apiVersion: v1 kind: ServiceAccount metadata: name: istio-ingressgateway-service-account namespace: istio-system labels: app: istio-ingressgateway istio: ingressgateway release: istio istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "IngressGateways" --- apiVersion: v1 kind: ServiceAccount metadata: name: istio-reader-service-account namespace: istio-system labels: app: istio-reader release: istio --- apiVersion: v1 kind: ServiceAccount metadata: name: istiod-service-account namespace: istio-system labels: app: istiod release: istio --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-reader-istio-system labels: app: istio-reader release: istio rules: - apiGroups: - "config.istio.io" - "security.istio.io" - "networking.istio.io" - "authentication.istio.io" - "rbac.istio.io" resources: ["*"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] verbs: ["get", "list", "watch"] - apiGroups: ["networking.istio.io"] verbs: ["get", "watch", "list"] resources: ["workloadentries"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get", "list", "watch"] - apiGroups: ["apps"] resources: ["replicasets"] verbs: ["get", "list", "watch"] - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"] verbs: ["create"] - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] verbs: ["create"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istiod-istio-system labels: app: istiod release: istio rules: # sidecar injection controller - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] verbs: ["get", "list", "watch", "update", "patch"] # configuration validation webhook controller - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations"] verbs: ["get", "list", "watch", "update"] # istio configuration # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) # please proceed with caution - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] verbs: ["get", "watch", "list"] resources: ["*"] - apiGroups: ["networking.istio.io"] verbs: ["get", "watch", "list", "update", "patch", "create", "delete"] resources: ["workloadentries"] - apiGroups: ["networking.istio.io"] verbs: ["get", "watch", "list", "update", "patch", "create", "delete"] resources: ["workloadentries/status"] # auto-detect installed CRD definitions - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] # discovery and routing - apiGroups: [""] resources: ["pods", "nodes", "services", "namespaces", "endpoints"] verbs: ["get", "list", "watch"] - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get", "list", "watch"] # ingress controller - apiGroups: ["networking.k8s.io"] resources: ["ingresses", "ingressclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["networking.k8s.io"] resources: ["ingresses/status"] verbs: ["*"] # required for CA's namespace controller - apiGroups: [""] resources: ["configmaps"] verbs: ["create", "get", "list", "watch", "update"] # Istiod and bootstrap. - apiGroups: ["certificates.k8s.io"] resources: - "certificatesigningrequests" - "certificatesigningrequests/approval" - "certificatesigningrequests/status" verbs: ["update", "create", "get", "delete", "watch"] - apiGroups: ["certificates.k8s.io"] resources: - "signers" resourceNames: - "kubernetes.io/legacy-unknown" verbs: ["approve"] # Used by Istiod to verify the JWT tokens - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"] verbs: ["create"] # Used by Istiod to verify gateway SDS - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] verbs: ["create"] # Use for Kubernetes Service APIs - apiGroups: ["networking.x-k8s.io"] resources: ["*"] verbs: ["get", "watch", "list"] # Needed for multicluster secret reading, possibly ingress certs in the future - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-reader-istio-system labels: app: istio-reader release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-reader-istio-system subjects: - kind: ServiceAccount name: istio-reader-service-account namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istiod-istio-system labels: app: istiod release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istiod-istio-system subjects: - kind: ServiceAccount name: istiod-service-account namespace: istio-system --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: name: istiod-istio-system labels: app: istiod release: istio istio: istiod webhooks: - name: validation.istio.io clientConfig: service: name: istiod namespace: istio-system path: "/validate" caBundle: "" # patched at runtime when the webhook is ready. rules: - operations: - CREATE - UPDATE apiGroups: - security.istio.io - networking.istio.io apiVersions: - "*" resources: - "*" # Fail open until the validation webhook is ready. The webhook controller # will update this to `Fail` and patch in the `caBundle` when the webhook # endpoint is ready. failurePolicy: Ignore sideEffects: None admissionReviewVersions: ["v1beta1", "v1"] --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: metadata-exchange-1.8 namespace: istio-system labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "Pilot" spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.8.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {} vm_config: runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.8.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {} vm_config: runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange - applyTo: HTTP_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.8.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {} vm_config: runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: metadata-exchange-1.9 namespace: istio-system labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "Pilot" spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.9.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {} vm_config: runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.9.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {} vm_config: runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange - applyTo: HTTP_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.9.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {} vm_config: runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: stats-filter-1.8 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.8.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" subFilter: name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { } vm_config: vm_id: stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.8.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" subFilter: name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_inbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { } vm_config: vm_id: stats_inbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats - applyTo: HTTP_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.8.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" subFilter: name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "disable_host_header_fallback": true } vm_config: vm_id: stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: stats-filter-1.9 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.9.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" subFilter: name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio", "metrics": [ { "dimensions": { "source_cluster": "node.metadata['CLUSTER_ID']", "destination_cluster": "upstream_peer.cluster_id" } } ] } vm_config: vm_id: stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.9.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" subFilter: name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_inbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio", "metrics": [ { "dimensions": { "destination_cluster": "node.metadata['CLUSTER_ID']", "source_cluster": "downstream_peer.cluster_id" } } ] } vm_config: vm_id: stats_inbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats - applyTo: HTTP_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.9.*' listener: filterChain: filter: name: "envoy.filters.network.http_connection_manager" subFilter: name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio", "disable_host_header_fallback": true, "metrics": [ { "dimensions": { "source_cluster": "node.metadata['CLUSTER_ID']", "destination_cluster": "upstream_peer.cluster_id" } } ] } vm_config: vm_id: stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: tcp-metadata-exchange-1.8 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.8.*' listener: {} patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.8.*' cluster: {} patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: context: GATEWAY proxy: proxyVersion: '^1\.8.*' cluster: {} patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: tcp-metadata-exchange-1.9 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.9.*' listener: {} patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.9.*' cluster: {} patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: context: GATEWAY proxy: proxyVersion: '^1\.9.*' cluster: {} patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: tcp-stats-filter-1.8 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.8.*' listener: filterChain: filter: name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_inbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { } vm_config: vm_id: tcp_stats_inbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" - applyTo: NETWORK_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.8.*' listener: filterChain: filter: name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { } vm_config: vm_id: tcp_stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" - applyTo: NETWORK_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.8.*' listener: filterChain: filter: name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { } vm_config: vm_id: tcp_stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: tcp-stats-filter-1.9 namespace: istio-system labels: istio.io/rev: default spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND proxy: proxyVersion: '^1\.9.*' listener: filterChain: filter: name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_inbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio", "metrics": [ { "dimensions": { "destination_cluster": "node.metadata['CLUSTER_ID']", "source_cluster": "downstream_peer.cluster_id" } } ] } vm_config: vm_id: tcp_stats_inbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" - applyTo: NETWORK_FILTER match: context: SIDECAR_OUTBOUND proxy: proxyVersion: '^1\.9.*' listener: filterChain: filter: name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio", "metrics": [ { "dimensions": { "source_cluster": "node.metadata['CLUSTER_ID']", "destination_cluster": "upstream_peer.cluster_id" } } ] } vm_config: vm_id: tcp_stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" - applyTo: NETWORK_FILTER match: context: GATEWAY proxy: proxyVersion: '^1\.9.*' listener: filterChain: filter: name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: root_id: stats_outbound configuration: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { "debug": "false", "stat_prefix": "istio", "metrics": [ { "dimensions": { "source_cluster": "node.metadata['CLUSTER_ID']", "destination_cluster": "upstream_peer.cluster_id" } } ] } vm_config: vm_id: tcp_stats_outbound runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" --- apiVersion: v1 kind: ConfigMap metadata: name: istio namespace: istio-system labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "Pilot" release: istio data: # Configuration file for the mesh networks to be used by the Split Horizon EDS. meshNetworks: |- networks: {} mesh: |- accessLogFile: /dev/stdout defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 proxyMetadata: {} tracing: zipkin: address: zipkin.istio-system:9411 enablePrometheusMerge: true rootNamespace: istio-system tcpKeepalive: interval: 5s probes: 3 time: 10s trustDomain: cluster.local --- apiVersion: v1 kind: ConfigMap metadata: name: istio-sidecar-injector namespace: istio-system labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "Pilot" release: istio data: values: |- { "global": { "arch": { "amd64": 2, "ppc64le": 2, "s390x": 2 }, "caAddress": "", "configValidation": true, "defaultNodeSelector": {}, "defaultPodDisruptionBudget": { "enabled": true }, "defaultResources": { "requests": { "cpu": "10m" } }, "enabled": true, "externalIstiod": false, "hub": "docker.io/istio", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "istio-system", "istiod": { "enableAnalysis": false }, "jwtPolicy": "third-party-jwt", "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "", "enabled": false }, "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, "oneNamespace": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "priorityClassName": "", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "enableCoreDump": false, "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "holdApplicationUntilProxyStarts": false, "image": "proxyv2", "includeIPRanges": "*", "logLevel": "warning", "privileged": false, "readinessFailureThreshold": 30, "readinessInitialDelaySeconds": 1, "readinessPeriodSeconds": 2, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "10m", "memory": "40Mi" } }, "statusPort": 15020, "tracer": "zipkin" }, "proxy_init": { "image": "proxyv2", "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "10m", "memory": "10Mi" } } }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.9.6", "tracer": { "datadog": { "address": "$(HOST_IP):8126" }, "lightstep": { "accessToken": "", "address": "" }, "stackdriver": { "debug": false, "maxNumberOfAnnotations": 200, "maxNumberOfAttributes": 200, "maxNumberOfMessageEvents": 200 }, "zipkin": { "address": "" } }, "trustDomain": "", "useMCP": false }, "istio_cni": { "enabled": false }, "revision": "", "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "objectSelector": { "autoInject": true, "enabled": true }, "rewriteAppHTTPProbe": true, "templates": {}, "useLegacySelectors": true } } # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching # and istiod webhook functionality. # # New fields should not use Values - it is a 'primary' config object, users should be able # to fine tune it or use it with kube-inject. config: |- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template defaultTemplates: [sidecar] policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] injectedAnnotations: template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" templates: sidecar: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} istio.io/rev: {{ .Revision | default "default" | quote }} annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", {{- end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} {{- end }} } spec: {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if .Values.istio_cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init {{ end -}} {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} args: - istio-iptables - "-p" - "15001" - "-z" - "15006" - "-u" - "1337" - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - "-d" {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{- else }} - "15090,15021" {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - "-q" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" {{ end -}} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} {{ if .Values.istio_cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ end -}} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} resources: {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: {{- if not .Values.istio_cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL {{- if not .Values.istio_cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{- else }} readOnlyRootFilesystem: true runAsGroup: 1337 runAsUser: 1337 runAsNonRoot: true {{- end }} restartPolicy: Always {{ end -}} {{- if eq .Values.global.proxy.enableCoreDump true }} - name: enable-core-dump args: - -c - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited command: - /bin/sh {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" resources: {} securityContext: allowPrivilegeEscalation: true capabilities: add: - SYS_ADMIN drop: - ALL privileged: true readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{ end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster {{ if ne "" (index .ObjectMeta.Labels "app") -}} - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" {{ else -}} - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" {{ end -}} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} - --concurrency - "{{ .ProxyConfig.Concurrency.GetValue }}" {{- end -}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- else if $holdProxy }} lifecycle: postStart: exec: command: - pilot-agent - wait {{- end }} env: - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: CANONICAL_SERVICE valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-name'] - name: CANONICAL_REVISION valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{ if .ObjectMeta.Annotations }} - name: ISTIO_METAJSON_ANNOTATIONS value: | {{ toJSON .ObjectMeta.Annotations }} {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end -}} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} add: {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - NET_ADMIN {{- end }} {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - NET_BIND_SERVICE {{- end }} {{- end }} drop: - ALL privileged: {{ .Values.global.proxy.privileged }} readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} runAsGroup: 1337 fsGroup: 1337 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false runAsUser: 0 {{- else -}} runAsNonRoot: true runAsUser: 1337 {{- end }} resources: {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} volumeMounts: {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} volumes: {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - path: "cpu-limit" resourceFieldRef: containerName: istio-proxy resource: limits.cpu divisor: 1m - path: "cpu-request" resourceFieldRef: containerName: istio-proxy resource: requests.cpu divisor: 1m {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: name: istio-ca-root-cert {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - name: lightstep-certs secret: optional: true secretName: lightstep.cacert {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} securityContext: fsGroup: 1337 {{- end }} gateway: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} istio.io/rev: {{ .Revision | default "default" | quote }} annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{ end }} } spec: containers: - name: istio-proxy {{- if contains "/" .Values.global.proxy.image }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster {{ if ne "" (index .ObjectMeta.Labels "app") -}} - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" {{ else -}} - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" {{ end -}} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- end }} env: - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: CANONICAL_SERVICE valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-name'] - name: CANONICAL_REVISION valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE value: "{{ .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{ if .ObjectMeta.Annotations }} - name: ISTIO_METAJSON_ANNOTATIONS value: | {{ toJSON .ObjectMeta.Annotations }} {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} volumeMounts: {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - path: "cpu-limit" resourceFieldRef: containerName: istio-proxy resource: limits.cpu divisor: 1m - path: "cpu-request" resourceFieldRef: containerName: istio-proxy resource: requests.cpu divisor: 1m {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: name: istio-ca-root-cert {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} securityContext: fsGroup: 1337 {{- end }} --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "Pilot" app: sidecar-injector release: istio webhooks: - name: sidecar-injector.istio.io clientConfig: service: name: istiod namespace: istio-system path: "/inject" port: 443 caBundle: "" sideEffects: None rules: - operations: ["CREATE"] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] failurePolicy: Fail admissionReviewVersions: ["v1beta1", "v1"] namespaceSelector: matchLabels: istio-injection: enabled objectSelector: matchExpressions: - key: "sidecar.istio.io/inject" operator: NotIn values: - "false" --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: istio-ingressgateway install.operator.istio.io/owning-resource: unknown istio: ingressgateway istio.io/rev: default operator.istio.io/component: IngressGateways release: istio name: istio-ingressgateway namespace: istio-system spec: selector: matchLabels: app: istio-ingressgateway istio: ingressgateway strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% template: metadata: annotations: prometheus.io/path: /stats/prometheus prometheus.io/port: "15020" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" labels: app: istio-ingressgateway chart: gateways heritage: Tiller install.operator.istio.io/owning-resource: unknown istio: ingressgateway istio.io/rev: default operator.istio.io/component: IngressGateways release: istio service.istio.io/canonical-name: istio-ingressgateway service.istio.io/canonical-revision: latest sidecar.istio.io/inject: "false" spec: affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - preference: matchExpressions: - key: kubernetes.io/arch operator: In values: - amd64 weight: 2 - preference: matchExpressions: - key: kubernetes.io/arch operator: In values: - ppc64le weight: 2 - preference: matchExpressions: - key: kubernetes.io/arch operator: In values: - s390x weight: 2 requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x containers: - args: - proxy - router - --domain - $(POD_NAMESPACE).svc.cluster.local - --proxyLogLevel=warning - --proxyComponentLogLevel=misc:error - --log_output_level=default:info - --serviceCluster - istio-ingressgateway env: - name: JWT_POLICY value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR value: istiod.istio-system.svc:15012 - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: CANONICAL_SERVICE valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-name'] - name: CANONICAL_REVISION valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: ISTIO_META_WORKLOAD_NAME value: istio-ingressgateway - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - name: ISTIO_META_UNPRIVILEGED_POD value: "true" - name: ISTIO_META_ROUTER_MODE value: standard - name: ISTIO_META_CLUSTER_ID value: Kubernetes image: docker.io/istio/proxyv2:1.9.6 name: istio-proxy ports: - containerPort: 15021 protocol: TCP - containerPort: 8080 protocol: TCP - containerPort: 8443 protocol: TCP - containerPort: 31400 protocol: TCP - containerPort: 15443 protocol: TCP - containerPort: 15090 name: http-envoy-prom protocol: TCP readinessProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 resources: limits: cpu: 2000m memory: 1024Mi requests: cpu: 10m memory: 40Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true volumeMounts: - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /etc/istio/config name: config-volume - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/run/secrets/tokens name: istio-token readOnly: true - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/pod name: podinfo - mountPath: /etc/istio/ingressgateway-certs name: ingressgateway-certs readOnly: true - mountPath: /etc/istio/ingressgateway-ca-certs name: ingressgateway-ca-certs readOnly: true securityContext: fsGroup: 1337 runAsGroup: 1337 runAsNonRoot: true runAsUser: 1337 serviceAccountName: istio-ingressgateway-service-account volumes: - configMap: name: istio-ca-root-cert name: istiod-ca-cert - downwardAPI: items: - fieldRef: fieldPath: metadata.labels path: labels - fieldRef: fieldPath: metadata.annotations path: annotations - path: cpu-limit resourceFieldRef: containerName: istio-proxy divisor: 1m resource: limits.cpu - path: cpu-request resourceFieldRef: containerName: istio-proxy divisor: 1m resource: requests.cpu name: podinfo - emptyDir: {} name: istio-envoy - emptyDir: {} name: istio-data - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - configMap: name: istio optional: true name: config-volume - name: ingressgateway-certs secret: optional: true secretName: istio-ingressgateway-certs - name: ingressgateway-ca-certs secret: optional: true secretName: istio-ingressgateway-ca-certs --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: istiod install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default operator.istio.io/component: Pilot release: istio name: istiod namespace: istio-system spec: replicas: 1 selector: matchLabels: istio: pilot strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% template: metadata: annotations: prometheus.io/port: "15014" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" labels: app: istiod install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default operator.istio.io/component: Pilot sidecar.istio.io/inject: "false" spec: containers: - args: - discovery - --monitoringAddr=:15014 - --log_output_level=default:info - --domain - cluster.local - --keepaliveMaxServerConnectionAge - 30m env: - name: REVISION value: default - name: JWT_POLICY value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName - name: KUBECONFIG value: /var/run/secrets/remote/config - name: PILOT_TRACE_SAMPLING value: "100" - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND value: "true" - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND value: "true" - name: ISTIOD_ADDR value: istiod.istio-system.svc:15012 - name: PILOT_ENABLE_ANALYSIS value: "false" - name: CLUSTER_ID value: Kubernetes - name: EXTERNAL_ISTIOD value: "false" image: docker.io/istio/pilot:1.9.6 name: discovery ports: - containerPort: 8080 protocol: TCP - containerPort: 15010 protocol: TCP - containerPort: 15017 protocol: TCP readinessProbe: httpGet: path: /ready port: 8080 initialDelaySeconds: 1 periodSeconds: 3 timeoutSeconds: 5 resources: requests: cpu: 10m memory: 100Mi securityContext: capabilities: drop: - ALL runAsGroup: 1337 runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/config name: config-volume - mountPath: /var/run/secrets/tokens name: istio-token readOnly: true - mountPath: /var/run/secrets/istio-dns name: local-certs - mountPath: /etc/cacerts name: cacerts readOnly: true - mountPath: /var/run/secrets/remote name: istio-kubeconfig readOnly: true - mountPath: /var/lib/istio/inject name: inject readOnly: true nodeSelector: {} securityContext: fsGroup: 1337 serviceAccountName: istiod-service-account volumes: - emptyDir: medium: Memory name: local-certs - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - name: cacerts secret: optional: true secretName: cacerts - name: istio-kubeconfig secret: optional: true secretName: istio-kubeconfig - configMap: name: istio-sidecar-injector name: inject - configMap: name: istio name: config-volume --- apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: name: istio-ingressgateway namespace: istio-system labels: app: istio-ingressgateway istio: ingressgateway release: istio istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "IngressGateways" spec: minAvailable: 1 selector: matchLabels: app: istio-ingressgateway istio: ingressgateway --- apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: name: istiod namespace: istio-system labels: app: istiod istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "Pilot" release: istio istio: pilot spec: minAvailable: 1 selector: matchLabels: app: istiod istio: pilot --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-ingressgateway-sds namespace: istio-system labels: release: istio istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "IngressGateways" rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istiod-istio-system namespace: istio-system labels: app: istiod release: istio rules: - apiGroups: ["networking.istio.io"] verbs: ["create"] resources: ["gateways"] - apiGroups: [""] resources: ["secrets"] # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config verbs: ["create", "get", "watch", "list", "update", "delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: istio-ingressgateway-sds namespace: istio-system labels: release: istio istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "IngressGateways" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: istio-ingressgateway-sds subjects: - kind: ServiceAccount name: istio-ingressgateway-service-account --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: istiod-istio-system namespace: istio-system labels: app: istiod release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: istiod-istio-system subjects: - kind: ServiceAccount name: istiod-service-account namespace: istio-system --- apiVersion: v1 kind: Service metadata: annotations: labels: app: istio-ingressgateway install.operator.istio.io/owning-resource: unknown istio: ingressgateway istio.io/rev: default operator.istio.io/component: IngressGateways release: istio name: istio-ingressgateway namespace: istio-system spec: ports: - name: status-port port: 15021 protocol: TCP targetPort: 15021 - name: http2 port: 80 protocol: TCP targetPort: 8080 - name: https port: 443 protocol: TCP targetPort: 8443 - name: tcp port: 31400 protocol: TCP targetPort: 31400 - name: tls port: 15443 protocol: TCP targetPort: 15443 selector: app: istio-ingressgateway istio: ingressgateway type: LoadBalancer --- apiVersion: v1 kind: Service metadata: name: istiod namespace: istio-system labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown operator.istio.io/component: "Pilot" app: istiod istio: pilot release: istio spec: ports: - port: 15010 name: grpc-xds # plaintext protocol: TCP - port: 15012 name: https-dns # mTLS with k8s-signed cert protocol: TCP - port: 443 name: https-webhook # validation and injection targetPort: 15017 protocol: TCP - port: 15014 name: http-monitoring # prometheus stats protocol: TCP selector: app: istiod # Label used by the 'default' service. For versioned deployments we match with app and version. # This avoids default deployment picking the canary istio: pilot