Resource Annotations

When specified on a Pod enrolled in ambient mesh, only outbound traffic will be captured. This is intended to be used when enrolling a workload that only receives traffic from out-of-the-mesh clients, such as third party ingress controllers.

Automatically configured by Istio to indicate a Pod was successfully enrolled in ambient mode. This shows the actual state; to specify intent that a workload should be in ambient mode, see istio.io/dataplane-mode. User should not manually modify this annotation.

A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation ‘galley.istio.io/analyze-suppress=IST0108,IST0103’. If the value is ‘*’, then all configuration analysis messages are suppressed.

The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information.

Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information.

A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture. Note: When using docker-in-docker container, the default bridge interface name is typically docker0. However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option com.docker.network.bridge.name with a fixed value and use that name in the annotation.

Specifies a control plane revision to which a given proxy is connected. This annotation is added automatically, not set by a user. In contrary to the label istio.io/rev, it represents the actual revision, not the requested revision.

Annotation on an Ingress resources denoting the class of controllers responsible for it.

Specifies the namespaces to which this service should be exported to. A value of * indicates it is reachable within the mesh. . indicates it is reachable within its namespace. ‘~’ indicates it is hidden and exported to no namespaces. Additionally, a list of comma separated namespace names can be specified.

Controls how traffic is distributed across the set of available endpoints.

At this time, this annotation only impacts routing done by Ztunnel.

Accepted values:

• PreferClose: endpoints will be categorized by how “close” they are, consider network, region, zone, and subzone. Traffic will be prioritized to the closest healthy endpoints. For example, if I have a Service with PreferClose set, with endpoints in zones us-west,us-west,us-east. When sending traffic from a client in zone us-west, all traffic will go to the two us-west backends. If one those backends become unhealthy, all traffic will go to the remaining endpoint in us-west. If that backend becomes unhealthy, traffic will sent to us-east.

Specifies if application Prometheus metric will be merged with Envoy metrics for this workload.

Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig.

Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic.

Specifies the failure threshold for the Envoy sidecar readiness probe.

Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe.

Specifies the period (in seconds) for the Envoy sidecar readiness probe.

Specifies the log output level for pilot-agent.

Specifies an alternative Envoy bootstrap configuration file.

Specifies the component log level for Envoy.

Specifies the XDS discovery address to be used by the Envoy sidecar.

An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list.

Specifies whether or not an Envoy sidecar should be automatically injected into the workload. This annotation has been deprecated in favor of the sidecar.istio.io/inject label documented here.

Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY).

Specifies the log level for Envoy.

Specifies if the istio-proxy sidecar should be injected as a native sidecar or not. Takes precedence over the ENABLE_NATIVE_SIDECARS environment variable.

Specifies the requested CPU setting for the Envoy sidecar.

Specifies the CPU limit for the Envoy sidecar.

Specifies the Docker image to be used by the Envoy sidecar.

Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag.

Specifies the requested memory setting for the Envoy sidecar.

Specifies the memory limit for the Envoy sidecar.

Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar.

Specifies the compression algorithm to use for stats emitted by the Envoy sidecar. Supported values are brotli, gzip, and zstd.

Specifies the expiration interval for the Istio standard metrics. This gets rounded to a multiple of the flush interval. A time series is expected to be evicted after 2 iterations of this interval from the last measurement.

Specifies the flush interval for push-based stat sinks, e.g. OTLP. Default interval is 5s.

Specifies the bin size per time series for the Istio standard metrics histograms. Reducing this value from the default 100 decreases overall memory usage for sparse and/or high cardinality histograms.

Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. {"istiocustom":[1,5,10,50,100,500,1000,5000,10000],"cluster.xds-grpc":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}. Default buckets are [0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000].

Specifies the comma separated list of prefixes of the stats to be emitted by Envoy.

Specifies the comma separated list of regexes the stats should match to be emitted by Envoy.

Specifies the comma separated list of suffixes of the stats to be emitted by Envoy.

Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources.

Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar.

Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar.

Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status.

A comma-separated list of clusters (or * for any) running istiod that should attempt leader election for a remote cluster thats system namespace includes this annotation. Istiod will not attempt to lead unannotated remote clusters.

This annotation is a set of node-labels (key1=value,key2=value). If the annotated Service is of type NodePort and is a multi-network gateway (see topology.istio.io/network), the addresses for selected nodes will be used for cross-network communication.

A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.

A comma separated list of interfaces to be excluded from Istio traffic capture

A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.

A comma separated list of outbound ports to be excluded from redirection to Envoy.

A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list will disable all inbound redirection.

A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.

A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.

A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. Deprecated in favor of istio.io/reroute-virtual-interfaces