pilot-discovery
Istio Pilot provides fleet-wide traffic management capabilities in the Istio Service Mesh.
Flags | Description |
---|---|
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-discovery completion
Generate the autocompletion script for pilot-discovery for the specified shell. See each sub-command's help for details on how to use the generated script.
Flags | Description |
---|---|
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-discovery completion bash
Generate the autocompletion script for the bash shell.
This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.
To load completions in your current shell session:
source <(pilot-discovery completion bash)
To load completions for every new session, execute once:
#### Linux:
pilot-discovery completion bash > /etc/bash_completion.d/pilot-discovery
#### macOS:
pilot-discovery completion bash > $(brew --prefix)/etc/bash_completion.d/pilot-discovery
You will need to start a new shell for this setup to take effect.
pilot-discovery completion bash
Flags | Description |
---|---|
--no-descriptions | disable completion descriptions |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-discovery completion fish
Generate the autocompletion script for the fish shell.
To load completions in your current shell session:
pilot-discovery completion fish | source
To load completions for every new session, execute once:
pilot-discovery completion fish > ~/.config/fish/completions/pilot-discovery.fish
You will need to start a new shell for this setup to take effect.
pilot-discovery completion fish [flags]
Flags | Description |
---|---|
--no-descriptions | disable completion descriptions |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-discovery completion powershell
Generate the autocompletion script for powershell.
To load completions in your current shell session:
pilot-discovery completion powershell | Out-String | Invoke-Expression
To load completions for every new session, add the output of the above command to your powershell profile.
pilot-discovery completion powershell [flags]
Flags | Description |
---|---|
--no-descriptions | disable completion descriptions |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-discovery completion zsh
Generate the autocompletion script for the zsh shell.
If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:
echo "autoload -U compinit; compinit" >> ~/.zshrc
To load completions in your current shell session:
source <(pilot-discovery completion zsh); compdef _pilot-discovery pilot-discovery
To load completions for every new session, execute once:
#### Linux:
pilot-discovery completion zsh > "${fpath[1]}/_pilot-discovery"
#### macOS:
pilot-discovery completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-discovery
You will need to start a new shell for this setup to take effect.
pilot-discovery completion zsh [flags]
Flags | Description |
---|---|
--no-descriptions | disable completion descriptions |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-discovery discovery
Start Istio proxy discovery service.
pilot-discovery discovery [flags]
Flags | Shorthand | Description |
---|---|---|
--caCertFile <string> | File containing the x509 Server CA Certificate (default ``) | |
--clusterAliases <stringToString> | Alias names for clusters (default `[]`) | |
--clusterID <string> | The ID of the cluster that this Istiod instance resides (default `Kubernetes`) | |
--clusterRegistriesNamespace <string> | Namespace for ConfigMap which stores clusters configs (default `istio-system`) | |
--configDir <string> | Directory to watch for updates to config yaml files. If specified, the files will be used as the source of config, rather than a CRD client. (default ``) | |
--ctrlz_address <string> | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) | |
--ctrlz_port <uint16> | The IP port to use for the ControlZ introspection facility (default `9876`) | |
--domain <string> | DNS domain suffix (default `cluster.local`) | |
--grpcAddr <string> | Discovery service gRPC address (default `:15010`) | |
--httpAddr <string> | Discovery service HTTP address (default `:8080`) | |
--httpsAddr <string> | Injection and validation service HTTPS address (default `:15017`) | |
--keepaliveInterval <duration> | The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`) | |
--keepaliveMaxServerConnectionAge <duration> | Maximum duration a connection will be kept open on the server before a graceful close. (default `2562047h47m16.854775807s`) | |
--keepaliveTimeout <duration> | After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default `10s`) | |
--kubeconfig <string> | Use a Kubernetes configuration file instead of in-cluster configuration (default ``) | |
--kubernetesApiBurst <int> | Maximum burst for throttle when communicating with the kubernetes API (default `160`) | |
--kubernetesApiQPS <float32> | Maximum QPS when communicating with the kubernetes API (default `80`) | |
--log_as_json | Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitor, pkica, pkira, processing, proxyconfig, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, telemetry, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] (default ``) | |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitor, pkica, pkira, processing, proxyconfig, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, telemetry, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> | The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitor, pkica, pkira, processing, proxyconfig, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, telemetry, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--meshConfig <string> | File name for Istio mesh configuration. If not specified, a default mesh will be used. (default `./etc/istio/config/mesh`) | |
--monitoringAddr <string> | HTTP address to use for pilot's self-monitoring information (default `:15014`) | |
--namespace <string> | -n | Select a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable (default `istio-system`) |
--networksConfig <string> | File name for Istio mesh networks configuration. If not specified, a default mesh networks will be used. (default `./etc/istio/config/meshNetworks`) | |
--profile | Enable profiling via web interface host:port/debug/pprof | |
--registries <stringSlice> | Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Mock}) (default `[Kubernetes]`) | |
--secureGRPCAddr <string> | Discovery service secured gRPC address (default `:15012`) | |
--shutdownDuration <duration> | Duration the discovery server needs to terminate gracefully (default `10s`) | |
--tls-cipher-suites <stringSlice> | Comma-separated list of cipher suites for istiod TLS server. If omitted, the default Go cipher suites will be used. Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384. Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA. (default `[]`) | |
--tlsCertFile <string> | File containing the x509 Server Certificate (default ``) | |
--tlsKeyFile <string> | File containing the x509 private key matching --tlsCertFile (default ``) | |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-discovery request
Makes an HTTP request to Pilot metrics/debug endpoint
pilot-discovery request <method> <path> [<body>] [flags]
Flags | Description |
---|---|
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-discovery version
Prints out build version information
pilot-discovery version [flags]
Flags | Shorthand | Description |
---|---|---|
--output <string> | -o | One of 'yaml' or 'json'. (default ``) |
--short | -s | Use --short=false to generate full version information |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
Environment variables
These environment variables affect the behavior of thepilot-discovery
command. Please use with caution as these environment variables are experimental and can change anytime.Variable Name | Type | Default Value | Description |
---|---|---|---|
AUDIENCE | String |
| Expected audience in the tokens. |
AUTO_RELOAD_PLUGIN_CERTS | Boolean | false | If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported. |
CERT_SIGNER_DOMAIN | String |
| The cert signer domain info |
CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATOR | Boolean | true | If true, set up a jitter to start root cert rotator. Jitter selects a backoff time in seconds to start root cert rotator, and the back off time is below root cert check interval. |
CITADEL_SELF_SIGNED_CA_CERT_TTL | Time Duration | 87600h0m0s | The TTL of self-signed CA root certificate. |
CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE | Integer | 2048 | Specify the RSA key size to use for self-signed Istio CA certificates. |
CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVAL | Time Duration | 1h0m0s | The interval that self-signed CA checks its root certificate expiration time and rotates root certificate. Setting this interval to zero or a negative value disables automated root cert check and rotation. This interval is suggested to be larger than 10 minutes. |
CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILE | Integer | 20 | Grace period percentile for self-signed root cert. |
CLOUD_PLATFORM | String |
| Cloud Platform on which proxy is running, if not specified, Istio will try to discover the platform. Valid platform values are aws, azure, gcp, none |
CLUSTER_ID | String | Kubernetes | Defines the cluster and service registry that this Istiod instance is belongs to |
DEFAULT_WORKLOAD_CERT_TTL | Time Duration | 24h0m0s | The default TTL of issued workload certificates. Applied when the client sets a non-positive TTL in the CSR. |
ENABLE_AUTO_MTLS_CHECK_POLICIES | Boolean | true | Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT. |
ENABLE_AUTO_SNI | Boolean | false | If enabled, automatically set SNI when `DestinationRules` do not specify the same |
ENABLE_CA_SERVER | Boolean | true | If this is set to false, will not create CA server in istiod. |
ENABLE_DEBUG_ON_HTTP | Boolean | true | If this is set to false, the debug interface will not be enabled, recommended for production |
ENABLE_ENHANCED_RESOURCE_SCOPING | Boolean | false | If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution. |
ENABLE_HCM_INTERNAL_NETWORKS | Boolean | false | If enable, endpoints defined in mesh networks will be configured as internal addresses in Http Connection Manager |
ENABLE_LEADER_ELECTION | Boolean | true | If enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election. |
ENABLE_LEGACY_FSGROUP_INJECTION | Boolean | false | If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is "first-party-jwt". |
ENABLE_LEGACY_LB_ALGORITHM_DEFAULT | Boolean | false | If enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used. |
ENABLE_MCS_AUTO_EXPORT | Boolean | false | If enabled, istiod will automatically generate Kubernetes Multi-Cluster Services (MCS) ServiceExport resources for every service in the mesh. Services defined to be cluster-local in MeshConfig are excluded. |
ENABLE_MCS_CLUSTER_LOCAL | Boolean | false | If enabled, istiod will treat the host `<svc>.<namespace>.svc.cluster.local` as defined by the Kubernetes Multi-Cluster Services (MCS) spec. In this mode, requests to `cluster.local` will be routed to only those endpoints residing within the same cluster as the client. Requires that both ENABLE_MCS_SERVICE_DISCOVERY and ENABLE_MCS_HOST also be enabled. |
ENABLE_MCS_HOST | Boolean | false | If enabled, istiod will configure a Kubernetes Multi-Cluster Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) for each service exported (via ServiceExport) in at least one cluster. Clients must, however, be able to successfully lookup these DNS hosts. That means that either Istio DNS interception must be enabled or an MCS controller must be used. Requires that ENABLE_MCS_SERVICE_DISCOVERY also be enabled. |
ENABLE_MCS_SERVICE_DISCOVERY | Boolean | false | If enabled, istiod will enable Kubernetes Multi-Cluster Services (MCS) service discovery mode. In this mode, service endpoints in a cluster will only be discoverable within the same cluster unless explicitly exported via ServiceExport. |
ENABLE_MULTICLUSTER_HEADLESS | Boolean | true | If true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster. |
ENABLE_PROBE_KEEPALIVE_CONNECTIONS | Boolean | false | If enabled, readiness probes will keep the connection from pilot-agent to the application alive. This mirrors older Istio versions' behaviors, but not kubelet's. |
ENABLE_TLS_ON_SIDECAR_INGRESS | Boolean | false | If enabled, the TLS configuration on Sidecar.ingress will take effect |
ENABLE_WASM_TELEMETRY | Boolean | false | If enabled, Wasm-based telemetry will be enabled. |
EXTERNAL_CA | String |
| External CA Integration Type. Permitted Values are ISTIOD_RA_KUBERNETES_API or ISTIOD_RA_ISTIO_API |
EXTERNAL_ISTIOD | Boolean | false | If this is set to true, one Istiod will control remote clusters including CA. |
GCP_METADATA | String |
| Pipe separated GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE |
GCP_QUOTA_PROJECT | String |
| Allows specification of a quota project to be used in requests to GCP APIs. |
GRPC_KEEPALIVE_INTERVAL | Time Duration | 30s | gRPC Keepalive Interval |
GRPC_KEEPALIVE_TIMEOUT | Time Duration | 10s | gRPC Keepalive Timeout |
HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLED | Boolean | true | |
INJECTION_WEBHOOK_CONFIG_NAME | String | istio-sidecar-injector | Name of the mutatingwebhookconfiguration to patch, if istioctl is not used. |
INJECT_ENABLED | Boolean | true | Enable mutating webhook handler. |
ISTIOD_CUSTOM_HOST | String |
| Custom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas. |
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSION | Boolean | true | If enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file. |
ISTIO_BOOTSTRAP | String |
| |
ISTIO_DEFAULT_REQUEST_TIMEOUT | Time Duration | 0s | Default Http and gRPC Request timeout |
ISTIO_DELTA_XDS | Boolean | false | If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas. |
ISTIO_DUAL_STACK | Boolean | false | If enabled, pilot will configure clusters/listeners/routes for dual stack capability. |
ISTIO_ENABLE_HTTP2_PROBING | Boolean | true | If enabled, HTTP2 probes will be enabled for HTTPS probes, following Kubernetes |
ISTIO_ENABLE_OPTIMIZED_SERVICE_PUSH | Boolean | true | If enabled, Istiod will not push changes on arbitraty annotation change. |
ISTIO_GATEWAY_STRIP_HOST_PORT | Boolean | false | If enabled, Gateway will remove any port from host/authority header before any processing of request by HTTP filters or routing. Deprecated: in Istio 1.15+ port is ignored in domain matching. |
ISTIO_GPRC_MAXRECVMSGSIZE | Integer | 4194304 | Sets the max receive buffer size of gRPC stream in bytes. |
ISTIO_GPRC_MAXSTREAMS | Integer | 100000 | Sets the maximum number of concurrent grpc streams. |
ISTIO_MULTIROOT_MESH | Boolean | false | If enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS |
ISTIO_PROMETHEUS_ANNOTATIONS | String |
| |
JWT_POLICY | String | third-party-jwt | The JWT validation policy. |
JWT_RULE | String |
| The JWT rule used by istiod authentication |
K8S_INGRESS_NS | String |
| |
K8S_SIGNER | String |
| Kubernates CA Signer type. Valid from Kubernates 1.18 |
KUBERNETES_SERVICE_HOST | String |
| Kubernetes service host, set automatically when running in-cluster |
K_REVISION | String |
| KNative revision, set if running in knative |
LABEL_CANONICAL_SERVICES_FOR_MESH_EXTERNAL_SERVICE_ENTRIES | Boolean | false | If enabled, metadata representing canonical services for ServiceEntry resources with a location of mesh_external will be populatedin the cluster metadata for those endpoints. |
LOCAL_CLUSTER_SECRET_WATCHER | Boolean | false | If enabled, the cluster secret watcher will watch the namespace of the external cluster instead of config cluster |
MAX_WORKLOAD_CERT_TTL | Time Duration | 2160h0m0s | The max TTL of issued workload certificates. |
MCS_API_GROUP | String | multicluster.x-k8s.io | The group to be used for the Kubernetes Multi-Cluster Services (MCS) API. |
MCS_API_VERSION | String | v1alpha1 | The version to be used for the Kubernets Multi-Cluster Services (MCS) API. |
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE | Boolean | false | If set, it allows creating inbound listeners for service ports and sidecar ingress listeners |
PILOT_ANALYSIS_INTERVAL | Time Duration | 10s | If analysis is enabled, pilot will run istio analyzers using this value as interval in seconds Istio Resources |
PILOT_CERT_PROVIDER | String | istiod | The provider of Pilot DNS certificate. |
PILOT_DEBOUNCE_AFTER | Time Duration | 100ms | The delay added to config/registry events for debouncing. This will delay the push by at least this interval. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX. |
PILOT_DEBOUNCE_MAX | Time Duration | 10s | The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push. |
PILOT_DISTRIBUTION_HISTORY_RETENTION | Time Duration | 1m0s | If enabled, Pilot will keep track of old versions of distributed config for this duration. |
PILOT_DRAINING_LABEL | String | istio.io/draining | If not empty, endpoints with the label value present will be sent with status DRAINING. |
PILOT_ENABLE_ALPN_FILTER | Boolean | true | If true, pilot will add Istio ALPN filters, required for proper protocol sniffing. |
PILOT_ENABLE_ANALYSIS | Boolean | false | If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources |
PILOT_ENABLE_CDS_CACHE | Boolean | true | If true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE. |
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING | Boolean | false | If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface. |
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY | Boolean | true | If enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster. |
PILOT_ENABLE_DESTINATION_RULE_INHERITANCE | Boolean | false | If set, workload specific DestinationRules will inherit configurations settings from mesh and namespace level rules |
PILOT_ENABLE_EDS_DEBOUNCE | Boolean | true | If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled |
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES | Boolean | false | If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar. |
PILOT_ENABLE_GATEWAY_API | Boolean | true | If this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed. |
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER | Boolean | true | If this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc |
PILOT_ENABLE_GATEWAY_API_STATUS | Boolean | true | If this is set to true, gateway-api resources will have status written to them |
PILOT_ENABLE_HBONE | Boolean | false | If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag. |
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS | Boolean | true | If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
PILOT_ENABLE_INBOUND_PASSTHROUGH | Boolean | true | If enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration. |
PILOT_ENABLE_ISTIO_TAGS | Boolean | true | Determines whether or not trace spans generated by Envoy will include Istio-specific tags. |
PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES | Boolean | true | If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don't need this feature |
PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH | Boolean | false | If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future. |
PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME | Boolean | false | If enabled, Gateway's with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration. |
PILOT_ENABLE_METADATA_EXCHANGE | Boolean | true | If true, pilot will add metadata exchange filters, which will be consumed by telemetry filter. |
PILOT_ENABLE_MONGO_FILTER | Boolean | true | EnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain. |
PILOT_ENABLE_MYSQL_FILTER | Boolean | false | EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain. |
PILOT_ENABLE_PERSISTENT_SESSION_FILTER | Boolean | false | If enabled, Istiod sets up persistent session filter for listeners, if services have 'PILOT_PERSISTENT_SESSION_LABEL' set. |
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND | Boolean | true | If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported |
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND | Boolean | true | If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported |
PILOT_ENABLE_QUIC_LISTENERS | Boolean | false | If true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP) |
PILOT_ENABLE_RDS_CACHE | Boolean | true | If true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE. |
PILOT_ENABLE_REDIS_FILTER | Boolean | false | EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain. |
PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATION | Boolean | true | If true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization. |
PILOT_ENABLE_SERVICEENTRY_SELECT_PODS | Boolean | true | If enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature |
PILOT_ENABLE_STATUS | Boolean | false | If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status. |
PILOT_ENABLE_TELEMETRY_LABEL | Boolean | true | If true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter. |
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION | Boolean | true | Enables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload. |
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKS | Boolean | true | Enables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup |
PILOT_ENABLE_XDS_CACHE | Boolean | true | If true, Pilot will cache XDS responses. |
PILOT_ENABLE_XDS_IDENTITY_CHECK | Boolean | true | If enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for. |
PILOT_ENDPOINT_TELEMETRY_LABEL | Boolean | true | If true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter. |
PILOT_ENVOY_FILTER_STATS | Boolean | false | If true, Pilot will collect metrics for envoy filter operations. |
PILOT_FILTER_GATEWAY_CLUSTER_CONFIG | Boolean | false | If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway |
PILOT_HTTP10 | Boolean | false | Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications. |
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT | Time Duration | 1s | Protocol detection timeout for inbound listener |
PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS | String |
| Comma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication.Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), `clientKey`, `clientCertificate`, `tokenFile`, and `exec`. |
PILOT_JWT_ENABLE_REMOTE_JWKS | Boolean | false | If enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL and configures remote Jwks to let Envoy fetch the Jwks instead of Istiod. |
PILOT_JWT_PUB_KEY_REFRESH_INTERVAL | Time Duration | 20m0s | The interval for istiod to fetch the jwks_uri for the jwks public key. |
PILOT_LEGACY_INGRESS_BEHAVIOR | Boolean | false | If this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches. |
PILOT_MAX_REQUESTS_PER_SECOND | Floating-Point | 25 | Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently. |
PILOT_PARTIAL_FULL_PUSHES | Boolean | true | If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting. |
PILOT_PERSISTENT_SESSION_LABEL | String | istio.io/persistent-session | If not empty, services with this label will use persistent sessions |
PILOT_PUSH_THROTTLE | Integer | 100 | Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes |
PILOT_REMOTE_CLUSTER_TIMEOUT | Time Duration | 30s | After this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior. |
PILOT_SCOPE_GATEWAY_TO_NAMESPACE | Boolean | false | If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable. |
PILOT_SEND_UNHEALTHY_ENDPOINTS | Boolean | false | If enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing. To avoid, sending traffic to non ready endpoints, enabling this flag, disables panic threshold in Envoy i.e. Envoy does not load balance requests to unhealthy/non-ready hosts even if the percentage of healthy hosts fall below minimum health percentage(panic threshold). |
PILOT_SIDECAR_USE_REMOTE_ADDRESS | Boolean | false | UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners. |
PILOT_SKIP_VALIDATE_TRUST_DOMAIN | Boolean | false | Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy |
PILOT_STATUS_BURST | Integer | 500 | If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst |
PILOT_STATUS_MAX_WORKERS | Integer | 100 | The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments. |
PILOT_STATUS_QPS | Integer | 100 | If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS |
PILOT_STATUS_UPDATE_INTERVAL | Time Duration | 500ms | Interval to update the XDS distribution status. |
PILOT_TRACE_SAMPLING | Floating-Point | 1 | Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0. |
PILOT_USE_ENDPOINT_SLICE | Boolean | false | If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used |
PILOT_WORKLOAD_ENTRY_GRACE_PERIOD | Time Duration | 10s | The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up. |
PILOT_XDS_CACHE_SIZE | Integer | 60000 | The maximum number of cache entries for the XDS cache. |
PILOT_XDS_CACHE_STATS | Boolean | false | If true, Pilot will collect metrics for XDS cache efficiency. |
PILOT_XDS_SEND_TIMEOUT | Time Duration | 0s | The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push. |
POD_NAME | String |
| |
POD_NAMESPACE | String | istio-system | |
PRIORITIZED_LEADER_ELECTION | Boolean | true | If enabled, the default revision will steal leader locks from non-default revisions |
REQUIRE_3P_TOKEN | Boolean | false | Reject k8s default tokens, without audience. If false, default K8S token will be accepted |
RESOLVE_HOSTNAME_GATEWAYS | Boolean | true | If true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways. |
REVISION | String |
| |
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION | Boolean | false | If enabled, readiness probes will be sent to 'localhost'. Otherwise, they will be sent to the Pod's IP, matching Kubernetes' behavior. |
REWRITE_TCP_PROBES | Boolean | true | If false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used. |
ROOT_CA_DIR | String | ./etc/cacerts | Location of a local or mounted CA root |
SHARED_MESH_CONFIG | String |
| Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence. |
SIDECAR_IGNORE_PORT_IN_HOST_MATCH | Boolean | true | If enabled, port will not be used in vhost domain matches. |
SPIFFE_BUNDLE_ENDPOINTS | String |
| The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar |
TOKEN_AUDIENCES | String | istio-ca | A list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences |
TOKEN_ISSUER | String |
| OIDC token issuer. If set, will be used to check the tokens. |
TRUSTED_GATEWAY_CIDR | String |
| If set, any connections from gateway to Istiod with this CIDR range are treated as trusted for using authentication mechanisms like XFCC. This can only be used when the network where Istiod and the authenticating gateways are running in a trusted/secure network |
UNSAFE_ENABLE_ADMIN_ENDPOINTS | Boolean | false | If this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production. |
UNSAFE_PILOT_ENABLE_DELTA_TEST | Boolean | false | If enabled, addition runtime tests for Delta XDS efficiency are added. These checks are extremely expensive, so this should be used only for testing, not production. |
UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONS | Boolean | false | If enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing. |
USE_REMOTE_CERTS | Boolean | false | Whether to try to load CA certs from config Kubernetes cluster. Used for external Istiod. |
VALIDATION_WEBHOOK_CONFIG_NAME | String | istio-istio-system | If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment. |
VERIFY_CERTIFICATE_AT_CLIENT | Boolean | false | If enabled, certificates received by the proxy will be verified against the OS CA certificate bundle. |
VERIFY_SDS_CERTIFICATE | Boolean | true | If enabled, certificates fetched from SDS server will be verified before sending back to proxy. |
XDS_AUTH | Boolean | true | If true, will authenticate XDS clients. |
XDS_AUTH_PLAINTEXT | Boolean | false | Authenticate plain text requests - used if Istiod is running on a secure/trusted network |
Exported metrics
Metric Name | Type | Description |
---|---|---|
auto_registration_deletes_total | Sum | Total number of auto registration cleaned up by periodic timer. |
auto_registration_errors_total | Sum | Total number of auto registration errors. |
auto_registration_success_total | Sum | Total number of successful auto registrations. |
auto_registration_unregister_total | Sum | Total number of unregistrations. |
auto_registration_updates_total | Sum | Total number of auto registration updates. |
citadel_server_authentication_failure_count | Sum | The number of authentication failures. |
citadel_server_cert_chain_expiry_timestamp | LastValue | The unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired. |
citadel_server_csr_count | Sum | The number of CSRs received by Citadel server. |
citadel_server_csr_parsing_err_count | Sum | The number of errors occurred when parsing the CSR. |
citadel_server_csr_sign_err_count | Sum | The number of errors occurred when signing the CSR. |
citadel_server_id_extraction_err_count | Sum | The number of errors occurred when extracting the ID from CSR. |
citadel_server_root_cert_expiry_timestamp | LastValue | The unix timestamp, in seconds, when Citadel root cert will expire. A negative time indicates the cert is expired. |
citadel_server_success_cert_issuance_count | Sum | The number of certificates issuances that have succeeded. |
controller_sync_errors_total | Sum | Total number of errorMetric syncing controllers. |
endpoint_no_pod | LastValue | Endpoints without an associated pod. |
galley_validation_config_delete_error | Count | k8s webhook configuration delete error |
galley_validation_config_load | Count | k8s webhook configuration (re)loads |
galley_validation_config_load_error | Count | k8s webhook configuration (re)load error |
galley_validation_config_update_error | Count | k8s webhook configuration update error |
galley_validation_config_updates | Count | k8s webhook configuration updates |
galley_validation_failed | Sum | Resource validation failed |
galley_validation_http_error | Sum | Resource validation http serve errors |
galley_validation_passed | Sum | Resource is valid |
istio_build | LastValue | Istio component build info |
istiod_managed_clusters | LastValue | Number of clusters managed by istiod |
num_outgoing_retries | Sum | Number of outgoing retry requests (e.g. to a token exchange server, CA, etc.) |
pilot_conflict_inbound_listener | LastValue | Number of conflicting inbound listeners. |
pilot_conflict_outbound_listener_http_over_current_tcp | LastValue | Number of conflicting wildcard http listeners with current wildcard tcp listener. |
pilot_conflict_outbound_listener_tcp_over_current_http | LastValue | Number of conflicting wildcard tcp listeners with current wildcard http listener. |
pilot_conflict_outbound_listener_tcp_over_current_tcp | LastValue | Number of conflicting tcp listeners with current tcp listener. |
pilot_debounce_time | Distribution | Delay in seconds between the first config enters debouncing and the merged push request is pushed into the push queue. |
pilot_destrule_subsets | LastValue | Duplicate subsets across destination rules for same host |
pilot_duplicate_envoy_clusters | LastValue | Duplicate envoy clusters caused by service entries with same hostname |
pilot_eds_no_instances | LastValue | Number of clusters without instances. |
pilot_endpoint_not_ready | LastValue | Endpoint found in unready state. |
pilot_inbound_updates | Sum | Total number of updates received by pilot. |
pilot_jwks_resolver_network_fetch_fail_total | Sum | Total number of failed network fetch by pilot jwks resolver |
pilot_jwks_resolver_network_fetch_success_total | Sum | Total number of successfully network fetch by pilot jwks resolver |
pilot_k8s_cfg_events | Sum | Events from k8s config. |
pilot_k8s_endpoints_pending_pod | LastValue | Number of endpoints that do not currently have any corresponding pods. |
pilot_k8s_endpoints_with_no_pods | Sum | Endpoints that does not have any corresponding pods. |
pilot_k8s_reg_events | Sum | Events from k8s registry. |
pilot_no_ip | LastValue | Pods not found in the endpoint table, possibly invalid. |
pilot_proxy_convergence_time | Distribution | Delay in seconds between config change and a proxy receiving all required configuration. |
pilot_proxy_queue_time | Distribution | Time in seconds, a proxy is in the push queue before being dequeued. |
pilot_push_triggers | Sum | Total number of times a push was triggered, labeled by reason for the push. |
pilot_pushcontext_init_seconds | Distribution | Total time in seconds Pilot takes to init pushContext. |
pilot_sds_certificate_errors_total | Sum | Total number of failures to fetch SDS key and certificate. |
pilot_services | LastValue | Total services known to pilot. |
pilot_total_rejected_configs | Sum | Total number of configs that Pilot had to reject or ignore. |
pilot_total_xds_internal_errors | Sum | Total number of internal XDS errors in pilot. |
pilot_total_xds_rejects | Sum | Total number of XDS responses from pilot rejected by proxy. |
pilot_virt_services | LastValue | Total virtual services known to pilot. |
pilot_vservice_dup_domain | LastValue | Virtual services with dup domains. |
pilot_xds | LastValue | Number of endpoints connected to this pilot using XDS. |
pilot_xds_cds_reject | LastValue | Pilot rejected CDS configs. |
pilot_xds_config_size_bytes | Distribution | Distribution of configuration sizes pushed to clients |
pilot_xds_eds_reject | LastValue | Pilot rejected EDS. |
pilot_xds_expired_nonce | Sum | Total number of XDS requests with an expired nonce. |
pilot_xds_lds_reject | LastValue | Pilot rejected LDS. |
pilot_xds_push_context_errors | Sum | Number of errors (timeouts) initiating push context. |
pilot_xds_push_time | Distribution | Total time in seconds Pilot takes to push lds, rds, cds and eds. |
pilot_xds_pushes | Sum | Pilot build and send errors for lds, rds, cds and eds. |
pilot_xds_rds_reject | LastValue | Pilot rejected RDS. |
pilot_xds_send_time | Distribution | Total time in seconds Pilot takes to send generated configuration. |
pilot_xds_write_timeout | Sum | Pilot XDS response write timeouts. |
remote_cluster_sync_timeouts_total | Sum | Number of times remote clusters took too long to sync, causing slow startup that excludes remote clusters. |
scrape_failures_total | Sum | The total number of failed scrapes. |
scrapes_total | Sum | The total number of scrapes. |
sidecar_injection_failure_total | Sum | Total number of failed sidecar injection requests. |
sidecar_injection_requests_total | Sum | Total number of sidecar injection requests. |
sidecar_injection_skip_total | Sum | Total number of skipped sidecar injection requests. |
sidecar_injection_success_total | Sum | Total number of successful sidecar injection requests. |
startup_duration_seconds | LastValue | The time from the process starting to being marked ready. |
wasm_cache_entries | LastValue | number of Wasm remote fetch cache entries. |
wasm_cache_lookup_count | Sum | number of Wasm remote fetch cache lookups. |
wasm_config_conversion_count | Sum | number of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint. |
wasm_config_conversion_duration | Distribution | Total time in milliseconds istio-agent spends on converting remote load in Wasm config. |
wasm_remote_fetch_count | Sum | number of Wasm remote fetches and results, including success, download failure, and checksum mismatch. |
webhook_patch_attempts_total | Sum | Webhook patching attempts |
webhook_patch_failures_total | Sum | Webhook patching total failures |
webhook_patch_retries_total | Sum | Webhook patching retries |