1
# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs.
# CustomResourceDefinition for the Istio WasmPlugin API
# (wasmplugins.extensions.istio.io).
# NOTE(review): the bare integers between lines look like viewer line numbers,
# and the gaps in them suggest that lines (and all indentation) are missing
# from this listing, so it is not loadable YAML as shown.
2
apiVersion: apiextensions.k8s.io/v1
3
kind: CustomResourceDefinition
6
# Helm annotation: the resource is left in the cluster when the release that
# installed it is uninstalled.
"helm.sh/resource-policy": keep
12
name: wasmplugins.extensions.istio.io
14
group: extensions.istio.io
20
listKind: WasmPluginList
25
- additionalPrinterColumns:
26
- description: 'CreationTimestamp is a timestamp representing the server time
27
when this object was created. It is not guaranteed to be set in happens-before
28
order across separate operations. Clients may not set this value. It is represented
29
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
30
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
31
jsonPath: .metadata.creationTimestamp
39
description: 'Extend the functionality provided by the Istio proxy through
40
WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
44
Specifies the failure behavior for the plugin due to fatal errors.
46
Valid Options: FAIL_CLOSE, FAIL_OPEN
53
The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`.
55
Valid Options: IfNotPresent, Always
62
description: Credentials to use for OCI image pulling.
67
description: Specifies the criteria to determine which traffic is
73
Criteria for selecting traffic by their direction.
75
Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER
83
description: Criteria for selecting traffic by their destination
95
# List treated as a map: entries are identified by the key fields named under
# x-kubernetes-list-map-keys (the key names themselves are not shown here).
x-kubernetes-list-map-keys:
97
x-kubernetes-list-type: map
102
Determines where in the filter chain this `WasmPlugin` is to be injected.
104
Valid Options: AUTHN, AUTHZ, STATS
112
description: The configuration that will be passed on to the plugin.
114
# Unknown fields under this node are kept rather than pruned, so this schema
# does not constrain their content.
# NOTE(review): presumably this applies to the plugin configuration described
# just above; the lines in between are not shown, so confirm.
x-kubernetes-preserve-unknown-fields: true
116
description: The plugin name to be used in the Envoy configuration
117
(used to be called `rootID`).
122
description: Determines ordering of `WasmPlugins` in the same `phase`.
126
description: Criteria used to select the specific set of pods/VMs
127
on which this plugin configuration should be applied.
130
additionalProperties:
132
description: One or more labels that indicate a specific set of
133
pods/VMs on which a policy should be applied.
137
description: SHA256 checksum that will be used to verify Wasm module
139
# Accepts either the empty string or exactly 64 lowercase hex characters;
# an uppercase digest does not match.
# NOTE(review): an empty value presumably means no checksum is enforced for
# the fetched module; confirm, and prefer a pinned digest in manifests.
pattern: (^$|^[a-f0-9]{64}$)
142
description: Optional.
145
description: group is the group of the target resource.
148
description: kind is kind of the target resource.
151
description: name is the name of the target resource.
154
description: namespace is the namespace of the referent.
159
Specifies the type of Wasm Extension to be used.
161
Valid Options: HTTP, NETWORK
163
- UNSPECIFIED_PLUGIN_TYPE
168
description: URL of a Wasm module or OCI container.
171
# CEL rule limiting the url scheme to http, https, oci, file, or no scheme
# (a value that is not a URL is re-checked with 'http://' prepended).
# Plain http and file are accepted, so this schema does not enforce transport
# security for the module fetch.
# NOTE(review): the rule text is cut off in this listing; whether an http
# fetch is integrity-checked presumably depends on the sha256 field - confirm.
x-kubernetes-validations:
172
- message: url must have schema one of [http, https, file, oci]
173
rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'',
174
''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) &&
175
url(''http://'' +self).getScheme() in ['''', ''http'', ''https'',
180
description: Configuration for a Wasm VM.
183
description: Specifies environment variables to be injected to
188
description: Name of the environment variable.
193
description: Value for the environment variable.
198
Source for the environment variable's value.
200
Valid Options: INLINE, HOST
208
# CEL rule tying `value` to `valueFrom`: per the message, a literal value is
# only allowed when valueFrom is INLINE (a missing valueFrom is read as '').
# NOTE(review): the rule text is cut off in this listing.
x-kubernetes-validations:
209
- message: value may only be set when valueFrom is INLINE
210
rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST''
214
x-kubernetes-list-map-keys:
216
x-kubernetes-list-type: map
223
# Second node that keeps unknown fields instead of pruning them.
# NOTE(review): its parent key is not shown in this listing.
x-kubernetes-preserve-unknown-fields: true
232
apiVersion: apiextensions.k8s.io/v1
233
kind: CustomResourceDefinition
236
"helm.sh/resource-policy": keep
242
name: destinationrules.networking.istio.io
244
group: networking.istio.io
248
- networking-istio-io
249
kind: DestinationRule
250
listKind: DestinationRuleList
251
plural: destinationrules
254
singular: destinationrule
257
- additionalPrinterColumns:
258
- description: The name of a service from the service registry
262
- description: 'CreationTimestamp is a timestamp representing the server time
263
when this object was created. It is not guaranteed to be set in happens-before
264
order across separate operations. Clients may not set this value. It is represented
265
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
266
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
267
jsonPath: .metadata.creationTimestamp
275
description: 'Configuration affecting load balancing, outlier detection,
276
etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
279
description: A list of namespaces to which this destination rule is
285
description: The name of a service from the service registry.
288
description: One or more named sets that represent individual versions
293
additionalProperties:
295
description: Labels apply a filter over the endpoints of a service
296
in the service registry.
299
description: Name of the subset.
302
description: Traffic policies that apply to this subset.
307
description: HTTP connection pool settings.
311
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
313
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
319
http1MaxPendingRequests:
320
description: Maximum number of requests that will
321
be queued while waiting for a ready connection
326
description: Maximum number of active requests to
331
description: The idle timeout for upstream connection
334
maxConcurrentStreams:
335
description: The maximum number of concurrent streams
336
allowed for a peer on one HTTP/2 connection.
339
maxRequestsPerConnection:
340
description: Maximum number of requests per connection
345
description: Maximum number of retries that can
346
be outstanding to all hosts in a cluster at a
351
description: If set to true, client protocol will
352
be preserved while initiating connection to backend.
356
description: Settings common to both HTTP and TCP upstream
360
description: TCP connection timeout.
363
description: The idle timeout for TCP connections.
365
maxConnectionDuration:
366
description: The maximum duration of a connection.
369
description: Maximum number of HTTP1 /TCP connections
370
to a destination host.
374
description: If set then set SO_KEEPALIVE on the
375
socket to enable TCP Keepalives.
378
description: The time duration between keep-alive
382
description: Maximum number of keepalive probes
383
to send without response before deciding the
387
description: The time duration a connection
388
needs to be idle before keep-alive probes
395
description: Settings controlling the load balancer algorithms.
420
- httpQueryParameterName
428
- httpQueryParameterName
442
description: Hash based on HTTP cookie.
445
description: Name of the cookie.
448
description: Path to set for the cookie.
451
description: Lifetime of the cookie.
457
description: Hash based on a specific HTTP header.
459
httpQueryParameterName:
460
description: Hash based on a specific HTTP query
464
description: The Maglev load balancer implements
465
consistent hashing to backend hosts.
468
description: The table size for Maglev hashing.
472
description: Deprecated.
475
description: The ring/modulo hash load balancer
476
implements consistent hashing to backend hosts.
479
description: The minimum number of virtual nodes
480
to use for the hash ring.
484
description: Hash based on the source IP address.
490
description: 'Optional: only one of distribute,
491
failover or failoverPriority can be set.'
495
description: Originating locality, '/' separated,
499
additionalProperties:
501
description: Map of upstream localities to
502
traffic distribution weights.
507
description: enable locality load balancing, this
508
is DestinationRule-level and will override mesh
509
wide settings in entirety.
513
description: 'Optional: only one of distribute,
514
failover or failoverPriority can be set.'
518
description: Originating region.
521
description: Destination region the traffic
522
will fail over to when endpoints in the
523
'from' region becomes unhealthy.
528
description: failoverPriority is an ordered list
529
of labels used to sort endpoints to do priority
530
based load balancing.
539
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
549
description: Represents the warmup duration of Service.
555
description: Minimum ejection duration.
557
consecutive5xxErrors:
558
description: Number of 5xx errors before a host is ejected
559
from the connection pool.
565
consecutiveGatewayErrors:
566
description: Number of gateway errors before a host
567
is ejected from the connection pool.
570
consecutiveLocalOriginFailures:
571
description: The number of consecutive locally originated
572
failures before ejection occurs.
576
description: Time interval between ejection sweep analysis.
579
description: Maximum % of hosts in the load balancing
580
pool for the upstream service that can be ejected.
584
description: Outlier detection will be enabled as long
585
as the associated load balancing pool has at least
586
min_health_percent hosts in healthy mode.
589
splitExternalLocalOriginErrors:
590
description: Determines whether to distinguish local
591
origin failures from external errors.
595
description: Traffic policies specific to individual ports.
601
description: HTTP connection pool settings.
605
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
607
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
613
http1MaxPendingRequests:
614
description: Maximum number of requests that
615
will be queued while waiting for a ready
616
connection pool connection.
620
description: Maximum number of active requests
625
description: The idle timeout for upstream
626
connection pool connections.
628
maxConcurrentStreams:
629
description: The maximum number of concurrent
630
streams allowed for a peer on one HTTP/2
634
maxRequestsPerConnection:
635
description: Maximum number of requests per
636
connection to a backend.
640
description: Maximum number of retries that
641
can be outstanding to all hosts in a cluster
646
description: If set to true, client protocol
647
will be preserved while initiating connection
652
description: Settings common to both HTTP and
653
TCP upstream connections.
656
description: TCP connection timeout.
659
description: The idle timeout for TCP connections.
661
maxConnectionDuration:
662
description: The maximum duration of a connection.
665
description: Maximum number of HTTP1 /TCP
666
connections to a destination host.
670
description: If set then set SO_KEEPALIVE
671
on the socket to enable TCP Keepalives.
674
description: The time duration between
678
description: Maximum number of keepalive
679
probes to send without response before
680
deciding the connection is dead.
683
description: The time duration a connection
684
needs to be idle before keep-alive probes
691
description: Settings controlling the load balancer
717
- httpQueryParameterName
725
- httpQueryParameterName
739
description: Hash based on HTTP cookie.
742
description: Name of the cookie.
745
description: Path to set for the cookie.
748
description: Lifetime of the cookie.
754
description: Hash based on a specific HTTP
757
httpQueryParameterName:
758
description: Hash based on a specific HTTP
762
description: The Maglev load balancer implements
763
consistent hashing to backend hosts.
766
description: The table size for Maglev
771
description: Deprecated.
774
description: The ring/modulo hash load balancer
775
implements consistent hashing to backend
779
description: The minimum number of virtual
780
nodes to use for the hash ring.
784
description: Hash based on the source IP address.
790
description: 'Optional: only one of distribute,
791
failover or failoverPriority can be set.'
795
description: Originating locality, '/'
799
additionalProperties:
801
description: Map of upstream localities
802
to traffic distribution weights.
807
description: enable locality load balancing,
808
this is DestinationRule-level and will override
809
mesh wide settings in entirety.
813
description: 'Optional: only one of distribute,
814
failover or failoverPriority can be set.'
818
description: Originating region.
821
description: Destination region the
822
traffic will fail over to when endpoints
823
in the 'from' region becomes unhealthy.
828
description: failoverPriority is an ordered
829
list of labels used to sort endpoints to
830
do priority based load balancing.
839
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
849
description: Represents the warmup duration of
856
description: Minimum ejection duration.
858
consecutive5xxErrors:
859
description: Number of 5xx errors before a host
860
is ejected from the connection pool.
866
consecutiveGatewayErrors:
867
description: Number of gateway errors before a
868
host is ejected from the connection pool.
871
consecutiveLocalOriginFailures:
872
description: The number of consecutive locally
873
originated failures before ejection occurs.
877
description: Time interval between ejection sweep
881
description: Maximum % of hosts in the load balancing
882
pool for the upstream service that can be ejected.
886
description: Outlier detection will be enabled
887
as long as the associated load balancing pool
888
has at least min_health_percent hosts in healthy
892
splitExternalLocalOriginErrors:
893
description: Determines whether to distinguish
894
local origin failures from external errors.
898
description: Specifies the number of a port on the
899
destination service on which this policy is being
906
description: TLS related settings for connections
907
to the upstream service.
910
description: 'OPTIONAL: The path to the file containing
911
certificate authority certificates to use in
912
verifying a presented server certificate.'
915
description: 'OPTIONAL: The path to the file containing
916
the certificate revocation list (CRL) to use
917
in verifying a presented server certificate.'
920
description: REQUIRED if mode is `MUTUAL`.
923
description: The name of the secret that holds
924
the TLS certs for the client including the CA
928
description: '`insecureSkipVerify` specifies whether
929
the proxy should skip verifying the CA signature
930
and SAN for the server certificate corresponding
936
Indicates whether connections to this port should be secured using TLS.
938
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
946
description: REQUIRED if mode is `MUTUAL`.
949
description: SNI string to present to the server
950
during TLS handshake.
953
description: A list of alternate names to verify
954
the subject identity in the certificate.
962
description: The upstream PROXY protocol settings.
966
The PROXY protocol version to use.
968
Valid Options: V1, V2
975
description: TLS related settings for connections to the
979
description: 'OPTIONAL: The path to the file containing
980
certificate authority certificates to use in verifying
981
a presented server certificate.'
984
description: 'OPTIONAL: The path to the file containing
985
the certificate revocation list (CRL) to use in verifying
986
a presented server certificate.'
989
description: REQUIRED if mode is `MUTUAL`.
992
description: The name of the secret that holds the TLS
993
certs for the client including the CA certificates.
996
description: '`insecureSkipVerify` specifies whether
997
the proxy should skip verifying the CA signature and
998
SAN for the server certificate corresponding to the
1004
Indicates whether connections to this port should be secured using TLS.
1006
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
1014
description: REQUIRED if mode is `MUTUAL`.
1017
description: SNI string to present to the server during
1021
description: A list of alternate names to verify the
1022
subject identity in the certificate.
1028
description: Configuration of tunneling TCP over other transport
1029
or application layers for the host configured in the DestinationRule.
1032
description: Specifies which protocol to use for tunneling
1033
the downstream connection.
1036
description: Specifies a host to which the downstream
1037
connection is tunneled.
1040
description: Specifies a port to which the downstream
1041
connection is tunneled.
1053
description: Traffic policies to apply (load balancing policy, connection
1054
pool sizes, outlier detection).
1059
description: HTTP connection pool settings.
1063
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
1065
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
1071
http1MaxPendingRequests:
1072
description: Maximum number of requests that will be queued
1073
while waiting for a ready connection pool connection.
1077
description: Maximum number of active requests to a destination.
1081
description: The idle timeout for upstream connection
1084
maxConcurrentStreams:
1085
description: The maximum number of concurrent streams
1086
allowed for a peer on one HTTP/2 connection.
1089
maxRequestsPerConnection:
1090
description: Maximum number of requests per connection
1095
description: Maximum number of retries that can be outstanding
1096
to all hosts in a cluster at a given time.
1100
description: If set to true, client protocol will be preserved
1101
while initiating connection to backend.
1105
description: Settings common to both HTTP and TCP upstream
1109
description: TCP connection timeout.
1112
description: The idle timeout for TCP connections.
1114
maxConnectionDuration:
1115
description: The maximum duration of a connection.
1118
description: Maximum number of HTTP1 /TCP connections
1119
to a destination host.
1123
description: If set then set SO_KEEPALIVE on the socket
1124
to enable TCP Keepalives.
1127
description: The time duration between keep-alive
1131
description: Maximum number of keepalive probes to
1132
send without response before deciding the connection
1136
description: The time duration a connection needs
1137
to be idle before keep-alive probes start being
1144
description: Settings controlling the load balancer algorithms.
1169
- httpQueryParameterName
1177
- httpQueryParameterName
1191
description: Hash based on HTTP cookie.
1194
description: Name of the cookie.
1197
description: Path to set for the cookie.
1200
description: Lifetime of the cookie.
1206
description: Hash based on a specific HTTP header.
1208
httpQueryParameterName:
1209
description: Hash based on a specific HTTP query parameter.
1212
description: The Maglev load balancer implements consistent
1213
hashing to backend hosts.
1216
description: The table size for Maglev hashing.
1220
description: Deprecated.
1223
description: The ring/modulo hash load balancer implements
1224
consistent hashing to backend hosts.
1227
description: The minimum number of virtual nodes to
1228
use for the hash ring.
1232
description: Hash based on the source IP address.
1238
description: 'Optional: only one of distribute, failover
1239
or failoverPriority can be set.'
1243
description: Originating locality, '/' separated,
1247
additionalProperties:
1249
description: Map of upstream localities to traffic
1250
distribution weights.
1255
description: enable locality load balancing, this is DestinationRule-level
1256
and will override mesh wide settings in entirety.
1260
description: 'Optional: only one of distribute, failover
1261
or failoverPriority can be set.'
1265
description: Originating region.
1268
description: Destination region the traffic will
1269
fail over to when endpoints in the 'from' region
1275
description: failoverPriority is an ordered list of labels
1276
used to sort endpoints to do priority based load balancing.
1285
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
1295
description: Represents the warmup duration of Service.
1301
description: Minimum ejection duration.
1303
consecutive5xxErrors:
1304
description: Number of 5xx errors before a host is ejected
1305
from the connection pool.
1311
consecutiveGatewayErrors:
1312
description: Number of gateway errors before a host is ejected
1313
from the connection pool.
1316
consecutiveLocalOriginFailures:
1317
description: The number of consecutive locally originated
1318
failures before ejection occurs.
1322
description: Time interval between ejection sweep analysis.
1325
description: Maximum % of hosts in the load balancing pool
1326
for the upstream service that can be ejected.
1330
description: Outlier detection will be enabled as long as
1331
the associated load balancing pool has at least min_health_percent
1332
hosts in healthy mode.
1335
splitExternalLocalOriginErrors:
1336
description: Determines whether to distinguish local origin
1337
failures from external errors.
1341
description: Traffic policies specific to individual ports.
1347
description: HTTP connection pool settings.
1351
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
1353
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
1359
http1MaxPendingRequests:
1360
description: Maximum number of requests that will
1361
be queued while waiting for a ready connection
1366
description: Maximum number of active requests to
1371
description: The idle timeout for upstream connection
1374
maxConcurrentStreams:
1375
description: The maximum number of concurrent streams
1376
allowed for a peer on one HTTP/2 connection.
1379
maxRequestsPerConnection:
1380
description: Maximum number of requests per connection
1385
description: Maximum number of retries that can
1386
be outstanding to all hosts in a cluster at a
1391
description: If set to true, client protocol will
1392
be preserved while initiating connection to backend.
1396
description: Settings common to both HTTP and TCP upstream
1400
description: TCP connection timeout.
1403
description: The idle timeout for TCP connections.
1405
maxConnectionDuration:
1406
description: The maximum duration of a connection.
1409
description: Maximum number of HTTP1 /TCP connections
1410
to a destination host.
1414
description: If set then set SO_KEEPALIVE on the
1415
socket to enable TCP Keepalives.
1418
description: The time duration between keep-alive
1422
description: Maximum number of keepalive probes
1423
to send without response before deciding the
1427
description: The time duration a connection
1428
needs to be idle before keep-alive probes
1435
description: Settings controlling the load balancer algorithms.
1460
- httpQueryParameterName
1468
- httpQueryParameterName
1482
description: Hash based on HTTP cookie.
1485
description: Name of the cookie.
1488
description: Path to set for the cookie.
1491
description: Lifetime of the cookie.
1497
description: Hash based on a specific HTTP header.
1499
httpQueryParameterName:
1500
description: Hash based on a specific HTTP query
1504
description: The Maglev load balancer implements
1505
consistent hashing to backend hosts.
1508
description: The table size for Maglev hashing.
1512
description: Deprecated.
1515
description: The ring/modulo hash load balancer
1516
implements consistent hashing to backend hosts.
1519
description: The minimum number of virtual nodes
1520
to use for the hash ring.
1524
description: Hash based on the source IP address.
1530
description: 'Optional: only one of distribute,
1531
failover or failoverPriority can be set.'
1535
description: Originating locality, '/' separated,
1539
additionalProperties:
1541
description: Map of upstream localities to
1542
traffic distribution weights.
1547
description: enable locality load balancing, this
1548
is DestinationRule-level and will override mesh
1549
wide settings in entirety.
1553
description: 'Optional: only one of distribute,
1554
failover or failoverPriority can be set.'
1558
description: Originating region.
1561
description: Destination region the traffic
1562
will fail over to when endpoints in the
1563
'from' region becomes unhealthy.
1568
description: failoverPriority is an ordered list
1569
of labels used to sort endpoints to do priority
1570
based load balancing.
1579
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
1589
description: Represents the warmup duration of Service.
1595
description: Minimum ejection duration.
1597
consecutive5xxErrors:
1598
description: Number of 5xx errors before a host is ejected
1599
from the connection pool.
1605
consecutiveGatewayErrors:
1606
description: Number of gateway errors before a host
1607
is ejected from the connection pool.
1610
consecutiveLocalOriginFailures:
1611
description: The number of consecutive locally originated
1612
failures before ejection occurs.
1616
description: Time interval between ejection sweep analysis.
1619
description: Maximum % of hosts in the load balancing
1620
pool for the upstream service that can be ejected.
1624
description: Outlier detection will be enabled as long
1625
as the associated load balancing pool has at least
1626
min_health_percent hosts in healthy mode.
1629
splitExternalLocalOriginErrors:
1630
description: Determines whether to distinguish local
1631
origin failures from external errors.
1635
description: Specifies the number of a port on the destination
1636
service on which this policy is being applied.
1642
description: TLS related settings for connections to the
1646
description: 'OPTIONAL: The path to the file containing
1647
certificate authority certificates to use in verifying
1648
a presented server certificate.'
1651
description: 'OPTIONAL: The path to the file containing
1652
the certificate revocation list (CRL) to use in verifying
1653
a presented server certificate.'
1656
description: REQUIRED if mode is `MUTUAL`.
1659
description: The name of the secret that holds the TLS
1660
certs for the client including the CA certificates.
1663
description: '`insecureSkipVerify` specifies whether
1664
the proxy should skip verifying the CA signature and
1665
SAN for the server certificate corresponding to the
1671
Indicates whether connections to this port should be secured using TLS.
1673
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
1681
description: REQUIRED if mode is `MUTUAL`.
1684
description: SNI string to present to the server during
1688
description: A list of alternate names to verify the
1689
subject identity in the certificate.
1697
description: The upstream PROXY protocol settings.
1701
The PROXY protocol version to use.
1703
Valid Options: V1, V2
1710
description: TLS related settings for connections to the upstream
1714
description: 'OPTIONAL: The path to the file containing certificate
1715
authority certificates to use in verifying a presented server
1719
description: 'OPTIONAL: The path to the file containing the
1720
certificate revocation list (CRL) to use in verifying a
1721
presented server certificate.'
1724
description: REQUIRED if mode is `MUTUAL`.
1727
description: The name of the secret that holds the TLS certs
1728
for the client including the CA certificates.
1731
# Security-relevant switch: per this description, enabling the field makes the
# proxy skip CA-signature and SAN verification of the server certificate, so
# the upstream's identity is no longer authenticated on that TLS connection.
# NOTE(review): the field's own key and type lines are not shown in this
# listing; audit DestinationRule manifests for this field being set to true.
description: '`insecureSkipVerify` specifies whether the proxy
1732
should skip verifying the CA signature and SAN for the server
1733
certificate corresponding to the host.'
1738
Indicates whether connections to this port should be secured using TLS.
1740
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
1748
description: REQUIRED if mode is `MUTUAL`.
1751
description: SNI string to present to the server during TLS
1755
description: A list of alternate names to verify the subject
1756
identity in the certificate.
1762
description: Configuration of tunneling TCP over other transport
1763
or application layers for the host configured in the DestinationRule.
1766
description: Specifies which protocol to use for tunneling
1767
the downstream connection.
1770
description: Specifies a host to which the downstream connection
1774
description: Specifies a port to which the downstream connection
1783
description: Criteria used to select the specific set of pods/VMs
1784
on which this `DestinationRule` configuration should be applied.
1787
additionalProperties:
1789
description: One or more labels that indicate a specific set of
1790
pods/VMs on which a policy should be applied.
1798
x-kubernetes-preserve-unknown-fields: true
1804
- additionalPrinterColumns:
1805
- description: The name of a service from the service registry
1806
jsonPath: .spec.host
1809
- description: 'CreationTimestamp is a timestamp representing the server time
1810
when this object was created. It is not guaranteed to be set in happens-before
1811
order across separate operations. Clients may not set this value. It is represented
1812
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
1813
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
1814
jsonPath: .metadata.creationTimestamp
1822
description: 'Configuration affecting load balancing, outlier detection,
1823
etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
1826
description: A list of namespaces to which this destination rule is
1832
description: The name of a service from the service registry.
1835
description: One or more named sets that represent individual versions
1840
additionalProperties:
1842
description: Labels apply a filter over the endpoints of a service
1843
in the service registry.
1846
description: Name of the subset.
1849
description: Traffic policies that apply to this subset.
1854
description: HTTP connection pool settings.
1858
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
1860
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
1866
http1MaxPendingRequests:
1867
description: Maximum number of requests that will
1868
be queued while waiting for a ready connection
1873
description: Maximum number of active requests to
1878
description: The idle timeout for upstream connection
1881
maxConcurrentStreams:
1882
description: The maximum number of concurrent streams
1883
allowed for a peer on one HTTP/2 connection.
1886
maxRequestsPerConnection:
1887
description: Maximum number of requests per connection
1892
description: Maximum number of retries that can
1893
be outstanding to all hosts in a cluster at a
1898
description: If set to true, client protocol will
1899
be preserved while initiating connection to backend.
1903
description: Settings common to both HTTP and TCP upstream
1907
description: TCP connection timeout.
1910
description: The idle timeout for TCP connections.
1912
maxConnectionDuration:
1913
description: The maximum duration of a connection.
1916
description: Maximum number of HTTP1 /TCP connections
1917
to a destination host.
1921
description: If set then set SO_KEEPALIVE on the
1922
socket to enable TCP Keepalives.
1925
description: The time duration between keep-alive
1929
description: Maximum number of keepalive probes
1930
to send without response before deciding the
1934
description: The time duration a connection
1935
needs to be idle before keep-alive probes
1942
description: Settings controlling the load balancer algorithms.
1967
- httpQueryParameterName
1975
- httpQueryParameterName
1989
description: Hash based on HTTP cookie.
1992
description: Name of the cookie.
1995
description: Path to set for the cookie.
1998
description: Lifetime of the cookie.
2004
description: Hash based on a specific HTTP header.
2006
httpQueryParameterName:
2007
description: Hash based on a specific HTTP query
2011
description: The Maglev load balancer implements
2012
consistent hashing to backend hosts.
2015
description: The table size for Maglev hashing.
2019
description: Deprecated.
2022
description: The ring/modulo hash load balancer
2023
implements consistent hashing to backend hosts.
2026
description: The minimum number of virtual nodes
2027
to use for the hash ring.
2031
description: Hash based on the source IP address.
2037
description: 'Optional: only one of distribute,
2038
failover or failoverPriority can be set.'
2042
description: Originating locality, '/' separated,
2046
additionalProperties:
2048
description: Map of upstream localities to
2049
traffic distribution weights.
2054
description: enable locality load balancing, this
2055
is DestinationRule-level and will override mesh
2056
wide settings in entirety.
2060
description: 'Optional: only one of distribute,
2061
failover or failoverPriority can be set.'
2065
description: Originating region.
2068
description: Destination region the traffic
2069
will fail over to when endpoints in the
2070
'from' region becomes unhealthy.
2075
description: failoverPriority is an ordered list
2076
of labels used to sort endpoints to do priority
2077
based load balancing.
2086
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
2096
description: Represents the warmup duration of Service.
2102
description: Minimum ejection duration.
2104
consecutive5xxErrors:
2105
description: Number of 5xx errors before a host is ejected
2106
from the connection pool.
2112
consecutiveGatewayErrors:
2113
description: Number of gateway errors before a host
2114
is ejected from the connection pool.
2117
consecutiveLocalOriginFailures:
2118
description: The number of consecutive locally originated
2119
failures before ejection occurs.
2123
description: Time interval between ejection sweep analysis.
2126
description: Maximum % of hosts in the load balancing
2127
pool for the upstream service that can be ejected.
2131
description: Outlier detection will be enabled as long
2132
as the associated load balancing pool has at least
2133
min_health_percent hosts in healthy mode.
2136
splitExternalLocalOriginErrors:
2137
description: Determines whether to distinguish local
2138
origin failures from external errors.
2142
description: Traffic policies specific to individual ports.
2148
description: HTTP connection pool settings.
2152
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
2154
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
2160
http1MaxPendingRequests:
2161
description: Maximum number of requests that
2162
will be queued while waiting for a ready
2163
connection pool connection.
2167
description: Maximum number of active requests
2172
description: The idle timeout for upstream
2173
connection pool connections.
2175
maxConcurrentStreams:
2176
description: The maximum number of concurrent
2177
streams allowed for a peer on one HTTP/2
2181
maxRequestsPerConnection:
2182
description: Maximum number of requests per
2183
connection to a backend.
2187
description: Maximum number of retries that
2188
can be outstanding to all hosts in a cluster
2193
description: If set to true, client protocol
2194
will be preserved while initiating connection
2199
description: Settings common to both HTTP and
2200
TCP upstream connections.
2203
description: TCP connection timeout.
2206
description: The idle timeout for TCP connections.
2208
maxConnectionDuration:
2209
description: The maximum duration of a connection.
2212
description: Maximum number of HTTP1 /TCP
2213
connections to a destination host.
2217
description: If set then set SO_KEEPALIVE
2218
on the socket to enable TCP Keepalives.
2221
description: The time duration between
2225
description: Maximum number of keepalive
2226
probes to send without response before
2227
deciding the connection is dead.
2230
description: The time duration a connection
2231
needs to be idle before keep-alive probes
2238
description: Settings controlling the load balancer
2264
- httpQueryParameterName
2272
- httpQueryParameterName
2286
description: Hash based on HTTP cookie.
2289
description: Name of the cookie.
2292
description: Path to set for the cookie.
2295
description: Lifetime of the cookie.
2301
description: Hash based on a specific HTTP
2304
httpQueryParameterName:
2305
description: Hash based on a specific HTTP
2309
description: The Maglev load balancer implements
2310
consistent hashing to backend hosts.
2313
description: The table size for Maglev
2318
description: Deprecated.
2321
description: The ring/modulo hash load balancer
2322
implements consistent hashing to backend
2326
description: The minimum number of virtual
2327
nodes to use for the hash ring.
2331
description: Hash based on the source IP address.
2337
description: 'Optional: only one of distribute,
2338
failover or failoverPriority can be set.'
2342
description: Originating locality, '/'
2346
additionalProperties:
2348
description: Map of upstream localities
2349
to traffic distribution weights.
2354
description: enable locality load balancing,
2355
this is DestinationRule-level and will override
2356
mesh wide settings in entirety.
2360
description: 'Optional: only one of distribute,
2361
failover or failoverPriority can be set.'
2365
description: Originating region.
2368
description: Destination region the
2369
traffic will fail over to when endpoints
2370
in the 'from' region becomes unhealthy.
2375
description: failoverPriority is an ordered
2376
list of labels used to sort endpoints to
2377
do priority based load balancing.
2386
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
2396
description: Represents the warmup duration of
2403
description: Minimum ejection duration.
2405
consecutive5xxErrors:
2406
description: Number of 5xx errors before a host
2407
is ejected from the connection pool.
2413
consecutiveGatewayErrors:
2414
description: Number of gateway errors before a
2415
host is ejected from the connection pool.
2418
consecutiveLocalOriginFailures:
2419
description: The number of consecutive locally
2420
originated failures before ejection occurs.
2424
description: Time interval between ejection sweep
2428
description: Maximum % of hosts in the load balancing
2429
pool for the upstream service that can be ejected.
2433
description: Outlier detection will be enabled
2434
as long as the associated load balancing pool
2435
has at least min_health_percent hosts in healthy
2439
splitExternalLocalOriginErrors:
2440
description: Determines whether to distinguish
2441
local origin failures from external errors.
2445
description: Specifies the number of a port on the
2446
destination service on which this policy is being
2453
description: TLS related settings for connections
2454
to the upstream service.
2457
description: 'OPTIONAL: The path to the file containing
2458
certificate authority certificates to use in
2459
verifying a presented server certificate.'
2462
description: 'OPTIONAL: The path to the file containing
2463
the certificate revocation list (CRL) to use
2464
in verifying a presented server certificate.'
2467
description: REQUIRED if mode is `MUTUAL`.
2470
description: The name of the secret that holds
2471
the TLS certs for the client including the CA
2475
description: '`insecureSkipVerify` specifies whether
2476
the proxy should skip verifying the CA signature
2477
and SAN for the server certificate corresponding
2483
Indicates whether connections to this port should be secured using TLS.
2485
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
2493
description: REQUIRED if mode is `MUTUAL`.
2496
description: SNI string to present to the server
2497
during TLS handshake.
2500
description: A list of alternate names to verify
2501
the subject identity in the certificate.
2509
description: The upstream PROXY protocol settings.
2513
The PROXY protocol version to use.
2515
Valid Options: V1, V2
2522
description: TLS related settings for connections to the
2526
description: 'OPTIONAL: The path to the file containing
2527
certificate authority certificates to use in verifying
2528
a presented server certificate.'
2531
description: 'OPTIONAL: The path to the file containing
2532
the certificate revocation list (CRL) to use in verifying
2533
a presented server certificate.'
2536
description: REQUIRED if mode is `MUTUAL`.
2539
description: The name of the secret that holds the TLS
2540
certs for the client including the CA certificates.
2543
description: '`insecureSkipVerify` specifies whether
2544
the proxy should skip verifying the CA signature and
2545
SAN for the server certificate corresponding to the
2551
Indicates whether connections to this port should be secured using TLS.
2553
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
2561
description: REQUIRED if mode is `MUTUAL`.
2564
description: SNI string to present to the server during
2568
description: A list of alternate names to verify the
2569
subject identity in the certificate.
2575
description: Configuration of tunneling TCP over other transport
2576
or application layers for the host configured in the DestinationRule.
2579
description: Specifies which protocol to use for tunneling
2580
the downstream connection.
2583
description: Specifies a host to which the downstream
2584
connection is tunneled.
2587
description: Specifies a port to which the downstream
2588
connection is tunneled.
2600
description: Traffic policies to apply (load balancing policy, connection
2601
pool sizes, outlier detection).
2606
description: HTTP connection pool settings.
2610
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
2612
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
2618
http1MaxPendingRequests:
2619
description: Maximum number of requests that will be queued
2620
while waiting for a ready connection pool connection.
2624
description: Maximum number of active requests to a destination.
2628
description: The idle timeout for upstream connection
2631
maxConcurrentStreams:
2632
description: The maximum number of concurrent streams
2633
allowed for a peer on one HTTP/2 connection.
2636
maxRequestsPerConnection:
2637
description: Maximum number of requests per connection
2642
description: Maximum number of retries that can be outstanding
2643
to all hosts in a cluster at a given time.
2647
description: If set to true, client protocol will be preserved
2648
while initiating connection to backend.
2652
description: Settings common to both HTTP and TCP upstream
2656
description: TCP connection timeout.
2659
description: The idle timeout for TCP connections.
2661
maxConnectionDuration:
2662
description: The maximum duration of a connection.
2665
description: Maximum number of HTTP1 /TCP connections
2666
to a destination host.
2670
description: If set then set SO_KEEPALIVE on the socket
2671
to enable TCP Keepalives.
2674
description: The time duration between keep-alive
2678
description: Maximum number of keepalive probes to
2679
send without response before deciding the connection
2683
description: The time duration a connection needs
2684
to be idle before keep-alive probes start being
2691
description: Settings controlling the load balancer algorithms.
2716
- httpQueryParameterName
2724
- httpQueryParameterName
2738
description: Hash based on HTTP cookie.
2741
description: Name of the cookie.
2744
description: Path to set for the cookie.
2747
description: Lifetime of the cookie.
2753
description: Hash based on a specific HTTP header.
2755
httpQueryParameterName:
2756
description: Hash based on a specific HTTP query parameter.
2759
description: The Maglev load balancer implements consistent
2760
hashing to backend hosts.
2763
description: The table size for Maglev hashing.
2767
description: Deprecated.
2770
description: The ring/modulo hash load balancer implements
2771
consistent hashing to backend hosts.
2774
description: The minimum number of virtual nodes to
2775
use for the hash ring.
2779
description: Hash based on the source IP address.
2785
description: 'Optional: only one of distribute, failover
2786
or failoverPriority can be set.'
2790
description: Originating locality, '/' separated,
2794
additionalProperties:
2796
description: Map of upstream localities to traffic
2797
distribution weights.
2802
description: enable locality load balancing, this is DestinationRule-level
2803
and will override mesh wide settings in entirety.
2807
description: 'Optional: only one of distribute, failover
2808
or failoverPriority can be set.'
2812
description: Originating region.
2815
description: Destination region the traffic will
2816
fail over to when endpoints in the 'from' region
2822
description: failoverPriority is an ordered list of labels
2823
used to sort endpoints to do priority based load balancing.
2832
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
2842
description: Represents the warmup duration of Service.
2848
description: Minimum ejection duration.
2850
consecutive5xxErrors:
2851
description: Number of 5xx errors before a host is ejected
2852
from the connection pool.
2858
consecutiveGatewayErrors:
2859
description: Number of gateway errors before a host is ejected
2860
from the connection pool.
2863
consecutiveLocalOriginFailures:
2864
description: The number of consecutive locally originated
2865
failures before ejection occurs.
2869
description: Time interval between ejection sweep analysis.
2872
description: Maximum % of hosts in the load balancing pool
2873
for the upstream service that can be ejected.
2877
description: Outlier detection will be enabled as long as
2878
the associated load balancing pool has at least min_health_percent
2879
hosts in healthy mode.
2882
splitExternalLocalOriginErrors:
2883
description: Determines whether to distinguish local origin
2884
failures from external errors.
2888
description: Traffic policies specific to individual ports.
2894
description: HTTP connection pool settings.
2898
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
2900
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
2906
http1MaxPendingRequests:
2907
description: Maximum number of requests that will
2908
be queued while waiting for a ready connection
2913
description: Maximum number of active requests to
2918
description: The idle timeout for upstream connection
2921
maxConcurrentStreams:
2922
description: The maximum number of concurrent streams
2923
allowed for a peer on one HTTP/2 connection.
2926
maxRequestsPerConnection:
2927
description: Maximum number of requests per connection
2932
description: Maximum number of retries that can
2933
be outstanding to all hosts in a cluster at a
2938
description: If set to true, client protocol will
2939
be preserved while initiating connection to backend.
2943
description: Settings common to both HTTP and TCP upstream
2947
description: TCP connection timeout.
2950
description: The idle timeout for TCP connections.
2952
maxConnectionDuration:
2953
description: The maximum duration of a connection.
2956
description: Maximum number of HTTP1 /TCP connections
2957
to a destination host.
2961
description: If set then set SO_KEEPALIVE on the
2962
socket to enable TCP Keepalives.
2965
description: The time duration between keep-alive
2969
description: Maximum number of keepalive probes
2970
to send without response before deciding the
2974
description: The time duration a connection
2975
needs to be idle before keep-alive probes
2982
description: Settings controlling the load balancer algorithms.
3007
- httpQueryParameterName
3015
- httpQueryParameterName
3029
description: Hash based on HTTP cookie.
3032
description: Name of the cookie.
3035
description: Path to set for the cookie.
3038
description: Lifetime of the cookie.
3044
description: Hash based on a specific HTTP header.
3046
httpQueryParameterName:
3047
description: Hash based on a specific HTTP query
3051
description: The Maglev load balancer implements
3052
consistent hashing to backend hosts.
3055
description: The table size for Maglev hashing.
3059
description: Deprecated.
3062
description: The ring/modulo hash load balancer
3063
implements consistent hashing to backend hosts.
3066
description: The minimum number of virtual nodes
3067
to use for the hash ring.
3071
description: Hash based on the source IP address.
3077
description: 'Optional: only one of distribute,
3078
failover or failoverPriority can be set.'
3082
description: Originating locality, '/' separated,
3086
additionalProperties:
3088
description: Map of upstream localities to
3089
traffic distribution weights.
3094
description: enable locality load balancing, this
3095
is DestinationRule-level and will override mesh
3096
wide settings in entirety.
3100
description: 'Optional: only one of distribute,
3101
failover or failoverPriority can be set.'
3105
description: Originating region.
3108
description: Destination region the traffic
3109
will fail over to when endpoints in the
3110
'from' region becomes unhealthy.
3115
description: failoverPriority is an ordered list
3116
of labels used to sort endpoints to do priority
3117
based load balancing.
3126
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
3136
description: Represents the warmup duration of Service.
3142
description: Minimum ejection duration.
3144
consecutive5xxErrors:
3145
description: Number of 5xx errors before a host is ejected
3146
from the connection pool.
3152
consecutiveGatewayErrors:
3153
description: Number of gateway errors before a host
3154
is ejected from the connection pool.
3157
consecutiveLocalOriginFailures:
3158
description: The number of consecutive locally originated
3159
failures before ejection occurs.
3163
description: Time interval between ejection sweep analysis.
3166
description: Maximum % of hosts in the load balancing
3167
pool for the upstream service that can be ejected.
3171
description: Outlier detection will be enabled as long
3172
as the associated load balancing pool has at least
3173
min_health_percent hosts in healthy mode.
3176
splitExternalLocalOriginErrors:
3177
description: Determines whether to distinguish local
3178
origin failures from external errors.
3182
description: Specifies the number of a port on the destination
3183
service on which this policy is being applied.
3189
description: TLS related settings for connections to the
3193
description: 'OPTIONAL: The path to the file containing
3194
certificate authority certificates to use in verifying
3195
a presented server certificate.'
3198
description: 'OPTIONAL: The path to the file containing
3199
the certificate revocation list (CRL) to use in verifying
3200
a presented server certificate.'
3203
description: REQUIRED if mode is `MUTUAL`.
3206
description: The name of the secret that holds the TLS
3207
certs for the client including the CA certificates.
3210
description: '`insecureSkipVerify` specifies whether
3211
the proxy should skip verifying the CA signature and
3212
SAN for the server certificate corresponding to the
3218
Indicates whether connections to this port should be secured using TLS.
3220
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
3228
description: REQUIRED if mode is `MUTUAL`.
3231
description: SNI string to present to the server during
3235
description: A list of alternate names to verify the
3236
subject identity in the certificate.
3244
description: The upstream PROXY protocol settings.
3248
The PROXY protocol version to use.
3250
Valid Options: V1, V2
3257
description: TLS related settings for connections to the upstream
3261
description: 'OPTIONAL: The path to the file containing certificate
3262
authority certificates to use in verifying a presented server
3266
description: 'OPTIONAL: The path to the file containing the
3267
certificate revocation list (CRL) to use in verifying a
3268
presented server certificate.'
3271
description: REQUIRED if mode is `MUTUAL`.
3274
description: The name of the secret that holds the TLS certs
3275
for the client including the CA certificates.
3278
description: '`insecureSkipVerify` specifies whether the proxy
3279
should skip verifying the CA signature and SAN for the server
3280
certificate corresponding to the host.'
3285
Indicates whether connections to this port should be secured using TLS.
3287
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
3295
description: REQUIRED if mode is `MUTUAL`.
3298
description: SNI string to present to the server during TLS
3302
description: A list of alternate names to verify the subject
3303
identity in the certificate.
3309
description: Configuration of tunneling TCP over other transport
3310
or application layers for the host configured in the DestinationRule.
3313
description: Specifies which protocol to use for tunneling
3314
the downstream connection.
3317
description: Specifies a host to which the downstream connection
3321
description: Specifies a port to which the downstream connection
3330
description: Criteria used to select the specific set of pods/VMs
3331
on which this `DestinationRule` configuration should be applied.
3334
additionalProperties:
3336
description: One or more labels that indicate a specific set of
3337
pods/VMs on which a policy should be applied.
3345
x-kubernetes-preserve-unknown-fields: true
3351
- additionalPrinterColumns:
3352
- description: The name of a service from the service registry
3353
jsonPath: .spec.host
3356
- description: 'CreationTimestamp is a timestamp representing the server time
3357
when this object was created. It is not guaranteed to be set in happens-before
3358
order across separate operations. Clients may not set this value. It is represented
3359
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
3360
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
3361
jsonPath: .metadata.creationTimestamp
3369
description: 'Configuration affecting load balancing, outlier detection,
3370
etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
3373
description: A list of namespaces to which this destination rule is
3379
description: The name of a service from the service registry.
3382
description: One or more named sets that represent individual versions
3387
additionalProperties:
3389
description: Labels apply a filter over the endpoints of a service
3390
in the service registry.
3393
description: Name of the subset.
3396
description: Traffic policies that apply to this subset.
3401
description: HTTP connection pool settings.
3405
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
3407
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
3413
http1MaxPendingRequests:
3414
description: Maximum number of requests that will
3415
be queued while waiting for a ready connection
3420
description: Maximum number of active requests to
3425
description: The idle timeout for upstream connection
3428
maxConcurrentStreams:
3429
description: The maximum number of concurrent streams
3430
allowed for a peer on one HTTP/2 connection.
3433
maxRequestsPerConnection:
3434
description: Maximum number of requests per connection
3439
description: Maximum number of retries that can
3440
be outstanding to all hosts in a cluster at a
3445
description: If set to true, client protocol will
3446
be preserved while initiating connection to backend.
3450
description: Settings common to both HTTP and TCP upstream
3454
description: TCP connection timeout.
3457
description: The idle timeout for TCP connections.
3459
maxConnectionDuration:
3460
description: The maximum duration of a connection.
3463
description: Maximum number of HTTP1 /TCP connections
3464
to a destination host.
3468
description: If set then set SO_KEEPALIVE on the
3469
socket to enable TCP Keepalives.
3472
description: The time duration between keep-alive
3476
description: Maximum number of keepalive probes
3477
to send without response before deciding the
3481
description: The time duration a connection
3482
needs to be idle before keep-alive probes
3489
description: Settings controlling the load balancer algorithms.
3514
- httpQueryParameterName
3522
- httpQueryParameterName
3536
description: Hash based on HTTP cookie.
3539
description: Name of the cookie.
3542
description: Path to set for the cookie.
3545
description: Lifetime of the cookie.
3551
description: Hash based on a specific HTTP header.
3553
httpQueryParameterName:
3554
description: Hash based on a specific HTTP query
3558
description: The Maglev load balancer implements
3559
consistent hashing to backend hosts.
3562
description: The table size for Maglev hashing.
3566
description: Deprecated.
3569
description: The ring/modulo hash load balancer
3570
implements consistent hashing to backend hosts.
3573
description: The minimum number of virtual nodes
3574
to use for the hash ring.
3578
description: Hash based on the source IP address.
3584
description: 'Optional: only one of distribute,
3585
failover or failoverPriority can be set.'
3589
description: Originating locality, '/' separated,
3593
additionalProperties:
3595
description: Map of upstream localities to
3596
traffic distribution weights.
3601
description: enable locality load balancing, this
3602
is DestinationRule-level and will override mesh
3603
wide settings in entirety.
3607
description: 'Optional: only one of distribute,
3608
failover or failoverPriority can be set.'
3612
description: Originating region.
3615
description: Destination region the traffic
3616
will fail over to when endpoints in the
3617
'from' region becomes unhealthy.
3622
description: failoverPriority is an ordered list
3623
of labels used to sort endpoints to do priority
3624
based load balancing.
3633
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
3643
description: Represents the warmup duration of Service.
3649
description: Minimum ejection duration.
3651
consecutive5xxErrors:
3652
description: Number of 5xx errors before a host is ejected
3653
from the connection pool.
3659
consecutiveGatewayErrors:
3660
description: Number of gateway errors before a host
3661
is ejected from the connection pool.
3664
consecutiveLocalOriginFailures:
3665
description: The number of consecutive locally originated
3666
failures before ejection occurs.
3670
description: Time interval between ejection sweep analysis.
3673
description: Maximum % of hosts in the load balancing
3674
pool for the upstream service that can be ejected.
3678
description: Outlier detection will be enabled as long
3679
as the associated load balancing pool has at least
3680
min_health_percent hosts in healthy mode.
3683
splitExternalLocalOriginErrors:
3684
description: Determines whether to distinguish local
3685
origin failures from external errors.
3689
description: Traffic policies specific to individual ports.
3695
description: HTTP connection pool settings.
3699
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
3701
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
3707
http1MaxPendingRequests:
3708
description: Maximum number of requests that
3709
will be queued while waiting for a ready
3710
connection pool connection.
3714
description: Maximum number of active requests
3719
description: The idle timeout for upstream
3720
connection pool connections.
3722
maxConcurrentStreams:
3723
description: The maximum number of concurrent
3724
streams allowed for a peer on one HTTP/2
3728
maxRequestsPerConnection:
3729
description: Maximum number of requests per
3730
connection to a backend.
3734
description: Maximum number of retries that
3735
can be outstanding to all hosts in a cluster
3740
description: If set to true, client protocol
3741
will be preserved while initiating connection
3746
description: Settings common to both HTTP and
3747
TCP upstream connections.
3750
description: TCP connection timeout.
3753
description: The idle timeout for TCP connections.
3755
maxConnectionDuration:
3756
description: The maximum duration of a connection.
3759
description: Maximum number of HTTP1 /TCP
3760
connections to a destination host.
3764
description: If set then set SO_KEEPALIVE
3765
on the socket to enable TCP Keepalives.
3768
description: The time duration between
3772
description: Maximum number of keepalive
3773
probes to send without response before
3774
deciding the connection is dead.
3777
description: The time duration a connection
3778
needs to be idle before keep-alive probes
3785
description: Settings controlling the load balancer
3811
- httpQueryParameterName
3819
- httpQueryParameterName
3833
description: Hash based on HTTP cookie.
3836
description: Name of the cookie.
3839
description: Path to set for the cookie.
3842
description: Lifetime of the cookie.
3848
description: Hash based on a specific HTTP
3851
httpQueryParameterName:
3852
description: Hash based on a specific HTTP
3856
description: The Maglev load balancer implements
3857
consistent hashing to backend hosts.
3860
description: The table size for Maglev
3865
description: Deprecated.
3868
description: The ring/modulo hash load balancer
3869
implements consistent hashing to backend
3873
description: The minimum number of virtual
3874
nodes to use for the hash ring.
3878
description: Hash based on the source IP address.
3884
description: 'Optional: only one of distribute,
3885
failover or failoverPriority can be set.'
3889
description: Originating locality, '/'
3893
additionalProperties:
3895
description: Map of upstream localities
3896
to traffic distribution weights.
3901
description: enable locality load balancing,
3902
this is DestinationRule-level and will override
3903
mesh wide settings in entirety.
3907
description: 'Optional: only one of distribute,
3908
failover or failoverPriority can be set.'
3912
description: Originating region.
3915
description: Destination region the
3916
traffic will fail over to when endpoints
3917
in the 'from' region becomes unhealthy.
3922
description: failoverPriority is an ordered
3923
list of labels used to sort endpoints to
3924
do priority based load balancing.
3933
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
3943
description: Represents the warmup duration of
3950
description: Minimum ejection duration.
3952
consecutive5xxErrors:
3953
description: Number of 5xx errors before a host
3954
is ejected from the connection pool.
3960
consecutiveGatewayErrors:
3961
description: Number of gateway errors before a
3962
host is ejected from the connection pool.
3965
consecutiveLocalOriginFailures:
3966
description: The number of consecutive locally
3967
originated failures before ejection occurs.
3971
description: Time interval between ejection sweep
3975
description: Maximum % of hosts in the load balancing
3976
pool for the upstream service that can be ejected.
3980
description: Outlier detection will be enabled
3981
as long as the associated load balancing pool
3982
has at least min_health_percent hosts in healthy
3986
splitExternalLocalOriginErrors:
3987
description: Determines whether to distinguish
3988
local origin failures from external errors.
3992
description: Specifies the number of a port on the
3993
destination service on which this policy is being
4000
description: TLS related settings for connections
4001
to the upstream service.
4004
description: 'OPTIONAL: The path to the file containing
4005
certificate authority certificates to use in
4006
verifying a presented server certificate.'
4009
description: 'OPTIONAL: The path to the file containing
4010
the certificate revocation list (CRL) to use
4011
in verifying a presented server certificate.'
4014
description: REQUIRED if mode is `MUTUAL`.
4017
description: The name of the secret that holds
4018
the TLS certs for the client including the CA
4022
description: '`insecureSkipVerify` specifies whether
4023
the proxy should skip verifying the CA signature
4024
and SAN for the server certificate corresponding
4030
Indicates whether connections to this port should be secured using TLS.
4032
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
4040
description: REQUIRED if mode is `MUTUAL`.
4043
description: SNI string to present to the server
4044
during TLS handshake.
4047
description: A list of alternate names to verify
4048
the subject identity in the certificate.
4056
description: The upstream PROXY protocol settings.
4060
The PROXY protocol version to use.
4062
Valid Options: V1, V2
4069
description: TLS related settings for connections to the
4073
description: 'OPTIONAL: The path to the file containing
4074
certificate authority certificates to use in verifying
4075
a presented server certificate.'
4078
description: 'OPTIONAL: The path to the file containing
4079
the certificate revocation list (CRL) to use in verifying
4080
a presented server certificate.'
4083
description: REQUIRED if mode is `MUTUAL`.
4086
description: The name of the secret that holds the TLS
4087
certs for the client including the CA certificates.
4090
description: '`insecureSkipVerify` specifies whether
4091
the proxy should skip verifying the CA signature and
4092
SAN for the server certificate corresponding to the
4098
Indicates whether connections to this port should be secured using TLS.
4100
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
4108
description: REQUIRED if mode is `MUTUAL`.
4111
description: SNI string to present to the server during
4115
description: A list of alternate names to verify the
4116
subject identity in the certificate.
4122
description: Configuration of tunneling TCP over other transport
4123
or application layers for the host configured in the DestinationRule.
4126
description: Specifies which protocol to use for tunneling
4127
the downstream connection.
4130
description: Specifies a host to which the downstream
4131
connection is tunneled.
4134
description: Specifies a port to which the downstream
4135
connection is tunneled.
4147
description: Traffic policies to apply (load balancing policy, connection
4148
pool sizes, outlier detection).
4153
description: HTTP connection pool settings.
4157
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
4159
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
4165
http1MaxPendingRequests:
4166
description: Maximum number of requests that will be queued
4167
while waiting for a ready connection pool connection.
4171
description: Maximum number of active requests to a destination.
4175
description: The idle timeout for upstream connection
4178
maxConcurrentStreams:
4179
description: The maximum number of concurrent streams
4180
allowed for a peer on one HTTP/2 connection.
4183
maxRequestsPerConnection:
4184
description: Maximum number of requests per connection
4189
description: Maximum number of retries that can be outstanding
4190
to all hosts in a cluster at a given time.
4194
description: If set to true, client protocol will be preserved
4195
while initiating connection to backend.
4199
description: Settings common to both HTTP and TCP upstream
4203
description: TCP connection timeout.
4206
description: The idle timeout for TCP connections.
4208
maxConnectionDuration:
4209
description: The maximum duration of a connection.
4212
description: Maximum number of HTTP1 /TCP connections
4213
to a destination host.
4217
description: If set then set SO_KEEPALIVE on the socket
4218
to enable TCP Keepalives.
4221
description: The time duration between keep-alive
4225
description: Maximum number of keepalive probes to
4226
send without response before deciding the connection
4230
description: The time duration a connection needs
4231
to be idle before keep-alive probes start being
4238
description: Settings controlling the load balancer algorithms.
4263
- httpQueryParameterName
4271
- httpQueryParameterName
4285
description: Hash based on HTTP cookie.
4288
description: Name of the cookie.
4291
description: Path to set for the cookie.
4294
description: Lifetime of the cookie.
4300
description: Hash based on a specific HTTP header.
4302
httpQueryParameterName:
4303
description: Hash based on a specific HTTP query parameter.
4306
description: The Maglev load balancer implements consistent
4307
hashing to backend hosts.
4310
description: The table size for Maglev hashing.
4314
description: Deprecated.
4317
description: The ring/modulo hash load balancer implements
4318
consistent hashing to backend hosts.
4321
description: The minimum number of virtual nodes to
4322
use for the hash ring.
4326
description: Hash based on the source IP address.
4332
description: 'Optional: only one of distribute, failover
4333
or failoverPriority can be set.'
4337
description: Originating locality, '/' separated,
4341
additionalProperties:
4343
description: Map of upstream localities to traffic
4344
distribution weights.
4349
description: enable locality load balancing, this is DestinationRule-level
4350
and will override mesh wide settings in entirety.
4354
description: 'Optional: only one of distribute, failover
4355
or failoverPriority can be set.'
4359
description: Originating region.
4362
description: Destination region the traffic will
4363
fail over to when endpoints in the 'from' region
4369
description: failoverPriority is an ordered list of labels
4370
used to sort endpoints to do priority based load balancing.
4379
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
4389
description: Represents the warmup duration of Service.
4395
description: Minimum ejection duration.
4397
consecutive5xxErrors:
4398
description: Number of 5xx errors before a host is ejected
4399
from the connection pool.
4405
consecutiveGatewayErrors:
4406
description: Number of gateway errors before a host is ejected
4407
from the connection pool.
4410
consecutiveLocalOriginFailures:
4411
description: The number of consecutive locally originated
4412
failures before ejection occurs.
4416
description: Time interval between ejection sweep analysis.
4419
description: Maximum % of hosts in the load balancing pool
4420
for the upstream service that can be ejected.
4424
description: Outlier detection will be enabled as long as
4425
the associated load balancing pool has at least min_health_percent
4426
hosts in healthy mode.
4429
splitExternalLocalOriginErrors:
4430
description: Determines whether to distinguish local origin
4431
failures from external errors.
4435
description: Traffic policies specific to individual ports.
4441
description: HTTP connection pool settings.
4445
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
4447
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
4453
http1MaxPendingRequests:
4454
description: Maximum number of requests that will
4455
be queued while waiting for a ready connection
4460
description: Maximum number of active requests to
4465
description: The idle timeout for upstream connection
4468
maxConcurrentStreams:
4469
description: The maximum number of concurrent streams
4470
allowed for a peer on one HTTP/2 connection.
4473
maxRequestsPerConnection:
4474
description: Maximum number of requests per connection
4479
description: Maximum number of retries that can
4480
be outstanding to all hosts in a cluster at a
4485
description: If set to true, client protocol will
4486
be preserved while initiating connection to backend.
4490
description: Settings common to both HTTP and TCP upstream
4494
description: TCP connection timeout.
4497
description: The idle timeout for TCP connections.
4499
maxConnectionDuration:
4500
description: The maximum duration of a connection.
4503
description: Maximum number of HTTP1 /TCP connections
4504
to a destination host.
4508
description: If set then set SO_KEEPALIVE on the
4509
socket to enable TCP Keepalives.
4512
description: The time duration between keep-alive
4516
description: Maximum number of keepalive probes
4517
to send without response before deciding the
4521
description: The time duration a connection
4522
needs to be idle before keep-alive probes
4529
description: Settings controlling the load balancer algorithms.
4554
- httpQueryParameterName
4562
- httpQueryParameterName
4576
description: Hash based on HTTP cookie.
4579
description: Name of the cookie.
4582
description: Path to set for the cookie.
4585
description: Lifetime of the cookie.
4591
description: Hash based on a specific HTTP header.
4593
httpQueryParameterName:
4594
description: Hash based on a specific HTTP query
4598
description: The Maglev load balancer implements
4599
consistent hashing to backend hosts.
4602
description: The table size for Maglev hashing.
4606
description: Deprecated.
4609
description: The ring/modulo hash load balancer
4610
implements consistent hashing to backend hosts.
4613
description: The minimum number of virtual nodes
4614
to use for the hash ring.
4618
description: Hash based on the source IP address.
4624
description: 'Optional: only one of distribute,
4625
failover or failoverPriority can be set.'
4629
description: Originating locality, '/' separated,
4633
additionalProperties:
4635
description: Map of upstream localities to
4636
traffic distribution weights.
4641
description: enable locality load balancing, this
4642
is DestinationRule-level and will override mesh
4643
wide settings in entirety.
4647
description: 'Optional: only one of distribute,
4648
failover or failoverPriority can be set.'
4652
description: Originating region.
4655
description: Destination region the traffic
4656
will fail over to when endpoints in the
4657
'from' region becomes unhealthy.
4662
description: failoverPriority is an ordered list
4663
of labels used to sort endpoints to do priority
4664
based load balancing.
4673
Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
4683
description: Represents the warmup duration of Service.
4689
description: Minimum ejection duration.
4691
consecutive5xxErrors:
4692
description: Number of 5xx errors before a host is ejected
4693
from the connection pool.
4699
consecutiveGatewayErrors:
4700
description: Number of gateway errors before a host
4701
is ejected from the connection pool.
4704
consecutiveLocalOriginFailures:
4705
description: The number of consecutive locally originated
4706
failures before ejection occurs.
4710
description: Time interval between ejection sweep analysis.
4713
description: Maximum % of hosts in the load balancing
4714
pool for the upstream service that can be ejected.
4718
description: Outlier detection will be enabled as long
4719
as the associated load balancing pool has at least
4720
min_health_percent hosts in healthy mode.
4723
splitExternalLocalOriginErrors:
4724
description: Determines whether to distinguish local
4725
origin failures from external errors.
4729
description: Specifies the number of a port on the destination
4730
service on which this policy is being applied.
4736
description: TLS related settings for connections to the
4740
description: 'OPTIONAL: The path to the file containing
4741
certificate authority certificates to use in verifying
4742
a presented server certificate.'
4745
description: 'OPTIONAL: The path to the file containing
4746
the certificate revocation list (CRL) to use in verifying
4747
a presented server certificate.'
4750
description: REQUIRED if mode is `MUTUAL`.
4753
description: The name of the secret that holds the TLS
4754
certs for the client including the CA certificates.
4757
description: '`insecureSkipVerify` specifies whether
4758
the proxy should skip verifying the CA signature and
4759
SAN for the server certificate corresponding to the
4765
Indicates whether connections to this port should be secured using TLS.
4767
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
4775
description: REQUIRED if mode is `MUTUAL`.
4778
description: SNI string to present to the server during
4782
description: A list of alternate names to verify the
4783
subject identity in the certificate.
4791
description: The upstream PROXY protocol settings.
4795
The PROXY protocol version to use.
4797
Valid Options: V1, V2
4804
description: TLS related settings for connections to the upstream
4808
description: 'OPTIONAL: The path to the file containing certificate
4809
authority certificates to use in verifying a presented server
4813
description: 'OPTIONAL: The path to the file containing the
4814
certificate revocation list (CRL) to use in verifying a
4815
presented server certificate.'
4818
description: REQUIRED if mode is `MUTUAL`.
4821
description: The name of the secret that holds the TLS certs
4822
for the client including the CA certificates.
4825
# Security note: per the description below, enabling this makes the proxy skip
# verification of the server certificate's CA signature and SAN, so TLS no
# longer authenticates the upstream peer. Treat any DestinationRule that
# enables it as a finding to review.
description: '`insecureSkipVerify` specifies whether the proxy
4826
should skip verifying the CA signature and SAN for the server
4827
certificate corresponding to the host.'
4832
Indicates whether connections to this port should be secured using TLS.
4834
Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
4842
description: REQUIRED if mode is `MUTUAL`.
4845
description: SNI string to present to the server during TLS
4849
description: A list of alternate names to verify the subject
4850
identity in the certificate.
4856
description: Configuration of tunneling TCP over other transport
4857
or application layers for the host configured in the DestinationRule.
4860
description: Specifies which protocol to use for tunneling
4861
the downstream connection.
4864
description: Specifies a host to which the downstream connection
4868
description: Specifies a port to which the downstream connection
4877
description: Criteria used to select the specific set of pods/VMs
4878
on which this `DestinationRule` configuration should be applied.
4881
additionalProperties:
4883
description: One or more labels that indicate a specific set of
4884
pods/VMs on which a policy should be applied.
4892
x-kubernetes-preserve-unknown-fields: true
4899
apiVersion: apiextensions.k8s.io/v1
4900
kind: CustomResourceDefinition
4903
# Helm resource policy "keep": Helm does not delete this CRD when the chart is
# uninstalled, so existing EnvoyFilter objects remain in the cluster and need
# to be inventoried and removed separately if that is the intent.
"helm.sh/resource-policy": keep
4909
name: envoyfilters.networking.istio.io
4911
group: networking.istio.io
4915
- networking-istio-io
4917
listKind: EnvoyFilterList
4918
plural: envoyfilters
4919
singular: envoyfilter
4927
description: 'Customizing Envoy configuration generated by Istio. See
4928
more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
4931
description: One or more patches with match conditions.
4936
Specifies where in the Envoy configuration, the patch should be applied.
4938
Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER
4945
- ROUTE_CONFIGURATION
4954
description: Match on listener/route configuration/cluster.
4961
- routeConfiguration
4967
- routeConfiguration
4972
description: Match on envoy cluster attributes.
4975
description: The exact name of the cluster to match.
4978
description: The service port for which this cluster
4982
description: The fully qualified service name for this
4986
description: The subset associated with the service.
4991
The specific config generation context to match on.
4993
Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY
5001
description: Match on envoy listener attributes.
5004
description: Match a specific filter chain in a listener.
5006
applicationProtocols:
5007
description: Applies only to sidecars.
5010
description: The destination_port value used by
5011
a filter chain's match condition.
5014
description: The name of a specific filter to apply
5018
description: The filter name to match on.
5021
description: The next level filter within this
5022
filter to match upon.
5025
description: The filter name to match on.
5030
description: The name assigned to the filter chain.
5033
description: The SNI value used by a filter chain's
5037
description: Applies only to `SIDECAR_INBOUND` context.
5041
description: Match a specific listener filter.
5044
description: Match a specific listener by its name.
5049
description: The service port/gateway port to which
5050
traffic is being sent/received.
5054
description: Match on properties associated with a proxy.
5057
additionalProperties:
5059
description: Match on the node metadata supplied by
5060
a proxy when connecting to Istio Pilot.
5063
description: A regular expression in golang regex format
5064
(RE2) that can be used to select proxies using a specific
5065
version of istio proxy.
5069
description: Match on envoy HTTP route configuration attributes.
5072
description: The Istio gateway config's namespace/name
5073
for which this route configuration was generated.
5076
description: Route configuration name to match on.
5079
description: Applicable only for GATEWAY context.
5082
description: The service port number or gateway server
5083
port number for which this route configuration was
5087
description: Match a specific virtual host in a route
5088
configuration and apply the patch to the virtual host.
5091
description: The VirtualHosts objects generated
5092
by Istio are named as host:port, where the host
5093
typically corresponds to the VirtualService's
5094
host field or the hostname of a service in the
5098
description: Match a specific route within the virtual
5103
Match a route with specific action type.
5105
Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE
5113
description: The Route objects generated by
5114
default are named as default.
5121
description: The patch to apply along with the operation.
5125
Determines the filter insertion order.
5127
Valid Options: AUTHN, AUTHZ, STATS
5136
Determines how the patch should be applied.
5138
Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE
5150
# Security note: the patched object is free-form JSON and
# x-kubernetes-preserve-unknown-fields is true for it, so this CRD schema does
# not constrain what a patch contains. Limit who may create or modify
# EnvoyFilter resources (RBAC) and review patches before they are applied.
description: The JSON config of the object being patched.
5152
x-kubernetes-preserve-unknown-fields: true
5157
description: Priority defines the order in which patch sets are applied
5162
description: Criteria used to select the specific set of pods/VMs
5163
on which this patch configuration should be applied.
5166
additionalProperties:
5168
description: One or more labels that indicate a specific set of
5169
pods/VMs on which the configuration should be applied.
5175
x-kubernetes-preserve-unknown-fields: true
5182
apiVersion: apiextensions.k8s.io/v1
5183
kind: CustomResourceDefinition
5186
"helm.sh/resource-policy": keep
5192
name: gateways.networking.istio.io
5194
group: networking.istio.io
5198
- networking-istio-io
5200
listKind: GatewayList
5212
description: 'Configuration affecting edge load balancer. See more details
5213
at: https://istio.io/docs/reference/config/networking/gateway.html'
5216
additionalProperties:
5218
description: One or more labels that indicate a specific set of pods/VMs
5219
on which this gateway configuration should be applied.
5222
description: A list of server specifications.
5226
description: The ip or the Unix domain socket to which the listener
5232
description: One or more hosts exposed by this gateway.
5237
description: An optional name of the server, when set must be
5238
unique across all servers.
5241
description: The Port on which the proxy should listen for incoming
5245
description: Label assigned to the port.
5248
description: A valid non-negative integer port number.
5251
description: The protocol exposed on the port.
5261
description: Set of TLS related options that govern the server's
5265
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
5268
description: 'OPTIONAL: The path to the file containing
5269
the certificate revocation list (CRL) to use in verifying
5270
a presented client side certificate.'
5273
description: 'Optional: If specified, only support the specified
5279
description: For gateways running on Kubernetes, the name
5280
of the secret that holds the TLS certs including the CA
5284
description: If set to true, the load balancer will send
5285
a 301 redirect for all http connections, asking the clients
5290
Optional: Maximum TLS protocol version.
5292
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
5302
Optional: Minimum TLS protocol version.
5304
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
5314
Optional: Indicates whether connections to this port should be secured using TLS.
5316
Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
5326
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
5329
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
5332
description: A list of alternate names to verify the subject
5333
identity in the certificate presented by the client.
5337
# Pins individual client certificates by hash: a re-issued certificate has a
# different hash, so this list has to be updated whenever a client certificate
# is rotated.
verifyCertificateHash:
5338
description: An optional list of hex-encoded SHA-256 hashes
5339
of the authorized client certificates.
5343
# Pins client public keys (SPKI) rather than whole certificates: an entry stays
# valid across re-issuance only while the client keeps the same key pair.
verifyCertificateSpki:
5344
description: An optional list of base64-encoded SHA-256
5345
hashes of the SPKIs of authorized client certificates.
5358
x-kubernetes-preserve-unknown-fields: true
5369
description: 'Configuration affecting edge load balancer. See more details
5370
at: https://istio.io/docs/reference/config/networking/gateway.html'
5373
additionalProperties:
5375
description: One or more labels that indicate a specific set of pods/VMs
5376
on which this gateway configuration should be applied.
5379
description: A list of server specifications.
5383
description: The ip or the Unix domain socket to which the listener
5389
description: One or more hosts exposed by this gateway.
5394
description: An optional name of the server, when set must be
5395
unique across all servers.
5398
description: The Port on which the proxy should listen for incoming
5402
description: Label assigned to the port.
5405
description: A valid non-negative integer port number.
5408
description: The protocol exposed on the port.
5418
description: Set of TLS related options that govern the server's
5422
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
5425
description: 'OPTIONAL: The path to the file containing
5426
the certificate revocation list (CRL) to use in verifying
5427
a presented client side certificate.'
5430
description: 'Optional: If specified, only support the specified
5436
description: For gateways running on Kubernetes, the name
5437
of the secret that holds the TLS certs including the CA
5441
description: If set to true, the load balancer will send
5442
a 301 redirect for all http connections, asking the clients
5447
Optional: Maximum TLS protocol version.
5449
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
5459
Optional: Minimum TLS protocol version.
5461
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
5471
Optional: Indicates whether connections to this port should be secured using TLS.
5473
Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
5483
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
5486
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
5489
description: A list of alternate names to verify the subject
5490
identity in the certificate presented by the client.
5494
verifyCertificateHash:
5495
description: An optional list of hex-encoded SHA-256 hashes
5496
of the authorized client certificates.
5500
verifyCertificateSpki:
5501
description: An optional list of base64-encoded SHA-256
5502
hashes of the SPKIs of authorized client certificates.
5515
x-kubernetes-preserve-unknown-fields: true
5526
description: 'Configuration affecting edge load balancer. See more details
5527
at: https://istio.io/docs/reference/config/networking/gateway.html'
5530
additionalProperties:
5532
description: One or more labels that indicate a specific set of pods/VMs
5533
on which this gateway configuration should be applied.
5536
description: A list of server specifications.
5540
description: The ip or the Unix domain socket to which the listener
5546
description: One or more hosts exposed by this gateway.
5551
description: An optional name of the server, when set must be
5552
unique across all servers.
5555
description: The Port on which the proxy should listen for incoming
5559
description: Label assigned to the port.
5562
description: A valid non-negative integer port number.
5565
description: The protocol exposed on the port.
5575
description: Set of TLS related options that govern the server's
5579
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
5582
description: 'OPTIONAL: The path to the file containing
5583
the certificate revocation list (CRL) to use in verifying
5584
a presented client side certificate.'
5587
description: 'Optional: If specified, only support the specified
5593
description: For gateways running on Kubernetes, the name
5594
of the secret that holds the TLS certs including the CA
5598
description: If set to true, the load balancer will send
5599
a 301 redirect for all http connections, asking the clients
5604
Optional: Maximum TLS protocol version.
5606
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
5616
Optional: Minimum TLS protocol version.
5618
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
5628
Optional: Indicates whether connections to this port should be secured using TLS.
5630
Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
5640
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
5643
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
5646
description: A list of alternate names to verify the subject
5647
identity in the certificate presented by the client.
5651
verifyCertificateHash:
5652
description: An optional list of hex-encoded SHA-256 hashes
5653
of the authorized client certificates.
5657
verifyCertificateSpki:
5658
description: An optional list of base64-encoded SHA-256
5659
hashes of the SPKIs of authorized client certificates.
5672
x-kubernetes-preserve-unknown-fields: true
5679
apiVersion: apiextensions.k8s.io/v1
5680
kind: CustomResourceDefinition
5683
"helm.sh/resource-policy": keep
5689
name: proxyconfigs.networking.istio.io
5691
group: networking.istio.io
5695
- networking-istio-io
5697
listKind: ProxyConfigList
5698
plural: proxyconfigs
5699
singular: proxyconfig
5707
description: 'Provides configuration for individual workloads. See more
5708
details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
5711
description: The number of worker threads to run.
5714
# NOTE(review): values set here are part of the ProxyConfig object itself, so
# anyone who can read the resource can presumably read them; avoid placing
# credentials in this map (confirm against how the cluster exposes the object).
environmentVariables:
5715
additionalProperties:
5717
description: Additional environment variables for the proxy.
5720
description: Specifies the details of the proxy image.
5723
description: The image type of the image.
5727
description: Optional.
5730
additionalProperties:
5732
description: One or more labels that indicate a specific set of
5733
pods/VMs on which a policy should be applied.
5739
x-kubernetes-preserve-unknown-fields: true
5746
apiVersion: apiextensions.k8s.io/v1
5747
kind: CustomResourceDefinition
5750
"helm.sh/resource-policy": keep
5756
name: serviceentries.networking.istio.io
5758
group: networking.istio.io
5762
- networking-istio-io
5764
listKind: ServiceEntryList
5765
plural: serviceentries
5768
singular: serviceentry
5771
- additionalPrinterColumns:
5772
- description: The hosts associated with the ServiceEntry
5773
jsonPath: .spec.hosts
5776
- description: Whether the service is external to the mesh or part of the mesh
5777
(MESH_EXTERNAL or MESH_INTERNAL)
5778
jsonPath: .spec.location
5781
- description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
5782
jsonPath: .spec.resolution
5785
- description: 'CreationTimestamp is a timestamp representing the server time
5786
when this object was created. It is not guaranteed to be set in happens-before
5787
order across separate operations. Clients may not set this value. It is represented
5788
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
5789
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
5790
jsonPath: .metadata.creationTimestamp
5798
description: 'Configuration affecting service registry. See more details
5799
at: https://istio.io/docs/reference/config/networking/service-entry.html'
5802
description: The virtual IP addresses associated with the service.
5807
description: One or more endpoints associated with the service.
5811
description: Address associated with the network endpoint without
5815
additionalProperties:
5817
description: One or more labels associated with the endpoint.
5820
description: The locality associated with the endpoint.
5823
description: Network enables Istio to group endpoints resident
5824
in the same L3 domain/network.
5827
additionalProperties:
5829
description: Set of ports associated with the endpoint.
5832
description: The service account associated with the workload
5833
if a sidecar is present in the workload.
5836
description: The load balancing weight associated with the endpoint.
5841
description: A list of namespaces to which this service is exported.
5846
description: The hosts associated with the ServiceEntry.
5852
Specify whether the service should be considered external to the mesh or part of the mesh.
5854
Valid Options: MESH_EXTERNAL, MESH_INTERNAL
5860
description: The ports associated with the external service.
5864
description: Label assigned to the port.
5867
description: A valid non-negative integer port number.
5870
description: The protocol exposed on the port.
5873
description: The port number on the endpoint where the traffic
5883
Service resolution mode for the hosts.
5885
Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
5893
# Security note: per the description, the SAN check is performed only when this
# list is specified; a ServiceEntry that omits it gets no SAN verification from
# this field.
description: If specified, the proxy will verify that the server certificate's
5894
subject alternate name matches one of the specified values.
5899
description: Applicable only for MESH_INTERNAL services.
5902
additionalProperties:
5904
description: One or more labels that indicate a specific set of
5905
pods/VMs on which the configuration should be applied.
5913
x-kubernetes-preserve-unknown-fields: true
5919
- additionalPrinterColumns:
5920
- description: The hosts associated with the ServiceEntry
5921
jsonPath: .spec.hosts
5924
- description: Whether the service is external to the mesh or part of the mesh
5925
(MESH_EXTERNAL or MESH_INTERNAL)
5926
jsonPath: .spec.location
5929
- description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
5930
jsonPath: .spec.resolution
5933
- description: 'CreationTimestamp is a timestamp representing the server time
5934
when this object was created. It is not guaranteed to be set in happens-before
5935
order across separate operations. Clients may not set this value. It is represented
5936
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
5937
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
5938
jsonPath: .metadata.creationTimestamp
5946
description: 'Configuration affecting service registry. See more details
5947
at: https://istio.io/docs/reference/config/networking/service-entry.html'
5950
description: The virtual IP addresses associated with the service.
5955
description: One or more endpoints associated with the service.
5959
description: Address associated with the network endpoint without
5963
additionalProperties:
5965
description: One or more labels associated with the endpoint.
5968
description: The locality associated with the endpoint.
5971
description: Network enables Istio to group endpoints resident
5972
in the same L3 domain/network.
5975
additionalProperties:
5977
description: Set of ports associated with the endpoint.
5980
description: The service account associated with the workload
5981
if a sidecar is present in the workload.
5984
description: The load balancing weight associated with the endpoint.
5989
description: A list of namespaces to which this service is exported.
5994
description: The hosts associated with the ServiceEntry.
6000
Specify whether the service should be considered external to the mesh or part of the mesh.
6002
Valid Options: MESH_EXTERNAL, MESH_INTERNAL
6008
description: The ports associated with the external service.
6012
description: Label assigned to the port.
6015
description: A valid non-negative integer port number.
6018
description: The protocol exposed on the port.
6021
description: The port number on the endpoint where the traffic
6031
Service resolution mode for the hosts.
6033
Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
6041
description: If specified, the proxy will verify that the server certificate's
6042
subject alternate name matches one of the specified values.
6047
description: Applicable only for MESH_INTERNAL services.
6050
additionalProperties:
6052
description: One or more labels that indicate a specific set of
6053
pods/VMs on which the configuration should be applied.
6061
x-kubernetes-preserve-unknown-fields: true
6067
- additionalPrinterColumns:
6068
- description: The hosts associated with the ServiceEntry
6069
jsonPath: .spec.hosts
6072
- description: Whether the service is external to the mesh or part of the mesh
6073
(MESH_EXTERNAL or MESH_INTERNAL)
6074
jsonPath: .spec.location
6077
- description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
6078
jsonPath: .spec.resolution
6081
- description: 'CreationTimestamp is a timestamp representing the server time
6082
when this object was created. It is not guaranteed to be set in happens-before
6083
order across separate operations. Clients may not set this value. It is represented
6084
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
6085
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
6086
jsonPath: .metadata.creationTimestamp
6094
description: 'Configuration affecting service registry. See more details
6095
at: https://istio.io/docs/reference/config/networking/service-entry.html'
6098
description: The virtual IP addresses associated with the service.
6103
description: One or more endpoints associated with the service.
6107
description: Address associated with the network endpoint without
6111
additionalProperties:
6113
description: One or more labels associated with the endpoint.
6116
description: The locality associated with the endpoint.
6119
description: Network enables Istio to group endpoints resident
6120
in the same L3 domain/network.
6123
additionalProperties:
6125
description: Set of ports associated with the endpoint.
6128
description: The service account associated with the workload
6129
if a sidecar is present in the workload.
6132
description: The load balancing weight associated with the endpoint.
6137
description: A list of namespaces to which this service is exported.
6142
description: The hosts associated with the ServiceEntry.
6148
Specify whether the service should be considered external to the mesh or part of the mesh.
6150
Valid Options: MESH_EXTERNAL, MESH_INTERNAL
6156
description: The ports associated with the external service.
6160
description: Label assigned to the port.
6163
description: A valid non-negative integer port number.
6166
description: The protocol exposed on the port.
6169
description: The port number on the endpoint where the traffic
6179
Service resolution mode for the hosts.
6181
Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
6189
description: If specified, the proxy will verify that the server certificate's
6190
subject alternate name matches one of the specified values.
6195
description: Applicable only for MESH_INTERNAL services.
6198
additionalProperties:
6200
description: One or more labels that indicate a specific set of
6201
pods/VMs on which the configuration should be applied.
6209
x-kubernetes-preserve-unknown-fields: true
6216
apiVersion: apiextensions.k8s.io/v1
6217
kind: CustomResourceDefinition
6220
"helm.sh/resource-policy": keep
6226
name: sidecars.networking.istio.io
6228
group: networking.istio.io
6232
- networking-istio-io
6234
listKind: SidecarList
6244
description: 'Configuration affecting network reachability of a sidecar.
6245
See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
6248
description: Egress specifies the configuration of the sidecar for
6249
processing outbound traffic from the attached workload instance
6250
to other services in the mesh.
6254
description: The IP(IPv4 or IPv6) or the Unix domain socket
6255
to which the listener should be bound to.
6259
When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not).
6261
Valid Options: DEFAULT, IPTABLES, NONE
6268
description: One or more service hosts exposed by the listener
6269
in `namespace/dnsName` format.
6274
description: The port associated with the listener.
6277
description: Label assigned to the port.
6280
description: A valid non-negative integer port number.
6283
description: The protocol exposed on the port.
6292
inboundConnectionPool:
6293
description: Settings controlling the volume of connections Envoy
6294
will accept from the network.
6297
description: HTTP connection pool settings.
6301
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
6303
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
6309
http1MaxPendingRequests:
6310
description: Maximum number of requests that will be queued
6311
while waiting for a ready connection pool connection.
6315
description: Maximum number of active requests to a destination.
6319
description: The idle timeout for upstream connection pool
6322
maxConcurrentStreams:
6323
description: The maximum number of concurrent streams allowed
6324
for a peer on one HTTP/2 connection.
6327
maxRequestsPerConnection:
6328
description: Maximum number of requests per connection to
6333
description: Maximum number of retries that can be outstanding
6334
to all hosts in a cluster at a given time.
6338
description: If set to true, client protocol will be preserved
6339
while initiating connection to backend.
6343
description: Settings common to both HTTP and TCP upstream connections.
6346
description: TCP connection timeout.
6349
description: The idle timeout for TCP connections.
6351
maxConnectionDuration:
6352
description: The maximum duration of a connection.
6355
description: Maximum number of HTTP1/TCP connections to a
6360
description: If set then set SO_KEEPALIVE on the socket to
6361
enable TCP Keepalives.
6364
description: The time duration between keep-alive probes.
6367
description: Maximum number of keepalive probes to send
6368
without response before deciding the connection is dead.
6371
description: The time duration a connection needs to be
6372
idle before keep-alive probes start being sent.
6378
description: Ingress specifies the configuration of the sidecar for
6379
processing inbound traffic to the attached workload instance.
6383
description: The IP(IPv4 or IPv6) to which the listener should
6388
The captureMode option dictates how traffic to the listener is expected to be captured (or not).
6390
Valid Options: DEFAULT, IPTABLES, NONE
6397
description: Settings controlling the volume of connections
6398
Envoy will accept from the network.
6401
description: HTTP connection pool settings.
6405
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
6407
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
6413
http1MaxPendingRequests:
6414
description: Maximum number of requests that will be
6415
queued while waiting for a ready connection pool connection.
6419
description: Maximum number of active requests to a
6424
description: The idle timeout for upstream connection
6427
maxConcurrentStreams:
6428
description: The maximum number of concurrent streams
6429
allowed for a peer on one HTTP/2 connection.
6432
maxRequestsPerConnection:
6433
description: Maximum number of requests per connection
6438
description: Maximum number of retries that can be outstanding
6439
to all hosts in a cluster at a given time.
6443
description: If set to true, client protocol will be
6444
preserved while initiating connection to backend.
6448
description: Settings common to both HTTP and TCP upstream
6452
description: TCP connection timeout.
6455
description: The idle timeout for TCP connections.
6457
maxConnectionDuration:
6458
description: The maximum duration of a connection.
6461
description: Maximum number of HTTP1/TCP connections
6462
to a destination host.
6466
description: If set then set SO_KEEPALIVE on the socket
6467
to enable TCP Keepalives.
6470
description: The time duration between keep-alive
6474
description: Maximum number of keepalive probes
6475
to send without response before deciding the connection
6479
description: The time duration a connection needs
6480
to be idle before keep-alive probes start being
6487
description: The IP endpoint or Unix domain socket to which
6488
traffic should be forwarded.
6491
description: The port associated with the listener.
6494
description: Label assigned to the port.
6497
description: A valid non-negative integer port number.
6500
description: The protocol exposed on the port.
6506
description: Set of TLS related options that will enable TLS
6507
termination on the sidecar for requests originating from outside
6511
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
6514
description: 'OPTIONAL: The path to the file containing
6515
the certificate revocation list (CRL) to use in verifying
6516
a presented client side certificate.'
6519
description: 'Optional: If specified, only support the specified
6525
description: For gateways running on Kubernetes, the name
6526
of the secret that holds the TLS certs including the CA
6530
description: If set to true, the load balancer will send
6531
a 301 redirect for all http connections, asking the clients
6536
Optional: Maximum TLS protocol version.
6538
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
6548
Optional: Minimum TLS protocol version.
6550
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
6560
Optional: Indicates whether connections to this port should be secured using TLS.
6562
Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
6572
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
6575
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
6578
description: A list of alternate names to verify the subject
6579
identity in the certificate presented by the client.
6583
verifyCertificateHash:
6584
description: An optional list of hex-encoded SHA-256 hashes
6585
of the authorized client certificates.
6589
verifyCertificateSpki:
6590
description: An optional list of base64-encoded SHA-256
6591
hashes of the SPKIs of authorized client certificates.
6600
outboundTrafficPolicy:
6601
description: Configuration for the outbound traffic policy.
6606
description: The name of a service from the service registry.
6609
description: Specifies the port on the host that is being
6616
description: The name of a subset within the service.
6625
Valid Options: REGISTRY_ONLY, ALLOW_ANY
6632
description: Criteria used to select the specific set of pods/VMs
6633
on which this `Sidecar` configuration should be applied.
6636
additionalProperties:
6638
description: One or more labels that indicate a specific set of
6639
pods/VMs on which the configuration should be applied.
6645
x-kubernetes-preserve-unknown-fields: true
6656
description: 'Configuration affecting network reachability of a sidecar.
6657
See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
6660
description: Egress specifies the configuration of the sidecar for
6661
processing outbound traffic from the attached workload instance
6662
to other services in the mesh.
6666
description: The IP(IPv4 or IPv6) or the Unix domain socket
6667
to which the listener should be bound.
6671
When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not).
6673
Valid Options: DEFAULT, IPTABLES, NONE
6680
description: One or more service hosts exposed by the listener
6681
in `namespace/dnsName` format.
6686
description: The port associated with the listener.
6689
description: Label assigned to the port.
6692
description: A valid non-negative integer port number.
6695
description: The protocol exposed on the port.
6704
inboundConnectionPool:
6705
description: Settings controlling the volume of connections Envoy
6706
will accept from the network.
6709
description: HTTP connection pool settings.
6713
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
6715
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
6721
http1MaxPendingRequests:
6722
description: Maximum number of requests that will be queued
6723
while waiting for a ready connection pool connection.
6727
description: Maximum number of active requests to a destination.
6731
description: The idle timeout for upstream connection pool
6734
maxConcurrentStreams:
6735
description: The maximum number of concurrent streams allowed
6736
for a peer on one HTTP/2 connection.
6739
maxRequestsPerConnection:
6740
description: Maximum number of requests per connection to
6745
description: Maximum number of retries that can be outstanding
6746
to all hosts in a cluster at a given time.
6750
description: If set to true, client protocol will be preserved
6751
while initiating connection to backend.
6755
description: Settings common to both HTTP and TCP upstream connections.
6758
description: TCP connection timeout.
6761
description: The idle timeout for TCP connections.
6763
maxConnectionDuration:
6764
description: The maximum duration of a connection.
6767
description: Maximum number of HTTP1/TCP connections to a
6772
description: If set then set SO_KEEPALIVE on the socket to
6773
enable TCP Keepalives.
6776
description: The time duration between keep-alive probes.
6779
description: Maximum number of keepalive probes to send
6780
without response before deciding the connection is dead.
6783
description: The time duration a connection needs to be
6784
idle before keep-alive probes start being sent.
6790
description: Ingress specifies the configuration of the sidecar for
6791
processing inbound traffic to the attached workload instance.
6795
description: The IP(IPv4 or IPv6) to which the listener should
6800
The captureMode option dictates how traffic to the listener is expected to be captured (or not).
6802
Valid Options: DEFAULT, IPTABLES, NONE
6809
description: Settings controlling the volume of connections
6810
Envoy will accept from the network.
6813
description: HTTP connection pool settings.
6817
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
6819
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
6825
http1MaxPendingRequests:
6826
description: Maximum number of requests that will be
6827
queued while waiting for a ready connection pool connection.
6831
description: Maximum number of active requests to a
6836
description: The idle timeout for upstream connection
6839
maxConcurrentStreams:
6840
description: The maximum number of concurrent streams
6841
allowed for a peer on one HTTP/2 connection.
6844
maxRequestsPerConnection:
6845
description: Maximum number of requests per connection
6850
description: Maximum number of retries that can be outstanding
6851
to all hosts in a cluster at a given time.
6855
description: If set to true, client protocol will be
6856
preserved while initiating connection to backend.
6860
description: Settings common to both HTTP and TCP upstream
6864
description: TCP connection timeout.
6867
description: The idle timeout for TCP connections.
6869
maxConnectionDuration:
6870
description: The maximum duration of a connection.
6873
description: Maximum number of HTTP1/TCP connections
6874
to a destination host.
6878
description: If set then set SO_KEEPALIVE on the socket
6879
to enable TCP Keepalives.
6882
description: The time duration between keep-alive
6886
description: Maximum number of keepalive probes
6887
to send without response before deciding the connection
6891
description: The time duration a connection needs
6892
to be idle before keep-alive probes start being
6899
description: The IP endpoint or Unix domain socket to which
6900
traffic should be forwarded.
6903
description: The port associated with the listener.
6906
description: Label assigned to the port.
6909
description: A valid non-negative integer port number.
6912
description: The protocol exposed on the port.
6918
description: Set of TLS related options that will enable TLS
6919
termination on the sidecar for requests originating from outside
6923
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
6926
description: 'OPTIONAL: The path to the file containing
6927
the certificate revocation list (CRL) to use in verifying
6928
a presented client side certificate.'
6931
description: 'Optional: If specified, only support the specified
6937
description: For gateways running on Kubernetes, the name
6938
of the secret that holds the TLS certs including the CA
6942
description: If set to true, the load balancer will send
6943
a 301 redirect for all http connections, asking the clients
6948
Optional: Maximum TLS protocol version.
6950
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
6960
Optional: Minimum TLS protocol version.
6962
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
6972
Optional: Indicates whether connections to this port should be secured using TLS.
6974
Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
6984
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
6987
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
6990
description: A list of alternate names to verify the subject
6991
identity in the certificate presented by the client.
6995
verifyCertificateHash:
6996
description: An optional list of hex-encoded SHA-256 hashes
6997
of the authorized client certificates.
7001
verifyCertificateSpki:
7002
description: An optional list of base64-encoded SHA-256
7003
hashes of the SPKIs of authorized client certificates.
7012
outboundTrafficPolicy:
7013
description: Configuration for the outbound traffic policy.
7018
description: The name of a service from the service registry.
7021
description: Specifies the port on the host that is being
7028
description: The name of a subset within the service.
7037
Valid Options: REGISTRY_ONLY, ALLOW_ANY
7044
description: Criteria used to select the specific set of pods/VMs
7045
on which this `Sidecar` configuration should be applied.
7048
additionalProperties:
7050
description: One or more labels that indicate a specific set of
7051
pods/VMs on which the configuration should be applied.
7057
x-kubernetes-preserve-unknown-fields: true
7068
description: 'Configuration affecting network reachability of a sidecar.
7069
See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
7072
description: Egress specifies the configuration of the sidecar for
7073
processing outbound traffic from the attached workload instance
7074
to other services in the mesh.
7078
description: The IP(IPv4 or IPv6) or the Unix domain socket
7079
to which the listener should be bound.
7083
When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not).
7085
Valid Options: DEFAULT, IPTABLES, NONE
7092
description: One or more service hosts exposed by the listener
7093
in `namespace/dnsName` format.
7098
description: The port associated with the listener.
7101
description: Label assigned to the port.
7104
description: A valid non-negative integer port number.
7107
description: The protocol exposed on the port.
7116
inboundConnectionPool:
7117
description: Settings controlling the volume of connections Envoy
7118
will accept from the network.
7121
description: HTTP connection pool settings.
7125
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
7127
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
7133
http1MaxPendingRequests:
7134
description: Maximum number of requests that will be queued
7135
while waiting for a ready connection pool connection.
7139
description: Maximum number of active requests to a destination.
7143
description: The idle timeout for upstream connection pool
7146
maxConcurrentStreams:
7147
description: The maximum number of concurrent streams allowed
7148
for a peer on one HTTP/2 connection.
7151
maxRequestsPerConnection:
7152
description: Maximum number of requests per connection to
7157
description: Maximum number of retries that can be outstanding
7158
to all hosts in a cluster at a given time.
7162
description: If set to true, client protocol will be preserved
7163
while initiating connection to backend.
7167
description: Settings common to both HTTP and TCP upstream connections.
7170
description: TCP connection timeout.
7173
description: The idle timeout for TCP connections.
7175
maxConnectionDuration:
7176
description: The maximum duration of a connection.
7179
description: Maximum number of HTTP1/TCP connections to a
7184
description: If set then set SO_KEEPALIVE on the socket to
7185
enable TCP Keepalives.
7188
description: The time duration between keep-alive probes.
7191
description: Maximum number of keepalive probes to send
7192
without response before deciding the connection is dead.
7195
description: The time duration a connection needs to be
7196
idle before keep-alive probes start being sent.
7202
description: Ingress specifies the configuration of the sidecar for
7203
processing inbound traffic to the attached workload instance.
7207
description: The IP(IPv4 or IPv6) to which the listener should
7212
The captureMode option dictates how traffic to the listener is expected to be captured (or not).
7214
Valid Options: DEFAULT, IPTABLES, NONE
7221
description: Settings controlling the volume of connections
7222
Envoy will accept from the network.
7225
description: HTTP connection pool settings.
7229
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
7231
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
7237
http1MaxPendingRequests:
7238
description: Maximum number of requests that will be
7239
queued while waiting for a ready connection pool connection.
7243
description: Maximum number of active requests to a
7248
description: The idle timeout for upstream connection
7251
maxConcurrentStreams:
7252
description: The maximum number of concurrent streams
7253
allowed for a peer on one HTTP/2 connection.
7256
maxRequestsPerConnection:
7257
description: Maximum number of requests per connection
7262
description: Maximum number of retries that can be outstanding
7263
to all hosts in a cluster at a given time.
7267
description: If set to true, client protocol will be
7268
preserved while initiating connection to backend.
7272
description: Settings common to both HTTP and TCP upstream
7276
description: TCP connection timeout.
7279
description: The idle timeout for TCP connections.
7281
maxConnectionDuration:
7282
description: The maximum duration of a connection.
7285
description: Maximum number of HTTP1/TCP connections
7286
to a destination host.
7290
description: If set then set SO_KEEPALIVE on the socket
7291
to enable TCP Keepalives.
7294
description: The time duration between keep-alive
7298
description: Maximum number of keepalive probes
7299
to send without response before deciding the connection
7303
description: The time duration a connection needs
7304
to be idle before keep-alive probes start being
7311
description: The IP endpoint or Unix domain socket to which
7312
traffic should be forwarded.
7315
description: The port associated with the listener.
7318
description: Label assigned to the port.
7321
description: A valid non-negative integer port number.
7324
description: The protocol exposed on the port.
7330
description: Set of TLS related options that will enable TLS
7331
termination on the sidecar for requests originating from outside
7335
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
7338
description: 'OPTIONAL: The path to the file containing
7339
the certificate revocation list (CRL) to use in verifying
7340
a presented client side certificate.'
7343
description: 'Optional: If specified, only support the specified
7349
description: For gateways running on Kubernetes, the name
7350
of the secret that holds the TLS certs including the CA
7354
description: If set to true, the load balancer will send
7355
a 301 redirect for all http connections, asking the clients
7360
Optional: Maximum TLS protocol version.
7362
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
7372
Optional: Minimum TLS protocol version.
7374
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
7384
Optional: Indicates whether connections to this port should be secured using TLS.
7386
Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
7396
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
7399
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
7402
description: A list of alternate names to verify the subject
7403
identity in the certificate presented by the client.
7407
verifyCertificateHash:
7408
description: An optional list of hex-encoded SHA-256 hashes
7409
of the authorized client certificates.
7413
verifyCertificateSpki:
7414
description: An optional list of base64-encoded SHA-256
7415
hashes of the SPKIs of authorized client certificates.
7424
outboundTrafficPolicy:
7425
description: Configuration for the outbound traffic policy.
7430
description: The name of a service from the service registry.
7433
description: Specifies the port on the host that is being
7440
description: The name of a subset within the service.
7449
Valid Options: REGISTRY_ONLY, ALLOW_ANY
7456
description: Criteria used to select the specific set of pods/VMs
7457
on which this `Sidecar` configuration should be applied.
7460
additionalProperties:
7462
description: One or more labels that indicate a specific set of
7463
pods/VMs on which the configuration should be applied.
7469
x-kubernetes-preserve-unknown-fields: true
7476
apiVersion: apiextensions.k8s.io/v1
7477
kind: CustomResourceDefinition
7480
"helm.sh/resource-policy": keep
7486
name: virtualservices.networking.istio.io
7488
group: networking.istio.io
7492
- networking-istio-io
7493
kind: VirtualService
7494
listKind: VirtualServiceList
7495
plural: virtualservices
7498
singular: virtualservice
7501
- additionalPrinterColumns:
7502
- description: The names of gateways and sidecars that should apply these routes
7503
jsonPath: .spec.gateways
7506
- description: The destination hosts to which traffic is being sent
7507
jsonPath: .spec.hosts
7510
- description: 'CreationTimestamp is a timestamp representing the server time
7511
when this object was created. It is not guaranteed to be set in happens-before
7512
order across separate operations. Clients may not set this value. It is represented
7513
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
7514
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
7515
jsonPath: .metadata.creationTimestamp
7523
description: 'Configuration affecting label/content routing, sni routing,
7524
etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
7527
description: A list of namespaces to which this virtual service is
7533
description: The names of gateways and sidecars that should apply
7539
description: The destination hosts to which traffic is being sent.
7544
description: An ordered list of route rules for HTTP traffic.
7548
description: Cross-Origin Resource Sharing policy (CORS).
7551
description: Indicates whether the caller is allowed to
7552
send the actual request (not the preflight) using credentials.
7556
description: List of HTTP headers that can be used when
7557
requesting the resource.
7562
description: List of HTTP methods allowed to access the
7572
description: String patterns that match allowed origins.
7595
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
7600
description: A list of HTTP headers that the browsers are
7606
description: Specifies how long the results of a preflight
7607
request can be cached.
7611
description: Delegate is used to specify the particular VirtualService
7612
which can be used to define delegate HTTPRoute.
7615
description: Name specifies the name of the delegate VirtualService.
7618
description: Namespace specifies the namespace where the
7619
delegate VirtualService resides.
7623
description: A HTTP rule can either return a direct_response,
7624
redirect or forward (default) traffic.
7627
description: Specifies the content of the response body.
7641
description: response body as base64 encoded bytes.
7648
description: Specifies the HTTP response status to be returned.
7654
description: Fault injection policy to apply on HTTP traffic
7658
description: Abort Http request attempts and return error
7659
codes back to downstream service, giving the impression
7660
that the upstream service is faulty.
7678
description: GRPC status code to use to abort the request.
7683
description: HTTP status code to use to abort the Http
7688
description: Percentage of requests to be aborted with
7689
the error code provided.
7697
description: Delay requests before forwarding, emulating
7698
various failures such as network issues, overloaded upstream
7715
description: Add a fixed delay before forwarding the
7719
description: Percentage of requests on which the delay
7720
will be injected (0-100).
7724
description: Percentage of requests on which the delay
7738
additionalProperties:
7746
additionalProperties:
7753
additionalProperties:
7761
additionalProperties:
7767
description: Match conditions to be satisfied for the rule to
7772
description: 'HTTP Authority values are case-sensitive
7773
and formatted as follows: - `exact: "value"` for exact
7774
string match - `prefix: "value"` for prefix-based match
7775
- `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
7797
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
7801
description: Names of gateways where the rule should be
7807
additionalProperties:
7829
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
7832
description: The header keys must be lowercase and use
7833
hyphen as the separator, e.g.
7836
description: Flag to specify whether the URI matching
7837
should be case-insensitive.
7840
description: 'HTTP Method values are case-sensitive and
7841
formatted as follows: - `exact: "value"` for exact string
7842
match - `prefix: "value"` for prefix-based match - `regex:
7843
"value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
7865
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
7869
description: The name assigned to a match.
7872
description: Specifies the ports on the host that is being
7876
additionalProperties:
7898
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
7901
description: Query parameters for matching.
7904
description: 'URI Scheme values are case-sensitive and
7905
formatted as follows: - `exact: "value"` for exact string
7906
match - `prefix: "value"` for prefix-based match - `regex:
7907
"value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
7929
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
7933
additionalProperties:
7935
description: One or more labels that constrain the applicability
7936
of a rule to source (client) workloads with the given
7940
description: Source namespace constraining the applicability
7941
of a rule to workloads in that namespace.
7944
description: The human readable prefix to use when emitting
7945
statistics for this route.
7948
description: 'URI to match values are case-sensitive and
7949
formatted as follows: - `exact: "value"` for exact string
7950
match - `prefix: "value"` for prefix-based match - `regex:
7951
"value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
7973
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
7977
additionalProperties:
7999
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
8002
description: withoutHeader has the same syntax as the
8003
header, but has opposite meaning.
8008
description: Mirror HTTP traffic to another destination in
8009
addition to forwarding the requests to the intended destination.
8012
description: The name of a service from the service registry.
8015
description: Specifies the port on the host that is being
8022
description: The name of a subset within the service.
8034
description: Percentage of the traffic to be mirrored by the
8042
description: Specifies the destinations to mirror HTTP traffic
8043
in addition to the original destination.
8047
description: Destination specifies the target of the mirror
8051
description: The name of a service from the service
8055
description: Specifies the port on the host that is
8062
description: The name of a subset within the service.
8068
description: Percentage of the traffic to be mirrored
8069
by the `destination` field.
8080
description: The name assigned to the route for debugging purposes.
8083
description: A HTTP rule can either return a direct_response,
8084
redirect or forward (default) traffic.
8098
description: On a redirect, overwrite the Authority/Host
8099
portion of the URL with this value.
8103
On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
8105
Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
8107
- FROM_PROTOCOL_DEFAULT
8111
description: On a redirect, overwrite the port portion of
8112
the URL with this value.
8115
description: On a redirect, specifies the HTTP status code
8116
to use in the redirect response.
8119
description: On a redirect, overwrite the scheme portion
8120
of the URL with this value.
8123
description: On a redirect, overwrite the Path portion of
8124
the URL with this value.
8128
description: Retry policy for HTTP requests.
8131
description: Number of retries to be allowed for a given
8136
description: Timeout per attempt for a given request, including
8137
the initial call and any retries.
8140
description: Specifies the conditions under which retry
8143
retryRemoteLocalities:
8144
description: Flag to specify whether the retries should
8145
retry to other localities.
8150
description: Rewrite HTTP URIs and Authority headers.
8153
description: rewrite the Authority/Host header with this
8157
description: rewrite the path (or the prefix) portion of
8158
the URI with this value.
8161
description: rewrite the path portion of the URI with the
8165
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
8168
description: The string that should replace the matching
8169
portions of original URI.
8174
description: A HTTP rule can either return a direct_response,
8175
redirect or forward (default) traffic.
8179
description: Destination uniquely identifies the instances
8180
of a service to which the request/connection should
8184
description: The name of a service from the service
8188
description: Specifies the port on the host that is
8195
description: The name of a subset within the service.
8205
additionalProperties:
8213
additionalProperties:
8220
additionalProperties:
8228
additionalProperties:
8234
description: Weight specifies the relative proportion
8235
of traffic to be forwarded to the destination.
8243
description: Timeout for HTTP requests, default is disabled.
8248
description: An ordered list of route rules for opaque TCP traffic.
8252
description: Match conditions to be satisfied for the rule to
8257
description: IPv4 or IPv6 ip addresses of destination
8258
with optional subnet.
8263
description: Names of gateways where the rule should be
8269
description: Specifies the port on the host that is being
8273
additionalProperties:
8275
description: One or more labels that constrain the applicability
8276
of a rule to workloads with the given labels.
8279
description: Source namespace constraining the applicability
8280
of a rule to workloads in that namespace.
8287
description: The destination to which the connection should
8292
description: Destination uniquely identifies the instances
8293
of a service to which the request/connection should
8297
description: The name of a service from the service
8301
description: Specifies the port on the host that is
8308
description: The name of a subset within the service.
8314
description: Weight specifies the relative proportion
8315
of traffic to be forwarded to the destination.
8325
description: An ordered list of route rules for non-terminated TLS
8330
description: Match conditions to be satisfied for the rule to
8335
description: IPv4 or IPv6 IP addresses of destination
8336
with optional subnet.
8341
description: Names of gateways where the rule should be
8347
description: Specifies the port on the host that is being
8351
description: SNI (server name indicator) to match on.
8356
additionalProperties:
8358
description: One or more labels that constrain the applicability
8359
of a rule to workloads with the given labels.
8362
description: Source namespace constraining the applicability
8363
of a rule to workloads in that namespace.
8370
description: The destination to which the connection should
8375
description: Destination uniquely identifies the instances
8376
of a service to which the request/connection should
8380
description: The name of a service from the service
8384
description: Specifies the port on the host that is
8391
description: The name of a subset within the service.
8397
description: Weight specifies the relative proportion
8398
of traffic to be forwarded to the destination.
8412
x-kubernetes-preserve-unknown-fields: true
8418
- additionalPrinterColumns:
8419
- description: The names of gateways and sidecars that should apply these routes
8420
jsonPath: .spec.gateways
8423
- description: The destination hosts to which traffic is being sent
8424
jsonPath: .spec.hosts
8427
- description: 'CreationTimestamp is a timestamp representing the server time
8428
when this object was created. It is not guaranteed to be set in happens-before
8429
order across separate operations. Clients may not set this value. It is represented
8430
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
8431
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
8432
jsonPath: .metadata.creationTimestamp
8440
description: 'Configuration affecting label/content routing, sni routing,
8441
etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
8444
description: A list of namespaces to which this virtual service is
8450
description: The names of gateways and sidecars that should apply
8456
description: The destination hosts to which traffic is being sent.
8461
description: An ordered list of route rules for HTTP traffic.
8465
description: Cross-Origin Resource Sharing policy (CORS).
8468
description: Indicates whether the caller is allowed to
8469
send the actual request (not the preflight) using credentials.
8473
description: List of HTTP headers that can be used when
8474
requesting the resource.
8479
description: List of HTTP methods allowed to access the
8489
description: String patterns that match allowed origins.
8512
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
8517
description: A list of HTTP headers that the browsers are
8523
description: Specifies how long the results of a preflight
8524
request can be cached.
8528
description: Delegate is used to specify the particular VirtualService
8529
which can be used to define delegate HTTPRoute.
8532
description: Name specifies the name of the delegate VirtualService.
8535
description: Namespace specifies the namespace where the
8536
delegate VirtualService resides.
8540
description: A HTTP rule can either return a direct_response,
8541
redirect or forward (default) traffic.
8544
description: Specifies the content of the response body.
8558
description: response body as base64 encoded bytes.
8565
description: Specifies the HTTP response status to be returned.
8571
description: Fault injection policy to apply on HTTP traffic
8575
description: Abort HTTP request attempts and return error
8576
codes back to downstream service, giving the impression
8577
that the upstream service is faulty.
8595
description: GRPC status code to use to abort the request.
8600
description: HTTP status code to use to abort the HTTP
8605
description: Percentage of requests to be aborted with
8606
the error code provided.
8614
description: Delay requests before forwarding, emulating
8615
various failures such as network issues, overloaded upstream
8632
description: Add a fixed delay before forwarding the
8636
description: Percentage of requests on which the delay
8637
will be injected (0-100).
8641
description: Percentage of requests on which the delay
8655
additionalProperties:
8663
additionalProperties:
8670
additionalProperties:
8678
additionalProperties:
8684
description: Match conditions to be satisfied for the rule to
8689
description: 'HTTP Authority values are case-sensitive
8690
and formatted as follows: - `exact: "value"` for exact
8691
string match - `prefix: "value"` for prefix-based match
8692
- `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
8714
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
8718
description: Names of gateways where the rule should be
8724
additionalProperties:
8746
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
8749
description: The header keys must be lowercase and use
8750
hyphen as the separator, e.g.
8753
description: Flag to specify whether the URI matching
8754
should be case-insensitive.
8757
description: 'HTTP Method values are case-sensitive and
8758
formatted as follows: - `exact: "value"` for exact string
8759
match - `prefix: "value"` for prefix-based match - `regex:
8760
"value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
8782
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
8786
description: The name assigned to a match.
8789
description: Specifies the ports on the host that is being
8793
additionalProperties:
8815
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
8818
description: Query parameters for matching.
8821
description: 'URI Scheme values are case-sensitive and
8822
formatted as follows: - `exact: "value"` for exact string
8823
match - `prefix: "value"` for prefix-based match - `regex:
8824
"value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
8846
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
8850
additionalProperties:
8852
description: One or more labels that constrain the applicability
8853
of a rule to source (client) workloads with the given
8857
description: Source namespace constraining the applicability
8858
of a rule to workloads in that namespace.
8861
description: The human readable prefix to use when emitting
8862
statistics for this route.
8865
description: 'URI to match values are case-sensitive and
8866
formatted as follows: - `exact: "value"` for exact string
8867
match - `prefix: "value"` for prefix-based match - `regex:
8868
"value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
8890
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
8894
additionalProperties:
8916
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
8919
description: withoutHeader has the same syntax as the
8920
header, but has opposite meaning.
8925
description: Mirror HTTP traffic to another destination in
8926
addition to forwarding the requests to the intended destination.
8929
description: The name of a service from the service registry.
8932
description: Specifies the port on the host that is being
8939
description: The name of a subset within the service.
8951
description: Percentage of the traffic to be mirrored by the
8959
description: Specifies the destinations to mirror HTTP traffic
8960
in addition to the original destination.
8964
description: Destination specifies the target of the mirror
8968
description: The name of a service from the service
8972
description: Specifies the port on the host that is
8979
description: The name of a subset within the service.
8985
description: Percentage of the traffic to be mirrored
8986
by the `destination` field.
8997
description: The name assigned to the route for debugging purposes.
9000
description: A HTTP rule can either return a direct_response,
9001
redirect or forward (default) traffic.
9015
description: On a redirect, overwrite the Authority/Host
9016
portion of the URL with this value.
9020
On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
9022
Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
9024
- FROM_PROTOCOL_DEFAULT
9028
description: On a redirect, overwrite the port portion of
9029
the URL with this value.
9032
description: On a redirect, specifies the HTTP status code
9033
to use in the redirect response.
9036
description: On a redirect, overwrite the scheme portion
9037
of the URL with this value.
9040
description: On a redirect, overwrite the Path portion of
9041
the URL with this value.
9045
description: Retry policy for HTTP requests.
9048
description: Number of retries to be allowed for a given
9053
description: Timeout per attempt for a given request, including
9054
the initial call and any retries.
9057
description: Specifies the conditions under which retry
9060
retryRemoteLocalities:
9061
description: Flag to specify whether the retries should
9062
retry to other localities.
9067
description: Rewrite HTTP URIs and Authority headers.
9070
description: rewrite the Authority/Host header with this
9074
description: rewrite the path (or the prefix) portion of
9075
the URI with this value.
9078
description: rewrite the path portion of the URI with the
9082
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
9085
description: The string that should replace the matching
9086
portions of original URI.
9091
description: A HTTP rule can either return a direct_response,
9092
redirect or forward (default) traffic.
9096
description: Destination uniquely identifies the instances
9097
of a service to which the request/connection should
9101
description: The name of a service from the service
9105
description: Specifies the port on the host that is
9112
description: The name of a subset within the service.
9122
additionalProperties:
9130
additionalProperties:
9137
additionalProperties:
9145
additionalProperties:
9151
description: Weight specifies the relative proportion
9152
of traffic to be forwarded to the destination.
9160
description: Timeout for HTTP requests, default is disabled.
9165
description: An ordered list of route rules for opaque TCP traffic.
9169
description: Match conditions to be satisfied for the rule to
9174
description: IPv4 or IPv6 IP addresses of destination
9175
with optional subnet.
9180
description: Names of gateways where the rule should be
9186
description: Specifies the port on the host that is being
9190
additionalProperties:
9192
description: One or more labels that constrain the applicability
9193
of a rule to workloads with the given labels.
9196
description: Source namespace constraining the applicability
9197
of a rule to workloads in that namespace.
9204
description: The destination to which the connection should
9209
description: Destination uniquely identifies the instances
9210
of a service to which the request/connection should
9214
description: The name of a service from the service
9218
description: Specifies the port on the host that is
9225
description: The name of a subset within the service.
9231
description: Weight specifies the relative proportion
9232
of traffic to be forwarded to the destination.
9242
description: An ordered list of route rules for non-terminated TLS
9247
description: Match conditions to be satisfied for the rule to
9252
description: IPv4 or IPv6 IP addresses of destination
9253
with optional subnet.
9258
description: Names of gateways where the rule should be
9264
description: Specifies the port on the host that is being
9268
description: SNI (server name indicator) to match on.
9273
additionalProperties:
9275
description: One or more labels that constrain the applicability
9276
of a rule to workloads with the given labels.
9279
description: Source namespace constraining the applicability
9280
of a rule to workloads in that namespace.
9287
description: The destination to which the connection should
9292
description: Destination uniquely identifies the instances
9293
of a service to which the request/connection should
9297
description: The name of a service from the service
9301
description: Specifies the port on the host that is
9308
description: The name of a subset within the service.
9314
description: Weight specifies the relative proportion
9315
of traffic to be forwarded to the destination.
9329
x-kubernetes-preserve-unknown-fields: true
9335
- additionalPrinterColumns:
9336
- description: The names of gateways and sidecars that should apply these routes
9337
jsonPath: .spec.gateways
9340
- description: The destination hosts to which traffic is being sent
9341
jsonPath: .spec.hosts
9344
- description: 'CreationTimestamp is a timestamp representing the server time
9345
when this object was created. It is not guaranteed to be set in happens-before
9346
order across separate operations. Clients may not set this value. It is represented
9347
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
9348
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
9349
jsonPath: .metadata.creationTimestamp
9357
description: 'Configuration affecting label/content routing, sni routing,
9358
etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
9361
description: A list of namespaces to which this virtual service is
9367
description: The names of gateways and sidecars that should apply
9373
description: The destination hosts to which traffic is being sent.
9378
description: An ordered list of route rules for HTTP traffic.
9382
description: Cross-Origin Resource Sharing policy (CORS).
9385
description: Indicates whether the caller is allowed to
9386
send the actual request (not the preflight) using credentials.
9390
description: List of HTTP headers that can be used when
9391
requesting the resource.
9396
description: List of HTTP methods allowed to access the
9406
description: String patterns that match allowed origins.
9429
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
9434
description: A list of HTTP headers that the browsers are
9440
description: Specifies how long the results of a preflight
9441
request can be cached.
9445
description: Delegate is used to specify the particular VirtualService
9446
which can be used to define delegate HTTPRoute.
9449
description: Name specifies the name of the delegate VirtualService.
9452
description: Namespace specifies the namespace where the
9453
delegate VirtualService resides.
9457
description: A HTTP rule can either return a direct_response,
9458
redirect or forward (default) traffic.
9461
description: Specifies the content of the response body.
9475
description: response body as base64 encoded bytes.
9482
description: Specifies the HTTP response status to be returned.
9488
description: Fault injection policy to apply on HTTP traffic
9492
description: Abort HTTP request attempts and return error
9493
codes back to downstream service, giving the impression
9494
that the upstream service is faulty.
9512
description: GRPC status code to use to abort the request.
9517
description: HTTP status code to use to abort the HTTP
9522
description: Percentage of requests to be aborted with
9523
the error code provided.
9531
description: Delay requests before forwarding, emulating
9532
various failures such as network issues, overloaded upstream
9549
description: Add a fixed delay before forwarding the
9553
description: Percentage of requests on which the delay
9554
will be injected (0-100).
9558
description: Percentage of requests on which the delay
9572
additionalProperties:
9580
additionalProperties:
9587
additionalProperties:
9595
additionalProperties:
9601
description: Match conditions to be satisfied for the rule to
9606
description: 'HTTP Authority values are case-sensitive
9607
and formatted as follows: - `exact: "value"` for exact
9608
string match - `prefix: "value"` for prefix-based match
9609
- `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
9631
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
9635
description: Names of gateways where the rule should be
9641
additionalProperties:
9663
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
9666
description: The header keys must be lowercase and use
9667
hyphen as the separator, e.g.
9670
description: Flag to specify whether the URI matching
9671
should be case-insensitive.
9674
description: 'HTTP Method values are case-sensitive and
9675
formatted as follows: - `exact: "value"` for exact string
9676
match - `prefix: "value"` for prefix-based match - `regex:
9677
"value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
9699
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
9703
description: The name assigned to a match.
9706
description: Specifies the ports on the host that is being
9710
additionalProperties:
9732
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
9735
description: Query parameters for matching.
9738
description: 'URI Scheme values are case-sensitive and
9739
formatted as follows: - `exact: "value"` for exact string
9740
match - `prefix: "value"` for prefix-based match - `regex:
9741
"value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
9763
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
9767
additionalProperties:
9769
description: One or more labels that constrain the applicability
9770
of a rule to source (client) workloads with the given
9774
description: Source namespace constraining the applicability
9775
of a rule to workloads in that namespace.
9778
description: The human readable prefix to use when emitting
9779
statistics for this route.
9782
description: 'URI to match values are case-sensitive and
9783
formatted as follows: - `exact: "value"` for exact string
9784
match - `prefix: "value"` for prefix-based match - `regex:
9785
"value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
9807
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
9811
additionalProperties:
9833
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
9836
description: withoutHeader has the same syntax as the
9837
header, but has opposite meaning.
9842
description: Mirror HTTP traffic to another destination in
9843
addition to forwarding the requests to the intended destination.
9846
description: The name of a service from the service registry.
9849
description: Specifies the port on the host that is being
9856
description: The name of a subset within the service.
9868
description: Percentage of the traffic to be mirrored by the
9876
description: Specifies the destinations to mirror HTTP traffic
9877
in addition to the original destination.
9881
description: Destination specifies the target of the mirror
9885
description: The name of a service from the service
9889
description: Specifies the port on the host that is
9896
description: The name of a subset within the service.
9902
description: Percentage of the traffic to be mirrored
9903
by the `destination` field.
9914
description: The name assigned to the route for debugging purposes.
9917
description: A HTTP rule can either return a direct_response,
9918
redirect or forward (default) traffic.
9932
description: On a redirect, overwrite the Authority/Host
9933
portion of the URL with this value.
9937
On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
9939
Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
9941
- FROM_PROTOCOL_DEFAULT
9945
description: On a redirect, overwrite the port portion of
9946
the URL with this value.
9949
description: On a redirect, specifies the HTTP status code
9950
to use in the redirect response.
9953
description: On a redirect, overwrite the scheme portion
9954
of the URL with this value.
9957
description: On a redirect, overwrite the Path portion of
9958
the URL with this value.
9962
description: Retry policy for HTTP requests.
9965
description: Number of retries to be allowed for a given
9970
description: Timeout per attempt for a given request, including
9971
the initial call and any retries.
9974
description: Specifies the conditions under which retry
9977
retryRemoteLocalities:
9978
description: Flag to specify whether the retries should
9979
retry to other localities.
9984
description: Rewrite HTTP URIs and Authority headers.
9987
description: rewrite the Authority/Host header with this
9991
description: rewrite the path (or the prefix) portion of
9992
the URI with this value.
9995
description: rewrite the path portion of the URI with the
9999
description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
10002
description: The string that should replace the matching
10003
portions of original URI.
10008
description: A HTTP rule can either return a direct_response,
10009
redirect or forward (default) traffic.
10013
description: Destination uniquely identifies the instances
10014
of a service to which the request/connection should
10018
description: The name of a service from the service
10022
description: Specifies the port on the host that is
10029
description: The name of a subset within the service.
10039
additionalProperties:
10047
additionalProperties:
10054
additionalProperties:
10062
additionalProperties:
10068
description: Weight specifies the relative proportion
10069
of traffic to be forwarded to the destination.
10077
description: Timeout for HTTP requests, default is disabled.
10082
description: An ordered list of route rules for opaque TCP traffic.
10086
description: Match conditions to be satisfied for the rule to
10090
destinationSubnets:
10091
description: IPv4 or IPv6 IP addresses of destination
10092
with optional subnet.
10097
description: Names of gateways where the rule should be
10103
description: Specifies the port on the host that is being
10107
additionalProperties:
10109
description: One or more labels that constrain the applicability
10110
of a rule to workloads with the given labels.
10113
description: Source namespace constraining the applicability
10114
of a rule to workloads in that namespace.
10121
description: The destination to which the connection should
10126
description: Destination uniquely identifies the instances
10127
of a service to which the request/connection should
10131
description: The name of a service from the service
10135
description: Specifies the port on the host that is
10142
description: The name of a subset within the service.
10148
description: Weight specifies the relative proportion
10149
of traffic to be forwarded to the destination.
10159
description: An ordered list of route rules for non-terminated TLS
10164
description: Match conditions to be satisfied for the rule to
10168
destinationSubnets:
10169
description: IPv4 or IPv6 IP addresses of destination
10170
with optional subnet.
10175
description: Names of gateways where the rule should be
10181
description: Specifies the port on the host that is being
10185
description: SNI (server name indicator) to match on.
10190
additionalProperties:
10192
description: One or more labels that constrain the applicability
10193
of a rule to workloads with the given labels.
10196
description: Source namespace constraining the applicability
10197
of a rule to workloads in that namespace.
10204
description: The destination to which the connection should
10209
description: Destination uniquely identifies the instances
10210
of a service to which the request/connection should
10214
description: The name of a service from the service
10218
description: Specifies the port on the host that is
10225
description: The name of a subset within the service.
10231
description: Weight specifies the relative proportion
10232
of traffic to be forwarded to the destination.
10246
x-kubernetes-preserve-unknown-fields: true
10253
apiVersion: apiextensions.k8s.io/v1
10254
kind: CustomResourceDefinition
10257
"helm.sh/resource-policy": keep
10263
name: workloadentries.networking.istio.io
10265
group: networking.istio.io
10269
- networking-istio-io
10270
kind: WorkloadEntry
10271
listKind: WorkloadEntryList
10272
plural: workloadentries
10275
singular: workloadentry
10278
- additionalPrinterColumns:
10279
- description: 'CreationTimestamp is a timestamp representing the server time
10280
when this object was created. It is not guaranteed to be set in happens-before
10281
order across separate operations. Clients may not set this value. It is represented
10282
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
10283
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
10284
jsonPath: .metadata.creationTimestamp
10287
- description: Address associated with the network endpoint.
10288
jsonPath: .spec.address
10296
description: 'Configuration affecting VMs onboarded into the mesh. See
10297
more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
10300
description: Address associated with the network endpoint without
10304
additionalProperties:
10306
description: One or more labels associated with the endpoint.
10309
description: The locality associated with the endpoint.
10312
description: Network enables Istio to group endpoints resident in
10313
the same L3 domain/network.
10316
additionalProperties:
10318
description: Set of ports associated with the endpoint.
10321
description: The service account associated with the workload if a
10322
sidecar is present in the workload.
10325
description: The load balancing weight associated with the endpoint.
10330
x-kubernetes-preserve-unknown-fields: true
10336
- additionalPrinterColumns:
10337
- description: 'CreationTimestamp is a timestamp representing the server time
10338
when this object was created. It is not guaranteed to be set in happens-before
10339
order across separate operations. Clients may not set this value. It is represented
10340
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
10341
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
10342
jsonPath: .metadata.creationTimestamp
10345
- description: Address associated with the network endpoint.
10346
jsonPath: .spec.address
10354
description: 'Configuration affecting VMs onboarded into the mesh. See
10355
more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
10358
description: Address associated with the network endpoint without
10362
additionalProperties:
10364
description: One or more labels associated with the endpoint.
10367
description: The locality associated with the endpoint.
10370
description: Network enables Istio to group endpoints resident in
10371
the same L3 domain/network.
10374
additionalProperties:
10376
description: Set of ports associated with the endpoint.
10379
description: The service account associated with the workload if a
10380
sidecar is present in the workload.
10383
description: The load balancing weight associated with the endpoint.
10388
x-kubernetes-preserve-unknown-fields: true
10394
- additionalPrinterColumns:
10395
- description: 'CreationTimestamp is a timestamp representing the server time
10396
when this object was created. It is not guaranteed to be set in happens-before
10397
order across separate operations. Clients may not set this value. It is represented
10398
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
10399
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
10400
jsonPath: .metadata.creationTimestamp
10403
- description: Address associated with the network endpoint.
10404
jsonPath: .spec.address
10412
description: 'Configuration affecting VMs onboarded into the mesh. See
10413
more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
10416
description: Address associated with the network endpoint without
10420
additionalProperties:
10422
description: One or more labels associated with the endpoint.
10425
description: The locality associated with the endpoint.
10428
description: Network enables Istio to group endpoints resident in
10429
the same L3 domain/network.
10432
additionalProperties:
10434
description: Set of ports associated with the endpoint.
10437
description: The service account associated with the workload if a
10438
sidecar is present in the workload.
10441
description: The load balancing weight associated with the endpoint.
10446
x-kubernetes-preserve-unknown-fields: true
10453
apiVersion: apiextensions.k8s.io/v1
10454
kind: CustomResourceDefinition
10461
name: workloadgroups.networking.istio.io
10463
group: networking.istio.io
10467
- networking-istio-io
10468
kind: WorkloadGroup
10469
listKind: WorkloadGroupList
10470
plural: workloadgroups
10473
singular: workloadgroup
10476
- additionalPrinterColumns:
10477
- description: 'CreationTimestamp is a timestamp representing the server time
10478
when this object was created. It is not guaranteed to be set in happens-before
10479
order across separate operations. Clients may not set this value. It is represented
10480
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
10481
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
10482
jsonPath: .metadata.creationTimestamp
10490
description: '`WorkloadGroup` enables specifying the properties of a single
10491
workload for bootstrap and provides a template for `WorkloadEntry`,
10492
similar to how `Deployment` specifies properties of workloads via `Pod`
10496
description: Metadata that will be used for all corresponding `WorkloadEntries`.
10499
additionalProperties:
10503
additionalProperties:
10508
description: '`ReadinessProbe` describes the configuration the user
10509
must provide for healthchecking on their workload.'
10527
description: Health is determined by how the command that is executed
10531
description: Command to run.
10537
description: Minimum consecutive failures for the probe to be
10538
considered failed after having succeeded.
10542
description: '`httpGet` is performed to a given endpoint and the
10543
status/ability to connect determines health.'
10546
description: Host name to connect to, defaults to the pod
10550
description: Headers the proxy will pass on to make the request.
10560
description: Path to access on the HTTP server.
10563
description: Port on which the endpoint lives.
10570
initialDelaySeconds:
10571
description: Number of seconds after the container has started
10572
before readiness probes are initiated.
10576
description: How often (in seconds) to perform the probe.
10580
description: Minimum consecutive successes for the probe to be
10581
considered successful after having failed.
10585
description: Health is determined by if the proxy is able to connect.
10595
description: Number of seconds after which the probe times out.
10600
description: Template to be used for the generation of `WorkloadEntry`
10601
resources that belong to this `WorkloadGroup`.
10604
description: Address associated with the network endpoint without
10608
additionalProperties:
10610
description: One or more labels associated with the endpoint.
10613
description: The locality associated with the endpoint.
10616
description: Network enables Istio to group endpoints resident
10617
in the same L3 domain/network.
10620
additionalProperties:
10622
description: Set of ports associated with the endpoint.
10625
description: The service account associated with the workload
10626
if a sidecar is present in the workload.
10629
description: The load balancing weight associated with the endpoint.
10637
x-kubernetes-preserve-unknown-fields: true
10643
- additionalPrinterColumns:
10644
- description: 'CreationTimestamp is a timestamp representing the server time
10645
when this object was created. It is not guaranteed to be set in happens-before
10646
order across separate operations. Clients may not set this value. It is represented
10647
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
10648
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
10649
jsonPath: .metadata.creationTimestamp
10657
description: 'Describes a collection of workload instances. See more details
10658
at: https://istio.io/docs/reference/config/networking/workload-group.html'
10661
description: Metadata that will be used for all corresponding `WorkloadEntries`.
10664
additionalProperties:
10668
additionalProperties:
10673
description: '`ReadinessProbe` describes the configuration the user
10674
must provide for healthchecking on their workload.'
10692
description: Health is determined by how the command that is executed
10696
description: Command to run.
10702
description: Minimum consecutive failures for the probe to be
10703
considered failed after having succeeded.
10707
description: '`httpGet` is performed to a given endpoint and the
10708
status/able to connect determines health.'
10711
description: Host name to connect to, defaults to the pod
10715
description: Headers the proxy will pass on to make the request.
10725
description: Path to access on the HTTP server.
10728
description: Port on which the endpoint lives.
10735
initialDelaySeconds:
10736
description: Number of seconds after the container has started
10737
before readiness probes are initiated.
10741
description: How often (in seconds) to perform the probe.
10745
description: Minimum consecutive successes for the probe to be
10746
considered successful after having failed.
10750
description: Health is determined by if the proxy is able to connect.
10760
description: Number of seconds after which the probe times out.
10765
description: Template to be used for the generation of `WorkloadEntry`
10766
resources that belong to this `WorkloadGroup`.
10769
description: Address associated with the network endpoint without
10773
additionalProperties:
10775
description: One or more labels associated with the endpoint.
10778
description: The locality associated with the endpoint.
10781
description: Network enables Istio to group endpoints resident
10782
in the same L3 domain/network.
10785
additionalProperties:
10787
description: Set of ports associated with the endpoint.
10790
description: The service account associated with the workload
10791
if a sidecar is present in the workload.
10794
description: The load balancing weight associated with the endpoint.
10802
x-kubernetes-preserve-unknown-fields: true
10808
- additionalPrinterColumns:
10809
- description: 'CreationTimestamp is a timestamp representing the server time
10810
when this object was created. It is not guaranteed to be set in happens-before
10811
order across separate operations. Clients may not set this value. It is represented
10812
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
10813
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
10814
jsonPath: .metadata.creationTimestamp
10822
description: '`WorkloadGroup` enables specifying the properties of a single
10823
workload for bootstrap and provides a template for `WorkloadEntry`,
10824
similar to how `Deployment` specifies properties of workloads via `Pod`
10828
description: Metadata that will be used for all corresponding `WorkloadEntries`.
10831
additionalProperties:
10835
additionalProperties:
10840
description: '`ReadinessProbe` describes the configuration the user
10841
must provide for healthchecking on their workload.'
10859
description: Health is determined by how the command that is executed
10863
description: Command to run.
10869
description: Minimum consecutive failures for the probe to be
10870
considered failed after having succeeded.
10874
description: '`httpGet` is performed to a given endpoint and the
10875
status/able to connect determines health.'
10878
description: Host name to connect to, defaults to the pod
10882
description: Headers the proxy will pass on to make the request.
10892
description: Path to access on the HTTP server.
10895
description: Port on which the endpoint lives.
10902
initialDelaySeconds:
10903
description: Number of seconds after the container has started
10904
before readiness probes are initiated.
10908
description: How often (in seconds) to perform the probe.
10912
description: Minimum consecutive successes for the probe to be
10913
considered successful after having failed.
10917
description: Health is determined by if the proxy is able to connect.
10927
description: Number of seconds after which the probe times out.
10932
description: Template to be used for the generation of `WorkloadEntry`
10933
resources that belong to this `WorkloadGroup`.
10936
description: Address associated with the network endpoint without
10940
additionalProperties:
10942
description: One or more labels associated with the endpoint.
10945
description: The locality associated with the endpoint.
10948
description: Network enables Istio to group endpoints resident
10949
in the same L3 domain/network.
10952
additionalProperties:
10954
description: Set of ports associated with the endpoint.
10957
description: The service account associated with the workload
10958
if a sidecar is present in the workload.
10961
description: The load balancing weight associated with the endpoint.
10969
x-kubernetes-preserve-unknown-fields: true
10976
# CustomResourceDefinition for the AuthorizationPolicy kind (group
# security.istio.io). This listing is an excerpt: the bare numbers are the
# page's line gutter, and gaps between them mark lines that are not shown.
apiVersion: apiextensions.k8s.io/v1
10977
kind: CustomResourceDefinition
10980
# Helm resource policy "keep": tells Helm to leave this CRD in place when a
# release operation would otherwise delete it, so the schema and any stored
# AuthorizationPolicy objects outlive the release.
"helm.sh/resource-policy": keep
10987
name: authorizationpolicies.security.istio.io
10989
group: security.istio.io
10993
- security-istio-io
10994
kind: AuthorizationPolicy
10995
listKind: AuthorizationPolicyList
10996
plural: authorizationpolicies
10999
singular: authorizationpolicy
11002
- additionalPrinterColumns:
11003
# Printer column backed by .spec.action, so the policy's action is visible in
# list output when policies are reviewed.
- description: The operation to take.
11004
jsonPath: .spec.action
11007
- description: 'CreationTimestamp is a timestamp representing the server time
11008
when this object was created. It is not guaranteed to be set in happens-before
11009
order across separate operations. Clients may not set this value. It is represented
11010
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
11011
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
11012
jsonPath: .metadata.creationTimestamp
11020
# Schema for the policy object. The action option list further down reads
# ALLOW, DENY, AUDIT, CUSTOM. Per Istio's documentation CUSTOM and DENY
# policies are evaluated before ALLOW; a workload with no ALLOW policy admits
# requests that no CUSTOM/DENY policy rejected, while a workload with at least
# one ALLOW policy rejects requests that match none of them. AUDIT does not
# change whether a request is allowed.
description: 'Configuration for access control on workloads. See more
11021
details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
11034
Valid Options: ALLOW, DENY, AUDIT, CUSTOM
11042
# Settings for the CUSTOM action: the decision is delegated to the named
# extension provider. NOTE(review): providers are defined in mesh
# configuration, outside this resource — confirm how the deployed Istio
# version treats a name that matches no provider.
description: Specifies detailed configuration of the CUSTOM action.
11045
description: Specifies the name of the extension provider.
11049
description: Optional.
11053
description: Optional.
11057
# Source match block. Only `notRequestPrincipals` keeps its key name in this
# excerpt; the other fields show just "Optional." because their key lines are
# not shown.
description: Source specifies the source of a request.
11060
description: Optional.
11065
description: Optional.
11070
description: Optional.
11075
description: Optional.
11080
description: Optional.
11085
description: Optional.
11089
# Negative match on the request principal. In Istio's documented "require a
# JWT" pattern, a DENY rule sets notRequestPrincipals: ["*"], which matches
# requests that carry no validated request principal.
notRequestPrincipals:
11090
description: Optional.
11095
description: Optional.
11100
description: Optional.
11105
description: Optional.
11113
description: Optional.
11117
# Operation match block; its field key names are not shown in this excerpt.
# NOTE(review): Istio's security guidance points out that host/path matching
# depends on how the proxy normalizes the request — confirm the mesh's
# path-normalization setting before relying on path-based rules.
description: Operation specifies the operation of a request.
11120
description: Optional.
11125
description: Optional.
11130
description: Optional.
11135
description: Optional.
11140
description: Optional.
11145
description: Optional.
11150
description: Optional.
11155
description: Optional.
11163
description: Optional.
11167
# Condition entry: keyed by an Istio attribute name; the two "Optional."
# fields after it are presumably the value lists (key names not shown).
description: The name of an Istio attribute.
11170
description: Optional.
11175
description: Optional.
11186
# Presumably the workload selector (key name not shown). NOTE(review): per
# Istio's documentation a policy without a selector applies to every workload
# in its namespace — scope matters most for ALLOW policies, because selected
# workloads then reject requests that match no ALLOW rule.
description: Optional.
11189
additionalProperties:
11191
description: One or more labels that indicate a specific set of
11192
pods/VMs on which a policy should be applied.
11196
# Presumably the target reference (key name not shown); it is described by
# the group/kind/name/namespace fields that follow.
description: Optional.
11199
description: group is the group of the target resource.
11202
description: kind is kind of the target resource.
11205
description: name is the name of the target resource.
11208
description: namespace is the namespace of the referent.
11214
# Turns off pruning for the enclosing object, so the API server stores keys
# the schema does not describe. NOTE(review): the parent key is not visible in
# this excerpt — confirm it is the status object and not `spec`.
x-kubernetes-preserve-unknown-fields: true
11220
# Second version entry; the visible lines repeat the first entry's printer
# columns and schema (version names are not shown in this excerpt).
- additionalPrinterColumns:
11221
- description: The operation to take.
11222
jsonPath: .spec.action
11225
- description: 'CreationTimestamp is a timestamp representing the server time
11226
when this object was created. It is not guaranteed to be set in happens-before
11227
order across separate operations. Clients may not set this value. It is represented
11228
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
11229
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
11230
jsonPath: .metadata.creationTimestamp
11238
description: 'Configuration for access control on workloads. See more
11239
details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
11252
Valid Options: ALLOW, DENY, AUDIT, CUSTOM
11260
description: Specifies detailed configuration of the CUSTOM action.
11263
description: Specifies the name of the extension provider.
11267
description: Optional.
11271
description: Optional.
11275
# Source match block (same visible fields as in the first version entry).
description: Source specifies the source of a request.
11278
description: Optional.
11283
description: Optional.
11288
description: Optional.
11293
description: Optional.
11298
description: Optional.
11303
description: Optional.
11307
notRequestPrincipals:
11308
description: Optional.
11313
description: Optional.
11318
description: Optional.
11323
description: Optional.
11331
description: Optional.
11335
# Operation match block (same visible fields as in the first version entry).
description: Operation specifies the operation of a request.
11338
description: Optional.
11343
description: Optional.
11348
description: Optional.
11353
description: Optional.
11358
description: Optional.
11363
description: Optional.
11368
description: Optional.
11373
description: Optional.
11381
description: Optional.
11385
description: The name of an Istio attribute.
11388
description: Optional.
11393
description: Optional.
11404
description: Optional.
11407
additionalProperties:
11409
description: One or more labels that indicate a specific set of
11410
pods/VMs on which a policy should be applied.
11414
description: Optional.
11417
description: group is the group of the target resource.
11420
description: kind is kind of the target resource.
11423
description: name is the name of the target resource.
11426
description: namespace is the namespace of the referent.
11432
# Pruning is turned off for the enclosing object here as well; the parent key
# is not visible in this excerpt.
x-kubernetes-preserve-unknown-fields: true
11439
# CustomResourceDefinition for the PeerAuthentication kind (group
# security.istio.io). This listing is an excerpt: the bare numbers are the
# page's line gutter, and gaps between them mark lines that are not shown.
apiVersion: apiextensions.k8s.io/v1
11440
kind: CustomResourceDefinition
11443
# Helm resource policy "keep": tells Helm to leave this CRD in place when a
# release operation would otherwise delete it, so the schema and any stored
# PeerAuthentication objects outlive the release.
"helm.sh/resource-policy": keep
11450
name: peerauthentications.security.istio.io
11452
group: security.istio.io
11456
- security-istio-io
11457
kind: PeerAuthentication
11458
listKind: PeerAuthenticationList
11459
plural: peerauthentications
11462
singular: peerauthentication
11465
- additionalPrinterColumns:
11466
# Printer column backed by .spec.mtls.mode, i.e. the workload-wide mode only;
# the per-port modes defined further down are not reflected in this column.
- description: Defines the mTLS mode used for peer authentication.
11467
jsonPath: .spec.mtls.mode
11470
- description: 'CreationTimestamp is a timestamp representing the server time
11471
when this object was created. It is not guaranteed to be set in happens-before
11472
order across separate operations. Clients may not set this value. It is represented
11473
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
11474
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
11475
jsonPath: .metadata.creationTimestamp
11483
description: 'Peer authentication configuration for workloads. See more
11484
details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
11487
# Workload-wide mTLS setting. The mode options listed below are DISABLE,
# PERMISSIVE and STRICT. Per Istio's documentation PERMISSIVE accepts both
# plaintext and mutual-TLS connections and only STRICT rejects plaintext, so a
# policy left in PERMISSIVE does not enforce peer authentication.
description: Mutual TLS settings for workload.
11491
Defines the mTLS mode used for peer authentication.
11493
Valid Options: DISABLE, PERMISSIVE, STRICT
11502
additionalProperties:
11506
Defines the mTLS mode used for peer authentication.
11508
Valid Options: DISABLE, PERMISSIVE, STRICT
11516
# Per-port mode map; each entry takes a mode from the same option list as the
# workload-wide setting. NOTE(review): per Istio's documentation a port entry
# overrides the workload-wide mode for that port, so a STRICT policy can still
# admit plaintext on a port listed here as PERMISSIVE or DISABLE.
description: Port specific mutual TLS settings.
11519
# Workload selector (the description is cut short in this excerpt).
# NOTE(review): per Istio's documentation a policy without a selector applies
# to every workload in its namespace — confirm against the full schema text.
description: The selector determines the workloads to apply the PeerAuthentication
11523
additionalProperties:
11525
description: One or more labels that indicate a specific set of
11526
pods/VMs on which a policy should be applied.
11532
# Turns off pruning for the enclosing object, so the API server stores keys
# the schema does not describe. NOTE(review): the parent key is not visible in
# this excerpt — confirm it is the status object and not `spec`.
x-kubernetes-preserve-unknown-fields: true
11538
# Second version entry; the visible lines repeat the first entry's printer
# columns and schema (version names are not shown in this excerpt).
- additionalPrinterColumns:
11539
- description: Defines the mTLS mode used for peer authentication.
11540
jsonPath: .spec.mtls.mode
11543
- description: 'CreationTimestamp is a timestamp representing the server time
11544
when this object was created. It is not guaranteed to be set in happens-before
11545
order across separate operations. Clients may not set this value. It is represented
11546
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
11547
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
11548
jsonPath: .metadata.creationTimestamp
11556
description: 'Peer authentication configuration for workloads. See more
11557
details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
11560
# Workload-wide mTLS setting, same DISABLE / PERMISSIVE / STRICT option list
# as in the first version entry.
description: Mutual TLS settings for workload.
11564
Defines the mTLS mode used for peer authentication.
11566
Valid Options: DISABLE, PERMISSIVE, STRICT
11575
additionalProperties:
11579
Defines the mTLS mode used for peer authentication.
11581
Valid Options: DISABLE, PERMISSIVE, STRICT
11589
# Per-port mode map, as in the first version entry.
description: Port specific mutual TLS settings.
11592
description: The selector determines the workloads to apply the PeerAuthentication
11596
additionalProperties:
11598
description: One or more labels that indicate a specific set of
11599
pods/VMs on which a policy should be applied.
11605
# Pruning is turned off for the enclosing object here as well; the parent key
# is not visible in this excerpt.
x-kubernetes-preserve-unknown-fields: true
11612
# CustomResourceDefinition for the RequestAuthentication kind (group
# security.istio.io). This listing is an excerpt: the bare numbers are the
# page's line gutter, and gaps between them mark lines that are not shown.
apiVersion: apiextensions.k8s.io/v1
11613
kind: CustomResourceDefinition
11616
# Helm resource policy "keep": tells Helm to leave this CRD in place when a
# release operation would otherwise delete it, so the schema and any stored
# RequestAuthentication objects outlive the release.
"helm.sh/resource-policy": keep
11623
name: requestauthentications.security.istio.io
11625
group: security.istio.io
11629
- security-istio-io
11630
kind: RequestAuthentication
11631
listKind: RequestAuthenticationList
11632
plural: requestauthentications
11635
singular: requestauthentication
11643
description: 'Request authentication configuration for workloads. See
11644
more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
11647
# JWT rule list. NOTE(review): per Istio's documentation this resource rejects
# requests that carry an invalid token but admits requests that carry no token
# at all; requiring a token takes an AuthorizationPolicy alongside it.
description: Define the list of JWTs that can be validated at the
11648
selected workloads' proxy.
11652
# Audience allow-list. NOTE(review): Istio documents a fallback when the list
# is empty — confirm what is accepted in that case before leaving it unset.
description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
11653
that are allowed to access.
11657
# When true the bearer token is passed on to the upstream workload, which then
# holds a replayable credential; worth enabling only where the backend needs
# the raw token.
forwardOriginalToken:
11658
description: If set to true, the original token will be kept
11659
for the upstream request.
11662
description: List of cookie names from which JWT is expected.
11667
description: List of header locations from which JWT is expected.
11671
description: The HTTP header name.
11674
description: The prefix that should be stripped before
11675
decoding the token.
11682
# Tokens carried in query strings tend to end up in access logs and Referer
# headers; header locations are preferable where the client allows it.
description: List of query parameters from which JWT is expected.
11687
description: Identifies the issuer that issued the JWT.
11690
# Inline key set (the description is cut short in this excerpt).
description: JSON Web Key Set of public keys to validate signature
11694
# Two URL-valued fields carry this same description; their key names are not
# shown here (presumably `jwksUri` and its alias `jwks_uri`). The keys fetched
# from this URL decide which tokens verify, so it should be an https endpoint
# controlled by the issuer.
description: URL of the provider's public key set to validate
11695
signature of the JWT.
11698
description: URL of the provider's public key set to validate
11699
signature of the JWT.
11701
# Copies verified claims into request headers for the backend. NOTE(review):
# a backend that trusts these headers depends on the proxy replacing any
# client-supplied header of the same name — confirm for the deployed version.
outputClaimToHeaders:
11702
description: This field specifies a list of operations to copy
11703
the claim to HTTP headers on a successfully verified token.
11707
description: The name of the claim to be copied from.
11710
description: The name of the header to be created.
11714
# Passes the verified payload to the backend in the named header; the same
# header-trust consideration as for outputClaimToHeaders applies.
outputPayloadToHeader:
11715
description: This field specifies the header name to output
11716
a successfully verified JWT payload to the backend.
11719
# Upper bound on the JWKS fetch; the description ties the resolver choice to
# the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable.
description: The maximum amount of time that the resolver, determined
11720
by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
11721
will spend waiting for the JWKS to be fetched.
11728
# Presumably the workload selector (key name not shown). NOTE(review): per
# Istio's documentation a policy without a selector applies to every workload
# in its namespace.
description: Optional.
11731
additionalProperties:
11733
description: One or more labels that indicate a specific set of
11734
pods/VMs on which a policy should be applied.
11738
# Presumably the target reference (key name not shown); it is described by
# the group/kind/name/namespace fields that follow.
description: Optional.
11741
description: group is the group of the target resource.
11744
description: kind is kind of the target resource.
11747
description: name is the name of the target resource.
11750
description: namespace is the namespace of the referent.
11756
# Turns off pruning for the enclosing object, so the API server stores keys
# the schema does not describe. NOTE(review): the parent key is not visible in
# this excerpt — confirm it is the status object and not `spec`.
x-kubernetes-preserve-unknown-fields: true
11767
# Second version entry; the visible lines repeat the first entry's schema
# (version names are not shown in this excerpt).
description: 'Request authentication configuration for workloads. See
11768
more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
11771
# JWT rule list, as in the first version entry: a missing token is not
# rejected by this resource alone.
description: Define the list of JWTs that can be validated at the
11772
selected workloads' proxy.
11776
description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
11777
that are allowed to access.
11781
forwardOriginalToken:
11782
description: If set to true, the original token will be kept
11783
for the upstream request.
11786
description: List of cookie names from which JWT is expected.
11791
description: List of header locations from which JWT is expected.
11795
description: The HTTP header name.
11798
description: The prefix that should be stripped before
11799
decoding the token.
11806
description: List of query parameters from which JWT is expected.
11811
description: Identifies the issuer that issued the JWT.
11814
description: JSON Web Key Set of public keys to validate signature
11818
# Remote key-set URL fields, as in the first version entry.
description: URL of the provider's public key set to validate
11819
signature of the JWT.
11822
description: URL of the provider's public key set to validate
11823
signature of the JWT.
11825
outputClaimToHeaders:
11826
description: This field specifies a list of operations to copy
11827
the claim to HTTP headers on a successfully verified token.
11831
description: The name of the claim to be copied from.
11834
description: The name of the header to be created.
11838
outputPayloadToHeader:
11839
description: This field specifies the header name to output
11840
a successfully verified JWT payload to the backend.
11843
description: The maximum amount of time that the resolver, determined
11844
by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
11845
will spend waiting for the JWKS to be fetched.
11852
description: Optional.
11855
additionalProperties:
11857
description: One or more labels that indicate a specific set of
11858
pods/VMs on which a policy should be applied.
11862
description: Optional.
11865
description: group is the group of the target resource.
11868
description: kind is kind of the target resource.
11871
description: name is the name of the target resource.
11874
description: namespace is the namespace of the referent.
11880
# Pruning is turned off for the enclosing object here as well; the parent key
# is not visible in this excerpt.
x-kubernetes-preserve-unknown-fields: true
11887
apiVersion: apiextensions.k8s.io/v1
11888
kind: CustomResourceDefinition
11891
"helm.sh/resource-policy": keep
11898
name: telemetries.telemetry.istio.io
11900
group: telemetry.istio.io
11904
- telemetry-istio-io
11906
listKind: TelemetryList
11907
plural: telemetries
11910
singular: telemetry
11913
- additionalPrinterColumns:
11914
- description: 'CreationTimestamp is a timestamp representing the server time
11915
when this object was created. It is not guaranteed to be set in happens-before
11916
order across separate operations. Clients may not set this value. It is represented
11917
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
11918
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
11919
jsonPath: .metadata.creationTimestamp
11927
description: 'Telemetry configuration for workloads. See more details
11928
at: https://istio.io/docs/reference/config/telemetry.html'
11931
description: Optional.
11935
description: Controls logging.
11939
description: Optional.
11942
description: CEL expression for selecting when requests/connections
11947
description: Allows tailoring of logging behavior to specific
11952
This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload.
11954
Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
11956
- CLIENT_AND_SERVER
11962
description: Optional.
11966
description: Required.
11976
description: Optional.
11980
description: Optional.
11984
description: Optional.
11988
description: Match allows providing the scope of the override.
12002
description: Allows free-form specification of a metric.
12007
One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/).
12009
Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES
12016
- TCP_OPENED_CONNECTIONS
12017
- TCP_CLOSED_CONNECTIONS
12019
- TCP_RECEIVED_BYTES
12020
- GRPC_REQUEST_MESSAGES
12021
- GRPC_RESPONSE_MESSAGES
12025
Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.
12027
Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
12029
- CLIENT_AND_SERVER
12035
additionalProperties:
12039
Operation controls whether or not to update/add a tag, or to remove it.
12041
Valid Options: UPSERT, REMOVE
12047
description: Value is only considered if the operation
12051
x-kubernetes-validations:
12052
- message: value must be set when operation is UPSERT
12053
rule: '((has(self.operation) ? self.operation : '''')
12054
== ''UPSERT'') ? self.value != '''' : true'
12055
- message: value must not be set when operation is REMOVE
12056
rule: '((has(self.operation) ? self.operation : '''')
12057
== ''REMOVE'') ? !has(self.value) : true'
12058
description: Optional.
12063
description: Optional.
12067
description: Required.
12075
description: Optional.
12080
description: Optional.
12083
additionalProperties:
12085
description: One or more labels that indicate a specific set of
12086
pods/VMs on which a policy should be applied.
12090
description: Optional.
12093
description: group is the group of the target resource.
12096
description: kind is kind of the target resource.
12099
description: name is the name of the target resource.
12102
description: namespace is the namespace of the referent.
12106
description: Optional.
12110
additionalProperties:
12128
description: Environment adds the value of an environment
12129
variable to each span.
12132
description: Optional.
12135
description: Name of the environment variable from
12136
which to extract the tag value.
12143
description: RequestHeader adds the value of an header
12144
from the request to each span.
12147
description: Optional.
12150
description: Name of the header from which to extract
12158
description: Literal adds the same, hard-coded value to
12162
description: The tag value to use.
12169
description: Optional.
12171
disableSpanReporting:
12172
description: Controls span reporting.
12176
description: Allows tailoring of behavior to specific conditions.
12180
This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload.
12182
Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
12184
- CLIENT_AND_SERVER
12190
description: Optional.
12194
description: Required.
12201
randomSamplingPercentage:
12202
description: Controls the rate at which traffic will be selected
12203
for tracing if no prior sampling decision has been made.
12208
useRequestIdForTraceSampling:
12216
x-kubernetes-preserve-unknown-fields: true