# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: wasmplugins.extensions.istio.io spec: group: extensions.istio.io names: categories: - istio-io - extensions-istio-io kind: WasmPlugin listKind: WasmPluginList plural: wasmplugins singular: wasmplugin scope: Namespaced versions: - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: properties: spec: description: 'Extend the functionality provided by the Istio proxy through WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' properties: failStrategy: description: |- Specifies the failure behavior for the plugin due to fatal errors. Valid Options: FAIL_CLOSE, FAIL_OPEN enum: - FAIL_CLOSE - FAIL_OPEN type: string imagePullPolicy: description: |- The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. Valid Options: IfNotPresent, Always enum: - UNSPECIFIED_POLICY - IfNotPresent - Always type: string imagePullSecret: description: Credentials to use for OCI image pulling. maxLength: 253 minLength: 1 type: string match: description: Specifies the criteria to determine which traffic is passed to WasmPlugin. items: properties: mode: description: |- Criteria for selecting traffic by their direction. Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER enum: - UNDEFINED - CLIENT - SERVER - CLIENT_AND_SERVER type: string ports: description: Criteria for selecting traffic by their destination port. items: properties: number: maximum: 65535 minimum: 1 type: integer required: - number type: object type: array x-kubernetes-list-map-keys: - number x-kubernetes-list-type: map type: object type: array phase: description: |- Determines where in the filter chain this `WasmPlugin` is to be injected. Valid Options: AUTHN, AUTHZ, STATS enum: - UNSPECIFIED_PHASE - AUTHN - AUTHZ - STATS type: string pluginConfig: description: The configuration that will be passed on to the plugin. type: object x-kubernetes-preserve-unknown-fields: true pluginName: description: The plugin name to be used in the Envoy configuration (used to be called `rootID`). maxLength: 256 minLength: 1 type: string priority: description: Determines ordering of `WasmPlugins` in the same `phase`. format: int32 nullable: true type: integer selector: description: Criteria used to select the specific set of pods/VMs on which this plugin configuration should be applied. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object sha256: description: SHA256 checksum that will be used to verify Wasm module or OCI container. pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' type: array type: description: |- Specifies the type of Wasm Extension to be used. Valid Options: HTTP, NETWORK enum: - UNSPECIFIED_PLUGIN_TYPE - HTTP - NETWORK type: string url: description: URL of a Wasm module or OCI container. minLength: 1 type: string x-kubernetes-validations: - message: url must have schema one of [http, https, file, oci] rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', ''oci'', ''file''])' verificationKey: type: string vmConfig: description: Configuration for a Wasm VM. properties: env: description: Specifies environment variables to be injected to this VM. items: properties: name: description: Name of the environment variable. maxLength: 256 minLength: 1 type: string value: description: Value for the environment variable. maxLength: 2048 type: string valueFrom: description: |- Source for the environment variable's value. Valid Options: INLINE, HOST enum: - INLINE - HOST type: string required: - name type: object x-kubernetes-validations: - message: value may only be set when valueFrom is INLINE rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST'' || !has(self.value)' maxItems: 256 type: array x-kubernetes-list-map-keys: - name x-kubernetes-list-type: map type: object required: - url type: object status: type: object x-kubernetes-preserve-unknown-fields: true required: - spec type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: destinationrules.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: DestinationRule listKind: DestinationRuleList plural: destinationrules shortNames: - dr singular: destinationrule scope: Namespaced versions: - additionalPrinterColumns: - description: The name of a service from the service registry jsonPath: .spec.host name: Host type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' properties: exportTo: description: A list of namespaces to which this destination rule is exported. items: type: string type: array host: description: The name of a service from the service registry. type: string subsets: description: One or more named sets that represent individual versions of a service. items: properties: labels: additionalProperties: type: string description: Labels apply a filter over the endpoints of a service in the service registry. type: object name: description: Name of the subset. type: string trafficPolicy: description: Traffic policies that apply to this subset. properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object port: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object type: object maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. properties: version: description: |- The PROXY protocol version to use. Valid Options: V1, V2 enum: - V1 - V2 type: string type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object tunnel: description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. properties: protocol: description: Specifies which protocol to use for tunneling the downstream connection. type: string targetHost: description: Specifies a host to which the downstream connection is tunneled. type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. maximum: 4294967295 minimum: 0 type: integer required: - targetHost - targetPort type: object type: object required: - name type: object type: array trafficPolicy: description: Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection). properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object port: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object type: object maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. properties: version: description: |- The PROXY protocol version to use. Valid Options: V1, V2 enum: - V1 - V2 type: string type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object tunnel: description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. properties: protocol: description: Specifies which protocol to use for tunneling the downstream connection. type: string targetHost: description: Specifies a host to which the downstream connection is tunneled. type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. maximum: 4294967295 minimum: 0 type: integer required: - targetHost - targetPort type: object type: object workloadSelector: description: Criteria used to select the specific set of pods/VMs on which this `DestinationRule` configuration should be applied. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object required: - host type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: The name of a service from the service registry jsonPath: .spec.host name: Host type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' properties: exportTo: description: A list of namespaces to which this destination rule is exported. items: type: string type: array host: description: The name of a service from the service registry. type: string subsets: description: One or more named sets that represent individual versions of a service. items: properties: labels: additionalProperties: type: string description: Labels apply a filter over the endpoints of a service in the service registry. type: object name: description: Name of the subset. type: string trafficPolicy: description: Traffic policies that apply to this subset. properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object port: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object type: object maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. properties: version: description: |- The PROXY protocol version to use. Valid Options: V1, V2 enum: - V1 - V2 type: string type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object tunnel: description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. properties: protocol: description: Specifies which protocol to use for tunneling the downstream connection. type: string targetHost: description: Specifies a host to which the downstream connection is tunneled. type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. maximum: 4294967295 minimum: 0 type: integer required: - targetHost - targetPort type: object type: object required: - name type: object type: array trafficPolicy: description: Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection). properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object port: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object type: object maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. properties: version: description: |- The PROXY protocol version to use. Valid Options: V1, V2 enum: - V1 - V2 type: string type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object tunnel: description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. properties: protocol: description: Specifies which protocol to use for tunneling the downstream connection. type: string targetHost: description: Specifies a host to which the downstream connection is tunneled. type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. maximum: 4294967295 minimum: 0 type: integer required: - targetHost - targetPort type: object type: object workloadSelector: description: Criteria used to select the specific set of pods/VMs on which this `DestinationRule` configuration should be applied. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object required: - host type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: The name of a service from the service registry jsonPath: .spec.host name: Host type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' properties: exportTo: description: A list of namespaces to which this destination rule is exported. items: type: string type: array host: description: The name of a service from the service registry. type: string subsets: description: One or more named sets that represent individual versions of a service. items: properties: labels: additionalProperties: type: string description: Labels apply a filter over the endpoints of a service in the service registry. type: object name: description: Name of the subset. type: string trafficPolicy: description: Traffic policies that apply to this subset. properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object port: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object type: object maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. properties: version: description: |- The PROXY protocol version to use. Valid Options: V1, V2 enum: - V1 - V2 type: string type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object tunnel: description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. properties: protocol: description: Specifies which protocol to use for tunneling the downstream connection. type: string targetHost: description: Specifies a host to which the downstream connection is tunneled. type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. maximum: 4294967295 minimum: 0 type: integer required: - targetHost - targetPort type: object type: object required: - name type: object type: array trafficPolicy: description: Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection). properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - oneOf: - not: anyOf: - required: - ringHash - required: - maglev - required: - ringHash - required: - maglev properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. type: string path: description: Path to set for the cookie. type: string ttl: description: Lifetime of the cookie. type: string required: - name type: object httpHeaderName: description: Hash based on a specific HTTP header. type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. type: string maglev: description: The Maglev load balancer implements consistent hashing to backend hosts. properties: tableSize: description: The table size for Maglev hashing. minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. minimum: 0 type: integer type: object useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. type: string to: additionalProperties: maximum: 4294967295 minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only one of distribute, failover or failoverPriority can be set.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array failoverPriority: description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. items: type: string type: array type: object simple: description: |2- Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH - ROUND_ROBIN - LEAST_REQUEST type: string warmupDurationSecs: description: Represents the warmup duration of Service. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. maximum: 4294967295 minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. maximum: 4294967295 minimum: 0 nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: description: Determines whether to distinguish local origin failures from external errors. type: boolean type: object port: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object type: object maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. properties: version: description: |- The PROXY protocol version to use. Valid Options: V1, V2 enum: - V1 - V2 type: string type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: description: |- Indicates whether connections to this port should be secured using TLS. Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. type: string sni: description: SNI string to present to the server during TLS handshake. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate. items: type: string type: array type: object tunnel: description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. properties: protocol: description: Specifies which protocol to use for tunneling the downstream connection. type: string targetHost: description: Specifies a host to which the downstream connection is tunneled. type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. maximum: 4294967295 minimum: 0 type: integer required: - targetHost - targetPort type: object type: object workloadSelector: description: Criteria used to select the specific set of pods/VMs on which this `DestinationRule` configuration should be applied. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object required: - host type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: envoyfilters.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: EnvoyFilter listKind: EnvoyFilterList plural: envoyfilters singular: envoyfilter scope: Namespaced versions: - name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' properties: configPatches: description: One or more patches with match conditions. items: properties: applyTo: description: |- Specifies where in the Envoy configuration, the patch should be applied. Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER enum: - INVALID - LISTENER - FILTER_CHAIN - NETWORK_FILTER - HTTP_FILTER - ROUTE_CONFIGURATION - VIRTUAL_HOST - HTTP_ROUTE - CLUSTER - EXTENSION_CONFIG - BOOTSTRAP - LISTENER_FILTER type: string match: description: Match on listener/route configuration/cluster. oneOf: - not: anyOf: - required: - listener - required: - routeConfiguration - required: - cluster - required: - listener - required: - routeConfiguration - required: - cluster properties: cluster: description: Match on envoy cluster attributes. properties: name: description: The exact name of the cluster to match. type: string portNumber: description: The service port for which this cluster was generated. maximum: 4294967295 minimum: 0 type: integer service: description: The fully qualified service name for this cluster. type: string subset: description: The subset associated with the service. type: string type: object context: description: |- The specific config generation context to match on. Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY enum: - ANY - SIDECAR_INBOUND - SIDECAR_OUTBOUND - GATEWAY type: string listener: description: Match on envoy listener attributes. properties: filterChain: description: Match a specific filter chain in a listener. properties: applicationProtocols: description: Applies only to sidecars. type: string destinationPort: description: The destination_port value used by a filter chain's match condition. maximum: 4294967295 minimum: 0 type: integer filter: description: The name of a specific filter to apply the patch to. properties: name: description: The filter name to match on. type: string subFilter: description: The next level filter within this filter to match upon. properties: name: description: The filter name to match on. type: string type: object type: object name: description: The name assigned to the filter chain. type: string sni: description: The SNI value used by a filter chain's match condition. type: string transportProtocol: description: Applies only to `SIDECAR_INBOUND` context. type: string type: object listenerFilter: description: Match a specific listener filter. type: string name: description: Match a specific listener by its name. type: string portName: type: string portNumber: description: The service port/gateway port to which traffic is being sent/received. maximum: 4294967295 minimum: 0 type: integer type: object proxy: description: Match on properties associated with a proxy. properties: metadata: additionalProperties: type: string description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. type: object proxyVersion: description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. type: string type: object routeConfiguration: description: Match on envoy HTTP route configuration attributes. properties: gateway: description: The Istio gateway config's namespace/name for which this route configuration was generated. type: string name: description: Route configuration name to match on. type: string portName: description: Applicable only for GATEWAY context. type: string portNumber: description: The service port number or gateway server port number for which this route configuration was generated. maximum: 4294967295 minimum: 0 type: integer vhost: description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. properties: name: description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. type: string route: description: Match a specific route within the virtual host. properties: action: description: |- Match a route with specific action type. Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE enum: - ANY - ROUTE - REDIRECT - DIRECT_RESPONSE type: string name: description: The Route objects generated by default are named as default. type: string type: object type: object type: object type: object patch: description: The patch to apply along with the operation. properties: filterClass: description: |- Determines the filter insertion order. Valid Options: AUTHN, AUTHZ, STATS enum: - UNSPECIFIED - AUTHN - AUTHZ - STATS type: string operation: description: |- Determines how the patch should be applied. Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE enum: - INVALID - MERGE - ADD - REMOVE - INSERT_BEFORE - INSERT_AFTER - INSERT_FIRST - REPLACE type: string value: description: The JSON config of the object being patched. type: object x-kubernetes-preserve-unknown-fields: true type: object type: object type: array priority: description: Priority defines the order in which patch sets are applied within a context. format: int32 type: integer targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. properties: labels: additionalProperties: type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: gateways.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: Gateway listKind: GatewayList plural: gateways shortNames: - gw singular: gateway scope: Namespaced versions: - name: v1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' properties: selector: additionalProperties: type: string description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. type: object servers: description: A list of server specifications. items: properties: bind: description: The ip or the Unix domain socket to which the listener should be bound to. type: string defaultEndpoint: type: string hosts: description: One or more hosts exposed by this gateway. items: type: string type: array name: description: An optional name of the server, when set must be unique across all servers. type: string port: description: The Port on which the proxy should listen for incoming connections. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: maximum: 4294967295 minimum: 0 type: integer required: - number - protocol - name type: object tls: description: Set of TLS related options that govern the server's behavior. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: type: string type: array credentialName: description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. type: string httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string minProtocolVersion: description: |- Optional: Minimum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string mode: description: |- Optional: Indicates whether connections to this port should be secured using TLS. Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate presented by the client. items: type: string type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. items: type: string type: array verifyCertificateSpki: description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. items: type: string type: array type: object required: - port - hosts type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' properties: selector: additionalProperties: type: string description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. type: object servers: description: A list of server specifications. items: properties: bind: description: The ip or the Unix domain socket to which the listener should be bound to. type: string defaultEndpoint: type: string hosts: description: One or more hosts exposed by this gateway. items: type: string type: array name: description: An optional name of the server, when set must be unique across all servers. type: string port: description: The Port on which the proxy should listen for incoming connections. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: maximum: 4294967295 minimum: 0 type: integer required: - number - protocol - name type: object tls: description: Set of TLS related options that govern the server's behavior. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: type: string type: array credentialName: description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. type: string httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string minProtocolVersion: description: |- Optional: Minimum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string mode: description: |- Optional: Indicates whether connections to this port should be secured using TLS. Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate presented by the client. items: type: string type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. items: type: string type: array verifyCertificateSpki: description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. items: type: string type: array type: object required: - port - hosts type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' properties: selector: additionalProperties: type: string description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. type: object servers: description: A list of server specifications. items: properties: bind: description: The ip or the Unix domain socket to which the listener should be bound to. type: string defaultEndpoint: type: string hosts: description: One or more hosts exposed by this gateway. items: type: string type: array name: description: An optional name of the server, when set must be unique across all servers. type: string port: description: The Port on which the proxy should listen for incoming connections. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: maximum: 4294967295 minimum: 0 type: integer required: - number - protocol - name type: object tls: description: Set of TLS related options that govern the server's behavior. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: type: string type: array credentialName: description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. type: string httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string minProtocolVersion: description: |- Optional: Minimum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string mode: description: |- Optional: Indicates whether connections to this port should be secured using TLS. Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate presented by the client. items: type: string type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. items: type: string type: array verifyCertificateSpki: description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. items: type: string type: array type: object required: - port - hosts type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: proxyconfigs.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: ProxyConfig listKind: ProxyConfigList plural: proxyconfigs singular: proxyconfig scope: Namespaced versions: - name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' properties: concurrency: description: The number of worker threads to run. format: int32 minimum: 0 nullable: true type: integer environmentVariables: additionalProperties: maxLength: 2048 type: string description: Additional environment variables for the proxy. type: object image: description: Specifies the details of the proxy image. properties: imageType: description: The image type of the image. type: string type: object selector: description: Optional. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: serviceentries.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: ServiceEntry listKind: ServiceEntryList plural: serviceentries shortNames: - se singular: serviceentry scope: Namespaced versions: - additionalPrinterColumns: - description: The hosts associated with the ServiceEntry jsonPath: .spec.hosts name: Hosts type: string - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) jsonPath: .spec.location name: Location type: string - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) jsonPath: .spec.resolution name: Resolution type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' properties: addresses: description: The virtual IP addresses associated with the service. items: type: string type: array endpoints: description: One or more endpoints associated with the service. items: properties: address: description: Address associated with the network endpoint without the port. maxLength: 256 type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' || self.substring(7,8) == ''@'') : true' - message: UDS may not be a dir rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' labels: additionalProperties: type: string description: One or more labels associated with the endpoint. maxProperties: 256 type: object locality: description: The locality associated with the endpoint. maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer x-kubernetes-validations: - message: port must be between 1-65535 rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. maxProperties: 128 type: object x-kubernetes-validations: - message: port name must be valid rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. maximum: 4294967295 minimum: 0 type: integer type: object x-kubernetes-validations: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' maxItems: 4096 type: array exportTo: description: A list of namespaces to which this service is exported. items: type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: type: string type: array location: description: |- Specify whether the service should be considered external to the mesh or part of the mesh. Valid Options: MESH_EXTERNAL, MESH_INTERNAL enum: - MESH_EXTERNAL - MESH_INTERNAL type: string ports: description: The ports associated with the external service. items: properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: description: The port number on the endpoint where the traffic will be received. maximum: 4294967295 minimum: 0 type: integer required: - number - name type: object type: array resolution: description: |- Service resolution mode for the hosts. Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN enum: - NONE - STATIC - DNS - DNS_ROUND_ROBIN type: string subjectAltNames: description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. items: type: string type: array workloadSelector: description: Applicable only for MESH_INTERNAL services. properties: labels: additionalProperties: type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object required: - hosts type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: The hosts associated with the ServiceEntry jsonPath: .spec.hosts name: Hosts type: string - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) jsonPath: .spec.location name: Location type: string - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) jsonPath: .spec.resolution name: Resolution type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' properties: addresses: description: The virtual IP addresses associated with the service. items: type: string type: array endpoints: description: One or more endpoints associated with the service. items: properties: address: description: Address associated with the network endpoint without the port. maxLength: 256 type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' || self.substring(7,8) == ''@'') : true' - message: UDS may not be a dir rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' labels: additionalProperties: type: string description: One or more labels associated with the endpoint. maxProperties: 256 type: object locality: description: The locality associated with the endpoint. maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer x-kubernetes-validations: - message: port must be between 1-65535 rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. maxProperties: 128 type: object x-kubernetes-validations: - message: port name must be valid rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. maximum: 4294967295 minimum: 0 type: integer type: object x-kubernetes-validations: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' maxItems: 4096 type: array exportTo: description: A list of namespaces to which this service is exported. items: type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: type: string type: array location: description: |- Specify whether the service should be considered external to the mesh or part of the mesh. Valid Options: MESH_EXTERNAL, MESH_INTERNAL enum: - MESH_EXTERNAL - MESH_INTERNAL type: string ports: description: The ports associated with the external service. items: properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: description: The port number on the endpoint where the traffic will be received. maximum: 4294967295 minimum: 0 type: integer required: - number - name type: object type: array resolution: description: |- Service resolution mode for the hosts. Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN enum: - NONE - STATIC - DNS - DNS_ROUND_ROBIN type: string subjectAltNames: description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. items: type: string type: array workloadSelector: description: Applicable only for MESH_INTERNAL services. properties: labels: additionalProperties: type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object required: - hosts type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: The hosts associated with the ServiceEntry jsonPath: .spec.hosts name: Hosts type: string - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) jsonPath: .spec.location name: Location type: string - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) jsonPath: .spec.resolution name: Resolution type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' properties: addresses: description: The virtual IP addresses associated with the service. items: type: string type: array endpoints: description: One or more endpoints associated with the service. items: properties: address: description: Address associated with the network endpoint without the port. maxLength: 256 type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' || self.substring(7,8) == ''@'') : true' - message: UDS may not be a dir rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' labels: additionalProperties: type: string description: One or more labels associated with the endpoint. maxProperties: 256 type: object locality: description: The locality associated with the endpoint. maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer x-kubernetes-validations: - message: port must be between 1-65535 rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. maxProperties: 128 type: object x-kubernetes-validations: - message: port name must be valid rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. maximum: 4294967295 minimum: 0 type: integer type: object x-kubernetes-validations: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' maxItems: 4096 type: array exportTo: description: A list of namespaces to which this service is exported. items: type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: type: string type: array location: description: |- Specify whether the service should be considered external to the mesh or part of the mesh. Valid Options: MESH_EXTERNAL, MESH_INTERNAL enum: - MESH_EXTERNAL - MESH_INTERNAL type: string ports: description: The ports associated with the external service. items: properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: description: The port number on the endpoint where the traffic will be received. maximum: 4294967295 minimum: 0 type: integer required: - number - name type: object type: array resolution: description: |- Service resolution mode for the hosts. Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN enum: - NONE - STATIC - DNS - DNS_ROUND_ROBIN type: string subjectAltNames: description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. items: type: string type: array workloadSelector: description: Applicable only for MESH_INTERNAL services. properties: labels: additionalProperties: type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object required: - hosts type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: sidecars.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: Sidecar listKind: SidecarList plural: sidecars singular: sidecar scope: Namespaced versions: - name: v1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: egress: description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. items: properties: bind: description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. type: string captureMode: description: |- When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). Valid Options: DEFAULT, IPTABLES, NONE enum: - DEFAULT - IPTABLES - NONE type: string hosts: description: One or more service hosts exposed by the listener in `namespace/dnsName` format. items: type: string type: array port: description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: maximum: 4294967295 minimum: 0 type: integer type: object required: - hosts type: object type: array inboundConnectionPool: description: Settings controlling the volume of connections Envoy will accept from the network. properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object ingress: description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: bind: description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string captureMode: description: |- The captureMode option dictates how traffic to the listener is expected to be captured (or not). Valid Options: DEFAULT, IPTABLES, NONE enum: - DEFAULT - IPTABLES - NONE type: string connectionPool: description: Settings controlling the volume of connections Envoy will accept from the network. properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object defaultEndpoint: description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: maximum: 4294967295 minimum: 0 type: integer type: object tls: description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: type: string type: array credentialName: description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. type: string httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string minProtocolVersion: description: |- Optional: Minimum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string mode: description: |- Optional: Indicates whether connections to this port should be secured using TLS. Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate presented by the client. items: type: string type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. items: type: string type: array verifyCertificateSpki: description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. items: type: string type: array type: object required: - port type: object type: array outboundTrafficPolicy: description: Configuration for the outbound traffic policy. properties: egressProxy: properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object mode: description: |2- Valid Options: REGISTRY_ONLY, ALLOW_ANY enum: - REGISTRY_ONLY - ALLOW_ANY type: string type: object workloadSelector: description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: labels: additionalProperties: type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: egress: description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. items: properties: bind: description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. type: string captureMode: description: |- When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). Valid Options: DEFAULT, IPTABLES, NONE enum: - DEFAULT - IPTABLES - NONE type: string hosts: description: One or more service hosts exposed by the listener in `namespace/dnsName` format. items: type: string type: array port: description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: maximum: 4294967295 minimum: 0 type: integer type: object required: - hosts type: object type: array inboundConnectionPool: description: Settings controlling the volume of connections Envoy will accept from the network. properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object ingress: description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: bind: description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string captureMode: description: |- The captureMode option dictates how traffic to the listener is expected to be captured (or not). Valid Options: DEFAULT, IPTABLES, NONE enum: - DEFAULT - IPTABLES - NONE type: string connectionPool: description: Settings controlling the volume of connections Envoy will accept from the network. properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object defaultEndpoint: description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: maximum: 4294967295 minimum: 0 type: integer type: object tls: description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: type: string type: array credentialName: description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. type: string httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string minProtocolVersion: description: |- Optional: Minimum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string mode: description: |- Optional: Indicates whether connections to this port should be secured using TLS. Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate presented by the client. items: type: string type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. items: type: string type: array verifyCertificateSpki: description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. items: type: string type: array type: object required: - port type: object type: array outboundTrafficPolicy: description: Configuration for the outbound traffic policy. properties: egressProxy: properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object mode: description: |2- Valid Options: REGISTRY_ONLY, ALLOW_ANY enum: - REGISTRY_ONLY - ALLOW_ANY type: string type: object workloadSelector: description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: labels: additionalProperties: type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: egress: description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. items: properties: bind: description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. type: string captureMode: description: |- When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). Valid Options: DEFAULT, IPTABLES, NONE enum: - DEFAULT - IPTABLES - NONE type: string hosts: description: One or more service hosts exposed by the listener in `namespace/dnsName` format. items: type: string type: array port: description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: maximum: 4294967295 minimum: 0 type: integer type: object required: - hosts type: object type: array inboundConnectionPool: description: Settings controlling the volume of connections Envoy will accept from the network. properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object ingress: description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: bind: description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string captureMode: description: |- The captureMode option dictates how traffic to the listener is expected to be captured (or not). Valid Options: DEFAULT, IPTABLES, NONE enum: - DEFAULT - IPTABLES - NONE type: string connectionPool: description: Settings controlling the volume of connections Envoy will accept from the network. properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: |- Specify if http1.1 connection should be upgraded to http2 for the associated destination. Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. format: int32 type: integer maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. maximum: 4294967295 minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: object type: object defaultEndpoint: description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: maximum: 4294967295 minimum: 0 type: integer type: object tls: description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string caCrl: description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: type: string type: array credentialName: description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. type: string httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string minProtocolVersion: description: |- Optional: Minimum TLS protocol version. Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string mode: description: |- Optional: Indicates whether connections to this port should be secured using TLS. Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string subjectAltNames: description: A list of alternate names to verify the subject identity in the certificate presented by the client. items: type: string type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. items: type: string type: array verifyCertificateSpki: description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. items: type: string type: array type: object required: - port type: object type: array outboundTrafficPolicy: description: Configuration for the outbound traffic policy. properties: egressProxy: properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object mode: description: |2- Valid Options: REGISTRY_ONLY, ALLOW_ANY enum: - REGISTRY_ONLY - ALLOW_ANY type: string type: object workloadSelector: description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: labels: additionalProperties: type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: virtualservices.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: VirtualService listKind: VirtualServiceList plural: virtualservices shortNames: - vs singular: virtualservice scope: Namespaced versions: - additionalPrinterColumns: - description: The names of gateways and sidecars that should apply these routes jsonPath: .spec.gateways name: Gateways type: string - description: The destination hosts to which traffic is being sent jsonPath: .spec.hosts name: Hosts type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' properties: exportTo: description: A list of namespaces to which this virtual service is exported. items: type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: type: string type: array http: description: An ordered list of route rules for HTTP traffic. items: properties: corsPolicy: description: Cross-Origin Resource Sharing policy (CORS). properties: allowCredentials: description: Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. nullable: true type: boolean allowHeaders: description: List of HTTP headers that can be used when requesting the resource. items: type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: type: string type: array allowOrigin: items: type: string type: array allowOrigins: description: String patterns that match allowed origins. items: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object type: array exposeHeaders: description: A list of HTTP headers that the browsers are allowed to access. items: type: string type: array maxAge: description: Specifies how long the results of a preflight request can be cached. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') unmatchedPreflights: description: |- Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. Valid Options: FORWARD, IGNORE enum: - UNSPECIFIED - FORWARD - IGNORE type: string type: object delegate: description: Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute. properties: name: description: Name specifies the name of the delegate VirtualService. type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. type: string type: object directResponse: description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. properties: body: description: Specifies the content of the response body. oneOf: - not: anyOf: - required: - string - required: - bytes - required: - string - required: - bytes properties: bytes: description: response body as base64 encoded bytes. format: binary type: string string: type: string type: object status: description: Specifies the HTTP response status to be returned. maximum: 4294967295 minimum: 0 type: integer required: - status type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. properties: abort: description: Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty. oneOf: - not: anyOf: - required: - httpStatus - required: - grpcStatus - required: - http2Error - required: - httpStatus - required: - grpcStatus - required: - http2Error properties: grpcStatus: description: GRPC status code to use to abort the request. type: string http2Error: type: string httpStatus: description: HTTP status code to use to abort the Http request. format: int32 type: integer percentage: description: Percentage of requests to be aborted with the error code provided. properties: value: format: double type: number type: object type: object delay: description: Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc. oneOf: - not: anyOf: - required: - fixedDelay - required: - exponentialDelay - required: - fixedDelay - required: - exponentialDelay properties: exponentialDelay: type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') fixedDelay: description: Add a fixed delay before forwarding the request. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') percent: description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer percentage: description: Percentage of requests on which the delay will be injected. properties: value: format: double type: number type: object type: object type: object headers: properties: request: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object response: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object type: object match: description: Match conditions to be satisfied for the rule to be activated. items: properties: authority: description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object gateways: description: Names of gateways where the rule should be applied. items: type: string type: array headers: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: The header keys must be lowercase and use hyphen as the separator, e.g. type: object ignoreUriCase: description: Flag to specify whether the URI matching should be case-insensitive. type: boolean method: description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object name: description: The name assigned to a match. type: string port: description: Specifies the ports on the host that is being addressed. maximum: 4294967295 minimum: 0 type: integer queryParams: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: Query parameters for matching. type: object scheme: description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object sourceLabels: additionalProperties: type: string description: One or more labels that constrain the applicability of a rule to source (client) workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string statPrefix: description: The human readable prefix to use when emitting statistics for this route. type: string uri: description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object withoutHeaders: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: withoutHeader has the same syntax with the header, but has opposite meaning. type: object type: object type: array mirror: description: Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object mirror_percent: maximum: 4294967295 minimum: 0 nullable: true type: integer mirrorPercent: maximum: 4294967295 minimum: 0 nullable: true type: integer mirrorPercentage: description: Percentage of the traffic to be mirrored by the `mirror` field. properties: value: format: double type: number type: object mirrors: description: Specifies the destinations to mirror HTTP traffic in addition to the original destination. items: properties: destination: description: Destination specifies the target of the mirror operation. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object percentage: description: Percentage of the traffic to be mirrored by the `destination` field. properties: value: format: double type: number type: object required: - destination type: object type: array name: description: The name assigned to the route for debugging purposes. type: string redirect: description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. oneOf: - not: anyOf: - required: - port - required: - derivePort - required: - port - required: - derivePort properties: authority: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: description: |- On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. maximum: 4294967295 minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. maximum: 4294967295 minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. type: string uri: description: On a redirect, overwrite the Path portion of the URL with this value. type: string type: object retries: description: Retry policy for HTTP requests. properties: attempts: description: Number of retries to be allowed for a given request. format: int32 type: integer perTryTimeout: description: Timeout per attempt for a given request, including the initial call and any retries. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') retryOn: description: Specifies the conditions under which retry takes place. type: string retryRemoteLocalities: description: Flag to specify whether the retries should retry to other localities. nullable: true type: boolean type: object rewrite: description: Rewrite HTTP URIs and Authority headers. properties: authority: description: rewrite the Authority/Host header with this value. type: string uri: description: rewrite the path (or the prefix) portion of the URI with this value. type: string uriRegexRewrite: description: rewrite the path portion of the URI with the specified regex. properties: match: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string rewrite: description: The string that should replace into matching portions of original URI. type: string type: object type: object route: description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. items: properties: destination: description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object headers: properties: request: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object response: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer required: - destination type: object type: array timeout: description: Timeout for HTTP requests, default is disabled. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: array tcp: description: An ordered list of route rules for opaque TCP traffic. items: properties: match: description: Match conditions to be satisfied for the rule to be activated. items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: type: string type: array gateways: description: Names of gateways where the rule should be applied. items: type: string type: array port: description: Specifies the port on the host that is being addressed. maximum: 4294967295 minimum: 0 type: integer sourceLabels: additionalProperties: type: string description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string sourceSubnet: type: string type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer required: - destination type: object type: array type: object type: array tls: description: An ordered list of route rule for non-terminated TLS & HTTPS traffic. items: properties: match: description: Match conditions to be satisfied for the rule to be activated. items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: type: string type: array gateways: description: Names of gateways where the rule should be applied. items: type: string type: array port: description: Specifies the port on the host that is being addressed. maximum: 4294967295 minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. items: type: string type: array sourceLabels: additionalProperties: type: string description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string required: - sniHosts type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer required: - destination type: object type: array required: - match type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: The names of gateways and sidecars that should apply these routes jsonPath: .spec.gateways name: Gateways type: string - description: The destination hosts to which traffic is being sent jsonPath: .spec.hosts name: Hosts type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' properties: exportTo: description: A list of namespaces to which this virtual service is exported. items: type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: type: string type: array http: description: An ordered list of route rules for HTTP traffic. items: properties: corsPolicy: description: Cross-Origin Resource Sharing policy (CORS). properties: allowCredentials: description: Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. nullable: true type: boolean allowHeaders: description: List of HTTP headers that can be used when requesting the resource. items: type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: type: string type: array allowOrigin: items: type: string type: array allowOrigins: description: String patterns that match allowed origins. items: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object type: array exposeHeaders: description: A list of HTTP headers that the browsers are allowed to access. items: type: string type: array maxAge: description: Specifies how long the results of a preflight request can be cached. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') unmatchedPreflights: description: |- Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. Valid Options: FORWARD, IGNORE enum: - UNSPECIFIED - FORWARD - IGNORE type: string type: object delegate: description: Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute. properties: name: description: Name specifies the name of the delegate VirtualService. type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. type: string type: object directResponse: description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. properties: body: description: Specifies the content of the response body. oneOf: - not: anyOf: - required: - string - required: - bytes - required: - string - required: - bytes properties: bytes: description: response body as base64 encoded bytes. format: binary type: string string: type: string type: object status: description: Specifies the HTTP response status to be returned. maximum: 4294967295 minimum: 0 type: integer required: - status type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. properties: abort: description: Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty. oneOf: - not: anyOf: - required: - httpStatus - required: - grpcStatus - required: - http2Error - required: - httpStatus - required: - grpcStatus - required: - http2Error properties: grpcStatus: description: GRPC status code to use to abort the request. type: string http2Error: type: string httpStatus: description: HTTP status code to use to abort the Http request. format: int32 type: integer percentage: description: Percentage of requests to be aborted with the error code provided. properties: value: format: double type: number type: object type: object delay: description: Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc. oneOf: - not: anyOf: - required: - fixedDelay - required: - exponentialDelay - required: - fixedDelay - required: - exponentialDelay properties: exponentialDelay: type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') fixedDelay: description: Add a fixed delay before forwarding the request. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') percent: description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer percentage: description: Percentage of requests on which the delay will be injected. properties: value: format: double type: number type: object type: object type: object headers: properties: request: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object response: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object type: object match: description: Match conditions to be satisfied for the rule to be activated. items: properties: authority: description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object gateways: description: Names of gateways where the rule should be applied. items: type: string type: array headers: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: The header keys must be lowercase and use hyphen as the separator, e.g. type: object ignoreUriCase: description: Flag to specify whether the URI matching should be case-insensitive. type: boolean method: description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object name: description: The name assigned to a match. type: string port: description: Specifies the ports on the host that is being addressed. maximum: 4294967295 minimum: 0 type: integer queryParams: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: Query parameters for matching. type: object scheme: description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object sourceLabels: additionalProperties: type: string description: One or more labels that constrain the applicability of a rule to source (client) workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string statPrefix: description: The human readable prefix to use when emitting statistics for this route. type: string uri: description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object withoutHeaders: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: withoutHeader has the same syntax with the header, but has opposite meaning. type: object type: object type: array mirror: description: Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object mirror_percent: maximum: 4294967295 minimum: 0 nullable: true type: integer mirrorPercent: maximum: 4294967295 minimum: 0 nullable: true type: integer mirrorPercentage: description: Percentage of the traffic to be mirrored by the `mirror` field. properties: value: format: double type: number type: object mirrors: description: Specifies the destinations to mirror HTTP traffic in addition to the original destination. items: properties: destination: description: Destination specifies the target of the mirror operation. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object percentage: description: Percentage of the traffic to be mirrored by the `destination` field. properties: value: format: double type: number type: object required: - destination type: object type: array name: description: The name assigned to the route for debugging purposes. type: string redirect: description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. oneOf: - not: anyOf: - required: - port - required: - derivePort - required: - port - required: - derivePort properties: authority: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: description: |- On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. maximum: 4294967295 minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. maximum: 4294967295 minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. type: string uri: description: On a redirect, overwrite the Path portion of the URL with this value. type: string type: object retries: description: Retry policy for HTTP requests. properties: attempts: description: Number of retries to be allowed for a given request. format: int32 type: integer perTryTimeout: description: Timeout per attempt for a given request, including the initial call and any retries. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') retryOn: description: Specifies the conditions under which retry takes place. type: string retryRemoteLocalities: description: Flag to specify whether the retries should retry to other localities. nullable: true type: boolean type: object rewrite: description: Rewrite HTTP URIs and Authority headers. properties: authority: description: rewrite the Authority/Host header with this value. type: string uri: description: rewrite the path (or the prefix) portion of the URI with this value. type: string uriRegexRewrite: description: rewrite the path portion of the URI with the specified regex. properties: match: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string rewrite: description: The string that should replace into matching portions of original URI. type: string type: object type: object route: description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. items: properties: destination: description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object headers: properties: request: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object response: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer required: - destination type: object type: array timeout: description: Timeout for HTTP requests, default is disabled. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: array tcp: description: An ordered list of route rules for opaque TCP traffic. items: properties: match: description: Match conditions to be satisfied for the rule to be activated. items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: type: string type: array gateways: description: Names of gateways where the rule should be applied. items: type: string type: array port: description: Specifies the port on the host that is being addressed. maximum: 4294967295 minimum: 0 type: integer sourceLabels: additionalProperties: type: string description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string sourceSubnet: type: string type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer required: - destination type: object type: array type: object type: array tls: description: An ordered list of route rule for non-terminated TLS & HTTPS traffic. items: properties: match: description: Match conditions to be satisfied for the rule to be activated. items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: type: string type: array gateways: description: Names of gateways where the rule should be applied. items: type: string type: array port: description: Specifies the port on the host that is being addressed. maximum: 4294967295 minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. items: type: string type: array sourceLabels: additionalProperties: type: string description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string required: - sniHosts type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer required: - destination type: object type: array required: - match type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: The names of gateways and sidecars that should apply these routes jsonPath: .spec.gateways name: Gateways type: string - description: The destination hosts to which traffic is being sent jsonPath: .spec.hosts name: Hosts type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' properties: exportTo: description: A list of namespaces to which this virtual service is exported. items: type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: type: string type: array http: description: An ordered list of route rules for HTTP traffic. items: properties: corsPolicy: description: Cross-Origin Resource Sharing policy (CORS). properties: allowCredentials: description: Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. nullable: true type: boolean allowHeaders: description: List of HTTP headers that can be used when requesting the resource. items: type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: type: string type: array allowOrigin: items: type: string type: array allowOrigins: description: String patterns that match allowed origins. items: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object type: array exposeHeaders: description: A list of HTTP headers that the browsers are allowed to access. items: type: string type: array maxAge: description: Specifies how long the results of a preflight request can be cached. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') unmatchedPreflights: description: |- Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. Valid Options: FORWARD, IGNORE enum: - UNSPECIFIED - FORWARD - IGNORE type: string type: object delegate: description: Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute. properties: name: description: Name specifies the name of the delegate VirtualService. type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. type: string type: object directResponse: description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. properties: body: description: Specifies the content of the response body. oneOf: - not: anyOf: - required: - string - required: - bytes - required: - string - required: - bytes properties: bytes: description: response body as base64 encoded bytes. format: binary type: string string: type: string type: object status: description: Specifies the HTTP response status to be returned. maximum: 4294967295 minimum: 0 type: integer required: - status type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. properties: abort: description: Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty. oneOf: - not: anyOf: - required: - httpStatus - required: - grpcStatus - required: - http2Error - required: - httpStatus - required: - grpcStatus - required: - http2Error properties: grpcStatus: description: GRPC status code to use to abort the request. type: string http2Error: type: string httpStatus: description: HTTP status code to use to abort the Http request. format: int32 type: integer percentage: description: Percentage of requests to be aborted with the error code provided. properties: value: format: double type: number type: object type: object delay: description: Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc. oneOf: - not: anyOf: - required: - fixedDelay - required: - exponentialDelay - required: - fixedDelay - required: - exponentialDelay properties: exponentialDelay: type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') fixedDelay: description: Add a fixed delay before forwarding the request. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') percent: description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer percentage: description: Percentage of requests on which the delay will be injected. properties: value: format: double type: number type: object type: object type: object headers: properties: request: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object response: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object type: object match: description: Match conditions to be satisfied for the rule to be activated. items: properties: authority: description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object gateways: description: Names of gateways where the rule should be applied. items: type: string type: array headers: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: The header keys must be lowercase and use hyphen as the separator, e.g. type: object ignoreUriCase: description: Flag to specify whether the URI matching should be case-insensitive. type: boolean method: description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object name: description: The name assigned to a match. type: string port: description: Specifies the ports on the host that is being addressed. maximum: 4294967295 minimum: 0 type: integer queryParams: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: Query parameters for matching. type: object scheme: description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object sourceLabels: additionalProperties: type: string description: One or more labels that constrain the applicability of a rule to source (client) workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string statPrefix: description: The human readable prefix to use when emitting statistics for this route. type: string uri: description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object withoutHeaders: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: type: string prefix: type: string regex: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: withoutHeader has the same syntax with the header, but has opposite meaning. type: object type: object type: array mirror: description: Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object mirror_percent: maximum: 4294967295 minimum: 0 nullable: true type: integer mirrorPercent: maximum: 4294967295 minimum: 0 nullable: true type: integer mirrorPercentage: description: Percentage of the traffic to be mirrored by the `mirror` field. properties: value: format: double type: number type: object mirrors: description: Specifies the destinations to mirror HTTP traffic in addition to the original destination. items: properties: destination: description: Destination specifies the target of the mirror operation. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object percentage: description: Percentage of the traffic to be mirrored by the `destination` field. properties: value: format: double type: number type: object required: - destination type: object type: array name: description: The name assigned to the route for debugging purposes. type: string redirect: description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. oneOf: - not: anyOf: - required: - port - required: - derivePort - required: - port - required: - derivePort properties: authority: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: description: |- On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. maximum: 4294967295 minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. maximum: 4294967295 minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. type: string uri: description: On a redirect, overwrite the Path portion of the URL with this value. type: string type: object retries: description: Retry policy for HTTP requests. properties: attempts: description: Number of retries to be allowed for a given request. format: int32 type: integer perTryTimeout: description: Timeout per attempt for a given request, including the initial call and any retries. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') retryOn: description: Specifies the conditions under which retry takes place. type: string retryRemoteLocalities: description: Flag to specify whether the retries should retry to other localities. nullable: true type: boolean type: object rewrite: description: Rewrite HTTP URIs and Authority headers. properties: authority: description: rewrite the Authority/Host header with this value. type: string uri: description: rewrite the path (or the prefix) portion of the URI with this value. type: string uriRegexRewrite: description: rewrite the path portion of the URI with the specified regex. properties: match: description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string rewrite: description: The string that should replace into matching portions of original URI. type: string type: object type: object route: description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. items: properties: destination: description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object headers: properties: request: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object response: properties: add: additionalProperties: type: string type: object remove: items: type: string type: array set: additionalProperties: type: string type: object type: object type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer required: - destination type: object type: array timeout: description: Timeout for HTTP requests, default is disabled. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: array tcp: description: An ordered list of route rules for opaque TCP traffic. items: properties: match: description: Match conditions to be satisfied for the rule to be activated. items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: type: string type: array gateways: description: Names of gateways where the rule should be applied. items: type: string type: array port: description: Specifies the port on the host that is being addressed. maximum: 4294967295 minimum: 0 type: integer sourceLabels: additionalProperties: type: string description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string sourceSubnet: type: string type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer required: - destination type: object type: array type: object type: array tls: description: An ordered list of route rule for non-terminated TLS & HTTPS traffic. items: properties: match: description: Match conditions to be satisfied for the rule to be activated. items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: type: string type: array gateways: description: Names of gateways where the rule should be applied. items: type: string type: array port: description: Specifies the port on the host that is being addressed. maximum: 4294967295 minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. items: type: string type: array sourceLabels: additionalProperties: type: string description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string required: - sniHosts type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: host: description: The name of a service from the service registry. type: string port: description: Specifies the port on the host that is being addressed. properties: number: maximum: 4294967295 minimum: 0 type: integer type: object subset: description: The name of a subset within the service. type: string required: - host type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer required: - destination type: object type: array required: - match type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: workloadentries.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: WorkloadEntry listKind: WorkloadEntryList plural: workloadentries shortNames: - we singular: workloadentry scope: Namespaced versions: - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date - description: Address associated with the network endpoint. jsonPath: .spec.address name: Address type: string name: v1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: description: Address associated with the network endpoint without the port. maxLength: 256 type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' || self.substring(7,8) == ''@'') : true' - message: UDS may not be a dir rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' labels: additionalProperties: type: string description: One or more labels associated with the endpoint. maxProperties: 256 type: object locality: description: The locality associated with the endpoint. maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer x-kubernetes-validations: - message: port must be between 1-65535 rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. maxProperties: 128 type: object x-kubernetes-validations: - message: port name must be valid rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. maximum: 4294967295 minimum: 0 type: integer type: object x-kubernetes-validations: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' status: type: object x-kubernetes-preserve-unknown-fields: true required: - spec - spec - spec type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date - description: Address associated with the network endpoint. jsonPath: .spec.address name: Address type: string name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: description: Address associated with the network endpoint without the port. maxLength: 256 type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' || self.substring(7,8) == ''@'') : true' - message: UDS may not be a dir rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' labels: additionalProperties: type: string description: One or more labels associated with the endpoint. maxProperties: 256 type: object locality: description: The locality associated with the endpoint. maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer x-kubernetes-validations: - message: port must be between 1-65535 rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. maxProperties: 128 type: object x-kubernetes-validations: - message: port name must be valid rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. maximum: 4294967295 minimum: 0 type: integer type: object x-kubernetes-validations: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' status: type: object x-kubernetes-preserve-unknown-fields: true required: - spec - spec - spec type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date - description: Address associated with the network endpoint. jsonPath: .spec.address name: Address type: string name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: description: Address associated with the network endpoint without the port. maxLength: 256 type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' || self.substring(7,8) == ''@'') : true' - message: UDS may not be a dir rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' labels: additionalProperties: type: string description: One or more labels associated with the endpoint. maxProperties: 256 type: object locality: description: The locality associated with the endpoint. maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer x-kubernetes-validations: - message: port must be between 1-65535 rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. maxProperties: 128 type: object x-kubernetes-validations: - message: port name must be valid rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. maximum: 4294967295 minimum: 0 type: integer type: object x-kubernetes-validations: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' status: type: object x-kubernetes-preserve-unknown-fields: true required: - spec - spec - spec type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: workloadgroups.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: WorkloadGroup listKind: WorkloadGroupList plural: workloadgroups shortNames: - wg singular: workloadgroup scope: Namespaced versions: - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: properties: spec: description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' properties: metadata: description: Metadata that will be used for all corresponding `WorkloadEntries`. properties: annotations: additionalProperties: type: string type: object labels: additionalProperties: type: string type: object type: object probe: description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' oneOf: - not: anyOf: - required: - httpGet - required: - tcpSocket - required: - exec - required: - httpGet - required: - tcpSocket - required: - exec properties: exec: description: Health is determined by how the command that is executed exited. properties: command: description: Command to run. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the status/able to connect determines health.' properties: host: description: Host name to connect to, defaults to the pod IP. type: string httpHeaders: description: Headers the proxy will pass on to make the request. items: properties: name: type: string value: type: string type: object type: array path: description: Path to access on the HTTP server. type: string port: description: Port on which the endpoint lives. maximum: 4294967295 minimum: 0 type: integer scheme: type: string required: - port type: object initialDelaySeconds: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. properties: host: type: string port: maximum: 4294967295 minimum: 0 type: integer required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 type: integer type: object template: description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. properties: address: description: Address associated with the network endpoint without the port. maxLength: 256 type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' || self.substring(7,8) == ''@'') : true' - message: UDS may not be a dir rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' labels: additionalProperties: type: string description: One or more labels associated with the endpoint. maxProperties: 256 type: object locality: description: The locality associated with the endpoint. maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer x-kubernetes-validations: - message: port must be between 1-65535 rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. maxProperties: 128 type: object x-kubernetes-validations: - message: port name must be valid rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. maximum: 4294967295 minimum: 0 type: integer type: object x-kubernetes-validations: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' required: - template type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha3 schema: openAPIV3Schema: properties: spec: description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' properties: metadata: description: Metadata that will be used for all corresponding `WorkloadEntries`. properties: annotations: additionalProperties: type: string type: object labels: additionalProperties: type: string type: object type: object probe: description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' oneOf: - not: anyOf: - required: - httpGet - required: - tcpSocket - required: - exec - required: - httpGet - required: - tcpSocket - required: - exec properties: exec: description: Health is determined by how the command that is executed exited. properties: command: description: Command to run. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the status/able to connect determines health.' properties: host: description: Host name to connect to, defaults to the pod IP. type: string httpHeaders: description: Headers the proxy will pass on to make the request. items: properties: name: type: string value: type: string type: object type: array path: description: Path to access on the HTTP server. type: string port: description: Port on which the endpoint lives. maximum: 4294967295 minimum: 0 type: integer scheme: type: string required: - port type: object initialDelaySeconds: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. properties: host: type: string port: maximum: 4294967295 minimum: 0 type: integer required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 type: integer type: object template: description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. properties: address: description: Address associated with the network endpoint without the port. maxLength: 256 type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' || self.substring(7,8) == ''@'') : true' - message: UDS may not be a dir rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' labels: additionalProperties: type: string description: One or more labels associated with the endpoint. maxProperties: 256 type: object locality: description: The locality associated with the endpoint. maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer x-kubernetes-validations: - message: port must be between 1-65535 rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. maxProperties: 128 type: object x-kubernetes-validations: - message: port name must be valid rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. maximum: 4294967295 minimum: 0 type: integer type: object x-kubernetes-validations: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' required: - template type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' properties: metadata: description: Metadata that will be used for all corresponding `WorkloadEntries`. properties: annotations: additionalProperties: type: string type: object labels: additionalProperties: type: string type: object type: object probe: description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' oneOf: - not: anyOf: - required: - httpGet - required: - tcpSocket - required: - exec - required: - httpGet - required: - tcpSocket - required: - exec properties: exec: description: Health is determined by how the command that is executed exited. properties: command: description: Command to run. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the status/able to connect determines health.' properties: host: description: Host name to connect to, defaults to the pod IP. type: string httpHeaders: description: Headers the proxy will pass on to make the request. items: properties: name: type: string value: type: string type: object type: array path: description: Path to access on the HTTP server. type: string port: description: Port on which the endpoint lives. maximum: 4294967295 minimum: 0 type: integer scheme: type: string required: - port type: object initialDelaySeconds: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. properties: host: type: string port: maximum: 4294967295 minimum: 0 type: integer required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 type: integer type: object template: description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. properties: address: description: Address associated with the network endpoint without the port. maxLength: 256 type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' || self.substring(7,8) == ''@'') : true' - message: UDS may not be a dir rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' labels: additionalProperties: type: string description: One or more labels associated with the endpoint. maxProperties: 256 type: object locality: description: The locality associated with the endpoint. maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer x-kubernetes-validations: - message: port must be between 1-65535 rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. maxProperties: 128 type: object x-kubernetes-validations: - message: port name must be valid rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. maximum: 4294967295 minimum: 0 type: integer type: object x-kubernetes-validations: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' required: - template type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller istio: security release: istio name: authorizationpolicies.security.istio.io spec: group: security.istio.io names: categories: - istio-io - security-istio-io kind: AuthorizationPolicy listKind: AuthorizationPolicyList plural: authorizationpolicies shortNames: - ap singular: authorizationpolicy scope: Namespaced versions: - additionalPrinterColumns: - description: The operation to take. jsonPath: .spec.action name: Action type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: properties: spec: description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' oneOf: - not: anyOf: - required: - provider - required: - provider properties: action: description: |- Optional. Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY - AUDIT - CUSTOM type: string provider: description: Specifies detailed configuration of the CUSTOM action. properties: name: description: Specifies the name of the extension provider. type: string type: object rules: description: Optional. items: properties: from: description: Optional. items: properties: source: description: Source specifies the source of a request. properties: ipBlocks: description: Optional. items: type: string type: array namespaces: description: Optional. items: type: string type: array notIpBlocks: description: Optional. items: type: string type: array notNamespaces: description: Optional. items: type: string type: array notPrincipals: description: Optional. items: type: string type: array notRemoteIpBlocks: description: Optional. items: type: string type: array notRequestPrincipals: description: Optional. items: type: string type: array principals: description: Optional. items: type: string type: array remoteIpBlocks: description: Optional. items: type: string type: array requestPrincipals: description: Optional. items: type: string type: array type: object type: object type: array to: description: Optional. items: properties: operation: description: Operation specifies the operation of a request. properties: hosts: description: Optional. items: type: string type: array methods: description: Optional. items: type: string type: array notHosts: description: Optional. items: type: string type: array notMethods: description: Optional. items: type: string type: array notPaths: description: Optional. items: type: string type: array notPorts: description: Optional. items: type: string type: array paths: description: Optional. items: type: string type: array ports: description: Optional. items: type: string type: array type: object type: object type: array when: description: Optional. items: properties: key: description: The name of an Istio attribute. type: string notValues: description: Optional. items: type: string type: array values: description: Optional. items: type: string type: array required: - key type: object type: array type: object type: array selector: description: Optional. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: The operation to take. jsonPath: .spec.action name: Action type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' oneOf: - not: anyOf: - required: - provider - required: - provider properties: action: description: |- Optional. Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY - AUDIT - CUSTOM type: string provider: description: Specifies detailed configuration of the CUSTOM action. properties: name: description: Specifies the name of the extension provider. type: string type: object rules: description: Optional. items: properties: from: description: Optional. items: properties: source: description: Source specifies the source of a request. properties: ipBlocks: description: Optional. items: type: string type: array namespaces: description: Optional. items: type: string type: array notIpBlocks: description: Optional. items: type: string type: array notNamespaces: description: Optional. items: type: string type: array notPrincipals: description: Optional. items: type: string type: array notRemoteIpBlocks: description: Optional. items: type: string type: array notRequestPrincipals: description: Optional. items: type: string type: array principals: description: Optional. items: type: string type: array remoteIpBlocks: description: Optional. items: type: string type: array requestPrincipals: description: Optional. items: type: string type: array type: object type: object type: array to: description: Optional. items: properties: operation: description: Operation specifies the operation of a request. properties: hosts: description: Optional. items: type: string type: array methods: description: Optional. items: type: string type: array notHosts: description: Optional. items: type: string type: array notMethods: description: Optional. items: type: string type: array notPaths: description: Optional. items: type: string type: array notPorts: description: Optional. items: type: string type: array paths: description: Optional. items: type: string type: array ports: description: Optional. items: type: string type: array type: object type: object type: array when: description: Optional. items: properties: key: description: The name of an Istio attribute. type: string notValues: description: Optional. items: type: string type: array values: description: Optional. items: type: string type: array required: - key type: object type: array type: object type: array selector: description: Optional. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller istio: security release: istio name: peerauthentications.security.istio.io spec: group: security.istio.io names: categories: - istio-io - security-istio-io kind: PeerAuthentication listKind: PeerAuthenticationList plural: peerauthentications shortNames: - pa singular: peerauthentication scope: Namespaced versions: - additionalPrinterColumns: - description: Defines the mTLS mode used for peer authentication. jsonPath: .spec.mtls.mode name: Mode type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: properties: spec: description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' properties: mtls: description: Mutual TLS settings for workload. properties: mode: description: |- Defines the mTLS mode used for peer authentication. Valid Options: DISABLE, PERMISSIVE, STRICT enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object portLevelMtls: additionalProperties: properties: mode: description: |- Defines the mTLS mode used for peer authentication. Valid Options: DISABLE, PERMISSIVE, STRICT enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object description: Port specific mutual TLS settings. minProperties: 1 type: object x-kubernetes-validations: - message: port must be between 1-65535 rule: self.all(key, 0 < int(key) && int(key) <= 65535) selector: description: The selector determines the workloads to apply the PeerAuthentication on. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object type: object x-kubernetes-validations: - message: portLevelMtls requires selector rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() > 0) || !has(self.portLevelMtls) status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: Defines the mTLS mode used for peer authentication. jsonPath: .spec.mtls.mode name: Mode type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' properties: mtls: description: Mutual TLS settings for workload. properties: mode: description: |- Defines the mTLS mode used for peer authentication. Valid Options: DISABLE, PERMISSIVE, STRICT enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object portLevelMtls: additionalProperties: properties: mode: description: |- Defines the mTLS mode used for peer authentication. Valid Options: DISABLE, PERMISSIVE, STRICT enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object description: Port specific mutual TLS settings. minProperties: 1 type: object x-kubernetes-validations: - message: port must be between 1-65535 rule: self.all(key, 0 < int(key) && int(key) <= 65535) selector: description: The selector determines the workloads to apply the PeerAuthentication on. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object type: object x-kubernetes-validations: - message: portLevelMtls requires selector rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() > 0) || !has(self.portLevelMtls) status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller istio: security release: istio name: requestauthentications.security.istio.io spec: group: security.istio.io names: categories: - istio-io - security-istio-io kind: RequestAuthentication listKind: RequestAuthenticationList plural: requestauthentications shortNames: - ra singular: requestauthentication scope: Namespaced versions: - name: v1 schema: openAPIV3Schema: properties: spec: description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' properties: jwtRules: description: Define the list of JWTs that can be validated at the selected workloads' proxy. items: properties: audiences: description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. items: minLength: 1 type: string type: array forwardOriginalToken: description: If set to true, the original token will be kept for the upstream request. type: boolean fromCookies: description: List of cookie names from which JWT is expected. items: minLength: 1 type: string type: array fromHeaders: description: List of header locations from which JWT is expected. items: properties: name: description: The HTTP header name. minLength: 1 type: string prefix: description: The prefix that should be stripped before decoding the token. type: string required: - name type: object type: array fromParams: description: List of query parameters from which JWT is expected. items: minLength: 1 type: string type: array issuer: description: Identifies the issuer that issued the JWT. minLength: 1 type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT. type: string jwks_uri: description: URL of the provider's public key set to validate signature of the JWT. maxLength: 2048 minLength: 1 type: string x-kubernetes-validations: - message: url must have scheme http:// or https:// rule: url(self).getScheme() in ['http', 'https'] jwksUri: description: URL of the provider's public key set to validate signature of the JWT. maxLength: 2048 minLength: 1 type: string x-kubernetes-validations: - message: url must have scheme http:// or https:// rule: url(self).getScheme() in ['http', 'https'] outputClaimToHeaders: description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. items: properties: claim: description: The name of the claim to be copied from. minLength: 1 type: string header: description: The name of the header to be created. minLength: 1 pattern: ^[-_A-Za-z0-9]+$ type: string required: - header - claim type: object type: array outputPayloadToHeader: description: This field specifies the header name to output a successfully verified JWT payload to the backend. type: string timeout: description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') required: - issuer type: object x-kubernetes-validations: - message: only one of jwks or jwksUri can be set rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 maxItems: 4096 type: array selector: description: Optional. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' type: array type: object x-kubernetes-validations: - message: only one of targetRefs or workloadSelector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' properties: jwtRules: description: Define the list of JWTs that can be validated at the selected workloads' proxy. items: properties: audiences: description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. items: minLength: 1 type: string type: array forwardOriginalToken: description: If set to true, the original token will be kept for the upstream request. type: boolean fromCookies: description: List of cookie names from which JWT is expected. items: minLength: 1 type: string type: array fromHeaders: description: List of header locations from which JWT is expected. items: properties: name: description: The HTTP header name. minLength: 1 type: string prefix: description: The prefix that should be stripped before decoding the token. type: string required: - name type: object type: array fromParams: description: List of query parameters from which JWT is expected. items: minLength: 1 type: string type: array issuer: description: Identifies the issuer that issued the JWT. minLength: 1 type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT. type: string jwks_uri: description: URL of the provider's public key set to validate signature of the JWT. maxLength: 2048 minLength: 1 type: string x-kubernetes-validations: - message: url must have scheme http:// or https:// rule: url(self).getScheme() in ['http', 'https'] jwksUri: description: URL of the provider's public key set to validate signature of the JWT. maxLength: 2048 minLength: 1 type: string x-kubernetes-validations: - message: url must have scheme http:// or https:// rule: url(self).getScheme() in ['http', 'https'] outputClaimToHeaders: description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. items: properties: claim: description: The name of the claim to be copied from. minLength: 1 type: string header: description: The name of the header to be created. minLength: 1 pattern: ^[-_A-Za-z0-9]+$ type: string required: - header - claim type: object type: array outputPayloadToHeader: description: This field specifies the header name to output a successfully verified JWT payload to the backend. type: string timeout: description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') required: - issuer type: object x-kubernetes-validations: - message: only one of jwks or jwksUri can be set rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 maxItems: 4096 type: array selector: description: Optional. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' type: array type: object x-kubernetes-validations: - message: only one of targetRefs or workloadSelector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: app: istio-pilot chart: istio heritage: Tiller istio: telemetry release: istio name: telemetries.telemetry.istio.io spec: group: telemetry.istio.io names: categories: - istio-io - telemetry-istio-io kind: Telemetry listKind: TelemetryList plural: telemetries shortNames: - telemetry singular: telemetry scope: Namespaced versions: - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: properties: spec: description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' properties: accessLogging: description: Optional. items: properties: disabled: description: Controls logging. nullable: true type: boolean filter: description: Optional. properties: expression: description: CEL expression for selecting when requests/connections should be logged. type: string type: object match: description: Allows tailoring of logging behavior to specific conditions. properties: mode: description: |- This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER enum: - CLIENT_AND_SERVER - CLIENT - SERVER type: string type: object providers: description: Optional. items: properties: name: description: Required. minLength: 1 type: string required: - name type: object type: array type: object type: array metrics: description: Optional. items: properties: overrides: description: Optional. items: properties: disabled: description: Optional. nullable: true type: boolean match: description: Match allows providing the scope of the override. oneOf: - not: anyOf: - required: - metric - required: - customMetric - required: - metric - required: - customMetric properties: customMetric: description: Allows free-form specification of a metric. minLength: 1 type: string metric: description: |- One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES enum: - ALL_METRICS - REQUEST_COUNT - REQUEST_DURATION - REQUEST_SIZE - RESPONSE_SIZE - TCP_OPENED_CONNECTIONS - TCP_CLOSED_CONNECTIONS - TCP_SENT_BYTES - TCP_RECEIVED_BYTES - GRPC_REQUEST_MESSAGES - GRPC_RESPONSE_MESSAGES type: string mode: description: |- Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER enum: - CLIENT_AND_SERVER - CLIENT - SERVER type: string type: object tagOverrides: additionalProperties: properties: operation: description: |- Operation controls whether or not to update/add a tag, or to remove it. Valid Options: UPSERT, REMOVE enum: - UPSERT - REMOVE type: string value: description: Value is only considered if the operation is `UPSERT`. type: string type: object x-kubernetes-validations: - message: value must be set when operation is UPSERT rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' - message: value must not be set when operation is REMOVE rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' description: Optional. type: object type: object type: array providers: description: Optional. items: properties: name: description: Required. minLength: 1 type: string required: - name type: object type: array reportingInterval: description: Optional. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: array selector: description: Optional. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' type: array tracing: description: Optional. items: properties: customTags: additionalProperties: oneOf: - not: anyOf: - required: - literal - required: - environment - required: - header - required: - literal - required: - environment - required: - header properties: environment: description: Environment adds the value of an environment variable to each span. properties: defaultValue: description: Optional. type: string name: description: Name of the environment variable from which to extract the tag value. minLength: 1 type: string required: - name type: object header: description: RequestHeader adds the value of an header from the request to each span. properties: defaultValue: description: Optional. type: string name: description: Name of the header from which to extract the tag value. minLength: 1 type: string required: - name type: object literal: description: Literal adds the same, hard-coded value to each span. properties: value: description: The tag value to use. minLength: 1 type: string required: - value type: object type: object description: Optional. type: object disableSpanReporting: description: Controls span reporting. nullable: true type: boolean match: description: Allows tailoring of behavior to specific conditions. properties: mode: description: |- This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER enum: - CLIENT_AND_SERVER - CLIENT - SERVER type: string type: object providers: description: Optional. items: properties: name: description: Required. minLength: 1 type: string required: - name type: object type: array randomSamplingPercentage: description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. format: double maximum: 100 minimum: 0 nullable: true type: number useRequestIdForTraceSampling: nullable: true type: boolean type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: properties: spec: description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' properties: accessLogging: description: Optional. items: properties: disabled: description: Controls logging. nullable: true type: boolean filter: description: Optional. properties: expression: description: CEL expression for selecting when requests/connections should be logged. type: string type: object match: description: Allows tailoring of logging behavior to specific conditions. properties: mode: description: |- This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER enum: - CLIENT_AND_SERVER - CLIENT - SERVER type: string type: object providers: description: Optional. items: properties: name: description: Required. minLength: 1 type: string required: - name type: object type: array type: object type: array metrics: description: Optional. items: properties: overrides: description: Optional. items: properties: disabled: description: Optional. nullable: true type: boolean match: description: Match allows providing the scope of the override. oneOf: - not: anyOf: - required: - metric - required: - customMetric - required: - metric - required: - customMetric properties: customMetric: description: Allows free-form specification of a metric. minLength: 1 type: string metric: description: |- One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES enum: - ALL_METRICS - REQUEST_COUNT - REQUEST_DURATION - REQUEST_SIZE - RESPONSE_SIZE - TCP_OPENED_CONNECTIONS - TCP_CLOSED_CONNECTIONS - TCP_SENT_BYTES - TCP_RECEIVED_BYTES - GRPC_REQUEST_MESSAGES - GRPC_RESPONSE_MESSAGES type: string mode: description: |- Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER enum: - CLIENT_AND_SERVER - CLIENT - SERVER type: string type: object tagOverrides: additionalProperties: properties: operation: description: |- Operation controls whether or not to update/add a tag, or to remove it. Valid Options: UPSERT, REMOVE enum: - UPSERT - REMOVE type: string value: description: Value is only considered if the operation is `UPSERT`. type: string type: object x-kubernetes-validations: - message: value must be set when operation is UPSERT rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' - message: value must not be set when operation is REMOVE rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' description: Optional. type: object type: object type: array providers: description: Optional. items: properties: name: description: Required. minLength: 1 type: string required: - name type: object type: array reportingInterval: description: Optional. type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms rule: duration(self) >= duration('1ms') type: object type: array selector: description: Optional. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains('*')) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object x-kubernetes-validations: - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway'']]' type: array tracing: description: Optional. items: properties: customTags: additionalProperties: oneOf: - not: anyOf: - required: - literal - required: - environment - required: - header - required: - literal - required: - environment - required: - header properties: environment: description: Environment adds the value of an environment variable to each span. properties: defaultValue: description: Optional. type: string name: description: Name of the environment variable from which to extract the tag value. minLength: 1 type: string required: - name type: object header: description: RequestHeader adds the value of an header from the request to each span. properties: defaultValue: description: Optional. type: string name: description: Name of the header from which to extract the tag value. minLength: 1 type: string required: - name type: object literal: description: Literal adds the same, hard-coded value to each span. properties: value: description: The tag value to use. minLength: 1 type: string required: - value type: object type: object description: Optional. type: object disableSpanReporting: description: Controls span reporting. nullable: true type: boolean match: description: Allows tailoring of behavior to specific conditions. properties: mode: description: |- This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER enum: - CLIENT_AND_SERVER - CLIENT - SERVER type: string type: object providers: description: Optional. items: properties: name: description: Required. minLength: 1 type: string required: - name type: object type: array randomSamplingPercentage: description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. format: double maximum: 100 minimum: 0 nullable: true type: number useRequestIdForTraceSampling: nullable: true type: boolean type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {}