pilot-agent

Istio Pilot agent runs in the sidecar or gateway container and bootstraps Envoy.

FlagsDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent completion

Generate the autocompletion script for pilot-agent for the specified shell. See each sub-command's help for details on how to use the generated script.

FlagsDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent completion bash

Generate the autocompletion script for the bash shell.

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

source <(pilot-agent completion bash)

To load completions for every new session, execute once:

#### Linux:

pilot-agent completion bash > /etc/bash_completion.d/pilot-agent

#### macOS:

pilot-agent completion bash > $(brew --prefix)/etc/bash_completion.d/pilot-agent

You will need to start a new shell for this setup to take effect.

pilot-agent completion bash
FlagsDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

pilot-agent completion fish | source

To load completions for every new session, execute once:

pilot-agent completion fish > ~/.config/fish/completions/pilot-agent.fish

You will need to start a new shell for this setup to take effect.

pilot-agent completion fish [flags]
FlagsDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent completion powershell

Generate the autocompletion script for powershell.

To load completions in your current shell session:

pilot-agent completion powershell | Out-String | Invoke-Expression

To load completions for every new session, add the output of the above command to your powershell profile.

pilot-agent completion powershell [flags]
FlagsDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent completion zsh

Generate the autocompletion script for the zsh shell.

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

echo "autoload -U compinit; compinit" >> ~/.zshrc

To load completions in your current shell session:

source <(pilot-agent completion zsh)

To load completions for every new session, execute once:

#### Linux:

pilot-agent completion zsh > "${fpath[1]}/_pilot-agent"

#### macOS:

pilot-agent completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-agent

You will need to start a new shell for this setup to take effect.

pilot-agent completion zsh [flags]
FlagsDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent istio-clean-iptables

Script responsible for cleaning up iptables rules

pilot-agent istio-clean-iptables [flags]
FlagsShorthandDescription
--capture-all-dnsInstead of only capturing DNS traffic to DNS server IP, capture all DNS traffic at port 53. This setting is only effective when redirect dns is enabled.
--dry-run-nDo not call any external dependencies like iptables.
--istio-inbound-interception-mode <string>-mThe mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY". (default ``)
--istio-inbound-tproxy-mark <string>-t(default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--proxy-gid <string>-gSpecify the GID of the user for which the redirection is not applied (same default value as -u param). (default ``)
--proxy-uid <string>-uSpecify the UID of the user for which the redirection is not applied. Typically, this is the UID of the proxy container. (default ``)
--redirect-dnsEnable capture of dns traffic by istio-agent.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent istio-iptables

istio-iptables is responsible for setting up port forwarding for Istio Sidecar.

pilot-agent istio-iptables [flags]
FlagsShorthandDescription
--capture-all-dnsInstead of only capturing DNS traffic to DNS server IP, capture all DNS traffic at port 53. This setting is only effective when redirect dns is enabled.
--cni-modeWhether to run as CNI plugin.
--drop-invalidEnable invalid drop in the iptables rules.
--dry-run-nDo not call any external dependencies like iptables.
--dual-stackEnable ipv4/ipv6 redirects for dual-stack.
--envoy-port <string>-pSpecify the envoy port to which redirect all TCP traffic. (default `15001`)
--inbound-capture-port <string>-zPort to which all inbound TCP traffic to the pod/VM should be redirected to. (default `15006`)
--inbound-tunnel-port <string>-eSpecify the istio tunnel port for inbound tcp traffic. (default `15008`)
--iptables-probe-port <uint16>Set listen port for failure detection. (default `15002`)
--iptables-trace-loggingInsert tracing logs for each iptables rules, using the LOG chain.
--iptables-version <string>version of iptables command. If not set, this is automatically detected. (default ``)
--istio-exclude-interfaces <string>-cComma separated list of NIC (optional). Neither inbound nor outbound traffic will be captured. (default ``)
--istio-inbound-interception-mode <string>-mThe mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY". (default ``)
--istio-inbound-ports <string>-bComma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). The wildcard character "*" can be used to configure redirection for all ports. An empty list will disable. (default ``)
--istio-inbound-tproxy-mark <string>-t(default `1337`)
--istio-inbound-tproxy-route-table <string>-r(default `133`)
--istio-local-exclude-ports <string>-dComma separated list of inbound ports to be excluded from redirection to Envoy (optional). Only applies when all inbound traffic (i.e. "*") is being redirected. (default ``)
--istio-local-outbound-ports-exclude <string>-oComma separated list of outbound ports to be excluded from redirection to Envoy. (default ``)
--istio-outbound-ports <string>-qComma separated list of outbound ports to be explicitly included for redirection to Envoy. (default ``)
--istio-service-cidr <string>-iComma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard character "*" can be used to redirect all outbound traffic. An empty list will disable all outbound. (default ``)
--istio-service-exclude-cidr <string>-xComma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. "*") is being redirected. (default ``)
--kube-virt-interfaces <string>-kComma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--network-namespace <string>The network namespace that iptables rules should be applied to. (default ``)
--probe-timeout <duration>Failure detection timeout. (default `5s`)
--proxy-gid <string>-gSpecify the GID of the user for which the redirection is not applied (same default value as -u param). (default ``)
--proxy-uid <string>-uSpecify the UID of the user for which the redirection is not applied. Typically, this is the UID of the proxy container. (default ``)
--redirect-dnsEnable capture of dns traffic by istio-agent.
--restore-format-fPrint iptables rules in iptables-restore interpretable format.
--run-validationValidate iptables.
--skip-rule-applySkip iptables apply.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent proxy

XDS proxy agent

pilot-agent proxy [flags]
FlagsDescription
--concurrency <int>number of worker threads to run (default `0`)
--domain <string>DNS domain suffix. If not provided uses ${POD_NAMESPACE}.svc.cluster.local (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfig <string>File name for Istio mesh configuration. If not specified, a default mesh will be used. This may be overridden by PROXY_CONFIG environment variable or proxy.istio.io/config annotation. (default `./etc/istio/config/mesh`)
--outlierLogPath <string>The log path for outlier detection (default ``)
--profilingEnable profiling via web interface host:port/debug/pprof/.
--proxyComponentLogLevel <string>The component log level used to start the Envoy proxy. Deprecated, use proxyLogLevel instead (default ``)
--proxyLogLevel <string>The log level used to start the Envoy proxy (choose from {trace, debug, info, warning, error, critical, off}).Level may also include one or more scopes, such as 'info,misc:error,upstream:debug' (default `warning,misc:error`)
--serviceCluster <string>Service cluster (default `istio-proxy`)
--stsPort <int>HTTP Port on which to serve Security Token Service (STS). If zero, STS service will not be provided. (default `0`)
--templateFile <string>Go template bootstrap config (default ``)
--tokenManagerPlugin <string>Token provider specific plugin name. (default `GoogleTokenExchange`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent request

Makes an HTTP request to the Envoy admin API

pilot-agent request <method> <path> [<body>] [flags]
FlagsDescription
--debug-port <int32>Set the port to make a local request to. The default points to the Envoy admin API. (default `15000`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent version

Prints out build version information

pilot-agent version [flags]
FlagsShorthandDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-agent wait

Waits until the Envoy proxy is ready

pilot-agent wait [flags]
FlagsDescription
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, healthcheck, iptables, klog, mockcred, model, monitoring, sds, security, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--periodMillis <int>number of milliseconds to wait between attempts (default `500`)
--requestTimeoutMillis <int>number of milliseconds to wait for response (default `500`)
--timeoutSeconds <int>maximum number of seconds to wait for Envoy to be ready (default `60`)
--url <string>URL to use in requests (default `http://localhost:15021/healthz/ready`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

Environment variables

These environment variables affect the behavior of the pilot-agent command. Please use with caution as these environment variables are experimental and can change anytime.
Variable NameTypeDefault ValueDescription
CA_ADDRStringAddress of the spiffe certificate provider. Defaults to discoveryAddress
CA_PROVIDERStringCitadelname of authentication provider
CA_ROOT_CAStringExplicitly set the root CA to expect for the CA connection.
CA_TRUSTED_NODE_ACCOUNTSStringIf set, the list of service accounts that are allowed to use node authentication for CSRs. Node authentication allows an identity to create CSRs on behalf of other identities, but only if there is a pod running on the same node with that identity. This is intended for use with node proxies.
CERT_SIGNER_DOMAINStringThe cert signer domain info
CLOUD_PLATFORMStringCloud Platform on which proxy is running, if not specified, Istio will try to discover the platform. Valid platform values are aws, azure, gcp, none
CLUSTER_IDStringKubernetesDefines the cluster and service registry that this Istiod instance belongs to
COMPLIANCE_POLICYStringIf set, applies policy-specific restrictions over all existing TLS settings, including in-mesh mTLS and external TLS. Valid values are: * '' or unset places no additional restrictions. * 'fips-140-2' which enforces a version of the TLS protocol and a subset of cipher suites overriding any user preferences or defaults for all runtime components, including Envoy, gRPC Go SDK, and gRPC C++ SDK. WARNING: Setting compliance policy in the control plane is a necessary but not a sufficient requirement to achieve compliance. There are additional steps necessary to claim compliance, including using the validated cryptograhic modules (please consult https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2).
CREDENTIAL_FETCHER_TYPEStringJWTThe type of the credential fetcher. Currently supported types include GoogleComputeEngine
CREDENTIAL_IDENTITY_PROVIDERStringGoogleComputeEngineThe identity provider for credential. Currently default supported identity provider is GoogleComputeEngine
DISABLE_ENVOYBooleanfalseDisables all Envoy agent features.
DNS_FORWARD_PARALLELBooleanfalseIf set to true, agent will send parallel DNS queries to all upstream nameservers
DNS_PROXY_ADDRStringlocalhost:15053Custom address for the DNS proxy. If it ends with :53 and running as root allows running without iptable DNS capture
DRY_RUN_FILE_PATHStringIf provided, StdoutStubDependencies will write the input from stdin to the given file.
ECC_CURVEStringP256The elliptic curve to use when ECC_SIGNATURE_ALGORITHM is set to ECDSA
ECC_SIGNATURE_ALGORITHMStringThe type of ECC signature algorithm to use when generating private keys
ENABLE_AUTO_SNIBooleantrueIf enabled, automatically set SNI when `DestinationRules` do not specify the same
ENABLE_CA_SERVERBooleantrueIf this is set to false, will not create CA server in istiod.
ENABLE_DEBUG_ON_HTTPBooleantrueIf this is set to false, the debug interface will not be enabled, recommended for production
ENABLE_ENHANCED_RESOURCE_SCOPINGBooleanfalseIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_EXTERNAL_NAME_ALIASBooleantrueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.
ENABLE_HCM_INTERNAL_NETWORKSBooleanfalseIf enable, endpoints defined in mesh networks will be configured as internal addresses in Http Connection Manager
ENABLE_LEADER_ELECTIONBooleantrueIf enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.
ENABLE_MCS_AUTO_EXPORTBooleanfalseIf enabled, istiod will automatically generate Kubernetes Multi-Cluster Services (MCS) ServiceExport resources for every service in the mesh. Services defined to be cluster-local in MeshConfig are excluded.
ENABLE_MCS_CLUSTER_LOCALBooleanfalseIf enabled, istiod will treat the host `<svc>.<namespace>.svc.cluster.local` as defined by the Kubernetes Multi-Cluster Services (MCS) spec. In this mode, requests to `cluster.local` will be routed to only those endpoints residing within the same cluster as the client. Requires that both ENABLE_MCS_SERVICE_DISCOVERY and ENABLE_MCS_HOST also be enabled.
ENABLE_MCS_HOSTBooleanfalseIf enabled, istiod will configure a Kubernetes Multi-Cluster Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) for each service exported (via ServiceExport) in at least one cluster. Clients must, however, be able to successfully lookup these DNS hosts. That means that either Istio DNS interception must be enabled or an MCS controller must be used. Requires that ENABLE_MCS_SERVICE_DISCOVERY also be enabled.
ENABLE_MCS_SERVICE_DISCOVERYBooleanfalseIf enabled, istiod will enable Kubernetes Multi-Cluster Services (MCS) service discovery mode. In this mode, service endpoints in a cluster will only be discoverable within the same cluster unless explicitly exported via ServiceExport.
ENABLE_MULTICLUSTER_HEADLESSBooleantrueIf true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster.
ENABLE_NATIVE_SIDECARSBooleanfalseIf set, used Kubernetes native Sidecar container support. Requires SidecarContainer feature flag.
ENABLE_OPTIMIZED_CONFIG_REBUILDBooleantrueIf enabled, pilot will only rebuild config for resources that have changed
ENABLE_OTEL_BUILTIN_RESOURCE_LABELSBooleanfalseIf enabled, envoy will send builtin labels(e.g. node_name) via OTel sink.
ENABLE_PROBE_KEEPALIVE_CONNECTIONSBooleanfalseIf enabled, readiness probes will keep the connection from pilot-agent to the application alive. This mirrors older Istio versions' behaviors, but not kubelet's.
ENABLE_SELECTOR_BASED_K8S_GATEWAY_POLICYBooleantrueIf disabled, Gateway API gateways will ignore workloadSelector policies, onlyapplying policies that select the gateway with a targetRef.
ENABLE_TLS_ON_SIDECAR_INGRESSBooleanfalseIf enabled, the TLS configuration on Sidecar.ingress will take effect
ENVOY_PROMETHEUS_PORTInteger15090Envoy prometheus redirection port value
ENVOY_STATUS_PORTInteger15021Envoy health status port value
ENVOY_USERStringistio-proxyEnvoy proxy username
EXIT_ON_ZERO_ACTIVE_CONNECTIONSBooleanfalseWhen set to true, terminates proxy when number of active connections become zero during draining
EXTERNAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
FILE_DEBOUNCE_DURATIONTime Duration100msThe duration for which the file read operation is delayed once file update is detected
FILE_MOUNTED_CERTSBooleanfalse
GCP_METADATAStringPipe separated GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE
GCP_QUOTA_PROJECTStringAllows specification of a quota project to be used in requests to GCP APIs.
GKE_CLUSTER_URLStringThe url of GKE cluster
GRPC_KEEPALIVE_INTERVALTime Duration30sgRPC Keepalive Interval
GRPC_KEEPALIVE_TIMEOUTTime Duration10sgRPC Keepalive Timeout
GRPC_XDS_BOOTSTRAPStringetc/istio/proxy/grpc-bootstrap.jsonPath where gRPC expects to read a bootstrap file. Agent will generate one if set.
HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLEDBooleantrue
INBOUND_INTERCEPTION_MODEStringThe mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY"
INBOUND_TPROXY_MARKString
INJECTION_WEBHOOK_CONFIG_NAMEStringistio-sidecar-injectorName of the mutatingwebhookconfiguration to patch, if istioctl is not used.
INSTANCE_IPString
IPTABLES_TRACE_LOGGINGBooleanfalseWhen enable, all iptables actions will be logged. This requires NET_ADMIN privilege and has noisy logs; as a result, this is intended for debugging only
ISTIOD_CUSTOM_HOSTStringCustom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas.
ISTIOD_SANStringOverride the ServerName used to validate Istiod certificate. Can be used as an alternative to setting /etc/hosts for VMs - discovery address will be an IP:port
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSIONBooleantrueIf enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file.
ISTIO_BOOTSTRAPString
ISTIO_BOOTSTRAP_OVERRIDEString
ISTIO_CPU_LIMITInteger0CPU limit for the current process. Expressed as an integer value, rounded up.
ISTIO_DELTA_XDSBooleanfalseIf enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
ISTIO_DUAL_STACKBooleanfalseIf true, Istio will enable the Dual Stack feature.
ISTIO_ENABLE_CONTROLLER_QUEUE_METRICSBooleanfalseIf enabled, publishes metrics for queue depth, latency and processing times.
ISTIO_ENABLE_HTTP2_PROBINGBooleantrueIf enabled, HTTP2 probes will be enabled for HTTPS probes, following Kubernetes
ISTIO_ENABLE_IPV4_OUTBOUND_LISTENER_FOR_IPV6_CLUSTERSBooleanfalseIf true, pilot will configure an additional IPv4 listener for outbound traffic in IPv6 only clusters, e.g. AWS EKS IPv6 only clusters.
ISTIO_ENABLE_OPTIMIZED_SERVICE_PUSHBooleantrueIf enabled, Istiod will not push changes on arbitrary annotation change.
ISTIO_ENVOY_ENABLE_CORE_DUMPBooleanfalse
ISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
ISTIO_KUBE_APP_PROBERSString
ISTIO_KUBE_CLIENT_CONTENT_TYPEStringprotobufThe content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]
ISTIO_META_CERT_SIGNERStringThe cert signer info for workload cert
ISTIO_META_CLUSTER_IDString
ISTIO_META_DNS_CAPTUREBooleanfalseIf set to true, enable the capture of outgoing DNS packets on port 53, redirecting to istio-agent on :15053
ISTIO_MULTIROOT_MESHBooleanfalseIf enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS
ISTIO_OUTBOUND_IPV4_LOOPBACK_CIDRString127.0.0.1/32IPv4 CIDR range used to identify outbound traffic on loopback interface intended for application container
ISTIO_OUTBOUND_OWNER_GROUPSString*Comma separated list of groups whose outgoing traffic is to be redirected to Envoy. A group can be specified either by name or by a numeric GID. The wildcard character "*" can be used to configure redirection of traffic from all groups.
ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDEStringComma separated list of groups whose outgoing traffic is to be excluded from redirection to Envoy. A group can be specified either by name or by a numeric GID. Only applies when traffic from all groups (i.e. "*") is being redirected to Envoy.
ISTIO_PROMETHEUS_ANNOTATIONSString
ISTIO_WATCH_NAMESPACEStringIf set, limit Kubernetes watches to a single namespace. Warning: only a single namespace can be set.
ISTIO_WORKLOAD_ENTRY_VALIDATE_IDENTITYBooleantrueIf enabled, will validate the identity of a workload matches the identity of the WorkloadEntry it is associating with for health checks and auto registration. This flag is added for backwards compatibility only and will be removed in future releases
JWKS_RESOLVER_INSECURE_SKIP_VERIFYBooleanfalseIf enabled, istiod will skip verifying the certificate of the JWKS server.
JWT_POLICYStringthird-party-jwtThe JWT validation policy.
KUBERNETES_SERVICE_HOSTStringKubernetes service host, set automatically when running in-cluster
K_REVISIONStringKNative revision, set if running in knative
LABEL_CANONICAL_SERVICES_FOR_MESH_EXTERNAL_SERVICE_ENTRIESBooleanfalseIf enabled, metadata representing canonical services for ServiceEntry resources with a location of mesh_external will be populatedin the cluster metadata for those endpoints.
LOCAL_CLUSTER_SECRET_WATCHERBooleanfalseIf enabled, the cluster secret watcher will watch the namespace of the external cluster instead of config cluster
MCS_API_GROUPStringmulticluster.x-k8s.ioThe group to be used for the Kubernetes Multi-Cluster Services (MCS) API.
MCS_API_VERSIONStringv1alpha1The version to be used for the Kubernetes Multi-Cluster Services (MCS) API.
METRIC_GRACEFUL_DELETION_INTERVALTime Duration5m0sMetric expiry graceful deletion interval. No-op if METRIC_ROTATION_INTERVAL is disabled.
METRIC_ROTATION_INTERVALTime Duration0sMetric scope rotation interval, set to 0 to disable the metric scope rotation
MINIMUM_DRAIN_DURATIONTime Duration5sThe minimum duration for which agent waits before it checks for active connections and terminates proxy when number of active connections become zero
MUTEX_PROFILE_FRACTIONInteger1000If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
NATIVE_METADATA_EXCHANGEBooleantrueIf set, uses a native implementation of the HTTP metadata exchange filter
OUTPUT_CERTSStringThe output directory for the key and certificate. If empty, key and certificate will not be saved. Must be set for VMs using provisioning certificates.
PEER_METADATA_DISCOVERYBooleanfalseIf set to true, enable the peer metadata discovery extension in Envoy
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGEBooleanfalseIf set, it allows creating inbound listeners for service ports and sidecar ingress listeners
PILOT_ANALYSIS_INTERVALTime Duration10sIf analysis is enabled, pilot will run istio analyzers using this value as interval in seconds Istio Resources
PILOT_CERT_PROVIDERStringistiodThe provider of Pilot DNS certificate.
PILOT_CONVERT_SIDECAR_SCOPE_CONCURRENCYInteger1Used to adjust the concurrency of SidecarScope conversions. When istiod is deployed on a multi-core CPU server, increasing this value will help to use the CPU to accelerate configuration push, but it also means that istiod will consume more CPU resources.
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this interval. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DISABLE_MX_ALPNBooleanfalseIf true, pilot will not put istio-peer-exchange ALPN into TLS handshake configuration.
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_DRAINING_LABELStringistio.io/drainingIf not empty, endpoints with the label value present will be sent with status DRAINING.
PILOT_ENABLE_ALPHA_GATEWAY_APIBooleanfalseIf this is set to true, support for alpha APIs in the Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_ALPN_FILTERBooleantrueIf true, pilot will add Istio ALPN filters, required for proper protocol sniffing.
PILOT_ENABLE_AMBIENT_CONTROLLERSBooleanfalseIf enabled, controllers required for ambient will run. This is required to run ambient mesh.
PILOT_ENABLE_ANALYSISBooleanfalseIf enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_ENABLE_CDS_CACHEBooleantrueIf true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKINGBooleanfalseIf enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRYBooleantrueIf enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_GATEWAY_APIBooleantrueIf this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLERBooleantrueIf this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc
PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLERBooleantrueIf this is set to true, istiod will create and manage its default GatewayClasses
PILOT_ENABLE_GATEWAY_API_STATUSBooleantrueIf this is set to true, gateway-api resources will have status written to them
PILOT_ENABLE_HBONEBooleanfalseIf enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag.
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERSBooleantrueIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIESBooleantrueIf enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_METADATA_EXCHANGEBooleantrueIf true, pilot will add metadata exchange filters, which will be consumed by telemetry filter.
PILOT_ENABLE_MONGO_FILTERBooleantrueEnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain.
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
PILOT_ENABLE_PERSISTENT_SESSION_FILTERBooleanfalseIf enabled, Istiod sets up persistent session filter for listeners, if services have 'PILOT_PERSISTENT_SESSION_LABEL' set.
PILOT_ENABLE_QUIC_LISTENERSBooleanfalseIf true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP)
PILOT_ENABLE_RDS_CACHEBooleantrueIf true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_REDIS_FILTERBooleanfalseEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATIONBooleantrueIf true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization.
PILOT_ENABLE_SERVICEENTRY_SELECT_PODSBooleantrueIf enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter.
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATIONBooleantrueEnables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKSBooleantrueEnables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup
PILOT_ENABLE_XDS_CACHEBooleantrueIf true, Pilot will cache XDS responses.
PILOT_ENABLE_XDS_IDENTITY_CHECKBooleantrueIf enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.
PILOT_ENDPOINT_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.
PILOT_ENVOY_FILTER_STATSBooleanfalseIf true, Pilot will collect metrics for envoy filter operations.
PILOT_FILTER_GATEWAY_CLUSTER_CONFIGBooleanfalseIf enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
PILOT_HTTP10BooleanfalseEnables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONSStringComma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication.Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), `clientKey`, `clientCertificate`, `tokenFile`, and `exec`.
PILOT_JWT_ENABLE_REMOTE_JWKSStringfalseMode of fetching JWKs from JwksUri in RequestAuthentication. Supported value: istiod, false, hybrid, true, envoy. The client fetching JWKs is as following: istiod/false - Istiod; hybrid/true - Envoy and fallback to Istiod if JWKs server is external; envoy - Envoy.
PILOT_JWT_PUB_KEY_REFRESH_INTERVALTime Duration20m0sThe interval for istiod to fetch the jwks_uri for the jwks public key.
PILOT_MAX_REQUESTS_PER_SECONDFloating-Point0Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently. If set to 0 or unset, the max will be automatically determined based on the machine size
PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_APIBooleanfalseIf true, Pilot will discover labeled Kubernetes gateway objects as multi-network gateways.
PILOT_PERSISTENT_SESSION_HEADER_LABELStringistio.io/persistent-session-headerIf not empty, services with this label will use header based persistent sessions
PILOT_PERSISTENT_SESSION_LABELStringistio.io/persistent-sessionIf not empty, services with this label will use cookie based persistent sessions
PILOT_PUSH_THROTTLEInteger0Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes. If set to 0 or unset, the max will be automatically determined based on the machine size
PILOT_REMOTE_CLUSTER_TIMEOUTTime Duration30sAfter this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior.
PILOT_SCOPE_GATEWAY_TO_NAMESPACEBooleanfalseIf enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SEND_UNHEALTHY_ENDPOINTSBooleanfalseIf enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing. To avoid, sending traffic to non ready endpoints, enabling this flag, disables panic threshold in Envoy i.e. Envoy does not load balance requests to unhealthy/non-ready hosts even if the percentage of healthy hosts fall below minimum health percentage(panic threshold).
PILOT_SIDECAR_USE_REMOTE_ADDRESSBooleanfalseUseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.
PILOT_SKIP_VALIDATE_TRUST_DOMAINBooleanfalseSkip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_STATUS_BURSTInteger500If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_MAX_WORKERSInteger100The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments.
PILOT_STATUS_QPSInteger100If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PILOT_STATUS_UPDATE_INTERVALTime Duration500msInterval to update the XDS distribution status.
PILOT_TRACE_SAMPLINGFloating-Point1Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0.
PILOT_WORKLOAD_ENTRY_GRACE_PERIODTime Duration10sThe amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.
PILOT_XDS_CACHE_INDEX_CLEAR_INTERVALTime Duration5sThe interval for xds cache index clearing.
PILOT_XDS_CACHE_SIZEInteger60000The maximum number of cache entries for the XDS cache.
PILOT_XDS_CACHE_STATSBooleanfalseIf true, Pilot will collect metrics for XDS cache efficiency.
PILOT_XDS_SEND_TIMEOUTTime Duration0sThe timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
PKCS8_KEYBooleanfalseWhether to generate PKCS#8 private keys
POD_NAMEString
POD_NAMESPACEString
PROV_CERTStringSet to a directory containing provisioned certs, for VMs
PROXY_CONFIGStringThe proxy configuration. This will be set by the injection - gateways will use file mounts.
PROXY_CONFIG_XDS_AGENTBooleanfalseIf set to true, agent retrieves dynamic proxy-config updates via xds channel
PROXY_XDS_DEBUG_VIA_AGENTBooleantrueIf set to true, the agent will listen on tap port and offer pilot's XDS istio.io/debug debug API there.
PROXY_XDS_DEBUG_VIA_AGENT_PORTInteger15004Agent debugging port.
REQUIRE_3P_TOKENBooleanfalseReject k8s default tokens, without audience. If false, default K8S token will be accepted
RESOLVE_HOSTNAME_GATEWAYSBooleantrueIf true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways.
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATIONBooleanfalseIf enabled, readiness probes will be sent to 'localhost'. Otherwise, they will be sent to the Pod's IP, matching Kubernetes' behavior.
SECRET_GRACE_PERIOD_RATIOFloating-Point0.5The grace period ratio for the cert rotation, by default 0.5.
SECRET_TTLTime Duration24h0m0sThe cert lifetime requested by istio agent
SERVICE_ACCOUNTStringName of service account
SHARED_MESH_CONFIGStringAdditional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.
STACKDRIVER_AUDIT_LOGBooleanfalseIf enabled, StackDriver audit logging will be enabled.
TOKEN_AUDIENCESStringistio-caA list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences
TRUSTED_GATEWAY_CIDRStringIf set, any connections from gateway to Istiod with this CIDR range are treated as trusted for using authentication mechanisms like XFCC. This can only be used when the network where Istiod and the authenticating gateways are running in a trusted/secure network
TRUST_DOMAINStringcluster.localThe trust domain for spiffe certificates
UNSAFE_ENABLE_ADMIN_ENDPOINTSBooleanfalseIf this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.
UNSAFE_PILOT_ENABLE_DELTA_TESTBooleanfalseIf enabled, addition runtime tests for Delta XDS efficiency are added. These checks are extremely expensive, so this should be used only for testing, not production.
UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONSBooleanfalseIf enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing.
USE_CACERTS_FOR_SELF_SIGNED_CABooleanfalseIf enabled, istiod will use a secret named cacerts to store its self-signed istio-generated root certificate.
USE_EXTERNAL_WORKLOAD_SDSBooleanfalseWhen set to true, the istio-agent will require an external SDS and will throw an error if the workload SDS socket is not found
VALIDATION_WEBHOOK_CONFIG_NAMEStringistio-istio-systemIf not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
VERIFY_SDS_CERTIFICATEBooleantrueIf enabled, certificates fetched from SDS server will be verified before sending back to proxy.
WASM_HTTP_REQUEST_MAX_RETRIESInteger5maximum number of HTTP/HTTPS request retries for pulling a Wasm module via http/https
WASM_HTTP_REQUEST_TIMEOUTTime Duration15stimeout per a HTTP request for pulling a Wasm module via http/https
WASM_INSECURE_REGISTRIESStringallow agent pull wasm plugin from insecure registries or https server, for example: 'localhost:5000,docker-registry:5000'
WASM_MODULE_EXPIRYTime Duration24h0m0scache expiration duration for a wasm module.
WASM_PURGE_INTERVALTime Duration1h0m0sinterval between checking the expiration of wasm modules
WORKLOAD_RSA_KEY_SIZEInteger2048Specify the RSA key size to use for workload certificates.
XDS_AUTHBooleantrueIf true, will authenticate XDS clients.
XDS_AUTH_PLAINTEXTBooleanfalseauthenticate plain text requests - used if Istiod is running on a secure/trusted network
XDS_AUTH_PROVIDERStringProvider for XDS auth
XDS_ROOT_CAStringExplicitly set the root CA to expect for the XDS connection.

Exported metrics

Metric NameTypeDescription
auto_registration_deletes_totalSumTotal number of auto registration cleaned up by periodic timer.
auto_registration_errors_totalSumTotal number of auto registration errors.
auto_registration_success_totalSumTotal number of successful auto registrations.
auto_registration_unregister_totalSumTotal number of unregistrations.
auto_registration_updates_totalSumTotal number of auto registration updates.
cert_expiry_secondsLastValueThe time remaining, in seconds, before the certificate chain will expire. A negative value indicates the cert is expired.
dns_requests_totalSumTotal number of DNS requests.
dns_upstream_failures_totalSumTotal number of DNS failures.
dns_upstream_request_duration_secondsDistributionTotal time in seconds Istio takes to get DNS response from upstream.
dns_upstream_requests_totalSumTotal number of DNS requests forwarded to upstream.
endpoint_no_podLastValueEndpoints without an associated pod.
envoy_connection_terminationsSumThe total number of connection errors from envoy
istio_buildLastValueIstio component build info
istiod_connection_failuresSumThe total number of connection failures to Istiod
istiod_connection_terminationsSumThe total number of connection errors to Istiod
num_failed_outgoing_requestsSumNumber of failed outgoing requests (e.g. to a token exchange server, CA, etc.)
num_file_secret_failures_totalSumNumber of times secret generation failed for files
num_file_watcher_failures_totalSumNumber of times file watcher failed to add watchers
num_outgoing_requestsSumNumber of total outgoing requests (e.g. to a token exchange server, CA, etc.)
num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.)
outgoing_latencySumThe latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds.
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_debounce_timeDistributionDelay in seconds between the first config enters debouncing and the merged push request is pushed into the push queue.
pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host
pilot_dns_cluster_without_endpointsLastValueDNS clusters without endpoints caused by the endpoint field in STRICT_DNS type cluster is not set or the corresponding subset cannot select any endpoint
pilot_duplicate_envoy_clustersLastValueDuplicate envoy clusters caused by service entries with same hostname
pilot_eds_no_instancesLastValueNumber of clusters without instances.
pilot_endpoint_not_readyLastValueEndpoint found in unready state.
pilot_envoy_filter_statusLastValueStatus of Envoy filters whether it was applied or errored.
pilot_inbound_updatesSumTotal number of updates received by pilot.
pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver
pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver
pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid.
pilot_proxy_convergence_timeDistributionDelay in seconds between config change and a proxy receiving all required configuration.
pilot_proxy_queue_timeDistributionTime in seconds, a proxy is in the push queue before being dequeued.
pilot_push_triggersSumTotal number of times a push was triggered, labeled by reason for the push.
pilot_pushcontext_init_secondsDistributionTotal time in seconds Pilot takes to init pushContext.
pilot_sds_certificate_errors_totalSumTotal number of failures to fetch SDS key and certificate.
pilot_servicesLastValueTotal services known to pilot.
pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore.
pilot_total_xds_internal_errorsSumTotal number of internal XDS errors in pilot.
pilot_total_xds_rejectsSumTotal number of XDS responses from pilot rejected by proxy.
pilot_virt_servicesLastValueTotal virtual services known to pilot.
pilot_vservice_dup_domainLastValueVirtual services with dup domains.
pilot_worker_queue_depthLastValueDepth of the controller queues
pilot_worker_queue_durationDistributionTime taken to process an item
pilot_worker_queue_latencyDistributionLatency before the item is processed
pilot_xdsLastValueNumber of endpoints connected to this pilot using XDS.
pilot_xds_cds_rejectLastValuePilot rejected CDS configs.
pilot_xds_config_size_bytesDistributionDistribution of configuration sizes pushed to clients
pilot_xds_eds_rejectLastValuePilot rejected EDS.
pilot_xds_expired_nonceSumTotal number of XDS requests with an expired nonce.
pilot_xds_lds_rejectLastValuePilot rejected LDS.
pilot_xds_push_context_errorsSumNumber of errors (timeouts) initiating push context.
pilot_xds_push_timeDistributionTotal time in seconds Pilot takes to push lds, rds, cds and eds.
pilot_xds_pushesSumPilot build and send errors for lds, rds, cds and eds.
pilot_xds_rds_rejectLastValuePilot rejected RDS.
pilot_xds_send_timeDistributionTotal time in seconds Pilot takes to send generated configuration.
pilot_xds_write_timeoutSumPilot XDS response write timeouts.
provider_lookup_cluster_failuresSumNumber of times a cluster lookup failed
scrape_failures_totalSumThe total number of failed scrapes.
scrapes_totalSumThe total number of scrapes.
startup_duration_secondsLastValueThe time from the process starting to being marked ready.
wasm_cache_entriesLastValuenumber of Wasm remote fetch cache entries.
wasm_cache_lookup_countSumnumber of Wasm remote fetch cache lookups.
wasm_config_conversion_countSumnumber of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint.
wasm_config_conversion_durationDistributionTotal time in milliseconds istio-agent spends on converting remote load in Wasm config.
wasm_remote_fetch_countSumnumber of Wasm remote fetches and results, including success, download failure, and checksum mismatch.
xds_cache_dependent_config_sizeLastValueCurrent size of dependent configs
xds_cache_evictionsSumTotal number of xds cache evictions.
xds_cache_readsSumTotal number of xds cache xdsCacheReads.
xds_cache_sizeLastValueCurrent size of xds cache
xds_proxy_requestsSumThe total number of Xds Proxy Requests
xds_proxy_responsesSumThe total number of Xds Proxy Responses
这些信息有用吗?
您是否有更多建议和改进意见?

感谢您的反馈!