Workload Selector
WorkloadSelector
WorkloadSelector specifies the criteria used to determine if a policy can be applied to a proxy. The matching criteria includes the metadata associated with a proxy, workload instance info such as labels attached to the pod/VM, or any other info that the proxy provides to Istio during the initial handshake. If multiple conditions are specified, all conditions need to match in order for the workload instance to be selected. Currently, only label based selection mechanism is supported.
| Field | Type | Description | Required |
|---|---|---|---|
matchLabels | map<string, string> | One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present. | Yes |
PortSelector
PortSelector is the criteria for specifying if a policy can be applied to a listener having a specific port.
| Field | Type | Description | Required |
|---|---|---|---|
number | uint32 | Port number | No |
WorkloadMode
WorkloadMode allows selection of the role of the underlying workload in network traffic. A workload is considered as acting as a SERVER if it is the destination of the traffic (that is, traffic direction, from the perspective of the workload is inbound). If the workload is the source of the network traffic, it is considered to be in CLIENT mode (traffic is outbound from the workload).
| Name | Description |
|---|---|
UNDEFINED | Default value, which will be interpreted by its own usage. |
CLIENT | Selects for scenarios when the workload is the source of the network traffic. In addition, if the workload is a gateway, selects this. |
SERVER | Selects for scenarios when the workload is the destination of the network traffic. |
CLIENT_AND_SERVER | Selects for scenarios when the workload is either the source or destination of the network traffic. |