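# Istio custom resource definitions: Mixer policy adapters and attribute
# manifests (config.istio.io), AuthorizationPolicy (security.istio.io) and the
# head of DestinationRule (networking.istio.io). All are namespaced and expose
# a status subresource. The "helm.sh/resource-policy: keep" annotation makes
# Helm leave the CRD -- and therefore every custom resource of that kind -- in
# place when the chart is uninstalled.
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: adapters.config.istio.io
  labels:
    app: mixer
    package: adapter
    istio: mixer-adapter
    chart: istio
    heritage: Tiller
    release: istio
  annotations:
    "helm.sh/resource-policy": keep
spec:
  group: config.istio.io
  names:
    kind: adapter
    plural: adapters
    singular: adapter
    categories:
      - istio-io
      - policy-istio-io
  scope: Namespaced
  versions:
    - name: v1alpha2
      schema:
        openAPIV3Schema:
          type: object
          properties:
            # Schemaless: the API server stores whatever is placed under spec
            # and status without validating it. A misspelled adapter setting is
            # accepted silently, so adapter configuration must be validated
            # client-side before it is applied.
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
      served: true
      storage: true
      subresources:
        status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: attributemanifests.config.istio.io
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: core
    package: istio.io.mixer
    release: istio
  annotations:
    "helm.sh/resource-policy": keep
spec:
  group: config.istio.io
  names:
    kind: attributemanifest
    listKind: attributemanifestList
    plural: attributemanifests
    singular: attributemanifest
    categories:
      - istio-io
      - policy-istio-io
  scope: Namespaced
  versions:
    - name: v1alpha2
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              description: >-
                Describes the rules used to configure Mixer's policy and
                telemetry features. See more details at:
                https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html
              properties:
                attributes:
                  description: >-
                    The set of attributes this Istio component will be
                    responsible for producing at runtime.
                  type: object
                  # Map keyed by attribute name; the key itself is free-form.
                  additionalProperties:
                    type: object
                    properties:
                      description:
                        description: A human-readable description of the attribute's purpose.
                        type: string
                        format: string
                      valueType:
                        description: The type of data carried by this attribute.
                        type: string
                        enum:
                          - VALUE_TYPE_UNSPECIFIED
                          - STRING
                          - INT64
                          - DOUBLE
                          - BOOL
                          - TIMESTAMP
                          - IP_ADDRESS
                          - EMAIL_ADDRESS
                          - URI
                          - DNS_NAME
                          - DURATION
                          - STRING_MAP
                name:
                  description: Name of the component producing these attributes.
                  type: string
                  format: string
                revision:
                  description: The revision of this document.
                  type: string
                  format: string
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
      served: true
      storage: true
      subresources:
        status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: authorizationpolicies.security.istio.io
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    istio: security
    release: istio
  annotations:
    "helm.sh/resource-policy": keep
spec:
  group: security.istio.io
  names:
    kind: AuthorizationPolicy
    listKind: AuthorizationPolicyList
    plural: authorizationpolicies
    singular: authorizationpolicy
    categories:
      - istio-io
      - security-istio-io
  scope: Namespaced
  versions:
    - name: v1beta1
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              description: >-
                Configuration for access control on workloads. See more details at:
                https://istio.io/docs/reference/config/security/authorization-policy.html
              properties:
                action:
                  # ALLOW is the default. Note the asymmetry: an ALLOW policy
                  # whose rules match nothing denies every request to the
                  # selected workloads, while a DENY policy whose rules match
                  # nothing denies nothing.
                  description: >-
                    Optional. The action to take if the request is matched with
                    the rules: ALLOW, DENY or AUDIT. Defaults to ALLOW if not
                    specified.
                  type: string
                  enum:
                    - ALLOW
                    - DENY
                    - AUDIT
                rules:
                  description: >-
                    Optional. A list of rules to match the request. A match
                    occurs when at least one rule matches the request. If not
                    set, the match will never occur; for an ALLOW policy this
                    denies all requests to the selected workloads.
                  type: array
                  items:
                    type: object
                    properties:
                      from:
                        description: >-
                          Optional. Specifies the source of a request. If not
                          set, any source is allowed.
                        type: array
                        items:
                          type: object
                          properties:
                            source:
                              description: Source specifies the source of a request.
                              type: object
                              # NOTE(review): principals and namespaces are taken
                              # from the peer's mTLS identity. A plaintext client
                              # presents no identity and so can never satisfy a
                              # positive match on them; whether it also passes the
                              # notPrincipals / notNamespaces negations depends on
                              # the Istio release -- confirm before relying on it.
                              properties:
                                ipBlocks:
                                  description: >-
                                    Optional. A list of IP blocks, which matches
                                    to the "source.ip" attribute. Single IP
                                    (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24")
                                    are supported. If not set, any IP is allowed.
                                  # NOTE(review): source.ip is the address of the
                                  # immediate peer; behind a load balancer or
                                  # ingress this is the proxy, not the client.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                namespaces:
                                  description: >-
                                    Optional. A list of namespaces, which matches
                                    to the "source.namespace" attribute. This
                                    field requires mTLS enabled. If not set, any
                                    namespace is allowed.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                notIpBlocks:
                                  description: Optional. A list of negative match of IP blocks.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                notNamespaces:
                                  description: Optional. A list of negative match of namespaces.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                notPrincipals:
                                  description: Optional. A list of negative match of peer identities.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                notRequestPrincipals:
                                  description: Optional. A list of negative match of request identities.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                principals:
                                  description: >-
                                    Optional. A list of source peer identities
                                    (i.e. service account), which matches to the
                                    "source.principal" attribute. This field
                                    requires mTLS enabled. If not set, any
                                    principal is allowed.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                requestPrincipals:
                                  description: >-
                                    Optional. A list of request identities
                                    (i.e. "iss/sub" claims), which matches to the
                                    "request.auth.principal" attribute. If not
                                    set, any request principal is allowed.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                      to:
                        description: >-
                          Optional. Specifies the operation of a request. If not
                          set, any operation is allowed.
                        type: array
                        items:
                          type: object
                          properties:
                            operation:
                              description: Operation specifies the operation of a request.
                              type: object
                              # NOTE(review): hosts/paths/methods are only as
                              # strong as the proxy's request normalization;
                              # confirm the mesh's path-normalization setting
                              # before using paths or notPaths as a security
                              # boundary.
                              properties:
                                hosts:
                                  description: >-
                                    Optional. A list of hosts, which matches to
                                    the "request.host" attribute. If not set,
                                    any host is allowed. Must be used only with
                                    HTTP.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                methods:
                                  description: >-
                                    Optional. A list of methods, which matches
                                    to the "request.method" attribute. For gRPC
                                    service, this will always be "POST". If not
                                    set, any method is allowed. Must be used
                                    only with HTTP.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                notHosts:
                                  description: Optional. A list of negative match of hosts.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                notMethods:
                                  description: Optional. A list of negative match of methods.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                notPaths:
                                  description: Optional. A list of negative match of paths.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                notPorts:
                                  description: Optional. A list of negative match of ports.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                paths:
                                  description: >-
                                    Optional. A list of paths, which matches to
                                    the "request.url_path" attribute. For gRPC
                                    service, this will be the fully-qualified
                                    name in the form of "/package.service/method".
                                    If not set, any path is allowed. Must be
                                    used only with HTTP.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                                ports:
                                  description: >-
                                    Optional. A list of ports, which matches to
                                    the "destination.port" attribute. If not
                                    set, any port is allowed.
                                  # Ports are strings in this schema (e.g. "8080"),
                                  # not integers.
                                  type: array
                                  items:
                                    type: string
                                    format: string
                      when:
                        description: >-
                          Optional. Specifies a list of additional conditions of
                          a request. If not set, any condition is allowed.
                        type: array
                        items:
                          type: object
                          properties:
                            key:
                              description: >-
                                The name of an Istio attribute. See the Istio
                                documentation for the full list of supported
                                attributes.
                              type: string
                              format: string
                            notValues:
                              description: >-
                                Optional. A list of negative match of values for
                                the attribute. Note: at least one of values or
                                notValues must be set.
                              type: array
                              items:
                                type: string
                                format: string
                            values:
                              description: >-
                                Optional. A list of allowed values for the
                                attribute. Note: at least one of values or
                                notValues must be set.
                              type: array
                              items:
                                type: string
                                format: string
                selector:
                  description: >-
                    Optional. Workload selector decides where to apply the
                    authorization policy. If not set, the policy applies to all
                    workloads in the same namespace as the policy.
                  type: object
                  properties:
                    matchLabels:
                      type: object
                      additionalProperties:
                        type: string
                        format: string
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
      served: true
      storage: true
      subresources:
        status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: destinationrules.networking.istio.io
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  annotations:
    "helm.sh/resource-policy": keep
spec:
  group: networking.istio.io
  names:
    kind: DestinationRule
    listKind: DestinationRuleList
    plural: destinationrules
    singular: destinationrule
    shortNames:
      - dr
    categories:
      - istio-io
      - networking-istio-io
  scope: Namespaced
  versions:
    - name: v1alpha3
      # Extra columns shown by "kubectl get dr".
      additionalPrinterColumns:
        - name: Host
          type: string
          description: The name of a service from the service registry
          jsonPath: .spec.host
        - name: Age
          type: date
          description: >-
            CreationTimestamp is a timestamp representing the server time when
            this object was created. It is not guaranteed to be set in
            happens-before order across separate operations. Clients may not
            set this value. It is represented in RFC3339 form and is in UTC.
            Populated by the system. Read-only. Null for lists. More info:
            https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
          jsonPath: .metadata.creationTimestamp
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              description: >-
                Configuration affecting load balancing, outlier detection, etc.
                See more details at:
                https://istio.io/docs/reference/config/networking/destination-rule.html
              properties:
                exportTo:
                  description: A list of namespaces to which this destination rule is exported.
                  type: array
                  items:
                    type: string
                    format: string
                host:
                  description: The name of a service from the service registry.
                  type: string
                  format: string
                subsets:
                  type: array
                  items:
                    type: object
                    properties:
                      labels:
                        type: object
                        additionalProperties:
                          type: string
                          format: string
                      name:
                        description: Name of the subset.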
format: string type: string trafficPolicy: description: Traffic policies that apply to this subset. properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. 
oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. 
format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. 
format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object port: properties: number: type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. 
format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: array tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: object type: array trafficPolicy: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. 
type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. 
format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. 
format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object port: properties: number: type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. 
format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: array tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} - additionalPrinterColumns: - description: The name of a service from the service registry jsonPath: .spec.host name: Host type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting load balancing, outlier detection, etc. 
See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' properties: exportTo: description: A list of namespaces to which this destination rule is exported. items: format: string type: string type: array host: description: The name of a service from the service registry. format: string type: string subsets: items: properties: labels: additionalProperties: format: string type: string type: object name: description: Name of the subset. format: string type: string trafficPolicy: description: Traffic policies that apply to this subset. properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. 
oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. 
format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. 
format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object port: properties: number: type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. 
format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: array tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: object type: array trafficPolicy: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. 
type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. 
format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. 
format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object port: properties: number: type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. 
format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: array tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: envoyfilters.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: EnvoyFilter listKind: EnvoyFilterList plural: envoyfilters singular: envoyfilter scope: Namespaced versions: - name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' properties: configPatches: description: One or more patches with match conditions. 
items: properties: applyTo: enum: - INVALID - LISTENER - FILTER_CHAIN - NETWORK_FILTER - HTTP_FILTER - ROUTE_CONFIGURATION - VIRTUAL_HOST - HTTP_ROUTE - CLUSTER type: string match: description: Match on listener/route configuration/cluster. oneOf: - not: anyOf: - required: - listener - required: - routeConfiguration - required: - cluster - required: - listener - required: - routeConfiguration - required: - cluster properties: cluster: description: Match on envoy cluster attributes. properties: name: description: The exact name of the cluster to match. format: string type: string portNumber: description: The service port for which this cluster was generated. type: integer service: description: The fully qualified service name for this cluster. format: string type: string subset: description: The subset associated with the service. format: string type: string type: object context: description: The specific config generation context to match on. enum: - ANY - SIDECAR_INBOUND - SIDECAR_OUTBOUND - GATEWAY type: string listener: description: Match on envoy listener attributes. properties: filterChain: description: Match a specific filter chain in a listener. properties: applicationProtocols: description: Applies only to sidecars. format: string type: string filter: description: The name of a specific filter to apply the patch to. properties: name: description: The filter name to match on. format: string type: string subFilter: properties: name: description: The filter name to match on. format: string type: string type: object type: object name: description: The name assigned to the filter chain. format: string type: string sni: description: The SNI value used by a filter chain's match condition. format: string type: string transportProtocol: description: Applies only to SIDECAR_INBOUND context. format: string type: string type: object name: description: Match a specific listener by its name. 
format: string type: string portName: format: string type: string portNumber: type: integer type: object proxy: description: Match on properties associated with a proxy. properties: metadata: additionalProperties: format: string type: string type: object proxyVersion: format: string type: string type: object routeConfiguration: description: Match on envoy HTTP route configuration attributes. properties: gateway: format: string type: string name: description: Route configuration name to match on. format: string type: string portName: description: Applicable only for GATEWAY context. format: string type: string portNumber: type: integer vhost: properties: name: format: string type: string route: description: Match a specific route within the virtual host. properties: action: description: Match a route with specific action type. enum: - ANY - ROUTE - REDIRECT - DIRECT_RESPONSE type: string name: format: string type: string type: object type: object type: object type: object patch: description: The patch to apply along with the operation. properties: operation: description: Determines how the patch should be applied. enum: - INVALID - MERGE - ADD - REMOVE - INSERT_BEFORE - INSERT_AFTER - INSERT_FIRST type: string value: description: The JSON config of the object being patched. 
type: object x-kubernetes-preserve-unknown-fields: true type: object type: object type: array workloadSelector: properties: labels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: gateways.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: Gateway listKind: GatewayList plural: gateways shortNames: - gw singular: gateway scope: Namespaced versions: - name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' properties: selector: additionalProperties: format: string type: string type: object servers: description: A list of server specifications. items: properties: bind: format: string type: string defaultEndpoint: format: string type: string hosts: description: One or more hosts exposed by this gateway. items: format: string type: string type: array name: description: An optional name of the server, when set must be unique across all servers. format: string type: string port: properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object tls: description: Set of TLS related options that govern the server's behavior. properties: caCertificates: description: REQUIRED if mode is `MUTUAL`. 
format: string type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: format: string type: string type: array credentialName: format: string type: string httpsRedirect: type: boolean maxProtocolVersion: description: 'Optional: Maximum TLS protocol version.' enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string minProtocolVersion: description: 'Optional: Minimum TLS protocol version.' enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string mode: enum: - PASSTHROUGH - SIMPLE - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. format: string type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. format: string type: string subjectAltNames: items: format: string type: string type: array verifyCertificateHash: items: format: string type: string type: array verifyCertificateSpki: items: format: string type: string type: array type: object type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} - name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' properties: selector: additionalProperties: format: string type: string type: object servers: description: A list of server specifications. items: properties: bind: format: string type: string defaultEndpoint: format: string type: string hosts: description: One or more hosts exposed by this gateway. items: format: string type: string type: array name: description: An optional name of the server, when set must be unique across all servers. format: string type: string port: properties: name: description: Label assigned to the port. 
format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object tls: description: Set of TLS related options that govern the server's behavior. properties: caCertificates: description: REQUIRED if mode is `MUTUAL`. format: string type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: format: string type: string type: array credentialName: format: string type: string httpsRedirect: type: boolean maxProtocolVersion: description: 'Optional: Maximum TLS protocol version.' enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string minProtocolVersion: description: 'Optional: Minimum TLS protocol version.' enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string mode: enum: - PASSTHROUGH - SIMPLE - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. format: string type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
format: string type: string subjectAltNames: items: format: string type: string type: array verifyCertificateHash: items: format: string type: string type: array verifyCertificateSpki: items: format: string type: string type: array type: object type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: mixer chart: istio heritage: Tiller istio: mixer-handler package: handler release: istio name: handlers.config.istio.io spec: group: config.istio.io names: categories: - istio-io - policy-istio-io kind: handler listKind: handlerList plural: handlers singular: handler scope: Namespaced versions: - name: v1alpha2 schema: openAPIV3Schema: properties: spec: description: Handler allows the operator to configure a specific adapter implementation. properties: adapter: description: The name of a specific adapter implementation. format: string type: string compiledAdapter: description: The name of the compiled in adapter this handler instantiates. format: string type: string connection: description: Information on how to connect to the out-of-process adapter. properties: address: description: The address of the backend. format: string type: string authentication: description: Auth config for the connection to the backend. 
oneOf: - not: anyOf: - properties: tls: allOf: - oneOf: - not: anyOf: - required: - tokenPath - required: - oauth - required: - tokenPath - required: - oauth - oneOf: - not: anyOf: - required: - authHeader - required: - customHeader - required: - authHeader - required: - customHeader required: - tls - required: - mutual - properties: tls: allOf: - oneOf: - not: anyOf: - required: - tokenPath - required: - oauth - required: - tokenPath - required: - oauth - oneOf: - not: anyOf: - required: - authHeader - required: - customHeader - required: - authHeader - required: - customHeader required: - tls - required: - mutual properties: mutual: properties: caCertificates: format: string type: string clientCertificate: description: The path to the file holding client certificate for mutual TLS. format: string type: string privateKey: description: The path to the file holding the private key for mutual TLS. format: string type: string serverName: description: Used to configure mixer mutual TLS client to supply server name for SNI. format: string type: string type: object tls: properties: authHeader: description: Access token is passed as authorization header. enum: - PLAIN - BEARER type: string caCertificates: format: string type: string customHeader: description: Customized header key to hold access token, e.g. format: string type: string oauth: description: Oauth config to fetch access token from auth provider. properties: clientId: description: OAuth client id for mixer. format: string type: string clientSecret: description: The path to the file holding the client secret for oauth. format: string type: string endpointParams: additionalProperties: format: string type: string description: Additional parameters for requests to the token endpoint. type: object scopes: description: List of requested permissions. items: format: string type: string type: array tokenUrl: description: The Resource server's token endpoint URL. 
format: string type: string type: object serverName: format: string type: string tokenPath: format: string type: string type: object type: object timeout: description: Timeout for remote calls to the backend. type: string type: object name: description: Must be unique in the entire Mixer configuration. format: string type: string params: description: Depends on adapter implementation. type: object x-kubernetes-preserve-unknown-fields: true type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-mixer chart: istio heritage: Tiller release: istio name: httpapispecbindings.config.istio.io spec: group: config.istio.io names: categories: - istio-io - apim-istio-io kind: HTTPAPISpecBinding listKind: HTTPAPISpecBindingList plural: httpapispecbindings singular: httpapispecbinding scope: Namespaced versions: - name: v1alpha2 schema: openAPIV3Schema: properties: spec: properties: api_specs: items: properties: name: description: The short name of the HTTPAPISpec. format: string type: string namespace: description: Optional namespace of the HTTPAPISpec. format: string type: string type: object type: array apiSpecs: items: properties: name: description: The short name of the HTTPAPISpec. format: string type: string namespace: description: Optional namespace of the HTTPAPISpec. format: string type: string type: object type: array services: description: One or more services to map the listed HTTPAPISpec onto. items: properties: domain: description: Domain suffix used to construct the service FQDN in implementations that support such specification. format: string type: string labels: additionalProperties: format: string type: string description: Optional one or more labels that uniquely identify the service version. 
type: object name: description: The short name of the service such as "foo". format: string type: string namespace: description: Optional namespace of the service. format: string type: string service: description: The service FQDN. format: string type: string type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-mixer chart: istio heritage: Tiller release: istio name: httpapispecs.config.istio.io spec: group: config.istio.io names: categories: - istio-io - apim-istio-io kind: HTTPAPISpec listKind: HTTPAPISpecList plural: httpapispecs singular: httpapispec scope: Namespaced versions: - name: v1alpha2 schema: openAPIV3Schema: properties: spec: properties: api_keys: items: oneOf: - not: anyOf: - required: - query - required: - header - required: - cookie - required: - query - required: - header - required: - cookie properties: cookie: format: string type: string header: description: API key is sent in a request header. format: string type: string query: description: API Key is sent as a query parameter. format: string type: string type: object type: array apiKeys: items: oneOf: - not: anyOf: - required: - query - required: - header - required: - cookie - required: - query - required: - header - required: - cookie properties: cookie: format: string type: string header: description: API key is sent in a request header. format: string type: string query: description: API Key is sent as a query parameter. 
format: string type: string type: object type: array attributes: properties: attributes: additionalProperties: oneOf: - not: anyOf: - required: - stringValue - required: - int64Value - required: - doubleValue - required: - boolValue - required: - bytesValue - required: - timestampValue - required: - durationValue - required: - stringMapValue - required: - stringValue - required: - int64Value - required: - doubleValue - required: - boolValue - required: - bytesValue - required: - timestampValue - required: - durationValue - required: - stringMapValue properties: boolValue: type: boolean bytesValue: format: binary type: string doubleValue: format: double type: number durationValue: type: string int64Value: format: int64 type: integer stringMapValue: properties: entries: additionalProperties: format: string type: string description: Holds a set of name/value pairs. type: object type: object stringValue: format: string type: string timestampValue: format: dateTime type: string type: object description: A map of attribute name to its value. type: object type: object patterns: description: List of HTTP patterns to match. 
items: oneOf: - not: anyOf: - required: - uriTemplate - required: - regex - required: - uriTemplate - required: - regex properties: attributes: properties: attributes: additionalProperties: oneOf: - not: anyOf: - required: - stringValue - required: - int64Value - required: - doubleValue - required: - boolValue - required: - bytesValue - required: - timestampValue - required: - durationValue - required: - stringMapValue - required: - stringValue - required: - int64Value - required: - doubleValue - required: - boolValue - required: - bytesValue - required: - timestampValue - required: - durationValue - required: - stringMapValue properties: boolValue: type: boolean bytesValue: format: binary type: string doubleValue: format: double type: number durationValue: type: string int64Value: format: int64 type: integer stringMapValue: properties: entries: additionalProperties: format: string type: string description: Holds a set of name/value pairs. type: object type: object stringValue: format: string type: string timestampValue: format: dateTime type: string type: object description: A map of attribute name to its value. 
type: object type: object httpMethod: format: string type: string regex: format: string type: string uriTemplate: format: string type: string type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: mixer chart: istio heritage: Tiller istio: mixer-instance package: instance release: istio name: instances.config.istio.io spec: group: config.istio.io names: categories: - istio-io - policy-istio-io kind: instance listKind: instanceList plural: instances singular: instance scope: Namespaced versions: - name: v1alpha2 schema: openAPIV3Schema: properties: spec: description: An Instance tells Mixer how to create instances for particular template. properties: attributeBindings: additionalProperties: format: string type: string type: object compiledTemplate: description: The name of the compiled in template this instance creates instances for. format: string type: string name: format: string type: string params: description: Depends on referenced template. type: object x-kubernetes-preserve-unknown-fields: true template: description: The name of the template this instance creates instances for. 
format: string type: string type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: istiooperators.install.istio.io labels: release: istio spec: group: install.istio.io names: kind: IstioOperator plural: istiooperators singular: istiooperator shortNames: - iop scope: Namespaced versions: - additionalPrinterColumns: - description: Istio control plane revision jsonPath: .spec.revision name: Revision type: string - description: IOP current state jsonPath: .status.status type: string name: Status - jsonPath: .metadata.creationTimestamp description: "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" name: Age type: date name: v1alpha1 schema: openAPIV3Schema: properties: apiVersion: description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources" type: string kind: description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: string spec: description: "Specification of the desired state of the istio control plane resource. 
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" x-kubernetes-preserve-unknown-fields: true type: object status: description: "Status describes each of istio control plane component status at the current time. 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" x-kubernetes-preserve-unknown-fields: true type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller istio: security release: istio name: peerauthentications.security.istio.io spec: group: security.istio.io names: categories: - istio-io - security-istio-io kind: PeerAuthentication listKind: PeerAuthenticationList plural: peerauthentications shortNames: - pa singular: peerauthentication scope: Namespaced versions: - name: v1beta1 schema: openAPIV3Schema: properties: spec: description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. properties: mtls: description: Mutual TLS settings for workload. properties: mode: description: Defines the mTLS mode used for peer authentication. enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object portLevelMtls: additionalProperties: properties: mode: description: Defines the mTLS mode used for peer authentication. enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object description: Port specific mutual TLS settings. type: object selector: description: The selector determines the workloads to apply the ChannelAuthentication on. 
properties: matchLabels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-mixer chart: istio heritage: Tiller release: istio name: quotaspecbindings.config.istio.io spec: group: config.istio.io names: categories: - istio-io - apim-istio-io kind: QuotaSpecBinding listKind: QuotaSpecBindingList plural: quotaspecbindings singular: quotaspecbinding scope: Namespaced versions: - name: v1alpha2 schema: openAPIV3Schema: properties: spec: properties: quotaSpecs: items: properties: name: description: The short name of the QuotaSpec. format: string type: string namespace: description: Optional namespace of the QuotaSpec. format: string type: string type: object type: array services: description: One or more services to map the listed QuotaSpec onto. items: properties: domain: description: Domain suffix used to construct the service FQDN in implementations that support such specification. format: string type: string labels: additionalProperties: format: string type: string description: Optional one or more labels that uniquely identify the service version. type: object name: description: The short name of the service such as "foo". format: string type: string namespace: description: Optional namespace of the service. format: string type: string service: description: The service FQDN. 
format: string type: string type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-mixer chart: istio heritage: Tiller release: istio name: quotaspecs.config.istio.io spec: group: config.istio.io names: categories: - istio-io - apim-istio-io kind: QuotaSpec listKind: QuotaSpecList plural: quotaspecs singular: quotaspec scope: Namespaced versions: - name: v1alpha2 schema: openAPIV3Schema: properties: spec: description: Determines the quotas used for individual requests. properties: rules: description: A list of Quota rules. items: properties: match: description: If empty, match all request. items: properties: clause: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object description: Map of attribute names to StringMatch type. type: object type: object type: array quotas: description: The list of quotas to charge. 
items: properties: charge: format: int32 type: integer quota: format: string type: string type: object type: array type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller istio: security release: istio name: requestauthentications.security.istio.io spec: group: security.istio.io names: categories: - istio-io - security-istio-io kind: RequestAuthentication listKind: RequestAuthenticationList plural: requestauthentications shortNames: - ra singular: requestauthentication scope: Namespaced versions: - name: v1beta1 schema: openAPIV3Schema: properties: spec: description: RequestAuthentication defines what request authentication methods are supported by a workload. properties: jwtRules: description: Define the list of JWTs that can be validated at the selected workloads' proxy. items: properties: audiences: items: format: string type: string type: array forwardOriginalToken: description: If set to true, the orginal token will be kept for the ustream request. type: boolean fromHeaders: description: List of header locations from which JWT is expected. items: properties: name: description: The HTTP header name. format: string type: string prefix: description: The prefix that should be stripped before decoding the token. format: string type: string type: object type: array fromParams: description: List of query parameters from which JWT is expected. items: format: string type: string type: array issuer: description: Identifies the issuer that issued the JWT. format: string type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT. 
format: string type: string jwks_uri: format: string type: string jwksUri: format: string type: string outputPayloadToHeader: format: string type: string type: object type: array selector: description: The selector determines the workloads to apply the RequestAuthentication on. properties: matchLabels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: mixer chart: istio heritage: Tiller istio: core package: istio.io.mixer release: istio name: rules.config.istio.io spec: group: config.istio.io names: categories: - istio-io - policy-istio-io kind: rule listKind: ruleList plural: rules singular: rule scope: Namespaced versions: - name: v1alpha2 schema: openAPIV3Schema: properties: spec: description: 'Describes the rules used to configure Mixer''s policy and telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' properties: actions: description: The actions that will be executed when match evaluates to `true`. items: properties: handler: description: Fully qualified name of the handler to invoke. format: string type: string instances: items: format: string type: string type: array name: description: A handle to refer to the results of the action. format: string type: string type: object type: array match: description: Match is an attribute based predicate. format: string type: string requestHeaderOperations: items: properties: name: description: Header name literal value. format: string type: string operation: description: Header operation type. enum: - REPLACE - REMOVE - APPEND type: string values: description: Header value expressions. 
items: format: string type: string type: array type: object type: array responseHeaderOperations: items: properties: name: description: Header name literal value. format: string type: string operation: description: Header operation type. enum: - REPLACE - REMOVE - APPEND type: string values: description: Header value expressions. items: format: string type: string type: array type: object type: array sampling: properties: random: description: Provides filtering of actions based on random selection per request. properties: attributeExpression: description: Specifies an attribute expression to use to override the numerator in the `percent_sampled` field. format: string type: string percentSampled: description: The default sampling rate, expressed as a percentage. properties: denominator: description: Specifies the denominator. enum: - HUNDRED - TEN_THOUSAND type: string numerator: description: Specifies the numerator. type: integer type: object useIndependentRandomness: description: By default sampling will be based on the value of the request header `x-request-id`. type: boolean type: object rateLimit: properties: maxUnsampledEntries: description: Number of entries to allow during the `sampling_duration` before sampling is enforced. format: int64 type: integer samplingDuration: description: Window in which to enforce the sampling rate. type: string samplingRate: description: The rate at which to sample entries once the unsampled limit has been reached. 
format: int64 type: integer type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: serviceentries.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: ServiceEntry listKind: ServiceEntryList plural: serviceentries shortNames: - se singular: serviceentry scope: Namespaced versions: - additionalPrinterColumns: - description: The hosts associated with the ServiceEntry jsonPath: .spec.hosts name: Hosts type: string - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) jsonPath: .spec.location name: Location type: string - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) jsonPath: .spec.resolution name: Resolution type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' properties: addresses: description: The virtual IP addresses associated with the service. items: format: string type: string type: array endpoints: description: One or more endpoints associated with the service. 
items: properties: address: format: string type: string labels: additionalProperties: format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. format: string type: string network: format: string type: string ports: additionalProperties: type: integer description: Set of ports associated with the endpoint. type: object serviceAccount: format: string type: string weight: description: The load balancing weight associated with the endpoint. type: integer type: object type: array exportTo: description: A list of namespaces to which this service is exported. items: format: string type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: format: string type: string type: array location: enum: - MESH_EXTERNAL - MESH_INTERNAL type: string ports: description: The ports associated with the external service. items: properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object type: array resolution: description: Service discovery mode for the hosts. enum: - NONE - STATIC - DNS type: string subjectAltNames: items: format: string type: string type: array workloadSelector: description: Applicable only for MESH_INTERNAL services. 
properties: labels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} - additionalPrinterColumns: - description: The hosts associated with the ServiceEntry jsonPath: .spec.hosts name: Hosts type: string - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) jsonPath: .spec.location name: Location type: string - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) jsonPath: .spec.resolution name: Resolution type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' properties: addresses: description: The virtual IP addresses associated with the service. items: format: string type: string type: array endpoints: description: One or more endpoints associated with the service. items: properties: address: format: string type: string labels: additionalProperties: format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. format: string type: string network: format: string type: string ports: additionalProperties: type: integer description: Set of ports associated with the endpoint. 
type: object serviceAccount: format: string type: string weight: description: The load balancing weight associated with the endpoint. type: integer type: object type: array exportTo: description: A list of namespaces to which this service is exported. items: format: string type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: format: string type: string type: array location: enum: - MESH_EXTERNAL - MESH_INTERNAL type: string ports: description: The ports associated with the external service. items: properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object type: array resolution: description: Service discovery mode for the hosts. enum: - NONE - STATIC - DNS type: string subjectAltNames: items: format: string type: string type: array workloadSelector: description: Applicable only for MESH_INTERNAL services. properties: labels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: sidecars.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: Sidecar listKind: SidecarList plural: sidecars singular: sidecar scope: Namespaced versions: - name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting network reachability of a sidecar. 
See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: egress: items: properties: bind: format: string type: string captureMode: enum: - DEFAULT - IPTABLES - NONE type: string hosts: items: format: string type: string type: array port: description: The port associated with the listener. properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object type: object type: array ingress: items: properties: bind: description: The IP to which the listener should be bound. format: string type: string captureMode: enum: - DEFAULT - IPTABLES - NONE type: string defaultEndpoint: format: string type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object type: object type: array outboundTrafficPolicy: description: Configuration for the outbound traffic policy. properties: egressProxy: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. 
format: string type: string type: object mode: enum: - REGISTRY_ONLY - ALLOW_ANY type: string type: object workloadSelector: properties: labels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} - name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: egress: items: properties: bind: format: string type: string captureMode: enum: - DEFAULT - IPTABLES - NONE type: string hosts: items: format: string type: string type: array port: description: The port associated with the listener. properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object type: object type: array ingress: items: properties: bind: description: The IP to which the listener should be bound. format: string type: string captureMode: enum: - DEFAULT - IPTABLES - NONE type: string defaultEndpoint: format: string type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object type: object type: array outboundTrafficPolicy: description: Configuration for the outbound traffic policy. properties: egressProxy: properties: host: description: The name of a service from the service registry. 
format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object mode: enum: - REGISTRY_ONLY - ALLOW_ANY type: string type: object workloadSelector: properties: labels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1 metadata: name: templates.config.istio.io labels: app: mixer package: template istio: mixer-template chart: istio heritage: Tiller release: istio annotations: "helm.sh/resource-policy": keep spec: group: config.istio.io names: kind: template plural: templates singular: template categories: - istio-io - policy-istio-io scope: Namespaced versions: - name: v1alpha2 schema: openAPIV3Schema: properties: spec: x-kubernetes-preserve-unknown-fields: true type: object status: x-kubernetes-preserve-unknown-fields: true type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: virtualservices.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: VirtualService listKind: VirtualServiceList plural: virtualservices shortNames: - vs singular: virtualservice scope: Namespaced versions: - additionalPrinterColumns: - description: The names of gateways and sidecars that should apply these routes jsonPath: .spec.gateways name: Gateways type: string - description: The destination hosts to which traffic is being sent jsonPath: .spec.hosts name: Hosts type: string - description: 
'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' properties: exportTo: description: A list of namespaces to which this virtual service is exported. items: format: string type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: format: string type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: format: string type: string type: array http: description: An ordered list of route rules for HTTP traffic. items: properties: corsPolicy: description: Cross-Origin Resource Sharing policy (CORS). properties: allowCredentials: nullable: true type: boolean allowHeaders: items: format: string type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: format: string type: string type: array allowOrigin: description: The list of origins that are allowed to perform CORS requests. items: format: string type: string type: array allowOrigins: description: String patterns that match allowed origins. 
items: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object type: array exposeHeaders: items: format: string type: string type: array maxAge: type: string type: object delegate: properties: name: description: Name specifies the name of the delegate VirtualService. format: string type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. format: string type: string type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. properties: abort: oneOf: - not: anyOf: - required: - httpStatus - required: - grpcStatus - required: - http2Error - required: - httpStatus - required: - grpcStatus - required: - http2Error properties: grpcStatus: format: string type: string http2Error: format: string type: string httpStatus: description: HTTP status code to use to abort the Http request. format: int32 type: integer percentage: description: Percentage of requests to be aborted with the error code provided. properties: value: format: double type: number type: object type: object delay: oneOf: - not: anyOf: - required: - fixedDelay - required: - exponentialDelay - required: - fixedDelay - required: - exponentialDelay properties: exponentialDelay: type: string fixedDelay: description: Add a fixed delay before forwarding the request. type: string percent: description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer percentage: description: Percentage of requests on which the delay will be injected. 
properties: value: format: double type: number type: object type: object type: object headers: properties: request: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object response: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object type: object match: items: properties: authority: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object gateways: description: Names of gateways where the rule should be applied. items: format: string type: string type: array headers: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object type: object ignoreUriCase: description: Flag to specify whether the URI matching should be case-insensitive. type: boolean method: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
format: string type: string type: object name: description: The name assigned to a match. format: string type: string port: description: Specifies the ports on the host that is being addressed. type: integer queryParams: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object description: Query parameters for matching. type: object scheme: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object sourceLabels: additionalProperties: format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string uri: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object withoutHeaders: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
format: string type: string type: object description: withoutHeader has the same syntax with the header, but has opposite meaning. type: object type: object type: array mirror: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object mirror_percent: description: Percentage of the traffic to be mirrored by the `mirror` field. nullable: true type: integer mirrorPercent: description: Percentage of the traffic to be mirrored by the `mirror` field. nullable: true type: integer mirrorPercentage: description: Percentage of the traffic to be mirrored by the `mirror` field. properties: value: format: double type: number type: object name: description: The name assigned to the route for debugging purposes. format: string type: string redirect: description: A HTTP rule can either redirect or forward (default) traffic. properties: authority: format: string type: string redirectCode: type: integer uri: format: string type: string type: object retries: description: Retry policy for HTTP requests. properties: attempts: description: Number of retries for a given request. format: int32 type: integer perTryTimeout: description: Timeout per retry attempt for a given request. type: string retryOn: description: Specifies the conditions under which retry takes place. format: string type: string retryRemoteLocalities: description: Flag to specify whether the retries should retry to other localities. nullable: true type: boolean type: object rewrite: description: Rewrite HTTP URIs and Authority headers. properties: authority: description: rewrite the Authority/Host header with this value. 
format: string type: string uri: format: string type: string type: object route: description: A HTTP rule can either redirect or forward (default) traffic. items: properties: destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object headers: properties: request: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object response: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object type: object weight: format: int32 type: integer type: object type: array timeout: description: Timeout for HTTP requests, default is disabled. type: string type: object type: array tcp: description: An ordered list of route rules for opaque TCP traffic. items: properties: match: items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: format: string type: string type: array port: description: Specifies the port on the host that is being addressed. type: integer sourceLabels: additionalProperties: format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. 
format: string type: string type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object weight: format: int32 type: integer type: object type: array type: object type: array tls: items: properties: match: items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: format: string type: string type: array port: description: Specifies the port on the host that is being addressed. type: integer sniHosts: description: SNI (server name indicator) to match on. items: format: string type: string type: array sourceLabels: additionalProperties: format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. 
format: string type: string type: object weight: format: int32 type: integer type: object type: array type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} - additionalPrinterColumns: - description: The names of gateways and sidecars that should apply these routes jsonPath: .spec.gateways name: Gateways type: string - description: The destination hosts to which traffic is being sent jsonPath: .spec.hosts name: Hosts type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' properties: exportTo: description: A list of namespaces to which this virtual service is exported. items: format: string type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: format: string type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: format: string type: string type: array http: description: An ordered list of route rules for HTTP traffic. items: properties: corsPolicy: description: Cross-Origin Resource Sharing policy (CORS). 
properties: allowCredentials: nullable: true type: boolean allowHeaders: items: format: string type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: format: string type: string type: array allowOrigin: description: The list of origins that are allowed to perform CORS requests. items: format: string type: string type: array allowOrigins: description: String patterns that match allowed origins. items: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object type: array exposeHeaders: items: format: string type: string type: array maxAge: type: string type: object delegate: properties: name: description: Name specifies the name of the delegate VirtualService. format: string type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. format: string type: string type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. properties: abort: oneOf: - not: anyOf: - required: - httpStatus - required: - grpcStatus - required: - http2Error - required: - httpStatus - required: - grpcStatus - required: - http2Error properties: grpcStatus: format: string type: string http2Error: format: string type: string httpStatus: description: HTTP status code to use to abort the Http request. format: int32 type: integer percentage: description: Percentage of requests to be aborted with the error code provided. 
properties: value: format: double type: number type: object type: object delay: oneOf: - not: anyOf: - required: - fixedDelay - required: - exponentialDelay - required: - fixedDelay - required: - exponentialDelay properties: exponentialDelay: type: string fixedDelay: description: Add a fixed delay before forwarding the request. type: string percent: description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer percentage: description: Percentage of requests on which the delay will be injected. properties: value: format: double type: number type: object type: object type: object headers: properties: request: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object response: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object type: object match: items: properties: authority: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object gateways: description: Names of gateways where the rule should be applied. items: format: string type: string type: array headers: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
format: string type: string type: object type: object ignoreUriCase: description: Flag to specify whether the URI matching should be case-insensitive. type: boolean method: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object name: description: The name assigned to a match. format: string type: string port: description: Specifies the ports on the host that is being addressed. type: integer queryParams: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object description: Query parameters for matching. type: object scheme: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object sourceLabels: additionalProperties: format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. 
format: string type: string uri: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object withoutHeaders: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object description: withoutHeader has the same syntax with the header, but has opposite meaning. type: object type: object type: array mirror: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object mirror_percent: description: Percentage of the traffic to be mirrored by the `mirror` field. nullable: true type: integer mirrorPercent: description: Percentage of the traffic to be mirrored by the `mirror` field. nullable: true type: integer mirrorPercentage: description: Percentage of the traffic to be mirrored by the `mirror` field. properties: value: format: double type: number type: object name: description: The name assigned to the route for debugging purposes. format: string type: string redirect: description: A HTTP rule can either redirect or forward (default) traffic. 
properties: authority: format: string type: string redirectCode: type: integer uri: format: string type: string type: object retries: description: Retry policy for HTTP requests. properties: attempts: description: Number of retries for a given request. format: int32 type: integer perTryTimeout: description: Timeout per retry attempt for a given request. type: string retryOn: description: Specifies the conditions under which retry takes place. format: string type: string retryRemoteLocalities: description: Flag to specify whether the retries should retry to other localities. nullable: true type: boolean type: object rewrite: description: Rewrite HTTP URIs and Authority headers. properties: authority: description: rewrite the Authority/Host header with this value. format: string type: string uri: format: string type: string type: object route: description: A HTTP rule can either redirect or forward (default) traffic. items: properties: destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object headers: properties: request: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object response: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object type: object weight: format: int32 type: integer type: object type: array timeout: description: Timeout for HTTP requests, default is disabled. 
type: string type: object type: array tcp: description: An ordered list of route rules for opaque TCP traffic. items: properties: match: items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: format: string type: string type: array port: description: Specifies the port on the host that is being addressed. type: integer sourceLabels: additionalProperties: format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object weight: format: int32 type: integer type: object type: array type: object type: array tls: items: properties: match: items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: format: string type: string type: array port: description: Specifies the port on the host that is being addressed. type: integer sniHosts: description: SNI (server name indicator) to match on. 
# NOTE(review): the first stanza below is the tail of the virtualservices CRD
# (its v1beta1 version); the start of that document lies outside this span.
                              items:
                                format: string
                                type: string
                              type: array
                            sourceLabels:
                              additionalProperties:
                                format: string
                                type: string
                              type: object
                            sourceNamespace:
                              description: Source namespace constraining the applicability of a rule to workloads in that namespace.
                              format: string
                              type: string
                          type: object
                        type: array
                      route:
                        description: The destination to which the connection should be forwarded to.
                        items:
                          properties:
                            destination:
                              properties:
                                host:
                                  description: The name of a service from the service registry.
                                  format: string
                                  type: string
                                port:
                                  description: Specifies the port on the host that is being addressed.
                                  properties:
                                    number:
                                      type: integer
                                  type: object
                                subset:
                                  description: The name of a subset within the service.
                                  format: string
                                  type: string
                              type: object
                            weight:
                              format: int32
                              type: integer
                          type: object
                        type: array
                    type: object
                  type: array
              type: object
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
          type: object
      served: true
      # v1beta1 is served but not the storage version for virtualservices.
      storage: false
      subresources:
        status: {}
---
# WorkloadEntry CRD: two served versions (v1alpha3 is storage, v1beta1 is not)
# carrying the same schema. `status` is stored with unknown fields preserved.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: workloadentries.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
      - istio-io
      - networking-istio-io
    kind: WorkloadEntry
    listKind: WorkloadEntryList
    plural: workloadentries
    shortNames:
      - we
    singular: workloadentry
  scope: Namespaced
  versions:
    - additionalPrinterColumns:
        - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
          jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
        - description: Address associated with the network endpoint.
          jsonPath: .spec.address
          name: Address
          type: string
      name: v1alpha3
      schema:
        openAPIV3Schema:
          properties:
            spec:
              description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
              properties:
                address:
                  format: string
                  type: string
                labels:
                  additionalProperties:
                    format: string
                    type: string
                  description: One or more labels associated with the endpoint.
                  type: object
                locality:
                  description: The locality associated with the endpoint.
                  format: string
                  type: string
                network:
                  format: string
                  type: string
                ports:
                  additionalProperties:
                    type: integer
                  description: Set of ports associated with the endpoint.
                  type: object
                # NOTE(review): the schema does not constrain `serviceAccount`;
                # the identity a WorkloadEntry claims is only checked by whatever
                # validation istiod applies — confirm that is enforced server-side.
                serviceAccount:
                  format: string
                  type: string
                weight:
                  description: The load balancing weight associated with the endpoint.
                  type: integer
              type: object
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
          type: object
      served: true
      storage: true
      subresources:
        status: {}
    - additionalPrinterColumns:
        - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
          jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
        - description: Address associated with the network endpoint.
          jsonPath: .spec.address
          name: Address
          type: string
      name: v1beta1
      schema:
        openAPIV3Schema:
          properties:
            spec:
              description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
              properties:
                address:
                  format: string
                  type: string
                labels:
                  additionalProperties:
                    format: string
                    type: string
                  description: One or more labels associated with the endpoint.
                  type: object
                locality:
                  description: The locality associated with the endpoint.
                  format: string
                  type: string
                network:
                  format: string
                  type: string
                ports:
                  additionalProperties:
                    type: integer
                  description: Set of ports associated with the endpoint.
                  type: object
                serviceAccount:
                  format: string
                  type: string
                weight:
                  description: The load balancing weight associated with the endpoint.
                  type: integer
              type: object
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
          type: object
      served: true
      storage: false
      subresources:
        status: {}
---
# Identity used by read-only consumers of mesh config (bound to the
# istio-reader-istio-system ClusterRole below).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-reader-service-account
  namespace: istio-system
  labels:
    app: istio-reader
    release: istio
---
# Identity of the control plane (istiod); bound to both a ClusterRole and a
# namespaced Role below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istiod-service-account
  namespace: istio-system
  labels:
    app: istiod
    release: istio
---
# Read-only, cluster-wide view of Istio config plus the core/apps objects
# needed for service discovery. No verbs beyond get/list/watch, no Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-reader-istio-system
  labels:
    app: istio-reader
    release: istio
rules:
  - apiGroups:
      - config.istio.io
      - security.istio.io
      - networking.istio.io
      - authentication.istio.io
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - endpoints
      - pods
      - services
      - nodes
      - replicationcontrollers
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - get
      - list
      - watch
---
# Cluster-wide permissions for istiod. Each rule is annotated with the
# control-plane function that needs it; the highest-impact grants are the
# CSR approval rule and the cluster-wide Secret read at the end.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istiod-istio-system
  labels:
    app: istiod
    release: istio
rules:
  # Sidecar injection controller: patches its own MutatingWebhookConfiguration
  # (e.g. to install the CA bundle).
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
    verbs:
      - get
      - list
      - watch
      - patch
  # Configuration validation webhook controller: updates the
  # ValidatingWebhookConfiguration defined later in this file.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - list
      - watch
      - update
  # Istio configuration: read-only across all Istio API groups.
  - apiGroups:
      - config.istio.io
      - security.istio.io
      - networking.istio.io
      - authentication.istio.io
    verbs:
      - get
      - watch
      - list
    resources:
      - "*"
  # Auto-detect which CRDs are installed.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
  # Discovery and routing.
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - services
      - namespaces
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
  # Ingress controller.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  # NOTE(review): wildcard verbs on ingresses/status; writing a status
  # subresource normally needs only update/patch — confirm and narrow if so.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - "*"
  # Required for the CA's namespace controller (distributes the root cert
  # via ConfigMaps).
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - get
      - list
      - watch
      - update
  # Istiod and bootstrap: manage CertificateSigningRequests.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
      - certificatesigningrequests/approval
      - certificatesigningrequests/status
    verbs:
      - update
      - create
      - get
      - delete
      - watch
  # NOTE(review): together with the `certificatesigningrequests/approval`
  # update above this lets istiod approve CSRs for the legacy-unknown signer,
  # i.e. it is a CA-level privilege; keep the istiod ServiceAccount token
  # tightly controlled and alert on CSR approvals not issued by istiod.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - signers
    resourceNames:
      - kubernetes.io/legacy-unknown
    verbs:
      - approve
  # Used by istiod to verify service-account JWTs via TokenReview.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  # Kubernetes Service APIs (read-only).
  - apiGroups:
      - networking.x-k8s.io
    resources:
      - "*"
    verbs:
      - get
      - watch
      - list
  # Needed for multicluster secret reading, possibly ingress certs in the future.
  # NOTE(review): this is a read of every Secret in every namespace. If the
  # multicluster feature is not used, a namespaced Role (see the one for
  # istio-system below) or `resourceNames` would contain the blast radius of
  # a compromised istiod token — confirm which Secrets istiod actually reads.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - watch
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-reader-istio-system
  labels:
    app: istio-reader
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-reader-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-reader-service-account
    namespace: istio-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istiod-pilot-istio-system
  labels:
    app: pilot
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istiod-istio-system
subjects:
  - kind: ServiceAccount
    name: istiod-service-account
    namespace: istio-system
---
# Validation webhook for Istio config objects. Installed fail-open with an
# empty CA bundle; istiod's webhook controller is expected to patch in the
# bundle and flip failurePolicy to Fail once it is serving.
# NOTE(review): this uses the admissionregistration v1beta1 API; the v1 API
# already exists, and sideEffects/admissionReviewVersions are already set, so
# migrating should be straightforward — verify the minimum supported cluster
# version before changing it.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: istiod-istio-system
  labels:
    app: istiod
    release: istio
    istio: istiod
webhooks:
  - name: validation.istio.io
    clientConfig:
      service:
        name: istiod
        namespace: istio-system
        path: /validate
      # Patched at runtime when the webhook is ready.
      caBundle: ""
    rules:
      - operations:
          - CREATE
          - UPDATE
        apiGroups:
          - config.istio.io
          - security.istio.io
          - authentication.istio.io
          - networking.istio.io
        apiVersions:
          - "*"
        resources:
          - "*"
    # Fail open until the validation webhook is ready. The webhook controller
    # will update this to `Fail` and patch in the `caBundle` when the webhook
    # endpoint is ready. Until that happens, invalid Istio config is admitted
    # unvalidated; a deployment check should confirm the policy did flip.
    failurePolicy: Ignore
    sideEffects: None
    admissionReviewVersions:
      - v1beta1
      - v1
---
# Namespaced permissions for istiod inside istio-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istiod-istio-system
  namespace: istio-system
  labels:
    app: istiod
    release: istio
rules:
  - apiGroups:
      - networking.istio.io
    verbs:
      - create
    resources:
      - gateways
  # Full lifecycle on Secrets in istio-system (used for the CA/DNS certs).
  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - get
      - watch
      - list
      - update
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istiod-istio-system
  namespace: istio-system
  labels:
    app: pilot
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istiod-istio-system
subjects:
  - kind: ServiceAccount
    name: istiod-service-account
    namespace: istio-system
---