pilot-agent
Istio Pilot agent runs in the sidecar or gateway container and bootstraps Envoy.
Flags | Description |
---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-agent completion
Generate the autocompletion script for pilot-agent for the specified shell. See each sub-command's help for details on how to use the generated script.
Flags | Description |
---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-agent completion bash
Generate the autocompletion script for the bash shell.
This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.
To load completions in your current shell session:
source <(pilot-agent completion bash)
To load completions for every new session, execute once:
Linux:
pilot-agent completion bash > /etc/bash_completion.d/pilot-agent
macOS:
pilot-agent completion bash > /usr/local/etc/bash_completion.d/pilot-agent
You will need to start a new shell for this setup to take effect.
pilot-agent completion bash
Flags | Description |
---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--no-descriptions | disable completion descriptions |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-agent completion fish
Generate the autocompletion script for the fish shell.
To load completions in your current shell session:
pilot-agent completion fish | source
To load completions for every new session, execute once:
pilot-agent completion bash > ~/.config/fish/completions/pilot-agent.fish
You will need to start a new shell for this setup to take effect.
pilot-agent completion fish [flags]
Flags | Description |
---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--no-descriptions | disable completion descriptions |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-agent completion powershell
Generate the autocompletion script for PowerShell.
To load completions in your current shell session:
pilot-agent completion powershell | Out-String | Invoke-Expression
To load completions for every new session, add the output of the above command to your powershell profile.
pilot-agent completion powershell [flags]
Flags | Description |
---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--no-descriptions | disable completion descriptions |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-agent completion zsh
Generate the autocompletion script for the zsh shell.
If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:
echo "autoload -U compinit; compinit" >> ~/.zshrc
To load completions in your current shell session:
source <(pilot-agent completion zsh)
To load completions for every new session, execute once:
Linux:
pilot-agent completion zsh > "${fpath[1]}/_pilot-agent"
macOS:
pilot-agent completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-agent
You will need to start a new shell for this setup to take effect.
pilot-agent completion zsh [flags]
Flags | Description |
---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--no-descriptions | disable completion descriptions |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-agent istio-iptables
istio-iptables is responsible for setting up port forwarding for Istio Sidecar.
pilot-agent istio-iptables [flags]
Flags | Shorthand | Description |
---|---|---|
--capture-all-dns | Instead of only capturing DNS traffic to DNS server IP, capture all DNS traffic at port 53. This setting is only effective when redirect dns is enabled. | |
--cleanup-only | Perform a forced cleanup without creating new iptables chains or rules. | |
--cni-mode | Whether to run as CNI plugin. | |
--drop-invalid | Enable invalid drop in the iptables rules. | |
--dry-run | -n | Do not call any external dependencies like iptables. |
--dual-stack | Enable ipv4/ipv6 redirects for dual-stack. | |
--envoy-port <string> | -p | Specify the envoy port to which redirect all TCP traffic. (default `15001`) |
--force-apply | Apply iptables changes even if they appear to already be in place. | |
--inbound-capture-port <string> | -z | Port to which all inbound TCP traffic to the pod/VM should be redirected to. (default `15006`) |
--inbound-tunnel-port <string> | -e | Specify the istio tunnel port for inbound tcp traffic. (default `15008`) |
--iptables-probe-port <uint16> | Set listen port for failure detection. (default `15002`) | |
--iptables-trace-logging | Insert tracing logs for each iptables rules, using the LOG chain. | |
--istio-exclude-interfaces <string> | -c | Comma separated list of NIC (optional). Neither inbound nor outbound traffic will be captured. (default ``) |
--istio-inbound-interception-mode <string> | -m | The mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY". (default ``) |
--istio-inbound-ports <string> | -b | Comma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). The wildcard character "*" can be used to configure redirection for all ports. An empty list will disable. (default ``) |
--istio-inbound-tproxy-mark <string> | -t | (default `1337`) |
--istio-inbound-tproxy-route-table <string> | -r | (default `133`) |
--istio-local-exclude-ports <string> | -d | Comma separated list of inbound ports to be excluded from redirection to Envoy (optional). Only applies when all inbound traffic (i.e. "*") is being redirected. (default ``) |
--istio-local-outbound-ports-exclude <string> | -o | Comma separated list of outbound ports to be excluded from redirection to Envoy. (default ``) |
--istio-outbound-ports <string> | -q | Comma separated list of outbound ports to be explicitly included for redirection to Envoy. (default ``) |
--istio-service-cidr <string> | -i | Comma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard character "*" can be used to redirect all outbound traffic. An empty list will disable all outbound. (default ``) |
--istio-service-exclude-cidr <string> | -x | Comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. "*") is being redirected. (default ``) |
--kube-virt-interfaces <string> | -k | Comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. (default ``) |
--log_as_json | Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) | |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) | |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--network-namespace <string> | The network namespace that iptables rules should be applied to. (default ``) | |
--probe-timeout <duration> | Failure detection timeout. (default `5s`) | |
--proxy-gid <string> | -g | Specify the GID of the user for which the redirection is not applied (same default value as -u param). (default ``) |
--proxy-uid <string> | -u | Specify the UID of the user for which the redirection is not applied. Typically, this is the UID of the proxy container. (default ``) |
--reconcile | Reconcile pre-existing and incompatible iptables rules instead of failing if drift is detected. | |
--redirect-dns | Enable capture of dns traffic by istio-agent. | |
--run-validation | Validate iptables. | |
--skip-rule-apply | Skip iptables apply. | |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-agent proxy
XDS proxy agent
pilot-agent proxy [flags]
Flags | Description |
---|---|
--concurrency <int> | number of worker threads to run (default `0`) |
--domain <string> | DNS domain suffix. If not provided uses ${POD_NAMESPACE}.svc.cluster.local (default ``) |
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--meshConfig <string> | File name for Istio mesh configuration. If not specified, a default mesh will be used. This may be overridden by PROXY_CONFIG environment variable or proxy.istio.io/config annotation. (default `./etc/istio/config/mesh`) |
--outlierLogPath <string> | The log path for outlier detection (default ``) |
--profiling | Enable profiling via web interface host:port/debug/pprof/. |
--proxyComponentLogLevel <string> | The component log level used to start the Envoy proxy. Deprecated, use proxyLogLevel instead (default ``) |
--proxyLogLevel <string> | The log level used to start the Envoy proxy (choose from {trace, debug, info, warning, error, critical, off}).Level may also include one or more scopes, such as 'info,misc:error,upstream:debug' (default `warning,misc:error`) |
--serviceCluster <string> | Service cluster (default `istio-proxy`) |
--stsPort <int> | HTTP Port on which to serve Security Token Service (STS). If zero, STS service will not be provided. (default `0`) |
--templateFile <string> | Go template bootstrap config (default ``) |
--tokenManagerPlugin <string> | Token provider specific plugin name. (default ``) |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-agent request
Makes an HTTP request to the Envoy admin API
pilot-agent request <method> <path> [<body>] [flags]
Flags | Description |
---|---|
--debug-port <int32> | Set the port to make a local request to. The default points to the Envoy admin API. (default `15000`) |
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-agent version
Prints out build version information
pilot-agent version [flags]
Flags | Shorthand | Description |
---|---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) | |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) | |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--output <string> | -o | One of 'yaml' or 'json'. (default ``) |
--short | -s | Use --short=false to generate full version information |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
pilot-agent wait
Waits until the Envoy proxy is ready
pilot-agent wait [flags]
Flags | Description |
---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--periodMillis <int> | number of milliseconds to wait between attempts (default `500`) |
--requestTimeoutMillis <int> | number of milliseconds to wait for response (default `500`) |
--timeoutSeconds <int> | maximum number of seconds to wait for Envoy to be ready (default `60`) |
--url <string> | URL to use in requests (default `http://localhost:15021/healthz/ready`) |
--vklog <Level> | number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) |
Environment variables
These environment variables affect the behavior of thepilot-agent
command.Variable Name | Type | Default Value | Description |
---|---|---|---|
AMBIENT_ENABLE_STATUS | Boolean | false | If enabled, status messages for ambient mode will be written to resources. Currently, this does not do leader election, so may be unsafe to enable with multiple replicas. |
BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS | Boolean | true | If enabled, overload manager will not be applied to static listeners |
CA_ADDR | String |
| Address of the spiffe certificate provider. Defaults to discoveryAddress |
CA_PROVIDER | String | Citadel | name of authentication provider |
CA_ROOT_CA | String |
| Explicitly set the root CA to expect for the CA connection. |
CA_TRUSTED_NODE_ACCOUNTS | String |
| If set, the list of service accounts that are allowed to use node authentication for CSRs. Node authentication allows an identity to create CSRs on behalf of other identities, but only if there is a pod running on the same node with that identity. This is intended for use with node proxies. |
CERT_SIGNER_DOMAIN | String |
| The cert signer domain info |
CLOUD_PLATFORM | String |
| Cloud Platform on which proxy is running, if not specified, Istio will try to discover the platform. Valid platform values are aws, azure, gcp, none |
CLUSTER_ID | String | Kubernetes | Defines the cluster and service registry that this Istiod instance belongs to |
COMPLIANCE_POLICY | String |
| If set, applies policy-specific restrictions over all existing TLS settings, including in-mesh mTLS and external TLS. Valid values are: * '' or unset places no additional restrictions. * 'fips-140-2' which enforces a version of the TLS protocol and a subset of cipher suites overriding any user preferences or defaults for all runtime components, including Envoy, gRPC Go SDK, and gRPC C++ SDK. WARNING: Setting compliance policy in the control plane is a necessary but not a sufficient requirement to achieve compliance. There are additional steps necessary to claim compliance, including using the validated cryptograhic modules (please consult https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2). |
CREDENTIAL_FETCHER_TYPE | String | JWT | The type of the credential fetcher. Currently supported types include GoogleComputeEngine |
CREDENTIAL_IDENTITY_PROVIDER | String | GoogleComputeEngine | The identity provider for credential. Currently default supported identity provider is GoogleComputeEngine |
DISABLE_ENVOY | Boolean | false | Disables all Envoy agent features. |
DNS_FORWARD_PARALLEL | Boolean | false | If set to true, agent will send parallel DNS queries to all upstream nameservers |
DNS_PROXY_ADDR | String | localhost:15053 | Custom address for the DNS proxy. If it ends with :53 and running as root allows running without iptable DNS capture |
DRY_RUN_FILE_PATH | String |
| If provided, StdoutStubDependencies will write the input from stdin to the given file. |
ECC_CURVE | String | P256 | The elliptic curve to use when ECC_SIGNATURE_ALGORITHM is set to ECDSA |
ECC_SIGNATURE_ALGORITHM | String |
| The type of ECC signature algorithm to use when generating private keys |
ENABLE_100_CONTINUE_HEADERS | Boolean | true | If enabled, istiod will proxy 100-continue headers as is |
ENABLE_AUTO_SNI | Boolean | true | If enabled, automatically set SNI when `DestinationRules` do not specify the same |
ENABLE_CA_SERVER | Boolean | true | If this is set to false, will not create CA server in istiod. |
ENABLE_DEBUG_ON_HTTP | Boolean | true | If this is set to false, the debug interface will not be enabled, recommended for production |
ENABLE_DEFERRED_CLUSTER_CREATION | Boolean | true | If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread |
ENABLE_DEFERRED_STATS_CREATION | Boolean | true | If enabled, Istio will lazily initialize a subset of the stats |
ENABLE_DELIMITED_STATS_TAG_REGEX | Boolean | true | If true, pilot will use the new delimited stat tag regex to generate Envoy stats tags. |
ENABLE_ENHANCED_DESTINATIONRULE_MERGE | Boolean | true | If enabled, Istio merge destinationrules considering their exportTo fields, they will be kept as independent rules if the exportTos are not equal. |
ENABLE_ENHANCED_RESOURCE_SCOPING | Boolean | true | If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution. |
ENABLE_HCM_INTERNAL_NETWORKS | Boolean | false | If enable, endpoints defined in mesh networks will be configured as internal addresses in Http Connection Manager |
ENABLE_INBOUND_RETRY_POLICY | Boolean | true | If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service. |
ENABLE_INGRESS_WAYPOINT_ROUTING | Boolean | false | If true, Gateways will call service waypoints if the 'istio.io/ingress-use-waypoint' label set on the Service. |
ENABLE_LEADER_ELECTION | Boolean | true | If enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election. |
ENABLE_LOCALITY_WEIGHTED_LB_CONFIG | Boolean | false | If enabled, always set LocalityWeightedLbConfig for a cluster, otherwise only apply it when locality lb is specified by DestinationRule for a service |
ENABLE_MCS_AUTO_EXPORT | Boolean | false | If enabled, istiod will automatically generate Kubernetes Multi-Cluster Services (MCS) ServiceExport resources for every service in the mesh. Services defined to be cluster-local in MeshConfig are excluded. |
ENABLE_MCS_CLUSTER_LOCAL | Boolean | false | If enabled, istiod will treat the host `<svc>.<namespace>.svc.cluster.local` as defined by the Kubernetes Multi-Cluster Services (MCS) spec. In this mode, requests to `cluster.local` will be routed to only those endpoints residing within the same cluster as the client. Requires that both ENABLE_MCS_SERVICE_DISCOVERY and ENABLE_MCS_HOST also be enabled. |
ENABLE_MCS_HOST | Boolean | false | If enabled, istiod will configure a Kubernetes Multi-Cluster Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) for each service exported (via ServiceExport) in at least one cluster. Clients must, however, be able to successfully lookup these DNS hosts. That means that either Istio DNS interception must be enabled or an MCS controller must be used. Requires that ENABLE_MCS_SERVICE_DISCOVERY also be enabled. |
ENABLE_MCS_SERVICE_DISCOVERY | Boolean | false | If enabled, istiod will enable Kubernetes Multi-Cluster Services (MCS) service discovery mode. In this mode, service endpoints in a cluster will only be discoverable within the same cluster unless explicitly exported via ServiceExport. |
ENABLE_MULTICLUSTER_HEADLESS | Boolean | true | If true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster. |
ENABLE_NATIVE_SIDECARS | Boolean | false | If set, used Kubernetes native Sidecar container support. Requires SidecarContainer feature flag. |
ENABLE_PROBE_KEEPALIVE_CONNECTIONS | Boolean | false | If enabled, readiness probes will keep the connection from pilot-agent to the application alive. This mirrors older Istio versions' behaviors, but not kubelet's. |
ENABLE_RESOLUTION_NONE_TARGET_PORT | Boolean | true | If enabled, targetPort will be supported for resolution=NONE ServiceEntry |
ENABLE_SELECTOR_BASED_K8S_GATEWAY_POLICY | Boolean | true | If disabled, Gateway API gateways will ignore workloadSelector policies, onlyapplying policies that select the gateway with a targetRef. |
ENABLE_TLS_ON_SIDECAR_INGRESS | Boolean | false | If enabled, the TLS configuration on Sidecar.ingress will take effect |
ENABLE_VTPROTOBUF | Boolean | true | If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf. |
ENVOY_PROMETHEUS_PORT | Integer | 15090 | Envoy prometheus redirection port value |
ENVOY_STATUS_PORT | Integer | 15021 | Envoy health status port value |
ENVOY_USER | String | istio-proxy | Envoy proxy username |
EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY | Boolean | true | If true, excludes unsafe retry on 503 from default retry policy. |
EXIT_ON_ZERO_ACTIVE_CONNECTIONS | Boolean | false | When set to true, terminates proxy when number of active connections become zero during draining |
EXTERNAL_ISTIOD | Boolean | false | If this is set to true, one Istiod will control remote clusters including CA. |
FILE_DEBOUNCE_DURATION | Time Duration | 100ms | The duration for which the file read operation is delayed once file update is detected |
FILE_MOUNTED_CERTS | Boolean | false | |
GCP_METADATA | String |
| Pipe separated GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE |
GCP_QUOTA_PROJECT | String |
| Allows specification of a quota project to be used in requests to GCP APIs. |
GCP_ZONE | String |
| GCP Zone where the workload is running on. |
GRPC_KEEPALIVE_INTERVAL | Time Duration | 30s | gRPC Keepalive Interval |
GRPC_KEEPALIVE_TIMEOUT | Time Duration | 10s | gRPC Keepalive Timeout |
GRPC_XDS_BOOTSTRAP | String | etc/istio/proxy/grpc-bootstrap.json | Path where gRPC expects to read a bootstrap file. Agent will generate one if set. |
HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLED | Boolean | true | |
INBOUND_INTERCEPTION_MODE | String |
| The mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY" |
INBOUND_TPROXY_MARK | String |
| |
INJECTION_WEBHOOK_CONFIG_NAME | String | istio-sidecar-injector | Name of the mutatingwebhookconfiguration to patch, if istioctl is not used. |
INSTANCE_IP | String |
| |
IPTABLES_TRACE_LOGGING | Boolean | false | When enable, all iptables actions will be logged. This requires NET_ADMIN privilege and has noisy logs; as a result, this is intended for debugging only |
ISTIOD_CUSTOM_HOST | String |
| Custom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas. |
ISTIOD_SAN | String |
| Override the ServerName used to validate Istiod certificate. Can be used as an alternative to setting /etc/hosts for VMs - discovery address will be an IP:port |
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSION | Boolean | true | If enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file. |
ISTIO_BOOTSTRAP | String |
| |
ISTIO_BOOTSTRAP_OVERRIDE | String |
| |
ISTIO_CPU_LIMIT | Integer | 0 | CPU limit for the current process. Expressed as an integer value, rounded up. |
ISTIO_DELTA_XDS | Boolean | true | If enabled, pilot will only send the delta configs as opposed to the state of the world configuration on a Resource Request. While this feature uses the delta xds api, it may still occasionally send unchanged configurations instead of just the actual deltas. |
ISTIO_DUAL_STACK | Boolean | false | If true, Istio will enable the Dual Stack feature. |
ISTIO_ENABLE_CONTROLLER_QUEUE_METRICS | Boolean | false | If enabled, publishes metrics for queue depth, latency and processing times. |
ISTIO_ENABLE_HTTP2_PROBING | Boolean | true | If enabled, HTTP2 probes will be enabled for HTTPS probes, following Kubernetes |
ISTIO_ENABLE_IPV4_OUTBOUND_LISTENER_FOR_IPV6_CLUSTERS | Boolean | false | If true, pilot will configure an additional IPv4 listener for outbound traffic in IPv6 only clusters, e.g. AWS EKS IPv6 only clusters. |
ISTIO_ENVOY_ENABLE_CORE_DUMP | Boolean | false | |
ISTIO_GPRC_MAXRECVMSGSIZE | Integer | 4194304 | Sets the max receive buffer size of gRPC stream in bytes. |
ISTIO_GPRC_MAXSTREAMS | Integer | 100000 | Sets the maximum number of concurrent grpc streams. |
ISTIO_KUBE_APP_PROBERS | String |
| |
ISTIO_KUBE_CLIENT_CONTENT_TYPE | String | protobuf | The content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json] |
ISTIO_META_CERT_SIGNER | String |
| The cert signer info for workload cert |
ISTIO_META_CLUSTER_ID | String |
| |
ISTIO_META_DNS_CAPTURE | Boolean | false | If set to true, enable the capture of outgoing DNS packets on port 53, redirecting to istio-agent on :15053 |
ISTIO_META_ENABLE_DNS_SERVER | Boolean | false | If set to true, starts the DNS server on :15053. This won't automatically capture the DNS traffic and can be used when we want Gateways to resolve DNS using this as Resolver for use cases like Dynamic Forward Proxy |
ISTIO_MULTIROOT_MESH | Boolean | false | If enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS |
ISTIO_OUTBOUND_IPV4_LOOPBACK_CIDR | String | 127.0.0.1/32 | IPv4 CIDR range used to identify outbound traffic on loopback interface intended for application container |
ISTIO_OUTBOUND_OWNER_GROUPS | String | * | Comma separated list of groups whose outgoing traffic is to be redirected to Envoy. A group can be specified either by name or by a numeric GID. The wildcard character "*" can be used to configure redirection of traffic from all groups. |
ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE | String |
| Comma separated list of groups whose outgoing traffic is to be excluded from redirection to Envoy. A group can be specified either by name or by a numeric GID. Only applies when traffic from all groups (i.e. "*") is being redirected to Envoy. |
ISTIO_PROMETHEUS_ANNOTATIONS | String |
| |
ISTIO_WATCH_NAMESPACE | String |
| If set, limit Kubernetes watches to a single namespace. Warning: only a single namespace can be set. |
ISTIO_WORKLOAD_ENTRY_VALIDATE_IDENTITY | Boolean | true | If enabled, will validate the identity of a workload matches the identity of the WorkloadEntry it is associating with for health checks and auto registration. This flag is added for backwards compatibility only and will be removed in future releases |
JWKS_RESOLVER_INSECURE_SKIP_VERIFY | Boolean | false | If enabled, istiod will skip verifying the certificate of the JWKS server. |
JWT_POLICY | String | third-party-jwt | The JWT validation policy. |
KUBERNETES_SERVICE_HOST | String |
| Kubernetes service host, set automatically when running in-cluster |
LABEL_CANONICAL_SERVICES_FOR_MESH_EXTERNAL_SERVICE_ENTRIES | Boolean | false | If enabled, metadata representing canonical services for ServiceEntry resources with a location of mesh_external will be populatedin the cluster metadata for those endpoints. |
LOCAL_CLUSTER_SECRET_WATCHER | Boolean | false | If enabled, the cluster secret watcher will watch the namespace of the external cluster instead of config cluster |
MCS_API_GROUP | String | multicluster.x-k8s.io | The group to be used for the Kubernetes Multi-Cluster Services (MCS) API. |
MCS_API_VERSION | String | v1alpha1 | The version to be used for the Kubernetes Multi-Cluster Services (MCS) API. |
METRICS_LOCALHOST_ACCESS_ONLY | Boolean | false | This will disable metrics endpoint from outside of the pod, allowing only localhost access. |
METRIC_GRACEFUL_DELETION_INTERVAL | Time Duration | 5m0s | Metric expiry graceful deletion interval. No-op if METRIC_ROTATION_INTERVAL is disabled. |
METRIC_ROTATION_INTERVAL | Time Duration | 0s | Metric scope rotation interval, set to 0 to disable the metric scope rotation |
MINIMUM_DRAIN_DURATION | Time Duration | 5s | The minimum duration for which agent waits before it checks for active connections and terminates proxy when number of active connections become zero |
MUTEX_PROFILE_FRACTION | Integer | 1000 | If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely. |
OUTPUT_CERTS | String |
| The output directory for the key and certificate. If empty, key and certificate will not be saved. Must be set for VMs using provisioning certificates. |
PEER_METADATA_DISCOVERY | Boolean | false | If set to true, enable the peer metadata discovery extension in Envoy |
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE | Boolean | false | If set, it allows creating inbound listeners for service ports and sidecar ingress listeners |
PILOT_ANALYSIS_INTERVAL | Time Duration | 10s | If analysis is enabled, pilot will run istio analyzers using this value as interval in seconds Istio Resources |
PILOT_AUTO_ALLOW_WAYPOINT_POLICY | Boolean | false | If enabled, zTunnel will receive synthetic authorization policies for each workload ALLOW the Waypoint's identity. Unless other ALLOW policies are created, this effectively denies traffic that doesn't go through the waypoint. |
PILOT_CERT_PROVIDER | String | istiod | The provider of Pilot DNS certificate. K8S RA will be used for k8s.io/NAME. 'istiod' value will sign using Istio build in CA. Other values will not not generate TLS certs, but still distribute ./etc/certs/root-cert.pem. Only used if custom certificates are not mounted. |
PILOT_CONVERT_SIDECAR_SCOPE_CONCURRENCY | Integer | 1 | Used to adjust the concurrency of SidecarScope conversions. When istiod is deployed on a multi-core CPU server, increasing this value will help to use the CPU to accelerate configuration push, but it also means that istiod will consume more CPU resources. |
PILOT_DEBOUNCE_AFTER | Time Duration | 100ms | The delay added to config/registry events for debouncing. This will delay the push by at least this interval. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX. |
PILOT_DEBOUNCE_MAX | Time Duration | 10s | The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push. |
PILOT_DISABLE_MX_ALPN | Boolean | false | If true, pilot will not put istio-peer-exchange ALPN into TLS handshake configuration. |
PILOT_DNS_CARES_UDP_MAX_QUERIES | String | 100 | Sets the `udp_max_queries` option in Envoy for the Cares DNS resolver. Defaults to 0, an unlimited number of queries. See `extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig` in https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto and `ARES_OPT_UDP_MAX_QUERIES` in https://c-ares.org/docs/ares_init.html |
PILOT_DNS_JITTER_DURATION | Time Duration | 100ms | Jitter added to periodic DNS resolution |
PILOT_DRAINING_LABEL | String | istio.io/draining | If not empty, endpoints with the label value present will be sent with status DRAINING. |
PILOT_ENABLE_ALPHA_GATEWAY_API | Boolean | false | If this is set to true, support for alpha APIs in the Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed. |
PILOT_ENABLE_ALPN_FILTER | Boolean | true | If true, pilot will add Istio ALPN filters, required for proper protocol sniffing. |
PILOT_ENABLE_AMBIENT | Boolean | false | If enabled, ambient mode can be used. Individual flags configure fine grained enablement; this must be enabled for any ambient functionality. |
PILOT_ENABLE_AMBIENT_WAYPOINTS | Boolean | false | If enabled, controllers required for ambient will run. This is required to run ambient mesh. |
PILOT_ENABLE_ANALYSIS | Boolean | false | If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources |
PILOT_ENABLE_CDS_CACHE | Boolean | true | If true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE. |
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY | Boolean | true | If enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster. |
PILOT_ENABLE_EDS_DEBOUNCE | Boolean | true | If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled |
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES | Boolean | false | If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar. |
PILOT_ENABLE_GATEWAY_API | Boolean | true | If this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed. |
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER | Boolean | true | If this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc |
PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER | Boolean | true | If this is set to true, istiod will create and manage its default GatewayClasses |
PILOT_ENABLE_GATEWAY_API_STATUS | Boolean | true | If this is set to true, gateway-api resources will have status written to them |
PILOT_ENABLE_IP_AUTOALLOCATE | Boolean | true | If enabled, pilot will start a controller that assigns IP addresses to ServiceEntry which do not have a user-supplied IP. This, when combined with DNS capture allows for tcp routing of traffic sent to the ServiceEntry. |
PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES | Boolean | true | If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don't need this feature |
PILOT_ENABLE_METADATA_EXCHANGE | Boolean | true | If true, pilot will add metadata exchange filters, which will be consumed by telemetry filter. |
PILOT_ENABLE_MONGO_FILTER | Boolean | true | EnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain. |
PILOT_ENABLE_MYSQL_FILTER | Boolean | false | EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain. |
PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS | Boolean | false | If enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers. |
PILOT_ENABLE_PERSISTENT_SESSION_FILTER | Boolean | false | If enabled, Istiod sets up persistent session filter for listeners, if services have 'PILOT_PERSISTENT_SESSION_LABEL' set. |
PILOT_ENABLE_QUIC_LISTENERS | Boolean | false | If true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP) |
PILOT_ENABLE_RDS_CACHE | Boolean | true | If true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE. |
PILOT_ENABLE_REDIS_FILTER | Boolean | false | EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain. |
PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATION | Boolean | true | If true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization. |
PILOT_ENABLE_SENDING_HBONE | Boolean | false | If enabled, HBONE will be allowed when sending to destinations. |
PILOT_ENABLE_SERVICEENTRY_SELECT_PODS | Boolean | true | If enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature |
PILOT_ENABLE_SIDECAR_LISTENING_HBONE | Boolean | false | If enabled, HBONE support can be configured for proxies. |
PILOT_ENABLE_TELEMETRY_LABEL | Boolean | true | If true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter. |
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION | Boolean | true | Enables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload. |
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKS | Boolean | true | Enables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup |
PILOT_ENABLE_XDS_CACHE | Boolean | true | If true, Pilot will cache XDS responses. |
PILOT_ENABLE_XDS_IDENTITY_CHECK | Boolean | true | If enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for. |
PILOT_ENDPOINT_TELEMETRY_LABEL | Boolean | true | If true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter. |
PILOT_ENVOY_FILTER_STATS | Boolean | false | If true, Pilot will collect metrics for envoy filter operations. |
PILOT_FILTER_GATEWAY_CLUSTER_CONFIG | Boolean | false | If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway |
PILOT_GATEWAY_API_CONTROLLER_NAME | String | istio.io/gateway-controller | Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name |
PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME | String | istio | Name of the default GatewayClass |
PILOT_HTTP10 | Boolean | false | Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications. |
PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS | String |
| Comma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication.Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), `clientKey`, `clientCertificate`, `tokenFile`, and `exec`. |
PILOT_JWT_ENABLE_REMOTE_JWKS | String | false | Mode of fetching JWKs from JwksUri in RequestAuthentication. Supported value: istiod, false, hybrid, true, envoy. The client fetching JWKs is as following: istiod/false - Istiod; hybrid/true - Envoy and fallback to Istiod if JWKs server is external; envoy - Envoy. |
PILOT_JWT_PUB_KEY_REFRESH_INTERVAL | Time Duration | 20m0s | The interval for istiod to fetch the jwks_uri for the jwks public key. |
PILOT_MAX_REQUESTS_PER_SECOND | Floating-Point | 0 | Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently. If set to 0 or unset, the max will be automatically determined based on the machine size |
PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API | Boolean | true | If true, Pilot will discover labeled Kubernetes gateway objects as multi-network gateways. |
PILOT_PERSISTENT_SESSION_HEADER_LABEL | String | istio.io/persistent-session-header | If not empty, services with this label will use header based persistent sessions |
PILOT_PERSISTENT_SESSION_LABEL | String | istio.io/persistent-session | If not empty, services with this label will use cookie based persistent sessions |
PILOT_PREFER_SENDING_HBONE | Boolean | false | If enabled, HBONE will be preferred when sending to destinations. |
PILOT_PUSH_THROTTLE | Integer | 0 | Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes. If set to 0 or unset, the max will be automatically determined based on the machine size |
PILOT_REMOTE_CLUSTER_TIMEOUT | Time Duration | 30s | After this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior. |
PILOT_SCOPE_GATEWAY_TO_NAMESPACE | Boolean | false | If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable. |
PILOT_SEND_UNHEALTHY_ENDPOINTS | Boolean | false | If enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing. To avoid, sending traffic to non ready endpoints, enabling this flag, disables panic threshold in Envoy i.e. Envoy does not load balance requests to unhealthy/non-ready hosts even if the percentage of healthy hosts fall below minimum health percentage(panic threshold). |
PILOT_SIDECAR_USE_REMOTE_ADDRESS | Boolean | false | UseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners. |
PILOT_SKIP_VALIDATE_TRUST_DOMAIN | Boolean | false | Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy |
PILOT_STATUS_BURST | Integer | 500 | If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst |
PILOT_STATUS_MAX_WORKERS | Integer | 100 | The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments. |
PILOT_STATUS_QPS | Integer | 100 | If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS |
PILOT_STATUS_UPDATE_INTERVAL | Time Duration | 500ms | Interval to update the XDS distribution status. |
PILOT_TRACE_SAMPLING | Floating-Point | 1 | Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0. |
PILOT_UNIFIED_SIDECAR_SCOPE | Boolean | true | If true, unified SidecarScope creation will be used. This is only intended as a temporary feature flag for backwards compatibility. |
PILOT_WORKLOAD_ENTRY_GRACE_PERIOD | Time Duration | 10s | The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up. |
PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL | Time Duration | 5s | The interval for xds cache index clearing. |
PILOT_XDS_CACHE_SIZE | Integer | 60000 | The maximum number of cache entries for the XDS cache. |
PILOT_XDS_CACHE_STATS | Boolean | false | If true, Pilot will collect metrics for XDS cache efficiency. |
PKCS8_KEY | Boolean | false | Whether to generate PKCS#8 private keys |
POD_NAME | String |
| |
POD_NAMESPACE | String |
| |
PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES | Boolean | true | If true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings. |
PROV_CERT | String |
| Set to a directory containing provisioned certs, for VMs |
PROXY_CONFIG | String |
| The proxy configuration. This will be set by the injection - gateways will use file mounts. |
PROXY_CONFIG_XDS_AGENT | Boolean | false | If set to true, agent retrieves dynamic proxy-config updates via xds channel |
PROXY_XDS_DEBUG_VIA_AGENT | Boolean | true | If set to true, the agent will listen on tap port and offer pilot's XDS istio.io/debug debug API there. |
PROXY_XDS_DEBUG_VIA_AGENT_PORT | Integer | 15004 | Agent debugging port. |
RESOLVE_HOSTNAME_GATEWAYS | Boolean | true | If true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways. |
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION | Boolean | false | If enabled, readiness probes will be sent to 'localhost'. Otherwise, they will be sent to the Pod's IP, matching Kubernetes' behavior. |
SECRET_GRACE_PERIOD_RATIO | Floating-Point | 0.5 | The grace period ratio for the cert rotation, by default 0.5. |
SECRET_GRACE_PERIOD_RATIO_JITTER | Floating-Point | 0.01 | Randomize the grace period ratio up or down by this amount to stagger cert renewals, by default .01 (~15 minutes over 24 hours). |
SECRET_TTL | Time Duration | 24h0m0s | The cert lifetime requested by istio agent |
SERVICE_ACCOUNT | String |
| Name of service account |
SHARED_MESH_CONFIG | String |
| Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence. |
TOKEN_AUDIENCES | String | istio-ca | A list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences |
TRUSTED_GATEWAY_CIDR | String |
| If set, any connections from gateway to Istiod with this CIDR range are treated as trusted for using authentication mechanisms like XFCC. This can only be used when the network where Istiod and the authenticating gateways are running in a trusted/secure network |
TRUST_DOMAIN | String | cluster.local | The trust domain for spiffe certificates |
UNSAFE_ENABLE_ADMIN_ENDPOINTS | Boolean | false | If this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production. |
UNSAFE_PILOT_ENABLE_DELTA_TEST | Boolean | false | If enabled, addition runtime tests for Delta XDS efficiency are added. These checks are extremely expensive, so this should be used only for testing, not production. |
UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONS | Boolean | false | If enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing. |
USE_CACERTS_FOR_SELF_SIGNED_CA | Boolean | false | If enabled, istiod will use a secret named cacerts to store its self-signed istio-generated root certificate. |
VALIDATION_WEBHOOK_CONFIG_NAME | String | istio-istio-system | If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment. |
WASM_HTTP_REQUEST_MAX_RETRIES | Integer | 5 | maximum number of HTTP/HTTPS request retries for pulling a Wasm module via http/https |
WASM_HTTP_REQUEST_TIMEOUT | Time Duration | 15s | timeout per a HTTP request for pulling a Wasm module via http/https |
WASM_INSECURE_REGISTRIES | String |
| allow agent pull wasm plugin from insecure registries or https server, for example: 'localhost:5000,docker-registry:5000' |
WASM_MODULE_EXPIRY | Time Duration | 24h0m0s | cache expiration duration for a wasm module. |
WASM_PURGE_INTERVAL | Time Duration | 1h0m0s | interval between checking the expiration of wasm modules |
WORKLOAD_IDENTITY_SOCKET_FILE | String | socket | SPIRE workload identity SDS socket filename. If set, an SDS socket with this name must exist at ./var/run/secrets/workload-spiffe-uds |
WORKLOAD_RSA_KEY_SIZE | Integer | 2048 | Specify the RSA key size to use for workload certificates. |
XDS_AUTH | Boolean | true | If true, will authenticate XDS clients. |
XDS_AUTH_PLAINTEXT | Boolean | false | authenticate plain text requests - used if Istiod is running on a secure/trusted network |
XDS_AUTH_PROVIDER | String |
| Provider for XDS auth |
XDS_ROOT_CA | String |
| Explicitly set the root CA to expect for the XDS connection. |
Exported metrics
Metric Name | Type | Description |
---|---|---|
cert_expiry_seconds | LastValue | The time remaining, in seconds, before the certificate chain will expire. A negative value indicates the cert is expired. |
dns_requests_total | Sum | Total number of DNS requests. |
dns_upstream_failures_total | Sum | Total number of DNS failures. |
dns_upstream_request_duration_seconds | Distribution | Total time in seconds Istio takes to get DNS response from upstream. |
dns_upstream_requests_total | Sum | Total number of DNS requests forwarded to upstream. |
envoy_connection_terminations | Sum | The total number of connection errors from envoy |
istio_build | LastValue | Istio component build info |
istiod_connection_failures | Sum | The total number of connection failures to Istiod |
istiod_connection_terminations | Sum | The total number of connection errors to Istiod |
num_failed_outgoing_requests | Sum | Number of failed outgoing requests (e.g. to a token exchange server, CA, etc.) |
num_file_secret_failures_total | Sum | Number of times secret generation failed for files |
num_file_watcher_failures_total | Sum | Number of times file watcher failed to add watchers |
num_outgoing_requests | Sum | Number of total outgoing requests (e.g. to a token exchange server, CA, etc.) |
num_outgoing_retries | Sum | Number of outgoing retry requests (e.g. to a token exchange server, CA, etc.) |
outgoing_latency | Sum | The latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds. |
pilot_total_xds_internal_errors | Sum | Total number of internal XDS errors in pilot. |
pilot_total_xds_rejects | Sum | Total number of XDS responses from pilot rejected by proxy. |
pilot_worker_queue_depth | LastValue | Depth of the controller queues |
pilot_worker_queue_duration | Distribution | Time taken to process an item |
pilot_worker_queue_latency | Distribution | Latency before the item is processed |
pilot_xds_cds_reject | LastValue | Pilot rejected CDS configs. |
pilot_xds_eds_reject | LastValue | Pilot rejected EDS. |
pilot_xds_expired_nonce | Sum | Total number of XDS requests with an expired nonce. |
pilot_xds_lds_reject | LastValue | Pilot rejected LDS. |
pilot_xds_rds_reject | LastValue | Pilot rejected RDS. |
pilot_xds_send_time | Distribution | Total time in seconds Pilot takes to send generated configuration. |
pilot_xds_write_timeout | Sum | Pilot XDS response write timeouts. |
scrape_failures_total | Sum | The total number of failed scrapes. |
scrapes_total | Sum | The total number of scrapes. |
startup_duration_seconds | LastValue | The time from the process starting to being marked ready. |
wasm_cache_entries | LastValue | number of Wasm remote fetch cache entries. |
wasm_cache_lookup_count | Sum | number of Wasm remote fetch cache lookups. |
wasm_config_conversion_count | Sum | number of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint. |
wasm_config_conversion_duration | Distribution | Total time in milliseconds istio-agent spends on converting remote load in Wasm config. |
wasm_remote_fetch_count | Sum | number of Wasm remote fetches and results, including success, download failure, and checksum mismatch. |
xds_proxy_requests | Sum | The total number of Xds Proxy Requests |
xds_proxy_responses | Sum | The total number of Xds Proxy Responses |