiVersion: v1
kind: Service
metadata:
  # Explicit null: the Service carries no annotations.
  annotations: null
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: egressgateway
  name: istio-egressgateway
  namespace: istio-system
spec:
  ports:
    - name: http2
      port: 80
    - name: https
      port: 443
    - name: tls
      port: 15443
      targetPort: 15443
  # 'istio: egressgateway' is the label that narrows this selector to the
  # gateway pods; the other six are common to all Istio workloads here.
  selector:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: egressgateway
  type: ClusterIP
---
# Service for Galley: validation webhook (443), monitoring (15014) and the
# MCP gRPC port (9901). No type is set, so the API default applies.
# NOTE(review): the 'galley' scrape job in this file's Prometheus config
# only discovers endpoints in namespace 'default'; this Service is in
# istio-system, so verify the monitoring port is really being scraped.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: galley
  name: istio-galley
  namespace: istio-system
spec:
  ports:
    - name: https-validation
      port: 443
    - name: http-monitoring
      port: 15014
    - name: grpc-mcp
      port: 9901
  selector:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: galley
---
# Externally reachable entry point of the mesh: type LoadBalancer, so every
# port listed below is published on the load-balancer address.
# NOTE(review): besides 80/443 this publishes the ports named for Kiali,
# Prometheus, Grafana and tracing (15029-15032), the raw TCP port 31400 and
# the gateway's status port 15020. Whether anything answers on them depends
# on Gateway resources not shown here; remove the ports that must not be
# reachable from outside, or restrict callers with loadBalancerSourceRanges.
apiVersion: v1
kind: Service
metadata:
  # Explicit null: the Service carries no annotations.
  annotations: null
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: ingressgateway
  name: istio-ingressgateway
  namespace: istio-system
spec:
  ports:
    # The first three entries also pin a fixed nodePort on every node.
    - name: http2
      nodePort: 31380
      port: 80
      targetPort: 80
    - name: https
      nodePort: 31390
      port: 443
    - name: tcp
      nodePort: 31400
      port: 31400
    # Add-on dashboards and telemetry UIs, by port name.
    - name: https-kiali
      port: 15029
      targetPort: 15029
    - name: https-prometheus
      port: 15030
      targetPort: 15030
    - name: https-grafana
      port: 15031
      targetPort: 15031
    - name: https-tracing
      port: 15032
      targetPort: 15032
    - name: tls
      port: 15443
      targetPort: 15443
    # 15020 is the --statusPort the gateway Deployment in this file passes
    # to the proxy and probes for readiness.
    - name: status-port
      port: 15020
      targetPort: 15020
  selector:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: ingressgateway
  type: LoadBalancer
---
# Service for Pilot's discovery endpoints. No type is set, so the API
# default applies.
# The gateways in this file connect to istio-pilot:15011 with
# --controlPlaneAuthPolicy MUTUAL_TLS.
# NOTE(review): going by the port names, 15010 (grpc-xds) and 8080
# (http-legacy-discovery) are the non-TLS counterparts; confirm they need to
# be exposed through the Service at all.
# NOTE(review): the 'pilot' scrape job in this file's Prometheus config only
# discovers endpoints in namespace 'default', not istio-system.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: pilot
  name: istio-pilot
  namespace: istio-system
spec:
  ports:
    - name: grpc-xds
      port: 15010
    - name: https-xds
      port: 15011
    - name: http-legacy-discovery
      port: 8080
    - name: http-monitoring
      port: 15014
  selector:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: pilot
---
# Service for the Mixer policy pods (selector: istio-mixer-type: policy).
# NOTE(review): the 'istio-policy' scrape job in this file's Prometheus
# config only discovers endpoints in namespace 'default', while this Service
# is in istio-system; confirm the monitoring port is being scraped.
apiVersion: v1
kind: Service
metadata:
  annotations:
    # '*' must stay quoted: a bare * would be read as a YAML alias.
    networking.istio.io/exportTo: '*'
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer
  name: istio-policy
  namespace: istio-system
spec:
  ports:
    - name: grpc-mixer
      port: 9091
    - name: grpc-mixer-mtls
      port: 15004
    - name: http-monitoring
      port: 15014
  selector:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer
    istio-mixer-type: policy
---
# Service for the sidecar injector: a single, unnamed port 443.
# No type is set, so the API default applies.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: sidecar-injector
  name: istio-sidecar-injector
  namespace: istio-system
spec:
  ports:
    - port: 443
  selector:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: sidecar-injector
---
# Service for the Mixer telemetry pods (selector: istio-mixer-type:
# telemetry). Same ports as istio-policy plus 42422, named 'prometheus'.
# NOTE(review): the 'istio-telemetry' scrape job in this file's Prometheus
# config only discovers endpoints in namespace 'default', while this Service
# is in istio-system; confirm the monitoring port is being scraped.
apiVersion: v1
kind: Service
metadata:
  annotations:
    # '*' must stay quoted: a bare * would be read as a YAML alias.
    networking.istio.io/exportTo: '*'
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer
  name: istio-telemetry
  namespace: istio-system
spec:
  ports:
    - name: grpc-mixer
      port: 9091
    - name: grpc-mixer-mtls
      port: 15004
    - name: http-monitoring
      port: 15014
    - name: prometheus
      port: 42422
  selector:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer
    istio-mixer-type: telemetry
---
# Service for the Prometheus server on 9090. The prometheus.io/scrape
# annotation opts it in to the 'kubernetes-service-endpoints' scrape job.
# NOTE(review): unlike the other Services in this file, the selector below
# holds only the six labels shared by every Istio workload and no label that
# is specific to Prometheus. As written it selects every pod in istio-system
# that carries those labels, so the Service's endpoints are not limited to
# the Prometheus pod. Add the Prometheus pod's own label once it is known
# (its Deployment is not part of this section).
apiVersion: v1
kind: Service
metadata:
  annotations:
    prometheus.io/scrape: "true"
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: prometheus
  namespace: istio-system
spec:
  ports:
    - name: http-prometheus
      port: 9090
      protocol: TCP
  selector:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
---
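# Rook operator for Ceph (container args: ceph operator), one replica.
# NOTE(review): apps/v1beta1 is a pre-GA Deployment API; confirm the target
# cluster still serves it.
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    operator: rook
    storage-backend: ceph
  name: rook-ceph-operator
  namespace: rook-ceph-system
spec:
  replicas: 1
  selector:
    matchLabels:
      # Added: the pod template's own 'app' label. The three labels below
      # are stamped on everything kustomize manages for storage, so on their
      # own they would also match unrelated pods in this namespace.
      app: rook-ceph-operator
      app.kubernetes.io/component: storage
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/stage: localism
  template:
    metadata:
      labels:
        app: rook-ceph-operator
        app.kubernetes.io/component: storage
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/stage: localism
    spec:
      # No securityContext is set on the pod or the container, so the
      # runtime and cluster defaults apply.
      containers:
        - args:
            - ceph
            - operator
          env:
            # Quoted on purpose: env values must be strings, not booleans.
            - name: ROOK_ALLOW_MULTIPLE_FILESYSTEMS
              value: "false"
            - name: ROOK_LOG_LEVEL
              value: INFO
            - name: ROOK_MON_HEALTHCHECK_INTERVAL
              value: 45s
            - name: ROOK_MON_OUT_TIMEOUT
              value: 600s
            - name: ROOK_DISCOVER_DEVICES_INTERVAL
              value: 60m
            - name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
              value: "false"
            - name: ROOK_ENABLE_SELINUX_RELABELING
              value: "true"
            - name: ROOK_ENABLE_FSGROUP
              value: "true"
            # Downward API: the operator learns its own node, pod name and
            # namespace from the pod's fields.
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): 'master' is a moving tag. The running code is not
          # reproducible and cannot be checked against a known digest; pin a
          # release tag or an image digest.
          image: rook/ceph:master
          name: rook-ceph-operator
          volumeMounts:
            - mountPath: /var/lib/rook
              name: rook-config
            - mountPath: /etc/ceph
              name: default-config-dir
      serviceAccountName: rook-ceph-system
      volumes:
        # Both volumes are emptyDir, so their contents live only as long as
        # the pod does.
        - emptyDir: {}
          name: rook-config
        - emptyDir: {}
          name: default-config-dir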
---
# MetalLB controller. The pod runs as non-root (uid 65534) with a read-only
# root filesystem, no privilege escalation and all capabilities dropped.
# NOTE(review): apps/v1beta2 is a pre-GA Deployment API; confirm the target
# cluster still serves it.
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    component: controller
  name: controller
  namespace: metallb-system
spec:
  revisionHistoryLimit: 3
  # app + component identify this workload; the selector does not rely on
  # the shared kustomize labels alone.
  selector:
    matchLabels:
      app: metallb
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/stage: localism
      component: controller
  template:
    metadata:
      annotations:
        # Opts the pod in to the 'kubernetes-pods' scrape job on the
        # monitoring port declared below.
        prometheus.io/port: "7472"
        prometheus.io/scrape: "true"
      labels:
        app: metallb
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/stage: localism
        component: controller
    spec:
      containers:
        - args:
            - --port=7472
            # Name of the ConfigMap holding the address pools.
            - --config=config
          # NOTE(review): 'master' is a moving tag and imagePullPolicy
          # Always re-pulls it on every pod start, so the running build can
          # change without any manifest change; pin a release tag or digest.
          image: metallb/controller:master
          imagePullPolicy: Always
          name: controller
          ports:
            - containerPort: 7472
              name: monitoring
          # Limits only; no explicit requests are set.
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [all]
            readOnlyRootFilesystem: true
      nodeSelector:
        beta.kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0
---
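# Citadel, the mesh certificate authority, running with a self-signed CA.
# NOTE(review): extensions/v1beta1 is a pre-GA Deployment API; confirm the
# target cluster still serves it.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: citadel
  name: istio-citadel
  namespace: istio-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      # Added: the six labels above are identical on the citadel, galley
      # and gateway Deployments in this file, so without 'istio: citadel'
      # their selectors overlap and each one matches the others' pods.
      istio: citadel
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        # Control-plane pod: no sidecar is injected.
        sidecar.istio.io/inject: "false"
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
        istio: citadel
    spec:
      # Schedule only on amd64, ppc64le or s390x nodes; the three equal
      # weights express no preference between them.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [amd64]
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [ppc64le]
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [s390x]
              weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [amd64, ppc64le, s390x]
      # No securityContext is set on the pod or the container, so the
      # runtime and cluster defaults apply.
      containers:
        - args:
            - --append-dns-names=true
            - --grpc-port=8060
            # NOTE(review): the next two arguments name the 'default'
            # namespace, but this workload and istio-pilot are deployed to
            # istio-system. Confirm where the CA material is meant to be
            # stored and which DNS names Pilot's certificate needs.
            - --citadel-storage-namespace=default
            - --custom-dns-names=istio-pilot-service-account.default:istio-pilot.default
            - --monitoring-port=15014
            # Citadel uses its own self-signed CA as the trust root.
            - --self-signed-ca=true
          # NOTE(review): 'master-latest-daily' is a moving tag, and with
          # IfNotPresent each node keeps whichever build it pulled first.
          # For the component that signs workload certificates, pin a
          # release tag or an image digest.
          image: gcr.io/istio-release/citadel:master-latest-daily
          imagePullPolicy: IfNotPresent
          name: citadel
          resources:
            requests:
              cpu: 10m
      serviceAccountName: istio-citadel-service-account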
---
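# Egress gateway: an Envoy proxy in 'router' mode that talks to Pilot over
# mutual TLS (istio-pilot:15011).
# NOTE(review): extensions/v1beta1 is a pre-GA Deployment API; confirm the
# target cluster still serves it.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: egressgateway
  name: istio-egressgateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      # Added: the six labels above are identical on the citadel, galley
      # and gateway Deployments in this file, so without
      # 'istio: egressgateway' their selectors overlap.
      istio: egressgateway
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        # The gateway is itself the proxy: no sidecar is injected.
        sidecar.istio.io/inject: "false"
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
        istio: egressgateway
    spec:
      # Schedule only on amd64, ppc64le or s390x nodes; the three equal
      # weights express no preference between them.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [amd64]
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [ppc64le]
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [s390x]
              weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [amd64, ppc64le, s390x]
      # No securityContext is set on the pod or the container, so the
      # runtime and cluster defaults apply.
      containers:
        - args:
            - proxy
            - router
            - --domain
            # $(POD_NAMESPACE) is expanded from the env entry below.
            - $(POD_NAMESPACE).svc.cluster.local
            - --log_output_level=default:info
            - --drainDuration
            - 45s
            - --parentShutdownDuration
            - 1m0s
            - --connectTimeout
            - 10s
            - --serviceCluster
            - istio-egressgateway
            - --zipkinAddress
            - zipkin:9411
            # Numeric arguments are quoted so they stay strings.
            - --proxyAdminPort
            - "15000"
            - --statusPort
            - "15020"
            # Control-plane connection: mutual TLS to Pilot's 15011 port.
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
            - --discoveryAddress
            - istio-pilot:15011
          env:
            # Downward API values describing this pod.
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: ISTIO_META_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: ISTIO_META_CONFIG_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: ISTIO_META_ROUTER_MODE
              value: sni-dnat
          # NOTE(review): 'master-latest-daily' is a moving tag, and with
          # IfNotPresent each node keeps whichever build it pulled first;
          # pin a release tag or an image digest.
          image: gcr.io/istio-release/proxyv2:master-latest-daily
          imagePullPolicy: IfNotPresent
          name: istio-proxy
          ports:
            - containerPort: 80
            - containerPort: 443
            - containerPort: 15443
            - containerPort: 15090
              name: http-envoy-prom
              protocol: TCP
          # Readiness is probed over plain HTTP on the status port.
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
            - mountPath: /etc/istio/egressgateway-certs
              name: egressgateway-certs
              readOnly: true
            - mountPath: /etc/istio/egressgateway-ca-certs
              name: egressgateway-ca-certs
              readOnly: true
      serviceAccountName: istio-egressgateway-service-account
      volumes:
        # All three secrets are optional, so the pod starts even when a
        # secret does not exist yet; the mount is then empty.
        - name: istio-certs
          secret:
            optional: true
            secretName: istio.istio-egressgateway-service-account
        - name: egressgateway-certs
          secret:
            optional: true
            secretName: istio-egressgateway-certs
        - name: egressgateway-ca-certs
          secret:
            optional: true
            secretName: istio-egressgateway-ca-certs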
---
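# Galley: configuration validation webhook and MCP server, one replica.
# NOTE(review): extensions/v1beta1 is a pre-GA Deployment API; confirm the
# target cluster still serves it.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: galley
  name: istio-galley
  namespace: istio-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      # Added: the six labels above are identical on the citadel, galley
      # and gateway Deployments in this file, so without 'istio: galley'
      # their selectors overlap.
      istio: galley
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        # Control-plane pod: no sidecar is injected.
        sidecar.istio.io/inject: "false"
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
        istio: galley
    spec:
      # Schedule only on amd64, ppc64le or s390x nodes; the three equal
      # weights express no preference between them.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [amd64]
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [ppc64le]
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [s390x]
              weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [amd64, ppc64le, s390x]
      # No securityContext is set on the pod or the container, so the
      # runtime and cluster defaults apply.
      containers:
        - command:
            - /usr/local/bin/galley
            - server
            - --meshConfigFile=/etc/mesh-config/mesh
            - --livenessProbeInterval=1s
            - --livenessProbePath=/healthliveness
            - --readinessProbePath=/healthready
            - --readinessProbeInterval=1s
            # Keep this 'false': it leaves Galley's server in secured mode.
            - --insecure=false
            - --validation-webhook-config-file
            - /etc/config/validatingwebhookconfiguration.yaml
            - --monitoringPort=15014
            - --log_output_level=default:info
          # NOTE(review): 'master-latest-daily' is a moving tag, and with
          # IfNotPresent each node keeps whichever build it pulled first;
          # pin a release tag or an image digest.
          image: gcr.io/istio-release/galley:master-latest-daily
          imagePullPolicy: IfNotPresent
          # Both probes run the galley binary against the probe files the
          # server is told to maintain above.
          livenessProbe:
            exec:
              command:
                - /usr/local/bin/galley
                - probe
                - --probe-path=/healthliveness
                - --interval=10s
            initialDelaySeconds: 5
            periodSeconds: 5
          name: galley
          ports:
            - containerPort: 443
            - containerPort: 15014
            - containerPort: 9901
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/galley
                - probe
                - --probe-path=/healthready
                - --interval=10s
            initialDelaySeconds: 5
            periodSeconds: 5
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - mountPath: /etc/certs
              name: certs
              readOnly: true
            - mountPath: /etc/config
              name: config
              readOnly: true
            - mountPath: /etc/mesh-config
              name: mesh-config
              readOnly: true
      serviceAccountName: istio-galley-service-account
      volumes:
        # Unlike the gateways' certificate volumes, this secret is not
        # marked optional: the pod cannot start until the secret exists.
        - name: certs
          secret:
            secretName: istio.istio-galley-service-account
        - configMap:
            name: istio-galley-configuration
          name: config
        - configMap:
            name: istio
          name: mesh-config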
---
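# Ingress gateway: the Envoy proxy behind the LoadBalancer Service of the
# same name, i.e. the workload that receives traffic from outside the mesh.
# NOTE(review): extensions/v1beta1 is a pre-GA Deployment API; confirm the
# target cluster still serves it.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: ingressgateway
  name: istio-ingressgateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      # Added: the six labels above are identical on the citadel, galley
      # and gateway Deployments in this file, so without
      # 'istio: ingressgateway' their selectors overlap.
      istio: ingressgateway
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        # The gateway is itself the proxy: no sidecar is injected.
        sidecar.istio.io/inject: "false"
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
        istio: ingressgateway
    spec:
      # Schedule only on amd64, ppc64le or s390x nodes; the three equal
      # weights express no preference between them.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [amd64]
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [ppc64le]
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [s390x]
              weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [amd64, ppc64le, s390x]
      # NOTE(review): no securityContext is set on the pod or the
      # container, so runtime and cluster defaults apply to the one
      # workload that faces external traffic; consider setting one
      # explicitly after checking what the proxy image requires.
      containers:
        - args:
            - proxy
            - router
            - --domain
            # $(POD_NAMESPACE) is expanded from the env entry below.
            - $(POD_NAMESPACE).svc.cluster.local
            - --log_output_level=default:info
            - --drainDuration
            - 45s
            - --parentShutdownDuration
            - 1m0s
            - --connectTimeout
            - 10s
            - --serviceCluster
            - istio-ingressgateway
            - --zipkinAddress
            - zipkin:9411
            # Numeric arguments are quoted so they stay strings.
            - --proxyAdminPort
            - "15000"
            - --statusPort
            - "15020"
            # Control-plane connection: mutual TLS to Pilot's 15011 port.
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
            - --discoveryAddress
            - istio-pilot:15011
          env:
            # Downward API values describing this pod.
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: ISTIO_META_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: ISTIO_META_CONFIG_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: ISTIO_META_ROUTER_MODE
              value: sni-dnat
          # NOTE(review): 'master-latest-daily' is a moving tag, and with
          # IfNotPresent each node keeps whichever build it pulled first;
          # pin a release tag or an image digest.
          image: gcr.io/istio-release/proxyv2:master-latest-daily
          imagePullPolicy: IfNotPresent
          name: istio-proxy
          ports:
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15029
            - containerPort: 15030
            - containerPort: 15031
            - containerPort: 15032
            - containerPort: 15443
            - containerPort: 15020
            - containerPort: 15090
              name: http-envoy-prom
              protocol: TCP
          # Readiness is probed over plain HTTP on the status port.
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
            - mountPath: /etc/istio/ingressgateway-certs
              name: ingressgateway-certs
              readOnly: true
            - mountPath: /etc/istio/ingressgateway-ca-certs
              name: ingressgateway-ca-certs
              readOnly: true
      serviceAccountName: istio-ingressgateway-service-account
      volumes:
        # All three secrets are optional, so the pod starts even when a
        # secret does not exist yet; the mount is then empty.
        - name: istio-certs
          secret:
            optional: true
            secretName: istio.istio-ingressgateway-service-account
        - name: ingressgateway-certs
          secret:
            optional: true
            secretName: istio-ingressgateway-certs
        - name: ingressgateway-ca-certs
          secret:
            optional: true
            secretName: istio-ingressgateway-ca-certs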
---
# Pilot: a 'discovery' container plus an istio-proxy container in the same
# pod. The proxy is configured with --controlPlaneAuthPolicy MUTUAL_TLS and
# declares port 15011, the address the gateways in this file dial.
# NOTE(review): extensions/v1beta1 is a pre-GA Deployment API; confirm the
# target cluster still serves it.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: pilot
  name: istio-pilot
  namespace: istio-system
spec:
  # This selector already carries 'istio: pilot' on top of the shared
  # labels, so it is specific to this workload.
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      istio: pilot
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        # No injected sidecar: the proxy container is declared below.
        sidecar.istio.io/inject: "false"
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
        istio: pilot
    spec:
      # Schedule only on amd64, ppc64le or s390x nodes; the three equal
      # weights express no preference between them.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [amd64]
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [ppc64le]
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [s390x]
              weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: [amd64, ppc64le, s390x]
      # No securityContext is set on the pod or either container, so the
      # runtime and cluster defaults apply.
      containers:
        # Container 1: the discovery server.
        - args:
            - discovery
            - --monitoringAddr=:15014
            - --log_output_level=default:info
            - --domain
            - cluster.local
            - --keepaliveMaxServerConnectionAge
            - 30m
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: GODEBUG
              value: gctrace=1
            # Numeric values are quoted because env values must be strings.
            - name: PILOT_PUSH_THROTTLE
              value: "100"
            - name: PILOT_TRACE_SAMPLING
              value: "100"
            - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY
              value: "1"
          # NOTE(review): 'master-latest-daily' is a moving tag, and with
          # IfNotPresent each node keeps whichever build it pulled first;
          # pin a release tag or an image digest.
          image: gcr.io/istio-release/pilot:master-latest-daily
          imagePullPolicy: IfNotPresent
          name: discovery
          ports:
            - containerPort: 8080
            - containerPort: 15010
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 30
            timeoutSeconds: 5
          resources:
            requests:
              cpu: 500m
              memory: 2048Mi
          volumeMounts:
            - mountPath: /etc/istio/config
              name: config-volume
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
        # Container 2: the proxy placed in front of discovery.
        - args:
            - proxy
            - --domain
            # $(POD_NAMESPACE) is expanded from the env entry below.
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-pilot
            - --templateFile
            - /etc/istio/proxy/envoy_pilot.yaml.tmpl
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
          # Same moving-tag caveat as the discovery image above.
          image: gcr.io/istio-release/proxyv2:master-latest-daily
          imagePullPolicy: IfNotPresent
          name: istio-proxy
          ports:
            - containerPort: 15003
            - containerPort: 15005
            - containerPort: 15007
            - containerPort: 15011
          resources:
            limits:
              cpu: 2000m
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
      serviceAccountName: istio-pilot-service-account
      volumes:
        - configMap:
            name: istio
          name: config-volume
        # Optional secret: the pod starts even when the certificate secret
        # does not exist yet; the mount is then empty.
        - name: istio-certs
          secret:
            optional: true
            secretName: istio.istio-pilot-service-account
---
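# Mixer policy Deployment: a `mixer` container and an `istio-proxy` sidecar that talk
# over the unix socket in the shared /sock emptyDir. spec.replicas is unset; the
# istio-policy HorizontalPodAutoscaler in this file targets this Deployment.
# Indentation restored (the listing had been flattened to column 0).
# NOTE(review): extensions/v1beta1 Deployments were removed in Kubernetes 1.16; apps/v1
# is the replacement when this manifest moves to a newer cluster.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer
  name: istio-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      istio: mixer
      istio-mixer-type: policy
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        # Control-plane pod: excluded from automatic sidecar injection; the proxy is
        # declared explicitly below.
        sidecar.istio.io/inject: "false"
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
        istio: mixer
        istio-mixer-type: policy
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      # NOTE(review): neither container sets a securityContext (runAsNonRoot, dropped
      # capabilities, readOnlyRootFilesystem); add one if the images support it.
      containers:
      - args:
        - --monitoringPort=15014
        - --address
        - unix:///sock/mixer.socket
        - --log_output_level=default:info
        # NOTE(review): the galley and zipkin URLs and the config namespace below all
        # name "default", while this Deployment and the istio-galley PodDisruptionBudget
        # are in istio-system - confirm the targets resolve to the intended services.
        # NOTE(review): the istio-telemetry Deployment passes --certFile/--keyFile/
        # --caCertFile next to the same mcps:// URL; they are absent here - confirm.
        - --configStoreURL=mcps://istio-galley.default.svc:9901
        - --configDefaultNamespace=default
        - --useAdapterCRDs=false
        # Trace spans are sent over plain http.
        - --trace_zipkin_url=http://zipkin.default:9411/api/v1/spans
        env:
        - name: GODEBUG
          value: gctrace=1
        - name: GOMAXPROCS
          value: "6"
        # Floating tag combined with IfNotPresent: each node keeps whichever daily build
        # it pulled first, so replicas can run different code. Pin a release tag or a
        # digest (gcr.io/istio-release/mixer@sha256:<digest>) for auditable rollouts.
        image: gcr.io/istio-release/mixer:master-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /version
            port: 15014
          initialDelaySeconds: 5
          periodSeconds: 5
        name: mixer
        ports:
        - containerPort: 15014
        - containerPort: 42422
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
          requests:
            cpu: 10m
            memory: 100Mi
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /sock
          name: uds-socket
      - args:
        - proxy
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --serviceCluster
        - istio-policy
        - --templateFile
        - /etc/istio/proxy/envoy_policy.yaml.tmpl
        - --controlPlaneAuthPolicy
        - MUTUAL_TLS
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        # Same floating-tag concern as the mixer image above.
        image: gcr.io/istio-release/proxyv2:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 9091
        - containerPort: 15004
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          limits:
            cpu: 2000m
            memory: 128Mi
          requests:
            cpu: 100m
            memory: 128Mi
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /sock
          name: uds-socket
        # NOTE(review): the adapter secret is mounted into the proxy container here,
        # whereas istio-telemetry mounts its adapter secret into the mixer container.
        # Confirm which container reads it and mount the secret only there.
        - mountPath: /var/run/secrets/istio.io/policy/adapter
          name: policy-adapter-secret
          readOnly: true
      serviceAccountName: istio-mixer-service-account
      volumes:
      # optional: true lets the pod start before the secret exists; until then the
      # /etc/certs mount is empty even though the proxy is started with MUTUAL_TLS.
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-mixer-service-account
      - emptyDir: {}
        name: uds-socket
      - name: policy-adapter-secret
        secret:
          optional: true
          secretName: policy-adapter-secret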
---
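# Deployment for the sidecar-injector webhook server. Its TLS key pair, the mesh config
# and the injection template are all mounted read-only.
# Changes: indentation restored (the listing had been flattened to column 0) and the
# selector narrowed to this Deployment's own pods.
# NOTE(review): extensions/v1beta1 Deployments were removed in Kubernetes 1.16; apps/v1
# is the replacement when this manifest moves to a newer cluster.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: sidecar-injector
  name: istio-sidecar-injector
  namespace: istio-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      # Added: the six shared labels alone also match the pods of the other Istio
      # Deployments in this namespace (istio-policy, istio-telemetry, prometheus), and
      # overlapping controller selectors are unsupported. The pod template already
      # carries this label.
      istio: sidecar-injector
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
        istio: sidecar-injector
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      # NOTE(review): no securityContext and no resource limits (only a CPU request)
      # on a component that rewrites pod specs; tighten both if the image allows it.
      containers:
      - args:
        - --caCertFile=/etc/istio/certs/root-cert.pem
        - --tlsCertFile=/etc/istio/certs/cert-chain.pem
        - --tlsKeyFile=/etc/istio/certs/key.pem
        - --injectConfig=/etc/istio/inject/config
        - --meshConfig=/etc/istio/config/mesh
        - --healthCheckInterval=2s
        - --healthCheckFile=/health
        # Floating tag combined with IfNotPresent: the build that runs depends on when
        # a node first pulled it. Pin a release tag or a digest
        # (gcr.io/istio-release/sidecar_injector@sha256:<digest>).
        image: gcr.io/istio-release/sidecar_injector:master-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          exec:
            command:
            - /usr/local/bin/sidecar-injector
            - probe
            - --probe-path=/health
            - --interval=4s
          initialDelaySeconds: 4
          periodSeconds: 4
        name: sidecar-injector-webhook
        readinessProbe:
          exec:
            command:
            - /usr/local/bin/sidecar-injector
            - probe
            - --probe-path=/health
            - --interval=4s
          initialDelaySeconds: 4
          periodSeconds: 4
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/istio/config
          name: config-volume
          readOnly: true
        - mountPath: /etc/istio/certs
          name: certs
          readOnly: true
        - mountPath: /etc/istio/inject
          name: inject-config
          readOnly: true
      serviceAccountName: istio-sidecar-injector-service-account
      volumes:
      - configMap:
          name: istio
        name: config-volume
      # Not marked optional: the pod cannot start until this secret exists.
      - name: certs
        secret:
          secretName: istio.istio-sidecar-injector-service-account
      # The istio-sidecar-injector ConfigMap supplies the template passed to
      # --injectConfig; write access to that ConfigMap should be tightly restricted.
      - configMap:
          items:
          - key: config
            path: config
          name: istio-sidecar-injector
        name: inject-config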
---
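# Mixer telemetry Deployment: a `mixer` container and an `istio-proxy` sidecar that talk
# over the unix socket in the shared /sock emptyDir. spec.replicas is unset; the
# istio-telemetry HorizontalPodAutoscaler in this file targets this Deployment.
# Indentation restored (the listing had been flattened to column 0).
# NOTE(review): extensions/v1beta1 Deployments were removed in Kubernetes 1.16; apps/v1
# is the replacement when this manifest moves to a newer cluster.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer
  name: istio-telemetry
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      istio: mixer
      istio-mixer-type: telemetry
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        # Control-plane pod: excluded from automatic sidecar injection; the proxy is
        # declared explicitly below.
        sidecar.istio.io/inject: "false"
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
        istio: mixer
        istio-mixer-type: telemetry
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      # NOTE(review): neither container sets a securityContext (runAsNonRoot, dropped
      # capabilities, readOnlyRootFilesystem); add one if the images support it.
      containers:
      - args:
        - --monitoringPort=15014
        - --address
        - unix:///sock/mixer.socket
        - --log_output_level=default:info
        # NOTE(review): the galley and zipkin URLs and the config namespace below all
        # name "default", while this Deployment and the istio-galley PodDisruptionBudget
        # are in istio-system - confirm the targets resolve to the intended services.
        - --configStoreURL=mcps://istio-galley.default.svc:9901
        # Client key pair and CA bundle, read from the istio-certs secret mount.
        - --certFile=/etc/certs/cert-chain.pem
        - --keyFile=/etc/certs/key.pem
        - --caCertFile=/etc/certs/root-cert.pem
        - --configDefaultNamespace=default
        - --useAdapterCRDs=false
        # Trace spans are sent over plain http.
        - --trace_zipkin_url=http://zipkin.default:9411/api/v1/spans
        - --averageLatencyThreshold
        - 100ms
        - --loadsheddingMode
        - enforce
        env:
        - name: GODEBUG
          value: gctrace=1
        - name: GOMAXPROCS
          value: "6"
        # Floating tag combined with IfNotPresent: each node keeps whichever daily build
        # it pulled first, so replicas can run different code. Pin a release tag or a
        # digest (gcr.io/istio-release/mixer@sha256:<digest>) for auditable rollouts.
        image: gcr.io/istio-release/mixer:master-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /version
            port: 15014
          initialDelaySeconds: 5
          periodSeconds: 5
        name: mixer
        ports:
        - containerPort: 15014
        - containerPort: 42422
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
          requests:
            cpu: 50m
            memory: 100Mi
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /var/run/secrets/istio.io/telemetry/adapter
          name: telemetry-adapter-secret
          readOnly: true
        - mountPath: /sock
          name: uds-socket
      - args:
        - proxy
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --serviceCluster
        - istio-telemetry
        - --templateFile
        - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
        - --controlPlaneAuthPolicy
        - MUTUAL_TLS
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        # Same floating-tag concern as the mixer image above.
        image: gcr.io/istio-release/proxyv2:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 9091
        - containerPort: 15004
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          limits:
            cpu: 2000m
            memory: 128Mi
          requests:
            cpu: 100m
            memory: 128Mi
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /sock
          name: uds-socket
      serviceAccountName: istio-mixer-service-account
      volumes:
      # optional: true lets the pod start before the secret exists; until then the
      # /etc/certs mount is empty although mixer is pointed at key files inside it.
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-mixer-service-account
      - emptyDir: {}
        name: uds-socket
      - name: telemetry-adapter-secret
        secret:
          optional: true
          secretName: telemetry-adapter-secret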
---
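# Prometheus Deployment for the mesh: one replica, 6h TSDB retention, config read from
# the `prometheus` ConfigMap. Indentation restored (the listing had been flattened to
# column 0).
# NOTE(review): extensions/v1beta1 Deployments were removed in Kubernetes 1.16; apps/v1
# is the replacement when this manifest moves to a newer cluster.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: prometheus
  namespace: istio-system
spec:
  replicas: 1
  # NOTE(review): this selector and the pod template carry only the six shared labels,
  # which also match the pods of the other Istio Deployments in this namespace.
  # Overlapping controller selectors are unsupported; add a label unique to Prometheus
  # to both the selector and the template.
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      # NOTE(review): no securityContext, and no memory request or limit, so the
      # container's memory use is unbounded on the node.
      containers:
      - args:
        - --storage.tsdb.retention=6h
        - --config.file=/etc/prometheus/prometheus.yml
        image: docker.io/prom/prometheus:v2.8.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /-/healthy
            port: 9090
        name: prometheus
        # NOTE(review): nothing in this Deployment adds authentication in front of
        # port 9090; confirm how the Service in front of it is exposed.
        ports:
        - containerPort: 9090
          name: http
        readinessProbe:
          httpGet:
            path: /-/ready
            port: 9090
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/prometheus
          name: config-volume
        - mountPath: /etc/istio-certs
          name: istio-certs
      initContainers:
      # Polls for /etc/istio-certs/key.pem once per second and exits 1 after 30 tries.
      # Because the secret volume below is optional, the pod is admitted without the
      # secret and then fails init until the secret appears.
      - command:
        - sh
        - -c
        - counter=0; until [ "$counter" -ge 30 ]; do if [ -f /etc/istio-certs/key.pem
          ]; then exit 0; else echo waiting for istio certs && sleep 1 && counter=$((counter+1));
          fi; done; exit 1;
        # Unqualified image name: it resolves through the container runtime's default
        # registry. Fully qualify it and pin a digest (<registry>/busybox@sha256:<digest>).
        image: busybox:1.30.1
        imagePullPolicy: IfNotPresent
        name: prom-init
        volumeMounts:
        - mountPath: /etc/istio-certs
          name: istio-certs
      serviceAccountName: prometheus
      volumes:
      - configMap:
          name: prometheus
        name: config-volume
      - name: istio-certs
        secret:
          # 420 decimal is 0644 octal: key.pem is readable by every user inside the
          # containers that mount this volume. A tighter mode needs a matching
          # runAsUser/fsGroup so Prometheus can still read the key.
          defaultMode: 420
          optional: true
          # NOTE(review): presumably the key pair issued to the `default` service
          # account rather than to `prometheus` - confirm that sharing is intended.
          secretName: istio.default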
---
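# PodDisruptionBudget: keep at least one istio-egressgateway pod running through
# voluntary disruptions such as node drains. Indentation restored (the listing had been
# flattened to column 0).
# NOTE(review): the istio-egressgateway HorizontalPodAutoscaler in this file allows
# minReplicas: 1. With a single replica, minAvailable: 1 permits zero disruptions, so a
# node drain (for example during security patching) blocks on this pod.
# NOTE(review): policy/v1beta1 was removed in Kubernetes 1.25; policy/v1 replaces it.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: egressgateway
  name: istio-egressgateway
  namespace: istio-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      istio: egressgateway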
---
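# PodDisruptionBudget: keep at least one istio-galley pod running through voluntary
# disruptions such as node drains. Indentation restored (the listing had been flattened
# to column 0).
# NOTE(review): if istio-galley runs a single replica (its Deployment is not visible
# here), minAvailable: 1 permits zero disruptions and node drains block on this pod.
# NOTE(review): policy/v1beta1 was removed in Kubernetes 1.25; policy/v1 replaces it.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: galley
  name: istio-galley
  namespace: istio-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      istio: galley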
---
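# PodDisruptionBudget: keep at least one istio-ingressgateway pod running through
# voluntary disruptions such as node drains. Indentation restored (the listing had been
# flattened to column 0).
# NOTE(review): the istio-ingressgateway HorizontalPodAutoscaler in this file allows
# minReplicas: 1. With a single replica, minAvailable: 1 permits zero disruptions, so a
# node drain (for example during security patching) blocks on this pod.
# NOTE(review): policy/v1beta1 was removed in Kubernetes 1.25; policy/v1 replaces it.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: ingressgateway
  name: istio-ingressgateway
  namespace: istio-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      istio: ingressgateway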
---
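# PodDisruptionBudget: keep at least one istio-pilot pod running through voluntary
# disruptions such as node drains. Indentation restored (the listing had been flattened
# to column 0).
# NOTE(review): the istio-pilot HorizontalPodAutoscaler in this file allows
# minReplicas: 1. With a single replica, minAvailable: 1 permits zero disruptions, so a
# node drain (for example during security patching) blocks on this pod.
# NOTE(review): policy/v1beta1 was removed in Kubernetes 1.25; policy/v1 replaces it.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: pilot
  name: istio-pilot
  namespace: istio-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      istio: pilot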
---
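# PodDisruptionBudget: keep at least one Mixer policy pod (istio: mixer,
# istio-mixer-type: policy) running through voluntary disruptions such as node drains.
# Indentation restored (the listing had been flattened to column 0).
# NOTE(review): the istio-policy HorizontalPodAutoscaler in this file allows
# minReplicas: 1. With a single replica, minAvailable: 1 permits zero disruptions, so a
# node drain (for example during security patching) blocks on this pod.
# NOTE(review): policy/v1beta1 was removed in Kubernetes 1.25; policy/v1 replaces it.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer
    istio-mixer-type: policy
    # This label says 1.1.0 while the istio-policy Deployment runs images tagged
    # master-latest-daily, so it does not identify the build that is deployed.
    version: 1.1.0
  name: istio-policy
  namespace: istio-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      istio: mixer
      istio-mixer-type: policy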
---
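# PodDisruptionBudget: keep at least one Mixer telemetry pod (istio: mixer,
# istio-mixer-type: telemetry) running through voluntary disruptions such as node
# drains. Indentation restored (the listing had been flattened to column 0).
# NOTE(review): the istio-telemetry HorizontalPodAutoscaler in this file allows
# minReplicas: 1. With a single replica, minAvailable: 1 permits zero disruptions, so a
# node drain (for example during security patching) blocks on this pod.
# NOTE(review): policy/v1beta1 was removed in Kubernetes 1.25; policy/v1 replaces it.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
    istio: mixer
    istio-mixer-type: telemetry
    # This label says 1.1.0 while the istio-telemetry Deployment runs images tagged
    # master-latest-daily, so it does not identify the build that is deployed.
    version: 1.1.0
  name: istio-telemetry
  namespace: istio-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: unknown
      app.kubernetes.io/generated-by: helm
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/name: istio
      app.kubernetes.io/part-of: unknown
      app.kubernetes.io/stage: localism
      istio: mixer
      istio-mixer-type: telemetry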
---
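# MetalLB speaker DaemonSet: one pod per Linux node, including masters (see the
# toleration), running in the host network namespace. Indentation restored (the listing
# had been flattened to column 0).
# NOTE(review): apps/v1beta2 was removed in Kubernetes 1.16; apps/v1 replaces it.
apiVersion: apps/v1beta2
kind: DaemonSet
metadata:
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
    component: speaker
  name: speaker
  namespace: metallb-system
spec:
  selector:
    matchLabels:
      app: metallb
      app.kubernetes.io/managed-by: kustomize
      app.kubernetes.io/stage: localism
      component: speaker
  template:
    metadata:
      annotations:
        prometheus.io/port: "7472"
        prometheus.io/scrape: "true"
      labels:
        app: metallb
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/stage: localism
        component: speaker
    spec:
      containers:
      - args:
        - --port=7472
        - --config=config
        env:
        - name: METALLB_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        # A branch tag with imagePullPolicy: Always means every pod restart can pull
        # new, unreviewed code into a host-network pod that holds NET_ADMIN/SYS_ADMIN
        # on every node. Pin a release tag or a digest (metallb/speaker@sha256:<digest>).
        image: metallb/speaker:master
        imagePullPolicy: Always
        name: speaker
        # With hostNetwork: true this port is opened on the node itself.
        ports:
        - containerPort: 7472
          name: monitoring
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            # Everything is dropped and three capabilities are added back.
            # NOTE(review): SYS_ADMIN is a very broad capability; confirm the speaker
            # build in use needs it and remove it otherwise.
            add:
            - NET_ADMIN
            - NET_RAW
            - SYS_ADMIN
            drop:
            - ALL
          readOnlyRootFilesystem: true
      hostNetwork: true
      nodeSelector:
        beta.kubernetes.io/os: linux
      serviceAccountName: speaker
      terminationGracePeriodSeconds: 0
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master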
---
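# HorizontalPodAutoscaler: scales the istio-egressgateway Deployment between 1 and 5
# replicas, targeting 80% average CPU utilization (measured against the containers' CPU
# requests). Indentation restored (the listing had been flattened to column 0).
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25; autoscaling/v2
# replaces it and spells the CPU target differently.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-egressgateway
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  # The istio-egressgateway PodDisruptionBudget in this file requires minAvailable: 1,
  # so at this floor the single pod can never be evicted voluntarily.
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-egressgateway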
---
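# HorizontalPodAutoscaler: scales the istio-ingressgateway Deployment between 1 and 5
# replicas, targeting 80% average CPU utilization (measured against the containers' CPU
# requests). Indentation restored (the listing had been flattened to column 0).
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25; autoscaling/v2
# replaces it and spells the CPU target differently.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-ingressgateway
  namespace: istio-system
spec:
  # The ceiling of 5 replicas also bounds how much load the ingress tier can absorb.
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  # The istio-ingressgateway PodDisruptionBudget in this file requires minAvailable: 1,
  # so at this floor the single pod can never be evicted voluntarily.
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway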
---
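# HorizontalPodAutoscaler: scales the istio-pilot Deployment between 1 and 5 replicas,
# targeting 80% average CPU utilization (measured against the containers' CPU
# requests). Indentation restored (the listing had been flattened to column 0).
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25; autoscaling/v2
# replaces it and spells the CPU target differently.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-pilot
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  # The istio-pilot PodDisruptionBudget in this file requires minAvailable: 1, so at
  # this floor the single pod can never be evicted voluntarily.
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-pilot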
---
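# HorizontalPodAutoscaler: scales the istio-policy Deployment between 1 and 5 replicas,
# targeting 80% average CPU utilization (measured against the containers' CPU
# requests). Indentation restored (the listing had been flattened to column 0).
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25; autoscaling/v2
# replaces it and spells the CPU target differently.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-policy
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  # The istio-policy PodDisruptionBudget in this file requires minAvailable: 1, so at
  # this floor the single pod can never be evicted voluntarily.
  minReplicas: 1
  # The target is addressed as apps/v1 although the istio-policy Deployment in this
  # file is declared with extensions/v1beta1.
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-policy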
---
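# HorizontalPodAutoscaler: scales the istio-telemetry Deployment between 1 and 5
# replicas, targeting 80% average CPU utilization (measured against the containers' CPU
# requests). Indentation restored (the listing had been flattened to column 0).
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25; autoscaling/v2
# replaces it and spells the CPU target differently.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-telemetry
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  # The istio-telemetry PodDisruptionBudget in this file requires minAvailable: 1, so
  # at this floor the single pod can never be evicted voluntarily.
  minReplicas: 1
  # The target is addressed as apps/v1 although the istio-telemetry Deployment in this
  # file is declared with extensions/v1beta1.
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-telemetry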
---
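# Job that lists secrets in every namespace and deletes each one whose listing line
# contains "istio.io/key-and-cert". Changes: indentation restored (the listing had been
# flattened to column 0) and the shell variables in the script are now quoted.
# NOTE(review): the helm.sh/hook annotations mark this as a post-delete hook, but only
# Helm interprets them. The labels suggest this bundle is rendered by Helm and applied
# through kustomize; applied that way the Job runs at install time and removes the
# mesh's key-and-cert secrets. Confirm it belongs in this bundle.
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "3"
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-cleanup-secrets-master-latest-daily
  namespace: istio-system
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
      name: istio-cleanup-secrets
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      # The grep runs over the whole listing line (namespace, name, type, ...), so a
      # secret whose name merely contains the string would match as well.
      # "$entry", "$name" and "$ns" are quoted so a listed value is never word-split
      # or glob-expanded by the shell.
      # NOTE(review): without `set -o pipefail` a failed `kubectl get` ends the loop
      # silently and the Job still reports success.
      - command:
        - /bin/bash
        - -c
        - |
          kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
            ns=$(echo "$entry" | awk '{print $1}');
            name=$(echo "$entry" | awk '{print $2}');
            kubectl delete secret "$name" -n "$ns";
          done
        # Floating tag combined with IfNotPresent; pin a release tag or a digest
        # (gcr.io/istio-release/kubectl@sha256:<digest>) for a job that deletes secrets.
        image: gcr.io/istio-release/kubectl:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: kubectl
      restartPolicy: OnFailure
      # The script needs list and delete on secrets in all namespaces, so this account
      # presumably holds cluster-wide secret access; its RBAC is not visible here -
      # confirm it is granted nothing beyond that.
      serviceAccountName: istio-cleanup-secrets-service-account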
---
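# Job that runs /tmp/security/run.sh with /tmp/security/custom-resources.yaml as its
# argument; both files come from the istio-security-custom-resources ConfigMap.
# Indentation restored (the listing had been flattened to column 0).
# NOTE(review): the helm.sh/hook annotations are interpreted only by Helm. The labels
# suggest this bundle is applied through kustomize, in which case the Job simply runs
# whenever the bundle is applied and is not cleaned up by hook-delete-policy.
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-delete-policy: hook-succeeded
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istio-security-post-install-master-latest-daily
  namespace: istio-system
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: unknown
        app.kubernetes.io/generated-by: helm
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: istio
        app.kubernetes.io/part-of: unknown
        app.kubernetes.io/stage: localism
      name: istio-security-post-install
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      # The script executed here is ConfigMap content, so whoever can edit the
      # istio-security-custom-resources ConfigMap decides what runs under this Job's
      # service account. Restrict write access to that ConfigMap.
      - command:
        - /bin/bash
        - /tmp/security/run.sh
        - /tmp/security/custom-resources.yaml
        # Floating tag combined with IfNotPresent; pin a release tag or a digest
        # (gcr.io/istio-release/kubectl@sha256:<digest>).
        image: gcr.io/istio-release/kubectl:master-latest-daily
        imagePullPolicy: IfNotPresent
        name: kubectl
        volumeMounts:
        - mountPath: /tmp/security
          name: tmp-configmap-security
      restartPolicy: OnFailure
      # RBAC for this account is not visible here; confirm it is limited to what
      # run.sh needs.
      serviceAccountName: istio-security-post-install-account
      volumes:
      - configMap:
          name: istio-security-custom-resources
        name: tmp-configmap-security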
---
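# Rook CephBlockPool `replicapool` in the rook-ceph namespace. Indentation restored
# (the listing had been flattened to column 0).
# NOTE(review): the labels describe metallb / loadbalancer although this is a Ceph
# pool - presumably inherited from a shared kustomize label block; confirm, since
# label-based selectors and inventories will misclassify this object.
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
  labels:
    app.kubernetes.io/component: loadbalancer
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: metallb
    app.kubernetes.io/part-of: project
    app.kubernetes.io/stage: localism
  name: replicapool
  namespace: rook-ceph
spec:
  failureDomain: host
  replicated:
    # A single copy of every object: losing one OSD or disk loses the data. Suitable
    # only for throwaway clusters; use a larger size where the data matters.
    size: 1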
---
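# Rook CephCluster `rook-ceph`: three monitors, directory-backed storage on every
# node, dashboard enabled. Indentation restored (the listing had been flattened to
# column 0).
apiVersion: ceph.rook.io/v1
kind: CephCluster
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
  name: rook-ceph
  namespace: rook-ceph
spec:
  cephVersion:
    allowUnsupported: false
    # Major-version tag only: the exact Ceph build depends on when the image was
    # pulled. Pin a full version tag or a digest (ceph/ceph@sha256:<digest>).
    image: ceph/ceph:v13
  dashboard:
    # NOTE(review): how the dashboard is exposed and authenticated is not visible in
    # this document; confirm it is not reachable from outside the cluster.
    enabled: true
  # Cluster state is kept in this directory on each host's filesystem.
  dataDirHostPath: /var/lib/rook
  mon:
    # All three monitors may be scheduled on one node; losing that node then loses
    # monitor quorum.
    allowMultiplePerNode: true
    count: 3
  network:
    hostNetwork: false
  rbdMirroring:
    workers: 0
  resources: null
  storage:
    config:
      databaseSizeMB: "1024"
      journalSizeMB: "1024"
      osdsPerDevice: "1"
    deviceFilter: null
    # Storage is backed by a host directory - the same path as dataDirHostPath -
    # rather than by raw devices (useAllDevices is false).
    directories:
    - path: /var/lib/rook
    location: null
    useAllDevices: false
    useAllNodes: true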
---
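# Mixer attributemanifest `istioproxy`: declares attribute names and their value types
# under spec.attributes. Indentation restored (the listing had been flattened to
# column 0).
# NOTE(review): several attributes declared here can carry credentials or personal
# data (request.api_key, request.auth.claims, request.auth.raw_claims, request.headers,
# request.query_params, origin.ip). Any instance that forwards them to a logging or
# metrics handler should be reviewed so tokens do not end up in logs.
apiVersion: config.istio.io/v1alpha2
kind: attributemanifest
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: istioproxy
  namespace: istio-system
spec:
  attributes:
    api.operation:
      valueType: STRING
    api.protocol:
      valueType: STRING
    api.service:
      valueType: STRING
    api.version:
      valueType: STRING
    check.cache_hit:
      valueType: BOOL
    check.error_code:
      valueType: INT64
    check.error_message:
      valueType: STRING
    connection.duration:
      valueType: DURATION
    connection.event:
      valueType: STRING
    connection.id:
      valueType: STRING
    connection.mtls:
      valueType: BOOL
    connection.received.bytes:
      valueType: INT64
    connection.received.bytes_total:
      valueType: INT64
    connection.requested_server_name:
      valueType: STRING
    connection.sent.bytes:
      valueType: INT64
    connection.sent.bytes_total:
      valueType: INT64
    context.protocol:
      valueType: STRING
    context.proxy_error_code:
      valueType: STRING
    context.reporter.kind:
      valueType: STRING
    context.reporter.local:
      valueType: BOOL
    context.reporter.uid:
      valueType: STRING
    context.time:
      valueType: TIMESTAMP
    context.timestamp:
      valueType: TIMESTAMP
    destination.port:
      valueType: INT64
    destination.principal:
      valueType: STRING
    destination.uid:
      valueType: STRING
    origin.ip:
      valueType: IP_ADDRESS
    origin.uid:
      valueType: STRING
    origin.user:
      valueType: STRING
    quota.cache_hit:
      valueType: BOOL
    rbac.permissive.effective_policy_id:
      valueType: STRING
    rbac.permissive.response_code:
      valueType: STRING
    request.api_key:
      valueType: STRING
    request.auth.audiences:
      valueType: STRING
    request.auth.claims:
      valueType: STRING_MAP
    request.auth.presenter:
      valueType: STRING
    request.auth.principal:
      valueType: STRING
    request.auth.raw_claims:
      valueType: STRING
    request.headers:
      valueType: STRING_MAP
    request.host:
      valueType: STRING
    request.id:
      valueType: STRING
    request.method:
      valueType: STRING
    request.path:
      valueType: STRING
    request.query_params:
      valueType: STRING_MAP
    request.reason:
      valueType: STRING
    request.referer:
      valueType: STRING
    request.scheme:
      valueType: STRING
    request.size:
      valueType: INT64
    request.time:
      valueType: TIMESTAMP
    request.total_size:
      valueType: INT64
    request.url_path:
      valueType: STRING
    request.useragent:
      valueType: STRING
    response.code:
      valueType: INT64
    response.duration:
      valueType: DURATION
    response.grpc_message:
      valueType: STRING
    response.grpc_status:
      valueType: STRING
    response.headers:
      valueType: STRING_MAP
    response.size:
      valueType: INT64
    response.time:
      valueType: TIMESTAMP
    response.total_size:
      valueType: INT64
    source.principal:
      valueType: STRING
    source.uid:
      valueType: STRING
    source.user:
      valueType: STRING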
---
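# Mixer attributemanifest `kubernetes`: declares the source.* and destination.*
# attribute names and their value types under spec.attributes. Indentation restored
# (the listing had been flattened to column 0).
# NOTE(review): these attributes describe workload identity and topology (pod IPs,
# namespaces, service accounts, labels); telemetry that exports them should be
# readable only by operators.
apiVersion: config.istio.io/v1alpha2
kind: attributemanifest
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: kubernetes
  namespace: istio-system
spec:
  attributes:
    destination.container.name:
      valueType: STRING
    destination.ip:
      valueType: IP_ADDRESS
    destination.labels:
      valueType: STRING_MAP
    destination.metadata:
      valueType: STRING_MAP
    destination.name:
      valueType: STRING
    destination.namespace:
      valueType: STRING
    destination.owner:
      valueType: STRING
    destination.service.host:
      valueType: STRING
    destination.service.name:
      valueType: STRING
    destination.service.namespace:
      valueType: STRING
    destination.service.uid:
      valueType: STRING
    destination.serviceAccount:
      valueType: STRING
    destination.workload.name:
      valueType: STRING
    destination.workload.namespace:
      valueType: STRING
    destination.workload.uid:
      valueType: STRING
    source.ip:
      valueType: IP_ADDRESS
    source.labels:
      valueType: STRING_MAP
    source.metadata:
      valueType: STRING_MAP
    source.name:
      valueType: STRING
    source.namespace:
      valueType: STRING
    source.owner:
      valueType: STRING
    source.serviceAccount:
      valueType: STRING
    source.services:
      valueType: STRING
    source.workload.name:
      valueType: STRING
    source.workload.namespace:
      valueType: STRING
    source.workload.uid:
      valueType: STRING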
---
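# Mixer handler `kubernetesenv`: selects the compiled-in kubernetesenv adapter and
# passes it no parameters (params is an explicit null). Indentation restored (the
# listing had been flattened to column 0).
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: kubernetesenv
  namespace: istio-system
spec:
  compiledAdapter: kubernetesenv
  params: null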
---
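# Mixer handler `prometheus`: selects the compiled-in prometheus adapter and defines
# eight metrics (four request-level, four TCP-level), each bound to an instance and a
# list of label names. Metrics expire after 10m (metricsExpiryDuration).
# Indentation restored (the listing had been flattened to column 0).
# NOTE(review): every metric is labelled with workload identities (source_principal,
# destination_principal, workload, namespace and service names), so anyone who can
# scrape or query these series learns the service-to-service call graph. Restrict
# access to the scrape endpoint and to Prometheus accordingly.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: prometheus
  namespace: istio-system
spec:
  compiledAdapter: prometheus
  params:
    metrics:
    # connection_security_policy, permissive_response_code and
    # permissive_response_policyid are the labels to alert on when watching for
    # non-mTLS traffic or permissive-mode policy decisions.
    - instance_name: requestcount.instance.default
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      name: requests_total
    # Histogram with explicit bucket bounds from 0.005 to 10.
    - buckets:
        explicit_buckets:
          bounds:
          - 0.005
          - 0.01
          - 0.025
          - 0.05
          - 0.1
          - 0.25
          - 0.5
          - 1
          - 2.5
          - 5
          - 10
      instance_name: requestduration.instance.default
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      name: request_duration_seconds
    # Histogram with 8 exponential buckets, growth factor 10, scale 1.
    - buckets:
        exponentialBuckets:
          growthFactor: 10
          numFiniteBuckets: 8
          scale: 1
      instance_name: requestsize.instance.default
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      name: request_bytes
    - buckets:
        exponentialBuckets:
          growthFactor: 10
          numFiniteBuckets: 8
          scale: 1
      instance_name: responsesize.instance.default
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      name: response_bytes
    # The four TCP metrics below use a shorter label set: no request_protocol,
    # response_code or permissive_* labels.
    - instance_name: tcpbytesent.instance.default
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
      name: tcp_sent_bytes_total
    - instance_name: tcpbytereceived.instance.default
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
      name: tcp_received_bytes_total
    - instance_name: tcpconnectionsopened.instance.default
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
      name: tcp_connections_opened_total
    - instance_name: tcpconnectionsclosed.instance.default
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
      name: tcp_connections_closed_total
    metricsExpirationPolicy:
      metricsExpiryDuration: 10m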
---
# Mixer handler "stdio": configures the compiled-in stdio adapter.
# Instances routed to this handler are emitted with outputAsJson enabled.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: stdio
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  compiledAdapter: stdio
  params:
    # Structured (JSON) output rather than plain text.
    outputAsJson: true
---
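# Mixer logentry instance "accesslog": the fields of one access-log record.
# Rule "stdio" in this file sends it to the stdio handler for http/grpc traffic.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: accesslog
  namespace: istio-system
spec:
  compiledTemplate: logentry
  params:
    monitored_resource_type: '"global"'
    severity: '"Info"'
    timestamp: request.time
    variables:
      # NOTE(review): raw_claims carries the caller's token claims, which may
      # include personal data. Confirm the log sink is access-controlled, or
      # drop this field.
      apiClaims: request.auth.raw_claims | ""
      # The API key is a credential and must not reach the log in clear text.
      # The field is kept so the record shape is unchanged, but it now only
      # records whether a key was presented ("" when absent).
      apiKey: conditional((request.api_key | request.headers["x-api-key"] | "")
        == "", "", "REDACTED")
      # Values read from request.headers[...] are client-supplied. Treat them
      # as untrusted when searching or alerting on these logs.
      clientTraceId: request.headers["x-client-trace-id"] | ""
      # "unknown" for outbound reports; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when it is false or absent.
      connection_security_policy: conditional((context.reporter.kind | "inbound")
        == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls",
        "none"))
      destinationApp: destination.labels["app"] | ""
      destinationIp: destination.ip | ip("0.0.0.0")
      destinationName: destination.name | ""
      destinationNamespace: destination.namespace | ""
      destinationOwner: destination.owner | ""
      destinationPrincipal: destination.principal | ""
      destinationServiceHost: destination.service.host | ""
      destinationWorkload: destination.workload.name | ""
      grpcMessage: response.grpc_message | ""
      grpcStatus: response.grpc_status | ""
      httpAuthority: request.headers[":authority"] | request.host | ""
      latency: response.duration | "0ms"
      method: request.method | ""
      permissiveResponseCode: rbac.permissive.response_code | "none"
      permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none"
      protocol: request.scheme | context.protocol | "http"
      receivedBytes: request.total_size | 0
      referer: request.referer | ""
      # "source" when the reporting proxy is outbound, otherwise "destination".
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source",
        "destination")
      requestId: request.headers["x-request-id"] | ""
      requestSize: request.size | 0
      requestedServerName: connection.requested_server_name | ""
      responseCode: response.code | 0
      responseFlags: context.proxy_error_code | ""
      responseSize: response.size | 0
      responseTimestamp: response.time
      sentBytes: response.total_size | 0
      sourceApp: source.labels["app"] | ""
      sourceIp: source.ip | ip("0.0.0.0")
      sourceName: source.name | ""
      sourceNamespace: source.namespace | ""
      sourceOwner: source.owner | ""
      sourcePrincipal: source.principal | ""
      sourceWorkload: source.workload.name | ""
      url: request.path | ""
      userAgent: request.useragent | ""
      xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"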
---
# Mixer instance "attributes" (template: kubernetes). params are the inputs
# handed to the template; attributeBindings copy its $out.* results back into
# source.* / destination.* attributes, with a fallback after each "|".
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: attributes
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  compiledTemplate: kubernetes
  params:
    source_uid: source.uid | ""
    source_ip: source.ip | ip("0.0.0.0")
    destination_uid: destination.uid | ""
    destination_port: destination.port | 0
  attributeBindings:
    # Source side. Namespace falls back to "default", everything else to
    # "unknown", an empty map, or 0.0.0.0.
    source.uid: $out.source_pod_uid | "unknown"
    source.ip: $out.source_pod_ip | ip("0.0.0.0")
    source.name: $out.source_pod_name | "unknown"
    source.namespace: $out.source_namespace | "default"
    source.labels: $out.source_labels | emptyStringMap()
    source.owner: $out.source_owner | "unknown"
    source.serviceAccount: $out.source_service_account_name | "unknown"
    source.workload.uid: $out.source_workload_uid | "unknown"
    source.workload.name: $out.source_workload_name | "unknown"
    source.workload.namespace: $out.source_workload_namespace | "unknown"
    # Destination side, same fallbacks, plus the container name.
    destination.uid: $out.destination_pod_uid | "unknown"
    destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
    destination.name: $out.destination_pod_name | "unknown"
    destination.namespace: $out.destination_namespace | "default"
    destination.labels: $out.destination_labels | emptyStringMap()
    destination.owner: $out.destination_owner | "unknown"
    destination.serviceAccount: $out.destination_service_account_name | "unknown"
    destination.container.name: $out.destination_container_name | "unknown"
    destination.workload.uid: $out.destination_workload_uid | "unknown"
    destination.workload.name: $out.destination_workload_name | "unknown"
    destination.workload.namespace: $out.destination_workload_namespace | "unknown"
---
# Mixer metric instance "requestcount": contributes the value "1" per report,
# tagged with the dimensions below.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: requestcount
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  compiledTemplate: metric
  params:
    value: "1"
    monitored_resource_type: '"UNSPECIFIED"'
    dimensions:
      # "source" when the reporting proxy is outbound, otherwise "destination".
      reporter: conditional((context.reporter.kind | "inbound") == "outbound",
        "source", "destination")
      source_app: source.labels["app"] | "unknown"
      source_principal: source.principal | "unknown"
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A report without response.code is counted as 200.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # "unknown" for outbound reports; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when it is false or absent.
      connection_security_policy: conditional((context.reporter.kind | "inbound")
        == "outbound", "unknown",
        conditional(connection.mtls | false, "mutual_tls", "none"))
---
# Mixer metric instance "requestduration": reports response.duration
# ("0ms" when absent), tagged with the dimensions below.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: requestduration
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  compiledTemplate: metric
  params:
    value: response.duration | "0ms"
    monitored_resource_type: '"UNSPECIFIED"'
    dimensions:
      # "source" when the reporting proxy is outbound, otherwise "destination".
      reporter: conditional((context.reporter.kind | "inbound") == "outbound",
        "source", "destination")
      source_app: source.labels["app"] | "unknown"
      source_principal: source.principal | "unknown"
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A report without response.code is recorded as 200.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # "unknown" for outbound reports; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when it is false or absent.
      connection_security_policy: conditional((context.reporter.kind | "inbound")
        == "outbound", "unknown",
        conditional(connection.mtls | false, "mutual_tls", "none"))
---
# Mixer metric instance "requestsize": reports request.size (0 when absent),
# tagged with the dimensions below.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: requestsize
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  compiledTemplate: metric
  params:
    value: request.size | 0
    monitored_resource_type: '"UNSPECIFIED"'
    dimensions:
      # "source" when the reporting proxy is outbound, otherwise "destination".
      reporter: conditional((context.reporter.kind | "inbound") == "outbound",
        "source", "destination")
      source_app: source.labels["app"] | "unknown"
      source_principal: source.principal | "unknown"
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A report without response.code is recorded as 200.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # "unknown" for outbound reports; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when it is false or absent.
      connection_security_policy: conditional((context.reporter.kind | "inbound")
        == "outbound", "unknown",
        conditional(connection.mtls | false, "mutual_tls", "none"))
---
# Mixer metric instance "responsesize": reports response.size (0 when absent),
# tagged with the dimensions below.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: responsesize
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  compiledTemplate: metric
  params:
    value: response.size | 0
    monitored_resource_type: '"UNSPECIFIED"'
    dimensions:
      # "source" when the reporting proxy is outbound, otherwise "destination".
      reporter: conditional((context.reporter.kind | "inbound") == "outbound",
        "source", "destination")
      source_app: source.labels["app"] | "unknown"
      source_principal: source.principal | "unknown"
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A report without response.code is recorded as 200.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # "unknown" for outbound reports; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when it is false or absent.
      connection_security_policy: conditional((context.reporter.kind | "inbound")
        == "outbound", "unknown",
        conditional(connection.mtls | false, "mutual_tls", "none"))
---
# Mixer logentry instance "tcpaccesslog": the fields of one TCP connection log
# record. Rule "stdiotcp" in this file sends it to the stdio handler.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: tcpaccesslog
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  compiledTemplate: logentry
  params:
    severity: '"Info"'
    monitored_resource_type: '"global"'
    # A record without context.time is stamped with the fixed 2017-01-01
    # fallback, so entries carrying that date have no real timestamp.
    timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
    variables:
      # Reporter and connection state.
      # "source" when the reporting proxy is outbound, otherwise "destination".
      reporter: conditional((context.reporter.kind | "inbound") == "outbound",
        "source", "destination")
      protocol: context.protocol | "tcp"
      connectionEvent: connection.event | ""
      connectionDuration: connection.duration | "0ms"
      requestedServerName: connection.requested_server_name | ""
      responseFlags: context.proxy_error_code | ""
      # "unknown" for outbound reports; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when it is false or absent.
      connection_security_policy: conditional((context.reporter.kind | "inbound")
        == "outbound", "unknown",
        conditional(connection.mtls | false, "mutual_tls", "none"))
      # Byte counters.
      receivedBytes: connection.received.bytes | 0
      sentBytes: connection.sent.bytes | 0
      totalReceivedBytes: connection.received.bytes_total | 0
      totalSentBytes: connection.sent.bytes_total | 0
      # Source identity.
      sourceApp: source.labels["app"] | ""
      sourceIp: source.ip | ip("0.0.0.0")
      sourceName: source.name | ""
      sourceNamespace: source.namespace | ""
      sourceOwner: source.owner | ""
      sourcePrincipal: source.principal | ""
      sourceWorkload: source.workload.name | ""
      # Destination identity.
      destinationApp: destination.labels["app"] | ""
      destinationIp: destination.ip | ip("0.0.0.0")
      destinationName: destination.name | ""
      destinationNamespace: destination.namespace | ""
      destinationOwner: destination.owner | ""
      destinationPrincipal: destination.principal | ""
      destinationServiceHost: destination.service.host | ""
      destinationWorkload: destination.workload.name | ""
---
# Mixer metric instance "tcpbytereceived": reports connection.received.bytes
# (0 when absent), tagged with the dimensions below.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: tcpbytereceived
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  compiledTemplate: metric
  params:
    value: connection.received.bytes | 0
    monitored_resource_type: '"UNSPECIFIED"'
    dimensions:
      # "source" when the reporting proxy is outbound, otherwise "destination".
      reporter: conditional((context.reporter.kind | "inbound") == "outbound",
        "source", "destination")
      source_app: source.labels["app"] | "unknown"
      source_principal: source.principal | "unknown"
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # "unknown" for outbound reports; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when it is false or absent.
      connection_security_policy: conditional((context.reporter.kind | "inbound")
        == "outbound", "unknown",
        conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
---
# Mixer metric instance "tcpbytesent": reports connection.sent.bytes
# (0 when absent), tagged with the dimensions below.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: tcpbytesent
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  compiledTemplate: metric
  params:
    value: connection.sent.bytes | 0
    monitored_resource_type: '"UNSPECIFIED"'
    dimensions:
      # "source" when the reporting proxy is outbound, otherwise "destination".
      reporter: conditional((context.reporter.kind | "inbound") == "outbound",
        "source", "destination")
      source_app: source.labels["app"] | "unknown"
      source_principal: source.principal | "unknown"
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # "unknown" for outbound reports; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when it is false or absent.
      connection_security_policy: conditional((context.reporter.kind | "inbound")
        == "outbound", "unknown",
        conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
---
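# Mixer metric instance "tcpconnectionsclosed": contributes the value "1" per
# report, tagged with the dimensions below. Rule "promtcpconnectionclosed" in
# this file selects it for connection.event == "close".
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: tcpconnectionsclosed
  namespace: istio-system
spec:
  compiledTemplate: metric
  params:
    dimensions:
      # "unknown" for outbound reports; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when it is false or absent.
      connection_security_policy: conditional((context.reporter.kind | "inbound")
        == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls",
        "none"))
      destination_app: destination.labels["app"] | "unknown"
      destination_principal: destination.principal | "unknown"
      # Uses the service host, as the tcpbytesent/tcpbytereceived and HTTP metric
      # instances in this file do. The original read destination.service.name,
      # which duplicated destination_service_name and made this label disagree
      # with the same label on the other metrics.
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      # "source" when the reporting proxy is outbound, otherwise "destination".
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source",
        "destination")
      response_flags: context.proxy_error_code | "-"
      source_app: source.labels["app"] | "unknown"
      source_principal: source.principal | "unknown"
      source_version: source.labels["version"] | "unknown"
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
    monitored_resource_type: '"UNSPECIFIED"'
    value: "1"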
---
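# Mixer metric instance "tcpconnectionsopened": contributes the value "1" per
# report, tagged with the dimensions below. Rule "promtcpconnectionopen" in
# this file selects it for connection.event == "open".
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
  name: tcpconnectionsopened
  namespace: istio-system
spec:
  compiledTemplate: metric
  params:
    dimensions:
      # "unknown" for outbound reports; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when it is false or absent.
      connection_security_policy: conditional((context.reporter.kind | "inbound")
        == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls",
        "none"))
      destination_app: destination.labels["app"] | "unknown"
      destination_principal: destination.principal | "unknown"
      # Uses the service host, as the tcpbytesent/tcpbytereceived and HTTP metric
      # instances in this file do. The original read destination.service.name,
      # which duplicated destination_service_name and made this label disagree
      # with the same label on the other metrics.
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      # "source" when the reporting proxy is outbound, otherwise "destination".
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source",
        "destination")
      response_flags: context.proxy_error_code | "-"
      source_app: source.labels["app"] | "unknown"
      source_principal: source.principal | "unknown"
      source_version: source.labels["version"] | "unknown"
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
    monitored_resource_type: '"UNSPECIFIED"'
    value: "1"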
---
# Mixer rule "kubeattrgenrulerule": sends the "attributes" instance to the
# "kubernetesenv" handler. No match expression is set on this rule.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: kubeattrgenrulerule
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  actions:
  - instances:
    - attributes
    handler: kubernetesenv
---
# Mixer rule "promhttp": sends the four HTTP metric instances to the
# "prometheus" handler for http and grpc traffic.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: promhttp
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  # Requests whose user agent matches "kube-probe*" are left out of these
  # metrics. request.useragent is client-supplied, so the exclusion is not
  # limited to real kubelet probes. The access-log rule "stdio" in this file
  # has no such filter and remains the complete record.
  match: (context.protocol == "http" || context.protocol == "grpc") &&
    (match((request.useragent | "-"), "kube-probe*") == false)
  actions:
  - instances:
    - requestcount
    - requestduration
    - requestsize
    - responsesize
    handler: prometheus
---
# Mixer rule "promtcpconnectionclosed": sends "tcpconnectionsclosed" to the
# "prometheus" handler for tcp reports whose connection.event is "close".
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: promtcpconnectionclosed
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  # A missing connection.event falls back to "na" and therefore never matches.
  match: context.protocol == "tcp" && ((connection.event | "na") == "close")
  actions:
  - instances:
    - tcpconnectionsclosed
    handler: prometheus
---
# Mixer rule "promtcpconnectionopen": sends "tcpconnectionsopened" to the
# "prometheus" handler for tcp reports whose connection.event is "open".
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: promtcpconnectionopen
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  # A missing connection.event falls back to "na" and therefore never matches.
  match: context.protocol == "tcp" && ((connection.event | "na") == "open")
  actions:
  - instances:
    - tcpconnectionsopened
    handler: prometheus
---
# Mixer rule "promtcp": sends the TCP byte-count metric instances to the
# "prometheus" handler for tcp traffic.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: promtcp
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  match: context.protocol == "tcp"
  actions:
  - instances:
    - tcpbytesent
    - tcpbytereceived
    handler: prometheus
---
# Mixer rule "stdiotcp": sends the "tcpaccesslog" instance to the "stdio"
# handler for tcp traffic.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: stdiotcp
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  match: context.protocol == "tcp"
  actions:
  - instances:
    - tcpaccesslog
    handler: stdio
---
# Mixer rule "stdio": sends the "accesslog" instance to the "stdio" handler
# for http and grpc traffic.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: stdio
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  match: context.protocol == "http" || context.protocol == "grpc"
  actions:
  - instances:
    - accesslog
    handler: stdio
---
# Mixer rule "tcpkubeattrgenrulerule": sends the "attributes" instance to the
# "kubernetesenv" handler for tcp traffic.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: tcpkubeattrgenrulerule
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  match: context.protocol == "tcp"
  actions:
  - instances:
    - attributes
    handler: kubernetesenv
---
# PodSecurityPolicy "speaker" (labelled app: metallb).
# PodSecurityPolicy is cluster-scoped, so metadata.namespace has no effect
# here. The policy applies only to identities granted "use" on it through
# RBAC. NOTE(review): confirm that binding (not shown here) covers only the
# speaker service account, because the policy is very permissive.
# The extensions/v1beta1 form of this kind was superseded by policy/v1beta1,
# and PodSecurityPolicy was later removed from Kubernetes altogether.
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: speaker
  namespace: metallb-system
  labels:
    app: metallb
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/stage: localism
spec:
  # Admits privileged containers, which hold every capability regardless of
  # the allowedCapabilities list below.
  # NOTE(review): the container-level API rejects privileged: true together
  # with allowPrivilegeEscalation: false, so check against the speaker pod spec
  # (not shown here) which of the two it relies on, and drop the other.
  privileged: true
  allowPrivilegeEscalation: false
  # SYS_ADMIN is close to full root on the node.
  # NOTE(review): keep only the capabilities the speaker container requests.
  allowedCapabilities:
  - NET_ADMIN
  - NET_RAW
  - SYS_ADMIN
  # Host networking is allowed; host ports are limited to 7472.
  hostNetwork: true
  hostPorts:
  - min: 7472
    max: 7472
  # '*' permits every volume type, hostPath included.
  # NOTE(review): narrow this to the volume types the pod actually mounts.
  volumes:
  - '*'
  # No restriction on user, SELinux context or groups; running as root is
  # permitted.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
---
# DestinationRule "istio-policy": connection-pool limits for the host below
# and ISTIO_MUTUAL TLS on port 15004.
# NOTE(review): spec.host names the "default" namespace while this rule is
# created in istio-system. If the istio-policy Service runs in istio-system
# (not visible here), the rule matches no service and neither the pool limits
# nor ISTIO_MUTUAL on port 15004 take effect. Confirm which namespace the
# manifest was rendered for.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  host: istio-policy.default.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - tls:
        mode: ISTIO_MUTUAL
      port:
        number: 15004
    connectionPool:
      http:
        maxRequestsPerConnection: 10000
        http2MaxRequests: 10000
---
# DestinationRule "istio-telemetry": connection-pool limits for the host below
# and ISTIO_MUTUAL TLS on port 15004.
# NOTE(review): spec.host names the "default" namespace while this rule is
# created in istio-system. If the istio-telemetry Service runs in istio-system
# (not visible here), the rule matches no service and neither the pool limits
# nor ISTIO_MUTUAL on port 15004 take effect. Confirm which namespace the
# manifest was rendered for.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app.kubernetes.io/component: unknown
    app.kubernetes.io/generated-by: helm
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: istio
    app.kubernetes.io/part-of: unknown
    app.kubernetes.io/stage: localism
spec:
  host: istio-telemetry.default.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - tls:
        mode: ISTIO_MUTUAL
      port:
        number: 15004
    connectionPool:
      http:
        maxRequestsPerConnection: 10000
        http2MaxRequests: 10000