apiVersion: v1 kind: ServiceAccount metadata: name: istio-reader-service-account namespace: istio-system labels: app: istio-reader release: istio --- apiVersion: v1 kind: ServiceAccount metadata: name: istiod-service-account namespace: istio-system labels: app: istiod release: istio --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-reader-istio-system labels: app: istio-reader release: istio rules: - apiGroups: - "config.istio.io" - "security.istio.io" - "networking.istio.io" - "authentication.istio.io" resources: ["*"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces"] verbs: ["get", "list", "watch"] - apiGroups: ["apps"] resources: ["replicasets"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istiod-istio-system labels: app: istiod release: istio rules: # sidecar injection controller - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] verbs: ["get", "list", "watch", "patch"] # configuration validation webhook controller - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations"] verbs: ["get", "list", "watch", "update"] # istio configuration - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] verbs: ["get", "watch", "list"] resources: ["*"] # auto-detect installed CRD definitions - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] # discovery and routing - apiGroups: [""] resources: ["pods", "nodes", "services", "namespaces", "endpoints"] verbs: ["get", "list", "watch"] - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get", "list", "watch"] # ingress controller - apiGroups: ["networking.k8s.io"] resources: ["ingresses", "ingressclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["networking.k8s.io"] resources: ["ingresses/status"] verbs: ["*"] # required for CA's namespace controller - apiGroups: [""] resources: ["configmaps"] verbs: ["create", "get", "list", "watch", "update"] # Istiod and bootstrap. - apiGroups: ["certificates.k8s.io"] resources: - "certificatesigningrequests" - "certificatesigningrequests/approval" - "certificatesigningrequests/status" verbs: ["update", "create", "get", "delete", "watch"] - apiGroups: ["certificates.k8s.io"] resources: - "signers" resourceNames: - "kubernetes.io/legacy-unknown" verbs: ["approve"] # Used by Istiod to verify the JWT tokens - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"] verbs: ["create"] # Use for Kubernetes Service APIs - apiGroups: ["networking.x-k8s.io"] resources: ["*"] verbs: ["get", "watch", "list"] # Needed for multicluster secret reading, possibly ingress certs in the future - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-reader-istio-system labels: app: istio-reader release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-reader-istio-system subjects: - kind: ServiceAccount name: istio-reader-service-account namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istiod-pilot-istio-system labels: app: pilot release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istiod-istio-system subjects: - kind: ServiceAccount name: istiod-service-account namespace: istio-system --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: name: istiod-istio-system labels: app: istiod release: istio istio: istiod webhooks: - name: validation.istio.io clientConfig: service: name: istiod namespace: istio-system path: "/validate" caBundle: "" # patched at runtime when the webhook is ready. rules: - operations: - CREATE - UPDATE apiGroups: - config.istio.io - security.istio.io - authentication.istio.io - networking.istio.io apiVersions: - "*" resources: - "*" # Fail open until the validation webhook is ready. The webhook controller # will update this to `Fail` and patch in the `caBundle` when the webhook # endpoint is ready. failurePolicy: Ignore sideEffects: None admissionReviewVersions: ["v1beta1", "v1"] --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: metadata-exchange-1.6 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: HTTP_FILTER match: context: ANY # inbound, outbound, and gateway proxy: proxyVersion: '^1\.6.*' listener: filterChain: filter: name: "envoy.http_connection_manager" patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: | {} vm_config: runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: metadata-exchange-1.7 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.7.*' listener: filterChain: filter: name: "envoy.http_connection_manager" patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {} vm_config: runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.7.*' listener: filterChain: filter: name: "envoy.http_connection_manager" patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {} vm_config: runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange - applyTo: HTTP_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.7.*' listener: filterChain: filter: name: "envoy.http_connection_manager" patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {} vm_config: runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: stats-filter-1.6 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.6.*' listener: filterChain: filter: name: "envoy.http_connection_manager" subFilter: name: "envoy.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: | { "debug": "false", "stat_prefix": "istio" } vm_config: vm_id: stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.6.*' listener: filterChain: filter: name: "envoy.http_connection_manager" subFilter: name: "envoy.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_inbound configuration: | { "debug": "false", "stat_prefix": "istio" } vm_config: vm_id: stats_inbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats - applyTo: HTTP_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.6.*' listener: filterChain: filter: name: "envoy.http_connection_manager" subFilter: name: "envoy.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: | { "debug": "false", "stat_prefix": "istio", "disable_host_header_fallback": true } vm_config: vm_id: stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: stats-filter-1.7 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.7.*' listener: filterChain: filter: name: "envoy.http_connection_manager" subFilter: name: "envoy.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio" } vm_config: vm_id: stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.7.*' listener: filterChain: filter: name: "envoy.http_connection_manager" subFilter: name: "envoy.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_inbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio" } vm_config: vm_id: stats_inbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats - applyTo: HTTP_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.7.*' listener: filterChain: filter: name: "envoy.http_connection_manager" subFilter: name: "envoy.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio", "disable_host_header_fallback": true } vm_config: vm_id: stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: tcp-metadata-exchange-1.6 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.6.*' listener: {} patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.6.*' cluster: {} patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: context: GATEWAY proxy: proxyVersion: '^1\.6.*' cluster: {} patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: tcp-metadata-exchange-1.7 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.7.*' listener: {} patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.7.*' cluster: {} patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: context: GATEWAY proxy: proxyVersion: '^1\.7.*' cluster: {} patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: tcp-stats-filter-1.6 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.6.*' listener: filterChain: filter: name: "envoy.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_inbound configuration: | { "debug": "false", "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_inbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" - applyTo: NETWORK_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.6.*' listener: filterChain: filter: name: "envoy.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: | { "debug": "false", "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" - applyTo: NETWORK_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.6.*' listener: filterChain: filter: name: "envoy.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: | { "debug": "false", "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: tcp-stats-filter-1.7 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.7.*' listener: filterChain: filter: name: "envoy.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_inbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_inbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" - applyTo: NETWORK_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.7.*' listener: filterChain: filter: name: "envoy.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" - applyTo: NETWORK_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.7.*' listener: filterChain: filter: name: "envoy.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" --- apiVersion: v1 kind: ConfigMap metadata: name: istio namespace: istio-system labels: istio.io/rev: default release: istio data: # Configuration file for the mesh networks to be used by the Split Horizon EDS. meshNetworks: |- networks: {} mesh: |- defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 proxyMetadata: DNS_AGENT: "" tracing: zipkin: address: zipkin.istio-system:9411 disableMixerHttpReports: true enablePrometheusMerge: true rootNamespace: istio-system trustDomain: cluster.local --- apiVersion: v1 kind: ConfigMap metadata: name: istio-sidecar-injector namespace: istio-system labels: istio.io/rev: default release: istio data: values: |- { "global": { "arch": { "amd64": 2, "ppc64le": 2, "s390x": 2 }, "caAddress": "", "centralIstiod": false, "configValidation": true, "controlPlaneSecurityEnabled": true, "createRemoteSvcEndpoints": false, "defaultNodeSelector": {}, "defaultPodDisruptionBudget": { "enabled": true }, "defaultResources": { "requests": { "cpu": "10m" } }, "enableHelmTest": false, "enabled": true, "hub": "docker.io/istio", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "istio-system", "istiod": { "enableAnalysis": false }, "jwtPolicy": "third-party-jwt", "logAsJson": false, "logging": { "level": "default:info" }, "meshExpansion": { "enabled": false, "useILB": false }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "", "enabled": false }, "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, "oneNamespace": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "policyNamespace": "istio-system", "priorityClassName": "", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "enableCoreDump": false, "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "holdApplicationUntilProxyStarts": false, "image": "proxyv2", "includeIPRanges": "*", "logLevel": "warning", "privileged": false, "readinessFailureThreshold": 30, "readinessInitialDelaySeconds": 1, "readinessPeriodSeconds": 2, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "100m", "memory": "128Mi" } }, "statusPort": 15020, "tracer": "zipkin" }, "proxy_init": { "image": "proxyv2", "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "10m", "memory": "10Mi" } } }, "remotePilotAddress": "", "remotePolicyAddress": "", "remoteTelemetryAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.7.5", "telemetryNamespace": "istio-system", "tracer": { "datadog": { "address": "$(HOST_IP):8126" }, "lightstep": { "accessToken": "", "address": "" }, "stackdriver": { "debug": false, "maxNumberOfAnnotations": 200, "maxNumberOfAttributes": 200, "maxNumberOfMessageEvents": 200 }, "zipkin": { "address": "" } }, "trustDomain": "cluster.local", "useMCP": false }, "istio_cni": { "enabled": false }, "revision": "", "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "enableNamespacesByDefault": false, "injectLabel": "istio-injection", "injectedAnnotations": {}, "neverInjectSelector": [], "objectSelector": { "autoInject": true, "enabled": false }, "rewriteAppHTTPProbe": true } } # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching # and istiod webhook functionality. # # New fields should not use Values - it is a 'primary' config object, users should be able # to fine tune it or use it with kube-inject. config: |- policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] injectedAnnotations: template: | rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if .Values.istio_cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init {{ end -}} {{- if contains "/" .Values.global.proxy_init.image }} image: "{{ .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} args: - istio-iptables - "-p" - 15001 - "-z" - "15006" - "-u" - 1337 - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - "-d" {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{- else }} - "15090,15021" {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - "-q" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" {{ end -}} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} {{ if .Values.istio_cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ end -}} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- if .Values.global.proxy_init.resources }} resources: {{ toYaml .Values.global.proxy_init.resources | indent 4 }} {{- else }} resources: {} {{- end }} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: {{- if not .Values.istio_cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL {{- if not .Values.istio_cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{- else }} readOnlyRootFilesystem: true runAsGroup: 1337 runAsUser: 1337 runAsNonRoot: true {{- end }} restartPolicy: Always {{ end -}} {{- if eq .Values.global.proxy.enableCoreDump true }} - name: enable-core-dump args: - -c - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited command: - /bin/sh {{- if contains "/" .Values.global.proxy_init.image }} image: "{{ .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" resources: {} securityContext: allowPrivilegeEscalation: true capabilities: add: - SYS_ADMIN drop: - ALL privileged: true readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{ end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster {{ if ne "" (index .ObjectMeta.Labels "app") -}} - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" {{ else -}} - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" {{ end -}} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.trustDomain }} - --trust-domain={{ .Values.global.trustDomain }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} - --concurrency - "{{ .ProxyConfig.Concurrency.GetValue }}" {{- end -}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} {{- else if .Values.global.proxy.holdApplicationUntilProxyStarts}} lifecycle: postStart: exec: command: - pilot-agent - wait {{- end }} env: - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: CANONICAL_SERVICE valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-name'] - name: CANONICAL_REVISION valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{ if .ObjectMeta.Annotations }} - name: ISTIO_METAJSON_ANNOTATIONS value: | {{ toJSON .ObjectMeta.Annotations }} {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: {{ .DeploymentMeta.Name }} {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if .Values.global.trustDomain }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.trustDomain }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end -}} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} add: {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - NET_ADMIN {{- end }} {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - NET_BIND_SERVICE {{- end }} {{- end }} drop: - ALL privileged: {{ .Values.global.proxy.privileged }} readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} runAsGroup: 1337 fsGroup: 1337 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false runAsUser: 0 {{- else -}} runAsNonRoot: true runAsUser: 1337 {{- end }} resources: {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 4 }} {{- end }} {{- end }} volumeMounts: {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{- end }} {{- if .ProxyConfig.ProxyMetadata.ISTIO_META_DNS_CAPTURE }} dnsConfig: options: - name: "ndots" value: "4" {{- end }} volumes: {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: name: istio-ca-root-cert {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 2 }} {{ end }} {{ end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - name: lightstep-certs secret: optional: true secretName: lightstep.cacert {{- end }} {{- if .Values.global.podDNSSearchNamespaces }} dnsConfig: searches: {{- range .Values.global.podDNSSearchNamespaces }} - {{ render . }} {{- end }} {{- end }} podRedirectAnnot: {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} {{ if isset .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks` }} k8s.v1.cni.cncf.io/networks: "{{ index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`}}, istio-cni" {{- else }} k8s.v1.cni.cncf.io/networks: "istio-cni" {{- end }} {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{- end }} traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector labels: istio.io/rev: default app: sidecar-injector release: istio webhooks: - name: sidecar-injector.istio.io clientConfig: service: name: istiod namespace: istio-system path: "/inject" caBundle: "" sideEffects: None rules: - operations: [ "CREATE" ] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] failurePolicy: Fail admissionReviewVersions: ["v1beta1", "v1"] namespaceSelector: matchLabels: istio-injection: enabled --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: istiod istio: pilot istio.io/rev: default release: istio name: istiod namespace: istio-system spec: selector: matchLabels: istio: pilot strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% template: metadata: annotations: prometheus.io/port: "15014" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" labels: app: istiod istio: pilot istio.io/rev: default spec: containers: - args: - discovery - --monitoringAddr=:15014 - --log_output_level=default:info - --domain - cluster.local - --trust-domain=cluster.local - --keepaliveMaxServerConnectionAge - 30m env: - name: REVISION value: default - name: JWT_POLICY value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName - name: KUBECONFIG value: /var/run/secrets/remote/config - name: PILOT_TRACE_SAMPLING value: "1" - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND value: "true" - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND value: "true" - name: INJECTION_WEBHOOK_CONFIG_NAME value: istio-sidecar-injector - name: ISTIOD_ADDR value: istiod.istio-system.svc:15012 - name: PILOT_ENABLE_ANALYSIS value: "false" - name: CLUSTER_ID value: Kubernetes - name: CENTRAL_ISTIOD value: "false" image: docker.io/istio/pilot:1.7.5 name: discovery ports: - containerPort: 8080 - containerPort: 15010 - containerPort: 15017 - containerPort: 15053 readinessProbe: httpGet: path: /ready port: 8080 initialDelaySeconds: 1 periodSeconds: 3 timeoutSeconds: 5 resources: requests: cpu: 500m memory: 2048Mi securityContext: capabilities: drop: - ALL runAsGroup: 1337 runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/config name: config-volume - mountPath: /var/run/secrets/tokens name: istio-token readOnly: true - mountPath: /var/run/secrets/istio-dns name: local-certs - mountPath: /etc/cacerts name: cacerts readOnly: true - mountPath: /var/run/secrets/remote name: istio-kubeconfig readOnly: true - mountPath: /var/lib/istio/inject name: inject readOnly: true securityContext: fsGroup: 1337 serviceAccountName: istiod-service-account volumes: - emptyDir: medium: Memory name: local-certs - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - name: cacerts secret: optional: true secretName: cacerts - name: istio-kubeconfig secret: optional: true secretName: istio-kubeconfig - configMap: name: istio-sidecar-injector name: inject - configMap: name: istio name: config-volume --- apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: name: istiod namespace: istio-system labels: app: istiod istio.io/rev: default release: istio istio: pilot spec: minAvailable: 1 selector: matchLabels: app: istiod istio: pilot --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istiod-istio-system namespace: istio-system labels: app: istiod release: istio rules: - apiGroups: ["networking.istio.io"] verbs: ["create"] resources: ["gateways"] - apiGroups: [""] resources: ["secrets"] # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config verbs: ["create", "get", "watch", "list", "update", "delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: istiod-istio-system namespace: istio-system labels: app: pilot release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: istiod-istio-system subjects: - kind: ServiceAccount name: istiod-service-account namespace: istio-system --- apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: name: istiod namespace: istio-system labels: app: istiod release: istio istio.io/rev: default spec: maxReplicas: 5 minReplicas: 1 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: istiod metrics: - type: Resource resource: name: cpu targetAverageUtilization: 80 --- apiVersion: v1 kind: Service metadata: name: istiod namespace: istio-system labels: istio.io/rev: default app: istiod istio: pilot release: istio spec: ports: - port: 15010 name: grpc-xds # plaintext - port: 15012 name: https-dns # mTLS with k8s-signed cert - port: 443 name: https-webhook # validation and injection targetPort: 15017 - port: 15014 name: http-monitoring # prometheus stats - name: dns-tls port: 853 targetPort: 15053 protocol: TCP selector: app: istiod # Label used by the 'default' service. For versioned deployments we match with app and version. # This avoids default deployment picking the canary istio: pilot ---