6 istio-injection: disabled
8 # Source: istio/charts/galley/templates/configmap.yaml
12 name: istio-galley-configuration
13 namespace: istio-system
21 validatingwebhookconfiguration.yaml: |-
22 apiVersion: admissionregistration.k8s.io/v1beta1
23 kind: ValidatingWebhookConfiguration
26 namespace: istio-system
33 - name: pilot.validation.istio.io
37 namespace: istio-system
66 - authentication.istio.io
82 # disabled per @costinm's request
86 - name: mixer.validation.istio.io
90 namespace: istio-system
128 - servicecontrolreports
134 # Source: istio/charts/grafana/templates/configmap.yaml
138 name: istio-grafana-custom-resources
139 namespace: istio-system
143 release: RELEASE-NAME
147 custom-resources.yaml: |-
148 apiVersion: authentication.istio.io/v1alpha1
151 name: grafana-ports-mtls-disabled
152 namespace: istio-system
163 if [ "$#" -ne "1" ]; then
164 echo "first argument should be path to custom resource yaml"
168 pathToResourceYAML=${1}
170 /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
171 if [ "$?" -eq 0 ]; then
172 echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
174 /kubectl -n istio-system get deployment istio-galley 2>/dev/null
175 if [ "$?" -eq 0 ]; then
180 /kubectl -n istio-system rollout status deployment istio-galley
181 if [ "$?" -ne 0 ]; then
182 echo "istio-galley deployment rollout status check failed"
185 echo "istio-galley deployment ready for configuration validation"
188 /kubectl apply -f ${pathToResourceYAML}
192 # Source: istio/charts/mixer/templates/configmap.yaml
196 name: istio-statsd-prom-bridge
197 namespace: istio-system
199 app: istio-statsd-prom-bridge
201 release: RELEASE-NAME
208 # Source: istio/charts/prometheus/templates/configmap.yaml
213 namespace: istio-system
216 chart: prometheus-0.1.0
217 release: RELEASE-NAME
225 - job_name: 'istio-mesh'
226 # Override the global default and scrape targets from this job every 5 seconds.
229 kubernetes_sd_configs:
236 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
238 regex: istio-telemetry;prometheus
241 # Override the global default and scrape targets from this job every 5 seconds.
243 # metrics_path defaults to '/metrics'
244 # scheme defaults to 'http'.
246 kubernetes_sd_configs:
253 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
255 regex: istio-statsd-prom-bridge;statsd-prom
257 - job_name: 'istio-policy'
258 # Override the global default and scrape targets from this job every 5 seconds.
260 # metrics_path defaults to '/metrics'
261 # scheme defaults to 'http'.
263 kubernetes_sd_configs:
271 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
273 regex: istio-policy;http-monitoring
275 - job_name: 'istio-telemetry'
276 # Override the global default and scrape targets from this job every 5 seconds.
278 # metrics_path defaults to '/metrics'
279 # scheme defaults to 'http'.
281 kubernetes_sd_configs:
288 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
290 regex: istio-telemetry;http-monitoring
293 # Override the global default and scrape targets from this job every 5 seconds.
295 # metrics_path defaults to '/metrics'
296 # scheme defaults to 'http'.
298 kubernetes_sd_configs:
305 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
307 regex: istio-pilot;http-monitoring
310 # Override the global default and scrape targets from this job every 5 seconds.
312 # metrics_path defaults to '/metrics'
313 # scheme defaults to 'http'.
315 kubernetes_sd_configs:
322 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
324 regex: istio-galley;http-monitoring
326 # scrape config for API servers
327 - job_name: 'kubernetes-apiservers'
328 kubernetes_sd_configs:
335 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
336 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
338 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
340 regex: kubernetes;https
342 # scrape config for nodes (kubelet)
343 - job_name: 'kubernetes-nodes'
346 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
347 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
348 kubernetes_sd_configs:
352 regex: __meta_kubernetes_node_label_(.+)
353 - target_label: __address__
354 replacement: kubernetes.default.svc:443
355 - source_labels: [__meta_kubernetes_node_name]
357 target_label: __metrics_path__
358 replacement: /api/v1/nodes/${1}/proxy/metrics
360 # Scrape config for Kubelet cAdvisor.
362 # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
363 # (those whose names begin with 'container_') have been removed from the
364 # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
365 # retrieve those metrics.
367 # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
368 # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
369 # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
370 # the --cadvisor-port=0 Kubelet flag).
372 # This job is not necessary and should be removed in Kubernetes 1.6 and
373 # earlier versions, or it will cause the metrics to be scraped twice.
374 - job_name: 'kubernetes-cadvisor'
377 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
378 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
379 kubernetes_sd_configs:
383 regex: __meta_kubernetes_node_label_(.+)
384 - target_label: __address__
385 replacement: kubernetes.default.svc:443
386 - source_labels: [__meta_kubernetes_node_name]
388 target_label: __metrics_path__
389 replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
391 # scrape config for service endpoints.
392 - job_name: 'kubernetes-service-endpoints'
393 kubernetes_sd_configs:
396 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
399 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
401 target_label: __scheme__
403 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
405 target_label: __metrics_path__
407 - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
409 target_label: __address__
410 regex: ([^:]+)(?::\d+)?;(\d+)
413 regex: __meta_kubernetes_service_label_(.+)
414 - source_labels: [__meta_kubernetes_namespace]
416 target_label: kubernetes_namespace
417 - source_labels: [__meta_kubernetes_service_name]
419 target_label: kubernetes_name
421 # Example scrape config for pods
422 - job_name: 'kubernetes-pods'
423 kubernetes_sd_configs:
427 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
430 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
432 target_label: __metrics_path__
434 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
436 regex: ([^:]+)(?::\d+)?;(\d+)
438 target_label: __address__
440 regex: __meta_kubernetes_pod_label_(.+)
441 - source_labels: [__meta_kubernetes_namespace]
443 target_label: namespace
444 - source_labels: [__meta_kubernetes_pod_name]
446 target_label: pod_name
449 # Source: istio/charts/security/templates/configmap.yaml
453 name: istio-security-custom-resources
454 namespace: istio-system
457 chart: security-1.0.0
458 release: RELEASE-NAME
462 custom-resources.yaml: |-
463 # These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
464 # they are added to the Istio installation yaml for backward compatibility. In future, they should live in
465 # a separate yaml file so that customers can enable mTLS independently of the installation.
467 # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
468 apiVersion: "authentication.istio.io/v1alpha1"
474 chart: security-1.0.0
475 release: RELEASE-NAME
481 # Corresponding destination rule to configure client side to use mutual TLS when talking to
482 # any service (host) in the mesh.
483 apiVersion: networking.istio.io/v1alpha3
484 kind: DestinationRule
489 chart: security-1.0.0
490 release: RELEASE-NAME
498 # Destination rule to disable (m)TLS when talking to the API server, as the API server doesn't have a sidecar.
499 # Customers should add similar destination rules for other services that don't have a sidecar.
500 apiVersion: networking.istio.io/v1alpha3
501 kind: DestinationRule
506 chart: security-1.0.0
507 release: RELEASE-NAME
510 host: "kubernetes.default.svc.cluster.local"
519 if [ "$#" -ne "1" ]; then
520 echo "first argument should be path to custom resource yaml"
524 pathToResourceYAML=${1}
526 /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
527 if [ "$?" -eq 0 ]; then
528 echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
530 /kubectl -n istio-system get deployment istio-galley 2>/dev/null
531 if [ "$?" -eq 0 ]; then
536 /kubectl -n istio-system rollout status deployment istio-galley
537 if [ "$?" -ne 0 ]; then
538 echo "istio-galley deployment rollout status check failed"
541 echo "istio-galley deployment ready for configuration validation"
544 /kubectl apply -f ${pathToResourceYAML}
548 # Source: istio/templates/configmap.yaml
554 namespace: istio-system
558 release: RELEASE-NAME
562 # Set the following variable to true to disable policy checks by the Mixer.
563 # Note that metrics will still be reported to the Mixer.
564 disablePolicyChecks: false
566 # Set enableTracing to false to disable request tracing.
569 # Set accessLogFile to empty string to disable access log.
570 accessLogFile: "/dev/stdout"
572 # Deprecated: mixer is using EDS
573 mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004
574 mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004
576 # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
577 # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
580 # How frequently should Envoy fetch key/cert from NodeAgent.
586 # TCP connection timeout between Envoy & the application, and between Envoys.
589 ### ADVANCED SETTINGS #############
590 # Where should envoy's configuration be stored in the istio-proxy container
591 configPath: "/etc/istio/proxy"
592 binaryPath: "/usr/local/bin/envoy"
593 # The pseudo service name used for Envoy.
594 serviceCluster: istio-proxy
595 # These settings determine how long an old Envoy
596 # process should be kept alive after an occasional reload.
598 parentShutdownDuration: 1m0s
600 # The mode used to redirect inbound connections to Envoy. This setting
601 # has no effect on outbound traffic: iptables REDIRECT is always used for
602 # outbound connections.
603 # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
604 # The "REDIRECT" mode loses source addresses during redirection.
605 # If "TPROXY", use iptables TPROXY to redirect to Envoy.
606 # The "TPROXY" mode preserves both the source and destination IP
607 # addresses and ports, so that they can be used for advanced filtering
609 # The "TPROXY" mode also configures the sidecar to run with the
610 # CAP_NET_ADMIN capability, which is required to use TPROXY. This widens the sidecar's privileges, so keep "REDIRECT" unless preserved source addresses are actually needed.
611 #interceptionMode: REDIRECT
613 # Port where Envoy listens (on local host) for admin commands
614 # You can exec into the istio-proxy container in a pod and
615 # curl the admin port (curl http://localhost:15000/) to obtain
616 # diagnostic information from Envoy. See
617 # https://lyft.github.io/envoy/docs/operations/admin.html
619 proxyAdminPort: 15000
621 # Zipkin trace collector
622 zipkinAddress: zipkin.istio-system:9411
624 # Statsd metrics collector converts statsd metrics into Prometheus metrics.
625 statsdUdpAddress: istio-statsd-prom-bridge.istio-system:9125
627 # Mutual TLS authentication between sidecars and istio control plane.
628 controlPlaneAuthPolicy: MUTUAL_TLS
630 # Address where istio Pilot service is running
631 discoveryAddress: istio-pilot.istio-system:15005
634 # Source: istio/templates/sidecar-injector-configmap.yaml
639 name: istio-sidecar-injector
640 namespace: istio-system
644 release: RELEASE-NAME
646 istio: sidecar-injector
653 image: "gcr.io/istio-release/proxy_init:1.0.0"
656 - [[ .MeshConfig.ProxyListenPort ]]
660 - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
662 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges") -]]
663 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges" ]]"
668 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges") -]]
669 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges" ]]"
674 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts") -]]
675 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts" ]]"
677 - [[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]
679 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts") -]]
680 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts" ]]"
684 imagePullPolicy: IfNotPresent
690 restartPolicy: Always
694 image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]]
695 "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]"
697 gcr.io/istio-release/proxy_debug:1.0.0
703 - [[ .ProxyConfig.ConfigPath ]]
705 - [[ .ProxyConfig.BinaryPath ]]
707 [[ if ne "" (index .ObjectMeta.Labels "app") -]]
708 - [[ index .ObjectMeta.Labels "app" ]]
713 - [[ formatDuration .ProxyConfig.DrainDuration ]]
714 - --parentShutdownDuration
715 - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]
717 - [[ .ProxyConfig.DiscoveryAddress ]]
718 - --discoveryRefreshDelay
719 - [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]
721 - [[ .ProxyConfig.ZipkinAddress ]]
723 - [[ formatDuration .ProxyConfig.ConnectTimeout ]]
725 - [[ .ProxyConfig.StatsdUdpAddress ]]
727 - [[ .ProxyConfig.ProxyAdminPort ]]
728 - --controlPlaneAuthPolicy
729 - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/controlPlaneAuthPolicy") .ProxyConfig.ControlPlaneAuthPolicy ]]
734 fieldPath: metadata.name
735 - name: POD_NAMESPACE
738 fieldPath: metadata.namespace
742 fieldPath: status.podIP
743 - name: ISTIO_META_POD_NAME
746 fieldPath: metadata.name
747 - name: ISTIO_META_INTERCEPTION_MODE
748 value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
749 imagePullPolicy: IfNotPresent
752 readOnlyRootFilesystem: true
753 [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]]
761 restartPolicy: Always
763 [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU") -]]
765 cpu: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU" ]]"
766 memory: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyMemory" ]]"
773 - mountPath: /etc/istio/proxy
775 - mountPath: /etc/certs/
785 [[ if eq .Spec.ServiceAccountName "" -]]
786 secretName: istio.default
788 secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]]
792 # Source: istio/charts/galley/templates/serviceaccount.yaml
796 name: istio-galley-service-account
797 namespace: istio-system
802 release: RELEASE-NAME
805 # Source: istio/charts/gateways/templates/serviceaccount.yaml
810 name: istio-egressgateway-service-account
811 namespace: istio-system
814 chart: gateways-1.0.0
816 release: RELEASE-NAME
821 name: istio-ingressgateway-service-account
822 namespace: istio-system
825 chart: gateways-1.0.0
827 release: RELEASE-NAME
831 # Source: istio/charts/grafana/templates/create-custom-resources-job.yaml
835 name: istio-grafana-post-install-account
836 namespace: istio-system
841 release: RELEASE-NAME
843 apiVersion: rbac.authorization.k8s.io/v1beta1
846 name: istio-grafana-post-install-istio-system
851 release: RELEASE-NAME
853 - apiGroups: ["authentication.istio.io"] # needed to create default authn policy
857 apiVersion: rbac.authorization.k8s.io/v1beta1
858 kind: ClusterRoleBinding
860 name: istio-grafana-post-install-role-binding-istio-system
865 release: RELEASE-NAME
867 apiGroup: rbac.authorization.k8s.io
869 name: istio-grafana-post-install-istio-system
871 - kind: ServiceAccount
872 name: istio-grafana-post-install-account
873 namespace: istio-system
878 name: istio-grafana-post-install
879 namespace: istio-system
881 "helm.sh/hook": post-install
882 "helm.sh/hook-delete-policy": hook-succeeded
886 release: RELEASE-NAME
891 name: istio-grafana-post-install
894 release: RELEASE-NAME
896 serviceAccountName: istio-grafana-post-install-account
899 image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
900 command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ]
902 - mountPath: "/tmp/grafana"
903 name: tmp-configmap-grafana
905 - name: tmp-configmap-grafana
907 name: istio-grafana-custom-resources
908 restartPolicy: OnFailure
911 # Source: istio/charts/mixer/templates/serviceaccount.yaml
915 name: istio-mixer-service-account
916 namespace: istio-system
921 release: RELEASE-NAME
924 # Source: istio/charts/pilot/templates/serviceaccount.yaml
928 name: istio-pilot-service-account
929 namespace: istio-system
934 release: RELEASE-NAME
937 # Source: istio/charts/prometheus/templates/serviceaccount.yaml
942 namespace: istio-system
945 # Source: istio/charts/security/templates/cleanup-secrets.yaml
946 # The reason for creating a ServiceAccount and ClusterRole specifically for this
947 # post-delete hooked job is because the citadel ServiceAccount is being deleted
948 # before this hook is launched. On the other hand, running this hook before the
949 # deletion of the citadel (e.g. pre-delete) won't delete the secrets because they
950 # will be re-created immediately by the to-be-deleted citadel.
952 # It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding
953 # are ready before the hooked Job runs, hence the hook weights.
958 name: istio-cleanup-secrets-service-account
959 namespace: istio-system
961 "helm.sh/hook": post-delete
962 "helm.sh/hook-delete-policy": hook-succeeded
963 "helm.sh/hook-weight": "1"
966 chart: security-1.0.0
968 release: RELEASE-NAME
970 apiVersion: rbac.authorization.k8s.io/v1beta1
973 name: istio-cleanup-secrets-istio-system
975 "helm.sh/hook": post-delete
976 "helm.sh/hook-delete-policy": hook-succeeded
977 "helm.sh/hook-weight": "1"
980 chart: security-1.0.0
982 release: RELEASE-NAME
985 resources: ["secrets"]
986 verbs: ["list", "delete"]
988 apiVersion: rbac.authorization.k8s.io/v1beta1
989 kind: ClusterRoleBinding
991 name: istio-cleanup-secrets-istio-system
993 "helm.sh/hook": post-delete
994 "helm.sh/hook-delete-policy": hook-succeeded
995 "helm.sh/hook-weight": "2"
998 chart: security-1.0.0
1000 release: RELEASE-NAME
1002 apiGroup: rbac.authorization.k8s.io
1004 name: istio-cleanup-secrets-istio-system
1006 - kind: ServiceAccount
1007 name: istio-cleanup-secrets-service-account
1008 namespace: istio-system
1010 apiVersion: batch/v1
1013 name: istio-cleanup-secrets
1014 namespace: istio-system
1016 "helm.sh/hook": post-delete
1017 "helm.sh/hook-delete-policy": hook-succeeded
1018 "helm.sh/hook-weight": "3"
1021 chart: security-1.0.0
1022 release: RELEASE-NAME
1027 name: istio-cleanup-secrets
1030 release: RELEASE-NAME
1032 serviceAccountName: istio-cleanup-secrets-service-account
1035 image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
1040 kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
1041 ns=$(echo $entry | awk '{print $1}');
1042 name=$(echo $entry | awk '{print $2}');
1043 kubectl delete secret $name -n $ns;
1045 restartPolicy: OnFailure
1048 # Source: istio/charts/security/templates/create-custom-resources-job.yaml
1051 kind: ServiceAccount
1053 name: istio-security-post-install-account
1054 namespace: istio-system
1057 chart: security-1.0.0
1059 release: RELEASE-NAME
1061 apiVersion: rbac.authorization.k8s.io/v1beta1
1064 name: istio-security-post-install-istio-system
1067 chart: security-1.0.0
1069 release: RELEASE-NAME
1071 - apiGroups: ["authentication.istio.io"] # needed to create default authn policy
1074 - apiGroups: ["networking.istio.io"] # needed to create security destination rules
1077 - apiGroups: ["admissionregistration.k8s.io"]
1078 resources: ["validatingwebhookconfigurations"]
1080 - apiGroups: ["extensions"]
1081 resources: ["deployments", "replicasets"]
1082 verbs: ["get", "list", "watch"]
1084 apiVersion: rbac.authorization.k8s.io/v1beta1
1085 kind: ClusterRoleBinding
1087 name: istio-security-post-install-role-binding-istio-system
1090 chart: security-1.0.0
1092 release: RELEASE-NAME
1094 apiGroup: rbac.authorization.k8s.io
1096 name: istio-security-post-install-istio-system
1098 - kind: ServiceAccount
1099 name: istio-security-post-install-account
1100 namespace: istio-system
1103 apiVersion: batch/v1
1106 name: istio-security-post-install
1107 namespace: istio-system
1109 "helm.sh/hook": post-install
1110 "helm.sh/hook-delete-policy": hook-succeeded
1113 chart: security-1.0.0
1114 release: RELEASE-NAME
1119 name: istio-security-post-install
1122 release: RELEASE-NAME
1124 serviceAccountName: istio-security-post-install-account
1127 image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
1128 command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
1130 - mountPath: "/tmp/security"
1131 name: tmp-configmap-security
1133 - name: tmp-configmap-security
1135 name: istio-security-custom-resources
1136 restartPolicy: OnFailure
1139 # Source: istio/charts/security/templates/serviceaccount.yaml
1141 kind: ServiceAccount
1143 name: istio-citadel-service-account
1144 namespace: istio-system
1147 chart: security-1.0.0
1149 release: RELEASE-NAME
1152 # Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
1154 kind: ServiceAccount
1156 name: istio-sidecar-injector-service-account
1157 namespace: istio-system
1159 app: istio-sidecar-injector
1160 chart: sidecarInjectorWebhook-1.0.0
1162 release: RELEASE-NAME
1165 # Source: istio/templates/crds.yaml
1167 # these CRDs only make sense when pilot is enabled
1169 apiVersion: apiextensions.k8s.io/v1beta1
1170 kind: CustomResourceDefinition
1172 name: virtualservices.networking.istio.io
1174 "helm.sh/hook": crd-install
1178 group: networking.istio.io
1180 kind: VirtualService
1181 listKind: VirtualServiceList
1182 plural: virtualservices
1183 singular: virtualservice
1186 - networking-istio-io
1190 apiVersion: apiextensions.k8s.io/v1beta1
1191 kind: CustomResourceDefinition
1193 name: destinationrules.networking.istio.io
1195 "helm.sh/hook": crd-install
1199 group: networking.istio.io
1201 kind: DestinationRule
1202 listKind: DestinationRuleList
1203 plural: destinationrules
1204 singular: destinationrule
1207 - networking-istio-io
1211 apiVersion: apiextensions.k8s.io/v1beta1
1212 kind: CustomResourceDefinition
1214 name: serviceentries.networking.istio.io
1216 "helm.sh/hook": crd-install
1220 group: networking.istio.io
1223 listKind: ServiceEntryList
1224 plural: serviceentries
1225 singular: serviceentry
1228 - networking-istio-io
1232 apiVersion: apiextensions.k8s.io/v1beta1
1233 kind: CustomResourceDefinition
1235 name: gateways.networking.istio.io
1237 "helm.sh/hook": crd-install
1238 "helm.sh/hook-weight": "-5"
1242 group: networking.istio.io
1249 - networking-istio-io
1253 apiVersion: apiextensions.k8s.io/v1beta1
1254 kind: CustomResourceDefinition
1256 name: envoyfilters.networking.istio.io
1258 "helm.sh/hook": crd-install
1262 group: networking.istio.io
1265 plural: envoyfilters
1266 singular: envoyfilter
1269 - networking-istio-io
1275 # these CRDs only make sense when security is enabled
1279 kind: CustomResourceDefinition
1280 apiVersion: apiextensions.k8s.io/v1beta1
1283 "helm.sh/hook": crd-install
1284 name: httpapispecbindings.config.istio.io
1286 group: config.istio.io
1288 kind: HTTPAPISpecBinding
1289 plural: httpapispecbindings
1290 singular: httpapispecbinding
1297 kind: CustomResourceDefinition
1298 apiVersion: apiextensions.k8s.io/v1beta1
1301 "helm.sh/hook": crd-install
1302 name: httpapispecs.config.istio.io
1304 group: config.istio.io
1307 plural: httpapispecs
1308 singular: httpapispec
1315 kind: CustomResourceDefinition
1316 apiVersion: apiextensions.k8s.io/v1beta1
1319 "helm.sh/hook": crd-install
1320 name: quotaspecbindings.config.istio.io
1322 group: config.istio.io
1324 kind: QuotaSpecBinding
1325 plural: quotaspecbindings
1326 singular: quotaspecbinding
1333 kind: CustomResourceDefinition
1334 apiVersion: apiextensions.k8s.io/v1beta1
1337 "helm.sh/hook": crd-install
1338 name: quotaspecs.config.istio.io
1340 group: config.istio.io
1353 kind: CustomResourceDefinition
1354 apiVersion: apiextensions.k8s.io/v1beta1
1356 name: rules.config.istio.io
1358 "helm.sh/hook": crd-install
1361 package: istio.io.mixer
1364 group: config.istio.io
1376 kind: CustomResourceDefinition
1377 apiVersion: apiextensions.k8s.io/v1beta1
1379 name: attributemanifests.config.istio.io
1381 "helm.sh/hook": crd-install
1384 package: istio.io.mixer
1387 group: config.istio.io
1389 kind: attributemanifest
1390 plural: attributemanifests
1391 singular: attributemanifest
1399 kind: CustomResourceDefinition
1400 apiVersion: apiextensions.k8s.io/v1beta1
1402 name: bypasses.config.istio.io
1404 "helm.sh/hook": crd-install
1408 istio: mixer-adapter
1410 group: config.istio.io
1422 kind: CustomResourceDefinition
1423 apiVersion: apiextensions.k8s.io/v1beta1
1425 name: circonuses.config.istio.io
1427 "helm.sh/hook": crd-install
1431 istio: mixer-adapter
1433 group: config.istio.io
1445 kind: CustomResourceDefinition
1446 apiVersion: apiextensions.k8s.io/v1beta1
1448 name: deniers.config.istio.io
1450 "helm.sh/hook": crd-install
1454 istio: mixer-adapter
1456 group: config.istio.io
1468 kind: CustomResourceDefinition
1469 apiVersion: apiextensions.k8s.io/v1beta1
1471 name: fluentds.config.istio.io
1473 "helm.sh/hook": crd-install
1477 istio: mixer-adapter
1479 group: config.istio.io
1491 kind: CustomResourceDefinition
1492 apiVersion: apiextensions.k8s.io/v1beta1
1494 name: kubernetesenvs.config.istio.io
1496 "helm.sh/hook": crd-install
1499 package: kubernetesenv
1500 istio: mixer-adapter
1502 group: config.istio.io
1505 plural: kubernetesenvs
1506 singular: kubernetesenv
1514 kind: CustomResourceDefinition
1515 apiVersion: apiextensions.k8s.io/v1beta1
1517 name: listcheckers.config.istio.io
1519 "helm.sh/hook": crd-install
1522 package: listchecker
1523 istio: mixer-adapter
1525 group: config.istio.io
1528 plural: listcheckers
1529 singular: listchecker
1537 kind: CustomResourceDefinition
1538 apiVersion: apiextensions.k8s.io/v1beta1
1540 name: memquotas.config.istio.io
1542 "helm.sh/hook": crd-install
1546 istio: mixer-adapter
1548 group: config.istio.io
1560 kind: CustomResourceDefinition
1561 apiVersion: apiextensions.k8s.io/v1beta1
1563 name: noops.config.istio.io
1565 "helm.sh/hook": crd-install
1569 istio: mixer-adapter
1571 group: config.istio.io
1583 kind: CustomResourceDefinition
1584 apiVersion: apiextensions.k8s.io/v1beta1
1586 name: opas.config.istio.io
1588 "helm.sh/hook": crd-install
1592 istio: mixer-adapter
1594 group: config.istio.io
1606 kind: CustomResourceDefinition
1607 apiVersion: apiextensions.k8s.io/v1beta1
1609 name: prometheuses.config.istio.io
1611 "helm.sh/hook": crd-install
1615 istio: mixer-adapter
1617 group: config.istio.io
1620 plural: prometheuses
1621 singular: prometheus
1629 kind: CustomResourceDefinition
1630 apiVersion: apiextensions.k8s.io/v1beta1
1632 name: rbacs.config.istio.io
1634 "helm.sh/hook": crd-install
1638 istio: mixer-adapter
1640 group: config.istio.io
1652 kind: CustomResourceDefinition
1653 apiVersion: apiextensions.k8s.io/v1beta1
1655 name: redisquotas.config.istio.io
1657 "helm.sh/hook": crd-install
1660 istio: mixer-adapter
1662 group: config.istio.io
1666 singular: redisquota
1671 kind: CustomResourceDefinition
1672 apiVersion: apiextensions.k8s.io/v1beta1
1674 name: servicecontrols.config.istio.io
1676 "helm.sh/hook": crd-install
1679 package: servicecontrol
1680 istio: mixer-adapter
1682 group: config.istio.io
1684 kind: servicecontrol
1685 plural: servicecontrols
1686 singular: servicecontrol
1695 kind: CustomResourceDefinition
1696 apiVersion: apiextensions.k8s.io/v1beta1
1698 name: signalfxs.config.istio.io
1700 "helm.sh/hook": crd-install
1704 istio: mixer-adapter
1706 group: config.istio.io
1718 kind: CustomResourceDefinition
1719 apiVersion: apiextensions.k8s.io/v1beta1
1721 name: solarwindses.config.istio.io
1723 "helm.sh/hook": crd-install
1727 istio: mixer-adapter
1729 group: config.istio.io
1732 plural: solarwindses
1733 singular: solarwinds
1741 kind: CustomResourceDefinition
1742 apiVersion: apiextensions.k8s.io/v1beta1
1744 name: stackdrivers.config.istio.io
1746 "helm.sh/hook": crd-install
1749 package: stackdriver
1750 istio: mixer-adapter
1752 group: config.istio.io
1755 plural: stackdrivers
1756 singular: stackdriver
1764 kind: CustomResourceDefinition
1765 apiVersion: apiextensions.k8s.io/v1beta1
1767 name: statsds.config.istio.io
1769 "helm.sh/hook": crd-install
1773 istio: mixer-adapter
1775 group: config.istio.io
1787 kind: CustomResourceDefinition
1788 apiVersion: apiextensions.k8s.io/v1beta1
1790 name: stdios.config.istio.io
1792 "helm.sh/hook": crd-install
1796 istio: mixer-adapter
1798 group: config.istio.io
1810 kind: CustomResourceDefinition
1811 apiVersion: apiextensions.k8s.io/v1beta1
1813 name: apikeys.config.istio.io
1815 "helm.sh/hook": crd-install
1819 istio: mixer-instance
1821 group: config.istio.io
1833 kind: CustomResourceDefinition
1834 apiVersion: apiextensions.k8s.io/v1beta1
1836 name: authorizations.config.istio.io
1838 "helm.sh/hook": crd-install
1841 package: authorization
1842 istio: mixer-instance
1844 group: config.istio.io
1847 plural: authorizations
1848 singular: authorization
1856 kind: CustomResourceDefinition
1857 apiVersion: apiextensions.k8s.io/v1beta1
1859 name: checknothings.config.istio.io
1861 "helm.sh/hook": crd-install
1864 package: checknothing
1865 istio: mixer-instance
1867 group: config.istio.io
1870 plural: checknothings
1871 singular: checknothing
1879 kind: CustomResourceDefinition
1880 apiVersion: apiextensions.k8s.io/v1beta1
1882 name: kuberneteses.config.istio.io
1884 "helm.sh/hook": crd-install
1887 package: adapter.template.kubernetes
1888 istio: mixer-instance
1890 group: config.istio.io
1893 plural: kuberneteses
1894 singular: kubernetes
1902 kind: CustomResourceDefinition
1903 apiVersion: apiextensions.k8s.io/v1beta1
1905 name: listentries.config.istio.io
1907 "helm.sh/hook": crd-install
1911 istio: mixer-instance
1913 group: config.istio.io
1925 kind: CustomResourceDefinition
1926 apiVersion: apiextensions.k8s.io/v1beta1
1928 name: logentries.config.istio.io
1930 "helm.sh/hook": crd-install
1934 istio: mixer-instance
1936 group: config.istio.io
1948 kind: CustomResourceDefinition
1949 apiVersion: apiextensions.k8s.io/v1beta1
1951 name: edges.config.istio.io
1953 "helm.sh/hook": crd-install
1957 istio: mixer-instance
1959 group: config.istio.io
1971 kind: CustomResourceDefinition
1972 apiVersion: apiextensions.k8s.io/v1beta1
1974 name: metrics.config.istio.io
1976 "helm.sh/hook": crd-install
1980 istio: mixer-instance
1982 group: config.istio.io
1994 kind: CustomResourceDefinition
1995 apiVersion: apiextensions.k8s.io/v1beta1
1997 name: quotas.config.istio.io
1999 "helm.sh/hook": crd-install
2003 istio: mixer-instance
2005 group: config.istio.io
2017 kind: CustomResourceDefinition
2018 apiVersion: apiextensions.k8s.io/v1beta1
2020 name: reportnothings.config.istio.io
2022 "helm.sh/hook": crd-install
2025 package: reportnothing
2026 istio: mixer-instance
2028 group: config.istio.io
2031 plural: reportnothings
2032 singular: reportnothing
2040 kind: CustomResourceDefinition
2041 apiVersion: apiextensions.k8s.io/v1beta1
2043 name: servicecontrolreports.config.istio.io
2045 "helm.sh/hook": crd-install
2048 package: servicecontrolreport
2049 istio: mixer-instance
2051 group: config.istio.io
2053 kind: servicecontrolreport
2054 plural: servicecontrolreports
2055 singular: servicecontrolreport
2063 kind: CustomResourceDefinition
2064 apiVersion: apiextensions.k8s.io/v1beta1
2066 name: tracespans.config.istio.io
2068 "helm.sh/hook": crd-install
2072 istio: mixer-instance
2074 group: config.istio.io
2086 kind: CustomResourceDefinition
2087 apiVersion: apiextensions.k8s.io/v1beta1
2089 name: rbacconfigs.rbac.istio.io
2091 "helm.sh/hook": crd-install
2094 package: istio.io.mixer
2097 group: rbac.istio.io
2101 singular: rbacconfig
2109 kind: CustomResourceDefinition
2110 apiVersion: apiextensions.k8s.io/v1beta1
2112 name: serviceroles.rbac.istio.io
2114 "helm.sh/hook": crd-install
2117 package: istio.io.mixer
2120 group: rbac.istio.io
2123 plural: serviceroles
2124 singular: servicerole
2132 kind: CustomResourceDefinition
2133 apiVersion: apiextensions.k8s.io/v1beta1
2135 name: servicerolebindings.rbac.istio.io
2137 "helm.sh/hook": crd-install
2140 package: istio.io.mixer
2143 group: rbac.istio.io
2145 kind: ServiceRoleBinding
2146 plural: servicerolebindings
2147 singular: servicerolebinding
2154 kind: CustomResourceDefinition
2155 apiVersion: apiextensions.k8s.io/v1beta1
2157 name: adapters.config.istio.io
2159 "helm.sh/hook": crd-install
2163 istio: mixer-adapter
2165 group: config.istio.io
2176 kind: CustomResourceDefinition
2177 apiVersion: apiextensions.k8s.io/v1beta1
2179 name: instances.config.istio.io
2181 "helm.sh/hook": crd-install
2185 istio: mixer-instance
2187 group: config.istio.io
2198 kind: CustomResourceDefinition
2199 apiVersion: apiextensions.k8s.io/v1beta1
2201 name: templates.config.istio.io
2203 "helm.sh/hook": crd-install
2207 istio: mixer-template
2209 group: config.istio.io
2220 kind: CustomResourceDefinition
2221 apiVersion: apiextensions.k8s.io/v1beta1
2223 name: handlers.config.istio.io
2225 "helm.sh/hook": crd-install
2229 istio: mixer-handler
2231 group: config.istio.io
2245 # Source: istio/charts/galley/templates/clusterrole.yaml
2246 apiVersion: rbac.authorization.k8s.io/v1beta1
2249 name: istio-galley-istio-system
2254 release: RELEASE-NAME
2256 - apiGroups: ["admissionregistration.k8s.io"]
2257 resources: ["validatingwebhookconfigurations"]
2259 - apiGroups: ["config.istio.io"] # istio mixer CRD watcher
2261 verbs: ["get", "list", "watch"]
2263 resources: ["deployments"]
2264 resourceNames: ["istio-galley"]
2268 # Source: istio/charts/gateways/templates/clusterrole.yaml
2270 apiVersion: rbac.authorization.k8s.io/v1beta1
2275 chart: gateways-1.0.0
2277 release: RELEASE-NAME
2278 name: istio-egressgateway-istio-system
# NOTE(review): this rule grants "update" (not only read) on Istio routing
# objects (virtualservices, destinationrules, gateways) to the gateway's own
# service account, i.e. a data-plane proxy gets write access to mesh routing
# config. The same kinds are listed under the networking.istio.io group in the
# pilot role further down; under apiGroups "extensions" this rule may match
# nothing at all — confirm which API group the cluster serves them from.
2280 - apiGroups: ["extensions"]
2281 resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
2282 verbs: ["get", "watch", "list", "update"]
2284 apiVersion: rbac.authorization.k8s.io/v1beta1
2289 chart: gateways-1.0.0
2291 release: RELEASE-NAME
2292 name: istio-ingressgateway-istio-system
# Identical rule for the ingress gateway; the note above applies here too.
2294 - apiGroups: ["extensions"]
2295 resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
2296 verbs: ["get", "watch", "list", "update"]
2300 # Source: istio/charts/mixer/templates/clusterrole.yaml
2301 apiVersion: rbac.authorization.k8s.io/v1beta1
2304 name: istio-mixer-istio-system
2309 release: RELEASE-NAME
# Mixer may create and patch any config.istio.io resource, so this service
# account effectively owns mesh policy/telemetry configuration cluster-wide.
2311 - apiGroups: ["config.istio.io"] # istio CRD watcher
2313 verbs: ["create", "get", "list", "watch", "patch"]
2314 - apiGroups: ["rbac.istio.io"] # istio RBAC watcher
2316 verbs: ["get", "list", "watch"]
2317 - apiGroups: ["apiextensions.k8s.io"]
2318 resources: ["customresourcedefinitions"]
2319 verbs: ["get", "list", "watch"]
# NOTE(review): "secrets" sits in the same rule as configmaps/pods/services,
# so this ClusterRole lets the mixer service account read every Secret in the
# cluster. If Mixer only needs its own certificate Secret, a namespaced Role
# or a resourceNames restriction (as the galley role above uses for its
# deployment) would narrow this considerably — confirm what Mixer reads.
2321 resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
2322 verbs: ["get", "list", "watch"]
2323 - apiGroups: ["extensions"]
2324 resources: ["replicasets"]
2325 verbs: ["get", "list", "watch"]
2326 - apiGroups: ["apps"]
2327 resources: ["replicasets"]
2328 verbs: ["get", "list", "watch"]
2331 # Source: istio/charts/pilot/templates/clusterrole.yaml
2332 apiVersion: rbac.authorization.k8s.io/v1beta1
2335 name: istio-pilot-istio-system
2340 release: RELEASE-NAME
2342 - apiGroups: ["config.istio.io"]
2345 - apiGroups: ["rbac.istio.io"]
2347 verbs: ["get", "watch", "list"]
2348 - apiGroups: ["networking.istio.io"]
2351 - apiGroups: ["authentication.istio.io"]
2354 - apiGroups: ["apiextensions.k8s.io"]
2355 resources: ["customresourcedefinitions"]
# Pilot also gets access to Kubernetes Ingress objects and their status
# subresource (verbs for this rule are not shown in this excerpt) — presumably
# to drive the autogenerated ingress Gateway defined later in this file.
2357 - apiGroups: ["extensions"]
2358 resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"]
2361 resources: ["configmaps"]
2362 verbs: ["create", "get", "list", "watch", "update"]
2364 resources: ["endpoints", "pods", "services"]
2365 verbs: ["get", "list", "watch"]
# NOTE(review): cluster-wide get/list/watch on Secrets, alongside nodes and
# namespaces. As with the mixer role, check whether Pilot needs more than the
# certificate Secret it mounts; if not, this is a candidate for narrowing.
2367 resources: ["namespaces", "nodes", "secrets"]
2368 verbs: ["get", "list", "watch"]
2371 # Source: istio/charts/prometheus/templates/clusterrole.yaml
2372 apiVersion: rbac.authorization.k8s.io/v1beta1
2375 name: prometheus-istio-system
2384 verbs: ["get", "list", "watch"]
2389 - nonResourceURLs: ["/metrics"]
2393 # Source: istio/charts/security/templates/clusterrole.yaml
2394 apiVersion: rbac.authorization.k8s.io/v1beta1
2397 name: istio-citadel-istio-system
2400 chart: security-1.0.0
2402 release: RELEASE-NAME
# Full create/update/delete on Secrets in every namespace: Citadel is the mesh
# CA and writes the per-service-account certificate Secrets (the
# istio.<service-account> Secrets mounted by the deployments below). This is
# the broadest Secret access in the file, so this service account's token and
# its audit trail deserve the most attention of any binding here.
2405 resources: ["secrets"]
2406 verbs: ["create", "get", "watch", "list", "update", "delete"]
# Read-only on ServiceAccounts and Services: the identities Citadel issues
# certificates for.
2408 resources: ["serviceaccounts"]
2409 verbs: ["get", "watch", "list"]
2411 resources: ["services"]
2412 verbs: ["get", "watch", "list"]
2415 # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
2416 apiVersion: rbac.authorization.k8s.io/v1beta1
2419 name: istio-sidecar-injector-istio-system
2421 app: istio-sidecar-injector
2422 chart: sidecarInjectorWebhook-1.0.0
2424 release: RELEASE-NAME
2427 resources: ["configmaps"]
2428 verbs: ["get", "list", "watch"]
2429 - apiGroups: ["admissionregistration.k8s.io"]
2430 resources: ["mutatingwebhookconfigurations"]
2431 verbs: ["get", "list", "watch", "patch"]
2434 # Source: istio/charts/galley/templates/clusterrolebinding.yaml
2435 apiVersion: rbac.authorization.k8s.io/v1beta1
2436 kind: ClusterRoleBinding
2438 name: istio-galley-admin-role-binding-istio-system
2443 release: RELEASE-NAME
2445 apiGroup: rbac.authorization.k8s.io
2447 name: istio-galley-istio-system
2449 - kind: ServiceAccount
2450 name: istio-galley-service-account
2451 namespace: istio-system
2454 # Source: istio/charts/gateways/templates/clusterrolebindings.yaml
2456 apiVersion: rbac.authorization.k8s.io/v1beta1
2457 kind: ClusterRoleBinding
2459 name: istio-egressgateway-istio-system
2461 apiGroup: rbac.authorization.k8s.io
2463 name: istio-egressgateway-istio-system
2465 - kind: ServiceAccount
2466 name: istio-egressgateway-service-account
2467 namespace: istio-system
2469 apiVersion: rbac.authorization.k8s.io/v1beta1
2470 kind: ClusterRoleBinding
2472 name: istio-ingressgateway-istio-system
2474 apiGroup: rbac.authorization.k8s.io
2476 name: istio-ingressgateway-istio-system
2478 - kind: ServiceAccount
2479 name: istio-ingressgateway-service-account
2480 namespace: istio-system
2484 # Source: istio/charts/mixer/templates/clusterrolebinding.yaml
2485 apiVersion: rbac.authorization.k8s.io/v1beta1
2486 kind: ClusterRoleBinding
2488 name: istio-mixer-admin-role-binding-istio-system
2493 release: RELEASE-NAME
2495 apiGroup: rbac.authorization.k8s.io
2497 name: istio-mixer-istio-system
2499 - kind: ServiceAccount
2500 name: istio-mixer-service-account
2501 namespace: istio-system
2504 # Source: istio/charts/pilot/templates/clusterrolebinding.yaml
2505 apiVersion: rbac.authorization.k8s.io/v1beta1
2506 kind: ClusterRoleBinding
2508 name: istio-pilot-istio-system
2513 release: RELEASE-NAME
2515 apiGroup: rbac.authorization.k8s.io
2517 name: istio-pilot-istio-system
2519 - kind: ServiceAccount
2520 name: istio-pilot-service-account
2521 namespace: istio-system
2524 # Source: istio/charts/prometheus/templates/clusterrolebindings.yaml
2525 apiVersion: rbac.authorization.k8s.io/v1beta1
2526 kind: ClusterRoleBinding
2528 name: prometheus-istio-system
2530 apiGroup: rbac.authorization.k8s.io
2532 name: prometheus-istio-system
2534 - kind: ServiceAccount
2536 namespace: istio-system
2539 # Source: istio/charts/security/templates/clusterrolebinding.yaml
2540 apiVersion: rbac.authorization.k8s.io/v1beta1
2541 kind: ClusterRoleBinding
2543 name: istio-citadel-istio-system
2546 chart: security-1.0.0
2548 release: RELEASE-NAME
2550 apiGroup: rbac.authorization.k8s.io
2552 name: istio-citadel-istio-system
2554 - kind: ServiceAccount
2555 name: istio-citadel-service-account
2556 namespace: istio-system
2559 # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
2560 apiVersion: rbac.authorization.k8s.io/v1beta1
2561 kind: ClusterRoleBinding
2563 name: istio-sidecar-injector-admin-role-binding-istio-system
2565 app: istio-sidecar-injector
2566 chart: sidecarInjectorWebhook-1.0.0
2568 release: RELEASE-NAME
2570 apiGroup: rbac.authorization.k8s.io
2572 name: istio-sidecar-injector-istio-system
2574 - kind: ServiceAccount
2575 name: istio-sidecar-injector-service-account
2576 namespace: istio-system
2579 # Source: istio/charts/galley/templates/service.yaml
2584 namespace: istio-system
2590 name: https-validation
2592 name: http-monitoring
2597 # Source: istio/charts/gateways/templates/service.yaml
2602 name: istio-egressgateway
2603 namespace: istio-system
2606 chart: gateways-1.0.0
2607 release: RELEASE-NAME
2609 app: istio-egressgateway
2610 istio: egressgateway
2614 app: istio-egressgateway
2615 istio: egressgateway
2627 name: istio-ingressgateway
2628 namespace: istio-system
2631 chart: gateways-1.0.0
2632 release: RELEASE-NAME
2634 app: istio-ingressgateway
2635 istio: ingressgateway
2639 app: istio-ingressgateway
2640 istio: ingressgateway
2656 name: tcp-pilot-grpc-tls
2660 name: tcp-citadel-grpc-tls
2664 name: http2-prometheus
2674 # Source: istio/charts/grafana/templates/service.yaml
2679 namespace: istio-system
2683 chart: grafana-0.1.0
2684 release: RELEASE-NAME
2698 # Source: istio/charts/mixer/templates/service.yaml
2704 namespace: istio-system
2707 release: RELEASE-NAME
2713 - name: grpc-mixer-mtls
2715 - name: http-monitoring
2719 istio-mixer-type: policy
2724 name: istio-telemetry
2725 namespace: istio-system
2728 release: RELEASE-NAME
2734 - name: grpc-mixer-mtls
2736 - name: http-monitoring
2742 istio-mixer-type: telemetry
2746 # Source: istio/charts/mixer/templates/statsdtoprom.yaml
2752 name: istio-statsd-prom-bridge
2753 namespace: istio-system
2756 release: RELEASE-NAME
2757 istio: statsd-prom-bridge
2766 istio: statsd-prom-bridge
2770 apiVersion: extensions/v1beta1
2773 name: istio-statsd-prom-bridge
2774 namespace: istio-system
2777 release: RELEASE-NAME
2783 istio: statsd-prom-bridge
2785 sidecar.istio.io/inject: "false"
2787 serviceAccountName: istio-mixer-service-account
2789 - name: config-volume
2791 name: istio-statsd-prom-bridge
2793 - name: statsd-prom-bridge
2794 image: "docker.io/prom/statsd-exporter:v0.6.0"
2795 imagePullPolicy: IfNotPresent
2797 - containerPort: 9102
2798 - containerPort: 9125
2801 - '-statsd.mapping-config=/etc/statsd/mapping.conf'
2807 - name: config-volume
2808 mountPath: /etc/statsd
2811 # Source: istio/charts/pilot/templates/service.yaml
2816 namespace: istio-system
2820 release: RELEASE-NAME
2825 name: grpc-xds # direct
2827 name: https-xds # mTLS
2829 name: http-legacy-discovery # direct
2831 name: http-monitoring
2836 # Source: istio/charts/prometheus/templates/service.yaml
2841 namespace: istio-system
2843 prometheus.io/scrape: 'true'
2850 - name: http-prometheus
2855 # Source: istio/charts/security/templates/service.yaml
2859 # We use the plain service name here (e.g. 'prometheus')
2860 # because Grafana is configured to use it as a data source.
2862 namespace: istio-system
2867 - name: grpc-citadel
2871 - name: http-monitoring
2877 # Source: istio/charts/servicegraph/templates/service.yaml
2882 namespace: istio-system
2886 chart: servicegraph-0.1.0
2887 release: RELEASE-NAME
2901 # Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml
2905 name: istio-sidecar-injector
2906 namespace: istio-system
2908 istio: sidecar-injector
2913 istio: sidecar-injector
2916 # Source: istio/charts/galley/templates/deployment.yaml
2917 apiVersion: extensions/v1beta1
2921 namespace: istio-system
2925 release: RELEASE-NAME
2939 sidecar.istio.io/inject: "false"
2940 scheduler.alpha.kubernetes.io/critical-pod: ""
2942 serviceAccountName: istio-galley-service-account
2945 image: "gcr.io/istio-release/galley:1.0.0"
2946 imagePullPolicy: IfNotPresent
2948 - containerPort: 443
2949 - containerPort: 9093
2951 - /usr/local/bin/galley
2953 - --deployment-namespace=istio-system
2954 - --caCertFile=/etc/istio/certs/root-cert.pem
2955 - --tlsCertFile=/etc/istio/certs/cert-chain.pem
2956 - --tlsKeyFile=/etc/istio/certs/key.pem
2957 - --healthCheckInterval=2s
2958 - --healthCheckFile=/health
2959 - --webhook-config-file
2960 - /etc/istio/config/validatingwebhookconfiguration.yaml
2963 mountPath: /etc/istio/certs
2966 mountPath: /etc/istio/config
2971 - /usr/local/bin/galley
2973 - --probe-path=/health
2975 initialDelaySeconds: 4
2980 - /usr/local/bin/galley
2982 - --probe-path=/health
2984 initialDelaySeconds: 4
2993 secretName: istio.istio-galley-service-account
2996 name: istio-galley-configuration
2999 requiredDuringSchedulingIgnoredDuringExecution:
3002 - key: beta.kubernetes.io/arch
3008 preferredDuringSchedulingIgnoredDuringExecution:
3012 - key: beta.kubernetes.io/arch
3019 - key: beta.kubernetes.io/arch
3026 - key: beta.kubernetes.io/arch
3032 # Source: istio/charts/gateways/templates/deployment.yaml
3034 apiVersion: extensions/v1beta1
3037 name: istio-egressgateway
3038 namespace: istio-system
3041 chart: gateways-1.0.0
3042 release: RELEASE-NAME
3044 app: istio-egressgateway
3045 istio: egressgateway
3051 app: istio-egressgateway
3052 istio: egressgateway
3054 sidecar.istio.io/inject: "false"
3055 scheduler.alpha.kubernetes.io/critical-pod: ""
3057 serviceAccountName: istio-egressgateway-service-account
3059 - name: egressgateway
3060 image: "gcr.io/istio-release/proxyv2:1.0.0"
3061 imagePullPolicy: IfNotPresent
3064 - containerPort: 443
3070 - --discoveryRefreshDelay
3071 - '1s' #discoveryRefreshDelay
3073 - '45s' #drainDuration
3074 - --parentShutdownDuration
3075 - '1m0s' #parentShutdownDuration
3077 - '10s' #connectTimeout
3079 - istio-egressgateway
3082 - --statsdUdpAddress
3083 - istio-statsd-prom-bridge:9125
3086 - --controlPlaneAuthPolicy
3088 - --discoveryAddress
3089 - istio-pilot.istio-system:15005
3099 fieldPath: metadata.name
3100 - name: POD_NAMESPACE
3104 fieldPath: metadata.namespace
3109 fieldPath: status.podIP
3110 - name: ISTIO_META_POD_NAME
3113 fieldPath: metadata.name
3116 mountPath: /etc/certs
3118 - name: egressgateway-certs
3119 mountPath: "/etc/istio/egressgateway-certs"
3121 - name: egressgateway-ca-certs
3122 mountPath: "/etc/istio/egressgateway-ca-certs"
3127 secretName: istio.istio-egressgateway-service-account
3129 - name: egressgateway-certs
3131 secretName: "istio-egressgateway-certs"
3133 - name: egressgateway-ca-certs
3135 secretName: "istio-egressgateway-ca-certs"
3139 requiredDuringSchedulingIgnoredDuringExecution:
3142 - key: beta.kubernetes.io/arch
3148 preferredDuringSchedulingIgnoredDuringExecution:
3152 - key: beta.kubernetes.io/arch
3159 - key: beta.kubernetes.io/arch
3166 - key: beta.kubernetes.io/arch
3171 apiVersion: extensions/v1beta1
3174 name: istio-ingressgateway
3175 namespace: istio-system
3178 chart: gateways-1.0.0
3179 release: RELEASE-NAME
3181 app: istio-ingressgateway
3182 istio: ingressgateway
3188 app: istio-ingressgateway
3189 istio: ingressgateway
3191 sidecar.istio.io/inject: "false"
3192 scheduler.alpha.kubernetes.io/critical-pod: ""
3194 serviceAccountName: istio-ingressgateway-service-account
3196 - name: ingressgateway
3197 image: "gcr.io/istio-release/proxyv2:1.0.0"
3198 imagePullPolicy: IfNotPresent
3201 - containerPort: 443
3202 - containerPort: 31400
3203 - containerPort: 15011
3204 - containerPort: 8060
3205 - containerPort: 15030
3206 - containerPort: 15031
3212 - --discoveryRefreshDelay
3213 - '1s' #discoveryRefreshDelay
3215 - '45s' #drainDuration
3216 - --parentShutdownDuration
3217 - '1m0s' #parentShutdownDuration
3219 - '10s' #connectTimeout
3221 - istio-ingressgateway
3224 - --statsdUdpAddress
3225 - istio-statsd-prom-bridge:9125
3228 - --controlPlaneAuthPolicy
3230 - --discoveryAddress
3231 - istio-pilot.istio-system:15005
3241 fieldPath: metadata.name
3242 - name: POD_NAMESPACE
3246 fieldPath: metadata.namespace
3251 fieldPath: status.podIP
3252 - name: ISTIO_META_POD_NAME
3255 fieldPath: metadata.name
3258 mountPath: /etc/certs
3260 - name: ingressgateway-certs
3261 mountPath: "/etc/istio/ingressgateway-certs"
3263 - name: ingressgateway-ca-certs
3264 mountPath: "/etc/istio/ingressgateway-ca-certs"
3269 secretName: istio.istio-ingressgateway-service-account
3271 - name: ingressgateway-certs
3273 secretName: "istio-ingressgateway-certs"
3275 - name: ingressgateway-ca-certs
3277 secretName: "istio-ingressgateway-ca-certs"
3281 requiredDuringSchedulingIgnoredDuringExecution:
3284 - key: beta.kubernetes.io/arch
3290 preferredDuringSchedulingIgnoredDuringExecution:
3294 - key: beta.kubernetes.io/arch
3301 - key: beta.kubernetes.io/arch
3308 - key: beta.kubernetes.io/arch
3315 # Source: istio/charts/grafana/templates/deployment.yaml
3316 apiVersion: extensions/v1beta1
3320 namespace: istio-system
3323 chart: grafana-0.1.0
3324 release: RELEASE-NAME
3333 sidecar.istio.io/inject: "false"
3334 scheduler.alpha.kubernetes.io/critical-pod: ""
3338 image: "gcr.io/istio-release/grafana:1.0.0"
3339 imagePullPolicy: IfNotPresent
3341 - containerPort: 3000
3347 - name: GRAFANA_PORT
3349 - name: GF_AUTH_BASIC_ENABLED
3351 - name: GF_AUTH_ANONYMOUS_ENABLED
3353 - name: GF_AUTH_ANONYMOUS_ORG_ROLE
3355 - name: GF_PATHS_DATA
3356 value: /data/grafana
3363 mountPath: /data/grafana
3366 requiredDuringSchedulingIgnoredDuringExecution:
3369 - key: beta.kubernetes.io/arch
3375 preferredDuringSchedulingIgnoredDuringExecution:
3379 - key: beta.kubernetes.io/arch
3386 - key: beta.kubernetes.io/arch
3393 - key: beta.kubernetes.io/arch
3402 # Source: istio/charts/mixer/templates/deployment.yaml
3404 apiVersion: extensions/v1beta1
3408 namespace: istio-system
3411 release: RELEASE-NAME
3420 istio-mixer-type: policy
3422 sidecar.istio.io/inject: "false"
3423 scheduler.alpha.kubernetes.io/critical-pod: ""
3425 serviceAccountName: istio-mixer-service-account
3429 secretName: istio.istio-mixer-service-account
3435 requiredDuringSchedulingIgnoredDuringExecution:
3438 - key: beta.kubernetes.io/arch
3444 preferredDuringSchedulingIgnoredDuringExecution:
3448 - key: beta.kubernetes.io/arch
3455 - key: beta.kubernetes.io/arch
3462 - key: beta.kubernetes.io/arch
3468 image: "gcr.io/istio-release/mixer:1.0.0"
3469 imagePullPolicy: IfNotPresent
3471 - containerPort: 9093
3472 - containerPort: 42422
3475 - unix:///sock/mixer.socket
3476 - --configStoreURL=k8s://
3477 - --configDefaultNamespace=istio-system
3478 - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
3490 initialDelaySeconds: 5
3493 image: "gcr.io/istio-release/proxyv2:1.0.0"
3494 imagePullPolicy: IfNotPresent
3496 - containerPort: 9091
3497 - containerPort: 15004
3503 - /etc/istio/proxy/envoy_policy.yaml.tmpl
3504 - --controlPlaneAuthPolicy
3511 fieldPath: metadata.name
3512 - name: POD_NAMESPACE
3516 fieldPath: metadata.namespace
3521 fieldPath: status.podIP
3528 mountPath: /etc/certs
3534 apiVersion: extensions/v1beta1
3537 name: istio-telemetry
3538 namespace: istio-system
3541 release: RELEASE-NAME
3550 istio-mixer-type: telemetry
3552 sidecar.istio.io/inject: "false"
3553 scheduler.alpha.kubernetes.io/critical-pod: ""
3555 serviceAccountName: istio-mixer-service-account
3559 secretName: istio.istio-mixer-service-account
3565 image: "gcr.io/istio-release/mixer:1.0.0"
3566 imagePullPolicy: IfNotPresent
3568 - containerPort: 9093
3569 - containerPort: 42422
3572 - unix:///sock/mixer.socket
3573 - --configStoreURL=k8s://
3574 - --configDefaultNamespace=istio-system
3575 - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
3587 initialDelaySeconds: 5
3590 image: "gcr.io/istio-release/proxyv2:1.0.0"
3591 imagePullPolicy: IfNotPresent
3593 - containerPort: 9091
3594 - containerPort: 15004
3600 - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
3601 - --controlPlaneAuthPolicy
3608 fieldPath: metadata.name
3609 - name: POD_NAMESPACE
3613 fieldPath: metadata.namespace
3618 fieldPath: status.podIP
3625 mountPath: /etc/certs
3633 # Source: istio/charts/pilot/templates/deployment.yaml
3634 apiVersion: extensions/v1beta1
3638 namespace: istio-system
3639 # TODO: the default template doesn't have this; which one is correct?
3643 release: RELEASE-NAME
3647 checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9
3656 sidecar.istio.io/inject: "false"
3657 scheduler.alpha.kubernetes.io/critical-pod: ""
3659 serviceAccountName: istio-pilot-service-account
3662 image: "gcr.io/istio-release/pilot:1.0.0"
3663 imagePullPolicy: IfNotPresent
3667 - containerPort: 8080
3668 - containerPort: 15010
3671 path: /debug/endpointz
3673 initialDelaySeconds: 30
3681 fieldPath: metadata.name
3682 - name: POD_NAMESPACE
3686 fieldPath: metadata.namespace
3687 - name: PILOT_THROTTLE
3689 - name: PILOT_CACHE_SQUASH
3691 - name: PILOT_TRACE_SAMPLING
3699 - name: config-volume
3700 mountPath: /etc/istio/config
3702 mountPath: /etc/certs
3705 image: "gcr.io/istio-release/proxyv2:1.0.0"
3706 imagePullPolicy: IfNotPresent
3708 - containerPort: 15003
3709 - containerPort: 15005
3710 - containerPort: 15007
3711 - containerPort: 15011
3717 - /etc/istio/proxy/envoy_pilot.yaml.tmpl
3718 - --controlPlaneAuthPolicy
3725 fieldPath: metadata.name
3726 - name: POD_NAMESPACE
3730 fieldPath: metadata.namespace
3735 fieldPath: status.podIP
3742 mountPath: /etc/certs
3745 - name: config-volume
3750 secretName: istio.istio-pilot-service-account
3753 requiredDuringSchedulingIgnoredDuringExecution:
3756 - key: beta.kubernetes.io/arch
3762 preferredDuringSchedulingIgnoredDuringExecution:
3766 - key: beta.kubernetes.io/arch
3773 - key: beta.kubernetes.io/arch
3780 - key: beta.kubernetes.io/arch
3786 # Source: istio/charts/prometheus/templates/deployment.yaml
3787 # TODO: the original template also defines a service account, roles, etc.
3788 apiVersion: extensions/v1beta1
3792 namespace: istio-system
3795 chart: prometheus-0.1.0
3796 release: RELEASE-NAME
3808 sidecar.istio.io/inject: "false"
3809 scheduler.alpha.kubernetes.io/critical-pod: ""
3811 serviceAccountName: prometheus
3814 image: "docker.io/prom/prometheus:v2.3.1"
3815 imagePullPolicy: IfNotPresent
3817 - '--storage.tsdb.retention=6h'
3818 - '--config.file=/etc/prometheus/prometheus.yml'
3820 - containerPort: 9090
3835 - name: config-volume
3836 mountPath: /etc/prometheus
3838 - name: config-volume
3843 requiredDuringSchedulingIgnoredDuringExecution:
3846 - key: beta.kubernetes.io/arch
3852 preferredDuringSchedulingIgnoredDuringExecution:
3856 - key: beta.kubernetes.io/arch
3863 - key: beta.kubernetes.io/arch
3870 - key: beta.kubernetes.io/arch
3876 # Source: istio/charts/security/templates/deployment.yaml
3877 # Istio CA (Citadel), watching all namespaces
3878 apiVersion: extensions/v1beta1
3882 namespace: istio-system
3885 chart: security-1.0.0
3886 release: RELEASE-NAME
3896 sidecar.istio.io/inject: "false"
3897 scheduler.alpha.kubernetes.io/critical-pod: ""
# Runs under the service account bound to istio-citadel-istio-system above
# (cluster-wide Secret create/update/delete).
3899 serviceAccountName: istio-citadel-service-account
3902 image: "gcr.io/istio-release/citadel:1.0.0"
3903 imagePullPolicy: IfNotPresent
# Presumably adds DNS SANs to the certificates Citadel issues — confirm.
3905 - --append-dns-names=true
3907 - --grpc-hostname=citadel
3908 - --citadel-storage-namespace=istio-system
# NOTE(review): with a self-signed CA, Citadel generates the mesh root itself;
# the root key presumably lands in the storage namespace above — verify, and
# treat that material (and the istio-system namespace) as the mesh's trust
# root. Production installs usually supply an externally managed root instead.
3909 - --self-signed-ca=true
3916 requiredDuringSchedulingIgnoredDuringExecution:
3919 - key: beta.kubernetes.io/arch
3925 preferredDuringSchedulingIgnoredDuringExecution:
3929 - key: beta.kubernetes.io/arch
3936 - key: beta.kubernetes.io/arch
3943 - key: beta.kubernetes.io/arch
3949 # Source: istio/charts/servicegraph/templates/deployment.yaml
3950 apiVersion: extensions/v1beta1
3954 namespace: istio-system
3957 chart: servicegraph-0.1.0
3958 release: RELEASE-NAME
3967 sidecar.istio.io/inject: "false"
3968 scheduler.alpha.kubernetes.io/critical-pod: ""
3971 - name: servicegraph
3972 image: "gcr.io/istio-release/servicegraph:1.0.0"
3973 imagePullPolicy: IfNotPresent
3975 - containerPort: 8088
3977 - --prometheusAddr=http://prometheus:9090
3992 requiredDuringSchedulingIgnoredDuringExecution:
3995 - key: beta.kubernetes.io/arch
4001 preferredDuringSchedulingIgnoredDuringExecution:
4005 - key: beta.kubernetes.io/arch
4012 - key: beta.kubernetes.io/arch
4019 - key: beta.kubernetes.io/arch
4025 # Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
4026 apiVersion: extensions/v1beta1
4029 name: istio-sidecar-injector
4030 namespace: istio-system
4032 app: sidecarInjectorWebhook
4033 chart: sidecarInjectorWebhook-1.0.0
4034 release: RELEASE-NAME
4036 istio: sidecar-injector
4042 istio: sidecar-injector
4044 sidecar.istio.io/inject: "false"
4045 scheduler.alpha.kubernetes.io/critical-pod: ""
4047 serviceAccountName: istio-sidecar-injector-service-account
4049 - name: sidecar-injector-webhook
4050 image: "gcr.io/istio-release/sidecar_injector:1.0.0"
4051 imagePullPolicy: IfNotPresent
4053 - --caCertFile=/etc/istio/certs/root-cert.pem
4054 - --tlsCertFile=/etc/istio/certs/cert-chain.pem
4055 - --tlsKeyFile=/etc/istio/certs/key.pem
4056 - --injectConfig=/etc/istio/inject/config
4057 - --meshConfig=/etc/istio/config/mesh
4058 - --healthCheckInterval=2s
4059 - --healthCheckFile=/health
4061 - name: config-volume
4062 mountPath: /etc/istio/config
4065 mountPath: /etc/istio/certs
4067 - name: inject-config
4068 mountPath: /etc/istio/inject
4073 - /usr/local/bin/sidecar-injector
4075 - --probe-path=/health
4077 initialDelaySeconds: 4
4082 - /usr/local/bin/sidecar-injector
4084 - --probe-path=/health
4086 initialDelaySeconds: 4
4093 - name: config-volume
4098 secretName: istio.istio-sidecar-injector-service-account
4099 - name: inject-config
4101 name: istio-sidecar-injector
4107 requiredDuringSchedulingIgnoredDuringExecution:
4110 - key: beta.kubernetes.io/arch
4116 preferredDuringSchedulingIgnoredDuringExecution:
4120 - key: beta.kubernetes.io/arch
4127 - key: beta.kubernetes.io/arch
4134 - key: beta.kubernetes.io/arch
4140 # Source: istio/charts/tracing/templates/deployment.yaml
4141 apiVersion: extensions/v1beta1
4145 namespace: istio-system
4148 chart: tracing-0.1.0
4149 release: RELEASE-NAME
4158 sidecar.istio.io/inject: "false"
4159 scheduler.alpha.kubernetes.io/critical-pod: ""
4163 image: "docker.io/jaegertracing/all-in-one:1.5"
4164 imagePullPolicy: IfNotPresent
4166 - containerPort: 9411
4167 - containerPort: 16686
4168 - containerPort: 5775
4170 - containerPort: 6831
4172 - containerPort: 6832
4175 - name: POD_NAMESPACE
4179 fieldPath: metadata.namespace
4180 - name: COLLECTOR_ZIPKIN_HTTP_PORT
4182 - name: MEMORY_MAX_TRACES
4198 requiredDuringSchedulingIgnoredDuringExecution:
4201 - key: beta.kubernetes.io/arch
4207 preferredDuringSchedulingIgnoredDuringExecution:
4211 - key: beta.kubernetes.io/arch
4218 - key: beta.kubernetes.io/arch
4225 - key: beta.kubernetes.io/arch
4231 # Source: istio/charts/pilot/templates/gateway.yaml
4232 apiVersion: networking.istio.io/v1alpha3
4235 name: istio-autogenerated-k8s-ingress
4236 namespace: istio-system
4251 # Source: istio/charts/gateways/templates/autoscale.yaml
4253 apiVersion: autoscaling/v2beta1
4254 kind: HorizontalPodAutoscaler
4256 name: istio-egressgateway
4257 namespace: istio-system
4262 apiVersion: apps/v1beta1
4264 name: istio-egressgateway
4269 targetAverageUtilization: 60
4271 apiVersion: autoscaling/v2beta1
4272 kind: HorizontalPodAutoscaler
4274 name: istio-ingressgateway
4275 namespace: istio-system
4280 apiVersion: apps/v1beta1
4282 name: istio-ingressgateway
4287 targetAverageUtilization: 60
4291 # Source: istio/charts/mixer/templates/autoscale.yaml
4293 apiVersion: autoscaling/v2beta1
4294 kind: HorizontalPodAutoscaler
4297 namespace: istio-system
4302 apiVersion: apps/v1beta1
4309 targetAverageUtilization: 80
4311 apiVersion: autoscaling/v2beta1
4312 kind: HorizontalPodAutoscaler
4314 name: istio-telemetry
4315 namespace: istio-system
4320 apiVersion: apps/v1beta1
4322 name: istio-telemetry
4327 targetAverageUtilization: 80
4331 # Source: istio/charts/pilot/templates/autoscale.yaml
4333 apiVersion: autoscaling/v2beta1
4334 kind: HorizontalPodAutoscaler
4341 apiVersion: apps/v1beta1
4348 targetAverageUtilization: 55
4352 # Source: istio/charts/tracing/templates/service-jaeger.yaml
4362 namespace: istio-system
4366 jaeger-infra: jaeger-service
4367 chart: tracing-0.1.0
4368 release: RELEASE-NAME
4383 name: jaeger-collector
4384 namespace: istio-system
4387 jaeger-infra: collector-service
4388 chart: tracing-0.1.0
4389 release: RELEASE-NAME
4393 - name: jaeger-collector-tchannel
4397 - name: jaeger-collector-http
4408 namespace: istio-system
4411 jaeger-infra: agent-service
4412 chart: tracing-0.1.0
4413 release: RELEASE-NAME
4417 - name: agent-zipkin-thrift
4421 - name: agent-compact
4425 - name: agent-binary
4436 # Source: istio/charts/tracing/templates/service.yaml
4444 namespace: istio-system
4447 chart: tracing-0.1.0
4448 release: RELEASE-NAME
4463 namespace: istio-system
4467 chart: tracing-0.1.0
4468 release: RELEASE-NAME
4480 # Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
4481 apiVersion: admissionregistration.k8s.io/v1beta1
4482 kind: MutatingWebhookConfiguration
# MutatingWebhookConfiguration is cluster-scoped; the namespace below is
# metadata the API server ignores — the webhook itself applies cluster-wide.
4484 name: istio-sidecar-injector
4485 namespace: istio-system
4487 app: istio-sidecar-injector
4488 chart: sidecarInjectorWebhook-1.0.0
4489 release: RELEASE-NAME
4492 - name: sidecar-injector.istio.io
# Presumably the webhook's clientConfig: the API server calls the
# istio-sidecar-injector Service in istio-system (defined above).
4495 name: istio-sidecar-injector
4496 namespace: istio-system
# Injection runs on pod CREATE only, so existing pods are not retrofitted and
# pod UPDATEs are not re-evaluated.
4500 - operations: [ "CREATE" ]
# Presumably the namespaceSelector: only namespaces labelled
# istio-injection=enabled get sidecars. Control-plane pods above opt out
# per-pod via sidecar.istio.io/inject: "false". An admission mutator has broad
# reach, so the injector's inject-config ConfigMap (istio-sidecar-injector) and
# this selector deserve the same guarding as the RBAC objects above.
4507 istio-injection: enabled
4511 # Source: istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl
4515 # Source: istio/charts/grafana/templates/grafana-ports-mtls.yaml
4519 # Source: istio/charts/grafana/templates/secret.yaml
4522 # Source: istio/charts/pilot/templates/meshexpansion.yaml
4526 # Source: istio/charts/security/templates/enable-mesh-mtls.yaml
4530 # Source: istio/charts/security/templates/meshexpansion.yaml
4536 # Source: istio/charts/servicegraph/templates/ingress.yaml
4539 # Source: istio/charts/telemetry-gateway/templates/gateway.yaml
4543 # Source: istio/charts/tracing/templates/ingress-jaeger.yaml
4546 # Source: istio/charts/tracing/templates/ingress.yaml
4549 # Source: istio/templates/install-custom-resources.sh.tpl
4553 # Source: istio/charts/mixer/templates/config.yaml
4554 apiVersion: "config.istio.io/v1alpha2"
4555 kind: attributemanifest
4558 namespace: istio-system
4562 valueType: IP_ADDRESS
4568 valueType: STRING_MAP
4588 valueType: TIMESTAMP
4596 valueType: STRING_MAP
4597 response.total_size:
4602 valueType: TIMESTAMP
4605 source.user: # DEPRECATED
4611 destination.principal:
4619 connection.received.bytes:
4621 connection.received.bytes_total:
4623 connection.sent.bytes:
4625 connection.sent.bytes_total:
4627 connection.duration:
4634 valueType: TIMESTAMP
4636 valueType: TIMESTAMP
4637 # Deprecated, kept for compatibility
4638 context.reporter.local:
4640 context.reporter.kind:
4642 context.reporter.uid:
4652 request.auth.principal:
4654 request.auth.audiences:
4656 request.auth.presenter:
4658 request.auth.claims:
4659 valueType: STRING_MAP
4660 request.auth.raw_claims:
4666 apiVersion: "config.istio.io/v1alpha2"
4667 kind: attributemanifest
4670 namespace: istio-system
4674 valueType: IP_ADDRESS
4676 valueType: STRING_MAP
4678 valueType: STRING_MAP
4685 source.service: # DEPRECATED
4687 source.serviceAccount:
4691 source.workload.uid:
4693 source.workload.name:
4695 source.workload.namespace:
4698 valueType: IP_ADDRESS
4700 valueType: STRING_MAP
4701 destination.metadata:
4702 valueType: STRING_MAP
4707 destination.container.name:
4709 destination.namespace:
4711 destination.service: # DEPRECATED
4713 destination.service.uid:
4715 destination.service.name:
4717 destination.service.namespace:
4719 destination.service.host:
4721 destination.serviceAccount:
4723 destination.workload.uid:
4725 destination.workload.name:
4727 destination.workload.namespace:
4730 apiVersion: "config.istio.io/v1alpha2"
4734 namespace: istio-system
4738 apiVersion: "config.istio.io/v1alpha2"
4742 namespace: istio-system
4745 timestamp: request.time
4747 sourceIp: source.ip | ip("0.0.0.0")
4748 sourceApp: source.labels["app"] | ""
4749 sourcePrincipal: source.principal | ""
4750 sourceName: source.name | ""
4751 sourceWorkload: source.workload.name | ""
4752 sourceNamespace: source.namespace | ""
4753 sourceOwner: source.owner | ""
4754 destinationApp: destination.labels["app"] | ""
4755 destinationIp: destination.ip | ip("0.0.0.0")
4756 destinationServiceHost: destination.service.host | ""
4757 destinationWorkload: destination.workload.name | ""
4758 destinationName: destination.name | ""
4759 destinationNamespace: destination.namespace | ""
4760 destinationOwner: destination.owner | ""
4761 destinationPrincipal: destination.principal | ""
4762 apiClaims: request.auth.raw_claims | ""
4763 apiKey: request.api_key | request.headers["x-api-key"] | ""
4764 protocol: request.scheme | context.protocol | "http"
4765 method: request.method | ""
4766 url: request.path | ""
4767 responseCode: response.code | 0
4768 responseSize: response.size | 0
4769 requestSize: request.size | 0
4770 requestId: request.headers["x-request-id"] | ""
4771 clientTraceId: request.headers["x-client-trace-id"] | ""
4772 latency: response.duration | "0ms"
4773 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4774 userAgent: request.useragent | ""
4775 responseTimestamp: response.time
4776 receivedBytes: request.total_size | 0
4777 sentBytes: response.total_size | 0
4778 referer: request.referer | ""
4779 httpAuthority: request.headers[":authority"] | request.host | ""
4780 xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
4781 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
4782 monitored_resource_type: '"global"'
4784 apiVersion: "config.istio.io/v1alpha2"
4788 namespace: istio-system
4791 timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
4793 connectionEvent: connection.event | ""
4794 sourceIp: source.ip | ip("0.0.0.0")
4795 sourceApp: source.labels["app"] | ""
4796 sourcePrincipal: source.principal | ""
4797 sourceName: source.name | ""
4798 sourceWorkload: source.workload.name | ""
4799 sourceNamespace: source.namespace | ""
4800 sourceOwner: source.owner | ""
4801 destinationApp: destination.labels["app"] | ""
4802 destinationIp: destination.ip | ip("0.0.0.0")
4803 destinationServiceHost: destination.service.host | ""
4804 destinationWorkload: destination.workload.name | ""
4805 destinationName: destination.name | ""
4806 destinationNamespace: destination.namespace | ""
4807 destinationOwner: destination.owner | ""
4808 destinationPrincipal: destination.principal | ""
4809 protocol: context.protocol | "tcp"
4810 connectionDuration: connection.duration | "0ms"
4811 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4812 receivedBytes: connection.received.bytes | 0
4813 sentBytes: connection.sent.bytes | 0
4814 totalReceivedBytes: connection.received.bytes_total | 0
4815 totalSentBytes: connection.sent.bytes_total | 0
4816 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
4817 monitored_resource_type: '"global"'
4819 apiVersion: "config.istio.io/v1alpha2"
4823 namespace: istio-system
4825 match: context.protocol == "http" || context.protocol == "grpc"
4827 - handler: handler.stdio
4829 - accesslog.logentry
4831 apiVersion: "config.istio.io/v1alpha2"
4835 namespace: istio-system
4837 match: context.protocol == "tcp"
4839 - handler: handler.stdio
4841 - tcpaccesslog.logentry
4843 apiVersion: "config.istio.io/v1alpha2"
4847 namespace: istio-system
4851 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
4852 source_workload: source.workload.name | "unknown"
4853 source_workload_namespace: source.workload.namespace | "unknown"
4854 source_principal: source.principal | "unknown"
4855 source_app: source.labels["app"] | "unknown"
4856 source_version: source.labels["version"] | "unknown"
4857 destination_workload: destination.workload.name | "unknown"
4858 destination_workload_namespace: destination.workload.namespace | "unknown"
4859 destination_principal: destination.principal | "unknown"
4860 destination_app: destination.labels["app"] | "unknown"
4861 destination_version: destination.labels["version"] | "unknown"
4862 destination_service: destination.service.host | "unknown"
4863 destination_service_name: destination.service.name | "unknown"
4864 destination_service_namespace: destination.service.namespace | "unknown"
4865 request_protocol: api.protocol | context.protocol | "unknown"
4866 response_code: response.code | 200
4867 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4868 monitored_resource_type: '"UNSPECIFIED"'
4870 apiVersion: "config.istio.io/v1alpha2"
4873 name: requestduration
4874 namespace: istio-system
4876 value: response.duration | "0ms"
4878 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
4879 source_workload: source.workload.name | "unknown"
4880 source_workload_namespace: source.workload.namespace | "unknown"
4881 source_principal: source.principal | "unknown"
4882 source_app: source.labels["app"] | "unknown"
4883 source_version: source.labels["version"] | "unknown"
4884 destination_workload: destination.workload.name | "unknown"
4885 destination_workload_namespace: destination.workload.namespace | "unknown"
4886 destination_principal: destination.principal | "unknown"
4887 destination_app: destination.labels["app"] | "unknown"
4888 destination_version: destination.labels["version"] | "unknown"
4889 destination_service: destination.service.host | "unknown"
4890 destination_service_name: destination.service.name | "unknown"
4891 destination_service_namespace: destination.service.namespace | "unknown"
4892 request_protocol: api.protocol | context.protocol | "unknown"
4893 response_code: response.code | 200
4894 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4895 monitored_resource_type: '"UNSPECIFIED"'
4897 apiVersion: "config.istio.io/v1alpha2"
4901 namespace: istio-system
4903 value: request.size | 0
4905 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
4906 source_workload: source.workload.name | "unknown"
4907 source_workload_namespace: source.workload.namespace | "unknown"
4908 source_principal: source.principal | "unknown"
4909 source_app: source.labels["app"] | "unknown"
4910 source_version: source.labels["version"] | "unknown"
4911 destination_workload: destination.workload.name | "unknown"
4912 destination_workload_namespace: destination.workload.namespace | "unknown"
4913 destination_principal: destination.principal | "unknown"
4914 destination_app: destination.labels["app"] | "unknown"
4915 destination_version: destination.labels["version"] | "unknown"
4916 destination_service: destination.service.host | "unknown"
4917 destination_service_name: destination.service.name | "unknown"
4918 destination_service_namespace: destination.service.namespace | "unknown"
4919 request_protocol: api.protocol | context.protocol | "unknown"
4920 response_code: response.code | 200
4921 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4922 monitored_resource_type: '"UNSPECIFIED"'
4924 apiVersion: "config.istio.io/v1alpha2"
4928 namespace: istio-system
4930 value: response.size | 0
4932 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
4933 source_workload: source.workload.name | "unknown"
4934 source_workload_namespace: source.workload.namespace | "unknown"
4935 source_principal: source.principal | "unknown"
4936 source_app: source.labels["app"] | "unknown"
4937 source_version: source.labels["version"] | "unknown"
4938 destination_workload: destination.workload.name | "unknown"
4939 destination_workload_namespace: destination.workload.namespace | "unknown"
4940 destination_principal: destination.principal | "unknown"
4941 destination_app: destination.labels["app"] | "unknown"
4942 destination_version: destination.labels["version"] | "unknown"
4943 destination_service: destination.service.host | "unknown"
4944 destination_service_name: destination.service.name | "unknown"
4945 destination_service_namespace: destination.service.namespace | "unknown"
4946 request_protocol: api.protocol | context.protocol | "unknown"
4947 response_code: response.code | 200
4948 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4949 monitored_resource_type: '"UNSPECIFIED"'
4951 apiVersion: "config.istio.io/v1alpha2"
# Mixer metric instance whose value is connection.sent.bytes; judging by the
# Prometheus handler mapping further down (tcpbytesent.metric.istio-system) this
# appears to be the instance named tcpbytesent — name line not visible here, confirm.
4955 namespace: istio-system
4957 value: connection.sent.bytes | 0
4959 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
4960 source_workload: source.workload.name | "unknown"
4961 source_workload_namespace: source.workload.namespace | "unknown"
4962 source_principal: source.principal | "unknown"
4963 source_app: source.labels["app"] | "unknown"
4964 source_version: source.labels["version"] | "unknown"
4965 destination_workload: destination.workload.name | "unknown"
4966 destination_workload_namespace: destination.workload.namespace | "unknown"
4967 destination_principal: destination.principal | "unknown"
4968 destination_app: destination.labels["app"] | "unknown"
4969 destination_version: destination.labels["version"] | "unknown"
# NOTE(review): the HTTP metric instances (requestcount, requestduration,
# requestsize, responsesize) fill destination_service from destination.service.host,
# while this TCP instance uses destination.service.name. The Prometheus handler
# exposes the same destination_service label on both families, so dashboards
# and alerts keyed on that label see a short name for TCP traffic and an FQDN
# for HTTP traffic — confirm whether this is intended or should be .host.
4970 destination_service: destination.service.name | "unknown"
4971 destination_service_name: destination.service.name | "unknown"
4972 destination_service_namespace: destination.service.namespace | "unknown"
# No mTLS at the source-side reporter: the outer conditional reports "unknown"
# for outbound reports, otherwise connection.mtls decides between mutual_tls/none.
4973 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4974 monitored_resource_type: '"UNSPECIFIED"'
4976 apiVersion: "config.istio.io/v1alpha2"
# Mixer metric instance tcpbytereceived: value is connection.received.bytes,
# labelled with the same source/destination dimensions as the HTTP instances.
4979 name: tcpbytereceived
4980 namespace: istio-system
4982 value: connection.received.bytes | 0
4984 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
4985 source_workload: source.workload.name | "unknown"
4986 source_workload_namespace: source.workload.namespace | "unknown"
4987 source_principal: source.principal | "unknown"
4988 source_app: source.labels["app"] | "unknown"
4989 source_version: source.labels["version"] | "unknown"
4990 destination_workload: destination.workload.name | "unknown"
4991 destination_workload_namespace: destination.workload.namespace | "unknown"
4992 destination_principal: destination.principal | "unknown"
4993 destination_app: destination.labels["app"] | "unknown"
4994 destination_version: destination.labels["version"] | "unknown"
# NOTE(review): destination_service here is destination.service.name, whereas the
# HTTP metric instances use destination.service.host for the same Prometheus label;
# the label value therefore differs in form (short name vs FQDN) between TCP and
# HTTP series — confirm whether .host was intended.
4995 destination_service: destination.service.name | "unknown"
4996 destination_service_name: destination.service.name | "unknown"
4997 destination_service_namespace: destination.service.namespace | "unknown"
# Reported as "unknown" from the outbound (source-side) reporter; otherwise
# connection.mtls (defaulting to false) selects mutual_tls or none.
4998 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
4999 monitored_resource_type: '"UNSPECIFIED"'
5001 apiVersion: "config.istio.io/v1alpha2"
5005 namespace: istio-system
5008 - name: requests_total
5009 instance_name: requestcount.metric.istio-system
5016 - source_workload_namespace
5019 - destination_principal
5020 - destination_workload
5021 - destination_workload_namespace
5022 - destination_version
5023 - destination_service
5024 - destination_service_name
5025 - destination_service_namespace
5028 - connection_security_policy
5029 - name: request_duration_seconds
5030 instance_name: requestduration.metric.istio-system
5037 - source_workload_namespace
5040 - destination_principal
5041 - destination_workload
5042 - destination_workload_namespace
5043 - destination_version
5044 - destination_service
5045 - destination_service_name
5046 - destination_service_namespace
5049 - connection_security_policy
5052 bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
5053 - name: request_bytes
5054 instance_name: requestsize.metric.istio-system
5061 - source_workload_namespace
5064 - destination_principal
5065 - destination_workload
5066 - destination_workload_namespace
5067 - destination_version
5068 - destination_service
5069 - destination_service_name
5070 - destination_service_namespace
5073 - connection_security_policy
5079 - name: response_bytes
5080 instance_name: responsesize.metric.istio-system
5087 - source_workload_namespace
5090 - destination_principal
5091 - destination_workload
5092 - destination_workload_namespace
5093 - destination_version
5094 - destination_service
5095 - destination_service_name
5096 - destination_service_namespace
5099 - connection_security_policy
5105 - name: tcp_sent_bytes_total
5106 instance_name: tcpbytesent.metric.istio-system
5113 - source_workload_namespace
5116 - destination_principal
5117 - destination_workload
5118 - destination_workload_namespace
5119 - destination_version
5120 - destination_service
5121 - destination_service_name
5122 - destination_service_namespace
5123 - connection_security_policy
5124 - name: tcp_received_bytes_total
5125 instance_name: tcpbytereceived.metric.istio-system
5132 - source_workload_namespace
5135 - destination_principal
5136 - destination_workload
5137 - destination_workload_namespace
5138 - destination_version
5139 - destination_service
5140 - destination_service_name
5141 - destination_service_namespace
5142 - connection_security_policy
5144 apiVersion: "config.istio.io/v1alpha2"
5148 namespace: istio-system
5150 match: context.protocol == "http" || context.protocol == "grpc"
5152 - handler: handler.prometheus
5154 - requestcount.metric
5155 - requestduration.metric
5156 - requestsize.metric
5157 - responsesize.metric
5159 apiVersion: "config.istio.io/v1alpha2"
5163 namespace: istio-system
5165 match: context.protocol == "tcp"
5167 - handler: handler.prometheus
5169 - tcpbytesent.metric
5170 - tcpbytereceived.metric
5173 apiVersion: "config.istio.io/v1alpha2"
5177 namespace: istio-system
5179 # When running from the mixer root, use the following config after adding a
5180 # symbolic link to a Kubernetes config file via:
5182 # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
5184 # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
5187 apiVersion: "config.istio.io/v1alpha2"
5190 name: kubeattrgenrulerule
5191 namespace: istio-system
5194 - handler: handler.kubernetesenv
5196 - attributes.kubernetes
5198 apiVersion: "config.istio.io/v1alpha2"
5201 name: tcpkubeattrgenrulerule
5202 namespace: istio-system
5204 match: context.protocol == "tcp"
5206 - handler: handler.kubernetesenv
5208 - attributes.kubernetes
5210 apiVersion: "config.istio.io/v1alpha2"
5214 namespace: istio-system
5216 # Pass the required attribute data to the adapter
5217 source_uid: source.uid | ""
5218 source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
5219 destination_uid: destination.uid | ""
5220 destination_port: destination.port | 0
5222 # Fill the new attributes from the adapter produced output.
5223 # $out refers to an instance of OutputTemplate message
5224 source.ip: $out.source_pod_ip | ip("0.0.0.0")
5225 source.uid: $out.source_pod_uid | "unknown"
5226 source.labels: $out.source_labels | emptyStringMap()
5227 source.name: $out.source_pod_name | "unknown"
5228 source.namespace: $out.source_namespace | "default"
5229 source.owner: $out.source_owner | "unknown"
5230 source.serviceAccount: $out.source_service_account_name | "unknown"
5231 source.workload.uid: $out.source_workload_uid | "unknown"
5232 source.workload.name: $out.source_workload_name | "unknown"
5233 source.workload.namespace: $out.source_workload_namespace | "unknown"
5234 destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
5235 destination.uid: $out.destination_pod_uid | "unknown"
5236 destination.labels: $out.destination_labels | emptyStringMap()
5237 destination.name: $out.destination_pod_name | "unknown"
5238 destination.container.name: $out.destination_container_name | "unknown"
5239 destination.namespace: $out.destination_namespace | "default"
5240 destination.owner: $out.destination_owner | "unknown"
5241 destination.serviceAccount: $out.destination_service_account_name | "unknown"
5242 destination.workload.uid: $out.destination_workload_uid | "unknown"
5243 destination.workload.name: $out.destination_workload_name | "unknown"
5244 destination.workload.namespace: $out.destination_workload_namespace | "unknown"
5247 # Configuration needed by Mixer.
5248 # The Mixer cluster is delivered via CDS;
5249 # the settings below specify the Mixer cluster configuration.
5250 apiVersion: networking.istio.io/v1alpha3
5251 kind: DestinationRule
5254 namespace: istio-system
5256 host: istio-policy.istio-system.svc.cluster.local
5265 http2MaxRequests: 10000
5266 maxRequestsPerConnection: 10000
5268 apiVersion: networking.istio.io/v1alpha3
5269 kind: DestinationRule
5271 name: istio-telemetry
5272 namespace: istio-system
5274 host: istio-telemetry.istio-system.svc.cluster.local
5283 http2MaxRequests: 10000
5284 maxRequestsPerConnection: 10000