Istio Pilot provides fleet-wide traffic management capabilities in the Istio Service Mesh.

--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-discovery completion

Generate the autocompletion script for pilot-discovery for the specified shell. See each sub-command's help for details on how to use the generated script.

--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-discovery completion bash

Generate the autocompletion script for the bash shell.

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

source <(pilot-discovery completion bash)

To load completions for every new session, execute once:

#### Linux:

pilot-discovery completion bash > /etc/bash_completion.d/pilot-discovery

#### macOS:

pilot-discovery completion bash > /usr/local/etc/bash_completion.d/pilot-discovery

You will need to start a new shell for this setup to take effect.

pilot-discovery completion bash
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-discovery completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

pilot-discovery completion fish | source

To load completions for every new session, execute once:

pilot-discovery completion fish > ~/.config/fish/completions/pilot-discovery.fish

You will need to start a new shell for this setup to take effect.

pilot-discovery completion fish [flags]
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-discovery completion powershell

Generate the autocompletion script for powershell.

To load completions in your current shell session:

pilot-discovery completion powershell | Out-String | Invoke-Expression

To load completions for every new session, add the output of the above command to your powershell profile.

pilot-discovery completion powershell [flags]
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-discovery completion zsh

Generate the autocompletion script for the zsh shell.

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

echo "autoload -U compinit; compinit" >> ~/.zshrc

To load completions for every new session, execute once:

#### Linux:

pilot-discovery completion zsh > "${fpath[1]}/_pilot-discovery"

#### macOS:

pilot-discovery completion zsh > /usr/local/share/zsh/site-functions/_pilot-discovery

You will need to start a new shell for this setup to take effect.

pilot-discovery completion zsh [flags]
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-discovery discovery

Start Istio proxy discovery service.

pilot-discovery discovery [flags]
--caCertFile <string>File containing the x509 Server CA Certificate (default ``)
--clusterAliases <stringToString>Alias names for clusters (default `[]`)
--clusterID <string>The ID of the cluster that this Istiod instance resides (default `Kubernetes`)
--clusterRegistriesNamespace <string>Namespace for ConfigMap which stores clusters configs (default `istio-system`)
--configDir <string>Directory to watch for updates to config yaml files. If specified, the files will be used as the source of config, rather than a CRD client. (default ``)
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--domain <string>DNS domain suffix (default `cluster.local`)
--grpcAddr <string>Discovery service gRPC address (default `:15010`)
--httpAddr <string>Discovery service HTTP address (default `:8080`)
--httpsAddr <string>Injection and validation service HTTPS address (default `:15017`)
--keepaliveInterval <duration>The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`)
--keepaliveMaxServerConnectionAge <duration>Maximum duration a connection will be kept open on the server before a graceful close. (default `2562047h47m16.854775807s`)
--keepaliveTimeout <duration>After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default `10s`)
--kubeconfig <string>Use a Kubernetes configuration file instead of in-cluster configuration (default ``)
--kubernetesApiBurst <int>Maximum burst for throttle when communicating with the kubernetes API (default `160`)
--kubernetesApiQPS <float32>Maximum QPS when communicating with the kubernetes API (default `80`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitor, pkica, pkira, processing, proxyconfig, retry, rootcertrotator, secretcontroller, serverca, serviceentry, spiffe, status, telemetry, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitor, pkica, pkira, processing, proxyconfig, retry, rootcertrotator, secretcontroller, serverca, serviceentry, spiffe, status, telemetry, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitor, pkica, pkira, processing, proxyconfig, retry, rootcertrotator, secretcontroller, serverca, serviceentry, spiffe, status, telemetry, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfig <string>File name for Istio mesh configuration. If not specified, a default mesh will be used. (default `./etc/istio/config/mesh`)
--monitoringAddr <string>HTTP address to use for pilot's self-monitoring information (default `:15014`)
--namespace <string>-nSelect a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable (default `istio-system`)
--networksConfig <string>File name for Istio mesh networks configuration. If not specified, a default mesh networks will be used. (default `./etc/istio/config/meshNetworks`)
--profileEnable profiling via web interface host:port/debug/pprof
--registries <stringSlice>Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Mock}) (default `[Kubernetes]`)
--secureGRPCAddr <string>Discovery service secured gRPC address (default `:15012`)
--shutdownDuration <duration>Duration the discovery server needs to terminate gracefully (default `10s`)
--tlsCertFile <string>File containing the x509 Server Certificate (default ``)
--tlsKeyFile <string>File containing the x509 private key matching --tlsCertFile (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-discovery request

Makes an HTTP request to Pilot metrics/debug endpoint

pilot-discovery request <method> <path> [<body>] [flags]
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

pilot-discovery version

Prints out build version information

pilot-discovery version [flags]
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)

Environment variables

These environment variables affect the behavior of the pilot-discovery command. Please use with caution as these environment variables are experimental and can change anytime.
Variable NameTypeDefault ValueDescription
AUDIENCEStringExpected audience in the tokens.
AUTO_RELOAD_PLUGIN_CERTSBooleanfalseIf enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.
CERT_SIGNER_DOMAINStringThe cert signer domain info
CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATORBooleantrueIf true, set up a jitter to start root cert rotator. Jitter selects a backoff time in seconds to start root cert rotator, and the back off time is below root cert check interval.
CITADEL_SELF_SIGNED_CA_CERT_TTLTime Duration87600h0m0sThe TTL of self-signed CA root certificate.
CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZEInteger2048Specify the RSA key size to use for self-signed Istio CA certificates.
CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVALTime Duration1h0m0sThe interval that self-signed CA checks its root certificate expiration time and rotates root certificate. Setting this interval to zero or a negative value disables automated root cert check and rotation. This interval is suggested to be larger than 10 minutes.
CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILEInteger20Grace period percentile for self-signed root cert.
CLOUD_PLATFORMStringCloud Platform on which proxy is running, if not specified, Istio will try to discover the platform. Valid platform values are aws, azure, gcp, none
CLUSTER_IDStringKubernetesDefines the cluster and service registry that this Istiod instance is belongs to
DEFAULT_WORKLOAD_CERT_TTLTime Duration24h0m0sThe default TTL of issued workload certificates. Applied when the client sets a non-positive TTL in the CSR.
ENABLE_AUTO_MTLS_CHECK_POLICIESBooleantrueEnable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.
ENABLE_AUTO_SNIBooleanfalseIf enabled, automatically set SNI when `DestinationRules` do not specify the same
ENABLE_CA_SERVERBooleantrueIf this is set to false, will not create CA server in istiod.
ENABLE_DEBUG_ON_HTTPBooleantrueIf this is set to false, the debug interface will not be enabled, recommended for production
ENABLE_LEGACY_FSGROUP_INJECTIONBooleantrueIf true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is "first-party-jwt".
ENABLE_LEGACY_LB_ALGORITHM_DEFAULTBooleanfalseIf enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.
ENABLE_MCS_AUTO_EXPORTBooleanfalseIf enabled, istiod will automatically generate Kubernetes Multi-Cluster Services (MCS) ServiceExport resources for every service in the mesh. Services defined to be cluster-local in MeshConfig are excluded.
ENABLE_MCS_CLUSTER_LOCALBooleanfalseIf enabled, istiod will treat the host `<svc>.<namespace>.svc.cluster.local` as defined by the Kubernetes Multi-Cluster Services (MCS) spec. In this mode, requests to `cluster.local` will be routed to only those endpoints residing within the same cluster as the client. Requires that both ENABLE_MCS_SERVICE_DISCOVERY and ENABLE_MCS_HOST also be enabled.
ENABLE_MCS_HOSTBooleanfalseIf enabled, istiod will configure a Kubernetes Multi-Cluster Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) for each service exported (via ServiceExport) in at least one cluster. Clients must, however, be able to successfully lookup these DNS hosts. That means that either Istio DNS interception must be enabled or an MCS controller must be used. Requires that ENABLE_MCS_SERVICE_DISCOVERY also be enabled.
ENABLE_MCS_SERVICE_DISCOVERYBooleanfalseIf enabled, istiod will enable Kubernetes Multi-Cluster Services (MCS) service discovery mode. In this mode, service endpoints in a cluster will only be discoverable within the same cluster unless explicitly exported via ServiceExport.
ENABLE_MULTICLUSTER_HEADLESSBooleantrueIf true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster.
ENABLE_PROBE_KEEPALIVE_CONNECTIONSBooleanfalseIf enabled, readiness probes will keep the connection from pilot-agent to the application alive. This mirrors older Istio versions' behaviors, but not kubelet's.
ENABLE_TLS_ON_SIDECAR_INGRESSBooleanfalseIf enabled, the TLS configuration on Sidecar.ingress will take effect
ENABLE_WASM_TELEMETRYBooleanfalseIf enabled, Wasm-based telemetry will be enabled.
EXTERNAL_CAStringExternal CA Integration Type. Permitted Values are ISTIOD_RA_KUBERNETES_API or ISTIOD_RA_ISTIO_API
EXTERNAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
GCP_QUOTA_PROJECTStringAllows specification of a quota project to be used in requests to GCP APIs.
INJECTION_WEBHOOK_CONFIG_NAMEStringistio-sidecar-injectorName of the mutatingwebhookconfiguration to patch, if istioctl is not used.
INJECT_ENABLEDBooleantrueEnable mutating webhook handler.
ISTIOD_CUSTOM_HOSTStringCustom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas.
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSIONBooleantrueIf enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file.
ISTIO_DEFAULT_REQUEST_TIMEOUTTime Duration0sDefault Http and gRPC Request timeout
ISTIO_DELTA_XDSBooleanfalseIf enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
ISTIO_GATEWAY_STRIP_HOST_PORTBooleanfalseIf enabled, Gateway will remove any port from host/authority header before any processing of request by HTTP filters or routing.
ISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
ISTIO_MULTIROOT_MESHBooleanfalseIf enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS
JWT_POLICYStringthird-party-jwtThe JWT validation policy.
JWT_RULEStringThe JWT rule used by istiod authentication
K8S_SIGNERStringKubernates CA Signer type. Valid from Kubernates 1.18
KUBERNETES_SERVICE_HOSTStringKubernetes service host, set automatically when running in-cluster
K_REVISIONStringKNative revision, set if running in knative
LABEL_CANONICAL_SERVICES_FOR_MESH_EXTERNAL_SERVICE_ENTRIESBooleanfalseIf enabled, metadata representing canonical services for ServiceEntry resources with a location of mesh_external will be populatedin the cluster metadata for those endpoints.
MAX_WORKLOAD_CERT_TTLTime Duration2160h0m0sThe max TTL of issued workload certificates.
MCS_API_GROUPStringmulticluster.x-k8s.ioThe group to be used for the Kubernetes Multi-Cluster Services (MCS) API.
MCS_API_VERSIONStringv1alpha1The version to be used for the Kubernets Multi-Cluster Services (MCS) API.
PILOT_ANALYSIS_INTERVALTime Duration10sIf analysis is enabled, pilot will run istio analyzers using this value as interval in seconds Istio Resources
PILOT_CERT_PROVIDERStringistiodThe provider of Pilot DNS certificate.
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this interval. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_ENABLE_ALPN_FILTERBooleantrueIf true, pilot will add Istio ALPN filters, required for proper protocol sniffing.
PILOT_ENABLE_ANALYSISBooleanfalseIf enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_ENABLE_CDS_CACHEBooleantrueIf true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKINGBooleantrueIf enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRYBooleantrueIf enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.
PILOT_ENABLE_DESTINATION_RULE_INHERITANCEBooleanfalseIf set, workload specific DestinationRules will inherit configurations settings from mesh and namespace level rules
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_GATEWAY_APIBooleantrueIf this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLERBooleantrueIf this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc
PILOT_ENABLE_GATEWAY_API_STATUSBooleantrueIf this is set to true, gateway-api resources will have status written to them
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERSBooleantrueIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_INBOUND_PASSTHROUGHBooleantrueIf enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.
PILOT_ENABLE_ISTIO_TAGSBooleantrueDetermines whether or not trace spans generated by Envoy will include Istio-specific tags.
PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGHBooleanfalseIf enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.
PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAMEBooleanfalseIf enabled, Gateway's with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.
PILOT_ENABLE_METADATA_EXCHANGEBooleantrueIf true, pilot will add metadata exchange filters, which will be consumed by telemetry filter.
PILOT_ENABLE_MONGO_FILTERBooleantrueEnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain.
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUNDBooleantrueIf enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUNDBooleantrueIf enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_QUIC_LISTENERSBooleanfalseIf true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP)
PILOT_ENABLE_RDS_CACHEBooleantrueIf true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_REDIS_FILTERBooleanfalseEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATIONBooleantrueIf true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization.
PILOT_ENABLE_SERVICEENTRY_SELECT_PODSBooleantrueIf enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter.
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATIONBooleantrueEnables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKSBooleantrueEnables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup
PILOT_ENABLE_XDS_CACHEBooleantrueIf true, Pilot will cache XDS responses.
PILOT_ENABLE_XDS_IDENTITY_CHECKBooleantrueIf enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.
PILOT_ENDPOINT_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.
PILOT_ENVOY_FILTER_STATSBooleanfalseIf true, Pilot will collect metrics for envoy filter operations.
PILOT_FILTER_GATEWAY_CLUSTER_CONFIGBooleanfalseIf enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
PILOT_FLOW_CONTROL_TIMEOUTTime Duration15sIf set, the max amount of time to delay a push by. Depends on PILOT_ENABLE_FLOW_CONTROL.
PILOT_HTTP10BooleanfalseEnables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUTTime Duration1sProtocol detection timeout for inbound listener
PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONSStringComma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication.Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), `clientKey`, `clientCertificate`, `tokenFile`, and `exec`.
PILOT_JWT_ENABLE_REMOTE_JWKSBooleanfalseIf enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL and configures remote Jwks to let Envoy fetch the Jwks instead of Istiod.
PILOT_JWT_PUB_KEY_REFRESH_INTERVALTime Duration20m0sThe interval for istiod to fetch the jwks_uri for the jwks public key.
PILOT_LEGACY_INGRESS_BEHAVIORBooleanfalseIf this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.
PILOT_MAX_REQUESTS_PER_SECONDFloating-Point25Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.
PILOT_PARTIAL_FULL_PUSHESBooleantrueIf enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
PILOT_REMOTE_CLUSTER_TIMEOUTTime Duration30sAfter this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior.
PILOT_SCOPE_GATEWAY_TO_NAMESPACEBooleanfalseIf enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SEND_UNHEALTHY_ENDPOINTSBooleantrueIf enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing.
PILOT_SIDECAR_USE_REMOTE_ADDRESSBooleanfalseUseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.
PILOT_SKIP_VALIDATE_TRUST_DOMAINBooleanfalseSkip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_STATUS_BURSTInteger500If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_MAX_WORKERSInteger100The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments.
PILOT_STATUS_QPSFloating-Point100If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PILOT_STATUS_UPDATE_INTERVALTime Duration500msInterval to update the XDS distribution status.
PILOT_TRACE_SAMPLINGFloating-Point1Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0.
PILOT_USE_ENDPOINT_SLICEBooleanfalseIf enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
PILOT_WORKLOAD_ENTRY_GRACE_PERIODTime Duration10sThe amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.
PILOT_XDS_CACHE_SIZEInteger60000The maximum number of cache entries for the XDS cache.
PILOT_XDS_CACHE_STATSBooleanfalseIf true, Pilot will collect metrics for XDS cache efficiency.
PILOT_XDS_SEND_TIMEOUTTime Duration0sThe timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
PRIORITIZED_LEADER_ELECTIONBooleantrueIf enabled, the default revision will steal leader locks from non-default revisions
REQUIRE_3P_TOKENBooleanfalseReject k8s default tokens, without audience. If false, default K8S token will be accepted
RESOLVE_HOSTNAME_GATEWAYSBooleantrueIf true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways.
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATIONBooleanfalseIf enabled, readiness probes will be sent to 'localhost'. Otherwise, they will be sent to the Pod's IP, matching Kubernetes' behavior.
REWRITE_TCP_PROBESBooleantrueIf false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.
ROOT_CA_DIRString./etc/cacertsLocation of a local or mounted CA root
SHARED_MESH_CONFIGStringAdditional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.
SPIFFE_BUNDLE_ENDPOINTSStringThe SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar
TOKEN_AUDIENCESStringistio-caA list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences
TOKEN_ISSUERStringOIDC token issuer. If set, will be used to check the tokens.
UNSAFE_ENABLE_ADMIN_ENDPOINTSBooleanfalseIf this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.
UNSAFE_PILOT_ENABLE_DELTA_TESTBooleanfalseIf enabled, addition runtime tests for Delta XDS efficiency are added. These checks are extremely expensive, so this should be used only for testing, not production.
UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONSBooleanfalseIf enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing.
USE_REMOTE_CERTSBooleanfalseWhether to try to load CA certs from a remote Kubernetes cluster. Used for external Istiod.
VALIDATION_WEBHOOK_CONFIG_NAMEStringistio-istio-systemName of the validatingwebhookconfiguration to patch. Empty will skip using cluster admin to patch.
VERIFY_CERTIFICATE_AT_CLIENTBooleanfalseIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
VERIFY_SDS_CERTIFICATEBooleantrueIf enabled, certificates fetched from SDS server will be verified before sending back to proxy.
XDS_AUTHBooleantrueIf true, will authenticate XDS clients.
XDS_AUTH_PLAINTEXTBooleanfalseAuthenticate plain text requests - used if Istiod is behind a gateway handling TLS

Exported metrics

Metric NameTypeDescription
auto_registration_deletes_totalSumTotal number of auto registration cleaned up by periodic timer.
auto_registration_errors_totalSumTotal number of auto registration errors.
auto_registration_success_totalSumTotal number of successful auto registrations.
auto_registration_unregister_totalSumTotal number of unregistrations.
auto_registration_updates_totalSumTotal number of auto registration updates.
citadel_server_authentication_failure_countSumThe number of authentication failures.
citadel_server_cert_chain_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired.
citadel_server_csr_countSumThe number of CSRs received by Citadel server.
citadel_server_csr_parsing_err_countSumThe number of errors occurred when parsing the CSR.
citadel_server_csr_sign_err_countSumThe number of errors occurred when signing the CSR.
citadel_server_id_extraction_err_countSumThe number of errors occurred when extracting the ID from CSR.
citadel_server_root_cert_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel root cert will expire. A negative time indicates the cert is expired.
citadel_server_success_cert_issuance_countSumThe number of certificates issuances that have succeeded.
controller_sync_errors_totalSumTotal number of errorMetric syncing controllers.
endpoint_no_podLastValueEndpoints without an associated pod.
galley_validation_config_delete_errorCountk8s webhook configuration delete error
galley_validation_config_loadCountk8s webhook configuration (re)loads
galley_validation_config_load_errorCountk8s webhook configuration (re)load error
galley_validation_config_update_errorCountk8s webhook configuration update error
galley_validation_config_updatesCountk8s webhook configuration updates
galley_validation_failedSumResource validation failed
galley_validation_http_errorSumResource validation http serve errors
galley_validation_passedSumResource is valid
istio_buildLastValueIstio component build info
istiod_managed_clustersLastValueNumber of clusters managed by istiod
num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.)
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener.
pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host
pilot_duplicate_envoy_clustersLastValueDuplicate envoy clusters caused by service entries with same hostname
pilot_eds_no_instancesLastValueNumber of clusters without instances.
pilot_endpoint_not_readyLastValueEndpoint found in unready state.
pilot_inbound_updatesSumTotal number of updates received by pilot.
pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver
pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver
pilot_k8s_cfg_eventsSumEvents from k8s config.
pilot_k8s_endpoints_pending_podLastValueNumber of endpoints that do not currently have any corresponding pods.
pilot_k8s_endpoints_with_no_podsSumEndpoints that does not have any corresponding pods.
pilot_k8s_reg_eventsSumEvents from k8s registry.
pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid.
pilot_proxy_convergence_timeDistributionDelay in seconds between config change and a proxy receiving all required configuration.
pilot_proxy_queue_timeDistributionTime in seconds, a proxy is in the push queue before being dequeued.
pilot_push_triggersSumTotal number of times a push was triggered, labeled by reason for the push.
pilot_sds_certificate_errors_totalSumTotal number of failures to fetch SDS key and certificate.
pilot_servicesLastValueTotal services known to pilot.
pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore.
pilot_total_xds_internal_errorsSumTotal number of internal XDS errors in pilot.
pilot_total_xds_rejectsSumTotal number of XDS responses from pilot rejected by proxy.
pilot_virt_servicesLastValueTotal virtual services known to pilot.
pilot_vservice_dup_domainLastValueVirtual services with dup domains.
pilot_xdsLastValueNumber of endpoints connected to this pilot using XDS.
pilot_xds_cds_rejectLastValuePilot rejected CDS configs.
pilot_xds_config_size_bytesDistributionDistribution of configuration sizes pushed to clients
pilot_xds_delayed_push_timeouts_totalSumTotal number of XDS pushes that are delayed and timed out
pilot_xds_delayed_pushes_totalSumTotal number of XDS pushes that are delayed.
pilot_xds_eds_rejectLastValuePilot rejected EDS.
pilot_xds_expired_nonceSumTotal number of XDS requests with an expired nonce.
pilot_xds_lds_rejectLastValuePilot rejected LDS.
pilot_xds_push_context_errorsSumNumber of errors (timeouts) initiating push context.
pilot_xds_push_timeDistributionTotal time in seconds Pilot takes to push lds, rds, cds and eds.
pilot_xds_pushesSumPilot build and send errors for lds, rds, cds and eds.
pilot_xds_rds_rejectLastValuePilot rejected RDS.
pilot_xds_send_timeDistributionTotal time in seconds Pilot takes to send generated configuration.
pilot_xds_write_timeoutSumPilot XDS response write timeouts.
remote_cluster_sync_timeouts_totalSumNumber of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.
scrape_failures_totalSumThe total number of failed scrapes.
scrapes_totalSumThe total number of scrapes.
sidecar_injection_failure_totalSumTotal number of failed sidecar injection requests.
sidecar_injection_requests_totalSumTotal number of sidecar injection requests.
sidecar_injection_skip_totalSumTotal number of skipped sidecar injection requests.
sidecar_injection_success_totalSumTotal number of successful sidecar injection requests.
startup_duration_secondsLastValueThe time from the process starting to being marked ready.
wasm_cache_entriesLastValuenumber of Wasm remote fetch cache entries.
wasm_cache_lookup_countSumnumber of Wasm remote fetch cache lookups.
wasm_config_conversion_countSumnumber of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint.
wasm_config_conversion_durationDistributionTotal time in milliseconds istio-agent spends on converting remote load in Wasm config.
wasm_remote_fetch_countSumnumber of Wasm remote fetches and results, including success, download failure, and checksum mismatch.
webhook_patch_attempts_totalSumWebhook patching attempts
webhook_patch_failures_totalSumWebhook patching total failures
webhook_patch_retries_totalSumWebhook patching retries
xds_cache_evictionsSumTotal number of xds cache evictions.
xds_cache_readsSumTotal number of xds cache xdsCacheReads.
xds_cache_sizeLastValueCurrent size of xds cache
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!