Service Mesh

Address of the server that will be used by the proxies for policy check calls. By using different names for mixerCheckServer and mixerReportServer, it is possible to have one set of mixer servers handle policy check calls while another set of mixer servers handle telemetry calls.

NOTE: Omitting mixerCheckServer while specifying mixerReportServer is equivalent to setting disablePolicyChecks to true.

Address of the server that will be used by the proxies for policy report calls.

Disable policy checks by the mixer service. Default is false, i.e. mixer policy check is enabled by default.

Port on which Envoy should listen for incoming connections from other services.

Port on which Envoy should listen for HTTP PROXY requests if set.

Connection timeout used by Envoy. (MUST BE >=1ms)

Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of “kubernetes.io/ingress.class” annotation.

Name of the kubernetes service used for the istio ingress controller.

Defines whether to use Istio ingress controller for annotated or all ingress resources.

Polling interval for RDS (MUST BE >=1ms)

Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.

File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.

Default proxy config used by the proxy injection mechanism operating in the mesh (e.g. Kubernetes admission controller) In case of Kubernetes, the proxy config is applied once during the injection process, and remain constant for the duration of the pod. The rest of the mesh config can be changed at runtime and config gets distributed dynamically.

List of remote services for which mTLS authentication should not be expected by Istio . Typically, these are control services (e.g kubernetes API server) that don’t have Istio sidecar to transparently terminate mTLS authentication. It has no effect if the authentication policy is already ‘NONE’. DO NOT use this setting for services that are managed by Istio (i.e. using Istio sidecar). Instead, use service-level annotations to overwrite the authentication policy.

DEPRECATED. Mixer address. This option will be removed soon. Please use mixercheck and mixerreport.

Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory.

Path to the proxy binary

Service cluster defines the name for the service_cluster that is shared by all Envoy instances. This setting corresponds to –service-cluster flag in Envoy. In a typical Envoy deployment, the service-cluster flag is used to identify the caller, for source-based routing scenarios.

Since Istio does not assign a local service/service version to each Envoy instance, the name is same for all of them. However, the source/caller’s identity (e.g., IP address) is encoded in the –service-node flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the service-node flag to compute routes that are relative to the service instances located at that IP address.

The time in seconds that Envoy will drain connections during a hot restart. MUST be >=1s (e.g., 1s/1m/1h)

The time in seconds that Envoy will wait before shutting down the parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h). MUST BE greater than drainduration_ parameter.

Address of the discovery service exposing xDS with mTLS connection.

Polling interval for service discovery (used by EDS, CDS, LDS, but not RDS). (MUST BE >=1ms)

Address of the Zipkin service (e.g. zipkin:9411).

Connection timeout used by Envoy for supporting services. (MUST BE >=1ms)

IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

Port on which Envoy should listen for administrative commands.

The availability zone where this Envoy instance is running. When running Envoy as a sidecar in Kubernetes, this flag must be one of the availability zones assigned to a node using failure-domain.beta.kubernetes.io/zone annotation.

Authentication policy defines the global switch to control authentication for Envoy-to-Envoy communication for istio components Mixer and Pilot.

File path of custom proxy configuration, currently used by proxies in front of Mixer and Pilot.

Maximum length of name field in Envoy’s metrics. The length of the name field is determined by the length of a name field in a service and the set of labels that comprise a particular version of the service. The default value is set to 189 characters. Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.

The number of worker threads to run. Default value is number of cores on the machine.

Path to the proxy bootstrap template file