networking.istio.io / v1 / Sidecar
- object
.spec
Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html
- array
.spec .egress
Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh.
- string
.spec .egress[] .bind
The IP (IPv4 or IPv6) or the Unix domain socket to which the listener should be bound.
- string
.spec .egress[] .captureMode
When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not).
Valid Options: DEFAULT, IPTABLES, NONE
- array required
.spec .egress[] .hosts
One or more service hosts exposed by the listener in namespace/dnsName format.
- object
.spec .egress[] .port
The port associated with the listener.
- string
.spec .egress[] .port .name
Label assigned to the port.
- integer
.spec .egress[] .port .number
A valid non-negative integer port number.
- string
.spec .egress[] .port .protocol
The protocol exposed on the port.
- integer
.spec .egress[] .port .targetPort
- object
.spec .inboundConnectionPool
Settings controlling the volume of connections Envoy will accept from the network.
- object
.spec .inboundConnectionPool .http
HTTP connection pool settings.
- string
.spec .inboundConnectionPool .http .h2UpgradePolicy
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
- integer
.spec .inboundConnectionPool .http .http1MaxPendingRequests
Maximum number of requests that will be queued while waiting for a ready connection pool connection.
- integer
.spec .inboundConnectionPool .http .http2MaxRequests
Maximum number of active requests to a destination.
- string
.spec .inboundConnectionPool .http .idleTimeout
The idle timeout for upstream connection pool connections.
- integer
.spec .inboundConnectionPool .http .maxConcurrentStreams
The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection.
- integer
.spec .inboundConnectionPool .http .maxRequestsPerConnection
Maximum number of requests per connection to a backend.
- integer
.spec .inboundConnectionPool .http .maxRetries
Maximum number of retries that can be outstanding to all hosts in a cluster at a given time.
- boolean
.spec .inboundConnectionPool .http .useClientProtocol
If set to true, client protocol will be preserved while initiating connection to backend.
- object
.spec .inboundConnectionPool .tcp
Settings common to both HTTP and TCP upstream connections.
- string
.spec .inboundConnectionPool .tcp .connectTimeout
TCP connection timeout.
- string
.spec .inboundConnectionPool .tcp .idleTimeout
The idle timeout for TCP connections.
- string
.spec .inboundConnectionPool .tcp .maxConnectionDuration
The maximum duration of a connection.
- integer
.spec .inboundConnectionPool .tcp .maxConnections
Maximum number of HTTP1/TCP connections to a destination host.
- object
.spec .inboundConnectionPool .tcp .tcpKeepalive
If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
- string
.spec .inboundConnectionPool .tcp .tcpKeepalive .interval
The time duration between keep-alive probes.
- integer
.spec .inboundConnectionPool .tcp .tcpKeepalive .probes
Maximum number of keepalive probes to send without response before deciding the connection is dead.
- string
.spec .inboundConnectionPool .tcp .tcpKeepalive .time
The time duration a connection needs to be idle before keep-alive probes start being sent.
- array
.spec .ingress
Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance.
- string
.spec .ingress[] .bind
The IP (IPv4 or IPv6) to which the listener should be bound.
- string
.spec .ingress[] .captureMode
The captureMode option dictates how traffic to the listener is expected to be captured (or not).
Valid Options: DEFAULT, IPTABLES, NONE
- object
.spec .ingress[] .connectionPool
Settings controlling the volume of connections Envoy will accept from the network.
- object
.spec .ingress[] .connectionPool .http
HTTP connection pool settings.
- string
.spec .ingress[] .connectionPool .http .h2UpgradePolicy
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
- integer
.spec .ingress[] .connectionPool .http .http1MaxPendingRequests
Maximum number of requests that will be queued while waiting for a ready connection pool connection.
- integer
.spec .ingress[] .connectionPool .http .http2MaxRequests
Maximum number of active requests to a destination.
- string
.spec .ingress[] .connectionPool .http .idleTimeout
The idle timeout for upstream connection pool connections.
- integer
.spec .ingress[] .connectionPool .http .maxConcurrentStreams
The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection.
- integer
.spec .ingress[] .connectionPool .http .maxRequestsPerConnection
Maximum number of requests per connection to a backend.
- integer
.spec .ingress[] .connectionPool .http .maxRetries
Maximum number of retries that can be outstanding to all hosts in a cluster at a given time.
- boolean
.spec .ingress[] .connectionPool .http .useClientProtocol
If set to true, client protocol will be preserved while initiating connection to backend.
- object
.spec .ingress[] .connectionPool .tcp
Settings common to both HTTP and TCP upstream connections.
- string
.spec .ingress[] .connectionPool .tcp .connectTimeout
TCP connection timeout.
- string
.spec .ingress[] .connectionPool .tcp .idleTimeout
The idle timeout for TCP connections.
- string
.spec .ingress[] .connectionPool .tcp .maxConnectionDuration
The maximum duration of a connection.
- integer
.spec .ingress[] .connectionPool .tcp .maxConnections
Maximum number of HTTP1/TCP connections to a destination host.
- object
.spec .ingress[] .connectionPool .tcp .tcpKeepalive
If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
- string
.spec .ingress[] .connectionPool .tcp .tcpKeepalive .interval
The time duration between keep-alive probes.
- integer
.spec .ingress[] .connectionPool .tcp .tcpKeepalive .probes
Maximum number of keepalive probes to send without response before deciding the connection is dead.
- string
.spec .ingress[] .connectionPool .tcp .tcpKeepalive .time
The time duration a connection needs to be idle before keep-alive probes start being sent.
- string
.spec .ingress[] .defaultEndpoint
The IP endpoint or Unix domain socket to which traffic should be forwarded.
- object required
.spec .ingress[] .port
The port associated with the listener.
- string
.spec .ingress[] .port .name
Label assigned to the port.
- integer
.spec .ingress[] .port .number
A valid non-negative integer port number.
- string
.spec .ingress[] .port .protocol
The protocol exposed on the port.
- integer
.spec .ingress[] .port .targetPort
- object
.spec .ingress[] .tls
Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh.
- string
.spec .ingress[] .tls .caCertificates
REQUIRED if mode is MUTUAL or OPTIONAL_MUTUAL.
- string
.spec .ingress[] .tls .caCrl
OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.
- array
.spec .ingress[] .tls .cipherSuites
Optional: If specified, only support the specified cipher list.
- string
.spec .ingress[] .tls .credentialName
For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates.
- array
.spec .ingress[] .tls .credentialNames
Same as CredentialName but for multiple certificates.
- boolean
.spec .ingress[] .tls .httpsRedirect
If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.
- string
.spec .ingress[] .tls .maxProtocolVersion
Optional: Maximum TLS protocol version.
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
- string
.spec .ingress[] .tls .minProtocolVersion
Optional: Minimum TLS protocol version.
Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
- string
.spec .ingress[] .tls .mode
Optional: Indicates whether connections to this port should be secured using TLS.
Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
- string
.spec .ingress[] .tls .privateKey
REQUIRED if mode is SIMPLE or MUTUAL.
- string
.spec .ingress[] .tls .serverCertificate
REQUIRED if mode is SIMPLE or MUTUAL.
- array
.spec .ingress[] .tls .subjectAltNames
A list of alternate names to verify the subject identity in the certificate presented by the client.
- array
.spec .ingress[] .tls .tlsCertificates
Only one of server_certificate, private_key or credential_name or credential_names or tls_certificates should be specified.
- string
.spec .ingress[] .tls .tlsCertificates[] .caCertificates
- string
.spec .ingress[] .tls .tlsCertificates[] .privateKey
REQUIRED if mode is SIMPLE or MUTUAL.
- string
.spec .ingress[] .tls .tlsCertificates[] .serverCertificate
REQUIRED if mode is SIMPLE or MUTUAL.
- array
.spec .ingress[] .tls .verifyCertificateHash
An optional list of hex-encoded SHA-256 hashes of the authorized client certificates.
- array
.spec .ingress[] .tls .verifyCertificateSpki
An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates.
- object
.spec .outboundTrafficPolicy
Set the default behavior of the sidecar for handling outbound traffic from the application.
- object
.spec .outboundTrafficPolicy .egressProxy
- string required
.spec .outboundTrafficPolicy .egressProxy .host
The name of a service from the service registry.
- object
.spec .outboundTrafficPolicy .egressProxy .port
Specifies the port on the host that is being addressed.
- integer
.spec .outboundTrafficPolicy .egressProxy .port .number
- string
.spec .outboundTrafficPolicy .egressProxy .subset
The name of a subset within the service.
- string
.spec .outboundTrafficPolicy .mode
Valid Options: REGISTRY_ONLY, ALLOW_ANY
- object
.spec .workloadSelector
Criteria used to select the specific set of pods/VMs on which this Sidecar configuration should be applied.
- object
.spec .workloadSelector .labels
One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied.
- object
.status
- array
.status .conditions
Current service state of the resource.
- string
.status .conditions[] .lastProbeTime
Last time we probed the condition.
- string
.status .conditions[] .lastTransitionTime
Last time the condition transitioned from one status to another.
- string
.status .conditions[] .message
Human-readable message indicating details about last transition.
- integer | string
.status .conditions[] .observedGeneration
Resource Generation to which the Condition refers.
- string
.status .conditions[] .reason
Unique, one-word, CamelCase reason for the condition’s last transition.
- string
.status .conditions[] .status
Status is the status of the condition.
- string
.status .conditions[] .type
Type is the type of the condition.
- integer | string
.status .observedGeneration
- array
.status .validationMessages
Includes any errors or warnings detected by Istio’s analyzers.
- string
.status .validationMessages[] .documentationUrl
A URL pointing to the Istio documentation for this specific error type.
- string
.status .validationMessages[] .level
Represents how severe a message is.
Valid Options: UNKNOWN, ERROR, WARNING, INFO
- object
.status .validationMessages[] .type
- string
.status .validationMessages[] .type .code
A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify the message type.
- string
.status .validationMessages[] .type .name
A human-readable name for the message type.