Attribute Vocabulary

Attributes are a central concept used throughout Istio. You can find a description of what attributes are and what they are used for here.

A given Istio deployment has a fixed vocabulary of attributes that it understands. The specific vocabulary is determined by the set of attribute producers being used in the deployment. The primary attribute producer in Istio is Envoy, although Mixer and services can also introduce attributes.

The table below shows the set of canonical attributes and their respective types. Most Istio deployments will have agents (Envoy or Mixer adapters) that produce these attributes.

NameTypeDescriptionKubernetes Example
source.uidstringPlatform-specific unique identifier for the source workload instance.kubernetes://redis-master-2353460263-1ecey.my-namespace
source.ipip_addressSource workload instance IP address.10.0.0.117
source.labelsmap[string, string]A map of key-value pairs attached to the source instance.version => v1
source.namestringSource workload instance name.redis-master-2353460263-1ecey
source.namespacestringSource workload instance namespace.my-namespace
source.principalstringAuthority under which the source workload instance is running.service-account-foo
source.ownerstringReference to the workload controlling the source workload instance.kubernetes://apis/extensions/v1beta1/namespaces/istio-system/deployments/istio-policy
source.workload.uidstringUnique identifier of the source workload.istio://istio-system/workloads/istio-policy
source.workload.namestringSource workload name.istio-policy
source.workload.namespacestringSource workload namespace.istio-system
destination.uidstringPlatform-specific unique identifier for the server instance.kubernetes://my-svc-234443-5sffe.my-namespace
destination.ipip_addressServer IP address.10.0.0.104
destination.portint64The recipient port on the server IP address.8080
destination.labelsmap[string, string]A map of key-value pairs attached to the server instance.version => v2
destination.namestringDestination workload instance name.istio-telemetry-2359333
destination.namespacestringDestination workload instance namespace.istio-system
destination.principalstringAuthority under which the destination workload instance is running.service-account
destination.ownerstringReference to the workload controlling the destination workload instance.kubernetes://apis/extensions/v1beta1/namespaces/istio-system/deployments/istio-telemetry
destination.workload.uidstringUnique identifier of the destination workload.istio://istio-system/workloads/istio-telemetry
destination.workload.namestringDestination workload name.istio-telemetry
destination.workload.namespacestringDestination workload namespace.istio-system
destination.container.namestringName of the destination workload instance’s container.mixer
destination.container.imagestringImage of the destination workload instance’s container.gcr.io/istio-testing/mixer:0.8.0
destination.service.hoststringDestination host address.istio-telemetry.istio-system.svc.cluster.local
destination.service.uidstringUnique identifier of the destination service.istio://istio-system/services/istio-telemetry
destination.service.namestringDestination service name.istio-telemetry
destination.service.namespacestringDestination service namespace.istio-system
origin.ipip_addressIP address of the proxy client, e.g. origin for the ingress proxies.127.0.0.1
request.headersmap[string, string]HTTP request headers with lowercase keys. For gRPC, its metadata will be here.
request.idstringAn ID for the request with statistically low probability of collision.
request.pathstringThe HTTP URL path including query string
request.url_pathstringThe path part of HTTP URL, with query string being stripped
request.query_paramsmap[string, string]A map of query parameters extracted from the HTTP URL.
request.hoststringHTTP/1.x host header or HTTP/2 authority header.redis-master:3337
request.methodstringThe HTTP method.
request.reasonstringThe request reason used by auditing systems.
request.refererstringThe HTTP referer header.
request.schemestringURI Scheme of the request
request.sizeint64Size of the request in bytes. For HTTP requests this is equivalent to the Content-Length header.
request.total_sizeint64Total size of HTTP request in bytes, including request headers, body and trailers.
request.timetimestampThe timestamp when the destination receives the request. This should be equivalent to Firebase “now”.
request.useragentstringThe HTTP User-Agent header.
response.headersmap[string, string]HTTP response headers with lowercase keys.
response.sizeint64Size of the response body in bytes
response.total_sizeint64Total size of HTTP response in bytes, including response headers and body.
response.timetimestampThe timestamp when the destination produced the response.
response.durationdurationThe amount of time the response took to generate.
response.codeint64The response’s HTTP status code.
response.grpc_statusstringThe response’s gRPC status.
response.grpc_messagestringThe response’s gRPC status message.
connection.idstringAn ID for a TCP connection with statistically low probability of collision.
connection.eventstringStatus of a TCP connection, its value is one of “open”, “continue” and “close”.
connection.received.bytesint64Number of bytes received by a destination service on a connection since the last Report() for a connection.
connection.received.bytes_totalint64Total number of bytes received by a destination service during the lifetime of a connection.
connection.sent.bytesint64Number of bytes sent by a destination service on a connection since the last Report() for a connection.
connection.sent.bytes_totalint64Total number of bytes sent by a destination service during the lifetime of a connection.
connection.durationdurationThe total amount of time a connection has been open.
connection.mtlsbooleanIndicates whether a request is received over a mutual TLS enabled downstream connection.
connection.requested_server_namestringThe requested server name (SNI) of the connection
context.protocolstringProtocol of the request or connection being proxied.tcp
context.timetimestampThe timestamp of Mixer operation.
context.reporter.kindstringContextualizes the reported attribute set. Set to inbound for the server-side calls from sidecars and outbound for the client-side calls from sidecars and gatewaysinbound
context.reporter.uidstringPlatform-specific identifier of the attribute reporter.kubernetes://my-svc-234443-5sffe.my-namespace
context.proxy_error_codestringAdditional details about the response or connection from proxy. In case of Envoy, see %RESPONSE_FLAGS% in Envoy Access Log for more detailUH
api.servicestringThe public service name. This is different than the in-mesh service identity and reflects the name of the service exposed to the client.my-svc.com
api.versionstringThe API version.v1alpha1
api.operationstringUnique string used to identify the operation. The id is unique among all operations described in a specific <service, version>.getPetsById
api.protocolstringThe protocol type of the API call. Mainly for monitoring/analytics. Note that this is the frontend protocol exposed to the client, not the protocol implemented by the backend service.http, https, or grpc
request.auth.principalstringThe authenticated principal of the request. This is a string of the issuer (iss) and subject (sub) claims within a JWT concatenated with “/” with a percent-encoded subject value. This attribute may come from the peer or the origin in the Istio authentication policy, depending on the binding rule defined in the Istio authentication policy.issuer@foo.com/sub@foo.com
request.auth.audiencesstringThe intended audience(s) for this authentication information. This should reflect the audience (aud) claim within a JWT.aud1
request.auth.presenterstringThe authorized presenter of the credential. This value should reflect the optional Authorized Presenter (azp) claim within a JWT or the OAuth2 client id.123456789012.my-svc.com
request.auth.claimsmap[string, string]all raw string claims from the origin JWTiss: issuer@foo.com, sub: sub@foo.com, aud: aud1
request.api_keystringThe API key used for the request.abcde12345
check.error_codeint64The error code for Mixer Check call.5
check.error_messagestringThe error message for Mixer Check call.Could not find the resource
check.cache_hitbooleanIndicates whether Mixer check call hits local cache.
quota.cache_hitbooleanIndicates whether Mixer quota call hits local cache.

Timestamp and duration attributes format

Timestamp attributes are represented in the RFC 3339 format. When operating with timestamp attributes, you can use the timestamp function defined in CEXL to convert a textual timestamp in RFC 3339 format into the TIMESTAMP type, for example: request.time | timestamp("2018-01-01T22:08:41+00:00"), response.time > timestamp("2020-02-29T00:00:00-08:00").

Duration attributes represent an amount of time, expressed as a series of decimal numbers with an optional fractional part denoted with a period, and a unit value. The possible unit values are ns for nanoseconds, us (or µs) for microseconds, ms for milliseconds, s for seconds, m for minutes, h for hours. For example:

  • 1ms represents 1 millisecond
  • 2.3s represents 2.3 seconds
  • 4m represents 4 minutes
  • 5h10m represents 5 hours and 10 minutes
Esta informação foi útil?
Você tem alguma sugestão de melhoria?

Obrigado pelo seu feedback!