---
# Source: istio/charts/galley/templates/poddisruptionbudget.yaml
#
# Keeps at least one istio-galley pod up across voluntary disruptions
# (node drains, evictions). The rendered galley values further down this
# page (istio-sidecar-injector ConfigMap) set replicaCount to 1, so with
# minAvailable: 1 the eviction API will not release the only pod and a
# drain of its node can stall — confirm this is intended.
# policy/v1beta1 is the beta PodDisruptionBudget API of this era.

apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: release-name
    istio: galley
spec:

  minAvailable: 1
  # Must match the pod labels of the galley Deployment (not on this page).
  selector:
    matchLabels:
      app: galley
      release: release-name
      istio: galley

---
# Source: istio/charts/gateways/templates/poddisruptionbudget.yaml
#
# PDB for the internal load-balancer gateway. Its rendered values
# (istio-sidecar-injector ConfigMap below) have autoscaleMin 1, so when the
# autoscaler sits at its floor this minAvailable: 1 budget pins the single
# pod against voluntary eviction.

apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-ilbgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: release-name
    app: istio-ilbgateway
    istio: ilbgateway
spec:

  minAvailable: 1
  # Selector must agree with the ilbgateway Deployment's pod labels.
  selector:
    matchLabels:
      release: release-name
      app: istio-ilbgateway
      istio: ilbgateway
---
# Second document rendered from istio/charts/gateways/templates/poddisruptionbudget.yaml:
# PDB for the public ingress gateway. Rendered values below give it
# autoscaleMin 1, so at the autoscaler floor minAvailable: 1 blocks voluntary
# eviction of the only gateway pod — relevant for node-drain runbooks.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: release-name
    app: istio-ingressgateway
    istio: ingressgateway
spec:

  minAvailable: 1
  # Selector must agree with the ingressgateway Deployment's pod labels.
  selector:
    matchLabels:
      release: release-name
      app: istio-ingressgateway
      istio: ingressgateway
66---
67
---
# Source: istio/charts/mixer/templates/poddisruptionbudget.yaml
#
# PDB for the Mixer policy deployment. The mixer replica count is not
# visible on this page; if it runs a single replica, minAvailable: 1 will
# block voluntary eviction of that pod.

apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: policy
    chart: mixer
    heritage: Tiller
    release: release-name
    # Three-component version string parses as a plain string in YAML.
    version: 1.4.6
    istio: mixer
    istio-mixer-type: policy
spec:

  minAvailable: 1
  # istio-mixer-type distinguishes the policy pods from the telemetry pods
  # that share app/istio labels.
  selector:
    matchLabels:
      app: policy
      release: release-name
      istio: mixer
      istio-mixer-type: policy
---
# Second document rendered from istio/charts/mixer/templates/poddisruptionbudget.yaml:
# PDB for the Mixer telemetry deployment. Replica count is not on this page;
# with a single replica, minAvailable: 1 blocks voluntary eviction.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: telemetry
    chart: mixer
    heritage: Tiller
    release: release-name
    version: 1.4.6
    istio: mixer
    istio-mixer-type: telemetry
spec:

  minAvailable: 1
  # istio-mixer-type separates telemetry pods from policy pods.
  selector:
    matchLabels:
      app: telemetry
      release: release-name
      istio: mixer
      istio-mixer-type: telemetry
116---
117
---
# Source: istio/charts/pilot/templates/poddisruptionbudget.yaml
#
# PDB for Pilot. Replica count is not visible here; with a single replica,
# minAvailable: 1 blocks voluntary eviction of the control-plane pod.

apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: release-name
    istio: pilot
spec:

  minAvailable: 1
  # Must match the pilot Deployment's pod labels (not on this page).
  selector:
    matchLabels:
      app: pilot
      release: release-name
      istio: pilot

---
# Source: istio/charts/security/templates/poddisruptionbudget.yaml
#
# PDB for Citadel (the mesh CA). Replica count is not visible here; with a
# single replica, minAvailable: 1 blocks voluntary eviction of the CA pod.

apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-citadel
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
    istio: citadel
spec:

  minAvailable: 1
  # Must match the citadel Deployment's pod labels (not on this page).
  selector:
    matchLabels:
      app: security
      release: release-name
      istio: citadel

---
# Source: istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml
#
# PDB for the sidecar injector webhook. Unlike the other PDBs on this page
# it carries no chart/heritage labels. Replica count is not visible here;
# with a single replica, minAvailable: 1 blocks voluntary eviction.

apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    app: sidecarInjectorWebhook
    release: release-name
    istio: sidecar-injector
spec:

  minAvailable: 1
  # Must match the injector Deployment's pod labels (not on this page).
  selector:
    matchLabels:
      app: sidecarInjectorWebhook
      release: release-name
      istio: sidecar-injector

---
# Source: istio/charts/galley/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-galley-configuration
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: release-name
    istio: galley
data:
  # ValidatingWebhookConfiguration carried as ConfigMap data, presumably for
  # galley to apply rather than being applied directly — confirm against the
  # galley deployment, which is not on this page.
  # Both webhooks are rendered with caBundle: "". Until the bundle is
  # populated the API server cannot verify the istio-galley service
  # certificate, the webhook call fails, and failurePolicy: Fail turns that
  # into a rejection of every CREATE/UPDATE on the listed Istio resources
  # (fail-closed, not fail-open). sideEffects: None lets dry-run requests
  # pass through the webhook.
  validatingwebhookconfiguration.yaml: |-
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: istio-galley
      labels:
        app: galley
        chart: galley
        heritage: Tiller
        release: release-name
        istio: galley
    webhooks:
      - name: pilot.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: istio-system
            path: "/admitpilot"
          caBundle: ""
        rules:
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - config.istio.io
            apiVersions:
              - v1alpha2
            resources:
              - httpapispecs
              - httpapispecbindings
              - quotaspecs
              - quotaspecbindings
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - rbac.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - security.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - authentication.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - networking.istio.io
            apiVersions:
              - "*"
            resources:
              - destinationrules
              - envoyfilters
              - gateways
              - serviceentries
              - sidecars
              - virtualservices
        failurePolicy: Fail
        sideEffects: None
      - name: mixer.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: istio-system
            path: "/admitmixer"
          caBundle: ""
        rules:
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - config.istio.io
            apiVersions:
              - v1alpha2
            resources:
              - rules
              - attributemanifests
              - circonuses
              - deniers
              - fluentds
              - kubernetesenvs
              - listcheckers
              - memquotas
              - noops
              - opas
              - prometheuses
              - rbacs
              - solarwindses
              - stackdrivers
              - cloudwatches
              - dogstatsds
              - statsds
              - stdios
              - apikeys
              - authorizations
              - checknothings
              # - kuberneteses
              - listentries
              - logentries
              - metrics
              - quotas
              - reportnothings
              - tracespans
              - adapters
              - handlers
              - instances
              - templates
              - zipkins
        failurePolicy: Fail
        sideEffects: None

---
# Source: istio/charts/prometheus/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Tiller
    release: release-name
data:
  # Review notes on the scrape config below (values left as rendered):
  #  - The kubernetes-apiservers, kubernetes-nodes and kubernetes-cadvisor
  #    jobs authenticate with the pod's service-account token and go through
  #    the API server proxy, so the RBAC granted to the prometheus
  #    ServiceAccount (not on this page) bounds what they can read.
  #  - The kubernetes-pods, kubernetes-pods-istio-secure and
  #    kubernetes-service-endpoints jobs have no namespace restriction: any
  #    pod or service in the cluster annotated prometheus.io/scrape=true is
  #    scraped, so that annotation is an opt-in anyone with pod-create rights
  #    can set.
  #  - kubernetes-pods-istio-secure presents the workload certificate from
  #    /etc/istio-certs but sets insecure_skip_verify: true, so the identity
  #    of the scraped endpoint is not verified (the inline comment gives the
  #    reason); the mTLS here authenticates Prometheus to the target, not the
  #    reverse.
  prometheus.yml: |-
    global:
      scrape_interval: 15s
    scrape_configs:

      - job_name: 'istio-mesh'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-telemetry;prometheus

      # Scrape config for envoy stats
      - job_name: 'envoy-stats'
        metrics_path: /stats/prometheus
        kubernetes_sd_configs:
          - role: pod

        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_container_port_name]
            action: keep
            regex: '.*-envoy-prom'
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:15090
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name

      - job_name: 'istio-policy'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system


        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-policy;http-monitoring

      - job_name: 'istio-telemetry'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-telemetry;http-monitoring

      - job_name: 'pilot'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-pilot;http-monitoring

      - job_name: 'galley'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-galley;http-monitoring

      - job_name: 'citadel'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system

        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-citadel;http-monitoring

      # scrape config for API servers
      - job_name: 'kubernetes-apiservers'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - default
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: kubernetes;https

      # scrape config for nodes (kubelet)
      - job_name: 'kubernetes-nodes'
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        kubernetes_sd_configs:
          - role: node
        relabel_configs:
          - action: labelmap
            regex: __meta_kubernetes_node_label_(.+)
          - target_label: __address__
            replacement: kubernetes.default.svc:443
          - source_labels: [__meta_kubernetes_node_name]
            regex: (.+)
            target_label: __metrics_path__
            replacement: /api/v1/nodes/${1}/proxy/metrics

      # Scrape config for Kubelet cAdvisor.
      #
      # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
      # (those whose names begin with 'container_') have been removed from the
      # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
      # retrieve those metrics.
      #
      # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
      # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
      # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
      # the --cadvisor-port=0 Kubelet flag).
      #
      # This job is not necessary and should be removed in Kubernetes 1.6 and
      # earlier versions, or it will cause the metrics to be scraped twice.
      - job_name: 'kubernetes-cadvisor'
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        kubernetes_sd_configs:
          - role: node
        relabel_configs:
          - action: labelmap
            regex: __meta_kubernetes_node_label_(.+)
          - target_label: __address__
            replacement: kubernetes.default.svc:443
          - source_labels: [__meta_kubernetes_node_name]
            regex: (.+)
            target_label: __metrics_path__
            replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor

      # scrape config for service endpoints.
      - job_name: 'kubernetes-service-endpoints'
        kubernetes_sd_configs:
          - role: endpoints
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
            action: keep
            regex: true
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
            action: replace
            target_label: __scheme__
            regex: (https?)
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
            action: replace
            target_label: __address__
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
          - action: labelmap
            regex: __meta_kubernetes_service_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: kubernetes_namespace
          - source_labels: [__meta_kubernetes_service_name]
            action: replace
            target_label: kubernetes_name

      - job_name: 'kubernetes-pods'
        kubernetes_sd_configs:
          - role: pod
        relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job.
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
            action: keep
            regex: true
          # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http"
          - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme]
            action: keep
            regex: ((;.*)|(.*;http))
          - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
            action: drop
            regex: (true)
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name

      - job_name: 'kubernetes-pods-istio-secure'
        scheme: https
        tls_config:
          ca_file: /etc/istio-certs/root-cert.pem
          cert_file: /etc/istio-certs/cert-chain.pem
          key_file: /etc/istio-certs/key.pem
          insecure_skip_verify: true # prometheus does not support secure naming.
        kubernetes_sd_configs:
          - role: pod
        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
            action: keep
            regex: true
          # sidecar status annotation is added by sidecar injector and
          # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
          - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
            action: keep
            regex: (([^;]+);([^;]*))|(([^;]*);(true))
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
            action: drop
            regex: (http)
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__] # Only keep address that is host:port
            action: keep # otherwise an extra target with ':443' is added for https scheme
            regex: ([^:]+):(\d+)
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name
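---
# Source: istio/charts/security/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-security-custom-resources
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
    istio: citadel
data:
  # Default MeshPolicy applied by run.sh below. PERMISSIVE means sidecars
  # accept both mTLS and plaintext on inbound, so the mesh does not enforce
  # mTLS until a STRICT policy replaces this default.
  custom-resources.yaml: |-
    # Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh.
    apiVersion: "authentication.istio.io/v1alpha1"
    kind: "MeshPolicy"
    metadata:
      name: "default"
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: release-name
    spec:
      peers:
        - mtls:
            mode: PERMISSIVE
  # Applies the file given as $1 with kubectl. When the istio-galley
  # validating webhook is installed it first waits for the galley deployment
  # to roll out so the apply is validated rather than rejected.
  # Changes from the rendered original: the path argument is quoted so a
  # path containing whitespace or glob characters is passed intact, and the
  # "$?" checks are folded into the if/until conditions (same exit-status
  # semantics). Messages, commands and the 5s settle delay are unchanged.
  run.sh: |-
    #!/bin/sh
    # Usage: run.sh <path-to-custom-resource-yaml>
    # Exits 1 on a missing argument or a failed galley rollout; otherwise
    # exits with the status of the final kubectl apply.

    set -x

    if [ "$#" -ne "1" ]; then
      echo "first argument should be path to custom resource yaml"
      exit 1
    fi

    pathToResourceYAML="${1}"

    if kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null; then
      echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
      # Poll until the galley Deployment object exists (no timeout, as before).
      until kubectl -n istio-system get deployment istio-galley 2>/dev/null; do
        sleep 1
      done
      if ! kubectl -n istio-system rollout status deployment istio-galley; then
        echo "istio-galley deployment rollout status check failed"
        exit 1
      fi
      echo "istio-galley deployment ready for configuration validation"
    fi
    sleep 5
    kubectl apply -f "${pathToResourceYAML}"
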
---
# Source: istio/templates/configmap.yaml
#
# Mesh-wide configuration read by Pilot and the sidecars.

apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
    chart: istio
    heritage: Tiller
    release: release-name
data:
  # Review notes on the rendered mesh config below (values left as rendered):
  #  - controlPlaneAuthPolicy: NONE with discoveryAddress on port 15010 means
  #    the sidecar-to-Pilot xDS connection is plaintext; the ilbgateway values
  #    on this page name 15010 "grpc-pilot" and 15011 "grpc-pilot-mtls".
  #  - sdsUdsPath: "" means workload key/cert come from secret-mounted files
  #    rather than SDS, and enableAutoMtls: false means client-side TLS is not
  #    derived from the server's policy; together with the PERMISSIVE
  #    MeshPolicy in istio-security-custom-resources, in-mesh traffic can be
  #    plaintext unless DestinationRules opt in.
  #  - disablePolicyChecks: true makes the policyCheckFailOpen: false setting
  #    moot here, since no Mixer check is performed.
  #  - accessLogFile: "" disables Envoy access logs, so there is no per-request
  #    audit trail from the sidecars unless this is changed.
  #  - trustDomainAliases: is rendered with no value, which YAML reads as null
  #    rather than an empty list; the chart values elsewhere on this page
  #    carry [] — presumably equivalent to the mesh-config parser, confirm.
  mesh: |-
    # Set the following variable to true to disable policy checks by Mixer.
    # Note that metrics will still be reported to Mixer.
    disablePolicyChecks: true

    disableMixerHttpReports: false
    # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
    reportBatchMaxEntries: 100
    # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
    reportBatchMaxTime: 1s

    # Set enableTracing to false to disable request tracing.
    enableTracing: true

    # Set accessLogFile to empty string to disable access log.
    accessLogFile: ""

    # If accessLogEncoding is TEXT, value will be used directly as the log format
    # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
    # If AccessLogEncoding is JSON, value will be parsed as map[string]string
    # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
    # Leave empty to use default log format
    accessLogFormat: ""

    # Set accessLogEncoding to JSON or TEXT to configure sidecar access log
    accessLogEncoding: 'TEXT'

    enableEnvoyAccessLogService: false
    mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091
    mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091
    # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
    # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
    policyCheckFailOpen: false
    # Let Pilot give ingresses the public IP of the Istio ingressgateway
    ingressService: istio-ingressgateway

    # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
    connectTimeout: 10s

    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    protocolDetectionTimeout: 100ms

    # DNS refresh rate for Envoy clusters of type STRICT_DNS
    dnsRefreshRate: 300s

    # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
    # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
    sdsUdsPath: ""

    # The trust domain corresponds to the trust root of a system.
    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    trustDomain: ""

    # The trust domain aliases represent the aliases of trust_domain.
    # For example, if we have
    # trustDomain: td1
    # trustDomainAliases: [“td2”, "td3"]
    # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
    # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
    trustDomainAliases:

    # If true, automatically configure client side mTLS settings to match the corresponding service's
    # server side mTLS authentication policy, when destination rule for that service does not specify
    # TLS settings.
    enableAutoMtls: false

    # Set the default behavior of the sidecar for handling outbound traffic from the application:
    # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
    # services or ServiceEntries for the destination port
    # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
    # as those defined through ServiceEntries
    outboundTrafficPolicy:
      mode: ALLOW_ANY
    localityLbSetting:
      enabled: true
    # The namespace to treat as the administrative root namespace for istio
    # configuration.
    rootNamespace: istio-system

    # Configures DNS certificates provisioned through Chiron linked into Pilot.
    certificates:
      []
    configSources:
      - address: istio-galley.istio-system.svc:9901

    defaultConfig:
      #
      # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters
      # defined in Envoy's configuration file
      connectTimeout: 10s
      #
      ### ADVANCED SETTINGS #############
      # Where should envoy's configuration be stored in the istio-proxy container
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"
      # The pseudo service name used for Envoy.
      serviceCluster: istio-proxy
      # These settings that determine how long an old Envoy
      # process should be kept alive after an occasional reload.
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      #
      # The mode used to redirect inbound connections to Envoy. This setting
      # has no effect on outbound traffic: iptables REDIRECT is always used for
      # outbound connections.
      # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
      # The "REDIRECT" mode loses source addresses during redirection.
      # If "TPROXY", use iptables TPROXY to redirect to Envoy.
      # The "TPROXY" mode preserves both the source and destination IP
      # addresses and ports, so that they can be used for advanced filtering
      # and manipulation.
      # The "TPROXY" mode also configures the sidecar to run with the
      # CAP_NET_ADMIN capability, which is required to use TPROXY.
      #interceptionMode: REDIRECT
      #
      # Port where Envoy listens (on local host) for admin commands
      # You can exec into the istio-proxy container in a pod and
      # curl the admin port (curl http://localhost:15000/) to obtain
      # diagnostic information from Envoy. See
      # https://lyft.github.io/envoy/docs/operations/admin.html
      # for more details
      proxyAdminPort: 15000
      #
      # Set concurrency to a specific number to control the number of Proxy worker threads.
      # If set to 0 (default), then start worker thread for each CPU thread/core.
      concurrency: 2
      #
      tracing:
        zipkin:
          # Address of the Zipkin collector
          address: zipkin.istio-system:9411
      #
      # Mutual TLS authentication between sidecars and istio control plane.
      controlPlaneAuthPolicy: NONE
      #
      # Address where istio Pilot service is running
      discoveryAddress: istio-pilot.istio-system:15010

  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
  meshNetworks: |-
    networks: {}

835---
836# Source: istio/templates/sidecar-injector-configmap.yaml
837
838apiVersion: v1
839kind: ConfigMap
840metadata:
841 name: istio-sidecar-injector
842 namespace: istio-system
843 labels:
844 app: istio
845 chart: istio
846 heritage: Tiller
847 release: release-name
848 istio: sidecar-injector
849data:
850 values: |-
851 {"certmanager":{"enabled":false},"galley":{"enableAnalysis":false,"enableServiceDiscovery":false,"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"
readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"galley","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","tolerations":[]},"gateways":{"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enabl
eCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"istio-egressgateway":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":false,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"labels":{"app":"istio-egressgateway","istio":"egressgateway"},"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailabl
e":"25%","secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"serviceAnnotations":{},"tolerations":[],"type":"ClusterIP"},"istio-ilbgateway":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"labels":{"app":"istio-ilbgateway","istio":"ilbgateway"},"loadBalancerIP":"","nodeSelector":{},"podAnnotations":{},"ports":[{"name":"grpc-pilot-mtls","port":15011},{"name":"grpc-pilot","port":15010},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns","port":5353}],"resources":{"requests":{"cpu":"800m","memory":"512Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","secretVolumes":[{"mountPath":"/etc/istio/ilbgateway-certs","name":"ilbgateway-certs","secretName":"istio-ilbgateway-certs"},{"mountPath":"/etc/istio/ilbgateway-ca-certs","name":"ilbgateway-ca-certs","secretName":"istio-ilbgateway-ca-certs"}],"serviceAnnotations":{"cloud.google.com/load-balancer-type":"internal"},"tolerations":[],"type":"LoadBalancer"},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"externalIPs":[],"labels":{"app":"istio-ingressgateway","istio":"ingressgateway"},"loadBalancerIP":"","loadBalancerSourceRanges":[],"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-mixer-grpc-tls","port":15004,"targetPort":15004},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"ht
tp2","nodePort":31380,"port":80,"targetPort":80},{"name":"https","nodePort":31390,"port":443},{"name":"tcp","nodePort":31400,"port":31400},{"name":"https-kiali","port":15029,"targetPort":15029},{"name":"https-prometheus","port":15030,"targetPort":15030},{"name":"https-grafana","port":15031,"targetPort":15031},{"name":"https-tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sds":{"enabled":false,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"serviceAnnotations":{},"tolerations":[],"type":"LoadBalancer"}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEnco
ding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"grafana":{"enabled":false},"istio_cni":{"enabled":false,"repair":{"enabled":true}},"istiocoredns":{"enabled":false},"kiali":{"enabled":false},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus"
:{"enabled":true,"metricsExpiryDuration":"10m"},"stdio":{"enabled":false,"outputAsJson":true},"useAdapterCRDs":false},"env":{"GOMAXPROCS":"6"},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","read
inessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"mixer","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%"},"telemetry":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","resources":{"limits":{"cpu":"4800m","memory":"4G"},"requests":{"cpu":"1000m","memory":"1G"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sessionAffinityEnabled":false},"tolerations":[]},"nodeagent":{"enabled":false},"pilot":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"configSource":{},"cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{"PILOT_PUSH_THROTTLE":100},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolic
yChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"
","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"pilot","keepaliveMaxServerConnectionAge":"30m","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"resources":{"requests":{"cpu":"500m","memory":"2048Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sidecar":true,"tolerations":[],"traceSampling":1},"prometheus":{"contextPath":"/prometheus","enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeep
alive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"hub":"docker.io/prom","image":"prometheus","ingress":{"enabled":false,"hosts":["prometheus.local"]},"nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"service":{"annotations":{},"nodePort":{"enabled":false,"port":32090}},"tag":"v2.12.0","tolerations":[]},"security":{"citadelHealthCheck":false,"createMeshPolicy":true,"enableNamespacesByDefault":true,"enabled":true,"env":{},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio",
"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotati
ons":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"citadel","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":true,"tolerations":[],"workloadCertTtl":"2160h"},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"
envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"sidecar_injector","injectedAnnotations":{},"neverInjectSelector":[],"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rewriteAppHTTPProbe":false,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","tolerations":[]},"tracing":{"enabled":false}}
852
853 config: |-
854 policy: enabled
855 alwaysInjectSelector:
856 []
857 neverInjectSelector:
858 []
859 template: |-
860 {{- $cniDisabled := (not .Values.istio_cni.enabled) }}
861 {{- $cniRepairEnabled := (and .Values.istio_cni.enabled .Values.istio_cni.repair.enabled) }}
862 {{- $enableInitContainer := (or $cniDisabled $cniRepairEnabled .Values.global.proxy.enableCoreDump) }}
863 rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
864 {{- if $enableInitContainer }}
865 initContainers:
866 {{- if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
867 {{ if $cniRepairEnabled -}}
868 - name: istio-validation
869 {{ else -}}
870 - name: istio-init
871 {{ end -}}
872 {{- if contains "/" .Values.global.proxy_init.image }}
873 image: "{{ .Values.global.proxy_init.image }}"
874 {{- else }}
875 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
876 {{- end }}
877 command:
878 {{- if $cniRepairEnabled }}
879 - istio-iptables-go
880 {{- else }}
881 - istio-iptables
882 {{- end }}
883 - "-p"
884 - "15001"
885 - "-z"
886 - "15006"
887 - "-u"
888 - 1337
889 - "-m"
890 - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
891 - "-i"
892 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
893 - "-x"
894 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
895 - "-b"
896 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
897 - "-d"
898 - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
899 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
900 - "-o"
901 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
902 {{ end -}}
903 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
904 - "-k"
905 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
906 {{ end -}}
907 {{ if $cniRepairEnabled -}}
908 - "--run-validation"
909 - "--skip-rule-apply"
910 {{- end }}
911 imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
912 {{- if .Values.global.proxy.init.resources }}
913 resources:
914 {{ toYaml .Values.global.proxy.init.resources | indent 4 }}
915 {{- else }}
916 resources: {}
917 {{- end }}
918 securityContext:
919 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
920 privileged: {{ .Values.global.proxy.privileged }}
921 capabilities:
922 {{- if not $cniRepairEnabled }}
923 add:
924 - NET_ADMIN
925 - NET_RAW
926 {{- end }}
927 drop:
928 - ALL
929 readOnlyRootFilesystem: false
930 {{- if not $cniRepairEnabled }}
931 runAsGroup: 0
932 runAsNonRoot: false
933 runAsUser: 0
934 {{- else }}
935 runAsGroup: 1337
936 runAsUser: 1337
937 runAsNonRoot: true
938 {{- end }}
939 restartPolicy: Always
940 {{ end -}}
941 {{- if eq .Values.global.proxy.enableCoreDump true }}
942 - name: enable-core-dump
943 args:
944 - -c
945 - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
946 command:
947 - /bin/sh
948 image: {{ $.Values.global.proxy.enableCoreDumpImage }}
949 imagePullPolicy: IfNotPresent
950 resources: {}
951 securityContext:
952 allowPrivilegeEscalation: true
953 capabilities:
954 add:
955 - SYS_ADMIN
956 drop:
957 - ALL
958 privileged: true
959 readOnlyRootFilesystem: false
960 runAsGroup: 0
961 runAsNonRoot: false
962 runAsUser: 0
963 {{ end }}
964 {{ end }}
965 containers:
966 - name: istio-proxy
967 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
968 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
969 {{- else }}
970 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
971 {{- end }}
972 ports:
973 - containerPort: 15090
974 protocol: TCP
975 name: http-envoy-prom
976 args:
977 - proxy
978 - sidecar
979 - --domain
980 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
981 - --configPath
982 - "{{ .ProxyConfig.ConfigPath }}"
983 - --binaryPath
984 - "{{ .ProxyConfig.BinaryPath }}"
985 - --serviceCluster
986 {{ if ne "" (index .ObjectMeta.Labels "app") -}}
987 - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
988 {{ else -}}
989 - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
990 {{ end -}}
991 - --drainDuration
992 - "{{ formatDuration .ProxyConfig.DrainDuration }}"
993 - --parentShutdownDuration
994 - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}"
995 - --discoveryAddress
996 - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}"
997 {{- if eq .Values.global.proxy.tracer "lightstep" }}
998 - --lightstepAddress
999 - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}"
1000 - --lightstepAccessToken
1001 - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}"
1002 - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }}
1003 - --lightstepCacertPath
1004 - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}"
1005 {{- else if eq .Values.global.proxy.tracer "zipkin" }}
1006 - --zipkinAddress
1007 - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}"
1008 {{- else if eq .Values.global.proxy.tracer "datadog" }}
1009 - --datadogAgentAddress
1010 - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}"
1011 {{- end }}
1012 {{- if .Values.global.proxy.logLevel }}
1013 - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
1014 {{- end}}
1015 {{- if .Values.global.proxy.componentLogLevel }}
1016 - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
1017 {{- end}}
1018 - --dnsRefreshRate
1019 - {{ .Values.global.proxy.dnsRefreshRate }}
1020 - --connectTimeout
1021 - "{{ formatDuration .ProxyConfig.ConnectTimeout }}"
1022 {{- if .Values.global.proxy.envoyStatsd.enabled }}
1023 - --statsdUdpAddress
1024 - "{{ .ProxyConfig.StatsdUdpAddress }}"
1025 {{- end }}
1026 {{- if .Values.global.proxy.envoyMetricsService.enabled }}
1027 - --envoyMetricsService
1028 - '{{ protoToJSON .ProxyConfig.EnvoyMetricsService }}'
1029 {{- end }}
1030 {{- if .Values.global.proxy.envoyAccessLogService.enabled }}
1031 - --envoyAccessLogService
1032 - '{{ protoToJSON .ProxyConfig.EnvoyAccessLogService }}'
1033 {{- end }}
1034 - --proxyAdminPort
1035 - "{{ .ProxyConfig.ProxyAdminPort }}"
1036 {{ if gt .ProxyConfig.Concurrency 0 -}}
1037 - --concurrency
1038 - "{{ .ProxyConfig.Concurrency }}"
1039 {{ end -}}
1040 - --controlPlaneAuthPolicy
1041 - "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}"
1042 {{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" (valueOrDefault .Values.global.proxy.statusPort 0 )) `0`) }}
1043 - --statusPort
1044 - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}"
1045 - --applicationPorts
1046 - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}"
1047 {{- end }}
1048 {{- if .Values.global.trustDomain }}
1049 - --trust-domain={{ .Values.global.trustDomain }}
1050 {{- end }}
1051 {{- if .Values.global.proxy.lifecycle }}
1052 lifecycle:
1053 {{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
1054 {{- end }}
1055 env:
1056 - name: POD_NAME
1057 valueFrom:
1058 fieldRef:
1059 fieldPath: metadata.name
1060 - name: ISTIO_META_POD_PORTS
1061 value: |-
1062 [
1063 {{- $first := true }}
1064 {{- range $index1, $c := .Spec.Containers }}
1065 {{- range $index2, $p := $c.Ports }}
1066 {{- if (structToJSON $p) }}
1067 {{if not $first}},{{end}}{{ structToJSON $p }}
1068 {{- $first = false }}
1069 {{- end }}
1070 {{- end}}
1071 {{- end}}
1072 ]
1073 - name: ISTIO_META_CLUSTER_ID
1074 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
1075 - name: POD_NAMESPACE
1076 valueFrom:
1077 fieldRef:
1078 fieldPath: metadata.namespace
1079 - name: INSTANCE_IP
1080 valueFrom:
1081 fieldRef:
1082 fieldPath: status.podIP
1083 - name: SERVICE_ACCOUNT
1084 valueFrom:
1085 fieldRef:
1086 fieldPath: spec.serviceAccountName
1087 {{- if .Values.global.mtls.auto }}
1088 - name: ISTIO_AUTO_MTLS_ENABLED
1089 value: "true"
1090 {{- end }}
1091 {{- if eq .Values.global.proxy.tracer "datadog" }}
1092 - name: HOST_IP
1093 valueFrom:
1094 fieldRef:
1095 fieldPath: status.hostIP
1096 {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }}
1097 {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
1098 - name: {{ $key }}
1099 value: "{{ $value }}"
1100 {{- end }}
1101 {{- end }}
1102 {{- end }}
1103 - name: ISTIO_META_POD_NAME
1104 valueFrom:
1105 fieldRef:
1106 fieldPath: metadata.name
1107 - name: ISTIO_META_CONFIG_NAMESPACE
1108 valueFrom:
1109 fieldRef:
1110 fieldPath: metadata.namespace
1111 - name: SDS_ENABLED
1112 value: {{ $.Values.global.sds.enabled }}
1113 - name: ISTIO_META_INTERCEPTION_MODE
1114 value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
1115 - name: ISTIO_META_INCLUDE_INBOUND_PORTS
1116 value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}"
1117 {{- if .Values.global.network }}
1118 - name: ISTIO_META_NETWORK
1119 value: "{{ .Values.global.network }}"
1120 {{- end }}
1121 {{ if .ObjectMeta.Annotations }}
1122 - name: ISTIO_METAJSON_ANNOTATIONS
1123 value: |
1124 {{ toJSON .ObjectMeta.Annotations }}
1125 {{ end }}
1126 {{ if .ObjectMeta.Labels }}
1127 - name: ISTIO_METAJSON_LABELS
1128 value: |
1129 {{ toJSON .ObjectMeta.Labels }}
1130 {{ end }}
1131 {{- if .DeploymentMeta.Name }}
1132 - name: ISTIO_META_WORKLOAD_NAME
1133 value: {{ .DeploymentMeta.Name }}
1134 {{ end }}
1135 {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
1136 - name: ISTIO_META_OWNER
1137 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
1138 {{- end}}
1139 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
1140 - name: ISTIO_BOOTSTRAP_OVERRIDE
1141 value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
1142 {{- end }}
1143 {{- if .Values.global.sds.customTokenDirectory }}
1144 - name: ISTIO_META_SDS_TOKEN_PATH
1145 value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken"
1146 {{- end }}
1147 {{- if .Values.global.meshID }}
1148 - name: ISTIO_META_MESH_ID
1149 value: "{{ .Values.global.meshID }}"
1150 {{- else if .Values.global.trustDomain }}
1151 - name: ISTIO_META_MESH_ID
1152 value: "{{ .Values.global.trustDomain }}"
1153 {{- end }}
1154 {{- if eq .Values.global.proxy.tracer "stackdriver" }}
1155 - name: STACKDRIVER_TRACING_ENABLED
1156 value: "true"
1157 - name: STACKDRIVER_TRACING_DEBUG
1158 value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetDebug }}"
1159 {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations }}
1160 - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS
1161 value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations.Value }}"
1162 {{- end }}
1163 {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes }}
1164 - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES
1165 value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes.Value }}"
1166 {{- end }}
1167 {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents }}
1168 - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS
1169 value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents.Value }}"
1170 {{- end }}
1171 {{- end }}
1172 imagePullPolicy: {{ .Values.global.imagePullPolicy }}
1173 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` (valueOrDefault .Values.global.proxy.statusPort 0 )) `0` }}
1174 readinessProbe:
1175 httpGet:
1176 path: /healthz/ready
1177 port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}
1178 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
1179 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
1180 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
1181 {{ end -}}
1182 securityContext:
1183 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
1184 capabilities:
1185 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
1186 add:
1187 - NET_ADMIN
1188 {{- end }}
1189 drop:
1190 - ALL
1191 privileged: {{ .Values.global.proxy.privileged }}
1192 readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
1193 runAsGroup: 1337
1194 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
1195 runAsNonRoot: false
1196 runAsUser: 0
1197 {{- else }}
1198 runAsNonRoot: true
1199 runAsUser: 1337
1200 {{- end }}
1201 resources:
1202 {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
1203 requests:
1204 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
1205 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
1206 {{ end}}
1207 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
1208 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
1209 {{ end }}
1210 {{ else -}}
1211 {{- if .Values.global.proxy.resources }}
1212 {{ toYaml .Values.global.proxy.resources | indent 4 }}
1213 {{- end }}
1214 {{ end -}}
1215 volumeMounts:
1216 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
1217 - mountPath: /etc/istio/custom-bootstrap
1218 name: custom-bootstrap-volume
1219 {{- end }}
1220 - mountPath: /etc/istio/proxy
1221 name: istio-envoy
1222 {{- if .Values.global.sds.enabled }}
1223 - mountPath: /var/run/sds
1224 name: sds-uds-path
1225 readOnly: true
1226 - mountPath: /var/run/secrets/tokens
1227 name: istio-token
1228 {{- if .Values.global.sds.customTokenDirectory }}
1229 - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}"
1230 name: custom-sds-token
1231 readOnly: true
1232 {{- end }}
1233 {{- else }}
1234 - mountPath: /etc/certs/
1235 name: istio-certs
1236 readOnly: true
1237 {{- end }}
1238 {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
1239 - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}
1240 name: lightstep-certs
1241 readOnly: true
1242 {{- end }}
1243 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
1244 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
1245 - name: "{{ $index }}"
1246 {{ toYaml $value | indent 4 }}
1247 {{ end }}
1248 {{- end }}
1249 volumes:
1250 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
1251 - name: custom-bootstrap-volume
1252 configMap:
1253 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
1254 {{- end }}
1255 - emptyDir:
1256 medium: Memory
1257 name: istio-envoy
1258 {{- if .Values.global.sds.enabled }}
1259 - name: sds-uds-path
1260 hostPath:
1261 path: /var/run/sds
1262 - name: istio-token
1263 projected:
1264 sources:
1265 - serviceAccountToken:
1266 path: istio-token
1267 expirationSeconds: 43200
1268 audience: {{ .Values.global.sds.token.aud }}
1269 {{- if .Values.global.sds.customTokenDirectory }}
1270 - name: custom-sds-token
1271 secret:
1272 secretName: sdstokensecret
1273 {{- end }}
1274 {{- else }}
1275 - name: istio-certs
1276 secret:
1277 optional: true
1278 {{ if eq .Spec.ServiceAccountName "" }}
1279 secretName: istio.default
1280 {{ else -}}
1281 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
1282 {{ end -}}
1283 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
1284 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
1285 - name: "{{ $index }}"
1286 {{ toYaml $value | indent 2 }}
1287 {{ end }}
1288 {{ end }}
1289 {{- end }}
1290 {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
1291 - name: lightstep-certs
1292 secret:
1293 optional: true
1294 secretName: lightstep.cacert
1295 {{- end }}
1296 {{- if .Values.global.podDNSSearchNamespaces }}
1297 dnsConfig:
1298 searches:
1299 {{- range .Values.global.podDNSSearchNamespaces }}
1300 - {{ render . }}
1301 {{- end }}
1302 {{- end }}
1303 podRedirectAnnot:
1304 sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
1305 traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
1306 traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
1307 traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
1308 traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
1309 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
1310 traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
1311 {{- end }}
1312 traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
1313 injectedAnnotations:
1314
---
# Source: istio/charts/galley/templates/serviceaccount.yaml
# Pod identity for the istio-galley Deployment. Its permissions come from the
# ClusterRoleBinding istio-galley-admin-role-binding-istio-system later in
# this file, so the grant is cluster-wide rather than namespace-scoped.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-galley-service-account
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: release-name

---
# Source: istio/charts/gateways/templates/serviceaccount.yaml

# Identity for the internal-load-balancer gateway workload. No Role/ClusterRole
# binding in the visible manifests references this account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-ilbgateway-service-account
  namespace: istio-system
  labels:
    app: istio-ilbgateway
    chart: gateways
    heritage: Tiller
    release: release-name
---
# Identity for the ingress gateway workload. The RoleBinding
# istio-ingressgateway-sds in this file lets it get/watch/list Secrets in
# istio-system (namespace-scoped, not cluster-wide).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-ingressgateway-service-account
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    release: release-name
---


---
# Source: istio/charts/mixer/templates/serviceaccount.yaml

# Identity used by the mixer chart workloads; bound cluster-wide by
# istio-mixer-admin-role-binding-istio-system (note that the mixer
# ClusterRole includes read access to Secrets in every namespace).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-mixer-service-account
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name

---
# Source: istio/charts/pilot/templates/serviceaccount.yaml
# Identity for pilot; bound cluster-wide by istio-pilot-istio-system.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-pilot-service-account
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: release-name

---
# Source: istio/charts/prometheus/templates/serviceaccount.yaml
# Identity for the bundled Prometheus; bound cluster-wide by
# prometheus-istio-system (read-only rules plus nodes/proxy).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Tiller
    release: release-name

---
# Source: istio/charts/security/templates/create-custom-resources-job.yaml

# Identity for the post-install hook Job defined at the end of this document
# set. Although it only exists to run that Job, it is bound through a
# ClusterRoleBinding below, so its permissions apply in every namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-security-post-install-account
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
---
# Permissions for the hook. The first two rules grant every verb on every
# resource of their API group; the inline comments state that only creating
# the default authn policy and security destination rules is required, so a
# verb list such as create/get/list would be closer to least privilege.
# NOTE(review): confirm what run.sh needs before tightening — the script is
# not part of this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-security-post-install-istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
rules:
  - apiGroups: ["authentication.istio.io"]  # needed to create default authn policy
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["networking.istio.io"]  # needed to create security destination rules
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
# Binds the hook's ServiceAccount to the ClusterRole above, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-security-post-install-role-binding-istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-security-post-install-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-security-post-install-account
    namespace: istio-system
---
# Helm post-install / post-upgrade hook. It runs run.sh from the
# istio-security-custom-resources ConfigMap (mounted at /tmp/security) with
# the kubectl image, passing custom-resources.yaml as the manifest to apply.
# hook-delete-policy: hook-succeeded removes the Job (and its pod) only after
# a successful run, so a failed hook is left behind for inspection.
# NOTE(review): the image is pinned by tag, not by digest — check this
# against the deployment's supply-chain policy.
apiVersion: batch/v1
kind: Job
metadata:
  name: istio-security-post-install-1.4.6
  namespace: istio-system
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
spec:
  template:
    metadata:
      name: istio-security-post-install
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: release-name
      annotations:
        # The hook pod talks to the API server only; keep the sidecar out so
        # the Job does not depend on the mesh being up.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-security-post-install-account
      containers:
        - name: kubectl
          image: "docker.io/istio/kubectl:1.4.6"
          imagePullPolicy: IfNotPresent
          command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
          volumeMounts:
            - mountPath: "/tmp/security"
              name: tmp-configmap-security
      volumes:
        - name: tmp-configmap-security
          configMap:
            name: istio-security-custom-resources
      # A Job pod must not use Always; OnFailure lets the Job controller
      # retry a failed script run.
      restartPolicy: OnFailure
      # Restrict scheduling to the architectures the image is published for,
      # preferring them in the order amd64, ppc64le, s390x (all weight 2).
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"

---
# Source: istio/charts/security/templates/serviceaccount.yaml
# Identity for citadel; bound cluster-wide by istio-citadel-istio-system,
# which includes create/update/delete on Secrets in every namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-citadel-service-account
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name

---
# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
# Identity for the sidecar injector webhook; bound cluster-wide by
# istio-sidecar-injector-admin-role-binding-istio-system.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-sidecar-injector-service-account
  namespace: istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: release-name
    istio: sidecar-injector

---
# Source: istio/templates/serviceaccount.yaml
# Read-only account bound to the istio-reader ClusterRole by the istio-multi
# ClusterRoleBinding. Unlike the chart-generated accounts it carries no
# labels, so label-based selection or cleanup will not find it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-multi
  namespace: istio-system

---
# Source: istio/charts/galley/templates/clusterrole.yaml
# Cluster-wide permissions for galley. Mostly read-only, with three write
# paths: status updates on Istio CRs, every verb on
# validatingwebhookconfigurations, and namespaces/finalizers updates.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-galley-istio-system
  labels:
    app: galley
    chart: galley
    heritage: Tiller
    release: release-name
rules:
  # For reading Istio resources
  - apiGroups: [
      "authentication.istio.io",
      "config.istio.io",
      "networking.istio.io",
      "rbac.istio.io",
      "security.istio.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # For updating Istio resource statuses
  - apiGroups: [
      "authentication.istio.io",
      "config.istio.io",
      "networking.istio.io",
      "rbac.istio.io",
      "security.istio.io"]
    resources: ["*/status"]
    verbs: ["update"]
  # NOTE(review): no resourceNames restriction here, so this allows
  # rewriting or deleting any ValidatingWebhookConfiguration in the cluster,
  # not only galley's own. The galley Deployment passes
  # --enable-reconcileWebhookConfiguration=true, which is the visible reason
  # for the write access.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["*"]
  # Scoped to the single Deployment by resourceNames — the pattern the
  # webhook rule above lacks.
  - apiGroups: ["extensions","apps"]
    resources: ["deployments"]
    resourceNames: ["istio-galley"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "endpoints", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["namespaces/finalizers"]
    verbs: ["update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

---
# Source: istio/charts/mixer/templates/clusterrole.yaml

# Cluster-wide permissions for mixer (policy and telemetry). Write access is
# limited to config.istio.io resources; everything else is read-only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-mixer-istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
rules:
  - apiGroups: ["config.istio.io"] # istio CRD watcher
    resources: ["*"]
    verbs: ["create", "get", "list", "watch", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): "secrets" with get/list/watch and no namespace scoping
  # means a compromise of the mixer ServiceAccount exposes every Secret in
  # the cluster. Confirm whether mixer actually reads Secrets; if not, drop
  # it from this list.
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]

<gr_codeblock_body_placeholder/>
1683---
1684# Source: istio/charts/prometheus/templates/clusterrole.yaml
1685apiVersion: rbac.authorization.k8s.io/v1
1686kind: ClusterRole
1687metadata:
1688 name: prometheus-istio-system
1689 labels:
1690 app: prometheus
1691 chart: prometheus
1692 heritage: Tiller
1693 release: release-name
1694rules:
1695- apiGroups: [""]
1696 resources:
1697 - nodes
1698 - services
1699 - endpoints
1700 - pods
1701 - nodes/proxy
1702 verbs: ["get", "list", "watch"]
1703- apiGroups: [""]
1704 resources:
1705 - configmaps
1706 verbs: ["get"]
1707- nonResourceURLs: ["/metrics"]
1708 verbs: ["get"]
1709
1710---
1711# Source: istio/charts/security/templates/clusterrole.yaml
1712apiVersion: rbac.authorization.k8s.io/v1
1713kind: ClusterRole
1714metadata:
1715 name: istio-citadel-istio-system
1716 labels:
1717 app: security
1718 chart: security
1719 heritage: Tiller
1720 release: release-name
1721rules:
1722- apiGroups: [""]
1723 resources: ["configmaps"]
1724 verbs: ["create", "get", "update"]
1725- apiGroups: [""]
1726 resources: ["secrets"]
1727 verbs: ["create", "get", "watch", "list", "update", "delete"]
1728- apiGroups: [""]
1729 resources: ["serviceaccounts", "services", "namespaces"]
1730 verbs: ["get", "watch", "list"]
1731- apiGroups: ["authentication.k8s.io"]
1732 resources: ["tokenreviews"]
1733 verbs: ["create"]
1734
1735---
1736# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
1737apiVersion: rbac.authorization.k8s.io/v1
1738kind: ClusterRole
1739metadata:
1740 name: istio-sidecar-injector-istio-system
1741 labels:
1742 app: sidecarInjectorWebhook
1743 chart: sidecarInjectorWebhook
1744 heritage: Tiller
1745 release: release-name
1746 istio: sidecar-injector
1747rules:
1748- apiGroups: [""]
1749 resources: ["configmaps"]
1750 verbs: ["get", "list", "watch"]
1751- apiGroups: ["admissionregistration.k8s.io"]
1752 resources: ["mutatingwebhookconfigurations"]
1753 verbs: ["get", "list", "watch", "patch"]
1754
1755---
1756# Source: istio/templates/clusterrole.yaml
1757kind: ClusterRole
1758apiVersion: rbac.authorization.k8s.io/v1
1759metadata:
1760 name: istio-reader
1761rules:
1762 - apiGroups: ['']
1763 resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"]
1764 verbs: ['get', 'watch', 'list']
1765 - apiGroups: ["extensions", "apps"]
1766 resources: ["replicasets"]
1767 verbs: ["get", "list", "watch"]
1768
1769---
1770# Source: istio/charts/galley/templates/clusterrolebinding.yaml
1771apiVersion: rbac.authorization.k8s.io/v1
1772kind: ClusterRoleBinding
1773metadata:
1774 name: istio-galley-admin-role-binding-istio-system
1775 labels:
1776 app: galley
1777 chart: galley
1778 heritage: Tiller
1779 release: release-name
1780roleRef:
1781 apiGroup: rbac.authorization.k8s.io
1782 kind: ClusterRole
1783 name: istio-galley-istio-system
1784subjects:
1785 - kind: ServiceAccount
1786 name: istio-galley-service-account
1787 namespace: istio-system
1788
1789---
1790# Source: istio/charts/mixer/templates/clusterrolebinding.yaml
1791
1792apiVersion: rbac.authorization.k8s.io/v1
1793kind: ClusterRoleBinding
1794metadata:
1795 name: istio-mixer-admin-role-binding-istio-system
1796 labels:
1797 app: mixer
1798 chart: mixer
1799 heritage: Tiller
1800 release: release-name
1801roleRef:
1802 apiGroup: rbac.authorization.k8s.io
1803 kind: ClusterRole
1804 name: istio-mixer-istio-system
1805subjects:
1806 - kind: ServiceAccount
1807 name: istio-mixer-service-account
1808 namespace: istio-system
1809
1810---
1811# Source: istio/charts/pilot/templates/clusterrolebinding.yaml
1812apiVersion: rbac.authorization.k8s.io/v1
1813kind: ClusterRoleBinding
1814metadata:
1815 name: istio-pilot-istio-system
1816 labels:
1817 app: pilot
1818 chart: pilot
1819 heritage: Tiller
1820 release: release-name
1821roleRef:
1822 apiGroup: rbac.authorization.k8s.io
1823 kind: ClusterRole
1824 name: istio-pilot-istio-system
1825subjects:
1826 - kind: ServiceAccount
1827 name: istio-pilot-service-account
1828 namespace: istio-system
1829
1830---
1831# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml
1832apiVersion: rbac.authorization.k8s.io/v1
1833kind: ClusterRoleBinding
1834metadata:
1835 name: prometheus-istio-system
1836 labels:
1837 app: prometheus
1838 chart: prometheus
1839 heritage: Tiller
1840 release: release-name
1841roleRef:
1842 apiGroup: rbac.authorization.k8s.io
1843 kind: ClusterRole
1844 name: prometheus-istio-system
1845subjects:
1846- kind: ServiceAccount
1847 name: prometheus
1848 namespace: istio-system
1849
1850---
1851# Source: istio/charts/security/templates/clusterrolebinding.yaml
1852apiVersion: rbac.authorization.k8s.io/v1
1853kind: ClusterRoleBinding
1854metadata:
1855 name: istio-citadel-istio-system
1856 labels:
1857 app: security
1858 chart: security
1859 heritage: Tiller
1860 release: release-name
1861roleRef:
1862 apiGroup: rbac.authorization.k8s.io
1863 kind: ClusterRole
1864 name: istio-citadel-istio-system
1865subjects:
1866 - kind: ServiceAccount
1867 name: istio-citadel-service-account
1868 namespace: istio-system
1869
1870---
1871# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
1872apiVersion: rbac.authorization.k8s.io/v1
1873kind: ClusterRoleBinding
1874metadata:
1875 name: istio-sidecar-injector-admin-role-binding-istio-system
1876 labels:
1877 app: sidecarInjectorWebhook
1878 chart: sidecarInjectorWebhook
1879 heritage: Tiller
1880 release: release-name
1881 istio: sidecar-injector
1882roleRef:
1883 apiGroup: rbac.authorization.k8s.io
1884 kind: ClusterRole
1885 name: istio-sidecar-injector-istio-system
1886subjects:
1887 - kind: ServiceAccount
1888 name: istio-sidecar-injector-service-account
1889 namespace: istio-system
1890
1891---
1892# Source: istio/templates/clusterrolebinding.yaml
1893apiVersion: rbac.authorization.k8s.io/v1
1894kind: ClusterRoleBinding
1895metadata:
1896 name: istio-multi
1897 labels:
1898 chart: istio-1.4.6
1899roleRef:
1900 apiGroup: rbac.authorization.k8s.io
1901 kind: ClusterRole
1902 name: istio-reader
1903subjects:
1904- kind: ServiceAccount
1905 name: istio-multi
1906 namespace: istio-system
1907
1908---
1909# Source: istio/charts/gateways/templates/role.yaml
1910
1911apiVersion: rbac.authorization.k8s.io/v1
1912kind: Role
1913metadata:
1914 name: istio-ingressgateway-sds
1915 namespace: istio-system
1916rules:
1917- apiGroups: [""]
1918 resources: ["secrets"]
1919 verbs: ["get", "watch", "list"]
1920---
1921
1922---
1923# Source: istio/charts/gateways/templates/rolebindings.yaml
1924
1925apiVersion: rbac.authorization.k8s.io/v1
1926kind: RoleBinding
1927metadata:
1928 name: istio-ingressgateway-sds
1929 namespace: istio-system
1930roleRef:
1931 apiGroup: rbac.authorization.k8s.io
1932 kind: Role
1933 name: istio-ingressgateway-sds
1934subjects:
1935- kind: ServiceAccount
1936 name: istio-ingressgateway-service-account
1937---
1938
1939---
1940# Source: istio/charts/galley/templates/service.yaml
1941apiVersion: v1
1942kind: Service
1943metadata:
1944 name: istio-galley
1945 namespace: istio-system
1946 labels:
1947 app: galley
1948 chart: galley
1949 heritage: Tiller
1950 release: release-name
1951 istio: galley
1952spec:
1953 ports:
1954 - port: 443
1955 name: https-validation
1956 - port: 15014
1957 name: http-monitoring
1958 - port: 9901
1959 name: grpc-mcp
1960 selector:
1961 istio: galley
1962
1963---
1964# Source: istio/charts/gateways/templates/service.yaml
1965
1966apiVersion: v1
1967kind: Service
1968metadata:
1969 name: istio-ilbgateway
1970 namespace: istio-system
1971 annotations:
1972 cloud.google.com/load-balancer-type: "internal"
1973 labels:
1974 chart: gateways
1975 heritage: Tiller
1976 release: release-name
1977 app: istio-ilbgateway
1978 istio: ilbgateway
1979spec:
1980 type: LoadBalancer
1981 selector:
1982 release: release-name
1983 app: istio-ilbgateway
1984 istio: ilbgateway
1985 ports:
1986 -
1987 name: grpc-pilot-mtls
1988 port: 15011
1989 -
1990 name: grpc-pilot
1991 port: 15010
1992 -
1993 name: tcp-citadel-grpc-tls
1994 port: 8060
1995 targetPort: 8060
1996 -
1997 name: tcp-dns
1998 port: 5353
1999---
2000apiVersion: v1
2001kind: Service
2002metadata:
2003 name: istio-ingressgateway
2004 namespace: istio-system
2005 annotations:
2006 labels:
2007 chart: gateways
2008 heritage: Tiller
2009 release: release-name
2010 app: istio-ingressgateway
2011 istio: ingressgateway
2012spec:
2013 type: LoadBalancer
2014 selector:
2015 release: release-name
2016 app: istio-ingressgateway
2017 istio: ingressgateway
2018 ports:
2019 -
2020 name: status-port
2021 port: 15020
2022 targetPort: 15020
2023 -
2024 name: http2
2025 nodePort: 31380
2026 port: 80
2027 targetPort: 80
2028 -
2029 name: https
2030 nodePort: 31390
2031 port: 443
2032 -
2033 name: tcp
2034 nodePort: 31400
2035 port: 31400
2036 -
2037 name: https-kiali
2038 port: 15029
2039 targetPort: 15029
2040 -
2041 name: https-prometheus
2042 port: 15030
2043 targetPort: 15030
2044 -
2045 name: https-grafana
2046 port: 15031
2047 targetPort: 15031
2048 -
2049 name: https-tracing
2050 port: 15032
2051 targetPort: 15032
2052 -
2053 name: tls
2054 port: 15443
2055 targetPort: 15443
2056---
2057
2058---
2059# Source: istio/charts/mixer/templates/service.yaml
2060
2061apiVersion: v1
2062kind: Service
2063metadata:
2064 name: istio-policy
2065 namespace: istio-system
2066 annotations:
2067 networking.istio.io/exportTo: "*"
2068 labels:
2069 app: mixer
2070 chart: mixer
2071 heritage: Tiller
2072 release: release-name
2073 istio: mixer
2074spec:
2075 ports:
2076 - name: grpc-mixer
2077 port: 9091
2078 - name: grpc-mixer-mtls
2079 port: 15004
2080 - name: http-monitoring
2081 port: 15014
2082 selector:
2083 istio: mixer
2084 istio-mixer-type: policy
2085---
2086apiVersion: v1
2087kind: Service
2088metadata:
2089 name: istio-telemetry
2090 namespace: istio-system
2091 annotations:
2092 networking.istio.io/exportTo: "*"
2093 labels:
2094 app: mixer
2095 chart: mixer
2096 heritage: Tiller
2097 release: release-name
2098 istio: mixer
2099spec:
2100 ports:
2101 - name: grpc-mixer
2102 port: 9091
2103 - name: grpc-mixer-mtls
2104 port: 15004
2105 - name: http-monitoring
2106 port: 15014
2107 - name: prometheus
2108 port: 42422
2109 selector:
2110 istio: mixer
2111 istio-mixer-type: telemetry
2112---
2113
2114
2115---
2116# Source: istio/charts/pilot/templates/service.yaml
2117apiVersion: v1
2118kind: Service
2119metadata:
2120 name: istio-pilot
2121 namespace: istio-system
2122 labels:
2123 app: pilot
2124 chart: pilot
2125 heritage: Tiller
2126 release: release-name
2127 istio: pilot
2128spec:
2129 ports:
2130 - port: 15010
2131 name: grpc-xds # direct
2132 - port: 15011
2133 name: https-xds # mTLS
2134 - port: 8080
2135 name: http-legacy-discovery # direct
2136 - port: 15014
2137 name: http-monitoring
2138 selector:
2139 istio: pilot
2140
2141---
2142# Source: istio/charts/prometheus/templates/service.yaml
2143apiVersion: v1
2144kind: Service
2145metadata:
2146 name: prometheus
2147 namespace: istio-system
2148 annotations:
2149 prometheus.io/scrape: 'true'
2150 labels:
2151 app: prometheus
2152 chart: prometheus
2153 heritage: Tiller
2154 release: release-name
2155spec:
2156 selector:
2157 app: prometheus
2158 ports:
2159 - name: http-prometheus
2160 protocol: TCP
2161 port: 9090
2162
2163---
2164# Source: istio/charts/security/templates/service.yaml
2165apiVersion: v1
2166kind: Service
2167metadata:
2168 # we use the normal name here (e.g. 'prometheus')
2169 # as grafana is configured to use this as a data source
2170 name: istio-citadel
2171 namespace: istio-system
2172 labels:
2173 app: security
2174 chart: security
2175 heritage: Tiller
2176 release: release-name
2177 istio: citadel
2178spec:
2179 ports:
2180 - name: grpc-citadel
2181 port: 8060
2182 targetPort: 8060
2183 protocol: TCP
2184 - name: http-monitoring
2185 port: 15014
2186 selector:
2187 istio: citadel
2188
2189---
2190# Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml
2191apiVersion: v1
2192kind: Service
2193metadata:
2194 name: istio-sidecar-injector
2195 namespace: istio-system
2196 labels:
2197 app: sidecarInjectorWebhook
2198 chart: sidecarInjectorWebhook
2199 heritage: Tiller
2200 release: release-name
2201 istio: sidecar-injector
2202spec:
2203 ports:
2204 - port: 443
2205 name: https-inject
2206 - port: 15014
2207 name: http-monitoring
2208 selector:
2209 istio: sidecar-injector
2210
2211---
2212# Source: istio/charts/galley/templates/deployment.yaml
2213apiVersion: apps/v1
2214kind: Deployment
2215metadata:
2216 name: istio-galley
2217 namespace: istio-system
2218 labels:
2219 app: galley
2220 chart: galley
2221 heritage: Tiller
2222 release: release-name
2223 istio: galley
2224spec:
2225 replicas: 1
2226 selector:
2227 matchLabels:
2228 istio: galley
2229 strategy:
2230 rollingUpdate:
2231 maxSurge: 100%
2232 maxUnavailable: 25%
2233 template:
2234 metadata:
2235 labels:
2236 app: galley
2237 chart: galley
2238 heritage: Tiller
2239 release: release-name
2240 istio: galley
2241 annotations:
2242 sidecar.istio.io/inject: "false"
2243 spec:
2244 serviceAccountName: istio-galley-service-account
2245 containers:
2246 - name: galley
2247 image: "docker.io/istio/galley:1.4.6"
2248 imagePullPolicy: IfNotPresent
2249 ports:
2250 - containerPort: 443
2251 - containerPort: 15014
2252 - containerPort: 9901
2253 command:
2254 - /usr/local/bin/galley
2255 - server
2256 - --meshConfigFile=/etc/mesh-config/mesh
2257 - --livenessProbeInterval=1s
2258 - --livenessProbePath=/healthliveness
2259 - --readinessProbePath=/healthready
2260 - --readinessProbeInterval=1s
2261 - --deployment-namespace=istio-system
2262 - --insecure=true
2263 - --enable-reconcileWebhookConfiguration=true
2264 - --validation-webhook-config-file
2265 - /etc/config/validatingwebhookconfiguration.yaml
2266 - --monitoringPort=15014
2267 - --log_output_level=default:info
2268 volumeMounts:
2269 - name: certs
2270 mountPath: /etc/certs
2271 readOnly: true
2272 - name: config
2273 mountPath: /etc/config
2274 readOnly: true
2275 - name: mesh-config
2276 mountPath: /etc/mesh-config
2277 readOnly: true
2278 livenessProbe:
2279 exec:
2280 command:
2281 - /usr/local/bin/galley
2282 - probe
2283 - --probe-path=/healthliveness
2284 - --interval=10s
2285 initialDelaySeconds: 5
2286 periodSeconds: 5
2287 readinessProbe:
2288 exec:
2289 command:
2290 - /usr/local/bin/galley
2291 - probe
2292 - --probe-path=/healthready
2293 - --interval=10s
2294 initialDelaySeconds: 5
2295 periodSeconds: 5
2296 resources:
2297 requests:
2298 cpu: 10m
2299
2300 volumes:
2301 - name: certs
2302 secret:
2303 secretName: istio.istio-galley-service-account
2304 - name: config
2305 configMap:
2306 name: istio-galley-configuration
2307 - name: mesh-config
2308 configMap:
2309 name: istio
2310 affinity:
2311 nodeAffinity:
2312 requiredDuringSchedulingIgnoredDuringExecution:
2313 nodeSelectorTerms:
2314 - matchExpressions:
2315 - key: beta.kubernetes.io/arch
2316 operator: In
2317 values:
2318 - "amd64"
2319 - "ppc64le"
2320 - "s390x"
2321 preferredDuringSchedulingIgnoredDuringExecution:
2322 - weight: 2
2323 preference:
2324 matchExpressions:
2325 - key: beta.kubernetes.io/arch
2326 operator: In
2327 values:
2328 - "amd64"
2329 - weight: 2
2330 preference:
2331 matchExpressions:
2332 - key: beta.kubernetes.io/arch
2333 operator: In
2334 values:
2335 - "ppc64le"
2336 - weight: 2
2337 preference:
2338 matchExpressions:
2339 - key: beta.kubernetes.io/arch
2340 operator: In
2341 values:
2342 - "s390x"
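---
# Source: istio/charts/gateways/templates/deployment.yaml
# Internal load-balancer gateway: one Envoy (proxyv2) started in "router"
# mode. The pod is itself the proxy, so sidecar injection is switched off
# on the template and all certificates arrive via mounted secrets
# (SDS_ENABLED is "false").

apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ilbgateway
  namespace: istio-system
  labels:
    app: istio-ilbgateway
    chart: gateways
    heritage: Tiller
    istio: ilbgateway
    release: release-name

spec:
  selector:
    matchLabels:
      app: istio-ilbgateway
      istio: ilbgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: istio-ilbgateway
        chart: gateways
        heritage: Tiller
        istio: ilbgateway
        release: release-name

      annotations:
        # The gateway container is the proxy; never inject a second one.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-ilbgateway-service-account
      # NOTE(review): no pod- or container-level securityContext is set
      # (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities); rely on
      # a cluster-wide baseline or add one here.
      containers:
        - name: istio-proxy
          # NOTE(review): pinned by tag, not by digest — a re-pushed tag is
          # picked up silently the first time a node pulls it.
          image: "docker.io/istio/proxyv2:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15011
            - containerPort: 15010
            - containerPort: 8060
            - containerPort: 5353
            # Envoy's Prometheus scrape endpoint.
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - router
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --log_output_level=default:info
            - --drainDuration
            - '45s' #drainDuration
            - --parentShutdownDuration
            - '1m0s' #parentShutdownDuration
            - --connectTimeout
            - '10s' #connectTimeout
            - --serviceCluster
            - istio-ilbgateway
            - --zipkinAddress
            - zipkin:9411
            - --proxyAdminPort
            - "15000"
            - --statusPort
            - "15020"
            # NONE: the xDS connection to pilot is not protected by mTLS.
            # MUTUAL_TLS is the hardened setting once the control plane is
            # configured for it.
            - --controlPlaneAuthPolicy
            - NONE
            - --discoveryAddress
            - istio-pilot:15010
          readinessProbe:
            # Readiness is served by the pilot-agent status port, not Envoy.
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 800m
              memory: 512Mi

          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ISTIO_META_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: ISTIO_META_CONFIG_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Block scalar: the value carries a trailing newline.
            - name: ISTIO_METAJSON_LABELS
              value: |
                {"app":"istio-ilbgateway","chart":"gateways","heritage":"Tiller","istio":"ilbgateway","release":"release-name"}
            - name: ISTIO_META_CLUSTER_ID
              value: "Kubernetes"
            # Certificates come from the secret volumes below, not from SDS.
            - name: SDS_ENABLED
              value: "false"
            - name: ISTIO_META_WORKLOAD_NAME
              value: istio-ilbgateway
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ilbgateway

          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: ilbgateway-certs
              mountPath: "/etc/istio/ilbgateway-certs"
              readOnly: true
            - name: ilbgateway-ca-certs
              mountPath: "/etc/istio/ilbgateway-ca-certs"
              readOnly: true
      volumes:
        # optional: true on every cert secret — the pod schedules with an
        # empty mount when the secret is missing, so a missing cert shows up
        # as a TLS failure at request time rather than as a pending pod.
        - name: istio-certs
          secret:
            secretName: istio.istio-ilbgateway-service-account
            optional: true
        - name: ilbgateway-certs
          secret:
            secretName: "istio-ilbgateway-certs"
            optional: true
        - name: ilbgateway-ca-certs
          secret:
            secretName: "istio-ilbgateway-ca-certs"
            optional: true
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy spelling; newer clusters
          # label nodes with kubernetes.io/arch.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"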
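---
# Public ingress gateway: same proxyv2 "router" container as the ILB
# gateway but exposing the externally reachable listeners (80/443/31400,
# 15029-15032, 15443) and carrying an explicit resource limit.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    istio: ingressgateway
    release: release-name

spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Tiller
        istio: ingressgateway
        release: release-name

      annotations:
        # The gateway container is the proxy; never inject a second one.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-ingressgateway-service-account
      # NOTE(review): no securityContext on this internet-facing pod
      # (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities).
      containers:
        - name: istio-proxy
          # NOTE(review): pinned by tag, not by digest.
          image: "docker.io/istio/proxyv2:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            # 15020 is the pilot-agent status/readiness port, also exposed here.
            - containerPort: 15020
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15029
            - containerPort: 15030
            - containerPort: 15031
            - containerPort: 15032
            # 15443 pairs with ISTIO_META_ROUTER_MODE=sni-dnat below
            # (multi-cluster SNI routing) — confirm it is meant to be public.
            - containerPort: 15443
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - router
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --log_output_level=default:info
            - --drainDuration
            - '45s' #drainDuration
            - --parentShutdownDuration
            - '1m0s' #parentShutdownDuration
            - --connectTimeout
            - '10s' #connectTimeout
            - --serviceCluster
            - istio-ingressgateway
            - --zipkinAddress
            - zipkin:9411
            - --proxyAdminPort
            - "15000"
            - --statusPort
            - "15020"
            # NONE: xDS to pilot without mTLS; MUTUAL_TLS is the hardened
            # setting once the control plane is configured for it.
            - --controlPlaneAuthPolicy
            - NONE
            - --discoveryAddress
            - istio-pilot:15010
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi

          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ISTIO_META_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: ISTIO_META_CONFIG_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Block scalar: the value carries a trailing newline.
            - name: ISTIO_METAJSON_LABELS
              value: |
                {"app":"istio-ingressgateway","chart":"gateways","heritage":"Tiller","istio":"ingressgateway","release":"release-name"}
            - name: ISTIO_META_CLUSTER_ID
              value: "Kubernetes"
            # Certificates come from the secret volumes below, not from SDS.
            - name: SDS_ENABLED
              value: "false"
            - name: ISTIO_META_WORKLOAD_NAME
              value: istio-ingressgateway
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
            - name: ISTIO_META_ROUTER_MODE
              value: sni-dnat


          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: ingressgateway-certs
              mountPath: "/etc/istio/ingressgateway-certs"
              readOnly: true
            - name: ingressgateway-ca-certs
              mountPath: "/etc/istio/ingressgateway-ca-certs"
              readOnly: true
      volumes:
        # optional: true — the pod starts with an empty mount if the secret
        # is absent; TLS on 443 then fails at request time, not at scheduling.
        - name: istio-certs
          secret:
            secretName: istio.istio-ingressgateway-service-account
            optional: true
        - name: ingressgateway-certs
          secret:
            secretName: "istio-ingressgateway-certs"
            optional: true
        - name: ingressgateway-ca-certs
          secret:
            secretName: "istio-ingressgateway-ca-certs"
            optional: true
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy node label spelling.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"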
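---

---
# Source: istio/charts/mixer/templates/deployment.yaml
# Mixer (policy): the mixer container listens on a Unix socket in a shared
# emptyDir and an istio-proxy container fronts it on the network ports.
# Mixer reads its config from galley over MCP (see --configStoreURL).

apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: istio-mixer
    chart: mixer
    heritage: Tiller
    release: release-name
    istio: mixer
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: mixer
      istio-mixer-type: policy
  template:
    metadata:
      labels:
        app: policy
        chart: mixer
        heritage: Tiller
        release: release-name
        security.istio.io/tlsMode: "istio"
        istio: mixer
        istio-mixer-type: policy
      annotations:
        # The pod ships its own istio-proxy container below.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-mixer-service-account
      # NOTE(review): no securityContext on pod or containers.
      volumes:
        - name: istio-certs
          secret:
            secretName: istio.istio-mixer-service-account
            optional: true
        # Shared by both containers: mixer listens here, the proxy connects.
        - name: uds-socket
          emptyDir: {}
        - name: policy-adapter-secret
          secret:
            secretName: policy-adapter-secret
            optional: true
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy node label spelling.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
      containers:
        - name: mixer
          image: "docker.io/istio/mixer:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            # 15014: monitoring/liveness; 42422: mixer metrics.
            - containerPort: 15014
            - containerPort: 42422
          args:
            - --monitoringPort=15014
            # Mixer itself is reachable only over the shared socket.
            - --address
            - unix:///sock/mixer.socket
            - --log_output_level=default:info
            # Plain mcp:// to galley — no transport security on this hop.
            - --configStoreURL=mcp://istio-galley.istio-system.svc:9901
            - --configDefaultNamespace=istio-system
            - --useAdapterCRDs=false
            - --useTemplateCRDs=false
            - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            # Fixed GOMAXPROCS while the container carries no cpu limit.
            - name: GOMAXPROCS
              value: "6"
          resources:
            requests:
              cpu: 10m

          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: uds-socket
              mountPath: /sock
          livenessProbe:
            httpGet:
              path: /version
              port: 15014
            initialDelaySeconds: 5
            periodSeconds: 5
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9091
            - containerPort: 15004
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-policy
            - --templateFile
            - /etc/istio/proxy/envoy_policy.yaml.tmpl
            # NONE: xDS to pilot without mTLS.
            - --controlPlaneAuthPolicy
            - NONE
            - --log_output_level=default:info
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi

          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: uds-socket
              mountPath: /sock
            # Adapter credentials are mounted into the proxy container here,
            # not into the mixer container — confirm that is intended.
            - name: policy-adapter-secret
              mountPath: /var/run/secrets/istio.io/policy/adapter
              readOnly: true
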
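---
# Mixer (telemetry): same two-container layout as istio-policy, with load
# shedding enforced and a much larger resource envelope. Here the adapter
# secret is mounted into the mixer container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: istio-mixer
    chart: mixer
    heritage: Tiller
    release: release-name
    istio: mixer
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: mixer
      istio-mixer-type: telemetry
  template:
    metadata:
      labels:
        app: telemetry
        chart: mixer
        heritage: Tiller
        release: release-name
        security.istio.io/tlsMode: "istio"
        istio: mixer
        istio-mixer-type: telemetry
      annotations:
        # The pod ships its own istio-proxy container below.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-mixer-service-account
      # NOTE(review): no securityContext on pod or containers.
      volumes:
        - name: istio-certs
          secret:
            secretName: istio.istio-mixer-service-account
            optional: true
        # Shared by both containers: mixer listens here, the proxy connects.
        - name: uds-socket
          emptyDir: {}
        - name: telemetry-adapter-secret
          secret:
            secretName: telemetry-adapter-secret
            optional: true
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy node label spelling.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
      containers:
        - name: mixer
          image: "docker.io/istio/mixer:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15014
            - containerPort: 42422
          args:
            - --monitoringPort=15014
            - --address
            - unix:///sock/mixer.socket
            - --log_output_level=default:info
            # Plain mcp:// to galley — no transport security on this hop.
            - --configStoreURL=mcp://istio-galley.istio-system.svc:9901
            - --configDefaultNamespace=istio-system
            - --useAdapterCRDs=false
            - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans
            # Load shedding: reports are dropped once average latency exceeds
            # the threshold, protecting the proxies from telemetry backpressure.
            - --averageLatencyThreshold
            - 100ms
            - --loadsheddingMode
            - enforce
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: GOMAXPROCS
              value: "6"
          resources:
            limits:
              cpu: 4800m
              memory: 4G
            requests:
              cpu: 1000m
              memory: 1G

          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: telemetry-adapter-secret
              mountPath: /var/run/secrets/istio.io/telemetry/adapter
              readOnly: true
            - name: uds-socket
              mountPath: /sock
          livenessProbe:
            httpGet:
              path: /version
              port: 15014
            initialDelaySeconds: 5
            periodSeconds: 5
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9091
            - containerPort: 15004
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-telemetry
            - --templateFile
            - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
            # NONE: xDS to pilot without mTLS.
            - --controlPlaneAuthPolicy
            - NONE
            - --log_output_level=default:info
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi

          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: uds-socket
              mountPath: /sock
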
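---

---
# Source: istio/charts/pilot/templates/deployment.yaml
# Pilot (discovery): serves xDS to every proxy in the mesh. The secure gRPC
# listener is disabled below, which is consistent with the proxies in this
# bundle using --controlPlaneAuthPolicy NONE.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-pilot
  namespace: istio-system
  # TODO: default template doesn't have this, which one is right ?
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: release-name
    istio: pilot
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: pilot
  template:
    metadata:
      labels:
        app: pilot
        chart: pilot
        heritage: Tiller
        release: release-name
        istio: pilot
      annotations:
        # The pod ships its own istio-proxy container below.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-pilot-service-account
      # NOTE(review): no securityContext on pod or containers.
      containers:
        - name: discovery
          image: "docker.io/istio/pilot:1.4.6"
          imagePullPolicy: IfNotPresent
          args:
            - "discovery"
            - --monitoringAddr=:15014
            - --log_output_level=default:info
            - --domain
            - cluster.local
            # Empty address: pilot's TLS-protected gRPC listener is not
            # started; xDS is served on the plain port 15010 only.
            - --secureGrpcAddr
            - ""
            # Presumably forces proxies to reconnect periodically so load is
            # re-spread across pilot replicas — confirm against pilot docs.
            - --keepaliveMaxServerConnectionAge
            - "30m"
          ports:
            - containerPort: 8080
            - containerPort: 15010
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 5
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: PILOT_PUSH_THROTTLE
              value: "100"
            - name: PILOT_TRACE_SAMPLING
              value: "1"
            # Sniffing is on for outbound and off for inbound traffic.
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
              value: "true"
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
              value: "false"
          resources:
            requests:
              cpu: 500m
              memory: 2048Mi

          volumeMounts:
            # Mesh config (configMap "istio"); not marked readOnly here.
            - name: config-volume
              mountPath: /etc/istio/config
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15003
            - containerPort: 15005
            - containerPort: 15007
            - containerPort: 15011
          args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-pilot
            - --templateFile
            - /etc/istio/proxy/envoy_pilot.yaml.tmpl
            # NONE: xDS to pilot without mTLS.
            - --controlPlaneAuthPolicy
            - NONE
            - --log_output_level=default:info
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi

          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
      volumes:
        - name: config-volume
          configMap:
            name: istio
        - name: istio-certs
          secret:
            secretName: istio.istio-pilot-service-account
            optional: true
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy node label spelling.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
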
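---
# Source: istio/charts/prometheus/templates/deployment.yaml
# TODO: the original template has service account, roles, etc
# Single-replica Prometheus scraping the mesh. It mounts an Istio
# certificate secret so it can scrape mTLS-protected targets.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Tiller
    release: release-name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus
  template:
    metadata:
      labels:
        app: prometheus
        chart: prometheus
        heritage: Tiller
        release: release-name
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: prometheus
      containers:
        - name: prometheus
          image: "docker.io/prom/prometheus:v2.12.0"
          imagePullPolicy: IfNotPresent
          args:
            # 6h retention: this instance is a short-lived scrape buffer.
            - '--storage.tsdb.retention=6h'
            - '--config.file=/etc/prometheus/prometheus.yml'
          ports:
            - containerPort: 9090
              name: http
          livenessProbe:
            httpGet:
              path: /-/healthy
              port: 9090
          readinessProbe:
            httpGet:
              path: /-/ready
              port: 9090
          resources:
            requests:
              cpu: 10m

          volumeMounts:
            - name: config-volume
              mountPath: /etc/prometheus
            # NOTE(review): neither mount is readOnly, unlike the cert
            # mounts in the other deployments here.
            - mountPath: /etc/istio-certs
              name: istio-certs
      volumes:
        - name: config-volume
          configMap:
            name: prometheus
        - name: istio-certs
          secret:
            # 420 == 0644: the key file is readable by any uid in the
            # container. Tightening it (e.g. 256 == 0400) only works together
            # with a runAsUser/fsGroup the process actually runs as.
            defaultMode: 420
            # Presumably the default service account's Istio cert — verify,
            # since it is not marked optional and the pod will not start
            # without it.
            secretName: istio.default
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy node label spelling.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
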
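---
# Source: istio/charts/security/templates/deployment.yaml
# istio CA watching all namespaces
# Citadel is the mesh CA: it issues the per-service-account certificates
# that the other deployments mount from istio.<sa-name> secrets.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-citadel
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: release-name
    istio: citadel
spec:
  replicas: 1
  selector:
    matchLabels:
      istio: citadel
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: security
        chart: security
        heritage: Tiller
        release: release-name
        istio: citadel
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-citadel-service-account
      # NOTE(review): the CA runs without a securityContext; it is the most
      # sensitive process in this bundle and deserves the tightest one.
      containers:
        - name: citadel
          image: "docker.io/istio/citadel:1.4.6"
          imagePullPolicy: IfNotPresent
          args:
            - --append-dns-names=true
            - --grpc-port=8060
            - --citadel-storage-namespace=istio-system
            # Extra SAN so pilot's cert also covers its service hostname.
            - --custom-dns-names=istio-pilot-service-account.istio-system:istio-pilot.istio-system
            - --monitoring-port=15014
            # Self-signed root: acceptable for evaluation. For production
            # the root should come from an operator-managed CA so that it
            # survives the pod and is trusted outside the cluster.
            - --self-signed-ca=true
            # 2160h == 90 days per workload certificate.
            - --workload-cert-ttl=2160h
          env:
            # Matches the "watching all namespaces" note above: every
            # namespace gets certificates unless opted out.
            - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT
              value: "true"
          resources:
            requests:
              cpu: 10m

      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy node label spelling.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
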
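---
# Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
# Mutating-admission webhook server that injects the sidecar into pods.
# It serves TLS from the istio.<sa-name> secret and, because
# --reconcileWebhookConfig=true, writes its own CA bundle into the
# MutatingWebhookConfiguration (which ships with caBundle: "").
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: release-name
    istio: sidecar-injector
spec:
  replicas: 1
  selector:
    matchLabels:
      istio: sidecar-injector
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: sidecarInjectorWebhook
        chart: sidecarInjectorWebhook
        heritage: Tiller
        release: release-name
        istio: sidecar-injector
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-sidecar-injector-service-account
      containers:
        - name: sidecar-injector-webhook
          image: "docker.io/istio/sidecar_injector:1.4.6"
          imagePullPolicy: IfNotPresent
          args:
            - --caCertFile=/etc/istio/certs/root-cert.pem
            - --tlsCertFile=/etc/istio/certs/cert-chain.pem
            - --tlsKeyFile=/etc/istio/certs/key.pem
            - --injectConfig=/etc/istio/inject/config
            - --meshConfig=/etc/istio/config/mesh
            - --healthCheckInterval=2s
            - --healthCheckFile=/health
            # Keeps the webhook's caBundle in sync with root-cert.pem.
            - --reconcileWebhookConfig=true
          volumeMounts:
            - name: config-volume
              mountPath: /etc/istio/config
              readOnly: true
            - name: certs
              mountPath: /etc/istio/certs
              readOnly: true
            - name: inject-config
              mountPath: /etc/istio/inject
              readOnly: true
          livenessProbe:
            exec:
              command:
                - /usr/local/bin/sidecar-injector
                - probe
                - --probe-path=/health
                - --interval=4s
            initialDelaySeconds: 4
            periodSeconds: 4
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/sidecar-injector
                - probe
                - --probe-path=/health
                - --interval=4s
            initialDelaySeconds: 4
            periodSeconds: 4
          resources:
            requests:
              cpu: 10m

      volumes:
        - name: config-volume
          configMap:
            name: istio
        # Not optional: the pod stays pending until citadel has issued
        # this secret, which is the right failure mode for a TLS server.
        - name: certs
          secret:
            secretName: istio.istio-sidecar-injector-service-account
        - name: inject-config
          configMap:
            name: istio-sidecar-injector
            items:
              - key: config
                path: config
              - key: values
                path: values
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the legacy node label spelling.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
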
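---
# Source: istio/charts/gateways/templates/autoscale.yaml
# CPU-based autoscaling for the ILB gateway, 1..5 replicas.
# autoscaling/v2beta1 is a deprecated API group; autoscaling/v2 is the
# supported replacement on current clusters.

apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-ilbgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: release-name
    app: istio-ilbgateway
    istio: ilbgateway
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ilbgateway
  metrics:
    - type: Resource
      resource:
        name: cpu
        # Percent of the container's cpu request (800m).
        targetAverageUtilization: 80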
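---
# CPU-based autoscaling for the ingress gateway, 1..5 replicas
# (deprecated autoscaling/v2beta1 API group).
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: release-name
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway
  metrics:
    - type: Resource
      resource:
        name: cpu
        # Percent of the container's cpu request (100m) — a low request
        # makes this trigger early.
        targetAverageUtilization: 80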
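---

---
# Source: istio/charts/mixer/templates/autoscale.yaml
# CPU-based autoscaling for mixer policy, 1..5 replicas
# (deprecated autoscaling/v2beta1 API group).

apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-policy
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80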
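---
# CPU-based autoscaling for mixer telemetry, 1..5 replicas
# (deprecated autoscaling/v2beta1 API group).
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-telemetry
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80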
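---

---
# Source: istio/charts/pilot/templates/autoscale.yaml
# CPU-based autoscaling for pilot, 1..5 replicas
# (deprecated autoscaling/v2beta1 API group).

apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Tiller
    release: release-name
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-pilot
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80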
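---

---
# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
# Registers the sidecar injector as a mutating admission webhook for pod
# CREATE in namespaces labelled istio-injection=enabled.
# admissionregistration.k8s.io/v1beta1 has since been removed from
# Kubernetes; the v1 API is the supported replacement.

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: release-name
webhooks:
  - name: sidecar-injector.istio.io
    clientConfig:
      service:
        name: istio-sidecar-injector
        namespace: istio-system
        path: "/inject"
      # Empty on purpose: the injector deployment runs with
      # --reconcileWebhookConfig=true and fills this in from its root cert.
      # Until it does, the API server cannot verify the webhook's TLS cert.
      caBundle: ""
    rules:
      # Only CREATE is intercepted; updates to existing pods are not.
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    # Fail closed: while the injector is unreachable, pod creation in
    # opted-in namespaces is rejected instead of silently producing
    # un-meshed pods.
    failurePolicy: Fail
    # Opt-in per namespace.
    namespaceSelector:
      matchLabels:
        istio-injection: enabled
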
---
# Source: istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl
# The chart templates listed from here down to the mixer config.yaml
# produced no objects in this rendering; only their Source markers remain.


---
# Source: istio/charts/gateways/templates/preconfigured.yaml


---
# Source: istio/charts/pilot/templates/configmap.yaml


---
# Source: istio/charts/pilot/templates/meshexpansion.yaml



---
# Source: istio/charts/prometheus/templates/ingress.yaml

---
# Source: istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml


---
# Source: istio/charts/security/templates/enable-mesh-mtls.yaml


---
# Source: istio/charts/security/templates/enable-mesh-permissive.yaml


---
# Source: istio/charts/security/templates/meshexpansion.yaml


---
# Source: istio/charts/security/templates/tests/test-citadel-connection.yaml


---
# Source: istio/templates/endpoints.yaml


---
# Source: istio/templates/install-custom-resources.sh.tpl


---
# Source: istio/templates/service.yaml


---
# Source: istio/charts/mixer/templates/config.yaml

# Attribute manifest "istioproxy": declares the names and value types of the
# attributes the proxy reports to Mixer. Instances and rules further down
# reference these names in their expressions.
# NOTE(review): several attributes here are, by name, credential-bearing
# (request.headers, request.auth.claims, request.auth.raw_claims,
# request.api_key). Declaring them makes them available to every handler
# and dimension expression; be deliberate about which instances consume
# them so credential material does not end up in telemetry labels or logs.
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
  name: istioproxy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  attributes:
    origin.ip:
      valueType: IP_ADDRESS
    origin.uid:
      valueType: STRING
    origin.user:
      valueType: STRING
    request.headers:
      valueType: STRING_MAP
    request.id:
      valueType: STRING
    request.host:
      valueType: STRING
    request.method:
      valueType: STRING
    request.path:
      valueType: STRING
    request.url_path:
      valueType: STRING
    request.query_params:
      valueType: STRING_MAP
    request.reason:
      valueType: STRING
    request.referer:
      valueType: STRING
    request.scheme:
      valueType: STRING
    request.total_size:
      valueType: INT64
    request.size:
      valueType: INT64
    request.time:
      valueType: TIMESTAMP
    request.useragent:
      valueType: STRING
    response.code:
      valueType: INT64
    response.duration:
      valueType: DURATION
    response.headers:
      valueType: STRING_MAP
    response.total_size:
      valueType: INT64
    response.size:
      valueType: INT64
    response.time:
      valueType: TIMESTAMP
    response.grpc_status:
      valueType: STRING
    response.grpc_message:
      valueType: STRING
    source.uid:
      valueType: STRING
    source.user: # DEPRECATED
      valueType: STRING
    source.principal:
      valueType: STRING
    destination.uid:
      valueType: STRING
    destination.principal:
      valueType: STRING
    destination.port:
      valueType: INT64
    connection.event:
      valueType: STRING
    connection.id:
      valueType: STRING
    connection.received.bytes:
      valueType: INT64
    connection.received.bytes_total:
      valueType: INT64
    connection.sent.bytes:
      valueType: INT64
    connection.sent.bytes_total:
      valueType: INT64
    connection.duration:
      valueType: DURATION
    # Whether the connection was established with mutual TLS; consumed by
    # the connection_security_policy dimension of the metric instances.
    connection.mtls:
      valueType: BOOL
    connection.requested_server_name:
      valueType: STRING
    context.protocol:
      valueType: STRING
    context.proxy_error_code:
      valueType: STRING
    context.timestamp:
      valueType: TIMESTAMP
    context.time:
      valueType: TIMESTAMP
    # Deprecated, kept for compatibility
    context.reporter.local:
      valueType: BOOL
    context.reporter.kind:
      valueType: STRING
    context.reporter.uid:
      valueType: STRING
    api.service:
      valueType: STRING
    api.version:
      valueType: STRING
    api.operation:
      valueType: STRING
    api.protocol:
      valueType: STRING
    request.auth.principal:
      valueType: STRING
    request.auth.audiences:
      valueType: STRING
    request.auth.presenter:
      valueType: STRING
    request.auth.claims:
      valueType: STRING_MAP
    request.auth.raw_claims:
      valueType: STRING
    request.api_key:
      valueType: STRING
    rbac.permissive.response_code:
      valueType: STRING
    rbac.permissive.effective_policy_id:
      valueType: STRING
    check.error_code:
      valueType: INT64
    check.error_message:
      valueType: STRING
    check.cache_hit:
      valueType: BOOL
    quota.cache_hit:
      valueType: BOOL
    context.proxy_version:
      valueType: STRING

---
# Attribute manifest "kubernetes": declares the workload/service identity
# attributes that the kubernetesenv adapter fills in (see the `attributes`
# instance and its attributeBindings further down).
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
  name: kubernetes
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  attributes:
    source.ip:
      valueType: IP_ADDRESS
    source.labels:
      valueType: STRING_MAP
    source.metadata:
      valueType: STRING_MAP
    source.name:
      valueType: STRING
    source.namespace:
      valueType: STRING
    source.owner:
      valueType: STRING
    source.serviceAccount:
      valueType: STRING
    source.services:
      valueType: STRING
    source.workload.uid:
      valueType: STRING
    source.workload.name:
      valueType: STRING
    source.workload.namespace:
      valueType: STRING
    destination.ip:
      valueType: IP_ADDRESS
    destination.labels:
      valueType: STRING_MAP
    destination.metadata:
      valueType: STRING_MAP
    destination.owner:
      valueType: STRING
    destination.name:
      valueType: STRING
    destination.container.name:
      valueType: STRING
    destination.namespace:
      valueType: STRING
    destination.service.uid:
      valueType: STRING
    destination.service.name:
      valueType: STRING
    destination.service.namespace:
      valueType: STRING
    destination.service.host:
      valueType: STRING
    destination.serviceAccount:
      valueType: STRING
    destination.workload.uid:
      valueType: STRING
    destination.workload.name:
      valueType: STRING
    destination.workload.namespace:
      valueType: STRING
---
---
# Metric instance "requestcount": one unit per HTTP/gRPC request. The
# dimensions below become the label set of the requests_total metric
# declared in the prometheus handler. In every expression, `|` supplies
# the default used when the attribute on its left is absent.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestcount
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      # "source" when the reporting proxy is on the outbound side, otherwise
      # "destination" (missing reporter kind is treated as inbound).
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # Prefer the resolved service host; if it is absent, use the request
      # Host header only when a service name was resolved, else "unknown".
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A missing response.code is recorded as 200, i.e. as a success.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # "unknown" for outbound reporters; otherwise "mutual_tls" when
      # connection.mtls is true and "none" when false or unset.
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      monitored_resource_type: '"UNSPECIFIED"'
---
# Metric instance "requestduration": records response.duration (default
# "0ms") per request; backs request_duration_seconds in the prometheus
# handler. Dimensions are identical to the requestcount instance.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestduration
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: response.duration | "0ms"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A missing response.code is recorded as 200.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      monitored_resource_type: '"UNSPECIFIED"'
---
# Metric instance "requestsize": records request.size (default 0) per
# request; backs request_bytes in the prometheus handler. Dimensions are
# identical to the requestcount instance.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestsize
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: request.size | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A missing response.code is recorded as 200.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      monitored_resource_type: '"UNSPECIFIED"'
---
# Metric instance "responsesize": records response.size (default 0) per
# request; backs response_bytes in the prometheus handler. Dimensions are
# identical to the requestcount instance.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: responsesize
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: response.size | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A missing response.code is recorded as 200.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      monitored_resource_type: '"UNSPECIFIED"'
---
# Metric instance "tcpbytesent": records connection.sent.bytes (default 0)
# for TCP traffic; backs tcp_sent_bytes_total in the prometheus handler.
# Compared with the HTTP instances, the TCP dimension set has no
# request_protocol, response_code or permissive_* labels, and
# destination_service falls back straight to "unknown".
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpbytesent
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: connection.sent.bytes | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # "unknown" for outbound reporters; otherwise derived from connection.mtls.
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
---
# Metric instance "tcpbytereceived": records connection.received.bytes
# (default 0) for TCP traffic; backs tcp_received_bytes_total in the
# prometheus handler. Dimensions are identical to the tcpbytesent instance.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpbytereceived
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: connection.received.bytes | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
---
# Metric instance "tcpconnectionsopened": one unit per TCP connection open
# event (the promtcpconnectionopen rule selects the events); backs
# tcp_connections_opened_total. Dimensions are identical to tcpbytesent.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpconnectionsopened
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
---
# Metric instance "tcpconnectionsclosed": one unit per TCP connection close
# event (the promtcpconnectionclosed rule selects the events); backs
# tcp_connections_closed_total. Dimensions are identical to tcpbytesent.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpconnectionsclosed
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
---
# Prometheus handler: maps each metric instance above to an exported
# Prometheus metric. Each entry's label_names must match the dimension keys
# of the instance it names; the instance is addressed by its fully
# qualified name <instance>.instance.<namespace>.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledAdapter: prometheus
  params:
    # Series that receive no updates for this long are expired from the
    # exporter, bounding label-set growth.
    metricsExpirationPolicy:
      metricsExpiryDuration: "10m"
    metrics:
      # requestcount -> requests_total (counter)
      - name: requests_total
        instance_name: requestcount.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
      # requestduration -> request_duration_seconds (histogram with
      # explicit bucket bounds, 5ms to 10s)
      - name: request_duration_seconds
        instance_name: requestduration.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          explicit_buckets:
            bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
      # requestsize -> request_bytes (histogram; 8 finite buckets whose
      # bounds start at 1 and grow by a factor of 10)
      - name: request_bytes
        instance_name: requestsize.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          exponentialBuckets:
            numFiniteBuckets: 8
            scale: 1
            growthFactor: 10
      # responsesize -> response_bytes (same bucket layout as request_bytes)
      - name: response_bytes
        instance_name: responsesize.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          exponentialBuckets:
            numFiniteBuckets: 8
            scale: 1
            growthFactor: 10
      # tcpbytesent -> tcp_sent_bytes_total (counter; TCP label set)
      - name: tcp_sent_bytes_total
        instance_name: tcpbytesent.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      # tcpbytereceived -> tcp_received_bytes_total (counter; TCP label set)
      - name: tcp_received_bytes_total
        instance_name: tcpbytereceived.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      # tcpconnectionsopened -> tcp_connections_opened_total (counter)
      - name: tcp_connections_opened_total
        instance_name: tcpconnectionsopened.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      # tcpconnectionsclosed -> tcp_connections_closed_total (counter)
      - name: tcp_connections_closed_total
        instance_name: tcpconnectionsclosed.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
---
# Rule "promhttp": sends the four HTTP metric instances to the prometheus
# handler for http and grpc traffic. Requests whose User-Agent matches
# kube-probe* or Prometheus* are excluded so that health probes and
# Prometheus scrapes do not inflate request metrics. Since the filter keys
# on the client-supplied User-Agent header (request.useragent), it is a
# telemetry-hygiene filter, not a trust boundary.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promhttp
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false)
  actions:
    - handler: prometheus
      instances:
        - requestcount
        - requestduration
        - requestsize
        - responsesize
---
# Rule "promtcp": for TCP traffic, sends the byte-count instances to the
# prometheus handler.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcp
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  match: context.protocol == "tcp"
  actions:
    - handler: prometheus
      instances:
        - tcpbytesent
        - tcpbytereceived
---
# Rule "promtcpconnectionopen": counts TCP connection open events
# (connection.event == "open"; a missing event defaults to "na" and does
# not match).
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcpconnectionopen
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  match: context.protocol == "tcp" && ((connection.event | "na") == "open")
  actions:
    - handler: prometheus
      instances:
        - tcpconnectionsopened
---
# Rule "promtcpconnectionclosed": counts TCP connection close events
# (connection.event == "close"; a missing event defaults to "na" and does
# not match).
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcpconnectionclosed
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  match: context.protocol == "tcp" && ((connection.event | "na") == "close")
  actions:
    - handler: prometheus
      instances:
        - tcpconnectionsclosed
---
# Handler "kubernetesenv": the adapter that resolves pod/workload identity
# for the `attributes` instance below. params is left empty in this
# rendering; the commented-out kubeconfig_path shows the out-of-cluster
# development alternative.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: kubernetesenv
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledAdapter: kubernetesenv
  params:
    # when running from mixer root, use the following config after adding a
    # symbolic link to a kubernetes config file via:
    #
    # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
    #
    # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"

---
# Rule "kubeattrgenrulerule": runs the kubernetesenv handler with the
# `attributes` instance. It has no match clause, so it presumably applies
# to every request Mixer sees (confirm against the Mixer rule semantics).
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: kubeattrgenrulerule
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  actions:
    - handler: kubernetesenv
      instances:
        - attributes
---
# Rule "tcpkubeattrgenrulerule": same action as kubeattrgenrulerule, but
# explicitly scoped to TCP traffic.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: tcpkubeattrgenrulerule
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  match: context.protocol == "tcp"
  actions:
    - handler: kubernetesenv
      instances:
        - attributes
---
# Instance "attributes" (kubernetes template): hands source/destination
# uid, ip and port to the kubernetesenv adapter, then binds the adapter's
# output ($out.*) back onto the mesh attributes declared in the
# "kubernetes" attribute manifest. Every binding carries a default so a
# lookup miss yields "unknown"/"default"/0.0.0.0/empty rather than an
# absent attribute.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: attributes
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  compiledTemplate: kubernetes
  params:
    # Pass the required attribute data to the adapter
    source_uid: source.uid | ""
    source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
    destination_uid: destination.uid | ""
    destination_port: destination.port | 0
  attributeBindings:
    # Fill the new attributes from the adapter produced output.
    # $out refers to an instance of OutputTemplate message
    source.ip: $out.source_pod_ip | ip("0.0.0.0")
    source.uid: $out.source_pod_uid | "unknown"
    source.labels: $out.source_labels | emptyStringMap()
    source.name: $out.source_pod_name | "unknown"
    # Unresolved namespaces are reported as "default", not "unknown";
    # keep this in mind when reading namespace-keyed telemetry.
    source.namespace: $out.source_namespace | "default"
    source.owner: $out.source_owner | "unknown"
    source.serviceAccount: $out.source_service_account_name | "unknown"
    source.workload.uid: $out.source_workload_uid | "unknown"
    source.workload.name: $out.source_workload_name | "unknown"
    source.workload.namespace: $out.source_workload_namespace | "unknown"
    destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
    destination.uid: $out.destination_pod_uid | "unknown"
    destination.labels: $out.destination_labels | emptyStringMap()
    destination.name: $out.destination_pod_name | "unknown"
    destination.container.name: $out.destination_container_name | "unknown"
    destination.namespace: $out.destination_namespace | "default"
    destination.owner: $out.destination_owner | "unknown"
    destination.serviceAccount: $out.destination_service_account_name | "unknown"
    destination.workload.uid: $out.destination_workload_uid | "unknown"
    destination.workload.name: $out.destination_workload_name | "unknown"
    destination.workload.namespace: $out.destination_workload_namespace | "unknown"
---
# Configuration needed by Mixer.
# Mixer cluster is delivered via CDS
# Specify mixer cluster settings
#
# DestinationRule for the Mixer policy service: per-port TLS settings that
# proxies use when calling istio-policy.istio-system.svc.cluster.local.
#   - 15004 (grpc-mixer-mtls): ISTIO_MUTUAL — Istio-managed mutual TLS.
#   - 9091 (grpc-mixer): DISABLE — plaintext; policy checks over this port
#     are neither authenticated nor encrypted in transit. Prefer 15004 for
#     workloads that have mesh mTLS available, and treat 9091 traffic as
#     trusted only to the extent the surrounding network is.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  host: istio-policy.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 15004 # grpc-mixer-mtls
        tls:
          mode: ISTIO_MUTUAL
      - port:
          number: 9091 # grpc-mixer
        tls:
          mode: DISABLE
    # Raised limits for the long-lived gRPC connections to Mixer.
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
---
# DestinationRule for the Mixer telemetry service, mirroring istio-policy:
#   - 15004 (grpc-mixer-mtls): ISTIO_MUTUAL — Istio-managed mutual TLS.
#   - 9091 (grpc-mixer): DISABLE — plaintext; telemetry reports sent over
#     this port are unauthenticated and unencrypted in transit.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Tiller
    release: release-name
spec:
  host: istio-telemetry.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 15004 # grpc-mixer-mtls
        tls:
          mode: ISTIO_MUTUAL
      - port:
          number: 9091 # grpc-mixer
        tls:
          mode: DISABLE
    # Raised limits for the long-lived gRPC connections to Mixer.
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
---