istio: Index | Files

package features

import ""


Package Files



var (
    MaxConcurrentStreams = env.RegisterIntVar(
        "Sets the maximum number of concurrent grpc streams.",

    TraceSampling = env.RegisterFloatVar(
        "Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. "+
            "Default is 1.0.",

    // EnableIstioTags controls whether or not to configure Envoy with support for Istio-specific tags
    // in trace spans. This is a temporary flag for controlling the feature that will be replaced by
    // Telemetry API (or accepted as an always-on feature).
    EnableIstioTags = env.RegisterBoolVar(
        "Determines whether or not trace spans generated by Envoy will include Istio-specific tags.",

    PushThrottle = env.RegisterIntVar(
        "Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes",

    // MaxRecvMsgSize The max receive buffer size of gRPC received channel of Pilot in bytes.
    MaxRecvMsgSize = env.RegisterIntVar(
        "Sets the max receive buffer size of gRPC stream in bytes.",

    // FilterGatewayClusterConfig controls if a subset of clusters(only those required) should be pushed to gateways
    // TODO enable by default once is resolved
    // Currently this may cause a bug when we go from N clusters -> 0 clusters -> N clusters
    FilterGatewayClusterConfig = env.RegisterBoolVar("PILOT_FILTER_GATEWAY_CLUSTER_CONFIG", false, "").Get()

    DebounceAfter = env.RegisterDurationVar(
        "The delay added to config/registry events for debouncing. This will delay the push by "+
            "at least this internal. If no change is detected within this period, the push will happen, "+
            " otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.",

    DebounceMax = env.RegisterDurationVar(
        "The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks "+
            "for this time, we'll trigger a push.",

    EnableEDSDebounce = env.RegisterBoolVar(
        "If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX."+
            " EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled",

    // HTTP10 will add "accept_http_10" to http outbound listeners. Can also be set only for specific sidecars via meta.
    // Alpha in 1.1, may become the default or be turned into a Sidecar API or mesh setting. Only applies to namespaces
    // where Sidecar is enabled.
    HTTP10 = env.RegisterBoolVar(
        "Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.",

    InitialFetchTimeout = func() *duration.Duration {
        timeout, f := initialFetchTimeoutVar.Lookup()
        if !f {
            return nil
        return ptypes.DurationProto(timeout)

    TerminationDrainDuration = env.RegisterIntVar(
        "The amount of time allowed for connections to complete on pilot-agent shutdown. "+
            "On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, "+
            "preventing any new connections and allowing existing connections to complete. It then "+
            "sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.",

    // EnableMysqlFilter enables injection of `` in the filter chain.
    // Pilot injects this outbound filter if the service port name is `mysql`.
    EnableMysqlFilter = env.RegisterBoolVar(
        "EnableMysqlFilter enables injection of `` in the filter chain.",

    // EnableRedisFilter enables injection of `` in the filter chain.
    // Pilot injects this outbound filter if the service port name is `redis`.
    EnableRedisFilter = env.RegisterBoolVar(
        "EnableRedisFilter enables injection of `` in the filter chain.",

    // UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners so that it picks up the localhost
    // address of the sender, which is an internal address, so that trusted headers are not sanitized.
    UseRemoteAddress = env.RegisterBoolVar(
        "UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.",

    // EnableThriftFilter enables injection of `` in the filter chain.
    // Pilot injects this outbound filter if the service port name is `thrift`.
    EnableThriftFilter = env.RegisterBoolVar(
        "EnableThriftFilter enables injection of `` in the filter chain.",

    // SkipValidateTrustDomain tells the server proxy to not to check the peer's trust domain when
    // mTLS is enabled in authentication policy.
    SkipValidateTrustDomain = env.RegisterBoolVar(
        "Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy")

    EnableProtocolSniffingForOutbound = env.RegisterBoolVar(
        "If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported",

    EnableProtocolSniffingForInbound = env.RegisterBoolVar(
        "If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported",

    EnableWasmTelemetry = env.RegisterBoolVar(
        "If enabled, Wasm-based telemetry will be enabled.",

    ScopeGatewayToNamespace = env.RegisterBoolVar(
        "If enabled, a gateway workload can only select gateway resources in the same namespace. "+
            "Gateways with same selectors in different namespaces will not be applicable.",

    // nolint
    InboundProtocolDetectionTimeout, InboundProtocolDetectionTimeoutSet = env.RegisterDurationVar(
        "Protocol detection timeout for inbound listener",

    EnableHeadlessService = env.RegisterBoolVar(
        "If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an "+
            "outbound listener for each pod in a headless service. This feature should be disabled "+
            "if headless services have a large number of pods.",

    EnableEDSForHeadless = env.RegisterBoolVar(
        "If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, "+
            "allowing the sidecar to load balance among pods in the headless service. This feature "+
            "should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.",

    EnableDistributionTracking = env.RegisterBoolVar(
        "If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow "+
            "users to interrogate which envoy has which config from the debug interface.",

    DistributionHistoryRetention = env.RegisterDurationVar(
        "If enabled, Pilot will keep track of old versions of distributed config for this duration.",

    EnableEndpointSliceController = env.RegisterBoolVar(
        "If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. "+
            "By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. "+
            "Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used",

    EnableSDSServer = env.RegisterBoolVar(
        "If enabled, Istiod will serve SDS for credentialName secrets (rather than in-proxy). "+
            "To ensure proper security, PILOT_ENABLE_XDS_IDENTITY_CHECK=true is required as well.",

    EnableCRDValidation = env.RegisterBoolVar(
        "If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache."+
            "Use this flag to enable validation of CRDs in Pilot, especially in deployments "+
            "that do not have galley installed.",

    EnableAnalysis = env.RegisterBoolVar(
        "If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any "+
            "Istio Resources",

    EnableStatus = env.RegisterBoolVar(
        "If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.",

    StatusQPS = env.RegisterFloatVar(
        "If status is enabled, controls the QPS with which status will be updated.  "+
            "See QPS",

    StatusBurst = env.RegisterIntVar(
        "If status is enabled, controls the Burst rate with which status will be updated.  "+
            "See Burst",

    // IstiodServiceCustomHost allow user to bring a custom address for istiod server
    // for examples:
    IstiodServiceCustomHost = env.RegisterStringVar("ISTIOD_CUSTOM_HOST", "",
        "Custom host name of istiod that istiod signs the server cert.")

    PilotCertProvider = env.RegisterStringVar("PILOT_CERT_PROVIDER", "istiod",
        "The provider of Pilot DNS certificate.")

    JwtPolicy = env.RegisterStringVar("JWT_POLICY", jwt.PolicyThirdParty,
        "The JWT validation policy.")

    DefaultRequestTimeout = func() *duration.Duration {
        return ptypes.DurationProto(defaultRequestTimeoutVar.Get())

    EnableServiceApis = env.RegisterBoolVar("PILOT_ENABLED_SERVICE_APIS", true,
        "If this is set to true, support for Kubernetes service-apis ( will "+
            " be enabled. In addition to this being enabled, the service-apis CRDs need to be installed.").Get()

    EnableVirtualServiceDelegate = env.RegisterBoolVar(
        "If set to false, virtualService delegate will not be supported.").Get()

    ClusterName = env.RegisterStringVar("CLUSTER_ID", "Kubernetes",
        "Defines the cluster and service registry that this Istiod instance is belongs to").Get()

    ExternalIstiod = env.RegisterBoolVar("EXTERNAL_ISTIOD", false,
        "If this is set to true, one Istiod will control remote clusters including CA.").Get()

    EnableCAServer = env.RegisterBoolVar("ENABLE_CA_SERVER", true,
        "If this is set to false, will not create CA server in istiod.").Get()

    EnableDebugOnHTTP = env.RegisterBoolVar("ENABLE_DEBUG_ON_HTTP", true,
        "If this is set to false, the debug interface will not be ebabled on Http, recommended for production").Get()

    EnableAdminEndpoints = env.RegisterBoolVar("ENABLE_ADMIN_ENDPOINTS", false,
        "If this is set to true, dangerous admin endpoins will be exposed on the debug interface. Not recommended for production.").Get()

    XDSAuth = env.RegisterBoolVar("XDS_AUTH", true,
        "If true, will authenticate XDS clients.").Get()

    EnableXDSIdentityCheck = env.RegisterBoolVar(
        "If enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.",

    EnableServiceEntrySelectPods = env.RegisterBoolVar("PILOT_ENABLE_SERVICEENTRY_SELECT_PODS", true,
        "If enabled, service entries with selectors will select pods from the cluster. "+
            "It is safe to disable it if you are quite sure you don't need this feature").Get()
    EnableK8SServiceSelectWorkloadEntries = env.RegisterBoolVar("PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES", true,
        "If enabled, Kubernetes services with selectors will select workload entries with matching labels. "+
            "It is safe to disable it if you are quite sure you don't need this feature").Get()
    InjectionWebhookConfigName = env.RegisterStringVar("INJECTION_WEBHOOK_CONFIG_NAME", "istio-sidecar-injector",
        "Name of the mutatingwebhookconfiguration to patch, if istioctl is not used.")

    SpiffeBundleEndpoints = env.RegisterStringVar("SPIFFE_BUNDLE_ENDPOINTS", "",
        "The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE "+
            "bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be "+
            "compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to "+
            " . "+
            "No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. "+
            "Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in "+
            "each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar").Get()

    EnableXDSCaching = env.RegisterBoolVar("PILOT_ENABLE_XDS_CACHE", true,
        "If true, Pilot will cache XDS responses.").Get()

    EnableXDSCacheMetrics = env.RegisterBoolVar("PILOT_XDS_CACHE_STATS", false,
        "If true, Pilot will collect metrics for XDS cache efficiency.").Get()

    XDSCacheMaxSize = env.RegisterIntVar("PILOT_XDS_CACHE_SIZE", 20000,
        "The maximum number of cache entries for the XDS cache. If the size is <= 0, the cache will have no upper bound.").Get()

    AllowMetadataCertsInMutualTLS = env.RegisterBoolVar("PILOT_ALLOW_METADATA_CERTS_DR_MUTUAL_TLS", false,
        "If true, Pilot will allow certs specified in Metadata to override DR certs in MUTUAL TLS mode. "+
            "This is only enabled for migration and will be removed soon.").Get()

    // EnableLegacyFSGroupInjection has first-party-jwt as allowed because we only
    // need the fsGroup configuration for the projected service account volume mount,
    // which is only used by first-party-jwt. The installer will automatically
    // configure this on Kubernetes 1.19+.
    EnableLegacyFSGroupInjection = env.RegisterBoolVar("ENABLE_LEGACY_FSGROUP_INJECTION", JwtPolicy.Get() != jwt.PolicyFirstParty,
        "If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older "+
            `(see for details) unless JWT_POLICY is "first-party-jwt".`).Get()

    EnableTLSv2OnInboundPath = env.RegisterBoolVar("PILOT_SIDECAR_ENABLE_INBOUND_TLS_V2", true,
        "If true, Pilot will set the TLS version on server side as TLSv1_2 and also enforce strong cipher suites").Get()

    XdsPushSendTimeout = env.RegisterDurationVar(
        "The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.",

    EndpointTelemetryLabel = env.RegisterBoolVar("PILOT_ENDPOINT_TELEMETRY_LABEL", true,
        "If true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.",

    WorkloadEntryAutoRegistration = env.RegisterBoolVar("PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION", false,
        "Enables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.").Get()

    WorkloadEntryCleanupGracePeriod = env.RegisterDurationVar("PILOT_WORKLOAD_ENTRY_GRACE_PERIOD", 10*time.Second,
        "The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the "+
            "associated WorkloadEntry is cleaned up.").Get()

    WorkloadEntryHealthChecks = env.RegisterBoolVar("PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKS", false,
        "Enables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup").Get()

    WorkloadEntryCrossCluster = env.RegisterBoolVar("PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY", false,
        "If enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.").Get()

    EnableFlowControl = env.RegisterBoolVar(
        "If enabled, pilot will wait for the completion of a receive operation before"+
            "executing a push operation. This is a form of flow control and is useful in"+
            "environments with high rates of push requests to each gateway. By default,"+
            "this is false.").Get()

    FlowControlTimeout = env.RegisterDurationVar(
        "If set, the max amount of time to delay a push by. Depends on PILOT_ENABLE_FLOW_CONTROL.",

    PilotEnableLoopBlockers = env.RegisterBoolVar("PILOT_ENABLE_LOOP_BLOCKER", true,
        "If enabled, Envoy will be configured to prevent traffic directly the the inbound/outbound "+
            "ports (15001/15006). This prevents traffic loops. This option will be removed, and considered always enabled, in 1.9.").Get()

    StatusMaxWorkers = env.RegisterIntVar("PILOT_STATUS_MAX_WORKERS", 100, "The maximum number of workers"+
        " Pilot will use to keep configuration status up to date.  Smaller numbers will result in higher status latency, "+
        "but larger numbers may impact CPU in high scale environments.")

    WasmRemoteLoadConversion = env.RegisterBoolVar("ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSION", true,
        "If enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, "+
            "and replaces Wasm module remote load with downloaded local module file.").Get()

Package features imports 5 packages (graph) and is imported by 35 packages. Updated 2021-01-20. Refresh now. Tools for package owners.