Address of the server implementing the Istio Mesh Configuration protocol (MCP). Can be IP address or a fully qualified DNS name. Use fs:/// to specify a file-based backend with absolute path to the directory.

Use the tls_settings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as ISTIO_MUTUAL.

Describes the source of configuration, if nothing is specified default is MCP

Name of the secret the certificate and its key will be stored into. If it is empty, it will not be stored into a secret. Instead, the certificate and its key will be stored into a hard-coded directory.

The DNS names for the certificate. A certificate may contain multiple DNS names.

The PEM data of the certificate.

The SPIFFE bundle endpoint URL that complies to: TrustDomainandBundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFETrustDomainandBundle.md#521-web-pki The certificate is retrieved from the endpoint.

Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, this will enable the rate limit service for destinations that have matching rate limit configurations.

Specify thrift rate limit service timeout, in milliseconds. Default is 50ms

REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

Use the tlssettings to specify the tls mode to use. Regarding tlssettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server’s certificate) is omitted, Istiod will use the system root certs to verify the CA server’s certificate.

timeout for forward CSR requests from Istiod to External CA Default: 10s

Use istiod_side to specify CA Server integrate to Istiod side or Agent side Default: true

REQUIRED. A unique name identifying the extension provider.

Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.

Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.

Configures a tracing provider that uses the Zipkin API.

Configures a Lightstep tracing provider.

Configures a Datadog tracing provider.

Configures a Stackdriver provider.

Configures an OpenCensusAgent tracing provider.

Name of the default provider for tracing. This must match a provider defined in extension_providers that is one of the support tracing providers.

If true, specifies that the client and service endpoints must reside in the same cluster. By default, in multi-cluster deployments, the Istio control plane assumes all service endpoints to be reachable from any client in any of the clusters which are part of the mesh. This configuration option limits the set of service endpoints visible to a client to be cluster scoped.

• A service (or group of services) is inherently local to the cluster and has local storage for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
• A mesh administrator wants to slowly migrate services to Istio. They might start by first having services cluster-local and then slowly transition them to mesh-wide. They could do this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group (e.g. *.myns.svc.cluster.local).

By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

Sets the maximum size of a message body that the ext-authz filter will hold in memory. If maxrequestbytes is reached, and allowpartialmessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. Note that this setting will have precedence over the failopen field, the 413 will be returned even when the failopen is set to true.

When this field is true, ext-authz filter will buffer the message until maxrequestbytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message indicating if the body data is partial.

If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the rawbody field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attributecontext.proto#L153). Otherwise, it will be filled with UTF-8 string in the body field (context.proto#L147). This field only works with the envoyextauthzgrpc provider and has no effect for the envoyextauthz_http provider.

REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. The format is “[/]”. The specification of is required only when it is insufficient to unambiguously resolve a service in the service registry. The is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

REQUIRED. Specifies the port of the service.

The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured fail_open field.

Sets a prefix to the value of authorization request header Path. For example, setting this to “/check” for an original user request at path “/admin” will cause the authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.

If true, the user request will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false and the request will be rejected with “Forbidden” response.

Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is “403” (HTTP Forbidden).

DEPRECATED. Use includerequestheadersincheck instead.

List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default: 1. Host, Method, Path and Content-Length are automatically sent. 2. Content-Length will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by includerequestbodyincheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size.

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match ): - Exact match: “abc” will match on value “abc”. - Prefix match: “abc” will match on value “abc” and “abcd”. - Suffix match: “abc” will match on value “abc” and “xabc”.

Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. Note that client request of the same key or headers specified in includerequestheadersincheck will be overridden.

If set, the client request body will be included in the authorization request sent to the authorization service.

List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). If not specified, the original request will not be modified and forwarded to backend as-is. Note, any existing headers will be overridden.

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match ): - Exact match: “abc” will match on value “abc”. - Prefix match: “abc” will match on value “abc” and “abcd”. - Suffix match: “abc” will match on value “abc” and “xabc”.

List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200). If not specified, all the authorization response headers, except Authority (Host) will be in the response to the downstream. When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are automatically added. Note, the body from the authorization service is always included in the response to downstream.

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): - Exact match: “abc” will match on value “abc”. - Prefix match: “abc” will match on value “abc” and “abcd”. - Suffix match: “abc” will match on value “abc” and “xabc”.

REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. The format is “[/]”. The specification of is required only when it is insufficient to unambiguously resolve a service in the service registry. The is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

REQUIRED. Specifies the port of the service.

The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured fail_open field.

If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is “403” (HTTP Forbidden).

If set, the client request body will be included in the authorization request sent to the authorization service.

REQUIRED. Specifies the service for the Lightstep collector. The format is “[/]”. The specification of is required only when it is insufficient to unambiguously resolve a service in the service registry. The is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.

REQUIRED. Specifies the port of the service.

The Lightstep access token.

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

REQUIRED. Specifies the service for the Datadog agent. The format is “[/]”. The specification of is required only when it is insufficient to unambiguously resolve a service in the service registry. The is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.

REQUIRED. Specifies the port of the service.

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

REQUIRED. Specifies the service for the OpenCensusAgent. The format is “[/]”. The specification of is required only when it is insufficient to unambiguously resolve a service in the service registry. The is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.

REQUIRED. Specifies the port of the service.

Specifies the set of context propagation headers used for distributed tracing. Default is [“W3C_TRACE_CONTEXT”]. If multiple values are specified, the proxy will attempt to read each header for each request and will write all headers.

Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed. +optional

matchExpressions is a list of label selector requirements. The requirements are ANDed. +optional

Use a Zipkin tracer.

Use a Lightstep tracer.

Use a Datadog tracer.

Use a Stackdriver tracer.

Use an OpenCensus tracer exporting to an OpenCensus agent.

The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0.

Use the tls_settings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as ISTIO_MUTUAL.

True if SDS is enabled.

Path of k8s service account JWT path.

Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory.

Path to the proxy binary

Service cluster defines the name for the servicecluster that is shared by all Envoy instances. This setting corresponds to —service-cluster flag in Envoy. In a typical Envoy deployment, the service-cluster flag is used to identify the caller, for source-based routing scenarios.

Since Istio does not assign a local service/service version to each Envoy instance, the name is same for all of them. However, the source/caller’s identity (e.g., IP address) is encoded in the —service-node flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the service-node flag to compute routes that are relative to the service instances located at that IP address.

The time in seconds that Envoy will drain connections during a hot restart. MUST be >=1s (e.g., 1s/1m/1h) Default drain duration is 45s.

The time in seconds that Envoy will wait before shutting down the parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h). MUST BE greater than drain_duration parameter. Default shutdown duration is 60s.

Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.

IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

Port on which Envoy should listen for administrative commands. Default port is 15000.

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. Default is set to MUTUAL_TLS.

File path of custom proxy configuration, currently used by proxies in front of Mixer and Pilot.

Maximum length of name field in Envoy’s metrics. The length of the name field is determined by the length of a name field in a service and the set of labels that comprise a particular version of the service. The default value is set to 189 characters. Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.

The number of worker threads to run. If unset, this will be automatically determined based on CPU requests/limits. If set to 0, all cores on the machine will be used. Default is 2 worker threads.

Path to the proxy bootstrap template file

The mode used to redirect inbound traffic to Envoy.

Tracing configuration to be used by the proxy.

Secret Discovery Service(SDS) configuration to be used by the proxy.

Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). See Metric Service for details about Envoy’s Metrics Service API.

Additional environment variables for the proxy. Names starting with ISTIO_META will be included in the generated bootstrap and sent to the XDS server.

Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port 15020.

An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics.

The amount of time allowed for connections to complete on proxy shutdown. On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the termination_drain_duration and then kills any remaining active Envoy processes. If not set, a default of 5s will be applied.

The unique identifier for the service mesh All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

VM Health Checking readiness probe. This health check config exactly mirrors the kubernetes readiness probe configuration both in schema and logic. Only one health check method of 3 can be set at a time.

Proxy stats matcher defines configuration for reporting custom Envoy stats. To reduce memory and CPU overhead from Envoy stats system, Istio proxies by default create and expose only a subset of Envoy stats. This option is to control creation of additional Envoy stats with prefix, suffix, and regex expressions match on the name of the stats. This replaces the stats inclusion annotations (sidecar.istio.io/statsInclusionPrefixes, sidecar.istio.io/statsInclusionRegexps, and sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats for circuit breaker, retry, and upstream connections, you can specify stats matcher as follow:

proxyStatsMatcher:
  inclusionRegexps:
    - .circuit_breakers.
  inclusionPrefixes:
    - upstream_rq_retry
    - upstream_cx

Note including more Envoy stats might increase number of time series collected by prometheus significantly. Care needs to be taken on Prometheus resource provision and configuration to reduce cardinality.

Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. This feature adds hooks to delay application startup until the pod proxy is ready to accept traffic, mitigating some startup race conditions. Default value is ‘false’.

The PEM data of the extra root certificates for workload-to-workload communication. This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) are added automatically by Istiod.

Address of the Zipkin service (e.g. zipkin:9411). DEPRECATED: Use tracing instead.

Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.

Use the tls_settings to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as ISTIO_MUTUAL.

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

Address of the Zipkin service (e.g. zipkin:9411).

Address of the Lightstep Satellite pool.

The Lightstep access token.

Address of the Datadog Agent.

Proxy stats name prefix matcher for inclusion.

Proxy stats name suffix matcher for inclusion.

Proxy stats name regexps matcher for inclusion.

The list of endpoints in the network (obtained through the constituent service registries or from CIDR ranges). All endpoints in the network are directly accessible to one another.

Set of gateways associated with the network.

The set of networks inside this mesh. Each network should have a unique name and information about how to infer the endpoints in the network as well as the gateways associated with the network.

A CIDR range for the set of endpoints in this network. The CIDR ranges for endpoints from different networks must not overlap.

Add all endpoints from the specified registry into this network. The names of the registries should correspond to the kubeconfig file name inside the secret that was used to configure the registry (Kubernetes multicluster) or supplied by MCP server.

A fully qualified domain name of the gateway service. Pilot will lookup the service from the service registries in the network and obtain the endpoint IPs of the gateway from the service registry. Note that while the service name is a fully qualified domain name, it need not be resolvable outside the orchestration platform for the registry. e.g., this could be istio-ingressgateway.istio-system.svc.cluster.local.

IP address or externally resolvable DNS address associated with the gateway.

The port associated with the gateway.

The locality associated with an explicitly specified gateway (i.e. ip)

outbound traffic will be restricted to services defined in the service registry as well as those defined through ServiceEntries

outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntries for the destination port

Use W3C Trace Context propagation using the traceparent HTTP header. See the Trace Context documentation for details.

Use gRPC binary context propagation using the grpc-trace-bin http header.

Use Cloud Trace context propagation using the X-Cloud-Trace-Context http header.

Use multi-header B3 context propagation using the X-B3-TraceId, X-B3-SpanId, and X-B3-Sampled HTTP headers. See for details.

Apply default normalizations. Currently, this is BASE.

No normalization, paths are used as is.

Normalize according to RFC 3986. For Envoy proxies, this is the option. For example, /a/../b normalizes to /b.

In addition to the BASE normalization, consecutive slashes are also merged. For example, /a//b normalizes to a/b.

In addition to normalization in MERGE_SLASHES, slash characters are UTF-8 decoded (case insensitive) prior to merging. This means %2F, %2f, %5C, and %5c sequences in the request path will be rewritten to / or \. For example, /a%2f/b normalizes to a/b.

Unspecified Istio ingress controller.

Disables Istio ingress controller.

Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingress_class parameter described earlier. Use this mode if Istio ingress controller will be the default ingress controller for the entire Kubernetes cluster.

Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingress_class parameter described earlier. Use this mode if Istio ingress controller will be a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller).

text encoding for the proxy access log

json encoding for the proxy access log

Do not upgrade connections to http2.

Upgrade the connections to http2.

Set to only receive service entries that are generated by the platform. These auto generated service entries are combination of services and endpoints that are generated by a specific platform e.g. k8

Use W3C Trace Context propagation using the traceparent HTTP header. See the Trace Context documentation for details.

Use gRPC binary context propagation using the grpc-trace-bin http header.

Use Cloud Trace context propagation using the X-Cloud-Trace-Context http header.

Use multi-header B3 context propagation using the X-B3-TraceId, X-B3-SpanId, and X-B3-Sampled HTTP headers. See for details.

Do not encrypt proxy to control plane traffic.

Proxy to control plane traffic is wrapped into mutual TLS connections.