Resource Labels
This page presents the various resource labels that Istio supports to control its behavior.
Label Name | Feature Status | Resource Types | Description |
---|---|---|---|
istio.io/rev | Alpha | [Namespace] | Istio control plane revision associated with the resource; e.g. `canary` |
service.istio.io/canonical-name | Alpha | [Pod] | The name of the canonical service a workload belongs to |
service.istio.io/canonical-revision | Alpha | [Pod] | The name of a revision within a canonical service that the workload belongs to |
topology.istio.io/cluster | Alpha | [Pod] | A workload label that indicates the name of the cluster that contains the workload. This is typically configured during control plane installation, using either an auto-generated or admin-specified value. Setting this allows workload selection by cluster. For example, a service owner could create a DestinationRule containing a subset per cluster and then use these subsets to control traffic flow to each cluster independently. |
topology.istio.io/network | Beta | [Namespace Pod Service] | A label used to identify the network for one or more pods. This is used internally by Istio to group pods resident in the same L3 domain/network. Istio assumes that pods in the same network are directly reachable from one another. When pods are in different networks, an Istio Gateway (e.g. east-west gateway) is typically used to establish connectivity (with AUTO_PASSTHROUGH mode). This label can be applied to the following resources to help automate Istio's multi-network configuration. * Istio System Namespace: Applying this label to the system namespace establishes a default network for pods managed by the control plane. This is typically configured during control plane installation using an admin-specified value. * Pod: Applying this label to a pod allows overriding the default network on a per-pod basis. This is typically applied to the pod via webhook injection, but can also be manually specified on the pod by the service owner. The Istio installation in each cluster configures webhook injection using an admin-specified value. * Gateway Service: Applying this label to the Service for an Istio Gateway indicates that Istio should use this service as the gateway for the network when configuring cross-network traffic. Istio will configure pods residing outside of the network to access the Gateway service via `spec.externalIPs`, `status.loadBalancer.ingress[].ip`, or in the case of a NodePort service, the Node's address. The label is configured when installing the gateway (e.g. east-west gateway) and should match either the default network for the control plane (as specified by the Istio System Namespace label) or the network of the targeted pods. |
topology.istio.io/subzone | Beta | [Node] | User-provided node label for identifying the locality subzone of a workload. This allows admins to specify a more granular level of locality than what is offered by default with Kubernetes regions and zones. |
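
The per-cluster subsets described for `topology.istio.io/cluster`, shown as an added example that is not part of the original page. The host `reviews.default.svc.cluster.local`, the cluster names `cluster-east` and `cluster-west`, the resource names and the 90/10 split are assumed values.

```yaml
# Added example; host, cluster names, resource names and weights are assumed.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews-per-cluster
  namespace: default
spec:
  host: reviews.default.svc.cluster.local
  subsets:
  # Each subset selects the pods whose topology.istio.io/cluster label
  # carries the name of one cluster.
  - name: cluster-east
    labels:
      topology.istio.io/cluster: cluster-east
  - name: cluster-west
    labels:
      topology.istio.io/cluster: cluster-west
---
# Routes traffic to each cluster's subset independently.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews-per-cluster
  namespace: default
spec:
  hosts:
  - reviews.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: reviews.default.svc.cluster.local
        subset: cluster-east
      weight: 90
    - destination:
        host: reviews.default.svc.cluster.local
        subset: cluster-west
      weight: 10
```

The subset label values have to match the cluster names set during control plane installation, whether auto-generated or admin-specified; a subset whose label matches no pods selects no endpoints.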