6 istio-injection: disabled
8 # Source: istio/charts/galley/templates/configmap.yaml
12 name: istio-galley-configuration
13 namespace: istio-system
# Galley's validating admission webhook, carried in the ConfigMap as an embedded
# manifest. It registers one webhook for Pilot-owned config and one for
# Mixer-owned config; only fragments of the rule lists appear in this listing.
# NOTE(review): failurePolicy and the client CA bundle are not visible here.
# Confirm the policy fails closed if validation is meant to be enforced while
# galley is unavailable.
# NOTE(review): admissionregistration.k8s.io/v1beta1 was removed in
# Kubernetes 1.22; newer clusters will reject this manifest.
21 validatingwebhookconfiguration.yaml: |-
22 apiVersion: admissionregistration.k8s.io/v1beta1
23 kind: ValidatingWebhookConfiguration
26 namespace: istio-system
33 - name: pilot.validation.istio.io
37 namespace: istio-system
66 - authentication.istio.io
# NOTE(review): the entry this comment disables is not shown. Confirm which
# resource type is left unvalidated and that the exemption is still wanted.
82 # disabled per @costinm's request
86 - name: mixer.validation.istio.io
90 namespace: istio-system
128 - servicecontrolreports
134 # Source: istio/charts/grafana/templates/configmap.yaml
138 name: istio-grafana-custom-resources
139 namespace: istio-system
143 release: RELEASE-NAME
147 custom-resources.yaml: |-
148 apiVersion: authentication.istio.io/v1alpha1
151 name: grafana-ports-mtls-disabled
152 namespace: istio-system
# Post-install helper: takes the path of a custom-resource manifest as its only
# argument, waits for the istio-galley deployment when the galley validating
# webhook exists, then applies the manifest.
163 if [ "$#" -ne "1" ]; then
164 echo "first argument should be path to custom resource yaml"
168 pathToResourceYAML=${1}
# stderr is discarded and only the exit status is tested, so an RBAC denial on
# this probe looks the same as "webhook not installed". The script then applies
# the manifest without waiting for validation to be ready.
170 /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
171 if [ "$?" -eq 0 ]; then
172 echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
174 /kubectl -n istio-system get deployment istio-galley 2>/dev/null
175 if [ "$?" -eq 0 ]; then
180 /kubectl -n istio-system rollout status deployment istio-galley
181 if [ "$?" -ne 0 ]; then
182 echo "istio-galley deployment rollout status check failed"
185 echo "istio-galley deployment ready for configuration validation"
# The expansion is unquoted and would word-split on a path containing spaces.
# The grafana post-install Job in this file passes the fixed path
# /tmp/grafana/custom-resources.yaml, so quoting ("${pathToResourceYAML}") is
# hardening rather than a fix for that caller.
188 /kubectl apply -f ${pathToResourceYAML}
192 # Source: istio/charts/mixer/templates/configmap.yaml
196 name: istio-statsd-prom-bridge
197 namespace: istio-system
199 app: istio-statsd-prom-bridge
201 release: RELEASE-NAME
208 # Source: istio/charts/prometheus/templates/configmap.yaml
213 namespace: istio-system
216 chart: prometheus-0.1.0
217 release: RELEASE-NAME
225 - job_name: 'istio-mesh'
226 # Override the global default and scrape targets from this job every 5 seconds.
229 kubernetes_sd_configs:
236 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
238 regex: istio-telemetry;prometheus
241 # Override the global default and scrape targets from this job every 5 seconds.
243 # metrics_path defaults to '/metrics'
244 # scheme defaults to 'http'.
246 kubernetes_sd_configs:
253 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
255 regex: istio-statsd-prom-bridge;statsd-prom
257 - job_name: 'istio-policy'
258 # Override the global default and scrape targets from this job every 5 seconds.
260 # metrics_path defaults to '/metrics'
261 # scheme defaults to 'http'.
263 kubernetes_sd_configs:
271 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
273 regex: istio-policy;http-monitoring
275 - job_name: 'istio-telemetry'
276 # Override the global default and scrape targets from this job every 5 seconds.
278 # metrics_path defaults to '/metrics'
279 # scheme defaults to 'http'.
281 kubernetes_sd_configs:
288 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
290 regex: istio-telemetry;http-monitoring
293 # Override the global default and scrape targets from this job every 5 seconds.
295 # metrics_path defaults to '/metrics'
296 # scheme defaults to 'http'.
298 kubernetes_sd_configs:
305 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
307 regex: istio-pilot;http-monitoring
310 # Override the global default and scrape targets from this job every 5 seconds.
312 # metrics_path defaults to '/metrics'
313 # scheme defaults to 'http'.
315 kubernetes_sd_configs:
322 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
324 regex: istio-galley;http-monitoring
326 # scrape config for API servers
# Authenticates with the pod's mounted service-account token and verifies the
# server against the in-cluster CA file.
327 - job_name: 'kubernetes-apiservers'
328 kubernetes_sd_configs:
335 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
336 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
338 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
340 regex: kubernetes;https
342 # scrape config for nodes (kubelet)
# The target address is rewritten to the API server (kubernetes.default.svc:443)
# and the path to the node proxy sub-resource, so kubelet metrics are fetched
# through the API server with the service-account token.
# NOTE(review): this needs access to nodes/proxy for the Prometheus service
# account. That RBAC rule is not in this excerpt; confirm it grants no more
# than read access for scraping.
343 - job_name: 'kubernetes-nodes'
346 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
347 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
348 kubernetes_sd_configs:
352 regex: __meta_kubernetes_node_label_(.+)
353 - target_label: __address__
354 replacement: kubernetes.default.svc:443
355 - source_labels: [__meta_kubernetes_node_name]
357 target_label: __metrics_path__
358 replacement: /api/v1/nodes/${1}/proxy/metrics
360 # Scrape config for Kubelet cAdvisor.
362 # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
363 # (those whose names begin with 'container_') have been removed from the
364 # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
365 # retrieve those metrics.
367 # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
368 # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
369 # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
370 # the --cadvisor-port=0 Kubelet flag).
372 # This job is not necessary and should be removed in Kubernetes 1.6 and
373 # earlier versions, or it will cause the metrics to be scraped twice.
# Same API-server node-proxy route and credentials as the kubelet job above,
# with the cAdvisor metrics path.
374 - job_name: 'kubernetes-cadvisor'
377 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
378 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
379 kubernetes_sd_configs:
383 regex: __meta_kubernetes_node_label_(.+)
384 - target_label: __address__
385 replacement: kubernetes.default.svc:443
386 - source_labels: [__meta_kubernetes_node_name]
388 target_label: __metrics_path__
389 replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
391 # scrape config for service endpoints.
# Discovery is driven by prometheus.io/* annotations on Services: scrape,
# scheme, path and port are all read from the object's own metadata, so anyone
# who can annotate a Service decides what Prometheus requests from its endpoints.
# NOTE(review): the action/replacement lines of each rule are not shown in this
# listing. If that is broader than intended, restrict discovery by namespace.
392 - job_name: 'kubernetes-service-endpoints'
393 kubernetes_sd_configs:
396 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
399 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
401 target_label: __scheme__
403 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
405 target_label: __metrics_path__
407 - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
409 target_label: __address__
# Captures the host part of __address__ (dropping any existing port) and the
# annotated port, which must be all digits.
410 regex: ([^:]+)(?::\d+)?;(\d+)
413 regex: __meta_kubernetes_service_label_(.+)
414 - source_labels: [__meta_kubernetes_namespace]
416 target_label: kubernetes_namespace
417 - source_labels: [__meta_kubernetes_service_name]
419 target_label: kubernetes_name
421 # Example scrape config for pods
# Pod-level counterpart: the scrape, path and port annotations on the Pod select
# the target, so pod authors control these values.
422 - job_name: 'kubernetes-pods'
423 kubernetes_sd_configs:
427 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
430 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
432 target_label: __metrics_path__
434 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
436 regex: ([^:]+)(?::\d+)?;(\d+)
438 target_label: __address__
440 regex: __meta_kubernetes_pod_label_(.+)
441 - source_labels: [__meta_kubernetes_namespace]
443 target_label: namespace
444 - source_labels: [__meta_kubernetes_pod_name]
446 target_label: pod_name
449 # Source: istio/charts/security/templates/configmap.yaml
453 name: istio-security-custom-resources
454 namespace: istio-system
457 chart: security-1.0.0
458 release: RELEASE-NAME
462 custom-resources.yaml: |-
# Post-install helper for the security chart: takes the path of a
# custom-resource manifest as its only argument, waits for the istio-galley
# deployment when the galley validating webhook exists, then applies the
# manifest. The Job that invokes it is not visible in this listing.
468 if [ "$#" -ne "1" ]; then
469 echo "first argument should be path to custom resource yaml"
473 pathToResourceYAML=${1}
# stderr is discarded and only the exit status is tested, so a permission error
# on this probe is treated like "webhook not installed" and the wait is skipped.
475 /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
476 if [ "$?" -eq 0 ]; then
477 echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
479 /kubectl -n istio-system get deployment istio-galley 2>/dev/null
480 if [ "$?" -eq 0 ]; then
485 /kubectl -n istio-system rollout status deployment istio-galley
486 if [ "$?" -ne 0 ]; then
487 echo "istio-galley deployment rollout status check failed"
490 echo "istio-galley deployment ready for configuration validation"
# Unquoted expansion: a path containing whitespace would be split into several
# arguments. Quote it ("${pathToResourceYAML}") unless the caller always passes
# a fixed path.
493 /kubectl apply -f ${pathToResourceYAML}
497 # Source: istio/templates/configmap.yaml
503 namespace: istio-system
507 release: RELEASE-NAME
511 # Set the following variable to true to disable policy checks by the Mixer.
512 # Note that metrics will still be reported to the Mixer.
513 disablePolicyChecks: false
515 # Set enableTracing to false to disable request tracing.
518 # Set accessLogFile to empty string to disable access log.
519 accessLogFile: "/dev/stdout"
521 # Deprecated: mixer is using EDS
522 mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091
523 mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091
525 # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
526 # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
529 # How frequently should Envoy fetch key/cert from NodeAgent.
535 # TCP connection timeout between Envoy & the application, and between Envoys.
538 ### ADVANCED SETTINGS #############
539 # Where should envoy's configuration be stored in the istio-proxy container
540 configPath: "/etc/istio/proxy"
541 binaryPath: "/usr/local/bin/envoy"
542 # The pseudo service name used for Envoy.
543 serviceCluster: istio-proxy
544 # These settings determine how long an old Envoy
545 # process should be kept alive after an occasional reload.
547 parentShutdownDuration: 1m0s
549 # The mode used to redirect inbound connections to Envoy. This setting
550 # has no effect on outbound traffic: iptables REDIRECT is always used for
551 # outbound connections.
552 # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
553 # The "REDIRECT" mode loses source addresses during redirection.
554 # If "TPROXY", use iptables TPROXY to redirect to Envoy.
555 # The "TPROXY" mode preserves both the source and destination IP
556 # addresses and ports, so that they can be used for advanced filtering
558 # The "TPROXY" mode also configures the sidecar to run with the
559 # CAP_NET_ADMIN capability, which is required to use TPROXY.
560 #interceptionMode: REDIRECT
562 # Port where Envoy listens (on local host) for admin commands
563 # You can exec into the istio-proxy container in a pod and
564 # curl the admin port (curl http://localhost:15000/) to obtain
565 # diagnostic information from Envoy. See
566 # https://lyft.github.io/envoy/docs/operations/admin.html
# NOTE(review): the admin interface is unauthenticated and, besides diagnostics,
# can change proxy state. Confirm it stays bound to localhost and is not
# reachable from other pods.
568 proxyAdminPort: 15000
570 # Zipkin trace collector
571 zipkinAddress: zipkin.istio-system:9411
573 # Statsd metrics collector converts statsd metrics into Prometheus metrics.
574 statsdUdpAddress: istio-statsd-prom-bridge.istio-system:9125
576 # Mutual TLS authentication between sidecars and istio control plane.
# NONE means sidecars reach the control plane without mutual TLS, so the
# discovery channel below is neither authenticated nor encrypted by Istio.
# NOTE(review): set MUTUAL_TLS (and the matching secure Pilot port) where that
# channel must be protected.
577 controlPlaneAuthPolicy: NONE
579 # Address where istio Pilot service is running
# NOTE(review): 15007 is presumably Pilot's plaintext discovery port, matching
# controlPlaneAuthPolicy: NONE above; confirm.
580 discoveryAddress: istio-pilot.istio-system:15007
583 # Source: istio/templates/sidecar-injector-configmap.yaml
588 name: istio-sidecar-injector
589 namespace: istio-system
593 release: RELEASE-NAME
595 istio: sidecar-injector
# Sidecar injection template. [[ ... ]] expressions are filled in per pod by the
# injector from the pod spec, its annotations and the mesh ProxyConfig.
# Images are pinned by tag, not by digest.
602 image: "gcr.io/istio-release/proxy_init:1.0.0"
605 - [[ .MeshConfig.ProxyListenPort ]]
# Interception mode comes from the pod annotation when present, otherwise from
# the mesh-wide ProxyConfig, so a pod author can select the mode per pod.
609 - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
# The traffic.sidecar.istio.io/* annotations below set which IP ranges and ports
# are redirected through the proxy. Their values are substituted as text between
# the double quotes.
# NOTE(review): no escaping or validation is visible in the template. Confirm
# the injector validates annotation values before rendering.
611 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges") -]]
612 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges" ]]"
617 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges") -]]
618 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges" ]]"
623 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts") -]]
624 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts" ]]"
626 - [[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]
628 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts") -]]
629 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts" ]]"
633 imagePullPolicy: IfNotPresent
639 restartPolicy: Always
# The sidecar image is taken from the sidecar.istio.io/proxyImage annotation
# when the pod sets it; otherwise the tag-pinned proxy_debug image is used.
# NOTE(review): whoever can create pods in an injected namespace picks the
# sidecar image through this annotation, and proxy_debug is presumably a
# debugging build. Confirm both are intended outside test clusters.
643 image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]]
644 "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]"
646 gcr.io/istio-release/proxy_debug:1.0.0
652 - [[ .ProxyConfig.ConfigPath ]]
654 - [[ .ProxyConfig.BinaryPath ]]
656 [[ if ne "" (index .ObjectMeta.Labels "app") -]]
657 - [[ index .ObjectMeta.Labels "app" ]]
662 - [[ formatDuration .ProxyConfig.DrainDuration ]]
663 - --parentShutdownDuration
664 - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]
666 - [[ .ProxyConfig.DiscoveryAddress ]]
667 - --discoveryRefreshDelay
668 - [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]
670 - [[ .ProxyConfig.ZipkinAddress ]]
672 - [[ formatDuration .ProxyConfig.ConnectTimeout ]]
674 - [[ .ProxyConfig.StatsdUdpAddress ]]
676 - [[ .ProxyConfig.ProxyAdminPort ]]
677 - --controlPlaneAuthPolicy
# The control-plane auth policy is also overridable per pod by annotation.
678 - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/controlPlaneAuthPolicy") .ProxyConfig.ControlPlaneAuthPolicy ]]
683 fieldPath: metadata.name
684 - name: POD_NAMESPACE
687 fieldPath: metadata.namespace
691 fieldPath: status.podIP
692 - name: ISTIO_META_POD_NAME
695 fieldPath: metadata.name
696 - name: ISTIO_META_INTERCEPTION_MODE
697 value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
698 imagePullPolicy: IfNotPresent
701 readOnlyRootFilesystem: true
# TPROXY-only section of the security context. Its body is not shown in this
# listing; the mesh-config comments in this file state that TPROXY runs the
# sidecar with CAP_NET_ADMIN.
702 [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]]
710 restartPolicy: Always
712 [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU") -]]
714 cpu: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU" ]]"
715 memory: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyMemory" ]]"
722 - mountPath: /etc/istio/proxy
# Workload key/cert material is mounted from the secret named after the pod's
# service account (istio.default when the pod names none).
724 - mountPath: /etc/certs/
734 [[ if eq .Spec.ServiceAccountName "" -]]
735 secretName: istio.default
737 secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]]
741 # Source: istio/charts/galley/templates/serviceaccount.yaml
745 name: istio-galley-service-account
746 namespace: istio-system
751 release: RELEASE-NAME
754 # Source: istio/charts/gateways/templates/serviceaccount.yaml
759 name: istio-egressgateway-service-account
760 namespace: istio-system
763 chart: gateways-1.0.0
765 release: RELEASE-NAME
770 name: istio-ingressgateway-service-account
771 namespace: istio-system
774 chart: gateways-1.0.0
776 release: RELEASE-NAME
780 # Source: istio/charts/grafana/templates/create-custom-resources-job.yaml
# Service account, cluster-wide role and binding used only by the grafana
# post-install hook Job below.
784 name: istio-grafana-post-install-account
785 namespace: istio-system
790 release: RELEASE-NAME
792 apiVersion: rbac.authorization.k8s.io/v1beta1
795 name: istio-grafana-post-install-istio-system
800 release: RELEASE-NAME
# NOTE(review): the resources and verbs of this rule are not shown. Confirm they
# are limited to creating the default authentication policy, as the inline
# comment says.
802 - apiGroups: ["authentication.istio.io"] # needed to create default authn policy
806 apiVersion: rbac.authorization.k8s.io/v1beta1
807 kind: ClusterRoleBinding
809 name: istio-grafana-post-install-role-binding-istio-system
814 release: RELEASE-NAME
816 apiGroup: rbac.authorization.k8s.io
818 name: istio-grafana-post-install-istio-system
820 - kind: ServiceAccount
821 name: istio-grafana-post-install-account
822 namespace: istio-system
827 name: istio-grafana-post-install
828 namespace: istio-system
830 "helm.sh/hook": post-install
831 "helm.sh/hook-delete-policy": hook-succeeded
835 release: RELEASE-NAME
840 name: istio-grafana-post-install
843 release: RELEASE-NAME
845 serviceAccountName: istio-grafana-post-install-account
# The Job runs a script and applies a manifest that both come from the mounted
# ConfigMap istio-grafana-custom-resources. The ConfigMap's content is therefore
# executed with this service account's permissions, so write access to it
# should be as tightly held as the account itself.
# The hyperkube image is pinned by tag (v1.7.6), not by digest.
848 image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
849 command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ]
851 - mountPath: "/tmp/grafana"
852 name: tmp-configmap-grafana
854 - name: tmp-configmap-grafana
856 name: istio-grafana-custom-resources
857 restartPolicy: OnFailure
860 # Source: istio/charts/mixer/templates/serviceaccount.yaml
864 name: istio-mixer-service-account
865 namespace: istio-system
870 release: RELEASE-NAME
873 # Source: istio/charts/pilot/templates/serviceaccount.yaml
877 name: istio-pilot-service-account
878 namespace: istio-system
883 release: RELEASE-NAME
886 # Source: istio/charts/prometheus/templates/serviceaccount.yaml
891 namespace: istio-system
894 # Source: istio/charts/security/templates/cleanup-secrets.yaml
895 # A ServiceAccount and ClusterRole are created specifically for this
896 # post-delete hook Job because the citadel ServiceAccount is deleted
897 # before this hook is launched. Running the hook before citadel is
898 # deleted (e.g. pre-delete) would not work either: the secrets would be
899 # re-created immediately by the still-running citadel.
901 # The ServiceAccount, ClusterRole and ClusterRoleBinding must exist before
902 # the hooked Job runs, hence the hook weights.
907 name: istio-cleanup-secrets-service-account
908 namespace: istio-system
910 "helm.sh/hook": post-delete
911 "helm.sh/hook-delete-policy": hook-succeeded
912 "helm.sh/hook-weight": "1"
915 chart: security-1.0.0
917 release: RELEASE-NAME
919 apiVersion: rbac.authorization.k8s.io/v1beta1
922 name: istio-cleanup-secrets-istio-system
924 "helm.sh/hook": post-delete
925 "helm.sh/hook-delete-policy": hook-succeeded
926 "helm.sh/hook-weight": "1"
929 chart: security-1.0.0
931 release: RELEASE-NAME
# list + delete on secrets, bound below with a ClusterRoleBinding: the hook
# account can enumerate and delete secrets in every namespace while it exists.
934 resources: ["secrets"]
935 verbs: ["list", "delete"]
937 apiVersion: rbac.authorization.k8s.io/v1beta1
938 kind: ClusterRoleBinding
940 name: istio-cleanup-secrets-istio-system
942 "helm.sh/hook": post-delete
943 "helm.sh/hook-delete-policy": hook-succeeded
944 "helm.sh/hook-weight": "2"
947 chart: security-1.0.0
949 release: RELEASE-NAME
951 apiGroup: rbac.authorization.k8s.io
953 name: istio-cleanup-secrets-istio-system
955 - kind: ServiceAccount
956 name: istio-cleanup-secrets-service-account
957 namespace: istio-system
962 name: istio-cleanup-secrets
963 namespace: istio-system
965 "helm.sh/hook": post-delete
966 "helm.sh/hook-delete-policy": hook-succeeded
967 "helm.sh/hook-weight": "3"
970 chart: security-1.0.0
971 release: RELEASE-NAME
976 name: istio-cleanup-secrets
979 release: RELEASE-NAME
981 serviceAccountName: istio-cleanup-secrets-service-account
# The hyperkube image is pinned by tag (v1.7.6), not by digest.
984 image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
# Deletes every secret whose listing row contains "istio.io/key-and-cert", in
# all namespaces. Nothing in the filter ties a secret to this release, so
# secrets of that type created by another Istio installation in the same
# cluster would be removed as well.
# $entry, $name and $ns are expanded unquoted. Kubernetes names contain no
# whitespace, so quoting them is hardening, not a behaviour change.
989 kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
990 ns=$(echo $entry | awk '{print $1}');
991 name=$(echo $entry | awk '{print $2}');
992 kubectl delete secret $name -n $ns;
994 restartPolicy: OnFailure
997 # Source: istio/charts/security/templates/serviceaccount.yaml
1001 name: istio-citadel-service-account
1002 namespace: istio-system
1005 chart: security-1.0.0
1007 release: RELEASE-NAME
1010 # Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
1012 kind: ServiceAccount
1014 name: istio-sidecar-injector-service-account
1015 namespace: istio-system
1017 app: istio-sidecar-injector
1018 chart: sidecarInjectorWebhook-1.0.0
1020 release: RELEASE-NAME
1023 # Source: istio/templates/crds.yaml
1025 # these CRDs only make sense when pilot is enabled
1027 apiVersion: apiextensions.k8s.io/v1beta1
1028 kind: CustomResourceDefinition
1030 name: virtualservices.networking.istio.io
1032 "helm.sh/hook": crd-install
1036 group: networking.istio.io
1038 kind: VirtualService
1039 listKind: VirtualServiceList
1040 plural: virtualservices
1041 singular: virtualservice
1044 - networking-istio-io
1048 apiVersion: apiextensions.k8s.io/v1beta1
1049 kind: CustomResourceDefinition
1051 name: destinationrules.networking.istio.io
1053 "helm.sh/hook": crd-install
1057 group: networking.istio.io
1059 kind: DestinationRule
1060 listKind: DestinationRuleList
1061 plural: destinationrules
1062 singular: destinationrule
1065 - networking-istio-io
1069 apiVersion: apiextensions.k8s.io/v1beta1
1070 kind: CustomResourceDefinition
1072 name: serviceentries.networking.istio.io
1074 "helm.sh/hook": crd-install
1078 group: networking.istio.io
1081 listKind: ServiceEntryList
1082 plural: serviceentries
1083 singular: serviceentry
1086 - networking-istio-io
1090 apiVersion: apiextensions.k8s.io/v1beta1
1091 kind: CustomResourceDefinition
1093 name: gateways.networking.istio.io
1095 "helm.sh/hook": crd-install
1096 "helm.sh/hook-weight": "-5"
1100 group: networking.istio.io
1107 - networking-istio-io
1111 apiVersion: apiextensions.k8s.io/v1beta1
1112 kind: CustomResourceDefinition
1114 name: envoyfilters.networking.istio.io
1116 "helm.sh/hook": crd-install
1120 group: networking.istio.io
1123 plural: envoyfilters
1124 singular: envoyfilter
1127 - networking-istio-io
1133 # these CRDs only make sense when security is enabled
1137 kind: CustomResourceDefinition
1138 apiVersion: apiextensions.k8s.io/v1beta1
1141 "helm.sh/hook": crd-install
1142 name: httpapispecbindings.config.istio.io
1144 group: config.istio.io
1146 kind: HTTPAPISpecBinding
1147 plural: httpapispecbindings
1148 singular: httpapispecbinding
1155 kind: CustomResourceDefinition
1156 apiVersion: apiextensions.k8s.io/v1beta1
1159 "helm.sh/hook": crd-install
1160 name: httpapispecs.config.istio.io
1162 group: config.istio.io
1165 plural: httpapispecs
1166 singular: httpapispec
1173 kind: CustomResourceDefinition
1174 apiVersion: apiextensions.k8s.io/v1beta1
1177 "helm.sh/hook": crd-install
1178 name: quotaspecbindings.config.istio.io
1180 group: config.istio.io
1182 kind: QuotaSpecBinding
1183 plural: quotaspecbindings
1184 singular: quotaspecbinding
1191 kind: CustomResourceDefinition
1192 apiVersion: apiextensions.k8s.io/v1beta1
1195 "helm.sh/hook": crd-install
1196 name: quotaspecs.config.istio.io
1198 group: config.istio.io
1211 kind: CustomResourceDefinition
1212 apiVersion: apiextensions.k8s.io/v1beta1
1214 name: rules.config.istio.io
1216 "helm.sh/hook": crd-install
1219 package: istio.io.mixer
1222 group: config.istio.io
1234 kind: CustomResourceDefinition
1235 apiVersion: apiextensions.k8s.io/v1beta1
1237 name: attributemanifests.config.istio.io
1239 "helm.sh/hook": crd-install
1242 package: istio.io.mixer
1245 group: config.istio.io
1247 kind: attributemanifest
1248 plural: attributemanifests
1249 singular: attributemanifest
1257 kind: CustomResourceDefinition
1258 apiVersion: apiextensions.k8s.io/v1beta1
1260 name: bypasses.config.istio.io
1262 "helm.sh/hook": crd-install
1266 istio: mixer-adapter
1268 group: config.istio.io
1280 kind: CustomResourceDefinition
1281 apiVersion: apiextensions.k8s.io/v1beta1
1283 name: circonuses.config.istio.io
1285 "helm.sh/hook": crd-install
1289 istio: mixer-adapter
1291 group: config.istio.io
1303 kind: CustomResourceDefinition
1304 apiVersion: apiextensions.k8s.io/v1beta1
1306 name: deniers.config.istio.io
1308 "helm.sh/hook": crd-install
1312 istio: mixer-adapter
1314 group: config.istio.io
1326 kind: CustomResourceDefinition
1327 apiVersion: apiextensions.k8s.io/v1beta1
1329 name: fluentds.config.istio.io
1331 "helm.sh/hook": crd-install
1335 istio: mixer-adapter
1337 group: config.istio.io
1349 kind: CustomResourceDefinition
1350 apiVersion: apiextensions.k8s.io/v1beta1
1352 name: kubernetesenvs.config.istio.io
1354 "helm.sh/hook": crd-install
1357 package: kubernetesenv
1358 istio: mixer-adapter
1360 group: config.istio.io
1363 plural: kubernetesenvs
1364 singular: kubernetesenv
1372 kind: CustomResourceDefinition
1373 apiVersion: apiextensions.k8s.io/v1beta1
1375 name: listcheckers.config.istio.io
1377 "helm.sh/hook": crd-install
1380 package: listchecker
1381 istio: mixer-adapter
1383 group: config.istio.io
1386 plural: listcheckers
1387 singular: listchecker
1395 kind: CustomResourceDefinition
1396 apiVersion: apiextensions.k8s.io/v1beta1
1398 name: memquotas.config.istio.io
1400 "helm.sh/hook": crd-install
1404 istio: mixer-adapter
1406 group: config.istio.io
1418 kind: CustomResourceDefinition
1419 apiVersion: apiextensions.k8s.io/v1beta1
1421 name: noops.config.istio.io
1423 "helm.sh/hook": crd-install
1427 istio: mixer-adapter
1429 group: config.istio.io
1441 kind: CustomResourceDefinition
1442 apiVersion: apiextensions.k8s.io/v1beta1
1444 name: opas.config.istio.io
1446 "helm.sh/hook": crd-install
1450 istio: mixer-adapter
1452 group: config.istio.io
1464 kind: CustomResourceDefinition
1465 apiVersion: apiextensions.k8s.io/v1beta1
1467 name: prometheuses.config.istio.io
1469 "helm.sh/hook": crd-install
1473 istio: mixer-adapter
1475 group: config.istio.io
1478 plural: prometheuses
1479 singular: prometheus
1487 kind: CustomResourceDefinition
1488 apiVersion: apiextensions.k8s.io/v1beta1
1490 name: rbacs.config.istio.io
1492 "helm.sh/hook": crd-install
1496 istio: mixer-adapter
1498 group: config.istio.io
1510 kind: CustomResourceDefinition
1511 apiVersion: apiextensions.k8s.io/v1beta1
1513 name: redisquotas.config.istio.io
1515 "helm.sh/hook": crd-install
1518 istio: mixer-adapter
1520 group: config.istio.io
1524 singular: redisquota
1529 kind: CustomResourceDefinition
1530 apiVersion: apiextensions.k8s.io/v1beta1
1532 name: servicecontrols.config.istio.io
1534 "helm.sh/hook": crd-install
1537 package: servicecontrol
1538 istio: mixer-adapter
1540 group: config.istio.io
1542 kind: servicecontrol
1543 plural: servicecontrols
1544 singular: servicecontrol
1553 kind: CustomResourceDefinition
1554 apiVersion: apiextensions.k8s.io/v1beta1
1556 name: signalfxs.config.istio.io
1558 "helm.sh/hook": crd-install
1562 istio: mixer-adapter
1564 group: config.istio.io
1576 kind: CustomResourceDefinition
1577 apiVersion: apiextensions.k8s.io/v1beta1
1579 name: solarwindses.config.istio.io
1581 "helm.sh/hook": crd-install
1585 istio: mixer-adapter
1587 group: config.istio.io
1590 plural: solarwindses
1591 singular: solarwinds
1599 kind: CustomResourceDefinition
1600 apiVersion: apiextensions.k8s.io/v1beta1
1602 name: stackdrivers.config.istio.io
1604 "helm.sh/hook": crd-install
1607 package: stackdriver
1608 istio: mixer-adapter
1610 group: config.istio.io
1613 plural: stackdrivers
1614 singular: stackdriver
1622 kind: CustomResourceDefinition
1623 apiVersion: apiextensions.k8s.io/v1beta1
1625 name: statsds.config.istio.io
1627 "helm.sh/hook": crd-install
1631 istio: mixer-adapter
1633 group: config.istio.io
1645 kind: CustomResourceDefinition
1646 apiVersion: apiextensions.k8s.io/v1beta1
1648 name: stdios.config.istio.io
1650 "helm.sh/hook": crd-install
1654 istio: mixer-adapter
1656 group: config.istio.io
1668 kind: CustomResourceDefinition
1669 apiVersion: apiextensions.k8s.io/v1beta1
1671 name: apikeys.config.istio.io
1673 "helm.sh/hook": crd-install
1677 istio: mixer-instance
1679 group: config.istio.io
1691 kind: CustomResourceDefinition
1692 apiVersion: apiextensions.k8s.io/v1beta1
1694 name: authorizations.config.istio.io
1696 "helm.sh/hook": crd-install
1699 package: authorization
1700 istio: mixer-instance
1702 group: config.istio.io
1705 plural: authorizations
1706 singular: authorization
1714 kind: CustomResourceDefinition
1715 apiVersion: apiextensions.k8s.io/v1beta1
1717 name: checknothings.config.istio.io
1719 "helm.sh/hook": crd-install
1722 package: checknothing
1723 istio: mixer-instance
1725 group: config.istio.io
1728 plural: checknothings
1729 singular: checknothing
1737 kind: CustomResourceDefinition
1738 apiVersion: apiextensions.k8s.io/v1beta1
1740 name: kuberneteses.config.istio.io
1742 "helm.sh/hook": crd-install
1745 package: adapter.template.kubernetes
1746 istio: mixer-instance
1748 group: config.istio.io
1751 plural: kuberneteses
1752 singular: kubernetes
1760 kind: CustomResourceDefinition
1761 apiVersion: apiextensions.k8s.io/v1beta1
1763 name: listentries.config.istio.io
1765 "helm.sh/hook": crd-install
1769 istio: mixer-instance
1771 group: config.istio.io
1783 kind: CustomResourceDefinition
1784 apiVersion: apiextensions.k8s.io/v1beta1
1786 name: logentries.config.istio.io
1788 "helm.sh/hook": crd-install
1792 istio: mixer-instance
1794 group: config.istio.io
1806 kind: CustomResourceDefinition
1807 apiVersion: apiextensions.k8s.io/v1beta1
1809 name: edges.config.istio.io
1811 "helm.sh/hook": crd-install
1815 istio: mixer-instance
1817 group: config.istio.io
1829 kind: CustomResourceDefinition
1830 apiVersion: apiextensions.k8s.io/v1beta1
1832 name: metrics.config.istio.io
1834 "helm.sh/hook": crd-install
1838 istio: mixer-instance
1840 group: config.istio.io
1852 kind: CustomResourceDefinition
1853 apiVersion: apiextensions.k8s.io/v1beta1
1855 name: quotas.config.istio.io
1857 "helm.sh/hook": crd-install
1861 istio: mixer-instance
1863 group: config.istio.io
1875 kind: CustomResourceDefinition
1876 apiVersion: apiextensions.k8s.io/v1beta1
1878 name: reportnothings.config.istio.io
1880 "helm.sh/hook": crd-install
1883 package: reportnothing
1884 istio: mixer-instance
1886 group: config.istio.io
1889 plural: reportnothings
1890 singular: reportnothing
1898 kind: CustomResourceDefinition
1899 apiVersion: apiextensions.k8s.io/v1beta1
1901 name: servicecontrolreports.config.istio.io
1903 "helm.sh/hook": crd-install
1906 package: servicecontrolreport
1907 istio: mixer-instance
1909 group: config.istio.io
1911 kind: servicecontrolreport
1912 plural: servicecontrolreports
1913 singular: servicecontrolreport
1921 kind: CustomResourceDefinition
1922 apiVersion: apiextensions.k8s.io/v1beta1
1924 name: tracespans.config.istio.io
1926 "helm.sh/hook": crd-install
1930 istio: mixer-instance
1932 group: config.istio.io
1944 kind: CustomResourceDefinition
1945 apiVersion: apiextensions.k8s.io/v1beta1
1947 name: rbacconfigs.rbac.istio.io
1949 "helm.sh/hook": crd-install
1952 package: istio.io.mixer
1955 group: rbac.istio.io
1959 singular: rbacconfig
1967 kind: CustomResourceDefinition
1968 apiVersion: apiextensions.k8s.io/v1beta1
1970 name: serviceroles.rbac.istio.io
1972 "helm.sh/hook": crd-install
1975 package: istio.io.mixer
1978 group: rbac.istio.io
1981 plural: serviceroles
1982 singular: servicerole
1990 kind: CustomResourceDefinition
1991 apiVersion: apiextensions.k8s.io/v1beta1
1993 name: servicerolebindings.rbac.istio.io
1995 "helm.sh/hook": crd-install
1998 package: istio.io.mixer
2001 group: rbac.istio.io
2003 kind: ServiceRoleBinding
2004 plural: servicerolebindings
2005 singular: servicerolebinding
2012 kind: CustomResourceDefinition
2013 apiVersion: apiextensions.k8s.io/v1beta1
2015 name: adapters.config.istio.io
2017 "helm.sh/hook": crd-install
2021 istio: mixer-adapter
2023 group: config.istio.io
2034 kind: CustomResourceDefinition
2035 apiVersion: apiextensions.k8s.io/v1beta1
2037 name: instances.config.istio.io
2039 "helm.sh/hook": crd-install
2043 istio: mixer-instance
2045 group: config.istio.io
2056 kind: CustomResourceDefinition
2057 apiVersion: apiextensions.k8s.io/v1beta1
2059 name: templates.config.istio.io
2061 "helm.sh/hook": crd-install
2065 istio: mixer-template
2067 group: config.istio.io
2078 kind: CustomResourceDefinition
2079 apiVersion: apiextensions.k8s.io/v1beta1
2081 name: handlers.config.istio.io
2083 "helm.sh/hook": crd-install
2087 istio: mixer-handler
2089 group: config.istio.io
2103 # Source: istio/charts/galley/templates/clusterrole.yaml
2104 apiVersion: rbac.authorization.k8s.io/v1beta1
2107 name: istio-galley-istio-system
2112 release: RELEASE-NAME
2114 - apiGroups: ["admissionregistration.k8s.io"]
2115 resources: ["validatingwebhookconfigurations"]
2117 - apiGroups: ["config.istio.io"] # istio mixer CRD watcher
2119 verbs: ["get", "list", "watch"]
2121 resources: ["deployments"]
2122 resourceNames: ["istio-galley"]
# ClusterRoles for the egress and ingress gateway service accounts; both carry the
# same single rule.
# NOTE(review): the rule names the "extensions" API group, while the Istio routing
# kinds elsewhere in this manifest live under networking.istio.io (pilot's
# ClusterRole, the Gateway resource). As written the rule presumably matches none
# of virtualservices/destinationrules/gateways - confirm the intended group.
# If the group is corrected, reconsider "update": a gateway proxy that can rewrite
# cluster-wide routing config is a larger blast radius than a read-only one.
2126 # Source: istio/charts/gateways/templates/clusterrole.yaml
2128 apiVersion: rbac.authorization.k8s.io/v1beta1
2133 chart: gateways-1.0.0
2135 release: RELEASE-NAME
2136 name: istio-egressgateway-istio-system
2138 - apiGroups: ["extensions"]
2139 resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
2140 verbs: ["get", "watch", "list", "update"]
2142 apiVersion: rbac.authorization.k8s.io/v1beta1
2147 chart: gateways-1.0.0
2149 release: RELEASE-NAME
2150 name: istio-ingressgateway-istio-system
2152 - apiGroups: ["extensions"]
2153 resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
2154 verbs: ["get", "watch", "list", "update"]
# ClusterRole for Mixer: create/patch on config.istio.io, read-only on everything
# else shown. The resources lines for the first two rules are not in this listing.
2158 # Source: istio/charts/mixer/templates/clusterrole.yaml
2159 apiVersion: rbac.authorization.k8s.io/v1beta1
2162 name: istio-mixer-istio-system
2167 release: RELEASE-NAME
2169 - apiGroups: ["config.istio.io"] # istio CRD watcher
2171 verbs: ["create", "get", "list", "watch", "patch"]
2172 - apiGroups: ["rbac.istio.io"] # istio RBAC watcher
2174 verbs: ["get", "list", "watch"]
2175 - apiGroups: ["apiextensions.k8s.io"]
2176 resources: ["customresourcedefinitions"]
2177 verbs: ["get", "list", "watch"]
# NOTE(review): "secrets" is in this read rule (apiGroups line omitted, presumably
# the core group). The role is attached through a ClusterRoleBinding, so get/list/
# watch returns the contents of every Secret in every namespace to
# istio-mixer-service-account. Confirm Mixer needs secrets at all; if it does,
# prefer a namespaced Role or resourceNames.
2179 resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
2180 verbs: ["get", "list", "watch"]
2181 - apiGroups: ["extensions"]
2182 resources: ["replicasets"]
2183 verbs: ["get", "list", "watch"]
2184 - apiGroups: ["apps"]
2185 resources: ["replicasets"]
2186 verbs: ["get", "list", "watch"]
# ClusterRole for Pilot. Several rules have their resources or verbs lines omitted
# from this listing, so only the visible grants are described here.
2189 # Source: istio/charts/pilot/templates/clusterrole.yaml
2190 apiVersion: rbac.authorization.k8s.io/v1beta1
2193 name: istio-pilot-istio-system
2198 release: RELEASE-NAME
2200 - apiGroups: ["config.istio.io"]
2203 - apiGroups: ["rbac.istio.io"]
2205 verbs: ["get", "watch", "list"]
2206 - apiGroups: ["networking.istio.io"]
2209 - apiGroups: ["authentication.istio.io"]
2212 - apiGroups: ["apiextensions.k8s.io"]
2213 resources: ["customresourcedefinitions"]
2215 - apiGroups: ["extensions"]
2216 resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"]
# Pilot may create and update ConfigMaps; no resourceNames restriction is visible.
2219 resources: ["configmaps"]
2220 verbs: ["create", "get", "list", "watch", "update"]
2222 resources: ["endpoints", "pods", "services"]
2223 verbs: ["get", "list", "watch"]
# NOTE(review): cluster-wide read of "secrets" (bound via ClusterRoleBinding).
# list/watch exposes every Secret's contents to istio-pilot-service-account;
# confirm the need and narrow by namespace or resourceNames where possible.
2225 resources: ["namespaces", "nodes", "secrets"]
2226 verbs: ["get", "list", "watch"]
# ClusterRole for Prometheus. The visible lines grant read verbs on resources this
# listing omits, plus access to the /metrics non-resource URL (its verbs line is
# also omitted).
2229 # Source: istio/charts/prometheus/templates/clusterrole.yaml
2230 apiVersion: rbac.authorization.k8s.io/v1beta1
2233 name: prometheus-istio-system
2242 verbs: ["get", "list", "watch"]
2247 - nonResourceURLs: ["/metrics"]
# ClusterRole for Citadel (the Istio CA).
2251 # Source: istio/charts/security/templates/clusterrole.yaml
2252 apiVersion: rbac.authorization.k8s.io/v1beta1
2255 name: istio-citadel-istio-system
2258 chart: security-1.0.0
2260 release: RELEASE-NAME
# NOTE(review): full create/read/update/delete on "secrets", attached through a
# ClusterRoleBinding, with no resourceNames line visible. Whoever controls
# istio-citadel-service-account can read, replace or delete any Secret in the
# cluster, so treat the Citadel pod and its token as highly privileged: keep it
# off shared nodes where feasible and alert on Secret writes by this account
# outside the istio.* naming pattern used by the workloads in this manifest.
2263 resources: ["secrets"]
2264 verbs: ["create", "get", "watch", "list", "update", "delete"]
2266 resources: ["serviceaccounts"]
2267 verbs: ["get", "watch", "list"]
2269 resources: ["services"]
2270 verbs: ["get", "watch", "list"]
# ClusterRole for the sidecar injector webhook: read ConfigMaps, and read/patch
# MutatingWebhookConfigurations.
2273 # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
2274 apiVersion: rbac.authorization.k8s.io/v1beta1
2277 name: istio-sidecar-injector-istio-system
2279 app: istio-sidecar-injector
2280 chart: sidecarInjectorWebhook-1.0.0
2282 release: RELEASE-NAME
2285 resources: ["configmaps"]
2286 verbs: ["get", "list", "watch"]
# NOTE(review): "patch" applies to every MutatingWebhookConfiguration in the
# cluster - no resourceNames line is visible. A patch can redirect a webhook or
# swap its CA bundle, so restrict this rule to the istio-sidecar-injector
# configuration if the injector only patches its own object (presumed; confirm).
2287 - apiGroups: ["admissionregistration.k8s.io"]
2288 resources: ["mutatingwebhookconfigurations"]
2289 verbs: ["get", "list", "watch", "patch"]
# ClusterRoleBindings that attach each component's ClusterRole to its
# ServiceAccount in istio-system. Because the bindings are cluster-scoped, every
# rule in the referenced role applies in all namespaces, not just istio-system.
# The roleRef kind lines are omitted from this listing.
2292 # Source: istio/charts/galley/templates/clusterrolebinding.yaml
2293 apiVersion: rbac.authorization.k8s.io/v1beta1
2294 kind: ClusterRoleBinding
2296 name: istio-galley-admin-role-binding-istio-system
2301 release: RELEASE-NAME
2303 apiGroup: rbac.authorization.k8s.io
2305 name: istio-galley-istio-system
2307 - kind: ServiceAccount
2308 name: istio-galley-service-account
2309 namespace: istio-system
2312 # Source: istio/charts/gateways/templates/clusterrolebindings.yaml
2314 apiVersion: rbac.authorization.k8s.io/v1beta1
2315 kind: ClusterRoleBinding
2317 name: istio-egressgateway-istio-system
2319 apiGroup: rbac.authorization.k8s.io
2321 name: istio-egressgateway-istio-system
2323 - kind: ServiceAccount
2324 name: istio-egressgateway-service-account
2325 namespace: istio-system
2327 apiVersion: rbac.authorization.k8s.io/v1beta1
2328 kind: ClusterRoleBinding
2330 name: istio-ingressgateway-istio-system
2332 apiGroup: rbac.authorization.k8s.io
2334 name: istio-ingressgateway-istio-system
2336 - kind: ServiceAccount
2337 name: istio-ingressgateway-service-account
2338 namespace: istio-system
# The mixer role bound here includes cluster-wide read of Secrets.
2342 # Source: istio/charts/mixer/templates/clusterrolebinding.yaml
2343 apiVersion: rbac.authorization.k8s.io/v1beta1
2344 kind: ClusterRoleBinding
2346 name: istio-mixer-admin-role-binding-istio-system
2351 release: RELEASE-NAME
2353 apiGroup: rbac.authorization.k8s.io
2355 name: istio-mixer-istio-system
2357 - kind: ServiceAccount
2358 name: istio-mixer-service-account
2359 namespace: istio-system
# The pilot role bound here includes cluster-wide read of Secrets.
2362 # Source: istio/charts/pilot/templates/clusterrolebinding.yaml
2363 apiVersion: rbac.authorization.k8s.io/v1beta1
2364 kind: ClusterRoleBinding
2366 name: istio-pilot-istio-system
2371 release: RELEASE-NAME
2373 apiGroup: rbac.authorization.k8s.io
2375 name: istio-pilot-istio-system
2377 - kind: ServiceAccount
2378 name: istio-pilot-service-account
2379 namespace: istio-system
# The subject's name line is omitted from this listing; the Prometheus Deployment
# in this manifest runs as serviceAccountName "prometheus".
2382 # Source: istio/charts/prometheus/templates/clusterrolebindings.yaml
2383 apiVersion: rbac.authorization.k8s.io/v1beta1
2384 kind: ClusterRoleBinding
2386 name: prometheus-istio-system
2388 apiGroup: rbac.authorization.k8s.io
2390 name: prometheus-istio-system
2392 - kind: ServiceAccount
2394 namespace: istio-system
# The citadel role bound here grants create/update/delete on Secrets cluster-wide.
2397 # Source: istio/charts/security/templates/clusterrolebinding.yaml
2398 apiVersion: rbac.authorization.k8s.io/v1beta1
2399 kind: ClusterRoleBinding
2401 name: istio-citadel-istio-system
2404 chart: security-1.0.0
2406 release: RELEASE-NAME
2408 apiGroup: rbac.authorization.k8s.io
2410 name: istio-citadel-istio-system
2412 - kind: ServiceAccount
2413 name: istio-citadel-service-account
2414 namespace: istio-system
2417 # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
2418 apiVersion: rbac.authorization.k8s.io/v1beta1
2419 kind: ClusterRoleBinding
2421 name: istio-sidecar-injector-admin-role-binding-istio-system
2423 app: istio-sidecar-injector
2424 chart: sidecarInjectorWebhook-1.0.0
2426 release: RELEASE-NAME
2428 apiGroup: rbac.authorization.k8s.io
2430 name: istio-sidecar-injector-istio-system
2432 - kind: ServiceAccount
2433 name: istio-sidecar-injector-service-account
2434 namespace: istio-system
# Service objects for galley, the two gateways, grafana and the two Mixer roles
# (policy and telemetry). Port numbers and Service types are on lines this listing
# omits; only port names and labels are visible.
2437 # Source: istio/charts/galley/templates/service.yaml
2442 namespace: istio-system
2448 name: https-validation
2450 name: http-monitoring
2455 # Source: istio/charts/gateways/templates/service.yaml
2460 name: istio-egressgateway
2461 namespace: istio-system
2464 chart: gateways-1.0.0
2465 release: RELEASE-NAME
2467 app: istio-egressgateway
2468 istio: egressgateway
2472 app: istio-egressgateway
2473 istio: egressgateway
2485 name: istio-ingressgateway
2486 namespace: istio-system
2489 chart: gateways-1.0.0
2490 release: RELEASE-NAME
2492 app: istio-ingressgateway
2493 istio: ingressgateway
2497 app: istio-ingressgateway
2498 istio: ingressgateway
# NOTE(review): the ingress gateway Service also lists ports named for pilot,
# citadel and prometheus. The Service type is not shown; if it is LoadBalancer or
# NodePort these control-plane and metrics ports are offered at the cluster edge.
# Remove the ones that are not needed and confirm what, if anything, routes to
# them.
2514 name: tcp-pilot-grpc-tls
2518 name: tcp-citadel-grpc-tls
2522 name: http2-prometheus
2532 # Source: istio/charts/grafana/templates/service.yaml
2537 namespace: istio-system
2541 chart: grafana-0.1.0
2542 release: RELEASE-NAME
2556 # Source: istio/charts/mixer/templates/service.yaml
2562 namespace: istio-system
2565 release: RELEASE-NAME
2571 - name: grpc-mixer-mtls
2573 - name: http-monitoring
2577 istio-mixer-type: policy
2582 name: istio-telemetry
2583 namespace: istio-system
2586 release: RELEASE-NAME
2592 - name: grpc-mixer-mtls
2594 - name: http-monitoring
2600 istio-mixer-type: telemetry
# Service and Deployment for the statsd-to-Prometheus bridge: a statsd-exporter
# container that reads its mapping from /etc/statsd/mapping.conf (config-volume).
2604 # Source: istio/charts/mixer/templates/statsdtoprom.yaml
2610 name: istio-statsd-prom-bridge
2611 namespace: istio-system
2614 release: RELEASE-NAME
2615 istio: statsd-prom-bridge
2624 istio: statsd-prom-bridge
2628 apiVersion: extensions/v1beta1
2631 name: istio-statsd-prom-bridge
2632 namespace: istio-system
2635 release: RELEASE-NAME
2641 istio: statsd-prom-bridge
2643 sidecar.istio.io/inject: "false"
# NOTE(review): the exporter runs as istio-mixer-service-account and therefore
# inherits Mixer's ClusterRole, which includes cluster-wide read of Secrets. The
# args shown here do not use the Kubernetes API; a dedicated service account with
# no role bindings would remove that exposure.
2645 serviceAccountName: istio-mixer-service-account
2647 - name: config-volume
2649 name: istio-statsd-prom-bridge
2651 - name: statsd-prom-bridge
# Third-party image referenced by mutable tag with IfNotPresent; pinning by digest
# makes the running bits verifiable.
2652 image: "docker.io/prom/statsd-exporter:v0.6.0"
2653 imagePullPolicy: IfNotPresent
2655 - containerPort: 9102
2656 - containerPort: 9125
2659 - '-statsd.mapping-config=/etc/statsd/mapping.conf'
2665 - name: config-volume
2666 mountPath: /etc/statsd
# Service objects for pilot, prometheus, citadel (security), servicegraph and the
# sidecar injector. Port numbers are on lines this listing omits.
2669 # Source: istio/charts/pilot/templates/service.yaml
2674 namespace: istio-system
2678 release: RELEASE-NAME
# The inline comments mark which pilot ports are plain ("direct") and which one is
# served with mTLS. Clients pointed at a "direct" port get no transport
# authentication from pilot itself.
2683 name: grpc-xds # direct
2685 name: https-xds # mTLS
2687 name: http-legacy-discovery # direct
2689 name: http-monitoring
2694 # Source: istio/charts/prometheus/templates/service.yaml
2699 namespace: istio-system
2701 prometheus.io/scrape: 'true'
2708 - name: http-prometheus
2713 # Source: istio/charts/security/templates/service.yaml
2717 # we use the normal name here (e.g. 'prometheus')
2718 # as grafana is configured to use this as a data source
2720 namespace: istio-system
2725 - name: grpc-citadel
2729 - name: http-monitoring
2735 # Source: istio/charts/servicegraph/templates/service.yaml
2740 namespace: istio-system
2744 chart: servicegraph-0.1.0
2745 release: RELEASE-NAME
2759 # Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml
2763 name: istio-sidecar-injector
2764 namespace: istio-system
2766 istio: sidecar-injector
2771 istio: sidecar-injector
# Galley Deployment: runs /usr/local/bin/galley with a TLS cert, key and root cert
# read from /etc/istio/certs and the webhook configuration read from
# /etc/istio/config. Volume names are omitted from this listing, so the pairing of
# those paths with the secret and ConfigMap named below is presumed.
# NOTE(review): extensions/v1beta1 Deployments are no longer served from
# Kubernetes 1.16 on; use apps/v1.
2774 # Source: istio/charts/galley/templates/deployment.yaml
2775 apiVersion: extensions/v1beta1
2779 namespace: istio-system
2783 release: RELEASE-NAME
2797 sidecar.istio.io/inject: "false"
2798 scheduler.alpha.kubernetes.io/critical-pod: ""
2800 serviceAccountName: istio-galley-service-account
# Image is referenced by tag, not digest, and is only pulled when absent.
2803 image: "gcr.io/istio-release/galley:1.0.0"
2804 imagePullPolicy: IfNotPresent
2806 - containerPort: 443
2807 - containerPort: 9093
2809 - /usr/local/bin/galley
2811 - --deployment-namespace=istio-system
2812 - --caCertFile=/etc/istio/certs/root-cert.pem
2813 - --tlsCertFile=/etc/istio/certs/cert-chain.pem
2814 - --tlsKeyFile=/etc/istio/certs/key.pem
2815 - --healthCheckInterval=2s
2816 - --healthCheckFile=/health
2817 - --webhook-config-file
2818 - /etc/istio/config/validatingwebhookconfiguration.yaml
2821 mountPath: /etc/istio/certs
2824 mountPath: /etc/istio/config
# Two exec probes follow, both invoking the galley binary against /health.
2829 - /usr/local/bin/galley
2831 - --probe-path=/health
2833 initialDelaySeconds: 4
2838 - /usr/local/bin/galley
2840 - --probe-path=/health
2842 initialDelaySeconds: 4
2851 secretName: istio.istio-galley-service-account
2854 name: istio-galley-configuration
2857 requiredDuringSchedulingIgnoredDuringExecution:
2860 - key: beta.kubernetes.io/arch
2866 preferredDuringSchedulingIgnoredDuringExecution:
2870 - key: beta.kubernetes.io/arch
2877 - key: beta.kubernetes.io/arch
2884 - key: beta.kubernetes.io/arch
# Deployments for the egress and ingress gateways. Both run the proxyv2 image with
# the same proxy arguments, and mount the workload certs (/etc/certs) plus
# optional gateway cert and CA-cert secrets.
2890 # Source: istio/charts/gateways/templates/deployment.yaml
2892 apiVersion: extensions/v1beta1
2895 name: istio-egressgateway
2896 namespace: istio-system
2899 chart: gateways-1.0.0
2900 release: RELEASE-NAME
2902 app: istio-egressgateway
2903 istio: egressgateway
2909 app: istio-egressgateway
2910 istio: egressgateway
2912 sidecar.istio.io/inject: "false"
2913 scheduler.alpha.kubernetes.io/critical-pod: ""
2915 serviceAccountName: istio-egressgateway-service-account
2917 - name: egressgateway
2918 image: "gcr.io/istio-release/proxyv2:1.0.0"
2919 imagePullPolicy: IfNotPresent
2922 - containerPort: 443
2928 - --discoveryRefreshDelay
2929 - '1s' #discoveryRefreshDelay
2931 - '45s' #drainDuration
2932 - --parentShutdownDuration
2933 - '1m0s' #parentShutdownDuration
2935 - '10s' #connectTimeout
2937 - istio-egressgateway
2940 - --statsdUdpAddress
2941 - istio-statsd-prom-bridge:9125
# NOTE(review): the --controlPlaneAuthPolicy value is on a line this listing
# omits, and --discoveryAddress targets pilot on 8080, one of pilot's own
# container ports rather than a port of its proxy sidecar. If the policy is not
# mutual TLS, discovery traffic between the gateway and pilot is neither
# encrypted nor authenticated - confirm the value. The same applies to the
# ingress gateway below.
2944 - --controlPlaneAuthPolicy
2946 - --discoveryAddress
2947 - istio-pilot.istio-system:8080
2957 fieldPath: metadata.name
2958 - name: POD_NAMESPACE
2962 fieldPath: metadata.namespace
2967 fieldPath: status.podIP
2968 - name: ISTIO_META_POD_NAME
2971 fieldPath: metadata.name
2974 mountPath: /etc/certs
2976 - name: egressgateway-certs
2977 mountPath: "/etc/istio/egressgateway-certs"
2979 - name: egressgateway-ca-certs
2980 mountPath: "/etc/istio/egressgateway-ca-certs"
2985 secretName: istio.istio-egressgateway-service-account
2987 - name: egressgateway-certs
2989 secretName: "istio-egressgateway-certs"
2991 - name: egressgateway-ca-certs
2993 secretName: "istio-egressgateway-ca-certs"
2997 requiredDuringSchedulingIgnoredDuringExecution:
3000 - key: beta.kubernetes.io/arch
3006 preferredDuringSchedulingIgnoredDuringExecution:
3010 - key: beta.kubernetes.io/arch
3017 - key: beta.kubernetes.io/arch
3024 - key: beta.kubernetes.io/arch
3029 apiVersion: extensions/v1beta1
3032 name: istio-ingressgateway
3033 namespace: istio-system
3036 chart: gateways-1.0.0
3037 release: RELEASE-NAME
3039 app: istio-ingressgateway
3040 istio: ingressgateway
3046 app: istio-ingressgateway
3047 istio: ingressgateway
3049 sidecar.istio.io/inject: "false"
3050 scheduler.alpha.kubernetes.io/critical-pod: ""
3052 serviceAccountName: istio-ingressgateway-service-account
3054 - name: ingressgateway
3055 image: "gcr.io/istio-release/proxyv2:1.0.0"
3056 imagePullPolicy: IfNotPresent
# The ingress gateway container declares more ports than 443; compare with the
# control-plane port names on its Service before exposing it externally.
3059 - containerPort: 443
3060 - containerPort: 31400
3061 - containerPort: 15011
3062 - containerPort: 8060
3063 - containerPort: 15030
3064 - containerPort: 15031
3070 - --discoveryRefreshDelay
3071 - '1s' #discoveryRefreshDelay
3073 - '45s' #drainDuration
3074 - --parentShutdownDuration
3075 - '1m0s' #parentShutdownDuration
3077 - '10s' #connectTimeout
3079 - istio-ingressgateway
3082 - --statsdUdpAddress
3083 - istio-statsd-prom-bridge:9125
3086 - --controlPlaneAuthPolicy
3088 - --discoveryAddress
3089 - istio-pilot.istio-system:8080
3099 fieldPath: metadata.name
3100 - name: POD_NAMESPACE
3104 fieldPath: metadata.namespace
3109 fieldPath: status.podIP
3110 - name: ISTIO_META_POD_NAME
3113 fieldPath: metadata.name
3116 mountPath: /etc/certs
3118 - name: ingressgateway-certs
3119 mountPath: "/etc/istio/ingressgateway-certs"
3121 - name: ingressgateway-ca-certs
3122 mountPath: "/etc/istio/ingressgateway-ca-certs"
3127 secretName: istio.istio-ingressgateway-service-account
3129 - name: ingressgateway-certs
3131 secretName: "istio-ingressgateway-certs"
3133 - name: ingressgateway-ca-certs
3135 secretName: "istio-ingressgateway-ca-certs"
3139 requiredDuringSchedulingIgnoredDuringExecution:
3142 - key: beta.kubernetes.io/arch
3148 preferredDuringSchedulingIgnoredDuringExecution:
3152 - key: beta.kubernetes.io/arch
3159 - key: beta.kubernetes.io/arch
3166 - key: beta.kubernetes.io/arch
# Grafana Deployment: one container on port 3000, data under /data/grafana.
# No serviceAccountName line is visible in this listing.
3173 # Source: istio/charts/grafana/templates/deployment.yaml
3174 apiVersion: extensions/v1beta1
3178 namespace: istio-system
3181 chart: grafana-0.1.0
3182 release: RELEASE-NAME
3191 sidecar.istio.io/inject: "false"
3192 scheduler.alpha.kubernetes.io/critical-pod: ""
3196 image: "gcr.io/istio-release/grafana:1.0.0"
3197 imagePullPolicy: IfNotPresent
3199 - containerPort: 3000
3205 - name: GRAFANA_PORT
# NOTE(review): the values of the three GF_AUTH_* variables are on lines this
# listing omits. If anonymous access is enabled and the anonymous org role is an
# editing or admin role, anyone who can reach port 3000 can change dashboards and
# data sources without logging in - confirm the values, and keep the Grafana
# Service cluster-internal or behind an authenticating proxy.
3207 - name: GF_AUTH_BASIC_ENABLED
3209 - name: GF_AUTH_ANONYMOUS_ENABLED
3211 - name: GF_AUTH_ANONYMOUS_ORG_ROLE
3213 - name: GF_PATHS_DATA
3214 value: /data/grafana
3221 mountPath: /data/grafana
3224 requiredDuringSchedulingIgnoredDuringExecution:
3227 - key: beta.kubernetes.io/arch
3233 preferredDuringSchedulingIgnoredDuringExecution:
3237 - key: beta.kubernetes.io/arch
3244 - key: beta.kubernetes.io/arch
3251 - key: beta.kubernetes.io/arch
# Mixer Deployments, one per role (istio-mixer-type: policy, then telemetry). Each
# pod pairs a mixer container with a proxyv2 container; mixer listens on a unix
# socket (unix:///sock/mixer.socket) and the proxy is started from an Envoy
# template file. Both Deployments share istio-mixer-service-account.
3260 # Source: istio/charts/mixer/templates/deployment.yaml
3262 apiVersion: extensions/v1beta1
3266 namespace: istio-system
3269 release: RELEASE-NAME
3278 istio-mixer-type: policy
3280 sidecar.istio.io/inject: "false"
3281 scheduler.alpha.kubernetes.io/critical-pod: ""
3283 serviceAccountName: istio-mixer-service-account
3287 secretName: istio.istio-mixer-service-account
3293 requiredDuringSchedulingIgnoredDuringExecution:
3296 - key: beta.kubernetes.io/arch
3302 preferredDuringSchedulingIgnoredDuringExecution:
3306 - key: beta.kubernetes.io/arch
3313 - key: beta.kubernetes.io/arch
3320 - key: beta.kubernetes.io/arch
3326 image: "gcr.io/istio-release/mixer:1.0.0"
3327 imagePullPolicy: IfNotPresent
3329 - containerPort: 9093
3330 - containerPort: 42422
3333 - unix:///sock/mixer.socket
3334 - --configStoreURL=k8s://
3335 - --configDefaultNamespace=istio-system
# Trace spans are sent to zipkin over plain http; span data can include request
# paths and header-derived values, so this relies on the network path to zipkin
# being trusted.
3336 - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
3348 initialDelaySeconds: 5
3351 image: "gcr.io/istio-release/proxyv2:1.0.0"
3352 imagePullPolicy: IfNotPresent
3354 - containerPort: 9091
3355 - containerPort: 15004
3361 - /etc/istio/proxy/envoy_policy.yaml.tmpl
# The --controlPlaneAuthPolicy value is on a line this listing omits.
3362 - --controlPlaneAuthPolicy
3369 fieldPath: metadata.name
3370 - name: POD_NAMESPACE
3374 fieldPath: metadata.namespace
3379 fieldPath: status.podIP
3386 mountPath: /etc/certs
3392 apiVersion: extensions/v1beta1
3395 name: istio-telemetry
3396 namespace: istio-system
3399 release: RELEASE-NAME
3408 istio-mixer-type: telemetry
3410 sidecar.istio.io/inject: "false"
3411 scheduler.alpha.kubernetes.io/critical-pod: ""
3413 serviceAccountName: istio-mixer-service-account
3417 secretName: istio.istio-mixer-service-account
3423 image: "gcr.io/istio-release/mixer:1.0.0"
3424 imagePullPolicy: IfNotPresent
3426 - containerPort: 9093
3427 - containerPort: 42422
3430 - unix:///sock/mixer.socket
3431 - --configStoreURL=k8s://
3432 - --configDefaultNamespace=istio-system
3433 - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
3445 initialDelaySeconds: 5
3448 image: "gcr.io/istio-release/proxyv2:1.0.0"
3449 imagePullPolicy: IfNotPresent
3451 - containerPort: 9091
3452 - containerPort: 15004
3458 - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
3459 - --controlPlaneAuthPolicy
3466 fieldPath: metadata.name
3467 - name: POD_NAMESPACE
3471 fieldPath: metadata.namespace
3476 fieldPath: status.podIP
3483 mountPath: /etc/certs
# Pilot Deployment: a pilot container (ports 8080 and 15010) plus a proxyv2
# container (ports 15003-15011) started from envoy_pilot.yaml.tmpl. Mesh config is
# mounted at /etc/istio/config and certs at /etc/certs.
3491 # Source: istio/charts/pilot/templates/deployment.yaml
3492 apiVersion: extensions/v1beta1
3496 namespace: istio-system
3497 # TODO: default template doesn't have this, which one is right ?
3501 release: RELEASE-NAME
# Checksum annotation over the config volume, rendered by the chart.
3505 checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9
3514 sidecar.istio.io/inject: "false"
3515 scheduler.alpha.kubernetes.io/critical-pod: ""
3517 serviceAccountName: istio-pilot-service-account
3520 image: "gcr.io/istio-release/pilot:1.0.0"
3521 imagePullPolicy: IfNotPresent
3525 - containerPort: 8080
3526 - containerPort: 15010
# NOTE(review): the probe targets a /debug path (its port line is omitted). That
# implies pilot serves debug handlers on a port the kubelet can reach without
# client credentials; confirm which port it is and that NetworkPolicy or Service
# exposure keeps /debug/* away from ordinary workloads.
3529 path: /debug/endpointz
3531 initialDelaySeconds: 30
3539 fieldPath: metadata.name
3540 - name: POD_NAMESPACE
3544 fieldPath: metadata.namespace
3545 - name: PILOT_THROTTLE
3547 - name: PILOT_CACHE_SQUASH
3549 - name: PILOT_TRACE_SAMPLING
3557 - name: config-volume
3558 mountPath: /etc/istio/config
3560 mountPath: /etc/certs
3563 image: "gcr.io/istio-release/proxyv2:1.0.0"
3564 imagePullPolicy: IfNotPresent
3566 - containerPort: 15003
3567 - containerPort: 15005
3568 - containerPort: 15007
3569 - containerPort: 15011
3575 - /etc/istio/proxy/envoy_pilot.yaml.tmpl
# The --controlPlaneAuthPolicy value is on a line this listing omits.
3576 - --controlPlaneAuthPolicy
3583 fieldPath: metadata.name
3584 - name: POD_NAMESPACE
3588 fieldPath: metadata.namespace
3593 fieldPath: status.podIP
3600 mountPath: /etc/certs
3603 - name: config-volume
3608 secretName: istio.istio-pilot-service-account
3611 requiredDuringSchedulingIgnoredDuringExecution:
3614 - key: beta.kubernetes.io/arch
3620 preferredDuringSchedulingIgnoredDuringExecution:
3624 - key: beta.kubernetes.io/arch
3631 - key: beta.kubernetes.io/arch
3638 - key: beta.kubernetes.io/arch
# Prometheus Deployment: runs as service account "prometheus", keeps 6h of TSDB
# data and reads /etc/prometheus/prometheus.yml from config-volume.
3644 # Source: istio/charts/prometheus/templates/deployment.yaml
3645 # TODO: the original template has service account, roles, etc
3646 apiVersion: extensions/v1beta1
3650 namespace: istio-system
3653 chart: prometheus-0.1.0
3654 release: RELEASE-NAME
3666 sidecar.istio.io/inject: "false"
3667 scheduler.alpha.kubernetes.io/critical-pod: ""
3669 serviceAccountName: prometheus
# Third-party image referenced by mutable tag with IfNotPresent; pin by digest
# where the registry is not under your control.
3672 image: "docker.io/prom/prometheus:v2.3.1"
3673 imagePullPolicy: IfNotPresent
3675 - '--storage.tsdb.retention=6h'
3676 - '--config.file=/etc/prometheus/prometheus.yml'
3678 - containerPort: 9090
3693 - name: config-volume
3694 mountPath: /etc/prometheus
3696 - name: config-volume
3701 requiredDuringSchedulingIgnoredDuringExecution:
3704 - key: beta.kubernetes.io/arch
3710 preferredDuringSchedulingIgnoredDuringExecution:
3714 - key: beta.kubernetes.io/arch
3721 - key: beta.kubernetes.io/arch
3728 - key: beta.kubernetes.io/arch
# Citadel Deployment: the mesh certificate authority, watching all namespaces.
3734 # Source: istio/charts/security/templates/deployment.yaml
3735 # istio CA watching all namespaces
3736 apiVersion: extensions/v1beta1
3740 namespace: istio-system
3743 chart: security-1.0.0
3744 release: RELEASE-NAME
3754 sidecar.istio.io/inject: "false"
3755 scheduler.alpha.kubernetes.io/critical-pod: ""
3757 serviceAccountName: istio-citadel-service-account
3760 image: "gcr.io/istio-release/citadel:1.0.0"
3761 imagePullPolicy: IfNotPresent
3763 - --append-dns-names=true
3765 - --grpc-hostname=citadel
# NOTE(review): with --self-signed-ca=true Citadel creates its own root instead of
# chaining to an organisational CA, and --citadel-storage-namespace points its
# storage at istio-system (presumably as a Secret - confirm). In this manifest the
# mixer and pilot ClusterRoles can read Secrets cluster-wide, so they could read
# that CA material too; narrow those roles and consider supplying an external
# root for production.
3766 - --citadel-storage-namespace=istio-system
3767 - --self-signed-ca=true
3774 requiredDuringSchedulingIgnoredDuringExecution:
3777 - key: beta.kubernetes.io/arch
3783 preferredDuringSchedulingIgnoredDuringExecution:
3787 - key: beta.kubernetes.io/arch
3794 - key: beta.kubernetes.io/arch
3801 - key: beta.kubernetes.io/arch
# Servicegraph Deployment: one container on port 8088 that queries Prometheus over
# plain http at prometheus:9090. No serviceAccountName line is visible in this
# listing.
3807 # Source: istio/charts/servicegraph/templates/deployment.yaml
3808 apiVersion: extensions/v1beta1
3812 namespace: istio-system
3815 chart: servicegraph-0.1.0
3816 release: RELEASE-NAME
3825 sidecar.istio.io/inject: "false"
3826 scheduler.alpha.kubernetes.io/critical-pod: ""
3829 - name: servicegraph
3830 image: "gcr.io/istio-release/servicegraph:1.0.0"
3831 imagePullPolicy: IfNotPresent
3833 - containerPort: 8088
3835 - --prometheusAddr=http://prometheus:9090
3850 requiredDuringSchedulingIgnoredDuringExecution:
3853 - key: beta.kubernetes.io/arch
3859 preferredDuringSchedulingIgnoredDuringExecution:
3863 - key: beta.kubernetes.io/arch
3870 - key: beta.kubernetes.io/arch
3877 - key: beta.kubernetes.io/arch
# Sidecar injector Deployment: the admission webhook server. It serves TLS with
# the cert and key under /etc/istio/certs and reads the injection template from
# /etc/istio/inject/config and mesh config from /etc/istio/config/mesh.
3883 # Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
3884 apiVersion: extensions/v1beta1
3887 name: istio-sidecar-injector
3888 namespace: istio-system
3890 app: sidecarInjectorWebhook
3891 chart: sidecarInjectorWebhook-1.0.0
3892 release: RELEASE-NAME
3894 istio: sidecar-injector
3900 istio: sidecar-injector
3902 sidecar.istio.io/inject: "false"
3903 scheduler.alpha.kubernetes.io/critical-pod: ""
3905 serviceAccountName: istio-sidecar-injector-service-account
3907 - name: sidecar-injector-webhook
3908 image: "gcr.io/istio-release/sidecar_injector:1.0.0"
3909 imagePullPolicy: IfNotPresent
3911 - --caCertFile=/etc/istio/certs/root-cert.pem
3912 - --tlsCertFile=/etc/istio/certs/cert-chain.pem
3913 - --tlsKeyFile=/etc/istio/certs/key.pem
# The inject config decides what is added to every pod admitted in labelled
# namespaces, so write access to the istio-sidecar-injector ConfigMap mounted
# below is equivalent to control over those pods' specs.
3914 - --injectConfig=/etc/istio/inject/config
3915 - --meshConfig=/etc/istio/config/mesh
3916 - --healthCheckInterval=2s
3917 - --healthCheckFile=/health
3919 - name: config-volume
3920 mountPath: /etc/istio/config
3923 mountPath: /etc/istio/certs
3925 - name: inject-config
3926 mountPath: /etc/istio/inject
# Two exec probes follow, both invoking the injector binary against /health.
3931 - /usr/local/bin/sidecar-injector
3933 - --probe-path=/health
3935 initialDelaySeconds: 4
3940 - /usr/local/bin/sidecar-injector
3942 - --probe-path=/health
3944 initialDelaySeconds: 4
3951 - name: config-volume
3956 secretName: istio.istio-sidecar-injector-service-account
3957 - name: inject-config
3959 name: istio-sidecar-injector
3965 requiredDuringSchedulingIgnoredDuringExecution:
3968 - key: beta.kubernetes.io/arch
3974 preferredDuringSchedulingIgnoredDuringExecution:
3978 - key: beta.kubernetes.io/arch
3985 - key: beta.kubernetes.io/arch
3992 - key: beta.kubernetes.io/arch
# Tracing Deployment: a single Jaeger "all-in-one" container. The MEMORY_MAX_TRACES
# variable suggests in-memory trace storage (its value is omitted here - confirm).
# No serviceAccountName line is visible in this listing.
3998 # Source: istio/charts/tracing/templates/deployment.yaml
3999 apiVersion: extensions/v1beta1
4003 namespace: istio-system
4006 chart: tracing-0.1.0
4007 release: RELEASE-NAME
4016 sidecar.istio.io/inject: "false"
4017 scheduler.alpha.kubernetes.io/critical-pod: ""
# Third-party image referenced by a floating minor tag with IfNotPresent; pin by
# digest so a re-pushed tag cannot change what runs.
4021 image: "docker.io/jaegertracing/all-in-one:1.5"
4022 imagePullPolicy: IfNotPresent
# Collector, query UI and agent ports are all declared on this one container; the
# protocol lines are omitted from this listing.
4024 - containerPort: 9411
4025 - containerPort: 16686
4026 - containerPort: 5775
4028 - containerPort: 6831
4030 - containerPort: 6832
4033 - name: POD_NAMESPACE
4037 fieldPath: metadata.namespace
4038 - name: COLLECTOR_ZIPKIN_HTTP_PORT
4040 - name: MEMORY_MAX_TRACES
4056 requiredDuringSchedulingIgnoredDuringExecution:
4059 - key: beta.kubernetes.io/arch
4065 preferredDuringSchedulingIgnoredDuringExecution:
4069 - key: beta.kubernetes.io/arch
4076 - key: beta.kubernetes.io/arch
4083 - key: beta.kubernetes.io/arch
# networking.istio.io/v1alpha3 resource named istio-autogenerated-k8s-ingress in
# istio-system (presumably a Gateway, per the template path). Its selector and
# servers are on lines this listing omits, so the exposed hosts and ports cannot
# be reviewed from here.
4089 # Source: istio/charts/pilot/templates/gateway.yaml
4090 apiVersion: networking.istio.io/v1alpha3
4093 name: istio-autogenerated-k8s-ingress
4094 namespace: istio-system
# HorizontalPodAutoscalers for the gateways, the two Mixer roles and pilot, each
# scaling on an average-utilization target (60, 80 and 55 respectively). Replica
# bounds and the metric name are on lines this listing omits.
# NOTE(review): autoscaling/v2beta1 is no longer served from Kubernetes 1.25 on,
# and the apps/v1beta1 scale target from 1.16 on; use autoscaling/v2 and apps/v1.
4109 # Source: istio/charts/gateways/templates/autoscale.yaml
4111 apiVersion: autoscaling/v2beta1
4112 kind: HorizontalPodAutoscaler
4114 name: istio-egressgateway
4115 namespace: istio-system
4120 apiVersion: apps/v1beta1
4122 name: istio-egressgateway
4127 targetAverageUtilization: 60
4129 apiVersion: autoscaling/v2beta1
4130 kind: HorizontalPodAutoscaler
4132 name: istio-ingressgateway
4133 namespace: istio-system
4138 apiVersion: apps/v1beta1
4140 name: istio-ingressgateway
4145 targetAverageUtilization: 60
4149 # Source: istio/charts/mixer/templates/autoscale.yaml
4151 apiVersion: autoscaling/v2beta1
4152 kind: HorizontalPodAutoscaler
4155 namespace: istio-system
4160 apiVersion: apps/v1beta1
4167 targetAverageUtilization: 80
4169 apiVersion: autoscaling/v2beta1
4170 kind: HorizontalPodAutoscaler
4172 name: istio-telemetry
4173 namespace: istio-system
4178 apiVersion: apps/v1beta1
4180 name: istio-telemetry
4185 targetAverageUtilization: 80
4189 # Source: istio/charts/pilot/templates/autoscale.yaml
4191 apiVersion: autoscaling/v2beta1
4192 kind: HorizontalPodAutoscaler
4199 apiVersion: apps/v1beta1
4206 targetAverageUtilization: 55
# Services for the tracing stack: Jaeger query, collector and agent (labelled by
# jaeger-infra), followed by two further Services from tracing/templates/service.yaml
# whose names are omitted from this listing. Port numbers and Service types are
# not shown either; keep the collector and agent ports cluster-internal unless
# spans must be accepted from outside.
4210 # Source: istio/charts/tracing/templates/service-jaeger.yaml
4220 namespace: istio-system
4224 jaeger-infra: jaeger-service
4225 chart: tracing-0.1.0
4226 release: RELEASE-NAME
4241 name: jaeger-collector
4242 namespace: istio-system
4245 jaeger-infra: collector-service
4246 chart: tracing-0.1.0
4247 release: RELEASE-NAME
4251 - name: jaeger-collector-tchannel
4255 - name: jaeger-collector-http
4266 namespace: istio-system
4269 jaeger-infra: agent-service
4270 chart: tracing-0.1.0
4271 release: RELEASE-NAME
4275 - name: agent-zipkin-thrift
4279 - name: agent-compact
4283 - name: agent-binary
4294 # Source: istio/charts/tracing/templates/service.yaml
4302 namespace: istio-system
4305 chart: tracing-0.1.0
4306 release: RELEASE-NAME
4322 namespace: istio-system
4326 chart: tracing-0.1.0
4327 release: RELEASE-NAME
# MutatingWebhookConfiguration that sends pod CREATE requests to the
# istio-sidecar-injector Service in istio-system, limited to namespaces labelled
# istio-injection: enabled.
# NOTE(review): admissionregistration.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22 on; use admissionregistration.k8s.io/v1.
# NOTE(review): the failurePolicy and caBundle lines are omitted from this
# listing. With Fail, an unavailable injector blocks pod creation in labelled
# namespaces; with Ignore, pods start without a sidecar and so outside mesh mTLS
# and policy. Confirm which is set and that it matches the intended posture.
4339 # Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
4340 apiVersion: admissionregistration.k8s.io/v1beta1
4341 kind: MutatingWebhookConfiguration
4343 name: istio-sidecar-injector
4344 namespace: istio-system
4346 app: istio-sidecar-injector
4347 chart: sidecarInjectorWebhook-1.0.0
4348 release: RELEASE-NAME
4351 - name: sidecar-injector.istio.io
4354 name: istio-sidecar-injector
4355 namespace: istio-system
4359 - operations: [ "CREATE" ]
# Injection is opt-in per namespace: anyone who can label a namespace decides
# whether its pods join the mesh.
4366 istio-injection: enabled
4370 # Source: istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl
4374 # Source: istio/charts/grafana/templates/grafana-ports-mtls.yaml
4378 # Source: istio/charts/grafana/templates/secret.yaml
4381 # Source: istio/charts/pilot/templates/meshexpansion.yaml
4385 # Source: istio/charts/security/templates/create-custom-resources-job.yaml
4389 # Source: istio/charts/security/templates/enable-mesh-mtls.yaml
4393 # Source: istio/charts/security/templates/meshexpansion.yaml
4399 # Source: istio/charts/servicegraph/templates/ingress.yaml
4402 # Source: istio/charts/telemetry-gateway/templates/gateway.yaml
4406 # Source: istio/charts/tracing/templates/ingress-jaeger.yaml
4409 # Source: istio/charts/tracing/templates/ingress.yaml
4412 # Source: istio/templates/install-custom-resources.sh.tpl
# Mixer configuration. Two attributemanifest resources declare the attribute names
# and value types that Mixer expressions may reference; most valueType lines and
# many attribute names are omitted from this listing. A further config.istio.io
# resource follows at the end whose kind and name are not shown.
4416 # Source: istio/charts/mixer/templates/config.yaml
4417 apiVersion: "config.istio.io/v1alpha2"
4418 kind: attributemanifest
4421 namespace: istio-system
4425 valueType: IP_ADDRESS
4431 valueType: STRING_MAP
4451 valueType: TIMESTAMP
4459 valueType: STRING_MAP
4460 response.total_size:
4465 valueType: TIMESTAMP
4468 source.user: # DEPRECATED
4474 destination.principal:
4482 connection.received.bytes:
4484 connection.received.bytes_total:
4486 connection.sent.bytes:
4488 connection.sent.bytes_total:
4490 connection.duration:
4497 valueType: TIMESTAMP
4499 valueType: TIMESTAMP
4500 # Deprecated, kept for compatibility
4501 context.reporter.local:
4503 context.reporter.kind:
4505 context.reporter.uid:
# request.auth.* attributes presumably carry authenticated-request data (principal,
# audiences, claims); any instance that copies them into logs or metrics moves
# identity data into that sink.
4515 request.auth.principal:
4517 request.auth.audiences:
4519 request.auth.presenter:
4521 request.auth.claims:
4522 valueType: STRING_MAP
4523 request.auth.raw_claims:
4529 apiVersion: "config.istio.io/v1alpha2"
4530 kind: attributemanifest
4533 namespace: istio-system
4537 valueType: IP_ADDRESS
4539 valueType: STRING_MAP
4541 valueType: STRING_MAP
4548 source.service: # DEPRECATED
4550 source.serviceAccount:
4554 source.workload.uid:
4556 source.workload.name:
4558 source.workload.namespace:
4561 valueType: IP_ADDRESS
4563 valueType: STRING_MAP
4564 destination.metadata:
4565 valueType: STRING_MAP
4570 destination.container.name:
4572 destination.namespace:
4574 destination.service: # DEPRECATED
4576 destination.service.uid:
4578 destination.service.name:
4580 destination.service.namespace:
4582 destination.service.host:
4584 destination.serviceAccount:
4586 destination.workload.uid:
4588 destination.workload.name:
4590 destination.workload.namespace:
4593 apiVersion: "config.istio.io/v1alpha2"
4597 namespace: istio-system
# Log-entry instance for HTTP/gRPC requests (kind and name lines are omitted;
# presumably the "accesslog" logentry that the stdio rule in this file references).
# Each key is a log field and each value a Mixer expression; "a | b" falls back to
# b when a is absent.
4601 apiVersion: "config.istio.io/v1alpha2"
4605 namespace: istio-system
4608 timestamp: request.time
4610 sourceIp: source.ip | ip("0.0.0.0")
4611 sourceApp: source.labels["app"] | ""
4612 sourcePrincipal: source.principal | ""
4613 sourceName: source.name | ""
4614 sourceWorkload: source.workload.name | ""
4615 sourceNamespace: source.namespace | ""
4616 sourceOwner: source.owner | ""
4617 destinationApp: destination.labels["app"] | ""
4618 destinationIp: destination.ip | ip("0.0.0.0")
4619 destinationServiceHost: destination.service.host | ""
4620 destinationWorkload: destination.workload.name | ""
4621 destinationName: destination.name | ""
4622 destinationNamespace: destination.namespace | ""
4623 destinationOwner: destination.owner | ""
4624 destinationPrincipal: destination.principal | ""
# NOTE(review): apiClaims copies request.auth.raw_claims and apiKey copies
# request.api_key or the x-api-key request header into every log entry. Since a
# rule in this file routes accesslog.logentry to handler.stdio, those values end
# up in Mixer's stdout and in whatever collects it. Either treat that log stream
# as credential-bearing (access control, retention, redaction downstream) or
# replace these two expressions with a constant or a presence indicator.
4625 apiClaims: request.auth.raw_claims | ""
4626 apiKey: request.api_key | request.headers["x-api-key"] | ""
4627 protocol: request.scheme | context.protocol | "http"
4628 method: request.method | ""
4629 url: request.path | ""
4630 responseCode: response.code | 0
4631 responseSize: response.size | 0
4632 requestSize: request.size | 0
4633 requestId: request.headers["x-request-id"] | ""
4634 clientTraceId: request.headers["x-client-trace-id"] | ""
4635 latency: response.duration | "0ms"
# Reports "unknown" for outbound reporters, otherwise "mutual_tls" or "none" from
# connection.mtls; useful for spotting plaintext inbound traffic in the logs.
4636 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
# userAgent, referer, httpAuthority and xForwardedFor come from request headers,
# i.e. caller-supplied values; log consumers should not trust or render them
# unescaped.
4637 userAgent: request.useragent | ""
4638 responseTimestamp: response.time
4639 receivedBytes: request.total_size | 0
4640 sentBytes: response.total_size | 0
4641 referer: request.referer | ""
4642 httpAuthority: request.headers[":authority"] | request.host | ""
4643 xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
4644 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
4645 monitored_resource_type: '"global"'
# Log-entry instance for TCP connections (kind and name lines are omitted;
# presumably the "tcpaccesslog" logentry that the stdio rule in this file
# references). It records connection metadata only - no header-derived fields.
4647 apiVersion: "config.istio.io/v1alpha2"
4651 namespace: istio-system
# Falls back to a fixed 2017-01-01 timestamp when context.time is absent, so such
# entries will sort far out of order in log tooling.
4654 timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
4656 connectionEvent: connection.event | ""
4657 sourceIp: source.ip | ip("0.0.0.0")
4658 sourceApp: source.labels["app"] | ""
4659 sourcePrincipal: source.principal | ""
4660 sourceName: source.name | ""
4661 sourceWorkload: source.workload.name | ""
4662 sourceNamespace: source.namespace | ""
4663 sourceOwner: source.owner | ""
4664 destinationApp: destination.labels["app"] | ""
4665 destinationIp: destination.ip | ip("0.0.0.0")
4666 destinationServiceHost: destination.service.host | ""
4667 destinationWorkload: destination.workload.name | ""
4668 destinationName: destination.name | ""
4669 destinationNamespace: destination.namespace | ""
4670 destinationOwner: destination.owner | ""
4671 destinationPrincipal: destination.principal | ""
4672 protocol: context.protocol | "tcp"
4673 connectionDuration: connection.duration | "0ms"
# Reports "unknown" for outbound reporters, otherwise "mutual_tls" or "none" from
# connection.mtls.
4674 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4675 receivedBytes: connection.received.bytes | 0
4676 sentBytes: connection.sent.bytes | 0
4677 totalReceivedBytes: connection.received.bytes_total | 0
4678 totalSentBytes: connection.sent.bytes_total | 0
4679 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
4680 monitored_resource_type: '"global"'
# Sends the accesslog.logentry instance to handler.stdio for requests whose
# context.protocol is "http" or "grpc". The name/kind lines are not in this listing.
# NOTE(review): the accesslog field list above includes apiKey and apiClaims,
# so whatever collects this handler's output should be access-controlled - confirm.
4682 apiVersion: "config.istio.io/v1alpha2"
4686 namespace: istio-system
4688 match: context.protocol == "http" || context.protocol == "grpc"
4690 - handler: handler.stdio
4692 - accesslog.logentry
# Sends the tcpaccesslog.logentry instance to handler.stdio for traffic whose
# context.protocol is "tcp". The name/kind lines are not in this listing.
4694 apiVersion: "config.istio.io/v1alpha2"
4698 namespace: istio-system
4700 match: context.protocol == "tcp"
4702 - handler: handler.stdio
4704 - tcpaccesslog.logentry
# Label mapping for a request-level metric; presumably the requestcount metric
# that the prometheus handler below exports as requests_total (the name and
# value lines are not in this listing - confirm).
4706 apiVersion: "config.istio.io/v1alpha2"
4710 namespace: istio-system
# A missing reporter kind is treated as "inbound", i.e. reported as "destination".
4714 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
# Every label falls back to "unknown" when its attribute is absent.
4715 source_workload: source.workload.name | "unknown"
4716 source_workload_namespace: source.workload.namespace | "unknown"
4717 source_principal: source.principal | "unknown"
4718 source_app: source.labels["app"] | "unknown"
4719 source_version: source.labels["version"] | "unknown"
4720 destination_workload: destination.workload.name | "unknown"
4721 destination_workload_namespace: destination.workload.namespace | "unknown"
4722 destination_principal: destination.principal | "unknown"
4723 destination_app: destination.labels["app"] | "unknown"
4724 destination_version: destination.labels["version"] | "unknown"
4725 destination_service: destination.service.host | "unknown"
4726 destination_service_name: destination.service.name | "unknown"
4727 destination_service_namespace: destination.service.namespace | "unknown"
4728 request_protocol: api.protocol | context.protocol | "unknown"
# NOTE(review): a missing response.code is recorded as 200, so a report without
# a status is indistinguishable from a success in this label - confirm intended.
4729 response_code: response.code | 200
# "unknown" for outbound reports; otherwise "mutual_tls" if connection.mtls is
# true, else "none" ("none" also covers a missing connection.mtls attribute).
4730 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4731 monitored_resource_type: '"UNSPECIFIED"'
# requestduration: records response.duration with the standard label set.
# The kind/metadata/spec lines between the numbered lines are not in this listing.
4733 apiVersion: "config.istio.io/v1alpha2"
4736 name: requestduration
4737 namespace: istio-system
# Falls back to "0ms" when response.duration is absent.
4739 value: response.duration | "0ms"
# A missing reporter kind is treated as "inbound", i.e. reported as "destination".
4741 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
# Every label falls back to "unknown" when its attribute is absent.
4742 source_workload: source.workload.name | "unknown"
4743 source_workload_namespace: source.workload.namespace | "unknown"
4744 source_principal: source.principal | "unknown"
4745 source_app: source.labels["app"] | "unknown"
4746 source_version: source.labels["version"] | "unknown"
4747 destination_workload: destination.workload.name | "unknown"
4748 destination_workload_namespace: destination.workload.namespace | "unknown"
4749 destination_principal: destination.principal | "unknown"
4750 destination_app: destination.labels["app"] | "unknown"
4751 destination_version: destination.labels["version"] | "unknown"
4752 destination_service: destination.service.host | "unknown"
4753 destination_service_name: destination.service.name | "unknown"
4754 destination_service_namespace: destination.service.namespace | "unknown"
4755 request_protocol: api.protocol | context.protocol | "unknown"
# NOTE(review): a missing response.code is recorded as 200 - confirm intended.
4756 response_code: response.code | 200
# "unknown" for outbound reports; otherwise "mutual_tls" if connection.mtls is
# true, else "none" ("none" also covers a missing connection.mtls attribute).
4757 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4758 monitored_resource_type: '"UNSPECIFIED"'
# Records request.size with the standard label set; presumably the requestsize
# metric exported below as request_bytes (name line not in this listing - confirm).
4760 apiVersion: "config.istio.io/v1alpha2"
4764 namespace: istio-system
# Falls back to 0 when request.size is absent.
4766 value: request.size | 0
# A missing reporter kind is treated as "inbound", i.e. reported as "destination".
4768 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
# Every label falls back to "unknown" when its attribute is absent.
4769 source_workload: source.workload.name | "unknown"
4770 source_workload_namespace: source.workload.namespace | "unknown"
4771 source_principal: source.principal | "unknown"
4772 source_app: source.labels["app"] | "unknown"
4773 source_version: source.labels["version"] | "unknown"
4774 destination_workload: destination.workload.name | "unknown"
4775 destination_workload_namespace: destination.workload.namespace | "unknown"
4776 destination_principal: destination.principal | "unknown"
4777 destination_app: destination.labels["app"] | "unknown"
4778 destination_version: destination.labels["version"] | "unknown"
4779 destination_service: destination.service.host | "unknown"
4780 destination_service_name: destination.service.name | "unknown"
4781 destination_service_namespace: destination.service.namespace | "unknown"
4782 request_protocol: api.protocol | context.protocol | "unknown"
# NOTE(review): a missing response.code is recorded as 200 - confirm intended.
4783 response_code: response.code | 200
# "unknown" for outbound reports; otherwise "mutual_tls" if connection.mtls is
# true, else "none" ("none" also covers a missing connection.mtls attribute).
4784 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4785 monitored_resource_type: '"UNSPECIFIED"'
# Records response.size with the standard label set; presumably the responsesize
# metric exported below as response_bytes (name line not in this listing - confirm).
4787 apiVersion: "config.istio.io/v1alpha2"
4791 namespace: istio-system
# Falls back to 0 when response.size is absent.
4793 value: response.size | 0
# A missing reporter kind is treated as "inbound", i.e. reported as "destination".
4795 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
# Every label falls back to "unknown" when its attribute is absent.
4796 source_workload: source.workload.name | "unknown"
4797 source_workload_namespace: source.workload.namespace | "unknown"
4798 source_principal: source.principal | "unknown"
4799 source_app: source.labels["app"] | "unknown"
4800 source_version: source.labels["version"] | "unknown"
4801 destination_workload: destination.workload.name | "unknown"
4802 destination_workload_namespace: destination.workload.namespace | "unknown"
4803 destination_principal: destination.principal | "unknown"
4804 destination_app: destination.labels["app"] | "unknown"
4805 destination_version: destination.labels["version"] | "unknown"
4806 destination_service: destination.service.host | "unknown"
4807 destination_service_name: destination.service.name | "unknown"
4808 destination_service_namespace: destination.service.namespace | "unknown"
4809 request_protocol: api.protocol | context.protocol | "unknown"
# NOTE(review): a missing response.code is recorded as 200 - confirm intended.
4810 response_code: response.code | 200
# "unknown" for outbound reports; otherwise "mutual_tls" if connection.mtls is
# true, else "none" ("none" also covers a missing connection.mtls attribute).
4811 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4812 monitored_resource_type: '"UNSPECIFIED"'
# Records connection.sent.bytes for TCP traffic; presumably the tcpbytesent
# metric exported below as tcp_sent_bytes_total (name line not in this listing).
4814 apiVersion: "config.istio.io/v1alpha2"
4818 namespace: istio-system
# Falls back to 0 when connection.sent.bytes is absent.
4820 value: connection.sent.bytes | 0
# A missing reporter kind is treated as "inbound", i.e. reported as "destination".
4822 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
# Every label falls back to "unknown" when its attribute is absent.
4823 source_workload: source.workload.name | "unknown"
4824 source_workload_namespace: source.workload.namespace | "unknown"
4825 source_principal: source.principal | "unknown"
4826 source_app: source.labels["app"] | "unknown"
4827 source_version: source.labels["version"] | "unknown"
4828 destination_workload: destination.workload.name | "unknown"
4829 destination_workload_namespace: destination.workload.namespace | "unknown"
4830 destination_principal: destination.principal | "unknown"
4831 destination_app: destination.labels["app"] | "unknown"
4832 destination_version: destination.labels["version"] | "unknown"
# NOTE(review): the HTTP metrics in this file map destination_service to
# destination.service.host; here it uses destination.service.name, which makes
# it identical to destination_service_name on the next line - confirm intended.
4833 destination_service: destination.service.name | "unknown"
4834 destination_service_name: destination.service.name | "unknown"
4835 destination_service_namespace: destination.service.namespace | "unknown"
# "unknown" for outbound reports; otherwise "mutual_tls" if connection.mtls is
# true, else "none" ("none" also covers a missing connection.mtls attribute).
4836 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4837 monitored_resource_type: '"UNSPECIFIED"'
# tcpbytereceived: records connection.received.bytes for TCP traffic.
# The kind/metadata/spec lines between the numbered lines are not in this listing.
4839 apiVersion: "config.istio.io/v1alpha2"
4842 name: tcpbytereceived
4843 namespace: istio-system
# Falls back to 0 when connection.received.bytes is absent.
4845 value: connection.received.bytes | 0
# A missing reporter kind is treated as "inbound", i.e. reported as "destination".
4847 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
# Every label falls back to "unknown" when its attribute is absent.
4848 source_workload: source.workload.name | "unknown"
4849 source_workload_namespace: source.workload.namespace | "unknown"
4850 source_principal: source.principal | "unknown"
4851 source_app: source.labels["app"] | "unknown"
4852 source_version: source.labels["version"] | "unknown"
4853 destination_workload: destination.workload.name | "unknown"
4854 destination_workload_namespace: destination.workload.namespace | "unknown"
4855 destination_principal: destination.principal | "unknown"
4856 destination_app: destination.labels["app"] | "unknown"
4857 destination_version: destination.labels["version"] | "unknown"
# NOTE(review): the HTTP metrics in this file map destination_service to
# destination.service.host; here it uses destination.service.name, which makes
# it identical to destination_service_name on the next line - confirm intended.
4858 destination_service: destination.service.name | "unknown"
4859 destination_service_name: destination.service.name | "unknown"
4860 destination_service_namespace: destination.service.namespace | "unknown"
# "unknown" for outbound reports; otherwise "mutual_tls" if connection.mtls is
# true, else "none" ("none" also covers a missing connection.mtls attribute).
4861 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4862 monitored_resource_type: '"UNSPECIFIED"'
# Metric export list; presumably the prometheus handler that the rules below
# reference as handler.prometheus (kind/name lines are not in this listing).
# Each entry binds an exported metric name to a metric instance and lists its
# label names; only some label lines survive in this listing.
# connection_security_policy is exported as a label on every metric here, so
# inbound reports with the value "none" can be selected on the metrics side.
4864 apiVersion: "config.istio.io/v1alpha2"
4868 namespace: istio-system
4871 - name: requests_total
4872 instance_name: requestcount.metric.istio-system
4879 - source_workload_namespace
4882 - destination_principal
4883 - destination_workload
4884 - destination_workload_namespace
4885 - destination_version
4886 - destination_service
4887 - destination_service_name
4888 - destination_service_namespace
4891 - connection_security_policy
4892 - name: request_duration_seconds
4893 instance_name: requestduration.metric.istio-system
4900 - source_workload_namespace
4903 - destination_principal
4904 - destination_workload
4905 - destination_workload_namespace
4906 - destination_version
4907 - destination_service
4908 - destination_service_name
4909 - destination_service_namespace
4912 - connection_security_policy
# Explicit bucket upper bounds; presumably in seconds, given the metric name.
4915 bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
4916 - name: request_bytes
4917 instance_name: requestsize.metric.istio-system
4924 - source_workload_namespace
4927 - destination_principal
4928 - destination_workload
4929 - destination_workload_namespace
4930 - destination_version
4931 - destination_service
4932 - destination_service_name
4933 - destination_service_namespace
4936 - connection_security_policy
4942 - name: response_bytes
4943 instance_name: responsesize.metric.istio-system
4950 - source_workload_namespace
4953 - destination_principal
4954 - destination_workload
4955 - destination_workload_namespace
4956 - destination_version
4957 - destination_service
4958 - destination_service_name
4959 - destination_service_namespace
4962 - connection_security_policy
# TCP metrics: no response-code or request-protocol labels appear in the
# matching instances above, only identity and connection_security_policy.
4968 - name: tcp_sent_bytes_total
4969 instance_name: tcpbytesent.metric.istio-system
4976 - source_workload_namespace
4979 - destination_principal
4980 - destination_workload
4981 - destination_workload_namespace
4982 - destination_version
4983 - destination_service
4984 - destination_service_name
4985 - destination_service_namespace
4986 - connection_security_policy
4987 - name: tcp_received_bytes_total
4988 instance_name: tcpbytereceived.metric.istio-system
4995 - source_workload_namespace
4998 - destination_principal
4999 - destination_workload
5000 - destination_workload_namespace
5001 - destination_version
5002 - destination_service
5003 - destination_service_name
5004 - destination_service_namespace
5005 - connection_security_policy
# Sends the four request-level metric instances to handler.prometheus for
# traffic whose context.protocol is "http" or "grpc".
# The name/kind lines are not in this listing.
5007 apiVersion: "config.istio.io/v1alpha2"
5011 namespace: istio-system
5013 match: context.protocol == "http" || context.protocol == "grpc"
5015 - handler: handler.prometheus
5017 - requestcount.metric
5018 - requestduration.metric
5019 - requestsize.metric
5020 - responsesize.metric
# Sends the two TCP byte-count metric instances to handler.prometheus for
# traffic whose context.protocol is "tcp".
# The name/kind lines are not in this listing.
5022 apiVersion: "config.istio.io/v1alpha2"
5026 namespace: istio-system
5028 match: context.protocol == "tcp"
5030 - handler: handler.prometheus
5032 - tcpbytesent.metric
5033 - tcpbytereceived.metric
# Presumably the kubernetesenv handler referenced below as handler.kubernetesenv
# (kind/name lines are not in this listing). No parameter is set in the visible
# lines: kubeconfig_path stays commented out, and the symlink recipe below is
# for running from a mixer source checkout with the developer's own kubeconfig.
5036 apiVersion: "config.istio.io/v1alpha2"
5040 namespace: istio-system
5042 # when running from mixer root, use the following config after adding a
5043 # symbolic link to a kubernetes config file via:
5045 # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
5047 # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
# kubeattrgenrulerule: sends the attributes.kubernetes instance to
# handler.kubernetesenv. No match expression appears in the visible lines
# (the listing skips some lines, so confirm against the full file).
5050 apiVersion: "config.istio.io/v1alpha2"
5053 name: kubeattrgenrulerule
5054 namespace: istio-system
5057 - handler: handler.kubernetesenv
5059 - attributes.kubernetes
# tcpkubeattrgenrulerule: sends the attributes.kubernetes instance to
# handler.kubernetesenv for traffic whose context.protocol is "tcp".
5061 apiVersion: "config.istio.io/v1alpha2"
5064 name: tcpkubeattrgenrulerule
5065 namespace: istio-system
5067 match: context.protocol == "tcp"
5069 - handler: handler.kubernetesenv
5071 - attributes.kubernetes
# Attribute-generation template; presumably the instance referenced by the
# rules above as attributes.kubernetes (kind/name lines are not in this listing).
# The first group is the adapter's input, the second binds its output ($out)
# to source.* and destination.* attributes, which the log and metric
# definitions earlier in this file read.
5073 apiVersion: "config.istio.io/v1alpha2"
5077 namespace: istio-system
5079 # Pass the required attribute data to the adapter
5080 source_uid: source.uid | ""
5081 source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
5082 destination_uid: destination.uid | ""
5083 destination_port: destination.port | 0
5085 # Fill the new attributes from the adapter produced output.
5086 # $out refers to an instance of OutputTemplate message
5087 source.ip: $out.source_pod_ip | ip("0.0.0.0")
5088 source.uid: $out.source_pod_uid | "unknown"
5089 source.labels: $out.source_labels | emptyStringMap()
5090 source.name: $out.source_pod_name | "unknown"
# NOTE(review): unlike the other fields, the namespace falls back to "default",
# which is a real namespace name; a peer the adapter could not resolve is then
# attributed to "default" in namespace-keyed logs and rules - confirm intended.
5091 source.namespace: $out.source_namespace | "default"
5092 source.owner: $out.source_owner | "unknown"
5093 source.serviceAccount: $out.source_service_account_name | "unknown"
5094 source.workload.uid: $out.source_workload_uid | "unknown"
5095 source.workload.name: $out.source_workload_name | "unknown"
5096 source.workload.namespace: $out.source_workload_namespace | "unknown"
5097 destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
5098 destination.uid: $out.destination_pod_uid | "unknown"
5099 destination.labels: $out.destination_labels | emptyStringMap()
5100 destination.name: $out.destination_pod_name | "unknown"
5101 destination.container.name: $out.destination_container_name | "unknown"
# Same "default" fallback as source.namespace above.
5102 destination.namespace: $out.destination_namespace | "default"
5103 destination.owner: $out.destination_owner | "unknown"
5104 destination.serviceAccount: $out.destination_service_account_name | "unknown"
5105 destination.workload.uid: $out.destination_workload_uid | "unknown"
5106 destination.workload.name: $out.destination_workload_name | "unknown"
5107 destination.workload.namespace: $out.destination_workload_namespace | "unknown"
5110 # Configuration needed by Mixer.
5111 # Mixer cluster is delivered via CDS
5112 # Specify mixer cluster settings
# DestinationRule for the istio-policy service host. The name line and the
# parent keys of the two limits below are not in this listing; presumably they
# sit under trafficPolicy.connectionPool.http - confirm against the full file.
5113 apiVersion: networking.istio.io/v1alpha3
5114 kind: DestinationRule
5117 namespace: istio-system
5119 host: istio-policy.istio-system.svc.cluster.local
# Both request limits are set to 10000; no TLS setting appears in the visible lines.
5123 http2MaxRequests: 10000
5124 maxRequestsPerConnection: 10000
5126 apiVersion: networking.istio.io/v1alpha3
5127 kind: DestinationRule
5129 name: istio-telemetry
5130 namespace: istio-system
5132 host: istio-telemetry.istio-system.svc.cluster.local
5136 http2MaxRequests: 10000
5137 maxRequestsPerConnection: 10000