---
# Source: istio/charts/galley/templates/poddisruptionbudget.yaml
#
# Review note: the sidecar-injector values rendered further down this page
# give galley replicaCount 1. A budget of minAvailable: 1 over a single
# replica never permits a voluntary eviction, so a node drain that reaches
# this pod stalls until an operator steps in. Either run >=2 replicas or do
# not ship a PDB for a singleton.
# policy/v1beta1 is the PDB API for the Kubernetes versions this render
# targets; policy/v1 supersedes it from 1.21 onwards.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    istio: galley
    release: release-name
spec:
  minAvailable: 1
  # Selector must match the pod template labels of the istio-galley
  # Deployment (not on this page) or the budget silently covers nothing.
  selector:
    matchLabels:
      app: galley
      istio: galley
      release: release-name
---
# Source: istio/charts/gateways/templates/poddisruptionbudget.yaml
#
# Review note: values on this page set the ingress gateway HPA floor to
# autoscaleMin 1. Whenever the autoscaler sits at that floor, minAvailable: 1
# blocks eviction of the only gateway pod, and because this pod is the mesh's
# external entry point a drain that cannot proceed also delays node patching.
# Prefer autoscaleMin >= 2 for the ingress gateway.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    istio: ingressgateway
    release: release-name
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
      release: release-name
46---
47
---
# Source: istio/charts/mixer/templates/poddisruptionbudget.yaml
#
# Review note: minAvailable: 1 only allows drains when the istio-policy
# Deployment runs >= 2 replicas; its replica count is not on this page —
# confirm before relying on this budget.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: policy
    chart: mixer
    heritage: Tiller
    istio: mixer
    istio-mixer-type: policy
    release: release-name
    version: 1.4.6
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: policy
      istio: mixer
      istio-mixer-type: policy
      release: release-name
---
# Source: istio/charts/mixer/templates/poddisruptionbudget.yaml
#
# Review note: same shape as the istio-policy budget above — minAvailable: 1
# is only drain-safe with >= 2 telemetry replicas (replica count not shown
# on this page).
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: telemetry
    chart: mixer
    heritage: Tiller
    istio: mixer
    istio-mixer-type: telemetry
    release: release-name
    version: 1.4.6
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: telemetry
      istio: mixer
      istio-mixer-type: telemetry
      release: release-name
96---
97
---
# Source: istio/charts/pilot/templates/poddisruptionbudget.yaml
#
# Review note: Pilot serves xDS to every sidecar; a drain blocked by
# minAvailable: 1 on a single replica is an availability problem for the whole
# mesh. Replica count is not on this page — confirm >= 2.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    istio: pilot
    release: release-name
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: pilot
      istio: pilot
      release: release-name
---
# Source: istio/charts/security/templates/poddisruptionbudget.yaml
#
# Review note: Citadel is the mesh CA. minAvailable: 1 with a single replica
# blocks drains; with >= 2 replicas it keeps certificate issuance/rotation
# available during maintenance. Replica count is not on this page — confirm.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-citadel
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    istio: citadel
    release: release-name
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: security
      istio: citadel
      release: release-name
---
# Source: istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml
#
# Review note: this budget carries no chart/heritage labels, unlike the other
# PDBs rendered on this page — cosmetic, but it breaks label-based selection
# of Helm-managed objects. minAvailable: 1 is only drain-safe with >= 2
# injector replicas (count not on this page).
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    app: sidecarInjectorWebhook
    istio: sidecar-injector
    release: release-name
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: sidecarInjectorWebhook
      istio: sidecar-injector
      release: release-name
---
# Source: istio/charts/galley/templates/configmap.yaml
#
# Review notes (the block scalar below is the ValidatingWebhookConfiguration
# galley registers; the notes are not part of it):
# - caBundle is rendered empty. Nothing on this page fills it in; until a
#   controller patches the bundle the API server cannot verify galley's
#   serving certificate. Presumably galley patches it at startup — confirm.
# - failurePolicy: Fail on both webhooks is fail-closed: while galley is
#   unreachable, CREATE/UPDATE of the listed Istio resources is rejected.
#   That is the right default for a validator; it also means a galley outage
#   blocks all mesh configuration changes, so the galley PDB/replica count
#   matters for change management, not only uptime.
# - sideEffects: None lets the API server call these webhooks for dry-run
#   requests; keep it accurate if validation ever gains side effects.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-galley-configuration
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    istio: galley
    release: release-name
data:
  validatingwebhookconfiguration.yaml: |-
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: istio-galley
      labels:
        app: galley
        chart: galley
        heritage: Tiller
        release: release-name
        istio: galley
    webhooks:
      - name: pilot.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: istio-system
            path: "/admitpilot"
          caBundle: ""
        rules:
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - config.istio.io
            apiVersions:
              - v1alpha2
            resources:
              - httpapispecs
              - httpapispecbindings
              - quotaspecs
              - quotaspecbindings
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - rbac.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - security.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - authentication.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - networking.istio.io
            apiVersions:
              - "*"
            resources:
              - destinationrules
              - envoyfilters
              - gateways
              - serviceentries
              - sidecars
              - virtualservices
        failurePolicy: Fail
        sideEffects: None
      - name: mixer.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: istio-system
            path: "/admitmixer"
          caBundle: ""
        rules:
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - config.istio.io
            apiVersions:
              - v1alpha2
            resources:
              - rules
              - attributemanifests
              - circonuses
              - deniers
              - fluentds
              - kubernetesenvs
              - listcheckers
              - memquotas
              - noops
              - opas
              - prometheuses
              - rbacs
              - solarwindses
              - stackdrivers
              - cloudwatches
              - dogstatsds
              - statsds
              - stdios
              - apikeys
              - authorizations
              - checknothings
              # - kuberneteses
              - listentries
              - logentries
              - metrics
              - quotas
              - reportnothings
              - tracespans
              - adapters
              - handlers
              - instances
              - templates
              - zipkins
        failurePolicy: Fail
        sideEffects: None
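---
# Source: istio/charts/prometheus/templates/configmap.yaml
#
# Review notes (prometheus.yml below is the file Prometheus loads; these
# notes are outside it):
# - Change in this revision: the three `regex: true` keep-rules are quoted as
#   `regex: "true"`. Unquoted, the scalar is a YAML boolean and only reaches
#   the regexp as a string because the loader happens to stringify it; the
#   quoted form is loader-independent and matches the same annotation value.
# - The 'kubernetes-apiservers', 'kubernetes-nodes' and 'kubernetes-cadvisor'
#   jobs authenticate with the pod's service-account token (bearer_token_file)
#   and verify the API server against ca.crt. The RBAC bound to that service
#   account is not on this page — confirm it is read-only (endpoints, pods,
#   nodes/proxy).
# - 'kubernetes-pods-istio-secure' presents the Istio workload certificate,
#   but insecure_skip_verify: true maps to Go's tls InsecureSkipVerify, which
#   skips chain validation as well as name checks; ca_file therefore gives no
#   assurance on that job and any certificate a scraped pod presents is
#   accepted. Accept that for metrics, or terminate scrapes through a
#   verifying proxy.
# - 'envoy-stats' has no namespace filter and rewrites every target to port
#   15090, so it scrapes the sidecar of every pod cluster-wide that exposes a
#   container port named '*-envoy-prom'.
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Tiller
    release: release-name
data:
  prometheus.yml: |-
    global:
      scrape_interval: 15s
    scrape_configs:

      - job_name: 'istio-mesh'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-telemetry;prometheus

      # Scrape config for envoy stats
      - job_name: 'envoy-stats'
        metrics_path: /stats/prometheus
        kubernetes_sd_configs:
          - role: pod

        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_container_port_name]
            action: keep
            regex: '.*-envoy-prom'
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:15090
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name

      - job_name: 'istio-policy'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-policy;http-monitoring

      - job_name: 'istio-telemetry'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-telemetry;http-monitoring

      - job_name: 'pilot'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-pilot;http-monitoring

      - job_name: 'galley'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-galley;http-monitoring

      - job_name: 'citadel'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-citadel;http-monitoring

      # scrape config for API servers
      - job_name: 'kubernetes-apiservers'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - default
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: kubernetes;https

      # scrape config for nodes (kubelet)
      - job_name: 'kubernetes-nodes'
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        kubernetes_sd_configs:
          - role: node
        relabel_configs:
          - action: labelmap
            regex: __meta_kubernetes_node_label_(.+)
          - target_label: __address__
            replacement: kubernetes.default.svc:443
          - source_labels: [__meta_kubernetes_node_name]
            regex: (.+)
            target_label: __metrics_path__
            replacement: /api/v1/nodes/${1}/proxy/metrics

      # Scrape config for Kubelet cAdvisor.
      #
      # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
      # (those whose names begin with 'container_') have been removed from the
      # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
      # retrieve those metrics.
      #
      # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
      # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
      # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
      # the --cadvisor-port=0 Kubelet flag).
      #
      # This job is not necessary and should be removed in Kubernetes 1.6 and
      # earlier versions, or it will cause the metrics to be scraped twice.
      - job_name: 'kubernetes-cadvisor'
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        kubernetes_sd_configs:
          - role: node
        relabel_configs:
          - action: labelmap
            regex: __meta_kubernetes_node_label_(.+)
          - target_label: __address__
            replacement: kubernetes.default.svc:443
          - source_labels: [__meta_kubernetes_node_name]
            regex: (.+)
            target_label: __metrics_path__
            replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor

      # scrape config for service endpoints.
      - job_name: 'kubernetes-service-endpoints'
        kubernetes_sd_configs:
          - role: endpoints
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
            action: keep
            regex: "true"
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
            action: replace
            target_label: __scheme__
            regex: (https?)
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
            action: replace
            target_label: __address__
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
          - action: labelmap
            regex: __meta_kubernetes_service_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: kubernetes_namespace
          - source_labels: [__meta_kubernetes_service_name]
            action: replace
            target_label: kubernetes_name

      - job_name: 'kubernetes-pods'
        kubernetes_sd_configs:
          - role: pod
        relabel_configs:  # If first two labels are present, pod should be scraped by the istio-secure job.
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
            action: keep
            regex: "true"
          # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http"
          - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme]
            action: keep
            regex: ((;.*)|(.*;http))
          - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
            action: drop
            regex: (true)
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name

      - job_name: 'kubernetes-pods-istio-secure'
        scheme: https
        tls_config:
          ca_file: /etc/istio-certs/root-cert.pem
          cert_file: /etc/istio-certs/cert-chain.pem
          key_file: /etc/istio-certs/key.pem
          insecure_skip_verify: true  # prometheus does not support secure naming.
        kubernetes_sd_configs:
          - role: pod
        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
            action: keep
            regex: "true"
          # sidecar status annotation is added by sidecar injector and
          # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
          - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
            action: keep
            regex: (([^;]+);([^;]*))|(([^;]*);(true))
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
            action: drop
            regex: (http)
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__]  # Only keep address that is host:port
            action: keep  # otherwise an extra target with ':443' is added for https scheme
            regex: ([^:]+):(\d+)
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name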
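---
# Source: istio/charts/security/templates/configmap.yaml
#
# Review notes:
# - The MeshPolicy 'default' below is PERMISSIVE: every sidecar accepts
#   plaintext as well as mTLS. Together with enableAutoMtls: false in the
#   'istio' ConfigMap on this page, clients are not upgraded to mTLS either,
#   so this rendering enforces no encryption in transit between workloads.
#   Acceptable while onboarding; move to STRICT (namespace by namespace) once
#   every workload carries a sidecar.
# - run.sh is executed by a job that is not on this page (presumably a
#   post-install hook). Its kubectl identity needs read access to
#   validatingwebhookconfigurations and to deployments in istio-system, plus
#   permission to create the MeshPolicy; that RBAC is not shown here.
# - Change in this revision: the resource path argument is quoted in run.sh
#   so a path containing whitespace or glob characters is passed intact.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-security-custom-resources
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    istio: citadel
    release: release-name
data:
  custom-resources.yaml: |-
    # Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh.
    apiVersion: "authentication.istio.io/v1alpha1"
    kind: "MeshPolicy"
    metadata:
      name: "default"
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: release-name
    spec:
      peers:
        - mtls:
            mode: PERMISSIVE
  run.sh: |-
    #!/bin/sh
    # Applies the custom resource file given as the only argument, after
    # waiting for galley's validating webhook (if registered) to become
    # serviceable, so that the apply is not rejected by a fail-closed webhook.

    # set -x traces every command, including the path argument, to the job log.
    set -x

    if [ "$#" -ne "1" ]; then
      echo "first argument should be path to custom resource yaml"
      exit 1
    fi

    pathToResourceYAML="${1}"

    kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
    if [ "$?" -eq 0 ]; then
      echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
      # Unbounded wait: if the Deployment never appears this loop never exits;
      # rely on the enclosing job's deadline to bound it.
      while true; do
        kubectl -n istio-system get deployment istio-galley 2>/dev/null
        if [ "$?" -eq 0 ]; then
          break
        fi
        sleep 1
      done
      kubectl -n istio-system rollout status deployment istio-galley
      if [ "$?" -ne 0 ]; then
        echo "istio-galley deployment rollout status check failed"
        exit 1
      fi
      echo "istio-galley deployment ready for configuration validation"
    fi
    # Grace period between the Deployment reporting ready and the webhook
    # endpoint actually answering.
    sleep 5
    # Quoted so a path with spaces or glob characters is passed as one argument.
    kubectl apply -f "${pathToResourceYAML}"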
---
# Source: istio/templates/configmap.yaml
#
# Review notes on the rendered mesh config (the block scalars below are what
# Pilot reads; these notes are not part of them):
# - controlPlaneAuthPolicy: NONE — sidecars fetch xDS from Pilot
#   (discoveryAddress :15010) without mTLS, i.e. unauthenticated and in the
#   clear. MUTUAL_TLS (with controlPlaneSecurityEnabled in values) is the
#   hardened setting.
# - disablePolicyChecks: true — Mixer policy checks are off, so
#   policyCheckFailOpen: false has no effect until they are re-enabled.
# - outboundTrafficPolicy.mode: ALLOW_ANY — sidecars forward traffic to any
#   destination absent from the registry; REGISTRY_ONLY is the egress-control
#   setting.
# - enableAutoMtls: false and sdsUdsPath: "" — clients are not auto-upgraded
#   to mTLS, and workload keys are read from mounted secret files rather than
#   delivered over SDS.
# - accessLogFile: "" — sidecar access logging is disabled, so the data plane
#   records nothing usable for detection or forensics.
# - proxyAdminPort 15000 is Envoy's admin API; the inline comment says it is
#   bound to localhost — confirm no container port or service exposes it.
# - trustDomainAliases: is rendered with no value (YAML null) and
#   trustDomain: "" selects the default trust domain; both are harmless here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
    chart: istio
    heritage: Tiller
    release: release-name
data:
  mesh: |-
    # Set the following variable to true to disable policy checks by Mixer.
    # Note that metrics will still be reported to Mixer.
    disablePolicyChecks: true

    disableMixerHttpReports: false
    # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
    reportBatchMaxEntries: 100
    # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
    reportBatchMaxTime: 1s

    # Set enableTracing to false to disable request tracing.
    enableTracing: true

    # Set accessLogFile to empty string to disable access log.
    accessLogFile: ""

    # If accessLogEncoding is TEXT, value will be used directly as the log format
    # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
    # If AccessLogEncoding is JSON, value will be parsed as map[string]string
    # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
    # Leave empty to use default log format
    accessLogFormat: ""

    # Set accessLogEncoding to JSON or TEXT to configure sidecar access log
    accessLogEncoding: 'TEXT'

    enableEnvoyAccessLogService: false
    mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091
    mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091
    # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
    # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
    policyCheckFailOpen: false
    # Let Pilot give ingresses the public IP of the Istio ingressgateway
    ingressService: istio-ingressgateway

    # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
    connectTimeout: 10s

    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    protocolDetectionTimeout: 100ms

    # DNS refresh rate for Envoy clusters of type STRICT_DNS
    dnsRefreshRate: 300s

    # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
    # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
    sdsUdsPath: ""

    # The trust domain corresponds to the trust root of a system.
    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    trustDomain: ""

    # The trust domain aliases represent the aliases of trust_domain.
    # For example, if we have
    # trustDomain: td1
    # trustDomainAliases: [“td2”, "td3"]
    # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
    # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
    trustDomainAliases:

    # If true, automatically configure client side mTLS settings to match the corresponding service's
    # server side mTLS authentication policy, when destination rule for that service does not specify
    # TLS settings.
    enableAutoMtls: false

    # Set the default behavior of the sidecar for handling outbound traffic from the application:
    # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
    # services or ServiceEntries for the destination port
    # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
    # as those defined through ServiceEntries
    outboundTrafficPolicy:
      mode: ALLOW_ANY
    localityLbSetting:
      enabled: true
    # The namespace to treat as the administrative root namespace for istio
    # configuration.
    rootNamespace: istio-system

    # Configures DNS certificates provisioned through Chiron linked into Pilot.
    certificates:
      []
    configSources:
      - address: istio-galley.istio-system.svc:9901

    defaultConfig:
      #
      # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters
      # defined in Envoy's configuration file
      connectTimeout: 10s
      #
      ### ADVANCED SETTINGS #############
      # Where should envoy's configuration be stored in the istio-proxy container
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"
      # The pseudo service name used for Envoy.
      serviceCluster: istio-proxy
      # These settings that determine how long an old Envoy
      # process should be kept alive after an occasional reload.
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      #
      # The mode used to redirect inbound connections to Envoy. This setting
      # has no effect on outbound traffic: iptables REDIRECT is always used for
      # outbound connections.
      # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
      # The "REDIRECT" mode loses source addresses during redirection.
      # If "TPROXY", use iptables TPROXY to redirect to Envoy.
      # The "TPROXY" mode preserves both the source and destination IP
      # addresses and ports, so that they can be used for advanced filtering
      # and manipulation.
      # The "TPROXY" mode also configures the sidecar to run with the
      # CAP_NET_ADMIN capability, which is required to use TPROXY.
      #interceptionMode: REDIRECT
      #
      # Port where Envoy listens (on local host) for admin commands
      # You can exec into the istio-proxy container in a pod and
      # curl the admin port (curl http://localhost:15000/) to obtain
      # diagnostic information from Envoy. See
      # https://lyft.github.io/envoy/docs/operations/admin.html
      # for more details
      proxyAdminPort: 15000
      #
      # Set concurrency to a specific number to control the number of Proxy worker threads.
      # If set to 0 (default), then start worker thread for each CPU thread/core.
      concurrency: 2
      #
      tracing:
        zipkin:
          # Address of the Zipkin collector
          address: zipkin.istio-system:9411
      #
      # Mutual TLS authentication between sidecars and istio control plane.
      controlPlaneAuthPolicy: NONE
      #
      # Address where istio Pilot service is running
      discoveryAddress: istio-pilot.istio-system:15010

  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
  meshNetworks: |-
    networks: {}
815---
816# Source: istio/templates/sidecar-injector-configmap.yaml
817
818apiVersion: v1
819kind: ConfigMap
820metadata:
821 name: istio-sidecar-injector
822 namespace: istio-system
823 labels:
824 app: istio
825 chart: istio
826 heritage: Tiller
827 release: release-name
828 istio: sidecar-injector
829data:
830 values: |-
831 {"certmanager":{"enabled":false},"galley":{"enableAnalysis":false,"enableServiceDiscovery":false,"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"
readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"galley","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","tolerations":[]},"gateways":{"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enabl
eCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"istio-egressgateway":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":false,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"labels":{"app":"istio-egressgateway","istio":"egressgateway"},"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailabl
e":"25%","secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"serviceAnnotations":{},"tolerations":[],"type":"ClusterIP"},"istio-ilbgateway":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":false,"labels":{"app":"istio-ilbgateway","istio":"ilbgateway"},"loadBalancerIP":"","nodeSelector":{},"podAnnotations":{},"ports":[{"name":"grpc-pilot-mtls","port":15011},{"name":"grpc-pilot","port":15010},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns","port":5353}],"resources":{"requests":{"cpu":"800m","memory":"512Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","secretVolumes":[{"mountPath":"/etc/istio/ilbgateway-certs","name":"ilbgateway-certs","secretName":"istio-ilbgateway-certs"},{"mountPath":"/etc/istio/ilbgateway-ca-certs","name":"ilbgateway-ca-certs","secretName":"istio-ilbgateway-ca-certs"}],"serviceAnnotations":{"cloud.google.com/load-balancer-type":"internal"},"tolerations":[],"type":"LoadBalancer"},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"externalIPs":[],"labels":{"app":"istio-ingressgateway","istio":"ingressgateway"},"loadBalancerIP":"","loadBalancerSourceRanges":[],"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-mixer-grpc-tls","port":15004,"targetPort":15004},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"h
ttp2","nodePort":31380,"port":80,"targetPort":80},{"name":"https","nodePort":31390,"port":443},{"name":"tcp","nodePort":31400,"port":31400},{"name":"https-kiali","port":15029,"targetPort":15029},{"name":"https-prometheus","port":15030,"targetPort":15030},{"name":"https-grafana","port":15031,"targetPort":15031},{"name":"https-tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sds":{"enabled":false,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"serviceAnnotations":{},"tolerations":[],"type":"LoadBalancer"}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEnc
oding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"grafana":{"enabled":false},"istio_cni":{"enabled":false,"repair":{"enabled":true}},"istiocoredns":{"enabled":false},"kiali":{"enabled":false},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus
":{"enabled":true,"metricsExpiryDuration":"10m"},"stdio":{"enabled":false,"outputAsJson":true},"useAdapterCRDs":false},"env":{"GOMAXPROCS":"6"},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","rea
dinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"mixer","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%"},"telemetry":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","resources":{"limits":{"cpu":"4800m","memory":"4G"},"requests":{"cpu":"1000m","memory":"1G"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sessionAffinityEnabled":false},"tolerations":[]},"nodeagent":{"enabled":false},"pilot":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"configSource":{},"cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{"PILOT_PUSH_THROTTLE":100},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePoli
cyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":
"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"pilot","keepaliveMaxServerConnectionAge":"30m","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"resources":{"requests":{"cpu":"500m","memory":"2048Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sidecar":true,"tolerations":[],"traceSampling":1},"prometheus":{"contextPath":"/prometheus","enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKee
palive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"hub":"docker.io/prom","image":"prometheus","ingress":{"enabled":false,"hosts":["prometheus.local"]},"nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"service":{"annotations":{},"nodePort":{"enabled":false,"port":32090}},"tag":"v2.12.0","tolerations":[]},"security":{"citadelHealthCheck":false,"createMeshPolicy":true,"enableNamespacesByDefault":true,"enabled":true,"env":{},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio"
,"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotat
ions":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"citadel","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":true,"tolerations":[],"workloadCertTtl":"2160h"},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},
"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"sidecar_injector","injectedAnnotations":{},"neverInjectSelector":[],"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rewriteAppHTTPProbe":false,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","tolerations":[]},"tracing":{"enabled":false}}
833 config: |-
    # Injection policy for pods in namespaces the webhook selects. `enabled`
    # presumably means "inject unless the pod opts out via the
    # sidecar.istio.io/inject annotation" -- confirm against the injector docs
    # for this release; the namespace selection itself is not configured here.
    policy: enabled
    # Label selectors that force or forbid injection regardless of `policy`.
    # Both are empty in this release's defaults.
    alwaysInjectSelector:
      []
    neverInjectSelector:
      []
839 template: |-
      # Decide which init containers are needed: the iptables init container is
      # required unless the Istio CNI plugin programs the rules; with CNI repair
      # enabled a validation-only container runs instead; enabling core dumps adds
      # a separate, fully privileged init container (enable-core-dump, below).
      {{- $cniDisabled := (not .Values.istio_cni.enabled) }}
      {{- $cniRepairEnabled := (and .Values.istio_cni.enabled .Values.istio_cni.repair.enabled) }}
      {{- $enableInitContainer := (or $cniDisabled $cniRepairEnabled .Values.global.proxy.enableCoreDump) }}
      # Whether the injector rewrites the app's HTTP probes (presumably to route
      # them through the sidecar's status port -- confirm). Defaults to false.
      rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
      {{- if $enableInitContainer }}
      initContainers:
      {{- if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
      # Traffic-redirection init container. With CNI repair it only validates the
      # rules the CNI plugin installed (istio-validation); otherwise it programs
      # iptables itself (istio-init), which is why it needs NET_ADMIN/NET_RAW and
      # root below. Skipped entirely when interceptionMode is NONE.
      {{ if $cniRepairEnabled -}}
      - name: istio-validation
      {{ else -}}
      - name: istio-init
      {{ end -}}
      {{- if contains "/" .Values.global.proxy_init.image }}
        image: "{{ .Values.global.proxy_init.image }}"
      {{- else }}
        image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
      {{- end }}
        command:
      {{- if $cniRepairEnabled }}
        - istio-iptables-go
      {{- else }}
        - istio-iptables
      {{- end }}
        # 15001 (-p) and 15006 (-z) are the proxy's outbound and inbound capture
        # ports; 1337 (-u) matches the runAsUser of the proxy container below.
        - "-p"
        - "15001"
        - "-z"
        - "15006"
        - "-u"
        - 1337
        - "-m"
        - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
        # The include/exclude ranges and ports below are taken straight from pod
        # annotations, i.e. from whoever authored the pod, and are interpolated
        # into a root-run iptables command without escaping here. Presumably the
        # injector validates these annotations before rendering -- confirm. Note
        # that excluding ranges/ports is the supported way for a workload to send
        # that traffic around the mesh, so audit their use.
        - "-i"
        - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
        - "-x"
        - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
        - "-b"
        - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
        # The status port is always excluded from inbound capture (excludeInboundPort
        # adds it to the -d list), presumably so kubelet probes reach the proxy
        # directly.
        - "-d"
        - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
        {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
        - "-o"
        - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
        {{ end -}}
        {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
        - "-k"
        - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
        {{ end -}}
        {{ if $cniRepairEnabled -}}
        - "--run-validation"
        - "--skip-rule-apply"
        {{- end }}
        imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
      {{- if .Values.global.proxy.init.resources }}
        resources:
      {{ toYaml .Values.global.proxy.init.resources | indent 4 }}
      {{- else }}
        resources: {}
      {{- end }}
        securityContext:
          # privileged and allowPrivilegeEscalation are both tied to the single
          # global.proxy.privileged knob (false in the values above). Keeping them
          # equal also keeps the pair valid: Kubernetes rejects privileged: true
          # combined with allowPrivilegeEscalation: false.
          allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
          privileged: {{ .Values.global.proxy.privileged }}
          capabilities:
          {{- if not $cniRepairEnabled }}
            add:
            - NET_ADMIN
            - NET_RAW
          {{- end }}
            drop:
            - ALL
          # NOTE(review): left writable even though this container only runs the
          # iptables wrapper; confirm whether it needs a writable filesystem before
          # tightening to true.
          readOnlyRootFilesystem: false
        {{- if not $cniRepairEnabled }}
          # Root is required to install iptables rules; this is the only place the
          # injected spec runs as UID 0 by default (TPROXY mode aside).
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
        {{- else }}
          # Validation-only path: no capabilities, non-root, same UID as the proxy.
          runAsGroup: 1337
          runAsUser: 1337
          runAsNonRoot: true
        {{- end }}
        # NOTE(review): restartPolicy is a pod-level field, not a container field,
        # in the Kubernetes API of this era; presumably dropped by a non-strict
        # decoder. Confirm and remove if so.
        restartPolicy: Always
      {{ end -}}
      {{- if eq .Values.global.proxy.enableCoreDump true }}
      # Opt-in via global.proxy.enableCoreDump (false in the values above). This is
      # the most privileged thing the injector can add: privileged + SYS_ADMIN as
      # root. kernel.core_pattern is not a namespaced sysctl, so the write below
      # changes the core-dump path for every process on the node and persists
      # after this init container exits. The image is an unpinned mutable tag
      # (ubuntu:xenial by default) pulled IfNotPresent regardless of
      # global.imagePullPolicy; pin it by digest if this is ever enabled.
      - name: enable-core-dump
        args:
        - -c
        - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
        command:
        - /bin/sh
        # NOTE(review): unquoted templated scalar; quote it so an unusual image
        # reference cannot change how the line parses.
        image: {{ $.Values.global.proxy.enableCoreDumpImage }}
        imagePullPolicy: IfNotPresent
        resources: {}
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - SYS_ADMIN
            drop:
            - ALL
          privileged: true
          readOnlyRootFilesystem: false
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
      {{ end }}
      {{ end }}
945 containers:
946 - name: istio-proxy
        # The pod annotation sidecar.istio.io/proxyImage replaces the sidecar image
        # outright: a value containing "/" is used verbatim, anything else is used
        # as the registry prefix for the chart's proxy image and tag. Any pod author
        # can set it, so image trust must come from admission policy on the
        # mutated pod, not from this template.
      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
      {{- else }}
        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
      {{- end }}
        ports:
        # Only Envoy's Prometheus metrics port is declared. containerPort entries
        # are informational in Kubernetes; they do not limit what the proxy
        # listens on.
        - containerPort: 15090
          protocol: TCP
          name: http-envoy-prom
        args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
        - --configPath
        - "{{ .ProxyConfig.ConfigPath }}"
        - --binaryPath
        - "{{ .ProxyConfig.BinaryPath }}"
        - --serviceCluster
        # Service cluster name comes from the pod's "app" label when present, else
        # from the owning workload, falling back to istio-proxy.default.
        {{ if ne "" (index .ObjectMeta.Labels "app") -}}
        - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
        {{ else -}}
        - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
        {{ end -}}
        - --drainDuration
        - "{{ formatDuration .ProxyConfig.DrainDuration }}"
        - --parentShutdownDuration
        - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}"
        # Per-pod overridable: a workload can point its own sidecar at a different
        # xDS endpoint here and relax controlPlaneAuthPolicy further down. Both stay
        # within the pod's own trust boundary, but audit for them.
        - --discoveryAddress
        - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}"
      {{- if eq .Values.global.proxy.tracer "lightstep" }}
        - --lightstepAddress
        - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}"
        # The LightStep access token is passed as a plain command-line argument, so
        # it is readable by anyone with get on pods (args are part of the pod spec)
        # and in the node's process list. Prefer delivering it from a Secret (file
        # or env var) if this tracer is enabled.
        - --lightstepAccessToken
        - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}"
        - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }}
        - --lightstepCacertPath
        - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}"
      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
        - --zipkinAddress
        - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}"
      {{- else if eq .Values.global.proxy.tracer "datadog" }}
        - --datadogAgentAddress
        - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}"
      {{- end }}
      {{- if .Values.global.proxy.logLevel }}
        - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
      {{- end}}
      {{- if .Values.global.proxy.componentLogLevel }}
        - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
      {{- end}}
        - --dnsRefreshRate
        - {{ .Values.global.proxy.dnsRefreshRate }}
        - --connectTimeout
        - "{{ formatDuration .ProxyConfig.ConnectTimeout }}"
      {{- if .Values.global.proxy.envoyStatsd.enabled }}
        - --statsdUdpAddress
        - "{{ .ProxyConfig.StatsdUdpAddress }}"
      {{- end }}
      {{- if .Values.global.proxy.envoyMetricsService.enabled }}
        - --envoyMetricsService
        - '{{ protoToJSON .ProxyConfig.EnvoyMetricsService }}'
      {{- end }}
      {{- if .Values.global.proxy.envoyAccessLogService.enabled }}
        - --envoyAccessLogService
        - '{{ protoToJSON .ProxyConfig.EnvoyAccessLogService }}'
      {{- end }}
        - --proxyAdminPort
        - "{{ .ProxyConfig.ProxyAdminPort }}"
        {{ if gt .ProxyConfig.Concurrency 0 -}}
        - --concurrency
        - "{{ .ProxyConfig.Concurrency }}"
        {{ end -}}
        # Annotation-overridable; with controlPlaneSecurityEnabled false in the
        # values above the mesh-wide default is already no control-plane mTLS.
        - --controlPlaneAuthPolicy
        - "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}"
      {{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" (valueOrDefault .Values.global.proxy.statusPort 0 )) `0`) }}
        - --statusPort
        - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}"
        - --applicationPorts
        - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}"
      {{- end }}
      {{- if .Values.global.trustDomain }}
        - --trust-domain={{ .Values.global.trustDomain }}
      {{- end }}
      {{- if .Values.global.proxy.lifecycle }}
        lifecycle:
      {{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
      {{- end }}
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        # JSON list of every containerPort declared by the app containers, built
        # inline. Keep the block scalar below free of comments: they would become
        # part of the value.
        - name: ISTIO_META_POD_PORTS
          value: |-
            [
            {{- $first := true }}
            {{- range $index1, $c := .Spec.Containers }}
            {{- range $index2, $p := $c.Ports }}
            {{- if (structToJSON $p) }}
            {{if not $first}},{{end}}{{ structToJSON $p }}
            {{- $first = false }}
            {{- end }}
            {{- end}}
            {{- end}}
            ]
        - name: ISTIO_META_CLUSTER_ID
          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
      {{- if .Values.global.mtls.auto }}
        - name: ISTIO_AUTO_MTLS_ENABLED
          value: "true"
      {{- end }}
      {{- if eq .Values.global.proxy.tracer "datadog" }}
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        # Datadog only: every key/value in the pod annotation apm.datadoghq.com/env
        # becomes an env var of the sidecar. Keys are emitted unquoted and values
        # are merely wrapped in double quotes -- no escaping, no allow-list -- so a
        # pod author picks arbitrary env names in the proxy container, and a value
        # containing a double quote breaks (or reshapes) the rendered YAML.
        # NOTE(review): restrict keys to a known prefix and emit the value with
        # toJSON (already used below) before relying on this in a shared cluster.
      {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }}
      {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
        - name: {{ $key }}
          value: "{{ $value }}"
      {{- end }}
      {{- end }}
      {{- end }}
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_CONFIG_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # NOTE(review): renders as an unquoted YAML boolean (value: false) where
        # the API expects a string; presumably tolerated by the injector's decoder.
        # Quote it like the other values so it does not depend on that.
        - name: SDS_ENABLED
          value: {{ $.Values.global.sds.enabled }}
        - name: ISTIO_META_INTERCEPTION_MODE
          value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
        - name: ISTIO_META_INCLUDE_INBOUND_PORTS
          value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}"
      {{- if .Values.global.network }}
        - name: ISTIO_META_NETWORK
          value: "{{ .Values.global.network }}"
      {{- end }}
        # All pod annotations and labels are copied verbatim into the sidecar's
        # environment (the ISTIO_METAJSON_ prefix is presumably forwarded as proxy
        # node metadata to the control plane -- confirm). Anything sensitive kept
        # in an annotation therefore travels with the proxy.
        {{ if .ObjectMeta.Annotations }}
        - name: ISTIO_METAJSON_ANNOTATIONS
          value: |
                 {{ toJSON .ObjectMeta.Annotations }}
        {{ end }}
        {{ if .ObjectMeta.Labels }}
        - name: ISTIO_METAJSON_LABELS
          value: |
                 {{ toJSON .ObjectMeta.Labels }}
        {{ end }}
      {{- if .DeploymentMeta.Name }}
        - name: ISTIO_META_WORKLOAD_NAME
          value: {{ .DeploymentMeta.Name }}
        {{ end }}
      {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
      {{- end}}
      {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
        # A pod may supply its own Envoy bootstrap (mounted under
        # /etc/istio/custom-bootstrap below), handing the workload full control of
        # its sidecar's bootstrap configuration.
        - name: ISTIO_BOOTSTRAP_OVERRIDE
          value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
      {{- end }}
      {{- if .Values.global.sds.customTokenDirectory }}
        - name: ISTIO_META_SDS_TOKEN_PATH
          value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken"
      {{- end }}
      {{- if .Values.global.meshID }}
        - name: ISTIO_META_MESH_ID
          value: "{{ .Values.global.meshID }}"
      {{- else if .Values.global.trustDomain }}
        - name: ISTIO_META_MESH_ID
          value: "{{ .Values.global.trustDomain }}"
      {{- end }}
      {{- if eq .Values.global.proxy.tracer "stackdriver" }}
        - name: STACKDRIVER_TRACING_ENABLED
          value: "true"
        - name: STACKDRIVER_TRACING_DEBUG
          value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetDebug }}"
      {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations }}
        - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS
          value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations.Value }}"
      {{- end }}
      {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes }}
        - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES
          value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes.Value }}"
      {{- end }}
      {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents }}
        - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS
          value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents.Value }}"
      {{- end }}
      {{- end }}
        # Unquoted and without the `Always` fallback the init container uses; the
        # values above set IfNotPresent.
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
        # Readiness probe on the proxy's status port, omitted when that port is 0.
        # The init container excludes the status port from inbound capture,
        # presumably so the kubelet's probe reaches the proxy directly. Timing and
        # threshold are per-pod overridable via readiness.status.sidecar.istio.io/*.
        {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` (valueOrDefault .Values.global.proxy.statusPort 0 )) `0` }}
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}
          initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
          periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
          failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
        {{ end -}}
1162 securityContext:
1163 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
1164 capabilities:
1165 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
1166 add:
1167 - NET_ADMIN
1168 {{- end }}
1169 drop:
1170 - ALL
1171 privileged: {{ .Values.global.proxy.privileged }}
1172 readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
1173 runAsGroup: 1337
1174 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
1175 runAsNonRoot: false
1176 runAsUser: 0
1177 {{- else }}
1178 runAsNonRoot: true
1179 runAsUser: 1337
1180 {{- end }}
1181 resources:
1182 {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
1183 requests:
1184 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
1185 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
1186 {{ end}}
1187 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
1188 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
1189 {{ end }}
1190 {{ else -}}
1191 {{- if .Values.global.proxy.resources }}
1192 {{ toYaml .Values.global.proxy.resources | indent 4 }}
1193 {{- end }}
1194 {{ end -}}
1195 volumeMounts:
1196 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
1197 - mountPath: /etc/istio/custom-bootstrap
1198 name: custom-bootstrap-volume
1199 {{- end }}
1200 - mountPath: /etc/istio/proxy
1201 name: istio-envoy
1202 {{- if .Values.global.sds.enabled }}
1203 - mountPath: /var/run/sds
1204 name: sds-uds-path
1205 readOnly: true
1206 - mountPath: /var/run/secrets/tokens
1207 name: istio-token
1208 {{- if .Values.global.sds.customTokenDirectory }}
1209 - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}"
1210 name: custom-sds-token
1211 readOnly: true
1212 {{- end }}
1213 {{- else }}
1214 - mountPath: /etc/certs/
1215 name: istio-certs
1216 readOnly: true
1217 {{- end }}
1218 {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
1219 - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}
1220 name: lightstep-certs
1221 readOnly: true
1222 {{- end }}
1223 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
1224 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
1225 - name: "{{ $index }}"
1226 {{ toYaml $value | indent 4 }}
1227 {{ end }}
1228 {{- end }}
1229 volumes:
1230 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
1231 - name: custom-bootstrap-volume
1232 configMap:
1233 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
1234 {{- end }}
1235 - emptyDir:
1236 medium: Memory
1237 name: istio-envoy
1238 {{- if .Values.global.sds.enabled }}
1239 - name: sds-uds-path
1240 hostPath:
1241 path: /var/run/sds
1242 - name: istio-token
1243 projected:
1244 sources:
1245 - serviceAccountToken:
1246 path: istio-token
1247 expirationSeconds: 43200
1248 audience: {{ .Values.global.sds.token.aud }}
1249 {{- if .Values.global.sds.customTokenDirectory }}
1250 - name: custom-sds-token
1251 secret:
1252 secretName: sdstokensecret
1253 {{- end }}
1254 {{- else }}
1255 - name: istio-certs
1256 secret:
1257 optional: true
1258 {{ if eq .Spec.ServiceAccountName "" }}
1259 secretName: istio.default
1260 {{ else -}}
1261 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
1262 {{ end -}}
1263 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
1264 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
1265 - name: "{{ $index }}"
1266 {{ toYaml $value | indent 2 }}
1267 {{ end }}
1268 {{ end }}
1269 {{- end }}
1270 {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
1271 - name: lightstep-certs
1272 secret:
1273 optional: true
1274 secretName: lightstep.cacert
1275 {{- end }}
1276 {{- if .Values.global.podDNSSearchNamespaces }}
1277 dnsConfig:
1278 searches:
1279 {{- range .Values.global.podDNSSearchNamespaces }}
1280 - {{ render . }}
1281 {{- end }}
1282 {{- end }}
1283 podRedirectAnnot:
1284 sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
1285 traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
1286 traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
1287 traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
1288 traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
1289 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
1290 traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
1291 {{- end }}
1292 traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
1293 injectedAnnotations:
1294
---
# Source: istio/charts/galley/templates/serviceaccount.yaml
# Identity the galley Deployment runs as. It is granted ClusterRole
# istio-galley-istio-system by ClusterRoleBinding
# istio-galley-admin-role-binding-istio-system later in this manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-galley-service-account
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: release-name

---
# Source: istio/charts/gateways/templates/serviceaccount.yaml
# Identity the istio-ingressgateway Deployment runs as. Unlike the control-plane
# accounts it only receives a namespaced Role (istio-ingressgateway-sds:
# get/watch/list on secrets in istio-system) via a RoleBinding further down.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-ingressgateway-service-account
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    release: release-name
---
# (empty document emitted by the chart; kubectl ignores it)

---
# Source: istio/charts/mixer/templates/serviceaccount.yaml
# Shared identity for the istio-policy and istio-telemetry mixer workloads;
# bound to ClusterRole istio-mixer-istio-system below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-mixer-service-account
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name

---
# Source: istio/charts/pilot/templates/serviceaccount.yaml
# Identity of pilot; bound to ClusterRole istio-pilot-istio-system below, which is
# the broadest role in this manifest (cluster-wide secrets CRUD, CSR approval).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-pilot-service-account
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: release-name

---
# Source: istio/charts/prometheus/templates/serviceaccount.yaml
# Identity of the bundled Prometheus; bound to ClusterRole prometheus-istio-system
# (read-only discovery plus nodes/proxy and /metrics) below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Tiller
    release: release-name

---
# Source: istio/charts/security/templates/create-custom-resources-job.yaml
# Identity used only by the istio-security-post-install Job below. The account
# itself carries no hook annotation, so it persists after the Job is deleted.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-security-post-install-account
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
---
# Permissions for the post-install Job. The first two rules grant every verb on
# every resource in the two Istio API groups, which is wider than the
# "create" need the inline comments describe; the Job only runs once per
# install/upgrade, but the role is not a hook resource and stays in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-security-post-install-istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
rules:
  - apiGroups: ["authentication.istio.io"] # needed to create default authn policy
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["networking.istio.io"] # needed to create security destination rules
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
# Binds the wildcard ClusterRole above to the post-install Job's ServiceAccount.
# Cluster-scoped binding: the Job's rights are not limited to istio-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-security-post-install-role-binding-istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-security-post-install-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-security-post-install-account
    namespace: istio-system
---
# Helm post-install/post-upgrade hook. It runs /tmp/security/run.sh, which is
# mounted from ConfigMap istio-security-custom-resources, under the
# post-install ServiceAccount that holds the wildcard ClusterRole above. The
# ConfigMap contents are therefore an input to a privileged job: whoever can
# edit that ConfigMap controls what this Job executes cluster-wide.
apiVersion: batch/v1
kind: Job
metadata:
  name: istio-security-post-install-1.4.6
  namespace: istio-system
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    # Only the Job is removed on success; the SA, ClusterRole and binding remain.
    "helm.sh/hook-delete-policy": hook-succeeded
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
spec:
  template:
    metadata:
      name: istio-security-post-install
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: release-name
      annotations:
        # Control-plane job; must not get a sidecar injected.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-security-post-install-account
      containers:
        - name: kubectl
          # Tag-pinned but not digest-pinned image.
          image: "docker.io/istio/kubectl:1.4.6"
          imagePullPolicy: IfNotPresent
          command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
          volumeMounts:
            - mountPath: "/tmp/security"
              name: tmp-configmap-security
      volumes:
        - name: tmp-configmap-security
          configMap:
            name: istio-security-custom-resources
      restartPolicy: OnFailure
      # Pin to the architectures the istio images are published for.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"

---
# Source: istio/charts/security/templates/serviceaccount.yaml
# Identity of citadel; bound to ClusterRole istio-citadel-istio-system below
# (cluster-wide secrets CRUD and tokenreviews create).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-citadel-service-account
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name

---
# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
# Identity of the sidecar injector webhook; bound to ClusterRole
# istio-sidecar-injector-istio-system below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-sidecar-injector-service-account
  namespace: istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: release-name
    istio: sidecar-injector

---
# Source: istio/templates/serviceaccount.yaml
# Account bound to the read-only ClusterRole istio-reader below. No workload in
# this manifest references it; presumably intended for remote/multi-cluster
# access — confirm before keeping it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-multi
  namespace: istio-system

---
# Source: istio/charts/galley/templates/clusterrole.yaml
# Galley permissions. Note the unrestricted verbs on
# validatingwebhookconfigurations (cluster-wide admission control config, needed
# by the --enable-reconcileWebhookConfiguration flag on the galley Deployment)
# and the namespaces/finalizers update right; deployment access is correctly
# narrowed with resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-galley-istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: release-name
rules:
  # For reading Istio resources
  - apiGroups: [
      "authentication.istio.io",
      "config.istio.io",
      "networking.istio.io",
      "rbac.istio.io",
      "security.istio.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # For updating Istio resource statuses
  - apiGroups: [
      "authentication.istio.io",
      "config.istio.io",
      "networking.istio.io",
      "rbac.istio.io",
      "security.istio.io"]
    resources: ["*/status"]
    verbs: ["update"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["*"]
  - apiGroups: ["extensions","apps"]
    resources: ["deployments"]
    resourceNames: ["istio-galley"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "endpoints", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["namespaces/finalizers"]
    verbs: ["update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

---
# Source: istio/charts/mixer/templates/clusterrole.yaml
# Mixer permissions. The core-group rule includes get/list/watch on "secrets"
# cluster-wide; list/watch returns secret contents for every namespace, so this
# is a notable read grant for a telemetry/policy component.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-mixer-istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
rules:
  - apiGroups: ["config.istio.io"] # istio CRD watcher
    resources: ["*"]
    verbs: ["create", "get", "list", "watch", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]

---
# Source: istio/charts/pilot/templates/clusterrole.yaml
# Pilot permissions — the widest role in this manifest: all verbs on several
# Istio groups and on CRDs, full lifecycle on secrets in every namespace, and
# create/approve/delete on certificatesigningrequests. Compromise of the pilot
# pod therefore equals broad cluster access; keep this in mind when reviewing
# the pilot Deployment's hardening.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-pilot-istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: release-name
rules:
  - apiGroups: ["config.istio.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["rbac.istio.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["security.istio.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.istio.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["authentication.istio.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: ["extensions"]
    resources: ["ingresses", "ingresses/status"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["endpoints", "pods", "services", "namespaces", "nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    # Cluster-wide, not limited to istio-system.
    resources: ["secrets"]
    verbs: ["create", "get", "watch", "list", "update", "delete"]
  - apiGroups: ["certificates.k8s.io"]
    # "/approval" lets the holder approve CSRs, i.e. obtain cluster-signed certs.
    resources:
      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete"]

---
# Source: istio/charts/prometheus/templates/clusterrole.yaml
# Read-only discovery role for Prometheus. "nodes/proxy" allows requests to be
# proxied through the API server to each node's kubelet, which is how kubelet
# and cAdvisor metrics are scraped; it is read-only here (get only).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Tiller
    release: release-name
rules:
  - apiGroups: [""]
    resources:
      - nodes
      - services
      - endpoints
      - pods
      - nodes/proxy
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources:
      - configmaps
    verbs: ["get"]
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]

---
# Source: istio/charts/security/templates/clusterrole.yaml
# Citadel permissions: full lifecycle on secrets in every namespace (presumably
# where it stores issued workload certificates — confirm), plus tokenreviews
# create for validating service-account tokens presented to it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-citadel-istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "watch", "list", "update", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts", "services", "namespaces"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]

---
# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
# Injector permissions. "patch" on mutatingwebhookconfigurations is not narrowed
# with resourceNames, so it applies to every mutating webhook in the cluster,
# not only the injector's own; compare the resourceNames scoping used in
# istio-galley-istio-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-sidecar-injector-istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: release-name
    istio: sidecar-injector
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "patch"]

---
# Source: istio/templates/clusterrole.yaml
# Read-only role granted to the istio-multi ServiceAccount. Carries no chart
# labels, so it is not obviously tied to this release by label selectors.
# (Mixed single/double quoting below is a style inconsistency only.)
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: istio-reader
rules:
  - apiGroups: ['']
    resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"]
    verbs: ['get', 'watch', 'list']
  - apiGroups: ["extensions", "apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]

---
# Source: istio/charts/galley/templates/clusterrolebinding.yaml
# Grants istio-galley-istio-system to the galley ServiceAccount. The name says
# "admin" but the role referenced is the galley-specific one above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-galley-admin-role-binding-istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: release-name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-galley-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-galley-service-account
    namespace: istio-system

---
# Source: istio/charts/mixer/templates/clusterrolebinding.yaml
# Grants istio-mixer-istio-system to the shared mixer ServiceAccount (used by
# both istio-policy and istio-telemetry).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-mixer-admin-role-binding-istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-mixer-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-mixer-service-account
    namespace: istio-system

---
# Source: istio/charts/pilot/templates/clusterrolebinding.yaml
# Grants the broad istio-pilot-istio-system role to the pilot ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: release-name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-pilot-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-pilot-service-account
    namespace: istio-system

---
# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml
# Grants prometheus-istio-system to the prometheus ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Tiller
    release: release-name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-istio-system
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: istio-system

---
# Source: istio/charts/security/templates/clusterrolebinding.yaml
# Grants istio-citadel-istio-system to the citadel ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-citadel-istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-citadel-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-citadel-service-account
    namespace: istio-system

---
# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
# Grants istio-sidecar-injector-istio-system to the injector ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-sidecar-injector-admin-role-binding-istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: release-name
    istio: sidecar-injector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-sidecar-injector-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-sidecar-injector-service-account
    namespace: istio-system

---
# Source: istio/templates/clusterrolebinding.yaml
# Grants the read-only istio-reader role to the istio-multi ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-multi
  labels:
    chart: istio-1.4.6
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-reader
subjects:
  - kind: ServiceAccount
    name: istio-multi
    namespace: istio-system

---
# Source: istio/charts/gateways/templates/role.yaml
# Namespaced Role for the ingress gateway: read access to secrets in
# istio-system only (gateway TLS material). Properly scoped compared with the
# cluster-wide secret grants given to pilot, citadel and mixer.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-system
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
# (empty document emitted by the chart; kubectl ignores it)

---
# Source: istio/charts/gateways/templates/rolebindings.yaml
# Binds the istio-ingressgateway-sds Role to the gateway ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
  - kind: ServiceAccount
    name: istio-ingressgateway-service-account
    # NOTE(review): subject namespace is omitted; a RoleBinding accepts that and
    # the account is then resolved in the binding's own namespace — being
    # explicit (namespace: istio-system) would match the other bindings here.
---
# (empty document emitted by the chart; kubectl ignores it)

---
# Source: istio/charts/galley/templates/service.yaml
# ClusterIP Service for galley: the validation webhook endpoint (443), its
# monitoring port and the MCP gRPC port. Selected by the istio: galley label.
apiVersion: v1
kind: Service
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: release-name
    istio: galley
spec:
  ports:
    - port: 443
      name: https-validation
    - port: 15014
      name: http-monitoring
    - port: 9901
      name: grpc-mcp
  selector:
    istio: galley

---
# Source: istio/charts/gateways/templates/service.yaml
# Externally reachable entry point (type: LoadBalancer). Besides the usual
# 80/443, it publishes the kiali/prometheus/grafana/tracing ports (15029-15032)
# and the multicluster tls port 15443 on the load balancer; whether those
# actually route anywhere depends on Gateway/VirtualService config not shown
# here, but they are open at the LB and worth trimming if unused. The fixed
# nodePorts (31380/31390/31400) are also reachable on every node.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  # Rendered empty (null) for this release — no LB annotations were set.
  annotations:
  labels:
    chart: gateways
    heritage: Tiller
    release: release-name
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    release: release-name
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    - name: status-port
      port: 15020
      targetPort: 15020
    - name: http2
      nodePort: 31380
      port: 80
      targetPort: 80
    - name: https
      nodePort: 31390
      port: 443
    - name: tcp
      nodePort: 31400
      port: 31400
    - name: https-kiali
      port: 15029
      targetPort: 15029
    - name: https-prometheus
      port: 15030
      targetPort: 15030
    - name: https-grafana
      port: 15031
      targetPort: 15031
    - name: https-tracing
      port: 15032
      targetPort: 15032
    - name: tls
      port: 15443
      targetPort: 15443
---
# (empty document emitted by the chart; kubectl ignores it)

---
# Source: istio/charts/mixer/templates/service.yaml
# Mixer policy-check Service. networking.istio.io/exportTo: "*" makes it
# visible to sidecars in every namespace.
apiVersion: v1
kind: Service
metadata:
  name: istio-policy
  namespace: istio-system
  annotations:
    networking.istio.io/exportTo: "*"
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
    istio: mixer
spec:
  ports:
    - name: grpc-mixer
      port: 9091
    - name: grpc-mixer-mtls
      port: 15004
    - name: http-monitoring
      port: 15014
  selector:
    istio: mixer
    istio-mixer-type: policy
---
# Mixer telemetry Service; same shape as istio-policy plus the prometheus
# scrape port 42422. Exported to all namespaces via the exportTo annotation.
apiVersion: v1
kind: Service
metadata:
  name: istio-telemetry
  namespace: istio-system
  annotations:
    networking.istio.io/exportTo: "*"
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
    istio: mixer
spec:
  ports:
    - name: grpc-mixer
      port: 9091
    - name: grpc-mixer-mtls
      port: 15004
    - name: http-monitoring
      port: 15014
    - name: prometheus
      port: 42422
  selector:
    istio: mixer
    istio-mixer-type: telemetry
---
# (empty document emitted by the chart; kubectl ignores it)


---
# Source: istio/charts/pilot/templates/service.yaml
# Pilot discovery Service. Both the plaintext xDS port (15010) and the mTLS one
# (15011) are published; the gateway Deployment in this manifest connects to
# istio-pilot:15010 with --controlPlaneAuthPolicy NONE, i.e. the unauthenticated
# path is the one in use for this release.
apiVersion: v1
kind: Service
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: release-name
    istio: pilot
spec:
  ports:
    - port: 15010
      name: grpc-xds # direct
    - port: 15011
      name: https-xds # mTLS
    - port: 8080
      name: http-legacy-discovery # direct
    - port: 15014
      name: http-monitoring
  selector:
    istio: pilot

---
# Source: istio/charts/prometheus/templates/service.yaml
# ClusterIP Service for the bundled Prometheus UI/API on 9090 (no auth of its
# own; reachable by anything inside the cluster that can resolve it).
apiVersion: v1
kind: Service
metadata:
  name: prometheus
  namespace: istio-system
  annotations:
    # Kept as a string on purpose: annotation values must be strings.
    prometheus.io/scrape: 'true'
  labels:
    app: prometheus
    chart: prometheus
    heritage: Tiller
    release: release-name
spec:
  selector:
    app: prometheus
  ports:
    - name: http-prometheus
      protocol: TCP
      port: 9090

---
# Source: istio/charts/security/templates/service.yaml
# Citadel certificate-issuing Service (gRPC on 8060) plus monitoring.
apiVersion: v1
kind: Service
metadata:
  # we use the normal name here (e.g. 'prometheus')
  # as grafana is configured to use this as a data source
  # NOTE(review): the two lines above look copied from the prometheus chart;
  # they do not describe this Service.
  name: istio-citadel
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
    istio: citadel
spec:
  ports:
    - name: grpc-citadel
      port: 8060
      targetPort: 8060
      protocol: TCP
    - name: http-monitoring
      port: 15014
  selector:
    istio: citadel

---
# Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml
# Service the API server calls for mutating admission (sidecar injection) on
# 443, plus monitoring.
apiVersion: v1
kind: Service
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: release-name
    istio: sidecar-injector
spec:
  ports:
    - port: 443
      name: https-inject
    - port: 15014
      name: http-monitoring
  selector:
    istio: sidecar-injector

---
# Source: istio/charts/galley/templates/deployment.yaml
# Galley: config validation webhook + MCP server. Review points visible here:
# --insecure=true is passed to the server (NOTE(review): the flag name suggests
# TLS/auth on the galley listener is disabled — confirm that is intended);
# no container securityContext is set (no runAsNonRoot/readOnlyRootFilesystem);
# only a CPU request and no limits are declared; image is tag- not digest-pinned.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: release-name
    istio: galley
spec:
  replicas: 1
  selector:
    matchLabels:
      istio: galley
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: galley
        chart: galley
        heritage: Tiller
        release: release-name
        istio: galley
      annotations:
        # Control-plane pod; must not get a sidecar injected.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-galley-service-account
      containers:
        - name: galley
          image: "docker.io/istio/galley:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 443
            - containerPort: 15014
            - containerPort: 9901
          command:
            - /usr/local/bin/galley
            - server
            - --meshConfigFile=/etc/mesh-config/mesh
            - --livenessProbeInterval=1s
            - --livenessProbePath=/healthliveness
            - --readinessProbePath=/healthready
            - --readinessProbeInterval=1s
            - --deployment-namespace=istio-system
            - --insecure=true
            # Requires the "*" verbs on validatingwebhookconfigurations granted
            # in ClusterRole istio-galley-istio-system.
            - --enable-reconcileWebhookConfiguration=true
            - --validation-webhook-config-file
            - /etc/config/validatingwebhookconfiguration.yaml
            - --monitoringPort=15014
            - --log_output_level=default:info
          # All three mounts are read-only.
          volumeMounts:
            - name: certs
              mountPath: /etc/certs
              readOnly: true
            - name: config
              mountPath: /etc/config
              readOnly: true
            - name: mesh-config
              mountPath: /etc/mesh-config
              readOnly: true
          livenessProbe:
            exec:
              command:
                - /usr/local/bin/galley
                - probe
                - --probe-path=/healthliveness
                - --interval=10s
            initialDelaySeconds: 5
            periodSeconds: 5
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/galley
                - probe
                - --probe-path=/healthready
                - --interval=10s
            initialDelaySeconds: 5
            periodSeconds: 5
          resources:
            requests:
              cpu: 10m

      volumes:
        # Webhook/MCP serving certs, read from the per-SA secret.
        - name: certs
          secret:
            secretName: istio.istio-galley-service-account
        - name: config
          configMap:
            name: istio-galley-configuration
        - name: mesh-config
          configMap:
            name: istio
      # Pin to the architectures the istio images are published for.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
2278---
# Source: istio/charts/gateways/templates/deployment.yaml
# Istio ingress gateway: a standalone Envoy (proxyv2 in "router" mode) that
# terminates traffic at the mesh edge. No replica count is set here; it is
# owned by the HorizontalPodAutoscaler for istio-ingressgateway later in this
# file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    istio: ingressgateway
    release: release-name
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Tiller
        istio: ingressgateway
        release: release-name
      annotations:
        # This pod *is* the proxy; never inject a second sidecar into it.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-ingressgateway-service-account
      # NOTE(review): no pod- or container-level securityContext is set
      # (runAsNonRoot, readOnlyRootFilesystem, capability drops), so the
      # container runs with the image's defaults and whatever the cluster's
      # admission policy enforces.
      containers:
        - name: istio-proxy
          # Image is referenced by a mutable tag and pulled IfNotPresent, so a
          # node reuses whatever it already has cached under this tag; pin by
          # digest where image provenance must be verifiable.
          image: "docker.io/istio/proxyv2:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15020  # status port (see --statusPort and readinessProbe)
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15029
            - containerPort: 15030
            - containerPort: 15031
            - containerPort: 15032
            - containerPort: 15443
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom  # Envoy Prometheus scrape endpoint
          args:
            - proxy
            - router
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --log_output_level=default:info
            - --drainDuration
            - '45s'  # drainDuration
            - --parentShutdownDuration
            - '1m0s'  # parentShutdownDuration
            - --connectTimeout
            - '10s'  # connectTimeout
            - --serviceCluster
            - istio-ingressgateway
            - --zipkinAddress
            - zipkin:9411
            - --proxyAdminPort
            - "15000"
            - --statusPort
            - "15020"
            # NOTE(review): control-plane auth policy NONE together with the
            # 15010 discovery port means xDS between this gateway and Pilot is
            # plaintext and unauthenticated (the istio-pilot Deployment in this
            # file also passes --secureGrpcAddr ""). Acceptable only if the
            # network between istio-system pods is trusted.
            - --controlPlaneAuthPolicy
            - NONE
            - --discoveryAddress
            - istio-pilot:15010
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          env:
            # Downward-API values consumed by the proxy bootstrap.
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ISTIO_META_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: ISTIO_META_CONFIG_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: ISTIO_METAJSON_LABELS
              # Literal block scalar: the JSON is delivered with a trailing newline.
              value: |
                {"app":"istio-ingressgateway","chart":"gateways","heritage":"Tiller","istio":"ingressgateway","release":"release-name"}
            - name: ISTIO_META_CLUSTER_ID
              value: "Kubernetes"
            # SDS disabled: certificates come from the secret volumes mounted
            # below rather than from a secret-discovery service.
            - name: SDS_ENABLED
              value: "false"
            - name: ISTIO_META_WORKLOAD_NAME
              value: istio-ingressgateway
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
            - name: ISTIO_META_ROUTER_MODE
              value: sni-dnat
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: ingressgateway-certs
              mountPath: "/etc/istio/ingressgateway-certs"
              readOnly: true
            - name: ingressgateway-ca-certs
              mountPath: "/etc/istio/ingressgateway-ca-certs"
              readOnly: true
      volumes:
        # All three secrets are optional: the pod still schedules and starts
        # when a TLS secret is missing, so an absent ingress certificate shows
        # up as a listener/TLS error at runtime rather than as a failed rollout.
        - name: istio-certs
          secret:
            secretName: istio.istio-ingressgateway-service-account
            optional: true
        - name: ingressgateway-certs
          secret:
            secretName: "istio-ingressgateway-certs"
            optional: true
        - name: ingressgateway-ca-certs
          secret:
            secretName: "istio-ingressgateway-ca-certs"
            optional: true
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy spelling of kubernetes.io/arch
          # (deprecated since Kubernetes 1.14).
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          # Equal weights: no architecture is actually preferred over another.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
2484---
2485
2486---
# Source: istio/charts/mixer/templates/deployment.yaml
# Mixer "policy" (check) service. The two containers share an emptyDir: mixer
# listens on a Unix socket under /sock and the istio-proxy container reaches
# it through the same mount, so mixer itself exposes no TCP policy port.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: istio-mixer
    chart: mixer
    heritage: Tiller
    release: release-name
    istio: mixer
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: mixer
      istio-mixer-type: policy
  template:
    metadata:
      labels:
        app: policy
        chart: mixer
        heritage: Tiller
        release: release-name
        security.istio.io/tlsMode: "istio"
        istio: mixer
        istio-mixer-type: policy
      annotations:
        # The proxy is an explicit container below; do not inject another.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-mixer-service-account
      volumes:
        - name: istio-certs
          secret:
            secretName: istio.istio-mixer-service-account
            optional: true
        # Shared socket directory between the mixer and proxy containers.
        - name: uds-socket
          emptyDir: {}
        - name: policy-adapter-secret
          secret:
            secretName: policy-adapter-secret
            optional: true
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy spelling of kubernetes.io/arch.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
      # NOTE(review): neither container sets a securityContext.
      containers:
        - name: mixer
          image: "docker.io/istio/mixer:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15014  # monitoring (see --monitoringPort and livenessProbe)
            - containerPort: 42422
          args:
            - --monitoringPort=15014
            - --address
            - unix:///sock/mixer.socket
            - --log_output_level=default:info
            # Configuration is pulled over MCP from Galley rather than read
            # from CRDs directly (adapter/template CRDs are disabled below).
            - --configStoreURL=mcp://istio-galley.istio-system.svc:9901
            - --configDefaultNamespace=istio-system
            - --useAdapterCRDs=false
            - --useTemplateCRDs=false
            # Traces are exported over plain HTTP inside the cluster.
            - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: GOMAXPROCS
              value: "6"
          # NOTE(review): only a CPU request is set for the mixer container;
          # with no memory limit the kubelet does not cap its memory use.
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: uds-socket
              mountPath: /sock
          livenessProbe:
            httpGet:
              path: /version
              port: 15014
            initialDelaySeconds: 5
            periodSeconds: 5
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9091
            - containerPort: 15004
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-policy
            - --templateFile
            - /etc/istio/proxy/envoy_policy.yaml.tmpl
            # NOTE(review): plaintext, unauthenticated connection to the
            # control plane (same setting as the other proxies in this file).
            - --controlPlaneAuthPolicy
            - NONE
            - --log_output_level=default:info
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: uds-socket
              mountPath: /sock
            # NOTE(review): the adapter secret is mounted into the proxy
            # container here, whereas the istio-telemetry Deployment in this
            # file mounts its adapter secret into the mixer container. Confirm
            # which container actually needs it; the mount is read-only and the
            # secret is optional either way.
            - name: policy-adapter-secret
              mountPath: /var/run/secrets/istio.io/policy/adapter
              readOnly: true
2663
2664---
# Mixer "telemetry" (report) service. Same two-container layout as
# istio-policy above: mixer serves on a Unix socket in the shared /sock
# emptyDir and the istio-proxy container reaches it through that mount.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: istio-mixer
    chart: mixer
    heritage: Tiller
    release: release-name
    istio: mixer
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: mixer
      istio-mixer-type: telemetry
  template:
    metadata:
      labels:
        app: telemetry
        chart: mixer
        heritage: Tiller
        release: release-name
        security.istio.io/tlsMode: "istio"
        istio: mixer
        istio-mixer-type: telemetry
      annotations:
        # The proxy is an explicit container below; do not inject another.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-mixer-service-account
      volumes:
        - name: istio-certs
          secret:
            secretName: istio.istio-mixer-service-account
            optional: true
        # Shared socket directory between the mixer and proxy containers.
        - name: uds-socket
          emptyDir: {}
        - name: telemetry-adapter-secret
          secret:
            secretName: telemetry-adapter-secret
            optional: true
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy spelling of kubernetes.io/arch.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
      # NOTE(review): neither container sets a securityContext.
      containers:
        - name: mixer
          image: "docker.io/istio/mixer:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15014  # monitoring (see --monitoringPort and livenessProbe)
            - containerPort: 42422
          args:
            - --monitoringPort=15014
            - --address
            - unix:///sock/mixer.socket
            - --log_output_level=default:info
            # Configuration is pulled over MCP from Galley rather than read
            # from adapter CRDs directly.
            - --configStoreURL=mcp://istio-galley.istio-system.svc:9901
            - --configDefaultNamespace=istio-system
            - --useAdapterCRDs=false
            # Traces are exported over plain HTTP inside the cluster.
            - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans
            # Load shedding is enforced (not just logged) once average report
            # latency exceeds 100ms.
            - --averageLatencyThreshold
            - 100ms
            - --loadsheddingMode
            - enforce
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: GOMAXPROCS
              value: "6"
          resources:
            limits:
              cpu: 4800m
              memory: 4G
            requests:
              cpu: 1000m
              memory: 1G
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            # Adapter credentials are mounted into mixer here (the istio-policy
            # Deployment above mounts its equivalent into the proxy container).
            - name: telemetry-adapter-secret
              mountPath: /var/run/secrets/istio.io/telemetry/adapter
              readOnly: true
            - name: uds-socket
              mountPath: /sock
          livenessProbe:
            httpGet:
              path: /version
              port: 15014
            initialDelaySeconds: 5
            periodSeconds: 5
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9091
            - containerPort: 15004
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-telemetry
            - --templateFile
            - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
            # NOTE(review): plaintext, unauthenticated connection to the
            # control plane (same setting as the other proxies in this file).
            - --controlPlaneAuthPolicy
            - NONE
            - --log_output_level=default:info
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: uds-socket
              mountPath: /sock
2846
2847---
2848
2849---
# Source: istio/charts/pilot/templates/deployment.yaml
# Pilot (discovery): serves xDS configuration to every proxy in the mesh.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-pilot
  namespace: istio-system
  # TODO: default template doesn't have this, which one is right ?
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: release-name
    istio: pilot
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: pilot
  template:
    metadata:
      labels:
        app: pilot
        chart: pilot
        heritage: Tiller
        release: release-name
        istio: pilot
      annotations:
        # The proxy is an explicit container below; do not inject another.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-pilot-service-account
      # NOTE(review): neither container sets a securityContext.
      containers:
        - name: discovery
          image: "docker.io/istio/pilot:1.4.6"
          imagePullPolicy: IfNotPresent
          args:
            - "discovery"
            - --monitoringAddr=:15014
            - --log_output_level=default:info
            - --domain
            - cluster.local
            # NOTE(review): an empty --secureGrpcAddr disables Pilot's own TLS
            # xDS listener, so discovery serves only plaintext gRPC on 15010 —
            # the port every proxy in this file dials with
            # --controlPlaneAuthPolicy NONE.
            - --secureGrpcAddr
            - ""
            - --keepaliveMaxServerConnectionAge
            - "30m"
          ports:
            - containerPort: 8080  # HTTP; readiness at /ready
            - containerPort: 15010  # plaintext xDS gRPC
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 5
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: PILOT_PUSH_THROTTLE
              value: "100"
            # Trace sampling rate (Istio documents this value as a percentage).
            - name: PILOT_TRACE_SAMPLING
              value: "1"
            # Protocol sniffing is enabled for outbound listeners only.
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
              value: "true"
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
              value: "false"
          # NOTE(review): requests only, no limits, for the discovery container.
          resources:
            requests:
              cpu: 500m
              memory: 2048Mi
          volumeMounts:
            # Mesh config from the "istio" ConfigMap; not marked readOnly,
            # unlike the certificate mount below.
            - name: config-volume
              mountPath: /etc/istio/config
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.4.6"
          imagePullPolicy: IfNotPresent
          # This sidecar is rendered from envoy_pilot.yaml.tmpl; presumably it
          # is what fronts discovery on these ports (15011 being the secure
          # xDS port) — confirm against that template.
          ports:
            - containerPort: 15003
            - containerPort: 15005
            - containerPort: 15007
            - containerPort: 15011
          args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-pilot
            - --templateFile
            - /etc/istio/proxy/envoy_pilot.yaml.tmpl
            - --controlPlaneAuthPolicy
            - NONE
            - --log_output_level=default:info
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
      volumes:
        - name: config-volume
          configMap:
            name: istio
        # Optional: Pilot starts even before Citadel has issued its certificate.
        - name: istio-certs
          secret:
            secretName: istio.istio-pilot-service-account
            optional: true
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy spelling of kubernetes.io/arch.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
3027
3028---
# Source: istio/charts/prometheus/templates/deployment.yaml
# TODO: the original template has service account, roles, etc
# Single-replica Prometheus for mesh telemetry (6h local retention).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Tiller
    release: release-name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus
  template:
    metadata:
      labels:
        app: prometheus
        chart: prometheus
        heritage: Tiller
        release: release-name
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: prometheus
      # NOTE(review): no securityContext and no resource limits are set.
      containers:
        - name: prometheus
          image: "docker.io/prom/prometheus:v2.12.0"
          imagePullPolicy: IfNotPresent
          args:
            - '--storage.tsdb.retention=6h'
            - '--config.file=/etc/prometheus/prometheus.yml'
          ports:
            - containerPort: 9090
              name: http
          livenessProbe:
            httpGet:
              path: /-/healthy
              port: 9090
          readinessProbe:
            httpGet:
              path: /-/ready
              port: 9090
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - name: config-volume
              mountPath: /etc/prometheus
            # NOTE(review): not readOnly, unlike the /etc/certs mounts used by
            # the Istio components in this file.
            - mountPath: /etc/istio-certs
              name: istio-certs
      volumes:
        - name: config-volume
          configMap:
            name: prometheus
        # Mounts the Citadel-issued identity of the "default" service account
        # (same istio.<serviceaccount> naming as the other cert secrets here),
        # presumably so Prometheus can scrape mTLS-protected targets. This
        # gives Prometheus that service account's credentials (presumably cert
        # chain and private key). Not optional: the pod does not start until
        # Citadel has created the secret.
        - name: istio-certs
          secret:
            defaultMode: 420  # decimal 420 == 0644
            secretName: istio.default
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy spelling of kubernetes.io/arch.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
3125
3126---
# Source: istio/charts/security/templates/deployment.yaml
# istio CA watching all namespaces
# Citadel: the mesh CA that issues the istio.<serviceaccount> certificate
# secrets mounted by the other Deployments in this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-citadel
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
    istio: citadel
spec:
  replicas: 1
  selector:
    matchLabels:
      istio: citadel
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: release-name
        istio: citadel
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-citadel-service-account
      # NOTE(review): the CA runs with no securityContext and no resource
      # limits.
      containers:
        - name: citadel
          image: "docker.io/istio/citadel:1.4.6"
          imagePullPolicy: IfNotPresent
          args:
            - --append-dns-names=true
            - --grpc-port=8060
            # Namespace holding the CA's own secret material.
            - --citadel-storage-namespace=istio-system
            # Extra SAN so Pilot's certificate also matches istio-pilot.istio-system.
            - --custom-dns-names=istio-pilot-service-account.istio-system:istio-pilot.istio-system
            - --monitoring-port=15014
            # NOTE(review): Citadel generates its own self-signed root. With
            # this setting the root secret in --citadel-storage-namespace is
            # the trust anchor for the whole mesh; production installs usually
            # plug in a root/intermediate from an organisational PKI instead.
            - --self-signed-ca=true
            - --workload-cert-ttl=2160h  # 90 days
          env:
            - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT
              value: "true"
          resources:
            requests:
              cpu: 10m
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy spelling of kubernetes.io/arch.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
3213
3214---
# Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
# Sidecar injector: serves the mutating admission webhook that the
# MutatingWebhookConfiguration later in this file points at.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: release-name
    istio: sidecar-injector
spec:
  replicas: 1
  selector:
    matchLabels:
      istio: sidecar-injector
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: sidecarInjectorWebhook
        chart: sidecarInjectorWebhook
        heritage: Tiller
        release: release-name
        istio: sidecar-injector
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-sidecar-injector-service-account
      # NOTE(review): no securityContext and no resource limits are set.
      containers:
        - name: sidecar-injector-webhook
          image: "docker.io/istio/sidecar_injector:1.4.6"
          imagePullPolicy: IfNotPresent
          args:
            # Webhook TLS material comes from the "certs" secret volume below.
            - --caCertFile=/etc/istio/certs/root-cert.pem
            - --tlsCertFile=/etc/istio/certs/cert-chain.pem
            - --tlsKeyFile=/etc/istio/certs/key.pem
            - --injectConfig=/etc/istio/inject/config
            - --meshConfig=/etc/istio/config/mesh
            - --healthCheckInterval=2s
            - --healthCheckFile=/health
            # Keeps the MutatingWebhookConfiguration in sync with the serving
            # CA — presumably this is what populates its caBundle, which is
            # empty ("") in the manifest below.
            - --reconcileWebhookConfig=true
          volumeMounts:
            - name: config-volume
              mountPath: /etc/istio/config
              readOnly: true
            - name: certs
              mountPath: /etc/istio/certs
              readOnly: true
            - name: inject-config
              mountPath: /etc/istio/inject
              readOnly: true
          # Both probes check the freshness of the /health file written at
          # --healthCheckInterval.
          livenessProbe:
            exec:
              command:
                - /usr/local/bin/sidecar-injector
                - probe
                - --probe-path=/health
                - --interval=4s
            initialDelaySeconds: 4
            periodSeconds: 4
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/sidecar-injector
                - probe
                - --probe-path=/health
                - --interval=4s
            initialDelaySeconds: 4
            periodSeconds: 4
          resources:
            requests:
              cpu: 10m
      volumes:
        - name: config-volume
          configMap:
            name: istio
        # Not optional (unlike the istio-certs volumes elsewhere in this file):
        # the webhook cannot serve TLS without it, so refusing to start is the
        # right outcome.
        - name: certs
          secret:
            secretName: istio.istio-sidecar-injector-service-account
        - name: inject-config
          configMap:
            name: istio-sidecar-injector
            items:
              - key: config
                path: config
              - key: values
                path: values
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy spelling of kubernetes.io/arch.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
3341
3342---
# Source: istio/charts/gateways/templates/autoscale.yaml
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25; the
# autoscaling/v2 form expresses the same target as
# target: {type: Utilization, averageUtilization: 80}.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: release-name
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  # Scales the istio-ingressgateway Deployment between 1 and 5 replicas on
  # CPU. With minReplicas 1, a PodDisruptionBudget requiring minAvailable: 1
  # on these pods would block voluntary eviction (e.g. node drain) whenever
  # only one replica is running.
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
3368---
3369
3370---
# Source: istio/charts/mixer/templates/autoscale.yaml
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25; migrate
# to autoscaling/v2 (target: {type: Utilization, averageUtilization: 80}).
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  # CPU-based scaling of the istio-policy Deployment, 1 to 5 replicas.
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-policy
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
3395---
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25; migrate
# to autoscaling/v2 (target: {type: Utilization, averageUtilization: 80}).
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  # CPU-based scaling of the istio-telemetry Deployment, 1 to 5 replicas.
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-telemetry
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
3418---
3419
3420---
# Source: istio/charts/pilot/templates/autoscale.yaml
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25; migrate
# to autoscaling/v2 (target: {type: Utilization, averageUtilization: 80}).
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: release-name
spec:
  # CPU-based scaling of the istio-pilot Deployment, 1 to 5 replicas.
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-pilot
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
3445---
3446
3447---
# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
# NOTE(review): admissionregistration.k8s.io/v1beta1 was removed in
# Kubernetes 1.22. The v1 API additionally requires sideEffects and
# admissionReviewVersions, neither of which is set here.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: release-name
webhooks:
  - name: sidecar-injector.istio.io
    clientConfig:
      service:
        name: istio-sidecar-injector
        namespace: istio-system
        path: "/inject"
      # Empty at install time: the API server cannot verify the webhook's
      # serving certificate until this is populated. The istio-sidecar-injector
      # Deployment runs with --reconcileWebhookConfig=true, which is presumably
      # what fills it in at runtime.
      caBundle: ""
    rules:
      # Only pod creation is intercepted; later UPDATEs are not re-evaluated.
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    # Fail-closed: if the injector is unreachable, pod creation in opted-in
    # namespaces is rejected rather than admitted without a sidecar.
    failurePolicy: Fail
    # Opt-in per namespace via the istio-injection=enabled label.
    namespaceSelector:
      matchLabels:
        istio-injection: enabled
3476
3477---
3478# Source: istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl
3479
3480
3481---
3482# Source: istio/charts/gateways/templates/preconfigured.yaml
3483
3484
3485---
3486# Source: istio/charts/pilot/templates/configmap.yaml
3487
3488
3489---
3490# Source: istio/charts/pilot/templates/meshexpansion.yaml
3491
3492
3493
3494---
3495# Source: istio/charts/prometheus/templates/ingress.yaml
3496
3497---
3498# Source: istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml
3499
3500
3501---
3502# Source: istio/charts/security/templates/enable-mesh-mtls.yaml
3503
3504
3505---
3506# Source: istio/charts/security/templates/enable-mesh-permissive.yaml
3507
3508
3509---
3510# Source: istio/charts/security/templates/meshexpansion.yaml
3511
3512
3513---
3514# Source: istio/charts/security/templates/tests/test-citadel-connection.yaml
3515
3516
3517---
3518# Source: istio/templates/endpoints.yaml
3519
3520
3521---
3522# Source: istio/templates/install-custom-resources.sh.tpl
3523
3524
3525---
3526# Source: istio/templates/service.yaml
3527
3528
3529---
# Source: istio/charts/mixer/templates/config.yaml
# Attribute vocabulary reported by the Envoy proxies to Mixer: each key is an
# attribute name and valueType is its Mixer type.
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
  name: istioproxy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  attributes:
    origin.ip:
      valueType: IP_ADDRESS
    origin.uid:
      valueType: STRING
    origin.user:
      valueType: STRING
    request.headers:
      valueType: STRING_MAP
    request.id:
      valueType: STRING
    request.host:
      valueType: STRING
    request.method:
      valueType: STRING
    request.path:
      valueType: STRING
    request.url_path:
      valueType: STRING
    request.query_params:
      valueType: STRING_MAP
    request.reason:
      valueType: STRING
    request.referer:
      valueType: STRING
    request.scheme:
      valueType: STRING
    request.total_size:
      valueType: INT64
    request.size:
      valueType: INT64
    request.time:
      valueType: TIMESTAMP
    request.useragent:
      valueType: STRING
    response.code:
      valueType: INT64
    response.duration:
      valueType: DURATION
    response.headers:
      valueType: STRING_MAP
    response.total_size:
      valueType: INT64
    response.size:
      valueType: INT64
    response.time:
      valueType: TIMESTAMP
    response.grpc_status:
      valueType: STRING
    response.grpc_message:
      valueType: STRING
    source.uid:
      valueType: STRING
    source.user:  # DEPRECATED
      valueType: STRING
    source.principal:
      valueType: STRING
    destination.uid:
      valueType: STRING
    destination.principal:
      valueType: STRING
    destination.port:
      valueType: INT64
    connection.event:
      valueType: STRING
    connection.id:
      valueType: STRING
    connection.received.bytes:
      valueType: INT64
    connection.received.bytes_total:
      valueType: INT64
    connection.sent.bytes:
      valueType: INT64
    connection.sent.bytes_total:
      valueType: INT64
    connection.duration:
      valueType: DURATION
    connection.mtls:
      valueType: BOOL
    connection.requested_server_name:
      valueType: STRING
    context.protocol:
      valueType: STRING
    context.proxy_error_code:
      valueType: STRING
    context.timestamp:
      valueType: TIMESTAMP
    context.time:
      valueType: TIMESTAMP
    # Deprecated, kept for compatibility
    context.reporter.local:
      valueType: BOOL
    context.reporter.kind:
      valueType: STRING
    context.reporter.uid:
      valueType: STRING
    api.service:
      valueType: STRING
    api.version:
      valueType: STRING
    api.operation:
      valueType: STRING
    api.protocol:
      valueType: STRING
    # Request authentication (JWT) attributes.
    request.auth.principal:
      valueType: STRING
    request.auth.audiences:
      valueType: STRING
    request.auth.presenter:
      valueType: STRING
    request.auth.claims:
      valueType: STRING_MAP
    request.auth.raw_claims:
      valueType: STRING
    request.api_key:
      valueType: STRING
    # RBAC permissive-mode reporting attributes.
    rbac.permissive.response_code:
      valueType: STRING
    rbac.permissive.effective_policy_id:
      valueType: STRING
    check.error_code:
      valueType: INT64
    check.error_message:
      valueType: STRING
    check.cache_hit:
      valueType: BOOL
    quota.cache_hit:
      valueType: BOOL
    context.proxy_version:
      valueType: STRING
3673
3674---
# Attribute vocabulary for Kubernetes workload/service metadata (source.* and
# destination.*), presumably populated by Mixer's Kubernetes adapter.
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
  name: kubernetes
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  attributes:
    source.ip:
      valueType: IP_ADDRESS
    source.labels:
      valueType: STRING_MAP
    source.metadata:
      valueType: STRING_MAP
    source.name:
      valueType: STRING
    source.namespace:
      valueType: STRING
    source.owner:
      valueType: STRING
    source.serviceAccount:
      valueType: STRING
    source.services:
      valueType: STRING
    source.workload.uid:
      valueType: STRING
    source.workload.name:
      valueType: STRING
    source.workload.namespace:
      valueType: STRING
    destination.ip:
      valueType: IP_ADDRESS
    destination.labels:
      valueType: STRING_MAP
    destination.metadata:
      valueType: STRING_MAP
    destination.owner:
      valueType: STRING
    destination.name:
      valueType: STRING
    destination.container.name:
      valueType: STRING
    destination.namespace:
      valueType: STRING
    destination.service.uid:
      valueType: STRING
    destination.service.name:
      valueType: STRING
    destination.service.namespace:
      valueType: STRING
    destination.service.host:
      valueType: STRING
    destination.serviceAccount:
      valueType: STRING
    destination.workload.uid:
      valueType: STRING
    destination.workload.name:
      valueType: STRING
    destination.workload.namespace:
      valueType: STRING
3739---
3740---
# Metric instance `requestcount`: emits a constant sample of "1" per request,
# which the prometheus handler turns into the `requests_total` counter.
# Every dimension uses `| "<default>"` so a missing attribute never fails the
# expression; the defaults below are therefore what shows up in the metric when
# the proxy did not supply the attribute.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestcount
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      # "inbound" is assumed when the reporter kind is absent.
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      # *_principal come from the proxy's mTLS peer identity attributes; they
      # are not part of the `kubernetes` attribute manifest above.
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # Falls back to request.host when no service was resolved. request.host is
      # taken from the client's Host header, so this label is client-controlled
      # and unbounded for unresolved destinations — watch series cardinality.
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A missing response.code is recorded as 200, not as an error.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # Only meaningful on the inbound (destination) side; absent connection.mtls
      # is treated as plaintext ("none"), which is the conservative reading.
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    # Outer single quotes keep the inner double quotes, so the value is the
    # expression string literal "UNSPECIFIED", not an attribute reference.
    monitored_resource_type: '"UNSPECIFIED"'
3777---
# Metric instance `requestduration`: samples response.duration (default "0ms")
# into the `request_duration_seconds` distribution. The dimension set is
# identical to `requestcount` so the two series can be joined by label.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestduration
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    # A request with no duration attribute is recorded as 0ms, not dropped.
    value: response.duration | "0ms"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # request.host fallback is client-supplied; unbounded label cardinality
      # for unresolved destinations.
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    # Expression string literal "UNSPECIFIED" (hence the nested quotes).
    monitored_resource_type: '"UNSPECIFIED"'
3814---
# Metric instance `requestsize`: samples request.size (default 0) into the
# `request_bytes` distribution. Same dimension set as `requestcount`.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestsize
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: request.size | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # request.host fallback is client-supplied; unbounded label cardinality
      # for unresolved destinations.
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    # Expression string literal "UNSPECIFIED" (hence the nested quotes).
    monitored_resource_type: '"UNSPECIFIED"'
3851---
# Metric instance `responsesize`: samples response.size (default 0) into the
# `response_bytes` distribution. Same dimension set as `requestcount`.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: responsesize
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: response.size | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # request.host fallback is client-supplied; unbounded label cardinality
      # for unresolved destinations.
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    # Expression string literal "UNSPECIFIED" (hence the nested quotes).
    monitored_resource_type: '"UNSPECIFIED"'
3888---
# Metric instance `tcpbytesent`: samples connection.sent.bytes (default 0) into
# the `tcp_sent_bytes_total` counter. TCP instances carry no request-level
# labels (protocol, response code, RBAC fields) and no request.host fallback,
# so their label set is smaller and fully server-derived.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpbytesent
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: connection.sent.bytes | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Absent connection.mtls is reported as "none" (plaintext).
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
    # Expression string literal "UNSPECIFIED" (hence the nested quotes).
    monitored_resource_type: '"UNSPECIFIED"'
3921---
# Metric instance `tcpbytereceived`: samples connection.received.bytes
# (default 0) into the `tcp_received_bytes_total` counter. Same label set as
# `tcpbytesent`.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpbytereceived
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: connection.received.bytes | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Absent connection.mtls is reported as "none" (plaintext).
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
    # Expression string literal "UNSPECIFIED" (hence the nested quotes).
    monitored_resource_type: '"UNSPECIFIED"'
3954---
# Metric instance `tcpconnectionsopened`: constant "1" per connection-open
# event, feeding the `tcp_connections_opened_total` counter. The "open" event
# filter lives in the `promtcpconnectionopen` rule, not here.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpconnectionsopened
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Absent connection.mtls is reported as "none" (plaintext).
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
    # Expression string literal "UNSPECIFIED" (hence the nested quotes).
    monitored_resource_type: '"UNSPECIFIED"'
3987---
# Metric instance `tcpconnectionsclosed`: constant "1" per connection-close
# event, feeding the `tcp_connections_closed_total` counter. The "close" event
# filter lives in the `promtcpconnectionclosed` rule, not here.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpconnectionsclosed
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Absent connection.mtls is reported as "none" (plaintext).
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
    # Expression string literal "UNSPECIFIED" (hence the nested quotes).
    monitored_resource_type: '"UNSPECIFIED"'
4020---
# Prometheus handler: maps each metric instance above onto an exported
# Prometheus metric. `label_names` must list exactly the dimension keys of the
# referenced instance; a label named here that the instance does not emit, or
# vice versa, is a configuration error surfaced by Mixer, not by YAML parsing.
# Cardinality note: the label set includes principals, workloads and
# `destination_service`, whose request.host fallback is client-supplied for
# unresolved destinations. The 10m expiry below bounds how long a stale series
# stays in memory, but not how many distinct series a burst can create.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledAdapter: prometheus
  params:
    metricsExpirationPolicy:
      # Series not updated within this window are dropped from the exporter.
      metricsExpiryDuration: "10m"
    metrics:
      - name: requests_total
        instance_name: requestcount.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
      - name: request_duration_seconds
        instance_name: requestduration.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          # Latency buckets in seconds, 5ms .. 10s.
          explicit_buckets:
            bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
      - name: request_bytes
        instance_name: requestsize.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          # Powers of ten starting at 1 byte.
          exponentialBuckets:
            numFiniteBuckets: 8
            scale: 1
            growthFactor: 10
      - name: response_bytes
        instance_name: responsesize.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          exponentialBuckets:
            numFiniteBuckets: 8
            scale: 1
            growthFactor: 10
      # TCP metrics: smaller label set, matching the tcp* instances.
      - name: tcp_sent_bytes_total
        instance_name: tcpbytesent.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      - name: tcp_received_bytes_total
        instance_name: tcpbytereceived.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      - name: tcp_connections_opened_total
        instance_name: tcpconnectionsopened.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      - name: tcp_connections_closed_total
        instance_name: tcpconnectionsclosed.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
4226---
# Rule `promhttp`: routes the four HTTP/gRPC metric instances to the
# prometheus handler.
# The match excludes requests whose User-Agent starts with "kube-probe" or
# "Prometheus" (health checks and scrapes). User-Agent is a client-supplied
# header, so any client presenting one of those prefixes is likewise omitted
# from these metrics; treat them as operational telemetry, not as a complete
# audit trail, and rely on access logs / policy for security-relevant records.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promhttp
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false)
  actions:
    - handler: prometheus
      instances:
        - requestcount
        - requestduration
        - requestsize
        - responsesize
4246---
# Rule `promtcp`: byte counters for every TCP report, regardless of
# connection event. Connection open/close counts are handled by the two
# dedicated rules that follow.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcp
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  match: context.protocol == "tcp"
  actions:
    - handler: prometheus
      instances:
        - tcpbytesent
        - tcpbytereceived
4264---
# Rule `promtcpconnectionopen`: counts TCP connection-open events only.
# connection.event defaults to "na" when absent, so reports without the
# attribute are not counted as opens.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcpconnectionopen
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  match: context.protocol == "tcp" && ((connection.event | "na") == "open")
  actions:
    - handler: prometheus
      instances:
        - tcpconnectionsopened
4281---
# Rule `promtcpconnectionclosed`: counts TCP connection-close events only;
# mirror of `promtcpconnectionopen`.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcpconnectionclosed
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  match: context.protocol == "tcp" && ((connection.event | "na") == "close")
  actions:
    - handler: prometheus
      instances:
        - tcpconnectionsclosed
4298---
# Handler `kubernetesenv`: the adapter that resolves pod/workload metadata for
# the `attributes` instance. `params:` is intentionally left empty (YAML null),
# which means the adapter uses the in-cluster service account credentials of
# the Mixer pod; the commented `kubeconfig_path` is a local-development
# override only and must not be enabled in a cluster deployment.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: kubernetesenv
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledAdapter: kubernetesenv
  params:
    # When running from the mixer source root, use the following config after
    # adding a symbolic link to a kubernetes config file via:
    #
    #   $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
    #
    # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
4318
4319---
# Rule `kubeattrgenrulerule`: no `match`, so it runs for every report and
# invokes the `attributes` instance through the `kubernetesenv` handler to
# enrich source.*/destination.* attributes before the metric rules evaluate.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: kubeattrgenrulerule
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  actions:
    - handler: kubernetesenv
      instances:
        - attributes
4335---
# Rule `tcpkubeattrgenrulerule`: same action as `kubeattrgenrulerule` but
# restricted to TCP reports. Because the unmatched rule above already covers
# every protocol, this one is presumably here to guarantee attribute
# generation on the TCP path — verify against the chart before removing either.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: tcpkubeattrgenrulerule
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  match: context.protocol == "tcp"
  actions:
    - handler: kubernetesenv
      instances:
        - attributes
4352---
# Instance `attributes` (template `kubernetes`): feeds the caller's uid/ip and
# the callee's uid/port to the kubernetesenv adapter, then rebinds the
# adapter's `$out.*` fields onto the attribute names declared in the
# `kubernetes` attribute manifest.
# Identity note: everything bound here is derived from a pod lookup keyed by
# uid/IP, i.e. it is metadata, not an authenticated peer identity. The
# authenticated identity is carried separately by source.principal /
# destination.principal, which this instance does not set.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: attributes
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: kubernetes
  params:
    # Pass the required attribute data to the adapter.
    source_uid: source.uid | ""
    source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
    destination_uid: destination.uid | ""
    destination_port: destination.port | 0
  attributeBindings:
    # Fill the new attributes from the adapter-produced output.
    # $out refers to an instance of the OutputTemplate message.
    # Note the asymmetric defaults: namespaces fall back to "default" while
    # every other field falls back to "unknown", so an unresolved pod appears
    # as workload "unknown" in namespace "default".
    source.ip: $out.source_pod_ip | ip("0.0.0.0")
    source.uid: $out.source_pod_uid | "unknown"
    source.labels: $out.source_labels | emptyStringMap()
    source.name: $out.source_pod_name | "unknown"
    source.namespace: $out.source_namespace | "default"
    source.owner: $out.source_owner | "unknown"
    source.serviceAccount: $out.source_service_account_name | "unknown"
    source.workload.uid: $out.source_workload_uid | "unknown"
    source.workload.name: $out.source_workload_name | "unknown"
    source.workload.namespace: $out.source_workload_namespace | "unknown"
    destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
    destination.uid: $out.destination_pod_uid | "unknown"
    destination.labels: $out.destination_labels | emptyStringMap()
    destination.name: $out.destination_pod_name | "unknown"
    destination.container.name: $out.destination_container_name | "unknown"
    destination.namespace: $out.destination_namespace | "default"
    destination.owner: $out.destination_owner | "unknown"
    destination.serviceAccount: $out.destination_service_account_name | "unknown"
    destination.workload.uid: $out.destination_workload_uid | "unknown"
    destination.workload.name: $out.destination_workload_name | "unknown"
    destination.workload.namespace: $out.destination_workload_namespace | "unknown"
4395---
# Configuration needed by Mixer.
# The Mixer cluster is delivered to sidecars via CDS; this DestinationRule
# sets the client-side settings sidecars use when calling istio-policy.
# Transport security is per port: 15004 requires Istio mutual TLS, while 9091
# is served in plaintext (`DISABLE`). Any policy check sent over 9091 is
# therefore neither encrypted nor client-authenticated at the transport layer;
# which port a sidecar uses is decided by the proxy configuration, not here.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  host: istio-policy.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 15004 # grpc-mixer-mtls
        tls:
          mode: ISTIO_MUTUAL
      - port:
          number: 9091 # grpc-mixer
        tls:
          mode: DISABLE
    connectionPool:
      http:
        # Generous limits: policy checks are on the request path, so
        # exhausting the pool would surface as check failures.
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
4425---
# Client-side settings for sidecar → istio-telemetry reports; mirror of the
# istio-policy rule above. Port 15004 is Istio mutual TLS, port 9091 is
# plaintext (`DISABLE`), so reports sent over 9091 are not transport-protected.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  host: istio-telemetry.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 15004 # grpc-mixer-mtls
        tls:
          mode: ISTIO_MUTUAL
      - port:
          number: 9091 # grpc-mixer
        tls:
          mode: DISABLE
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
4452---