CLUSTER_ID | String | Kubernetes | Defines the cluster and service registry that this Istiod instance is belongs to |
ENABLE_ADMIN_ENDPOINTS | Boolean | false | If this is set to true, dangerous admin endpoins will be exposed on the debug interface. Not recommended for production. |
ENABLE_CA_SERVER | Boolean | true | If this is set to false, will not create CA server in istiod. |
ENABLE_DEBUG_ON_HTTP | Boolean | true | If this is set to false, the debug interface will not be ebabled on Http, recommended for production |
ENABLE_LEGACY_FSGROUP_INJECTION | Boolean | true | If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is "first-party-jwt". |
ENABLE_WASM_TELEMETRY | Boolean | false | If enabled, Wasm-based telemetry will be enabled. |
EXTERNAL_ISTIOD | Boolean | false | If this is set to true, one Istiod will control remote clusters including CA. |
INJECTION_WEBHOOK_CONFIG_NAME | String | istio-sidecar-injector | Name of the mutatingwebhookconfiguration to patch, if istioctl is not used. |
ISTIOD_CUSTOM_HOST | String |
| Custom host name of istiod that istiod signs the server cert. |
ISTIOD_ENABLE_SDS_SERVER | Boolean | true | If enabled, Istiod will serve SDS for credentialName secrets (rather than in-proxy). To ensure proper security, PILOT_ENABLE_XDS_IDENTITY_CHECK=true is required as well. |
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSION | Boolean | true | If enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file. |
ISTIO_DEFAULT_REQUEST_TIMEOUT | Time Duration | 0s | Default Http and gRPC Request timeout |
ISTIO_GPRC_MAXRECVMSGSIZE | Integer | 4194304 | Sets the max receive buffer size of gRPC stream in bytes. |
ISTIO_GPRC_MAXSTREAMS | Integer | 100000 | Sets the maximum number of concurrent grpc streams. |
JWT_POLICY | String | third-party-jwt | The JWT validation policy. |
K8S_INGRESS_NS | String |
| |
KUBERNETES_SERVICE_HOST | String |
| Kuberenetes service host, set automatically when running in-cluster |
PILOT_ALLOW_METADATA_CERTS_DR_MUTUAL_TLS | Boolean | false | If true, Pilot will allow certs specified in Metadata to override DR certs in MUTUAL TLS mode. This is only enabled for migration and will be removed soon. |
PILOT_CERT_PROVIDER | String | istiod | The provider of Pilot DNS certificate. |
PILOT_DEBOUNCE_AFTER | Time Duration | 100ms | The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX. |
PILOT_DEBOUNCE_MAX | Time Duration | 10s | The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push. |
PILOT_DISTRIBUTION_HISTORY_RETENTION | Time Duration | 1m0s | If enabled, Pilot will keep track of old versions of distributed config for this duration. |
PILOT_ENABLED_SERVICE_APIS | Boolean | false | If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default. |
PILOT_ENABLE_ANALYSIS | Boolean | false | If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources |
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING | Boolean | true | If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface. |
PILOT_ENABLE_CRD_VALIDATION | Boolean | false | If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed. |
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY | Boolean | false | If enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster. |
PILOT_ENABLE_DESTINATION_RULE_INHERITANCE | Boolean | false | If set, workload specific DestinationRules will inherit configurations settings from mesh and namespace level rules |
PILOT_ENABLE_EDS_DEBOUNCE | Boolean | true | If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled |
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES | Boolean | false | If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar. |
PILOT_ENABLE_FLOW_CONTROL | Boolean | false | If enabled, pilot will wait for the completion of a receive operation beforeexecuting a push operation. This is a form of flow control and is useful inenvironments with high rates of push requests to each gateway. By default,this is false. |
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS | Boolean | true | If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
PILOT_ENABLE_ISTIO_TAGS | Boolean | true | Determines whether or not trace spans generated by Envoy will include Istio-specific tags. |
PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES | Boolean | true | If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don't need this feature |
PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH | Boolean | false | If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future. |
PILOT_ENABLE_LOOP_BLOCKER | Boolean | true | If enabled, Envoy will be configured to prevent traffic directly the the inbound/outbound ports (15001/15006). This prevents traffic loops. This option will be removed, and considered always enabled, in 1.9. |
PILOT_ENABLE_MYSQL_FILTER | Boolean | false | EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain. |
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND | Boolean | true | If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported |
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND | Boolean | true | If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported |
PILOT_ENABLE_REDIS_FILTER | Boolean | false | EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain. |
PILOT_ENABLE_SERVICEENTRY_SELECT_PODS | Boolean | true | If enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature |
PILOT_ENABLE_STATUS | Boolean | false | If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status. |
PILOT_ENABLE_THRIFT_FILTER | Boolean | false | EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain. |
PILOT_ENABLE_UNSAFE_RUNTIME_ASSERTIONS | Boolean | false | If enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing. |
PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE | Boolean | true | If set to false, virtualService delegate will not be supported. |
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION | Boolean | false | Enables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload. |
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKS | Boolean | false | Enables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup |
PILOT_ENABLE_XDS_CACHE | Boolean | true | If true, Pilot will cache XDS responses. |
PILOT_ENABLE_XDS_IDENTITY_CHECK | Boolean | true | If enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for. |
PILOT_ENDPOINT_TELEMETRY_LABEL | Boolean | true | If true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter. |
PILOT_FILTER_GATEWAY_CLUSTER_CONFIG | Boolean | false | |
PILOT_FLOW_CONTROL_TIMEOUT | Time Duration | 15s | If set, the max amount of time to delay a push by. Depends on PILOT_ENABLE_FLOW_CONTROL. |
PILOT_HTTP10 | Boolean | false | Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications. |
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT | Time Duration | 1s | Protocol detection timeout for inbound listener |
PILOT_INITIAL_FETCH_TIMEOUT | Time Duration | 0s | Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup. |
PILOT_PUSH_THROTTLE | Integer | 100 | Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes |
PILOT_REMOTE_CLUSTER_TIMEOUT | Time Duration | 30s | After this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior. |
PILOT_SCOPE_GATEWAY_TO_NAMESPACE | Boolean | false | If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable. |
PILOT_SIDECAR_ENABLE_INBOUND_TLS_V2 | Boolean | true | If true, Pilot will set the TLS version on server side as TLSv1_2 and also enforce strong cipher suites |
PILOT_SIDECAR_USE_REMOTE_ADDRESS | Boolean | false | UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners. |
PILOT_SKIP_VALIDATE_TRUST_DOMAIN | Boolean | false | Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy |
PILOT_STATUS_BURST | Integer | 500 | If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst |
PILOT_STATUS_MAX_WORKERS | Integer | 100 | The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments. |
PILOT_STATUS_QPS | Floating-Point | 100 | If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS |
PILOT_TRACE_SAMPLING | Floating-Point | 1 | Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0. |
PILOT_USE_ENDPOINT_SLICE | Boolean | false | If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used |
PILOT_WORKLOAD_ENTRY_GRACE_PERIOD | Time Duration | 10s | The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up. |
PILOT_XDS_CACHE_SIZE | Integer | 20000 | The maximum number of cache entries for the XDS cache. |
PILOT_XDS_CACHE_STATS | Boolean | false | If true, Pilot will collect metrics for XDS cache efficiency. |
PILOT_XDS_SEND_TIMEOUT | Time Duration | 5s | The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push. |
POD_NAME | String |
| |
REQUIRE_3P_TOKEN | Boolean | false | Reject k8s default tokens, without audience. If false, default K8S token will be accepted |
SPIFFE_BUNDLE_ENDPOINTS | String |
| The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar |
TERMINATION_DRAIN_DURATION_SECONDS | Integer | 5 | The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes. |
TOKEN_AUDIENCES | String | istio-ca | A list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences |
XDS_AUTH | Boolean | true | If true, will authenticate XDS clients. |