pilot-agent
Istio Pilot agent runs in the sidecar or gateway container and bootstraps Envoy.
| Flags | Description |
|---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
pilot-agent istio-clean-iptables
Script responsible for cleaning up iptables rules
pilot-agent istio-clean-iptables [flags]
| Flags | Shorthand | Description |
|---|---|---|
--dry-run | -n | Do not call any external dependencies like iptables |
--log_as_json | Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] (default ``) | |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> | The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
pilot-agent istio-iptables
Script responsible for setting up port forwarding for Istio sidecar.
pilot-agent istio-iptables [flags]
| Flags | Shorthand | Description |
|---|---|---|
--dry-run | -n | Do not call any external dependencies like iptables |
--envoy-port <string> | -p | Specify the envoy port to which redirect all TCP traffic (default $ENVOY_PORT = 15001) (default ``) |
--inbound-capture-port <string> | -z | Port to which all inbound TCP traffic to the pod/VM should be redirected to (default $INBOUND_CAPTURE_PORT = 15006) (default ``) |
--inbound-tunnel-port <string> | -e | Specify the istio tunnel port for inbound tcp traffic (default $INBOUND_TUNNEL_PORT = 15008) (default ``) |
--iptables-probe-port <string> | set listen port for failure detection (default `15002`) | |
--istio-inbound-interception-mode <string> | -m | The mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY" (default ``) |
--istio-inbound-ports <string> | -b | Comma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). The wildcard character "*" can be used to configure redirection for all ports. An empty list will disable (default ``) |
--istio-inbound-tproxy-mark <string> | -t | (default ``) |
--istio-inbound-tproxy-route-table <string> | -r | (default ``) |
--istio-local-exclude-ports <string> | -d | Comma separated list of inbound ports to be excluded from redirection to Envoy (optional). Only applies when all inbound traffic (i.e. "*") is being redirected (default to $ISTIO_LOCAL_EXCLUDE_PORTS) (default ``) |
--istio-local-outbound-ports-exclude <string> | -o | Comma separated list of outbound ports to be excluded from redirection to Envoy (default ``) |
--istio-outbound-ports <string> | -q | Comma separated list of outbound ports to be explicitly included for redirection to Envoy (default ``) |
--istio-service-cidr <string> | -i | Comma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard character "*" can be used to redirect all outbound traffic. An empty list will disable all outbound (default ``) |
--istio-service-exclude-cidr <string> | -x | Comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. "*") is being redirected (default to $ISTIO_SERVICE_EXCLUDE_CIDR) (default ``) |
--kube-virt-interfaces <string> | -k | Comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound (default ``) |
--log_as_json | Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] (default ``) | |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> | The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--probe-timeout <duration> | failure detection timeout (default `5s`) | |
--proxy-gid <string> | -g | Specify the GID of the user for which the redirection is not applied. (same default value as -u param) (default ``) |
--proxy-uid <string> | -u | Specify the UID of the user for which the redirection is not applied. Typically, this is the UID of the proxy container (default ``) |
--restore-format | -f | Print iptables rules in iptables-restore interpretable format |
--run-validation | Validate iptables | |
--skip-rule-apply | Skip iptables apply |
pilot-agent proxy
Envoy proxy agent
pilot-agent proxy [flags]
| Flags | Description |
|---|---|
--concurrency <int> | number of worker threads to run (default `0`) |
--disableInternalTelemetry | Disable internal telemetry |
--domain <string> | DNS domain suffix. If not provided uses ${POD_NAMESPACE}.svc.cluster.local (default ``) |
--id <string> | Proxy unique ID. If not provided uses ${POD_NAME}.${POD_NAMESPACE} from environment variables (default ``) |
--ip <string> | Proxy IP address. If not provided uses ${INSTANCE_IP} environment variable. (default ``) |
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--meshConfig <string> | File name for Istio mesh configuration. If not specified, a default mesh will be used. This may be overridden by PROXY_CONFIG environment variable or proxy.istio.io/config annotation. (default `./etc/istio/config/mesh`) |
--mixerIdentity <string> | The identity used as the suffix for mixer's spiffe SAN. This would only be used by pilot all other proxy would get this value from pilot (default ``) |
--outlierLogPath <string> | The log path for outlier detection (default ``) |
--proxyComponentLogLevel <string> | The component log level used to start the Envoy proxy (default `misc:error`) |
--proxyLogLevel <string> | The log level used to start the Envoy proxy (choose from {trace, debug, info, warning, error, critical, off}) (default `warning`) |
--serviceCluster <string> | Service cluster (default `istio-proxy`) |
--serviceregistry <string> | Select the platform for service registry, options are {Kubernetes, Consul, Mock} (default `Kubernetes`) |
--stsPort <int> | HTTP Port on which to serve Security Token Service (STS). If zero, STS service will not be provided. (default `0`) |
--templateFile <string> | Go template bootstrap config (default ``) |
--tokenManagerPlugin <string> | Token provider specific plugin name. (default `GoogleTokenExchange`) |
--trust-domain <string> | The domain to use for identities (default ``) |
pilot-agent request
Makes an HTTP request to the Envoy admin API
pilot-agent request <method> <path> [<body>] [flags]
| Flags | Description |
|---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
pilot-agent version
Prints out build version information
pilot-agent version [flags]
| Flags | Shorthand | Description |
|---|---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] (default ``) | |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> | The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--output <string> | -o | One of 'yaml' or 'json'. (default ``) |
--short | -s | Use --short=false to generate full version information |
pilot-agent wait
Waits until the Envoy proxy is ready
pilot-agent wait [flags]
| Flags | Description |
|---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, gcecred, googleca, mockcred, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation, validationController] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--periodMillis <int> | number of milliseconds to wait between attempts (default `500`) |
--requestTimeoutMillis <int> | number of milliseconds to wait for response (default `500`) |
--timeoutSeconds <int> | maximum number of seconds to wait for Envoy to be ready (default `60`) |
--url <string> | URL to use in requests (default `http://localhost:15021/healthz/ready`) |
Environment variables
These environment variables affect the behavior of thepilot-agent command.| Variable Name | Type | Default Value | Description |
|---|---|---|---|
CA_ADDR | String | | Address of the spiffee certificate provider. Defaults to discoveryAddress |
CA_PROVIDER | String | Citadel | name of authentication provider |
CENTRAL_ISTIOD | Boolean | false | If this is set to true, one Istiod will control remote clusters including CA. |
CLUSTER_ID | String | Kubernetes | Defines the cluster and service registry that this Istiod instance is belongs to |
CREDENTIAL_FETCHER_TYPE | String | | The type of the credential fetcher. Currently supported types include GoogleComputeEngine |
DNS_ADDR | String | :15053 | DNS listen address |
DNS_AGENT | String | | If set, enable the capture of outgoing DNS packets on port 53, redirecting to istio-agent on :15053 |
DNS_SERVER | String | | Protocol and DNS server to use. Currently only tcp-tls: is supported. |
ECC_SIGNATURE_ALGORITHM | String | | The type of ECC signature algorithm to use when generating private keys |
ENABLE_CA_SERVER | Boolean | true | If this is set to false, will not create CA server in istiod. |
ENABLE_INGRESS_GATEWAY_SDS | Boolean | false | Enable provisioning gateway secrets. Requires Secret read permission |
ENVOY_READINESS_CHECK_TIMEOUT | Time Duration | 5s | |
ENVOY_USER | String | istio-proxy | Envoy proxy username |
FILE_MOUNTED_CERTS | Boolean | false | |
GCP_METADATA | String | | Pipe separted GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE |
GKE_CLUSTER_URL | String | | The url of GKE cluster |
INGRESS_GATEWAY_NAMESPACE | String | | |
INITIAL_BACKOFF_MSEC | Integer | 0 | |
INJECTION_WEBHOOK_CONFIG_NAME | String | istio-sidecar-injector | Name of the mutatingwebhookconfiguration to patch, if istioctl is not used. |
INSTANCE_IP | String | | |
ISTIOD_CUSTOM_HOST | String | | Custom host name of istiod that istiod signs the server cert. |
ISTIO_BOOTSTRAP | String | | |
ISTIO_BOOTSTRAP_OVERRIDE | String | | |
ISTIO_DEFAULT_REQUEST_TIMEOUT | Time Duration | 0s | Default Http and gRPC Request timeout |
ISTIO_GPRC_MAXRECVMSGSIZE | Integer | 4194304 | Sets the max receive buffer size of gRPC stream in bytes. |
ISTIO_GPRC_MAXSTREAMS | Integer | 100000 | Sets the maximum number of concurrent grpc streams. |
ISTIO_KUBE_APP_PROBERS | String | | |
ISTIO_META_CLUSTER_ID | String | | |
ISTIO_META_DNS_CAPTURE | String | | If set, enable the capture of outgoing DNS packets on port 53, redirecting to envoy on :15013 |
ISTIO_NAMESPACE | String | | |
ISTIO_PROMETHEUS_ANNOTATIONS | String | | |
JWT_POLICY | String | third-party-jwt | The JWT validation policy. |
OUTPUT_CERTS | String | | The output directory for the key and certificate. If empty, key and certificate will not be saved. Must be set for VMs using provisioning certificates. |
PILOT_CERT_PROVIDER | String | istiod | the provider of Pilot DNS certificate. |
PILOT_DEBOUNCE_AFTER | Time Duration | 100ms | The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX. |
PILOT_DEBOUNCE_MAX | Time Duration | 10s | The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push. |
PILOT_DEBUG_ADSZ_CONFIG | Boolean | false | |
PILOT_DISTRIBUTION_HISTORY_RETENTION | Time Duration | 1m0s | If enabled, Pilot will keep track of old versions of distributed config for this duration. |
PILOT_ENABLED_SERVICE_APIS | Boolean | false | If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default. |
PILOT_ENABLE_ANALYSIS | Boolean | false | If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources |
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING | Boolean | true | If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface. |
PILOT_ENABLE_CRD_VALIDATION | Boolean | false | If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed. |
PILOT_ENABLE_EDS_DEBOUNCE | Boolean | true | If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled |
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES | Boolean | false | If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar. |
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS | Boolean | true | If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
PILOT_ENABLE_INCREMENTAL_MCP | Boolean | false | If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false. |
PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES | Boolean | true | If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don't need this feature |
PILOT_ENABLE_MYSQL_FILTER | Boolean | false | EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain. |
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND | Boolean | true | If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported |
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND | Boolean | true | If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported |
PILOT_ENABLE_REDIS_FILTER | Boolean | false | EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain. |
PILOT_ENABLE_SERVICEENTRY_SELECT_PODS | Boolean | true | If enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature |
PILOT_ENABLE_STATUS | Boolean | false | If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status. |
PILOT_ENABLE_TCP_METADATA_EXCHANGE | Boolean | true | If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy |
PILOT_ENABLE_THRIFT_FILTER | Boolean | false | EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain. |
PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE | Boolean | false | If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored |
PILOT_FILTER_GATEWAY_CLUSTER_CONFIG | Boolean | false | |
PILOT_HTTP10 | Boolean | false | Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications. |
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT | Time Duration | 1s | Protocol detection timeout for inbound listener |
PILOT_INITIAL_FETCH_TIMEOUT | Time Duration | 0s | Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup. |
PILOT_PUSH_THROTTLE | Integer | 100 | Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes |
PILOT_SCOPE_GATEWAY_TO_NAMESPACE | Boolean | false | If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable. |
PILOT_SIDECAR_USE_REMOTE_ADDRESS | Boolean | false | UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners. |
PILOT_SKIP_VALIDATE_TRUST_DOMAIN | Boolean | false | Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy |
PILOT_STATUS_BURST | Integer | 500 | If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst |
PILOT_STATUS_QPS | Floating-Point | 100 | If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS |
PILOT_TRACE_SAMPLING | Floating-Point | 100 | Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use. |
PILOT_USE_ENDPOINT_SLICE | Boolean | false | If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used |
PKCS8_KEY | Boolean | false | Whether to generate PKCS#8 private keys |
PLUGINS | String | | Token exchange plugins |
POD_NAME | String | | |
POD_NAMESPACE | String | | |
PROV_CERT | String | | Set to a directory containing provisioned certs, for VMs |
PROXY_CONFIG | String | | The proxy configuration. This will be set by the injection - gateways will use file mounts. |
SECRET_GRACE_PERIOD_RATIO | Floating-Point | 0.5 | The grace period ratio for the cert rotation, by default 0.5. |
SECRET_ROTATION_CHECK_INTERVAL | Time Duration | 5m0s | The ticker to detect and rotate the certificates, by default 5 minutes |
SECRET_TTL | Time Duration | 24h0m0s | The cert lifetime requested by istio agent |
SECRET_WATCHER_RESYNC_PERIOD | String | | |
SKIP_PARSE_TOKEN | Boolean | false | Skip Parse token to inspect information like expiration time in proxy. This may be possible for example in vm we don't use token to rotate cert. |
SPIFFE_BUNDLE_ENDPOINTS | String | | The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar |
STALED_CONNECTION_RECYCLE_RUN_INTERVAL | Time Duration | 5m0s | The ticker to detect and close stale connections |
TERMINATION_DRAIN_DURATION_SECONDS | Integer | 5 | The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes. |
TRUST_DOMAIN | String | | The trust domain for spiffe certificates |
USE_TOKEN_FOR_CSR | Boolean | false | CSR requires a token |
XDS_AUTH | Boolean | true | If true, will authenticate XDS clients. |
XDS_LOCAL | String | | Address for a local XDS proxy. If empty, the proxy is disabled |
XDS_SAVE | String | | If set, the XDS proxy will save a snapshot of the received config |
XDS_UPSTREAM | String | | Address for upstream XDS server. If not set, discoveryAddress is used |
Exported metrics
| Metric Name | Type | Description |
|---|---|---|
endpoint_no_pod | LastValue | Endpoints without an associated pod. |
galley_validation_config_delete_error | Count | k8s webhook configuration delete error |
galley_validation_config_load | Count | k8s webhook configuration (re)loads |
galley_validation_config_load_error | Count | k8s webhook configuration (re)load error |
galley_validation_config_update_error | Count | k8s webhook configuration update error |
galley_validation_config_updates | Count | k8s webhook configuration updates |
istio_build | LastValue | Istio component build info |
num_failed_outgoing_requests | Sum | Number of failed outgoing requests (e.g. to a token exchange server, CA, etc.) |
num_outgoing_requests | Sum | Number of total outgoing requests (e.g. to a token exchange server, CA, etc.) |
num_outgoing_retries | Sum | Number of outgoing retry requests (e.g. to a token exchange server, CA, etc.) |
outgoing_latency | Sum | The latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds. |
pilot_conflict_inbound_listener | LastValue | Number of conflicting inbound listeners. |
pilot_conflict_outbound_listener_http_over_current_tcp | LastValue | Number of conflicting wildcard http listeners with current wildcard tcp listener. |
pilot_conflict_outbound_listener_tcp_over_current_http | LastValue | Number of conflicting wildcard tcp listeners with current wildcard http listener. |
pilot_conflict_outbound_listener_tcp_over_current_tcp | LastValue | Number of conflicting tcp listeners with current tcp listener. |
pilot_destrule_subsets | LastValue | Duplicate subsets across destination rules for same host |
pilot_duplicate_envoy_clusters | LastValue | Duplicate envoy clusters caused by service entries with same hostname |
pilot_eds_no_instances | LastValue | Number of clusters without instances. |
pilot_endpoint_not_ready | LastValue | Endpoint found in unready state. |
pilot_inbound_updates | Sum | Total number of updates received by pilot. |
pilot_invalid_out_listeners | LastValue | Number of invalid outbound listeners. |
pilot_jwks_resolver_network_fetch_fail_total | Sum | Total number of failed network fetch by pilot jwks resolver |
pilot_jwks_resolver_network_fetch_success_total | Sum | Total number of successfully network fetch by pilot jwks resolver |
pilot_k8s_endpoints_pending_pod | LastValue | Number of endpoints that do not currently have any corresponding pods. |
pilot_k8s_endpoints_with_no_pods | Sum | Endpoints that does not have any corresponding pods. |
pilot_k8s_reg_events | Sum | Events from k8s registry. |
pilot_no_ip | LastValue | Pods not found in the endpoint table, possibly invalid. |
pilot_proxy_convergence_time | Distribution | Delay in seconds between config change and a proxy receiving all required configuration. |
pilot_proxy_queue_time | Distribution | Time in seconds, a proxy is in the push queue before being dequeued. |
pilot_push_triggers | Sum | Total number of times a push was triggered, labeled by reason for the push. |
pilot_services | LastValue | Total services known to pilot. |
pilot_total_rejected_configs | Sum | Total number of configs that Pilot had to reject or ignore. |
pilot_total_xds_internal_errors | Sum | Total number of internal XDS errors in pilot. |
pilot_total_xds_rejects | Sum | Total number of XDS responses from pilot rejected by proxy. |
pilot_virt_services | LastValue | Total virtual services known to pilot. |
pilot_vservice_dup_domain | LastValue | Virtual services with dup domains. |
pilot_xds | LastValue | Number of endpoints connected to this pilot using XDS. |
pilot_xds_cds_reject | LastValue | Pilot rejected CDS configs. |
pilot_xds_eds_reject | LastValue | Pilot rejected EDS. |
pilot_xds_expired_nonce | Sum | Total number of XDS requests with an expired nonce. |
pilot_xds_lds_reject | LastValue | Pilot rejected LDS. |
pilot_xds_push_context_errors | Sum | Number of errors (timeouts) initiating push context. |
pilot_xds_push_time | Distribution | Total time in seconds Pilot takes to push lds, rds, cds and eds. |
pilot_xds_pushes | Sum | Pilot build and send errors for lds, rds, cds and eds. |
pilot_xds_rds_reject | LastValue | Pilot rejected RDS. |
pilot_xds_write_timeout | Sum | Pilot XDS response write timeouts. |
scrape_failures_total | Sum | The total number of failed scrapes. |
scrapes_total | Sum | The total number of scrapes. |
sidecar_injection_failure_total | Sum | Total number of failed sidecar injection requests. |
sidecar_injection_requests_total | Sum | Total number of sidecar injection requests. |
sidecar_injection_skip_total | Sum | Total number of skipped sidecar injection requests. |
sidecar_injection_success_total | Sum | Total number of successful sidecar injection requests. |
total_active_connections | Sum | The total number of active SDS connections. |
total_push_errors | Sum | The total number of failed SDS pushes. |
total_pushes | Sum | The total number of SDS pushes. |
total_secret_update_failures | Sum | The total number of dynamic secret update failures reported by proxy. |
total_stale_connections | Sum | The total number of stale SDS connections. |