---
# Source: crds/crd-all.gen.yaml
# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs.
# NOTE(review): apiextensions.k8s.io/v1beta1 CRDs are deprecated and were
# removed in Kubernetes 1.22, so this manifest will not apply on current
# clusters. Regenerate from the Istio API definitions against
# apiextensions.k8s.io/v1 (per-version schema, jsonPath printer columns,
# preserveUnknownFields=false) rather than hand-editing this file.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Helm leaves the CRD (and therefore every DestinationRule object, including
    # its TLS settings) in place when the chart is uninstalled.
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    # Helm 2 provenance label; Tiller itself is end-of-life. Informational only.
    heritage: Tiller
    release: istio
  name: destinationrules.networking.istio.io
spec:
  additionalPrinterColumns:
  - JSONPath: .spec.host
    description: The name of a service from the service registry
    name: Host
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
    name: Age
    type: date
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: DestinationRule
    listKind: DestinationRuleList
    plural: destinationrules
    shortNames:
    - dr
    singular: destinationrule
  # Unknown fields are pruned by the API server rather than persisted, so a
  # misspelled key in a tls/trafficPolicy block is dropped instead of being
  # stored and silently ignored. (v1beta1 defaults this to true; v1 requires false.)
  preserveUnknownFields: false
  scope: Namespaced
  subresources:
    # .status is only writable through the /status subresource, so a principal
    # with update on destinationrules cannot forge status and vice versa.
    status: {}
  # One schema shared by every served version below (v1beta1 CRD semantics).
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
          properties:
            # Namespaces that may consume this rule. Exporting beyond the rule's
            # own namespace lets it rewrite TLS, load-balancing and outlier
            # behaviour for other namespaces' traffic to `host`, so treat wide
            # exports ("*" per Istio docs) as a privileged change. The default
            # when unset comes from mesh config, not this schema — verify.
            exportTo:
              description: A list of namespaces to which this destination rule is exported.
              items:
                format: string
                type: string
              type: array
            host:
              description: The name of a service from the service registry.
              format: string
              type: string
            subsets:
              items:
                properties:
                  labels:
                    additionalProperties:
                      format: string
                      type: string
                    type: object
                  name:
                    description: Name of the subset.
                    format: string
                    type: string
                  # Per-subset copy of the trafficPolicy schema; see the notes on
                  # spec.trafficPolicy below for the security-relevant fields.
                  trafficPolicy:
                    description: Traffic policies that apply to this subset.
                    properties:
                      connectionPool:
                        properties:
                          http:
                            description: HTTP connection pool settings.
                            properties:
                              h2UpgradePolicy:
                                description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
                                enum:
                                - DEFAULT
                                - DO_NOT_UPGRADE
                                - UPGRADE
                                type: string
                              http1MaxPendingRequests:
                                description: Maximum number of pending HTTP requests to a destination.
                                format: int32
                                type: integer
                              http2MaxRequests:
                                description: Maximum number of requests to a backend.
                                format: int32
                                type: integer
                              idleTimeout:
                                description: The idle timeout for upstream connection pool connections.
                                type: string
                              maxRequestsPerConnection:
                                description: Maximum number of requests per connection to a backend.
                                format: int32
                                type: integer
                              maxRetries:
                                format: int32
                                type: integer
                              useClientProtocol:
                                description: If set to true, client protocol will be preserved while initiating connection to backend.
                                type: boolean
                            type: object
                          tcp:
                            description: Settings common to both HTTP and TCP upstream connections.
                            properties:
                              connectTimeout:
                                description: TCP connection timeout.
                                type: string
                              maxConnections:
                                description: Maximum number of HTTP1 /TCP connections to a destination host.
                                format: int32
                                type: integer
                              tcpKeepalive:
                                description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
                                properties:
                                  interval:
                                    description: The time duration between keep-alive probes.
                                    type: string
                                  probes:
                                    type: integer
                                  time:
                                    type: string
                                type: object
                            type: object
                        type: object
                      loadBalancer:
                        description: Settings controlling the load balancer algorithms.
                        oneOf:
                        - not:
                            anyOf:
                            - required:
                              - simple
                            - properties:
                                consistentHash:
                                  oneOf:
                                  - not:
                                      anyOf:
                                      - required:
                                        - httpHeaderName
                                      - required:
                                        - httpCookie
                                      - required:
                                        - useSourceIp
                                      - required:
                                        - httpQueryParameterName
                                  - required:
                                    - httpHeaderName
                                  - required:
                                    - httpCookie
                                  - required:
                                    - useSourceIp
                                  - required:
                                    - httpQueryParameterName
                              required:
                              - consistentHash
                        - required:
                          - simple
                        - properties:
                            consistentHash:
                              oneOf:
                              - not:
                                  anyOf:
                                  - required:
                                    - httpHeaderName
                                  - required:
                                    - httpCookie
                                  - required:
                                    - useSourceIp
                                  - required:
                                    - httpQueryParameterName
                              - required:
                                - httpHeaderName
                              - required:
                                - httpCookie
                              - required:
                                - useSourceIp
                              - required:
                                - httpQueryParameterName
                          required:
                          - consistentHash
                        properties:
                          consistentHash:
                            properties:
                              httpCookie:
                                description: Hash based on HTTP cookie.
                                properties:
                                  name:
                                    description: Name of the cookie.
                                    format: string
                                    type: string
                                  path:
                                    description: Path to set for the cookie.
                                    format: string
                                    type: string
                                  ttl:
                                    description: Lifetime of the cookie.
                                    type: string
                                type: object
                              httpHeaderName:
                                description: Hash based on a specific HTTP header.
                                format: string
                                type: string
                              httpQueryParameterName:
                                description: Hash based on a specific HTTP query parameter.
                                format: string
                                type: string
                              minimumRingSize:
                                type: integer
                              useSourceIp:
                                description: Hash based on the source IP address.
                                type: boolean
                            type: object
                          localityLbSetting:
                            properties:
                              distribute:
                                description: 'Optional: only one of distribute or failover can be set.'
                                items:
                                  properties:
                                    from:
                                      description: Originating locality, '/' separated, e.g.
                                      format: string
                                      type: string
                                    to:
                                      additionalProperties:
                                        type: integer
                                      description: Map of upstream localities to traffic distribution weights.
                                      type: object
                                  type: object
                                type: array
                              enabled:
                                description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
                                nullable: true
                                type: boolean
                              failover:
                                description: 'Optional: only failover or distribute can be set.'
                                items:
                                  properties:
                                    from:
                                      description: Originating region.
                                      format: string
                                      type: string
                                    to:
                                      format: string
                                      type: string
                                  type: object
                                type: array
                            type: object
                          simple:
                            enum:
                            - ROUND_ROBIN
                            - LEAST_CONN
                            - RANDOM
                            - PASSTHROUGH
                            type: string
                        type: object
                      outlierDetection:
                        properties:
                          baseEjectionTime:
                            description: Minimum ejection duration.
                            type: string
                          consecutive5xxErrors:
                            description: Number of 5xx errors before a host is ejected from the connection pool.
                            nullable: true
                            type: integer
                          consecutiveErrors:
                            format: int32
                            type: integer
                          consecutiveGatewayErrors:
                            description: Number of gateway errors before a host is ejected from the connection pool.
                            nullable: true
                            type: integer
                          interval:
                            description: Time interval between ejection sweep analysis.
                            type: string
                          maxEjectionPercent:
                            format: int32
                            type: integer
                          minHealthPercent:
                            format: int32
                            type: integer
                        type: object
                      portLevelSettings:
                        description: Traffic policies specific to individual ports.
                        items:
                          properties:
                            connectionPool:
                              properties:
                                http:
                                  description: HTTP connection pool settings.
                                  properties:
                                    h2UpgradePolicy:
                                      description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
                                      enum:
                                      - DEFAULT
                                      - DO_NOT_UPGRADE
                                      - UPGRADE
                                      type: string
                                    http1MaxPendingRequests:
                                      description: Maximum number of pending HTTP requests to a destination.
                                      format: int32
                                      type: integer
                                    http2MaxRequests:
                                      description: Maximum number of requests to a backend.
                                      format: int32
                                      type: integer
                                    idleTimeout:
                                      description: The idle timeout for upstream connection pool connections.
                                      type: string
                                    maxRequestsPerConnection:
                                      description: Maximum number of requests per connection to a backend.
                                      format: int32
                                      type: integer
                                    maxRetries:
                                      format: int32
                                      type: integer
                                    useClientProtocol:
                                      description: If set to true, client protocol will be preserved while initiating connection to backend.
                                      type: boolean
                                  type: object
                                tcp:
                                  description: Settings common to both HTTP and TCP upstream connections.
                                  properties:
                                    connectTimeout:
                                      description: TCP connection timeout.
                                      type: string
                                    maxConnections:
                                      description: Maximum number of HTTP1 /TCP connections to a destination host.
                                      format: int32
                                      type: integer
                                    tcpKeepalive:
                                      description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
                                      properties:
                                        interval:
                                          description: The time duration between keep-alive probes.
                                          type: string
                                        probes:
                                          type: integer
                                        time:
                                          type: string
                                      type: object
                                  type: object
                              type: object
                            loadBalancer:
                              description: Settings controlling the load balancer algorithms.
                              oneOf:
                              - not:
                                  anyOf:
                                  - required:
                                    - simple
                                  - properties:
                                      consistentHash:
                                        oneOf:
                                        - not:
                                            anyOf:
                                            - required:
                                              - httpHeaderName
                                            - required:
                                              - httpCookie
                                            - required:
                                              - useSourceIp
                                            - required:
                                              - httpQueryParameterName
                                        - required:
                                          - httpHeaderName
                                        - required:
                                          - httpCookie
                                        - required:
                                          - useSourceIp
                                        - required:
                                          - httpQueryParameterName
                                    required:
                                    - consistentHash
                              - required:
                                - simple
                              - properties:
                                  consistentHash:
                                    oneOf:
                                    - not:
                                        anyOf:
                                        - required:
                                          - httpHeaderName
                                        - required:
                                          - httpCookie
                                        - required:
                                          - useSourceIp
                                        - required:
                                          - httpQueryParameterName
                                    - required:
                                      - httpHeaderName
                                    - required:
                                      - httpCookie
                                    - required:
                                      - useSourceIp
                                    - required:
                                      - httpQueryParameterName
                                required:
                                - consistentHash
                              properties:
                                consistentHash:
                                  properties:
                                    httpCookie:
                                      description: Hash based on HTTP cookie.
                                      properties:
                                        name:
                                          description: Name of the cookie.
                                          format: string
                                          type: string
                                        path:
                                          description: Path to set for the cookie.
                                          format: string
                                          type: string
                                        ttl:
                                          description: Lifetime of the cookie.
                                          type: string
                                      type: object
                                    httpHeaderName:
                                      description: Hash based on a specific HTTP header.
                                      format: string
                                      type: string
                                    httpQueryParameterName:
                                      description: Hash based on a specific HTTP query parameter.
                                      format: string
                                      type: string
                                    minimumRingSize:
                                      type: integer
                                    useSourceIp:
                                      description: Hash based on the source IP address.
                                      type: boolean
                                  type: object
                                localityLbSetting:
                                  properties:
                                    distribute:
                                      description: 'Optional: only one of distribute or failover can be set.'
                                      items:
                                        properties:
                                          from:
                                            description: Originating locality, '/' separated, e.g.
                                            format: string
                                            type: string
                                          to:
                                            additionalProperties:
                                              type: integer
                                            description: Map of upstream localities to traffic distribution weights.
                                            type: object
                                        type: object
                                      type: array
                                    enabled:
                                      description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
                                      nullable: true
                                      type: boolean
                                    failover:
                                      description: 'Optional: only failover or distribute can be set.'
                                      items:
                                        properties:
                                          from:
                                            description: Originating region.
                                            format: string
                                            type: string
                                          to:
                                            format: string
                                            type: string
                                        type: object
                                      type: array
                                  type: object
                                simple:
                                  enum:
                                  - ROUND_ROBIN
                                  - LEAST_CONN
                                  - RANDOM
                                  - PASSTHROUGH
                                  type: string
                              type: object
                            outlierDetection:
                              properties:
                                baseEjectionTime:
                                  description: Minimum ejection duration.
                                  type: string
                                consecutive5xxErrors:
                                  description: Number of 5xx errors before a host is ejected from the connection pool.
                                  nullable: true
                                  type: integer
                                consecutiveErrors:
                                  format: int32
                                  type: integer
                                consecutiveGatewayErrors:
                                  description: Number of gateway errors before a host is ejected from the connection pool.
                                  nullable: true
                                  type: integer
                                interval:
                                  description: Time interval between ejection sweep analysis.
                                  type: string
                                maxEjectionPercent:
                                  format: int32
                                  type: integer
                                minHealthPercent:
                                  format: int32
                                  type: integer
                              type: object
                            port:
                              properties:
                                number:
                                  type: integer
                              type: object
                            # Same semantics and security notes as spec.trafficPolicy.tls.
                            tls:
                              description: TLS related settings for connections to the upstream service.
                              properties:
                                caCertificates:
                                  format: string
                                  type: string
                                clientCertificate:
                                  description: REQUIRED if mode is `MUTUAL`.
                                  format: string
                                  type: string
                                credentialName:
                                  format: string
                                  type: string
                                mode:
                                  enum:
                                  - DISABLE
                                  - SIMPLE
                                  - MUTUAL
                                  - ISTIO_MUTUAL
                                  type: string
                                privateKey:
                                  description: REQUIRED if mode is `MUTUAL`.
                                  format: string
                                  type: string
                                sni:
                                  description: SNI string to present to the server during TLS handshake.
                                  format: string
                                  type: string
                                subjectAltNames:
                                  items:
                                    format: string
                                    type: string
                                  type: array
                              type: object
                          type: object
                        type: array
                      # Same semantics and security notes as spec.trafficPolicy.tls.
                      tls:
                        description: TLS related settings for connections to the upstream service.
                        properties:
                          caCertificates:
                            format: string
                            type: string
                          clientCertificate:
                            description: REQUIRED if mode is `MUTUAL`.
                            format: string
                            type: string
                          credentialName:
                            format: string
                            type: string
                          mode:
                            enum:
                            - DISABLE
                            - SIMPLE
                            - MUTUAL
                            - ISTIO_MUTUAL
                            type: string
                          privateKey:
                            description: REQUIRED if mode is `MUTUAL`.
                            format: string
                            type: string
                          sni:
                            description: SNI string to present to the server during TLS handshake.
                            format: string
                            type: string
                          subjectAltNames:
                            items:
                              format: string
                              type: string
                            type: array
                        type: object
                    type: object
                type: object
              type: array
            # Host-wide traffic policy; subsets and portLevelSettings carry the
            # same schema and override it for their scope.
            trafficPolicy:
              properties:
                connectionPool:
                  properties:
                    http:
                      description: HTTP connection pool settings.
                      properties:
                        h2UpgradePolicy:
                          description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
                          enum:
                          - DEFAULT
                          - DO_NOT_UPGRADE
                          - UPGRADE
                          type: string
                        http1MaxPendingRequests:
                          description: Maximum number of pending HTTP requests to a destination.
                          format: int32
                          type: integer
                        http2MaxRequests:
                          description: Maximum number of requests to a backend.
                          format: int32
                          type: integer
                        idleTimeout:
                          description: The idle timeout for upstream connection pool connections.
                          type: string
                        maxRequestsPerConnection:
                          description: Maximum number of requests per connection to a backend.
                          format: int32
                          type: integer
                        maxRetries:
                          format: int32
                          type: integer
                        useClientProtocol:
                          description: If set to true, client protocol will be preserved while initiating connection to backend.
                          type: boolean
                      type: object
                    tcp:
                      description: Settings common to both HTTP and TCP upstream connections.
                      properties:
                        connectTimeout:
                          description: TCP connection timeout.
                          type: string
                        maxConnections:
                          description: Maximum number of HTTP1 /TCP connections to a destination host.
                          format: int32
                          type: integer
                        tcpKeepalive:
                          description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
                          properties:
                            interval:
                              description: The time duration between keep-alive probes.
                              type: string
                            probes:
                              type: integer
                            time:
                              type: string
                          type: object
                      type: object
                  type: object
                # Schema-level exclusivity (the oneOf/not/anyOf block): exactly
                # one of `simple` or `consistentHash` may be set, and inside
                # consistentHash exactly one of httpHeaderName / httpCookie /
                # useSourceIp / httpQueryParameterName.
                loadBalancer:
                  description: Settings controlling the load balancer algorithms.
                  oneOf:
                  - not:
                      anyOf:
                      - required:
                        - simple
                      - properties:
                          consistentHash:
                            oneOf:
                            - not:
                                anyOf:
                                - required:
                                  - httpHeaderName
                                - required:
                                  - httpCookie
                                - required:
                                  - useSourceIp
                                - required:
                                  - httpQueryParameterName
                            - required:
                              - httpHeaderName
                            - required:
                              - httpCookie
                            - required:
                              - useSourceIp
                            - required:
                              - httpQueryParameterName
                        required:
                        - consistentHash
                  - required:
                    - simple
                  - properties:
                      consistentHash:
                        oneOf:
                        - not:
                            anyOf:
                            - required:
                              - httpHeaderName
                            - required:
                              - httpCookie
                            - required:
                              - useSourceIp
                            - required:
                              - httpQueryParameterName
                        - required:
                          - httpHeaderName
                        - required:
                          - httpCookie
                        - required:
                          - useSourceIp
                        - required:
                          - httpQueryParameterName
                    required:
                    - consistentHash
                  properties:
                    # Hash keys are client-supplied (header, cookie, query
                    # parameter) or the peer's source IP, so a client can steer
                    # itself to a chosen backend. Use for session affinity only;
                    # this is not an isolation or access-control mechanism.
                    consistentHash:
                      properties:
                        httpCookie:
                          description: Hash based on HTTP cookie.
                          properties:
                            name:
                              description: Name of the cookie.
                              format: string
                              type: string
                            path:
                              description: Path to set for the cookie.
                              format: string
                              type: string
                            ttl:
                              description: Lifetime of the cookie.
                              type: string
                          type: object
                        httpHeaderName:
                          description: Hash based on a specific HTTP header.
                          format: string
                          type: string
                        httpQueryParameterName:
                          description: Hash based on a specific HTTP query parameter.
                          format: string
                          type: string
                        minimumRingSize:
                          type: integer
                        useSourceIp:
                          description: Hash based on the source IP address.
                          type: boolean
                      type: object
                    localityLbSetting:
                      properties:
                        distribute:
                          description: 'Optional: only one of distribute or failover can be set.'
                          items:
                            properties:
                              from:
                                description: Originating locality, '/' separated, e.g.
                                format: string
                                type: string
                              to:
                                additionalProperties:
                                  type: integer
                                description: Map of upstream localities to traffic distribution weights.
                                type: object
                            type: object
                          type: array
                        enabled:
                          description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
                          nullable: true
                          type: boolean
                        failover:
                          description: 'Optional: only failover or distribute can be set.'
                          items:
                            properties:
                              from:
                                description: Originating region.
                                format: string
                                type: string
                              to:
                                format: string
                                type: string
                            type: object
                          type: array
                      type: object
                    simple:
                      enum:
                      - ROUND_ROBIN
                      - LEAST_CONN
                      - RANDOM
                      - PASSTHROUGH
                      type: string
                  type: object
                outlierDetection:
                  properties:
                    baseEjectionTime:
                      description: Minimum ejection duration.
                      type: string
                    consecutive5xxErrors:
                      description: Number of 5xx errors before a host is ejected from the connection pool.
                      nullable: true
                      type: integer
                    consecutiveErrors:
                      format: int32
                      type: integer
                    consecutiveGatewayErrors:
                      description: Number of gateway errors before a host is ejected from the connection pool.
                      nullable: true
                      type: integer
                    interval:
                      description: Time interval between ejection sweep analysis.
                      type: string
                    maxEjectionPercent:
                      format: int32
                      type: integer
                    minHealthPercent:
                      format: int32
                      type: integer
                  type: object
                portLevelSettings:
                  description: Traffic policies specific to individual ports.
                  items:
                    properties:
                      connectionPool:
                        properties:
                          http:
                            description: HTTP connection pool settings.
                            properties:
                              h2UpgradePolicy:
                                description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
                                enum:
                                - DEFAULT
                                - DO_NOT_UPGRADE
                                - UPGRADE
                                type: string
                              http1MaxPendingRequests:
                                description: Maximum number of pending HTTP requests to a destination.
                                format: int32
                                type: integer
                              http2MaxRequests:
                                description: Maximum number of requests to a backend.
                                format: int32
                                type: integer
                              idleTimeout:
                                description: The idle timeout for upstream connection pool connections.
                                type: string
                              maxRequestsPerConnection:
                                description: Maximum number of requests per connection to a backend.
                                format: int32
                                type: integer
                              maxRetries:
                                format: int32
                                type: integer
                              useClientProtocol:
                                description: If set to true, client protocol will be preserved while initiating connection to backend.
                                type: boolean
                            type: object
                          tcp:
                            description: Settings common to both HTTP and TCP upstream connections.
                            properties:
                              connectTimeout:
                                description: TCP connection timeout.
                                type: string
                              maxConnections:
                                description: Maximum number of HTTP1 /TCP connections to a destination host.
                                format: int32
                                type: integer
                              tcpKeepalive:
                                description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
                                properties:
                                  interval:
                                    description: The time duration between keep-alive probes.
                                    type: string
                                  probes:
                                    type: integer
                                  time:
                                    type: string
                                type: object
                            type: object
                        type: object
                      loadBalancer:
                        description: Settings controlling the load balancer algorithms.
                        oneOf:
                        - not:
                            anyOf:
                            - required:
                              - simple
                            - properties:
                                consistentHash:
                                  oneOf:
                                  - not:
                                      anyOf:
                                      - required:
                                        - httpHeaderName
                                      - required:
                                        - httpCookie
                                      - required:
                                        - useSourceIp
                                      - required:
                                        - httpQueryParameterName
                                  - required:
                                    - httpHeaderName
                                  - required:
                                    - httpCookie
                                  - required:
                                    - useSourceIp
                                  - required:
                                    - httpQueryParameterName
                              required:
                              - consistentHash
                        - required:
                          - simple
                        - properties:
                            consistentHash:
                              oneOf:
                              - not:
                                  anyOf:
                                  - required:
                                    - httpHeaderName
                                  - required:
                                    - httpCookie
                                  - required:
                                    - useSourceIp
                                  - required:
                                    - httpQueryParameterName
                              - required:
                                - httpHeaderName
                              - required:
                                - httpCookie
                              - required:
                                - useSourceIp
                              - required:
                                - httpQueryParameterName
                          required:
                          - consistentHash
                        properties:
                          consistentHash:
                            properties:
                              httpCookie:
                                description: Hash based on HTTP cookie.
                                properties:
                                  name:
                                    description: Name of the cookie.
                                    format: string
                                    type: string
                                  path:
                                    description: Path to set for the cookie.
                                    format: string
                                    type: string
                                  ttl:
                                    description: Lifetime of the cookie.
                                    type: string
                                type: object
                              httpHeaderName:
                                description: Hash based on a specific HTTP header.
                                format: string
                                type: string
                              httpQueryParameterName:
                                description: Hash based on a specific HTTP query parameter.
                                format: string
                                type: string
                              minimumRingSize:
                                type: integer
                              useSourceIp:
                                description: Hash based on the source IP address.
                                type: boolean
                            type: object
                          localityLbSetting:
                            properties:
                              distribute:
                                description: 'Optional: only one of distribute or failover can be set.'
                                items:
                                  properties:
                                    from:
                                      description: Originating locality, '/' separated, e.g.
                                      format: string
                                      type: string
                                    to:
                                      additionalProperties:
                                        type: integer
                                      description: Map of upstream localities to traffic distribution weights.
                                      type: object
                                  type: object
                                type: array
                              enabled:
                                description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
                                nullable: true
                                type: boolean
                              failover:
                                description: 'Optional: only failover or distribute can be set.'
                                items:
                                  properties:
                                    from:
                                      description: Originating region.
                                      format: string
                                      type: string
                                    to:
                                      format: string
                                      type: string
                                  type: object
                                type: array
                            type: object
                          simple:
                            enum:
                            - ROUND_ROBIN
                            - LEAST_CONN
                            - RANDOM
                            - PASSTHROUGH
                            type: string
                        type: object
                      outlierDetection:
                        properties:
                          baseEjectionTime:
                            description: Minimum ejection duration.
                            type: string
                          consecutive5xxErrors:
                            description: Number of 5xx errors before a host is ejected from the connection pool.
                            nullable: true
                            type: integer
                          consecutiveErrors:
                            format: int32
                            type: integer
                          consecutiveGatewayErrors:
                            description: Number of gateway errors before a host is ejected from the connection pool.
                            nullable: true
                            type: integer
                          interval:
                            description: Time interval between ejection sweep analysis.
                            type: string
                          maxEjectionPercent:
                            format: int32
                            type: integer
                          minHealthPercent:
                            format: int32
                            type: integer
                        type: object
                      port:
                        properties:
                          number:
                            type: integer
                        type: object
                      # Same semantics and security notes as spec.trafficPolicy.tls.
                      tls:
                        description: TLS related settings for connections to the upstream service.
                        properties:
                          caCertificates:
                            format: string
                            type: string
                          clientCertificate:
                            description: REQUIRED if mode is `MUTUAL`.
                            format: string
                            type: string
                          credentialName:
                            format: string
                            type: string
                          mode:
                            enum:
                            - DISABLE
                            - SIMPLE
                            - MUTUAL
                            - ISTIO_MUTUAL
                            type: string
                          privateKey:
                            description: REQUIRED if mode is `MUTUAL`.
                            format: string
                            type: string
                          sni:
                            description: SNI string to present to the server during TLS handshake.
                            format: string
                            type: string
                          subjectAltNames:
                            items:
                              format: string
                              type: string
                            type: array
                        type: object
                    type: object
                  type: array
                # Client-side TLS the proxy uses toward this upstream. Security
                # notes — the schema enforces none of them:
                # - mode DISABLE means plaintext to the upstream; ISTIO_MUTUAL uses
                #   the mesh-issued workload certificates; SIMPLE/MUTUAL use the
                #   material named in this block.
                # - caCertificates and subjectAltNames are optional here. With both
                #   unset the proxy may skip server-certificate verification
                #   entirely (how Istio of this vintage documents it — confirm for
                #   the version in use); set both for any SIMPLE/MUTUAL origination.
                # - clientCertificate/privateKey are documented below as REQUIRED
                #   for MUTUAL. They are plain strings; presumably file paths on the
                #   proxy filesystem rather than inline PEM — verify before wiring
                #   secrets to them.
                # - credentialName is the alternative that references a Secret by
                #   name (gateway-oriented per Istio docs — verify for sidecars).
                tls:
                  description: TLS related settings for connections to the upstream service.
                  properties:
                    caCertificates:
                      format: string
                      type: string
                    clientCertificate:
                      description: REQUIRED if mode is `MUTUAL`.
                      format: string
                      type: string
                    credentialName:
                      format: string
                      type: string
                    mode:
                      enum:
                      - DISABLE
                      - SIMPLE
                      - MUTUAL
                      - ISTIO_MUTUAL
                      type: string
                    privateKey:
                      description: REQUIRED if mode is `MUTUAL`.
                      format: string
                      type: string
                    sni:
                      description: SNI string to present to the server during TLS handshake.
                      format: string
                      type: string
                    subjectAltNames:
                      items:
                        format: string
                        type: string
                      type: array
                  type: object
              type: object
          type: object
        # status is free-form (unknown fields kept) and, per the subresources
        # block above, only reachable through /status.
        status:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      type: object
  # Both versions are validated by the single schema above; v1alpha3 is the
  # storage version, v1beta1 is served but converted on read.
  versions:
  - name: v1alpha3
    served: true
    storage: true
  - name: v1beta1
    served: true
    storage: false
---
# NOTE(review): apiextensions.k8s.io/v1beta1 CRDs were removed in Kubernetes
# 1.22; regenerate against apiextensions.k8s.io/v1 rather than hand-editing.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    # Helm 2 provenance label; Tiller itself is end-of-life. Informational only.
    heritage: Tiller
    release: istio
  name: envoyfilters.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: EnvoyFilter
    listKind: EnvoyFilterList
    plural: envoyfilters
    singular: envoyfilter
  # Unknown fields are stored verbatim instead of pruned (needed because
  # patch.value below is free-form Envoy config). Side effect: a misspelled
  # key such as `workloadSelector` is accepted by the API server and then
  # ignored, which silently widens a filter's scope. Istio's validating
  # webhook may catch some of this — do not rely on it alone; lint EnvoyFilter
  # manifests before apply.
  preserveUnknownFields: true
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        # EnvoyFilter injects raw Envoy configuration into proxies: applyTo
        # covers listeners, network/HTTP filters, routes and clusters, and
        # patch.value is an unconstrained object. Treat create/update on this
        # kind as a privileged operation (restrict via RBAC, review each filter
        # like a sidecar code change). Per Istio docs, omitting workloadSelector
        # applies the filter to every workload in the namespace, and from the
        # root namespace mesh-wide — verify for the version in use.
        spec:
          description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
          properties:
            configPatches:
              description: One or more patches with match conditions.
              items:
                properties:
                  # INVALID is presumably the proto zero value; a real patch
                  # should name one of the other targets.
                  applyTo:
                    enum:
                    - INVALID
                    - LISTENER
                    - FILTER_CHAIN
                    - NETWORK_FILTER
                    - HTTP_FILTER
                    - ROUTE_CONFIGURATION
                    - VIRTUAL_HOST
                    - HTTP_ROUTE
                    - CLUSTER
                    - EXTENSION_CONFIG
                    type: string
                  # At most one of listener / routeConfiguration / cluster may be
                  # set (oneOf below); context and proxy narrow it further. A match
                  # with none of them is allowed and is therefore the broadest.
                  match:
                    description: Match on listener/route configuration/cluster.
                    oneOf:
                    - not:
                        anyOf:
                        - required:
                          - listener
                        - required:
                          - routeConfiguration
                        - required:
                          - cluster
                    - required:
                      - listener
                    - required:
                      - routeConfiguration
                    - required:
                      - cluster
                    properties:
                      cluster:
                        description: Match on envoy cluster attributes.
                        properties:
                          name:
                            description: The exact name of the cluster to match.
                            format: string
                            type: string
                          portNumber:
                            description: The service port for which this cluster was generated.
                            type: integer
                          service:
                            description: The fully qualified service name for this cluster.
                            format: string
                            type: string
                          subset:
                            description: The subset associated with the service.
                            format: string
                            type: string
                        type: object
                      context:
                        description: The specific config generation context to match on.
                        enum:
                        - ANY
                        - SIDECAR_INBOUND
                        - SIDECAR_OUTBOUND
                        - GATEWAY
                        type: string
                      listener:
                        description: Match on envoy listener attributes.
                        properties:
                          filterChain:
                            description: Match a specific filter chain in a listener.
                            properties:
                              applicationProtocols:
                                description: Applies only to sidecars.
                                format: string
                                type: string
                              filter:
                                description: The name of a specific filter to apply the patch to.
                                properties:
                                  name:
                                    description: The filter name to match on.
                                    format: string
                                    type: string
                                  subFilter:
                                    properties:
                                      name:
                                        description: The filter name to match on.
                                        format: string
                                        type: string
                                    type: object
                                type: object
                              name:
                                description: The name assigned to the filter chain.
                                format: string
                                type: string
                              sni:
                                description: The SNI value used by a filter chain's match condition.
                                format: string
                                type: string
                              transportProtocol:
                                description: Applies only to `SIDECAR_INBOUND` context.
                                format: string
                                type: string
                            type: object
                          name:
                            description: Match a specific listener by its name.
                            format: string
                            type: string
                          portName:
                            format: string
                            type: string
                          portNumber:
                            type: integer
                        type: object
                      proxy:
                        description: Match on properties associated with a proxy.
                        properties:
                          metadata:
                            additionalProperties:
                              format: string
                              type: string
                            type: object
                          proxyVersion:
                            format: string
                            type: string
                        type: object
                      routeConfiguration:
                        description: Match on envoy HTTP route configuration attributes.
                        properties:
                          gateway:
                            format: string
                            type: string
                          name:
                            description: Route configuration name to match on.
                            format: string
                            type: string
                          portName:
                            description: Applicable only for GATEWAY context.
                            format: string
                            type: string
                          portNumber:
                            type: integer
                          vhost:
                            properties:
                              name:
                                format: string
                                type: string
                              route:
                                description: Match a specific route within the virtual host.
                                properties:
                                  action:
                                    description: Match a route with specific action type.
                                    enum:
                                    - ANY
                                    - ROUTE
                                    - REDIRECT
                                    - DIRECT_RESPONSE
                                    type: string
                                  name:
                                    format: string
                                    type: string
                                type: object
                            type: object
                        type: object
                    type: object
                  patch:
                    description: The patch to apply along with the operation.
                    properties:
                      # Places the patched filter relative to Istio's own AUTHN /
                      # AUTHZ / STATS filters. A filter that lands ahead of AUTHZ
                      # presumably sees requests before authorization runs — review
                      # the chosen class together with the operation below.
                      filterClass:
                        description: Determines the filter insertion order.
                        enum:
                        - UNSPECIFIED
                        - AUTHN
                        - AUTHZ
                        - STATS
                        type: string
                      # REMOVE/REPLACE can delete or supersede existing filters
                      # (including security-relevant ones); INVALID is presumably
                      # the proto zero value and should not be used.
                      operation:
                        description: Determines how the patch should be applied.
                        enum:
                        - INVALID
                        - MERGE
                        - ADD
                        - REMOVE
                        - INSERT_BEFORE
                        - INSERT_AFTER
                        - INSERT_FIRST
                        - REPLACE
                        type: string
                      # Free-form: `type: object` with no properties, and with
                      # preserveUnknownFields true nothing inside is validated by
                      # the API server. Envoy itself is the only consumer that
                      # rejects malformed content.
                      value:
                        description: The JSON config of the object being patched.
                        type: object
                    type: object
                type: object
              type: array
            # Label selector limiting which proxies receive the patches. Its
            # absence is what makes a filter namespace-wide (see note on spec).
            workloadSelector:
              properties:
                labels:
                  additionalProperties:
                    format: string
                    type: string
                  type: object
              type: object
          type: object
        status:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      type: object
  versions:
  - name: v1alpha3
    served: true
    storage: true
|
|
|
|
---
# Gateway: configuration of an Istio edge load balancer (ingress/egress proxy).
# This file is generated (see the "DO NOT EDIT" header); the comments below are
# reviewer notes only, schema changes belong in the Istio API / Cue generator.
# NOTE(review): apiextensions.k8s.io/v1beta1 CRDs are no longer served by
# Kubernetes 1.22+; current clusters need the v1 layout (per-version schema,
# no spec.validation / spec.additionalPrinterColumns).
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Helm leaves the CRD in place on uninstall/upgrade, so Gateway objects are
    # not cascade-deleted together with the chart.
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: gateways.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: Gateway
    listKind: GatewayList
    plural: gateways
    shortNames:
    - gw
    singular: gateway
  # Fields that are not in the schema below are pruned by the apiserver rather
  # than stored.
  preserveUnknownFields: false
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration affecting edge load balancer. See more details
            at: https://istio.io/docs/reference/config/networking/gateway.html'
          properties:
            # No description in the generated schema; presumably the label
            # selector picking the proxy pods that implement this gateway.
            selector:
              additionalProperties:
                format: string
                type: string
              type: object
            servers:
              description: A list of server specifications.
              items:
                properties:
                  bind:
                    format: string
                    type: string
                  defaultEndpoint:
                    format: string
                    type: string
                  hosts:
                    # NOTE(review): a free-form string list, so wildcard entries
                    # such as "*" are accepted by the CRD; any scoping of what a
                    # server may expose is enforced by Istio, not here.
                    description: One or more hosts exposed by this gateway.
                    items:
                      format: string
                      type: string
                    type: array
                  name:
                    description: An optional name of the server, when set must be
                      unique across all servers.
                    format: string
                    type: string
                  port:
                    properties:
                      name:
                        description: Label assigned to the port.
                        format: string
                        type: string
                      number:
                        # NOTE(review): no minimum/maximum in the schema; the
                        # range promised by the description is only checked by
                        # Istio's validation webhook.
                        description: A valid non-negative integer port number.
                        type: integer
                      protocol:
                        description: The protocol exposed on the port.
                        format: string
                        type: string
                      targetPort:
                        type: integer
                    type: object
                  tls:
                    description: Set of TLS related options that govern the server's
                      behavior.
                    properties:
                      # The "REQUIRED if mode is ..." notes below are documentation
                      # only; the schema has no conditional `required` for them.
                      caCertificates:
                        description: REQUIRED if mode is `MUTUAL`.
                        format: string
                        type: string
                      cipherSuites:
                        description: 'Optional: If specified, only support the specified
                          cipher list.'
                        items:
                          format: string
                          type: string
                        type: array
                      # Undocumented in the schema; presumably the name of a
                      # secret delivered to the proxy, the alternative to the
                      # file paths in privateKey/serverCertificate. Confirm.
                      credentialName:
                        format: string
                        type: string
                      # Undocumented in the schema; presumably redirects plaintext
                      # HTTP to HTTPS. Confirm against the Gateway reference.
                      httpsRedirect:
                        type: boolean
                      maxProtocolVersion:
                        description: 'Optional: Maximum TLS protocol version.'
                        enum:
                        - TLS_AUTO
                        - TLSV1_0
                        - TLSV1_1
                        - TLSV1_2
                        - TLSV1_3
                        type: string
                      # NOTE(review): TLSV1_0 and TLSV1_1 are accepted as a floor;
                      # both are deprecated (RFC 8996). Internet-facing servers
                      # should set TLSV1_2 or higher explicitly.
                      minProtocolVersion:
                        description: 'Optional: Minimum TLS protocol version.'
                        enum:
                        - TLS_AUTO
                        - TLSV1_0
                        - TLSV1_1
                        - TLSV1_2
                        - TLSV1_3
                        type: string
                      # No description in the schema. From the names and the
                      # REQUIRED notes around it: SIMPLE terminates TLS with a
                      # server certificate only, MUTUAL additionally requires a
                      # client certificate; the PASSTHROUGH variants presumably
                      # forward TLS unterminated. Confirm against the docs.
                      mode:
                        enum:
                        - PASSTHROUGH
                        - SIMPLE
                        - MUTUAL
                        - AUTO_PASSTHROUGH
                        - ISTIO_MUTUAL
                        type: string
                      # A file path on the proxy; the key material then has to be
                      # mounted into the gateway pod.
                      privateKey:
                        description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                        format: string
                        type: string
                      serverCertificate:
                        description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                        format: string
                        type: string
                      # The three lists below carry no description; presumably
                      # they constrain the client certificate accepted in MUTUAL
                      # mode (allowed SANs, certificate hash pins, SPKI pins).
                      subjectAltNames:
                        items:
                          format: string
                          type: string
                        type: array
                      verifyCertificateHash:
                        items:
                          format: string
                          type: string
                        type: array
                      verifyCertificateSpki:
                        items:
                          format: string
                          type: string
                        type: array
                    type: object
                type: object
              type: array
          type: object
        status:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      type: object
  versions:
  - name: v1alpha3
    served: true
    storage: true
  - name: v1beta1
    served: true
    storage: false
---
# ServiceEntry: adds hosts (inside or outside the mesh) to Istio's service
# registry. Generated file; the comments below are reviewer notes only.
# NOTE(review): whoever may create ServiceEntries in a namespace can make the
# mesh route traffic for an arbitrary host name to addresses of their choosing,
# and via exportTo make that visible to other namespaces. Treat the create/
# update verbs on this resource as privileged.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: serviceentries.networking.istio.io
spec:
  additionalPrinterColumns:
  - JSONPath: .spec.hosts
    description: The hosts associated with the ServiceEntry
    name: Hosts
    type: string
  - JSONPath: .spec.location
    description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL
      or MESH_INTERNAL)
    name: Location
    type: string
  - JSONPath: .spec.resolution
    description: Service discovery mode for the hosts (NONE, STATIC, or DNS)
    name: Resolution
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: 'CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
      lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
    name: Age
    type: date
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: ServiceEntry
    listKind: ServiceEntryList
    plural: serviceentries
    shortNames:
    - se
    singular: serviceentry
  preserveUnknownFields: false
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration affecting service registry. See more details
            at: https://istio.io/docs/reference/config/networking/service-entry.html'
          properties:
            addresses:
              description: The virtual IP addresses associated with the service.
              items:
                format: string
                type: string
              type: array
            endpoints:
              description: One or more endpoints associated with the service.
              items:
                properties:
                  # No description in the schema; an IP or host name, presumably
                  # depending on `resolution`. Confirm.
                  address:
                    format: string
                    type: string
                  labels:
                    additionalProperties:
                      format: string
                      type: string
                    description: One or more labels associated with the endpoint.
                    type: object
                  locality:
                    description: The locality associated with the endpoint.
                    format: string
                    type: string
                  network:
                    format: string
                    type: string
                  ports:
                    additionalProperties:
                      type: integer
                    description: Set of ports associated with the endpoint.
                    type: object
                  # NOTE(review): undocumented in the schema; presumably the
                  # identity this endpoint is expected to present under mTLS.
                  # If so, it is an assertion about a remote peer made by the
                  # author of the ServiceEntry. Confirm against the docs.
                  serviceAccount:
                    format: string
                    type: string
                  weight:
                    description: The load balancing weight associated with the endpoint.
                    type: integer
                type: object
              type: array
            exportTo:
              description: A list of namespaces to which this service is exported.
              items:
                format: string
                type: string
              type: array
            hosts:
              description: The hosts associated with the ServiceEntry.
              items:
                format: string
                type: string
              type: array
            location:
              enum:
              - MESH_EXTERNAL
              - MESH_INTERNAL
              type: string
            ports:
              description: The ports associated with the external service.
              items:
                properties:
                  name:
                    description: Label assigned to the port.
                    format: string
                    type: string
                  number:
                    # NOTE(review): no minimum/maximum in the schema; the range
                    # is only checked by Istio's validation webhook.
                    description: A valid non-negative integer port number.
                    type: integer
                  protocol:
                    description: The protocol exposed on the port.
                    format: string
                    type: string
                  targetPort:
                    type: integer
                type: object
              type: array
            resolution:
              description: Service discovery mode for the hosts.
              enum:
              - NONE
              - STATIC
              - DNS
              type: string
            # No description in the schema; presumably the SANs expected in the
            # peer certificate when the mesh originates TLS to these hosts.
            subjectAltNames:
              items:
                format: string
                type: string
              type: array
            workloadSelector:
              description: Applicable only for MESH_INTERNAL services.
              properties:
                labels:
                  additionalProperties:
                    format: string
                    type: string
                  type: object
              type: object
          type: object
        status:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      type: object
  versions:
  - name: v1alpha3
    served: true
    storage: true
  - name: v1beta1
    served: true
    storage: false
---
# Sidecar: restricts which hosts/ports a workload's proxy may reach or accept
# and how unknown outbound destinations are treated. Generated file; the
# comments below are reviewer notes only.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: sidecars.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: Sidecar
    listKind: SidecarList
    plural: sidecars
    singular: sidecar
  preserveUnknownFields: false
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration affecting network reachability of a sidecar.
            See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
          properties:
            egress:
              items:
                properties:
                  bind:
                    format: string
                    type: string
                  # No description in the schema. NONE presumably means the
                  # traffic is not redirected through the proxy at all, so mesh
                  # policy would not apply to it. Confirm against the docs.
                  captureMode:
                    enum:
                    - DEFAULT
                    - IPTABLES
                    - NONE
                    type: string
                  # No description in the schema; presumably the hosts this
                  # listener is allowed to reach. Confirm.
                  hosts:
                    items:
                      format: string
                      type: string
                    type: array
                  port:
                    description: The port associated with the listener.
                    properties:
                      name:
                        description: Label assigned to the port.
                        format: string
                        type: string
                      number:
                        description: A valid non-negative integer port number.
                        type: integer
                      protocol:
                        description: The protocol exposed on the port.
                        format: string
                        type: string
                      targetPort:
                        type: integer
                    type: object
                type: object
              type: array
            ingress:
              items:
                properties:
                  bind:
                    description: The IP to which the listener should be bound.
                    format: string
                    type: string
                  captureMode:
                    enum:
                    - DEFAULT
                    - IPTABLES
                    - NONE
                    type: string
                  defaultEndpoint:
                    format: string
                    type: string
                  port:
                    description: The port associated with the listener.
                    properties:
                      name:
                        description: Label assigned to the port.
                        format: string
                        type: string
                      number:
                        description: A valid non-negative integer port number.
                        type: integer
                      protocol:
                        description: The protocol exposed on the port.
                        format: string
                        type: string
                      targetPort:
                        type: integer
                    type: object
                type: object
              type: array
            outboundTrafficPolicy:
              description: Configuration for the outbound traffic policy.
              properties:
                egressProxy:
                  properties:
                    host:
                      description: The name of a service from the service registry.
                      format: string
                      type: string
                    port:
                      description: Specifies the port on the host that is being addressed.
                      properties:
                        number:
                          type: integer
                      type: object
                    subset:
                      description: The name of a subset within the service.
                      format: string
                      type: string
                  type: object
                # NOTE(review): no description in the schema. From the names,
                # REGISTRY_ONLY limits egress to hosts known to the registry while
                # ALLOW_ANY forwards to any destination; for egress control use
                # REGISTRY_ONLY and model permitted external hosts as
                # ServiceEntries. Confirm against the docs.
                mode:
                  enum:
                  - REGISTRY_ONLY
                  - ALLOW_ANY
                  type: string
              type: object
            workloadSelector:
              properties:
                labels:
                  additionalProperties:
                    format: string
                    type: string
                  type: object
              type: object
          type: object
        status:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      type: object
  versions:
  - name: v1alpha3
    served: true
    storage: true
  - name: v1beta1
    served: true
    storage: false
---
# VirtualService: HTTP/TCP/TLS routing rules applied by sidecars and gateways.
# Generated file; the comments below are reviewer notes only.
# NOTE(review): several fields here (header set/add, rewrite, redirect, fault
# injection, mirroring, delegate) change what a caller sees or where traffic
# goes; write access to VirtualServices is effectively control over in-mesh
# traffic for the hosts listed in spec.hosts.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: virtualservices.networking.istio.io
spec:
  additionalPrinterColumns:
  - JSONPath: .spec.gateways
    description: The names of gateways and sidecars that should apply these routes
    name: Gateways
    type: string
  - JSONPath: .spec.hosts
    description: The destination hosts to which traffic is being sent
    name: Hosts
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: 'CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
      lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
    name: Age
    type: date
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: VirtualService
    listKind: VirtualServiceList
    plural: virtualservices
    shortNames:
    - vs
    singular: virtualservice
  preserveUnknownFields: false
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration affecting label/content routing, sni routing,
            etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
          properties:
            exportTo:
              description: A list of namespaces to which this virtual service is exported.
              items:
                format: string
                type: string
              type: array
            gateways:
              description: The names of gateways and sidecars that should apply these
                routes.
              items:
                format: string
                type: string
              type: array
            hosts:
              description: The destination hosts to which traffic is being sent.
              items:
                format: string
                type: string
              type: array
            http:
              description: An ordered list of route rules for HTTP traffic.
              items:
                properties:
                  corsPolicy:
                    description: Cross-Origin Resource Sharing policy (CORS).
                    properties:
                      # NOTE(review): when true, browsers send cookies/credentials
                      # cross-origin; only combine it with exact origins below.
                      allowCredentials:
                        nullable: true
                        type: boolean
                      allowHeaders:
                        items:
                          format: string
                          type: string
                        type: array
                      allowMethods:
                        description: List of HTTP methods allowed to access the resource.
                        items:
                          format: string
                          type: string
                        type: array
                      # Plain string list; presumably the older exact-match form
                      # superseded by allowOrigins below. Confirm precedence when
                      # both are set.
                      allowOrigin:
                        description: The list of origins that are allowed to perform
                          CORS requests.
                        items:
                          format: string
                          type: string
                        type: array
                      # NOTE(review): a `prefix` or unanchored `regex` pattern
                      # matches every origin sharing that prefix/substring, e.g.
                      # "https://example.com.attacker.net" for the prefix
                      # "https://example.com"; anchor patterns or use `exact`.
                      allowOrigins:
                        description: String patterns that match allowed origins.
                        items:
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - exact
                              - required:
                                - prefix
                              - required:
                                - regex
                          - required:
                            - exact
                          - required:
                            - prefix
                          - required:
                            - regex
                          properties:
                            exact:
                              format: string
                              type: string
                            prefix:
                              format: string
                              type: string
                            regex:
                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                              format: string
                              type: string
                          type: object
                        type: array
                      exposeHeaders:
                        items:
                          format: string
                          type: string
                        type: array
                      maxAge:
                        type: string
                    type: object
                  # Hands routing over to another VirtualService, possibly in a
                  # different namespace; whoever controls that object then
                  # controls this route's traffic.
                  delegate:
                    properties:
                      name:
                        description: Name specifies the name of the delegate VirtualService.
                        format: string
                        type: string
                      namespace:
                        description: Namespace specifies the namespace where the delegate
                          VirtualService resides.
                        format: string
                        type: string
                    type: object
                  # NOTE(review): deliberate aborts/delays; percentage fields are
                  # not bounded by the schema, so a stray rule can take the route
                  # down entirely. Keep fault injection out of production rules.
                  fault:
                    description: Fault injection policy to apply on HTTP traffic at
                      the client side.
                    properties:
                      abort:
                        oneOf:
                        - not:
                            anyOf:
                            - required:
                              - httpStatus
                            - required:
                              - grpcStatus
                            - required:
                              - http2Error
                        - required:
                          - httpStatus
                        - required:
                          - grpcStatus
                        - required:
                          - http2Error
                        properties:
                          grpcStatus:
                            format: string
                            type: string
                          http2Error:
                            format: string
                            type: string
                          httpStatus:
                            description: HTTP status code to use to abort the Http
                              request.
                            format: int32
                            type: integer
                          percentage:
                            description: Percentage of requests to be aborted with
                              the error code provided.
                            properties:
                              value:
                                format: double
                                type: number
                            type: object
                        type: object
                      delay:
                        oneOf:
                        - not:
                            anyOf:
                            - required:
                              - fixedDelay
                            - required:
                              - exponentialDelay
                        - required:
                          - fixedDelay
                        - required:
                          - exponentialDelay
                        properties:
                          exponentialDelay:
                            type: string
                          fixedDelay:
                            description: Add a fixed delay before forwarding the request.
                            type: string
                          # Both `percent` (int) and `percentage` (double) exist;
                          # the schema gives no precedence between them.
                          percent:
                            description: Percentage of requests on which the delay
                              will be injected (0-100).
                            format: int32
                            type: integer
                          percentage:
                            description: Percentage of requests on which the delay
                              will be injected.
                            properties:
                              value:
                                format: double
                                type: number
                            type: object
                        type: object
                    type: object
                  # Header manipulation applied by the proxy. NOTE(review): a
                  # header that downstream services treat as trusted (identity,
                  # tenant) should be `set` here rather than `add`, since `add`
                  # presumably keeps any client-supplied value alongside it;
                  # confirm the add/set semantics against the docs.
                  headers:
                    properties:
                      request:
                        properties:
                          add:
                            additionalProperties:
                              format: string
                              type: string
                            type: object
                          remove:
                            items:
                              format: string
                              type: string
                            type: array
                          set:
                            additionalProperties:
                              format: string
                              type: string
                            type: object
                        type: object
                      response:
                        properties:
                          add:
                            additionalProperties:
                              format: string
                              type: string
                            type: object
                          remove:
                            items:
                              format: string
                              type: string
                            type: array
                          set:
                            additionalProperties:
                              format: string
                              type: string
                            type: object
                        type: object
                    type: object
                  # Match conditions. Everything matched on below except
                  # sourceLabels/sourceNamespace is client-supplied request data.
                  match:
                    items:
                      properties:
                        authority:
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - exact
                              - required:
                                - prefix
                              - required:
                                - regex
                          - required:
                            - exact
                          - required:
                            - prefix
                          - required:
                            - regex
                          properties:
                            exact:
                              format: string
                              type: string
                            prefix:
                              format: string
                              type: string
                            regex:
                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                              format: string
                              type: string
                          type: object
                        gateways:
                          description: Names of gateways where the rule should be
                            applied.
                          items:
                            format: string
                            type: string
                          type: array
                        headers:
                          additionalProperties:
                            oneOf:
                            - not:
                                anyOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - regex
                            - required:
                              - exact
                            - required:
                              - prefix
                            - required:
                              - regex
                            properties:
                              exact:
                                format: string
                                type: string
                              prefix:
                                format: string
                                type: string
                              regex:
                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                                format: string
                                type: string
                            type: object
                          type: object
                        # NOTE(review): case-insensitive URI matching widens a
                        # `prefix`/`exact` rule; check that it cannot be used to
                        # reach a path another, stricter rule was meant to guard.
                        ignoreUriCase:
                          description: Flag to specify whether the URI matching should
                            be case-insensitive.
                          type: boolean
                        method:
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - exact
                              - required:
                                - prefix
                              - required:
                                - regex
                          - required:
                            - exact
                          - required:
                            - prefix
                          - required:
                            - regex
                          properties:
                            exact:
                              format: string
                              type: string
                            prefix:
                              format: string
                              type: string
                            regex:
                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                              format: string
                              type: string
                          type: object
                        name:
                          description: The name assigned to a match.
                          format: string
                          type: string
                        port:
                          description: Specifies the ports on the host that is being
                            addressed.
                          type: integer
                        queryParams:
                          additionalProperties:
                            oneOf:
                            - not:
                                anyOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - regex
                            - required:
                              - exact
                            - required:
                              - prefix
                            - required:
                              - regex
                            properties:
                              exact:
                                format: string
                                type: string
                              prefix:
                                format: string
                                type: string
                              regex:
                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                                format: string
                                type: string
                            type: object
                          description: Query parameters for matching.
                          type: object
                        scheme:
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - exact
                              - required:
                                - prefix
                              - required:
                                - regex
                          - required:
                            - exact
                          - required:
                            - prefix
                          - required:
                            - regex
                          properties:
                            exact:
                              format: string
                              type: string
                            prefix:
                              format: string
                              type: string
                            regex:
                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                              format: string
                              type: string
                          type: object
                        sourceLabels:
                          additionalProperties:
                            format: string
                            type: string
                          type: object
                        sourceNamespace:
                          description: Source namespace constraining the applicability
                            of a rule to workloads in that namespace.
                          format: string
                          type: string
                        uri:
                          oneOf:
                          - not:
                              anyOf:
                              - required:
                                - exact
                              - required:
                                - prefix
                              - required:
                                - regex
                          - required:
                            - exact
                          - required:
                            - prefix
                          - required:
                            - regex
                          properties:
                            exact:
                              format: string
                              type: string
                            prefix:
                              format: string
                              type: string
                            regex:
                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                              format: string
                              type: string
                          type: object
                        withoutHeaders:
                          additionalProperties:
                            oneOf:
                            - not:
                                anyOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - regex
                            - required:
                              - exact
                            - required:
                              - prefix
                            - required:
                              - regex
                            properties:
                              exact:
                                format: string
                                type: string
                              prefix:
                                format: string
                                type: string
                              regex:
                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
                                format: string
                                type: string
                            type: object
                          description: withoutHeader has the same syntax with the
                            header, but has opposite meaning.
                          type: object
                      type: object
                    type: array
                  # Copies of live requests (headers and bodies included) are sent
                  # to this destination; make sure it is trusted to see them.
                  mirror:
                    properties:
                      host:
                        description: The name of a service from the service registry.
                        format: string
                        type: string
                      port:
                        description: Specifies the port on the host that is being
                          addressed.
                        properties:
                          number:
                            type: integer
                        type: object
                      subset:
                        description: The name of a subset within the service.
                        format: string
                        type: string
                    type: object
                  # NOTE(review): three spellings are accepted (mirror_percent,
                  # mirrorPercent, mirrorPercentage); the schema expresses no
                  # precedence between them, confirm which wins if several are set.
                  mirror_percent:
                    description: Percentage of the traffic to be mirrored by the `mirror`
                      field.
                    nullable: true
                    type: integer
                  mirrorPercent:
                    description: Percentage of the traffic to be mirrored by the `mirror`
                      field.
                    nullable: true
                    type: integer
                  mirrorPercentage:
                    description: Percentage of the traffic to be mirrored by the `mirror`
                      field.
                    properties:
                      value:
                        format: double
                        type: number
                    type: object
                  name:
                    description: The name assigned to the route for debugging purposes.
                    format: string
                    type: string
                  # `authority` is a free-form string here, so a redirect can
                  # send clients off-mesh to any host the rule author chooses.
                  redirect:
                    description: A HTTP rule can either redirect or forward (default)
                      traffic.
                    properties:
                      authority:
                        format: string
                        type: string
                      redirectCode:
                        type: integer
                      uri:
                        format: string
                        type: string
                    type: object
                  retries:
                    description: Retry policy for HTTP requests.
                    properties:
                      # Not bounded by the schema; large values amplify load on an
                      # already failing upstream.
                      attempts:
                        description: Number of retries to be allowed for a given request.
                        format: int32
                        type: integer
                      perTryTimeout:
                        description: Timeout per retry attempt for a given request.
                        type: string
                      retryOn:
                        description: Specifies the conditions under which retry takes
                          place.
                        format: string
                        type: string
                      retryRemoteLocalities:
                        description: Flag to specify whether the retries should retry
                          to other localities.
                        nullable: true
                        type: boolean
                    type: object
                  rewrite:
                    description: Rewrite HTTP URIs and Authority headers.
                    properties:
                      # The upstream then sees a Host header the client never
                      # sent; relevant wherever the upstream uses Host for
                      # virtual-host or tenant selection.
                      authority:
                        description: rewrite the Authority/Host header with this value.
                        format: string
                        type: string
                      uri:
                        format: string
                        type: string
                    type: object
                  route:
                    description: A HTTP rule can either redirect or forward (default)
                      traffic.
                    items:
                      properties:
                        destination:
                          properties:
                            host:
                              description: The name of a service from the service
                                registry.
                              format: string
                              type: string
                            port:
                              description: Specifies the port on the host that is
                                being addressed.
                              properties:
                                number:
                                  type: integer
                              type: object
                            subset:
                              description: The name of a subset within the service.
                              format: string
                              type: string
                          type: object
                        headers:
                          properties:
                            request:
                              properties:
                                add:
                                  additionalProperties:
                                    format: string
                                    type: string
                                  type: object
                                remove:
                                  items:
                                    format: string
                                    type: string
                                  type: array
                                set:
                                  additionalProperties:
                                    format: string
                                    type: string
                                  type: object
                              type: object
                            response:
                              properties:
                                add:
                                  additionalProperties:
                                    format: string
                                    type: string
                                  type: object
                                remove:
                                  items:
                                    format: string
                                    type: string
                                  type: array
                                set:
                                  additionalProperties:
                                    format: string
                                    type: string
                                  type: object
                              type: object
                          type: object
                        weight:
                          format: int32
                          type: integer
                      type: object
                    type: array
                  timeout:
                    description: Timeout for HTTP requests, default is disabled.
                    type: string
                type: object
              type: array
            tcp:
              description: An ordered list of route rules for opaque TCP traffic.
              items:
                properties:
                  match:
                    items:
                      properties:
                        destinationSubnets:
                          description: IPv4 or IPv6 ip addresses of destination with
                            optional subnet.
                          items:
                            format: string
                            type: string
                          type: array
                        gateways:
                          description: Names of gateways where the rule should be
                            applied.
                          items:
                            format: string
                            type: string
                          type: array
                        port:
                          description: Specifies the port on the host that is being
                            addressed.
                          type: integer
                        sourceLabels:
                          additionalProperties:
                            format: string
                            type: string
                          type: object
                        sourceNamespace:
                          description: Source namespace constraining the applicability
                            of a rule to workloads in that namespace.
                          format: string
                          type: string
                        # Note the asymmetry: a single string here versus the
                        # list in destinationSubnets.
                        sourceSubnet:
                          description: IPv4 or IPv6 ip address of source with optional
                            subnet.
                          format: string
                          type: string
                      type: object
                    type: array
                  route:
                    description: The destination to which the connection should be
                      forwarded to.
                    items:
                      properties:
                        destination:
                          properties:
                            host:
                              description: The name of a service from the service
                                registry.
                              format: string
                              type: string
                            port:
                              description: Specifies the port on the host that is
                                being addressed.
                              properties:
                                number:
                                  type: integer
                              type: object
                            subset:
                              description: The name of a subset within the service.
                              format: string
                              type: string
                          type: object
                        weight:
                          format: int32
                          type: integer
                      type: object
                    type: array
                type: object
              type: array
            tls:
              items:
                properties:
                  match:
                    items:
                      properties:
                        destinationSubnets:
                          description: IPv4 or IPv6 ip addresses of destination with
                            optional subnet.
                          items:
                            format: string
                            type: string
                          type: array
                        gateways:
                          description: Names of gateways where the rule should be
                            applied.
                          items:
                            format: string
                            type: string
                          type: array
                        port:
                          description: Specifies the port on the host that is being
                            addressed.
                          type: integer
                        # NOTE(review): SNI is sent in the clear by the client and
                        # is not authenticated; a rule keyed on it only decides
                        # where the TLS stream goes, it does not prove the peer
                        # is entitled to that host.
                        sniHosts:
                          description: SNI (server name indicator) to match on.
                          items:
                            format: string
                            type: string
                          type: array
                        sourceLabels:
                          additionalProperties:
                            format: string
                            type: string
                          type: object
                        sourceNamespace:
                          description: Source namespace constraining the applicability
                            of a rule to workloads in that namespace.
                          format: string
                          type: string
                      type: object
                    type: array
                  route:
                    description: The destination to which the connection should be
                      forwarded to.
                    items:
                      properties:
                        destination:
                          properties:
                            host:
                              description: The name of a service from the service
                                registry.
                              format: string
                              type: string
                            port:
                              description: Specifies the port on the host that is
                                being addressed.
                              properties:
                                number:
                                  type: integer
                              type: object
                            subset:
                              description: The name of a subset within the service.
                              format: string
                              type: string
                          type: object
                        weight:
                          format: int32
                          type: integer
                      type: object
                    type: array
                type: object
              type: array
          type: object
        status:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      type: object
  versions:
  - name: v1alpha3
    served: true
    storage: true
  - name: v1beta1
    served: true
    storage: false
---
# WorkloadEntry: registers a non-Kubernetes workload (e.g. a VM) as a single
# mesh endpoint. Generated file; the comments below are reviewer notes only.
# NOTE(review): the object couples an address with labels and a serviceAccount,
# i.e. it asserts which identity and which selectors a remote endpoint matches.
# Write access to it should be restricted like Pod creation in the namespace.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: workloadentries.networking.istio.io
spec:
  additionalPrinterColumns:
  - JSONPath: .metadata.creationTimestamp
    description: 'CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
      lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
    name: Age
    type: date
  - JSONPath: .spec.address
    description: Address associated with the network endpoint.
    name: Address
    type: string
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: WorkloadEntry
    listKind: WorkloadEntryList
    plural: workloadentries
    shortNames:
    - we
    singular: workloadentry
  preserveUnknownFields: false
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration affecting VMs onboarded into the mesh. See more
            details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
          properties:
            # No description in the schema; the printer column above calls it the
            # address of the network endpoint.
            address:
              format: string
              type: string
            labels:
              additionalProperties:
                format: string
                type: string
              description: One or more labels associated with the endpoint.
              type: object
            locality:
              description: The locality associated with the endpoint.
              format: string
              type: string
            network:
              format: string
              type: string
            ports:
              additionalProperties:
                type: integer
              description: Set of ports associated with the endpoint.
              type: object
            # Undocumented in the schema; presumably the identity the endpoint is
            # expected to present under mTLS. Confirm against the docs.
            serviceAccount:
              format: string
              type: string
            weight:
              description: The load balancing weight associated with the endpoint.
              type: integer
          type: object
        status:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      type: object
  versions:
  - name: v1alpha3
    served: true
    storage: true
  - name: v1beta1
    served: true
    storage: false
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: workloadgroups.networking.istio.io
|
|
spec:
|
|
additionalPrinterColumns:
|
|
- JSONPath: .metadata.creationTimestamp
|
|
description: 'CreationTimestamp is a timestamp representing the server time when
|
|
this object was created. It is not guaranteed to be set in happens-before order
|
|
across separate operations. Clients may not set this value. It is represented
|
|
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
|
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
|
|
name: Age
|
|
type: date
|
|
group: networking.istio.io
|
|
names:
|
|
categories:
|
|
- istio-io
|
|
- networking-istio-io
|
|
kind: WorkloadGroup
|
|
listKind: WorkloadGroupList
|
|
plural: workloadgroups
|
|
shortNames:
|
|
- wg
|
|
singular: workloadgroup
|
|
preserveUnknownFields: false
|
|
scope: Namespaced
|
|
subresources:
|
|
status: {}
|
|
validation:
|
|
openAPIV3Schema:
|
|
properties:
|
|
spec:
|
|
description: 'Describes a collection of workload instances. See more details
|
|
at: https://istio.io/docs/reference/config/networking/workload-group.html'
|
|
properties:
|
|
metadata:
|
|
description: Metadata that will be used for all corresponding `WorkloadEntries`.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
format: string
|
|
type: string
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
format: string
|
|
type: string
|
|
type: object
|
|
type: object
|
|
probe:
|
|
description: '`ReadinessProbe` describes the configuration the user
|
|
must provide for healthchecking on their workload.'
|
|
oneOf:
|
|
- not:
|
|
anyOf:
|
|
- required:
|
|
- httpGet
|
|
- required:
|
|
- tcpSocket
|
|
- required:
|
|
- exec
|
|
- required:
|
|
- httpGet
|
|
- required:
|
|
- tcpSocket
|
|
- required:
|
|
- exec
|
|
properties:
|
|
exec:
|
|
description: health is determined by how the command that is executed
|
|
exited.
|
|
properties:
|
|
command:
|
|
description: command to run.
|
|
items:
|
|
format: string
|
|
type: string
|
|
type: array
|
|
type: object
|
|
failureThreshold:
|
|
description: Minimum consecutive failures for the probe to be considered
|
|
failed after having succeeded.
|
|
format: int32
|
|
type: integer
|
|
httpGet:
|
|
properties:
|
|
host:
|
|
description: Host name to connect to, defaults to the pod IP.
|
|
format: string
|
|
type: string
|
|
httpHeaders:
|
|
description: headers the proxy will pass on to make the request.
|
|
items:
|
|
properties:
|
|
name:
|
|
format: string
|
|
type: string
|
|
value:
|
|
format: string
|
|
type: string
|
|
type: object
|
|
type: array
|
|
path:
|
|
description: Path to access on the HTTP server.
|
|
format: string
|
|
type: string
|
|
port:
|
|
description: port on which the endpoint lives.
|
|
type: integer
|
|
scheme:
|
|
format: string
|
|
type: string
|
|
type: object
|
|
initialDelaySeconds:
|
|
description: Number of seconds after the container has started before
|
|
readiness probes are initiated.
|
|
format: int32
|
|
type: integer
|
|
periodSeconds:
|
|
description: How often (in seconds) to perform the probe.
|
|
format: int32
|
|
type: integer
|
|
successThreshold:
|
|
description: Minimum consecutive successes for the probe to be considered
|
|
successful after having failed.
|
|
format: int32
|
|
type: integer
|
|
tcpSocket:
|
|
description: health is determined by if the proxy is able to connect.
|
|
properties:
|
|
host:
|
|
format: string
|
|
type: string
|
|
port:
|
|
type: integer
|
|
type: object
|
|
timeoutSeconds:
|
|
description: Number of seconds after which the probe times out.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
template:
|
|
description: Template to be used for the generation of `WorkloadEntry`
|
|
resources that belong to this `WorkloadGroup`.
|
|
properties:
|
|
address:
|
|
format: string
|
|
type: string
|
|
labels:
|
|
additionalProperties:
|
|
format: string
|
|
type: string
|
|
description: One or more labels associated with the endpoint.
|
|
type: object
|
|
locality:
|
|
description: The locality associated with the endpoint.
|
|
format: string
|
|
type: string
|
|
network:
|
|
format: string
|
|
type: string
|
|
ports:
|
|
additionalProperties:
|
|
type: integer
|
|
description: Set of ports associated with the endpoint.
|
|
type: object
|
|
serviceAccount:
|
|
format: string
|
|
type: string
|
|
weight:
|
|
description: The load balancing weight associated with the endpoint.
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
status:
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
versions:
|
|
- name: v1alpha3
|
|
served: true
|
|
storage: true
---
# AuthorizationPolicy CRD (security.istio.io, served and stored as v1beta1).
# NOTE(review): this schema looks machine-generated (every leaf is "Optional."
# with no semantics), so keep hand edits to comments; they will not survive
# regeneration. The schema validates SHAPE only — a policy that passes
# admission can still be wide open (no rules, no selector) or never match.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    istio: security
    release: istio
  name: authorizationpolicies.security.istio.io
spec:
  group: security.istio.io
  names:
    categories:
    - istio-io
    - security-istio-io
    kind: AuthorizationPolicy
    listKind: AuthorizationPolicyList
    plural: authorizationpolicies
    singular: authorizationpolicy
  # Unknown fields are pruned at admission rather than stored. A misspelled
  # key (e.g. a typo in `principals`) is dropped silently and the remaining
  # rule may be broader than intended — diff `kubectl get -o yaml` against
  # what you applied.
  preserveUnknownFields: false
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration for access control on workloads. See more details
            at: https://istio.io/docs/reference/config/security/authorization-policy.html'
          # Generated exclusive-or: `provider` is either absent or present. No
          # other constraint is encoded; in particular it is NOT tied to
          # action=CUSTOM (see `provider` below).
          oneOf:
          - not:
              anyOf:
              - required:
                - provider
          - required:
            - provider
          properties:
            action:
              description: Optional.
              # NOTE(review): no default is encoded here; confirm which action
              # applies when the field is omitted before relying on a policy
              # without an explicit `action`.
              enum:
              - ALLOW
              - DENY
              - AUDIT
              - CUSTOM
              type: string
            provider:
              # Per its description this only makes sense with action CUSTOM,
              # but the schema does not enforce that coupling.
              description: Specifies detailed configuration of the CUSTOM action.
              properties:
                name:
                  description: Specifies the name of the extension provider.
                  format: string
                  type: string
              type: object
            rules:
              description: Optional.
              # Nothing below checks that a rule has any from/to/when clause,
              # that ipBlocks entries are valid CIDRs, or that ports are
              # numeric (they are declared as strings).
              items:
                properties:
                  from:
                    description: Optional.
                    items:
                      properties:
                        source:
                          description: Source specifies the source of a request.
                          properties:
                            # NOTE(review): ipBlocks and remoteIpBlocks are
                            # distinct fields; which one reflects the original
                            # client address (vs. the immediate peer, e.g. a
                            # load balancer) is not described here — confirm
                            # before using either as an access-control
                            # boundary.
                            ipBlocks:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            namespaces:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            notIpBlocks:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            notNamespaces:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            notPrincipals:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            notRemoteIpBlocks:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            notRequestPrincipals:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            # principals presumably refer to the peer (mTLS)
                            # identity and requestPrincipals to the end-user
                            # (JWT) identity — confirm; the schema does not
                            # distinguish them.
                            principals:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            remoteIpBlocks:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            requestPrincipals:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                          type: object
                      type: object
                    type: array
                  to:
                    description: Optional.
                    items:
                      properties:
                        operation:
                          description: Operation specifies the operation of a request.
                          properties:
                            hosts:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            methods:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            notHosts:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            notMethods:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            notPaths:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            # Ports are strings here: no numeric or range
                            # validation at admission.
                            notPorts:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            paths:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            ports:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                          type: object
                      type: object
                    type: array
                  when:
                    description: Optional.
                    items:
                      properties:
                        key:
                          description: The name of an Istio attribute.
                          # Free-form attribute name; an unknown attribute is
                          # not rejected by this schema.
                          format: string
                          type: string
                        notValues:
                          description: Optional.
                          items:
                            format: string
                            type: string
                          type: array
                        values:
                          description: Optional.
                          items:
                            format: string
                            type: string
                          type: array
                      type: object
                    type: array
                type: object
              type: array
            # NOTE(review): selector is optional; what an absent selector
            # scopes the policy to (the namespace, or mesh-wide when created
            # in the root namespace) is not described here — confirm before
            # creating a policy without one.
            selector:
              description: Optional.
              properties:
                matchLabels:
                  additionalProperties:
                    format: string
                    type: string
                  type: object
              type: object
          type: object
        # status is free-form (unknown fields preserved) and is not validated
        # by this schema.
        status:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      type: object
  versions:
  - name: v1beta1
    served: true
    storage: true
---
# PeerAuthentication CRD (security.istio.io/v1beta1): whether a workload's
# sidecar requires mTLS on inbound connections. Shape-only validation, as with
# the other generated CRDs; defaults and precedence between policies cannot be
# expressed here.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    istio: security
    release: istio
  name: peerauthentications.security.istio.io
spec:
  group: security.istio.io
  names:
    categories:
    - istio-io
    - security-istio-io
    kind: PeerAuthentication
    listKind: PeerAuthenticationList
    plural: peerauthentications
    shortNames:
    - pa
    singular: peerauthentication
  preserveUnknownFields: false
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: PeerAuthentication defines how traffic will be tunneled (or
            not) to the sidecar.
          properties:
            mtls:
              description: Mutual TLS settings for workload.
              properties:
                mode:
                  description: Defines the mTLS mode used for peer authentication.
                  # NOTE(review): enum only. By name, STRICT is the only value
                  # that enforces mTLS; PERMISSIVE presumably also accepts
                  # plaintext and UNSET presumably inherits from a wider-scope
                  # policy — confirm against the Istio docs before treating a
                  # workload as mTLS-enforced. "Is any workload still on
                  # DISABLE/PERMISSIVE?" is the audit question for this kind.
                  enum:
                  - UNSET
                  - DISABLE
                  - PERMISSIVE
                  - STRICT
                  type: string
              type: object
            # Map keyed by port number (a YAML map key, i.e. a string); keys
            # are not validated here. Presumably a per-port override of
            # mtls.mode, so one PERMISSIVE port can coexist with a STRICT
            # workload — confirm precedence.
            portLevelMtls:
              additionalProperties:
                properties:
                  mode:
                    description: Defines the mTLS mode used for peer authentication.
                    enum:
                    - UNSET
                    - DISABLE
                    - PERMISSIVE
                    - STRICT
                    type: string
                type: object
              description: Port specific mutual TLS settings.
              type: object
            # ("ChannelAuthentication" in the description below is a stale
            # name; this resource is PeerAuthentication.)
            selector:
              description: The selector determines the workloads to apply the ChannelAuthentication
                on.
              properties:
                matchLabels:
                  additionalProperties:
                    format: string
                    type: string
                  type: object
              type: object
          type: object
        # status is free-form and not validated by this schema.
        status:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      type: object
  versions:
  - name: v1beta1
    served: true
    storage: true
---
# RequestAuthentication CRD (security.istio.io/v1beta1): JWT validation at the
# selected workloads' sidecars.
# NOTE(review): by itself this presumably only validates tokens that ARE
# presented; nothing in this schema rejects a request carrying no token. To
# actually require authentication, pair it with an AuthorizationPolicy that
# requires `requestPrincipals` — confirm against the Istio docs.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    "helm.sh/resource-policy": keep
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    istio: security
    release: istio
  name: requestauthentications.security.istio.io
spec:
  group: security.istio.io
  names:
    categories:
    - istio-io
    - security-istio-io
    kind: RequestAuthentication
    listKind: RequestAuthenticationList
    plural: requestauthentications
    shortNames:
    - ra
    singular: requestauthentication
  preserveUnknownFields: false
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: RequestAuthentication defines what request authentication methods
            are supported by a workload.
          properties:
            jwtRules:
              description: Define the list of JWTs that can be validated at the selected
                workloads' proxy.
              items:
                properties:
                  # NOTE(review): nothing requires a non-empty list; an empty
                  # list presumably skips the `aud` check, so a token minted
                  # for a different service would be accepted — set it.
                  audiences:
                    items:
                      format: string
                      type: string
                    type: array
                  # Keeps the bearer token on the upstream request (the
                  # description has typos: "original", "upstream"). Leave it
                  # false unless the application needs the raw token; a
                  # forwarded token tends to end up in application logs.
                  forwardOriginalToken:
                    description: If set to true, the orginal token will be kept for
                      the ustream request.
                    type: boolean
                  # Where to look for the token, e.g. name Authorization with
                  # prefix "Bearer ". The behaviour when this list is omitted
                  # is not encoded here.
                  fromHeaders:
                    description: List of header locations from which JWT is expected.
                    items:
                      properties:
                        name:
                          description: The HTTP header name.
                          format: string
                          type: string
                        prefix:
                          description: The prefix that should be stripped before decoding
                            the token.
                          format: string
                          type: string
                      type: object
                    type: array
                  # NOTE(review): a JWT taken from a query parameter travels
                  # in URLs — access logs, Referer headers, browser history.
                  # Prefer fromHeaders unless a client truly cannot send
                  # headers.
                  fromParams:
                    description: List of query parameters from which JWT is expected.
                    items:
                      format: string
                      type: string
                    type: array
                  # Presumably matched against the token's `iss` claim —
                  # confirm. The schema does not mark it required.
                  issuer:
                    description: Identifies the issuer that issued the JWT.
                    format: string
                    type: string
                  # Inline key set: no fetch, but key rotation needs a config
                  # change. Exactly one of jwks / jwks_uri / jwksUri should be
                  # set; precedence when several are set is not described here.
                  jwks:
                    description: JSON Web Key Set of public keys to validate signature
                      of the JWT.
                    format: string
                    type: string
                  # Both spellings below are accepted by the schema. The keys
                  # fetched from this URI are only as trustworthy as the fetch:
                  # use https and confirm how the fetching component validates
                  # the server certificate.
                  jwks_uri:
                    format: string
                    type: string
                  jwksUri:
                    format: string
                    type: string
                  # Presumably copies the verified JWT payload into the named
                  # request header for the upstream — confirm, and make sure
                  # the application does not also trust that header on
                  # requests that did not pass through the sidecar.
                  outputPayloadToHeader:
                    format: string
                    type: string
                type: object
              type: array
            selector:
              description: The selector determines the workloads to apply the RequestAuthentication
                on.
              properties:
                matchLabels:
                  additionalProperties:
                    format: string
                    type: string
                  type: object
              type: object
          type: object
        # status is free-form and not validated by this schema.
        status:
          type: object
          x-kubernetes-preserve-unknown-fields: true
      type: object
  versions:
  - name: v1beta1
    served: true
    storage: true
---
---
# Source: crds/crd-operator.yaml
# SYNC WITH manifests/charts/istio-operator/templates
# IstioOperator CRD (install.istio.io/v1alpha1): the install/upgrade spec
# consumed by the operator.
# NOTE(review): unlike the CRDs above, this one does not set
# preserveUnknownFields: false and validates `spec` only as `type: object`, so
# (assuming the v1beta1 default) an IstioOperator spec is stored without
# schema validation — a misspelled component setting is accepted at admission
# and only surfaces, if at all, when the operator reconciles. It also lacks
# the helm.sh/resource-policy: keep annotation the other CRDs carry, so a
# chart uninstall may remove it together with every IstioOperator CR —
# confirm that is intended.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: istiooperators.install.istio.io
  labels:
    release: istio
spec:
  additionalPrinterColumns:
  - JSONPath: .spec.revision
    description: Istio control plane revision
    name: Revision
    type: string
  - JSONPath: .status.status
    description: IOP current state
    type: string
    name: Status
  - JSONPath: .metadata.creationTimestamp
    description: 'CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
      lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
    name: Age
    type: date
  group: install.istio.io
  names:
    kind: IstioOperator
    plural: istiooperators
    singular: istiooperator
    shortNames:
    - iop
    - io
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values.
            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase.
            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        # Opaque object: no component/value schema is enforced here.
        spec:
          description: 'Specification of the desired state of the istio control plane resource.
            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
          type: object
        status:
          description: 'Status describes each of istio control plane component status at the current time.
            0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
            More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
            https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
          type: object
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
---
# Source: base/templates/serviceaccount.yaml
# Identity bound (further down) to the istio-reader-istio-system ClusterRole,
# which includes cluster-wide read of Secrets.
# NOTE(review): automountServiceAccountToken is not set and no pod in the
# visible manifest runs as this SA, so its token presumably only matters where
# it is exported (e.g. into a remote-cluster kubeconfig) — treat any such
# export as a cluster-wide secret-reader credential.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-reader-service-account
  namespace: istio-system
  labels:
    app: istio-reader
    release: istio
---
# Source: base/templates/serviceaccount.yaml
# Control-plane identity for istiod: bound further down to the
# istiod-istio-system ClusterRole and Role (webhook patching, CSR approval,
# cluster-wide Secret read, CA Secret lifecycle in istio-system). Anything
# running as this SA is control-plane privileged; do not reuse it for add-ons.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istiod-service-account
  namespace: istio-system
  labels:
    app: istiod
    release: istio
---
# Source: base/templates/clusterrole.yaml
# Cluster-scoped permissions for istiod (bound to istiod-service-account
# below). RBAC is additive, so the grants below are the union. Rules worth
# auditing are marked NOTE(review); the two with cluster-wide write or secret
# reach are the webhook patch/update rules and the final Secrets rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istiod-istio-system
  labels:
    app: istiod
    release: istio
rules:
  # sidecar injection controller
  # NOTE(review): patch on a cluster-scoped MutatingWebhookConfiguration lets
  # this identity change what the injection webhook matches and where it
  # points — i.e. who gets a sidecar and from whom. istiod's token is therefore
  # a control-plane credential.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "patch"]

  # configuration validation webhook controller
  # Used (per the webhook manifest's own comment) to flip failurePolicy to
  # Fail and set caBundle once istiod is ready; until then the validating
  # webhook is fail-open.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]

  # istio configuration
  # Read-only over every resource in the Istio API groups, all namespaces.
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"]
    verbs: ["get", "watch", "list"]
    resources: ["*"]
  # Full write (incl. delete) on WorkloadEntry in all namespaces — presumably
  # for auto-registration of WorkloadGroup members; it also means a compromised
  # istiod can rewrite mesh endpoints for any service.
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]

  # auto-detect installed CRD definitions
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # discovery and routing
  # Read-only service discovery inputs; note "nodes" is included.
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress controller
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): "*" is the only wildcard verb in this role; the other status
  # subresource rules enumerate verbs. Writing status needs update/patch (and
  # get) — consider listing those instead of "*".
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # required for CA's namespace controller
  # NOTE(review): create/update on ConfigMaps in EVERY namespace with no
  # resourceNames restriction. Presumably used to publish the CA root cert
  # ConfigMap into each namespace; as written it also permits overwriting any
  # ConfigMap anywhere.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]

  # Istiod and bootstrap.
  # NOTE(review): update on certificatesigningrequests/approval plus "approve"
  # on the legacy-unknown signer lets this identity approve CSRs for that
  # signer. Confirm the cluster still serves that signer; where it does not
  # (newer Kubernetes removed it, as far as I recall) these two rules are dead
  # permission and can be dropped.
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
      - "kubernetes.io/legacy-unknown"
    verbs: ["approve"]

  # Used by Istiod to verify the JWT tokens
  # TokenReview is how workload service-account tokens presented to istiod
  # are validated; without it istiod cannot authenticate proxies.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]

  # Used by Istiod to verify gateway SDS
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]

  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]

  # Needed for multicluster secret reading, possibly ingress certs in the future
  # NOTE(review): read of every Secret in every namespace — TLS private keys,
  # service-account tokens, application secrets. The comment scopes the need to
  # multicluster kubeconfig Secrets; if multicluster is not in use, drop this
  # rule or confine it to istio-system with a Role. This is the highest-impact
  # grant in the role.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
# Source: base/templates/clusterrole.yaml
# Read-only view used by istio-reader-service-account (bound below).
# NOTE(review): "reader" includes `secrets` in every namespace — TLS keys and
# service-account tokens cluster-wide — plus TokenReview/SubjectAccessReview
# creation. Wherever this SA's token is exported (a remote-cluster kubeconfig,
# presumably), that destination inherits a cluster-wide secret-reader
# credential; if the consumer does not need Secrets, drop "secrets" from the
# core-group rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-reader-istio-system
  labels:
    app: istio-reader
    release: istio
rules:
  - apiGroups:
      - "config.istio.io"
      - "security.istio.io"
      - "networking.istio.io"
      - "authentication.istio.io"
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # Core resources: service-discovery inputs plus "nodes" and "secrets".
  - apiGroups: [""]
    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
  # Not strictly "read": TokenReview lets the holder validate other service
  # accounts' tokens, SubjectAccessReview lets it query their permissions.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
# Source: base/templates/clusterrolebinding.yaml
# Grants the istio-reader ClusterRole (cluster-wide read incl. Secrets) to
# istio-reader-service-account in istio-system. Cluster-scoped: the SA's
# namespace does not limit what it can read.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-reader-istio-system
  labels:
    app: istio-reader
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-reader-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-reader-service-account
    namespace: istio-system
---
# Source: base/templates/clusterrolebinding.yaml
# Grants the istiod ClusterRole to istiod-service-account in istio-system.
# Keep this binding's subject list to that one SA; adding subjects here hands
# out control-plane privileges (webhook patching, CSR approval, Secret read).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istiod-istio-system
  labels:
    app: istiod
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istiod-istio-system
subjects:
  - kind: ServiceAccount
    name: istiod-service-account
    namespace: istio-system
---
# Source: base/templates/role.yaml
# Namespace-scoped (istio-system) half of istiod's permissions; the
# cluster-wide half is the ClusterRole of the same name.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istiod-istio-system
  namespace: istio-system
  labels:
    app: istiod
    release: istio
rules:
  # permissions to verify the webhook is ready and rejecting
  # invalid config. We use --server-dry-run so no config is persisted.
  # (dry-run is a request flag, not an RBAC constraint: this rule also
  # permits real Gateway creates in istio-system.)
  - apiGroups: ["networking.istio.io"]
    verbs: ["create"]
    resources: ["gateways"]

  # For storing CA secret
  # NOTE(review): full lifecycle, including delete, on EVERY Secret in
  # istio-system — presumably the self-signed CA key the comment refers to,
  # but also any gateway TLS Secrets kept in this namespace. As the TODO says,
  # a resourceNames restriction would narrow get/update/delete; create cannot
  # be narrowed that way, so the tighter options are a dedicated namespace
  # for the CA Secret or an external CA.
  - apiGroups: [""]
    resources: ["secrets"]
    # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
    verbs: ["create", "get", "watch", "list", "update", "delete"]
---
# Source: base/templates/rolebinding.yaml
# Binds the istio-system Role above (Gateway create, full Secret lifecycle in
# this namespace) to istiod-service-account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istiod-istio-system
  namespace: istio-system
  labels:
    app: istiod
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istiod-istio-system
subjects:
  - kind: ServiceAccount
    name: istiod-service-account
    namespace: istio-system
---
# Source: base/templates/validatingwebhookconfiguration.yaml
# Admission gate for all Istio configuration (security.istio.io and
# networking.istio.io).
# NOTE(review): as installed this object is fail-open (failurePolicy: Ignore,
# empty caBundle) and relies on istiod's webhook controller to flip it to Fail
# once istiod is serving. If that never happens (istiod down at install time,
# the update permission on validatingwebhookconfigurations missing, a
# controller bug), every AuthorizationPolicy/PeerAuthentication/VirtualService
# is admitted unvalidated and nothing here reports it — alert on
# `failurePolicy != Fail` or an empty caBundle persisting.
# NOTE(review): admissionregistration.k8s.io/v1beta1 is deprecated on newer
# clusters; the fields v1 requires (sideEffects, admissionReviewVersions) are
# already set, so the move is mostly the apiVersion line — confirm the
# supported cluster range before changing it.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: istiod-istio-system
  labels:
    app: istiod
    release: istio
    istio: istiod
webhooks:
  - name: validation.istio.io
    clientConfig:
      service:
        name: istiod
        namespace: istio-system
        path: "/validate"
      # An empty bundle gives the API server no CA to verify istiod's serving
      # certificate against; combined with failurePolicy: Ignore below this is
      # what makes the bootstrap window fail-open rather than fail-closed.
      caBundle: "" # patched at runtime when the webhook is ready.
    # No namespaceSelector/objectSelector: every namespace (including
    # istio-system), every version and every resource of both groups.
    # DELETE is not listed, so removing a policy — which can widen access —
    # is never validated.
    rules:
      - operations:
          - CREATE
          - UPDATE
        apiGroups:
          - security.istio.io
          - networking.istio.io
        apiVersions:
          - "*"
        resources:
          - "*"
    # Fail open until the validation webhook is ready. The webhook controller
    # will update this to `Fail` and patch in the `caBundle` when the webhook
    # endpoint is ready.
    failurePolicy: Ignore
    # Declaring no side effects is what allows dry-run requests — e.g. the
    # readiness self-check that creates a Gateway with --server-dry-run — to be
    # sent to this webhook at all; keep it None.
    sideEffects: None
    admissionReviewVersions: ["v1beta1", "v1"]