Istio control interface
Istio configuration command line utility.
Create, list, modify, and delete configuration resources in the Istio system.
Available routing and traffic management configuration types:
[destination-policy ingress-rule route-rule]
See here for an overview of routing rules and destination policies.
More information on Mixer’s API configuration can be found under the istioctl mixer command documentation.
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Generate bash completion for Istioctl
Output shell completion code for the bash shell. The shell output must be evaluated to provide interactive completion of istioctl commands.
istioctl completion
# Add the following to .bash_profile.
source <(istioctl completion)
# Create a separate completion file and source that from .bash_profile
istioctl completion > ~/.istioctl-complete.bash
echo "source ~/.istioctl-complete.bash" >> ~/.bash_profile
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Create policies and rules
Create policies and rules
istioctl create
istioctl create -f example-routing.yaml
-f, --file string Input file with the content of the configuration objects (if not set, command reads from the standard input)
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Delete policies or rules
Delete policies or rules
istioctl delete
# Delete a rule using the definition in example-routing.yaml.
istioctl delete -f example-routing.yaml
# Delete the rule productpage-default
istioctl delete route-rule productpage-default
-f, --file string Input file with the content of the configuration objects (if not set, command reads from the standard input)
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Retrieve policies and rules
Retrieve policies and rules
istioctl get
# List all route rules
istioctl get route-rules
# List all destination policies
istioctl get destination-policies
# Get a specific rule named productpage-default
istioctl get route-rule productpage-default
-o, --output string Output format. One of:yaml|short (default "short")
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Inject Envoy sidecar into Kubernetes pod resources
Automatic Envoy sidecar injection via k8s admission controller is not ready yet. Instead, use kube-inject to manually inject Envoy sidecar into Kubernetes resource files. Unsupported resources are left unmodified so it is safe to run kube-inject over a single file that contains multiple Service, ConfigMap, Deployment, etc. definitions for a complex application. Its best to do this when the resource is initially created.
k8s.io/docs/concepts/workloads/pods/pod-overview/#pod-templates is updated for Job, DaemonSet, ReplicaSet, and Deployment YAML resource documents. Support for additional pod-based resource types can be added as necessary.
The Istio project is continually evolving so the Istio sidecar configuration may change unannounced. When in doubt re-run istioctl kube-inject on deployments to get the most up-to-date changes.
istioctl kube-inject
# Update resources on the fly before applying.
kubectl apply -f <(istioctl kube-inject -f <resource.yaml>)
# Create a persistent version of the deployment with Envoy sidecar
# injected. This is particularly useful to understand what is
# being injected before committing to Kubernetes API server.
istioctl kube-inject -f deployment.yaml -o deployment-with-istio.yaml
# Update an existing deployment.
kubectl get deployment -o yaml | istioctl kube-inject -f - | kubectl apply -f -
--coreDump Enable/Disable core dumps in injected Envoy sidecar (--coreDump=true affects all pods in a node and should only be used the cluster admin) (default true)
-f, --filename string Input Kubernetes resource filename
--hub string Docker hub
--includeIPRanges string Comma separated list of IP ranges in CIDR form. If set, only redirect outbound traffic to Envoy for IP ranges. Otherwise all outbound traffic is redirected
--meshConfig string ConfigMap name for Istio mesh configuration, key should be "mesh" (default "istio")
-o, --output string Modified output Kubernetes resource filename
--setVersionString string Override version info injected into resource
--sidecarProxyUID int Envoy sidecar UID (default 1337)
--tag string Docker tag
--verbosity int Runtime verbosity (default 2)
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Istio Mixer configuration
The Mixer configuration API allows users to configure all facets of the Mixer.
See mixer-config for a description of Mixer configuration’s scope, subject, and rules.
--mixer string (deprecated) Address of the Mixer configuration server as <host>:<port>
--mixerAPIService string Name of istio-mixer service. When --kube=false this sets Mixer's address (default "istio-mixer:9094")
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Create Istio Mixer rules
Create Istio Mixer rules
istioctl mixer rule create
# Create a new Mixer rule for the given scope and subject.
istioctl mixer rule create global myservice.ns.svc.cluster.local -f mixer-rule.yml
-f, --file string Input file with contents of the Mixer rule
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
--mixer string (deprecated) Address of the Mixer configuration server as <host>:<port>
--mixerAPIService string Name of istio-mixer service. When --kube=false this sets the Mixer's address (default
"istio-mixer:9094")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Get Istio Mixer rules
Get a Mixer rule for a given scope and subject.
istioctl mixer rule get
# Get the Mixer rule with scope='global' and subject='myservice.ns.svc.cluster.local'
istioctl mixer rule get global myservice.ns.svc.cluster.local
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
--mixer string (deprecated) Address of the Mixer configuration server as <host>:<port>
--mixerAPIService string Name of istio-mixer service. When --kube=false this sets Mixer's address (default
"istio-mixer:9094")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Istio Mixer Rule configuration
Create and list Mixer rules in the configuration server.
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
--mixer string (deprecated) Address of the Mixer configuration server as <host>:<port>
--mixerAPIService string Name of istio-mixer service. When --kube=false this sets Mixer's address (default "istio-mixer:9094")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Replace existing policies and rules
Replace existing policies and rules
istioctl replace
istioctl replace -f example-routing.yaml
-f, --file string Input file with the content of the configuration objects (if not set, command reads from the standard input)
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Display version information and exit
Display version information and exit
istioctl version
--kube Use Kubernetes client to send API requests to Pilot service (default true)
-c, --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--configAPIservice string Name of Pilot service. When --kube=false this sets the address of the Pilot service (default "istio-pilot:8081")
-n, --namespace string Select a Kubernetes namespace (default "default")
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging