Diffstat (limited to 'install')
-rwxr-xr-xinstall/3_install_istio.sh10
-rw-r--r--install/istio.yaml3505
2 files changed, 2450 insertions, 1065 deletions
diff --git a/install/3_install_istio.sh b/install/3_install_istio.sh
index 7166db7..5e216c4 100755
--- a/install/3_install_istio.sh
+++ b/install/3_install_istio.sh
@@ -14,10 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-wget https://github.com/istio/istio/releases/download/0.8.0/istio-0.8.0-linux.tar.gz
-tar -zxvf istio-0.8.0-linux.tar.gz
-rm -rf istio-0.8.0-linux.tar.gz
-sudo cp istio-0.8.0/bin/istioctl /usr/bin/
-rm -rf istio-0.8.0
+wget https://github.com/istio/istio/releases/download/1.0.0/istio-1.0.0-linux.tar.gz
+tar -zxvf istio-1.0.0-linux.tar.gz
+rm -rf istio-1.0.0-linux.tar.gz
+sudo cp istio-1.0.0/bin/istioctl /usr/bin/
+rm -rf istio-1.0.0
kubectl apply -f istio.yaml
diff --git a/install/istio.yaml b/install/istio.yaml
index 500940d..15716c5 100644
--- a/install/istio.yaml
+++ b/install/istio.yaml
@@ -1,525 +1,210 @@
apiVersion: v1
kind: Namespace
metadata:
- name: istio-system
+ name: istio-system
+ labels:
+ istio-injection: disabled
---
-# Source: istio/charts/mixer/templates/configmap.yaml
+# Source: istio/charts/galley/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
- name: istio-statsd-prom-bridge
+ name: istio-galley-configuration
namespace: istio-system
labels:
- app: istio-statsd-prom-bridge
- chart: mixer-0.8.0
+ app: istio-galley
+ chart: galley-1.0.0
release: RELEASE-NAME
heritage: Tiller
istio: mixer
data:
- mapping.conf: |-
+ validatingwebhookconfiguration.yaml: |-
+ apiVersion: admissionregistration.k8s.io/v1beta1
+ kind: ValidatingWebhookConfiguration
+ metadata:
+ name: istio-galley
+ namespace: istio-system
+ labels:
+ app: istio-galley
+ chart: galley-1.0.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ webhooks:
+ - name: pilot.validation.istio.io
+ clientConfig:
+ service:
+ name: istio-galley
+ namespace: istio-system
+ path: "/admitpilot"
+ caBundle: ""
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - config.istio.io
+ apiVersions:
+ - v1alpha2
+ resources:
+ - httpapispecs
+ - httpapispecbindings
+ - quotaspecs
+ - quotaspecbindings
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - rbac.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - authentication.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - networking.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ # disabled per @costinm's request
+ # - serviceentries
+ - virtualservices
+ failurePolicy: Fail
+ - name: mixer.validation.istio.io
+ clientConfig:
+ service:
+ name: istio-galley
+ namespace: istio-system
+ path: "/admitmixer"
+ caBundle: ""
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - config.istio.io
+ apiVersions:
+ - v1alpha2
+ resources:
+ - rules
+ - attributemanifests
+ - circonuses
+ - deniers
+ - fluentds
+ - kubernetesenvs
+ - listcheckers
+ - memquotas
+ - noops
+ - opas
+ - prometheuses
+ - rbacs
+ - servicecontrols
+ - solarwindses
+ - stackdrivers
+ - statsds
+ - stdios
+ - apikeys
+ - authorizations
+ - checknothings
+ # - kuberneteses
+ - listentries
+ - logentries
+ - metrics
+ - quotas
+ - reportnothings
+ - servicecontrolreports
+ - tracespans
+ failurePolicy: Fail
+
+
---
+# Source: istio/charts/grafana/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
- name: istio-mixer-custom-resources
+ name: istio-grafana-custom-resources
namespace: istio-system
labels:
- app: istio-mixer
- chart: mixer-0.8.0
+ app: istio-grafana
+ chart: grafana-0.1.0
release: RELEASE-NAME
heritage: Tiller
- istio: mixer
+ istio: grafana
data:
custom-resources.yaml: |-
- apiVersion: "config.istio.io/v1alpha2"
- kind: attributemanifest
+ apiVersion: authentication.istio.io/v1alpha1
+ kind: Policy
metadata:
- name: istioproxy
+ name: grafana-ports-mtls-disabled
namespace: istio-system
spec:
- attributes:
- origin.ip:
- valueType: IP_ADDRESS
- origin.uid:
- valueType: STRING
- origin.user:
- valueType: STRING
- request.headers:
- valueType: STRING_MAP
- request.id:
- valueType: STRING
- request.host:
- valueType: STRING
- request.method:
- valueType: STRING
- request.path:
- valueType: STRING
- request.reason:
- valueType: STRING
- request.referer:
- valueType: STRING
- request.scheme:
- valueType: STRING
- request.total_size:
- valueType: INT64
- request.size:
- valueType: INT64
- request.time:
- valueType: TIMESTAMP
- request.useragent:
- valueType: STRING
- response.code:
- valueType: INT64
- response.duration:
- valueType: DURATION
- response.headers:
- valueType: STRING_MAP
- response.total_size:
- valueType: INT64
- response.size:
- valueType: INT64
- response.time:
- valueType: TIMESTAMP
- source.uid:
- valueType: STRING
- source.user:
- valueType: STRING
- destination.uid:
- valueType: STRING
- connection.id:
- valueType: STRING
- connection.received.bytes:
- valueType: INT64
- connection.received.bytes_total:
- valueType: INT64
- connection.sent.bytes:
- valueType: INT64
- connection.sent.bytes_total:
- valueType: INT64
- connection.duration:
- valueType: DURATION
- connection.mtls:
- valueType: BOOL
- context.protocol:
- valueType: STRING
- context.timestamp:
- valueType: TIMESTAMP
- context.time:
- valueType: TIMESTAMP
- api.service:
- valueType: STRING
- api.version:
- valueType: STRING
- api.operation:
- valueType: STRING
- api.protocol:
- valueType: STRING
- request.auth.principal:
- valueType: STRING
- request.auth.audiences:
- valueType: STRING
- request.auth.presenter:
- valueType: STRING
- request.auth.claims:
- valueType: STRING_MAP
- request.auth.raw_claims:
- valueType: STRING
- request.api_key:
- valueType: STRING
+ targets:
+ - name: grafana
+ ports:
+ - number: 3000
+ run.sh: |-
+ #!/bin/sh
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: attributemanifest
- metadata:
- name: kubernetes
- namespace: istio-system
- spec:
- attributes:
- source.ip:
- valueType: IP_ADDRESS
- source.labels:
- valueType: STRING_MAP
- source.name:
- valueType: STRING
- source.namespace:
- valueType: STRING
- source.service:
- valueType: STRING
- source.serviceAccount:
- valueType: STRING
- destination.ip:
- valueType: IP_ADDRESS
- destination.labels:
- valueType: STRING_MAP
- destination.name:
- valueType: STRING
- destination.namespace:
- valueType: STRING
- destination.service:
- valueType: STRING
- destination.serviceAccount:
- valueType: STRING
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: stdio
- metadata:
- name: handler
- namespace: istio-system
- spec:
- outputAsJson: true
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: logentry
- metadata:
- name: accesslog
- namespace: istio-system
- spec:
- severity: '"Info"'
- timestamp: request.time
- variables:
- originIp: origin.ip | ip("0.0.0.0")
- sourceIp: source.ip | ip("0.0.0.0")
- sourceService: source.service | ""
- sourceUser: source.user | source.uid | ""
- sourceNamespace: source.namespace | ""
- destinationIp: destination.ip | ip("0.0.0.0")
- destinationService: destination.service | ""
- destinationNamespace: destination.namespace | ""
- apiName: api.service | ""
- apiVersion: api.version | ""
- apiClaims: request.headers["sec-istio-auth-userinfo"]| ""
- apiKey: request.api_key | request.headers["x-api-key"] | ""
- requestOperation: api.operation | ""
- protocol: request.scheme | "http"
- method: request.method | ""
- url: request.path | ""
- responseCode: response.code | 0
- responseSize: response.size | 0
- requestSize: request.size | 0
- latency: response.duration | "0ms"
- connectionMtls: connection.mtls | false
- userAgent: request.useragent | ""
- responseTimestamp: response.time
- receivedBytes: request.total_size | connection.received.bytes | 0
- sentBytes: response.total_size | connection.sent.bytes | 0
- referer: request.referer | ""
- monitored_resource_type: '"UNSPECIFIED"'
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: rule
- metadata:
- name: stdio
- namespace: istio-system
- spec:
- match: "true" # If omitted match is true.
- actions:
- - handler: handler.stdio
- instances:
- - accesslog.logentry
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: metric
- metadata:
- name: requestcount
- namespace: istio-system
- spec:
- value: "1"
- dimensions:
- source_service: source.service | "unknown"
- source_version: source.labels["version"] | "unknown"
- destination_service: destination.service | "unknown"
- destination_version: destination.labels["version"] | "unknown"
- response_code: response.code | 200
- connection_mtls: connection.mtls | false
- monitored_resource_type: '"UNSPECIFIED"'
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: metric
- metadata:
- name: requestduration
- namespace: istio-system
- spec:
- value: response.duration | "0ms"
- dimensions:
- source_service: source.service | "unknown"
- source_version: source.labels["version"] | "unknown"
- destination_service: destination.service | "unknown"
- destination_version: destination.labels["version"] | "unknown"
- response_code: response.code | 200
- connection_mtls: connection.mtls | false
- monitored_resource_type: '"UNSPECIFIED"'
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: metric
- metadata:
- name: requestsize
- namespace: istio-system
- spec:
- value: request.size | 0
- dimensions:
- source_service: source.service | "unknown"
- source_version: source.labels["version"] | "unknown"
- destination_service: destination.service | "unknown"
- destination_version: destination.labels["version"] | "unknown"
- response_code: response.code | 200
- connection_mtls: connection.mtls | false
- monitored_resource_type: '"UNSPECIFIED"'
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: metric
- metadata:
- name: responsesize
- namespace: istio-system
- spec:
- value: response.size | 0
- dimensions:
- source_service: source.service | "unknown"
- source_version: source.labels["version"] | "unknown"
- destination_service: destination.service | "unknown"
- destination_version: destination.labels["version"] | "unknown"
- response_code: response.code | 200
- connection_mtls: connection.mtls | false
- monitored_resource_type: '"UNSPECIFIED"'
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: metric
- metadata:
- name: tcpbytesent
- namespace: istio-system
- labels:
- istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp
- spec:
- value: connection.sent.bytes | 0
- dimensions:
- source_service: source.service | "unknown"
- source_version: source.labels["version"] | "unknown"
- destination_service: destination.service | "unknown"
- destination_version: destination.labels["version"] | "unknown"
- connection_mtls: connection.mtls | false
- monitored_resource_type: '"UNSPECIFIED"'
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: metric
- metadata:
- name: tcpbytereceived
- namespace: istio-system
- labels:
- istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp
- spec:
- value: connection.received.bytes | 0
- dimensions:
- source_service: source.service | "unknown"
- source_version: source.labels["version"] | "unknown"
- destination_service: destination.service | "unknown"
- destination_version: destination.labels["version"] | "unknown"
- connection_mtls: connection.mtls | false
- monitored_resource_type: '"UNSPECIFIED"'
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: prometheus
- metadata:
- name: handler
- namespace: istio-system
- spec:
- metrics:
- - name: request_count
- instance_name: requestcount.metric.istio-system
- kind: COUNTER
- label_names:
- - source_service
- - source_version
- - destination_service
- - destination_version
- - response_code
- - connection_mtls
- - name: request_duration
- instance_name: requestduration.metric.istio-system
- kind: DISTRIBUTION
- label_names:
- - source_service
- - source_version
- - destination_service
- - destination_version
- - response_code
- - connection_mtls
- buckets:
- explicit_buckets:
- bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
- - name: request_size
- instance_name: requestsize.metric.istio-system
- kind: DISTRIBUTION
- label_names:
- - source_service
- - source_version
- - destination_service
- - destination_version
- - response_code
- - connection_mtls
- buckets:
- exponentialBuckets:
- numFiniteBuckets: 8
- scale: 1
- growthFactor: 10
- - name: response_size
- instance_name: responsesize.metric.istio-system
- kind: DISTRIBUTION
- label_names:
- - source_service
- - source_version
- - destination_service
- - destination_version
- - response_code
- - connection_mtls
- buckets:
- exponentialBuckets:
- numFiniteBuckets: 8
- scale: 1
- growthFactor: 10
- - name: tcp_bytes_sent
- instance_name: tcpbytesent.metric.istio-system
- kind: COUNTER
- label_names:
- - source_service
- - source_version
- - destination_service
- - destination_version
- - connection_mtls
- - name: tcp_bytes_received
- instance_name: tcpbytereceived.metric.istio-system
- kind: COUNTER
- label_names:
- - source_service
- - source_version
- - destination_service
- - destination_version
- - connection_mtls
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: rule
- metadata:
- name: promhttp
- namespace: istio-system
- labels:
- istio-protocol: http
- spec:
- actions:
- - handler: handler.prometheus
- instances:
- - requestcount.metric
- - requestduration.metric
- - requestsize.metric
- - responsesize.metric
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: rule
- metadata:
- name: promtcp
- namespace: istio-system
- labels:
- istio-protocol: tcp # needed so that mixer will only execute when context.protocol == TCP
- spec:
- actions:
- - handler: handler.prometheus
- instances:
- - tcpbytesent.metric
- - tcpbytereceived.metric
- ---
+ set -x
- apiVersion: "config.istio.io/v1alpha2"
- kind: kubernetesenv
- metadata:
- name: handler
- namespace: istio-system
- spec:
- # when running from mixer root, use the following config after adding a
- # symbolic link to a kubernetes config file via:
- #
- # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
- #
- # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
+ if [ "$#" -ne "1" ]; then
+ echo "first argument should be path to custom resource yaml"
+ exit 1
+ fi
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: rule
- metadata:
- name: kubeattrgenrulerule
- namespace: istio-system
- spec:
- actions:
- - handler: handler.kubernetesenv
- instances:
- - attributes.kubernetes
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: rule
- metadata:
- name: tcpkubeattrgenrulerule
- namespace: istio-system
- spec:
- match: context.protocol == "tcp"
- actions:
- - handler: handler.kubernetesenv
- instances:
- - attributes.kubernetes
- ---
- apiVersion: "config.istio.io/v1alpha2"
- kind: kubernetes
- metadata:
- name: attributes
- namespace: istio-system
- spec:
- # Pass the required attribute data to the adapter
- source_uid: source.uid | ""
- source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
- destination_uid: destination.uid | ""
- origin_uid: '""'
- origin_ip: ip("0.0.0.0") # default to unspecified ip addr
- attribute_bindings:
- # Fill the new attributes from the adapter produced output.
- # $out refers to an instance of OutputTemplate message
- source.ip: $out.source_pod_ip | ip("0.0.0.0")
- source.labels: $out.source_labels | emptyStringMap()
- source.namespace: $out.source_namespace | "default"
- source.service: $out.source_service | "unknown"
- source.serviceAccount: $out.source_service_account_name | "unknown"
- destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
- destination.labels: $out.destination_labels | emptyStringMap()
- destination.namespace: $out.destination_namespace | "default"
- destination.service: $out.destination_service | "unknown"
- destination.serviceAccount: $out.destination_service_account_name | "unknown"
- ---
- # Configuration needed by Mixer.
- # Mixer cluster is delivered via CDS
- # Specify mixer cluster settings
- apiVersion: networking.istio.io/v1alpha3
- kind: DestinationRule
- metadata:
- name: istio-policy
- namespace: istio-system
- spec:
- host: istio-policy.istio-system.svc.cluster.local
- trafficPolicy:
- connectionPool:
- http:
- http2MaxRequests: 10000
- maxRequestsPerConnection: 10000
- ---
- apiVersion: networking.istio.io/v1alpha3
- kind: DestinationRule
- metadata:
- name: istio-telemetry
- namespace: istio-system
- spec:
- host: istio-telemetry.istio-system.svc.cluster.local
- trafficPolicy:
- connectionPool:
- http:
- http2MaxRequests: 10000
- maxRequestsPerConnection: 10000
- ---
+ pathToResourceYAML=${1}
+
+ /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
+ if [ "$?" -eq 0 ]; then
+ echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
+ while true; do
+ /kubectl -n istio-system get deployment istio-galley 2>/dev/null
+ if [ "$?" -eq 0 ]; then
+ break
+ fi
+ sleep 1
+ done
+ /kubectl -n istio-system rollout status deployment istio-galley
+ if [ "$?" -ne 0 ]; then
+ echo "istio-galley deployment rollout status check failed"
+ exit 1
+ fi
+ echo "istio-galley deployment ready for configuration validation"
+ fi
+ sleep 5
+ /kubectl apply -f ${pathToResourceYAML}
---
+# Source: istio/charts/mixer/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-statsd-prom-bridge
+ namespace: istio-system
+ labels:
+ app: istio-statsd-prom-bridge
+ chart: mixer-1.0.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: mixer
+data:
+ mapping.conf: |-
+
+---
# Source: istio/charts/prometheus/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
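Review bot: Both webhooks in the embedded istio-galley ValidatingWebhookConfiguration ship with `caBundle: ""` while also setting `failurePolicy: Fail`, so until something injects the CA that signed istio-galley's serving certificate the apiserver will reject every CREATE/UPDATE of the listed config.istio.io, networking.istio.io, rbac.istio.io and authentication.istio.io resources; presumably galley patches the bundle itself at startup, but nothing in the hunk says so. There is no namespaceSelector either, so the webhook gates every namespace and a galley outage blocks all Istio config writes cluster-wide. I would add a comment above the first `caBundle: ""` such as `# caBundle is filled in at runtime from galley's serving CA; with failurePolicy: Fail, an empty or stale bundle rejects all Istio config writes cluster-wide`, and note that `metadata.namespace` on this cluster-scoped kind is ignored by the apiserver. The `grafana-ports-mtls-disabled` Policy further down also deserves a one-line caveat that it turns off mTLS for grafana port 3000, so the dashboard accepts unauthenticated mesh peers on that port by design.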
@@ -543,11 +228,14 @@ data:
kubernetes_sd_configs:
- role: endpoints
+ namespaces:
+ names:
+ - istio-system
relabel_configs:
- - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
- regex: istio-system;istio-telemetry;prometheus
+ regex: istio-telemetry;prometheus
- job_name: 'envoy'
# Override the global default and scrape targets from this job every 5 seconds.
@@ -557,11 +245,14 @@ data:
kubernetes_sd_configs:
- role: endpoints
+ namespaces:
+ names:
+ - istio-system
relabel_configs:
- - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
- regex: istio-system;istio-statsd-prom-bridge;statsd-prom
+ regex: istio-statsd-prom-bridge;statsd-prom
- job_name: 'istio-policy'
# Override the global default and scrape targets from this job every 5 seconds.
@@ -571,11 +262,15 @@ data:
kubernetes_sd_configs:
- role: endpoints
+ namespaces:
+ names:
+ - istio-system
+
relabel_configs:
- - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
- regex: istio-system;istio-policy;http-monitoring
+ regex: istio-policy;http-monitoring
- job_name: 'istio-telemetry'
# Override the global default and scrape targets from this job every 5 seconds.
@@ -585,11 +280,14 @@ data:
kubernetes_sd_configs:
- role: endpoints
+ namespaces:
+ names:
+ - istio-system
relabel_configs:
- - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
- regex: istio-system;istio-telemetry;http-monitoring
+ regex: istio-telemetry;http-monitoring
- job_name: 'pilot'
# Override the global default and scrape targets from this job every 5 seconds.
@@ -599,24 +297,47 @@ data:
kubernetes_sd_configs:
- role: endpoints
+ namespaces:
+ names:
+ - istio-system
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-pilot;http-monitoring
+
+ - job_name: 'galley'
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+ # metrics_path defaults to '/metrics'
+ # scheme defaults to 'http'.
+
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - istio-system
relabel_configs:
- - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
- regex: istio-system;istio-pilot;http-monitoring
+ regex: istio-galley;http-monitoring
# scrape config for API servers
- job_name: 'kubernetes-apiservers'
kubernetes_sd_configs:
- role: endpoints
+ namespaces:
+ names:
+ - default
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
- regex: default;kubernetes;https
+ regex: kubernetes;https
# scrape config for nodes (kubelet)
- job_name: 'kubernetes-nodes'
@@ -725,7 +446,56 @@ data:
target_label: pod_name
---
+# Source: istio/charts/security/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-security-custom-resources
+ namespace: istio-system
+ labels:
+ app: istio-security
+ chart: security-1.0.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: security
+data:
+ custom-resources.yaml: |-
+ run.sh: |-
+ #!/bin/sh
+
+ set -x
+
+ if [ "$#" -ne "1" ]; then
+ echo "first argument should be path to custom resource yaml"
+ exit 1
+ fi
+
+ pathToResourceYAML=${1}
+
+ /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
+ if [ "$?" -eq 0 ]; then
+ echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
+ while true; do
+ /kubectl -n istio-system get deployment istio-galley 2>/dev/null
+ if [ "$?" -eq 0 ]; then
+ break
+ fi
+ sleep 1
+ done
+ /kubectl -n istio-system rollout status deployment istio-galley
+ if [ "$?" -ne 0 ]; then
+ echo "istio-galley deployment rollout status check failed"
+ exit 1
+ fi
+ echo "istio-galley deployment ready for configuration validation"
+ fi
+ sleep 5
+ /kubectl apply -f ${pathToResourceYAML}
+
+
+---
# Source: istio/templates/configmap.yaml
+
apiVersion: v1
kind: ConfigMap
metadata:
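Review bot: The `while true` loop in run.sh waits forever for the istio-galley deployment to appear, with no cap on attempts, so a galley that never schedules leaves the post-install job hung instead of failing visibly. The same script then applies `custom-resources.yaml`, which in this ConfigMap is an empty block scalar (the `run.sh:` key follows it directly), and `/kubectl apply -f` on an empty file may exit non-zero with "no objects passed to apply"; if the consuming job uses `restartPolicy: OnFailure` as the grafana one does, that would retry indefinitely. The path argument is also expanded unquoted. A bounded wait and a guarded apply would make the job fail fast or succeed cleanly:

```yaml
  run.sh: |-
    # … unchanged: argument-count check …
    pathToResourceYAML=${1}

    if /kubectl get validatingwebhookconfiguration istio-galley >/dev/null 2>&1; then
      echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
      attempts=0
      until /kubectl -n istio-system get deployment istio-galley >/dev/null 2>&1; do
        attempts=$((attempts + 1))
        if [ "$attempts" -ge 120 ]; then
          echo "timed out waiting for istio-galley deployment"
          exit 1
        fi
        sleep 1
      done
      # … unchanged: rollout status check …
    fi
    sleep 5
    if [ ! -s "${pathToResourceYAML}" ]; then
      echo "no custom resources to apply"
      exit 0
    fi
    /kubectl apply -f "${pathToResourceYAML}"
```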
@@ -733,42 +503,34 @@ metadata:
namespace: istio-system
labels:
app: istio
- chart: istio-0.8.0
+ chart: istio-1.0.0
release: RELEASE-NAME
heritage: Tiller
data:
mesh: |-
- #
- # Edit this list to avoid using mTLS to connect to these services.
- # Typically, these are control services (e.g kubernetes API server) that don't have istio sidecar
- # to transparently terminate mTLS authentication.
- # mtlsExcludedServices: ["kubernetes.default.svc.cluster.local"]
-
# Set the following variable to true to disable policy checks by the Mixer.
# Note that metrics will still be reported to the Mixer.
disablePolicyChecks: false
+
# Set enableTracing to false to disable request tracing.
enableTracing: true
+
+ # Set accessLogFile to empty string to disable access log.
+ accessLogFile: "/dev/stdout"
#
- # To disable the mixer completely (including metrics), comment out
- # the following lines
- mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004
- mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004
- # This is the ingress service name, update if you used a different name
- ingressService: istio-ingress
- #
- # Along with discoveryRefreshDelay, this setting determines how
- # frequently should Envoy fetch and update its internal configuration
- # from istio Pilot. Lower refresh delay results in higher CPU
- # utilization and potential performance loss in exchange for faster
- # convergence. Tweak this value according to your setup.
- rdsRefreshDelay: 10s
+ # Deprecated: mixer is using EDS
+ mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091
+ mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091
+
+ # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
+ # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
+ sdsUdsPath: ""
+
+ # How frequently should Envoy fetch key/cert from NodeAgent.
+ sdsRefreshDelay: 15s
+
#
defaultConfig:
- # NOTE: If you change any values in this section, make sure to make
- # the same changes in start up args in istio-ingress pods.
- # See rdsRefreshDelay for explanation about this setting.
- discoveryRefreshDelay: 10s
#
# TCP connection timeout between Envoy & the application, and between Envoys.
connectTimeout: 10s
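Review bot: `accessLogFile: "/dev/stdout"` switches on Envoy access logging for every sidecar by default, and the only guidance is how to turn it off; access log lines typically carry the request path, so anything passed in a query string ends up in pod logs and wherever those are shipped. I would widen the comment to `# Set accessLogFile to empty string to disable access log. Note: the log records the request path, so secrets carried in query strings are captured.` The mixer addresses also move from port 15004 to 9091 with only `# Deprecated: mixer is using EDS` to explain it; a sentence stating whether these fields are still consulted, and which port carries control-plane mTLS, would stop an operator reading this as a plaintext downgrade. The `defaultConfig` section continues past the end of the hunk.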
@@ -819,6 +581,7 @@ data:
---
# Source: istio/templates/sidecar-injector-configmap.yaml
+
apiVersion: v1
kind: ConfigMap
metadata:
@@ -826,7 +589,7 @@ metadata:
namespace: istio-system
labels:
app: istio
- chart: istio-0.8.0
+ chart: istio-1.0.0
release: RELEASE-NAME
heritage: Tiller
istio: sidecar-injector
@@ -836,7 +599,7 @@ data:
template: |-
initContainers:
- name: istio-init
- image: docker.io/istio/proxy_init:0.8.0
+ image: "gcr.io/istio-release/proxy_init:1.0.0"
args:
- "-p"
- [[ .MeshConfig.ProxyListenPort ]]
@@ -880,7 +643,7 @@ data:
image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]]
"[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]"
[[ else -]]
- docker.io/istio/proxy_debug:0.8.0
+ gcr.io/istio-release/proxy_debug:1.0.0
[[ end -]]
args:
- proxy
@@ -912,7 +675,7 @@ data:
- --proxyAdminPort
- [[ .ProxyConfig.ProxyAdminPort ]]
- --controlPlaneAuthPolicy
- - [[ .ProxyConfig.ControlPlaneAuthPolicy ]]
+ - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/controlPlaneAuthPolicy") .ProxyConfig.ControlPlaneAuthPolicy ]]
env:
- name: POD_NAME
valueFrom:
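Review bot: `--controlPlaneAuthPolicy` can now be overridden per pod through the `sidecar.istio.io/controlPlaneAuthPolicy` annotation, so anyone able to create a pod in an injected namespace can set it to `NONE` and have that sidecar reach Pilot without mTLS regardless of the mesh-wide `.ProxyConfig.ControlPlaneAuthPolicy`; nothing in the template constrains or validates the value. If the override exists only for bootstrapping, say so and gate it, for example with an admission rule that restricts the annotation to the control-plane namespace. At minimum document the risk next to the arg: `# sidecar.istio.io/controlPlaneAuthPolicy lets a pod downgrade its Pilot connection to NONE — restrict who may set it`. The container spec continues outside the hunk on both sides.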
@@ -934,21 +697,27 @@ data:
value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
imagePullPolicy: IfNotPresent
securityContext:
- privileged: false
- readOnlyRootFilesystem: true
- [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]]
- capabilities:
- add:
- - NET_ADMIN
- [[ else -]]
- runAsUser: 1337
- [[ end -]]
+ privileged: false
+ readOnlyRootFilesystem: true
+ [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]]
+ capabilities:
+ add:
+ - NET_ADMIN
+ runAsGroup: 1337
+ [[ else -]]
+ runAsUser: 1337
+ [[ end -]]
restartPolicy: Always
resources:
+ [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU") -]]
requests:
- cpu: 100m
- memory: 128Mi
+ cpu: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU" ]]"
+ memory: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyMemory" ]]"
+ [[ else -]]
+ requests:
+ cpu: 10m
+ [[ end -]]
volumeMounts:
- mountPath: /etc/istio/proxy
name: istio-envoy
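Review bot: The resources branch keys on `sidecar.istio.io/proxyCPU` alone but also renders `sidecar.istio.io/proxyMemory`, so a pod that sets only the CPU annotation is injected with `memory: ""`, which the apiserver rejects as an invalid quantity and the pod is refused at admission. Rendering each request on its own avoids that, and the template already uses the `or (index …) default` idiom for interceptionMode. Separately, the TPROXY branch adds NET_ADMIN and a `runAsGroup` but no `runAsUser`, `runAsNonRoot` or `allowPrivilegeEscalation: false`, so the proxy runs as the image's default user — presumably root — with that capability; if root is genuinely required for TPROXY a comment should say so, and the remaining capabilities should be dropped. The requests block could read:

```yaml
resources:
  requests:
    cpu: "[[ or (index .ObjectMeta.Annotations "sidecar.istio.io/proxyCPU") "10m" ]]"
    [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyMemory") -]]
    memory: "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyMemory" ]]"
    [[ end -]]
```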
@@ -968,9 +737,22 @@ data:
secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]]
[[ end -]]
+---
+# Source: istio/charts/galley/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-galley-service-account
+ namespace: istio-system
+ labels:
+ app: istio-galley
+ chart: galley-1.0.0
+ heritage: Tiller
+ release: RELEASE-NAME
---
-# Source: istio/charts/egressgateway/templates/serviceaccount.yaml
+# Source: istio/charts/gateways/templates/serviceaccount.yaml
+
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -978,12 +760,10 @@ metadata:
namespace: istio-system
labels:
app: egressgateway
- chart: egressgateway-0.8.0
+ chart: gateways-1.0.0
heritage: Tiller
release: RELEASE-NAME
-
---
-# Source: istio/charts/ingressgateway/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -991,108 +771,93 @@ metadata:
namespace: istio-system
labels:
app: ingressgateway
- chart: ingressgateway-0.8.0
+ chart: gateways-1.0.0
heritage: Tiller
release: RELEASE-NAME
+---
---
-# Source: istio/charts/mixer/templates/create-custom-resources-job.yaml
+# Source: istio/charts/grafana/templates/create-custom-resources-job.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
- name: istio-mixer-post-install-account
+ name: istio-grafana-post-install-account
namespace: istio-system
labels:
- app: mixer
- chart: mixer-0.8.0
+ app: istio-grafana
+ chart: grafana-0.1.0
heritage: Tiller
release: RELEASE-NAME
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
- name: istio-mixer-post-install-istio-system
- namespace: istio-system
+ name: istio-grafana-post-install-istio-system
labels:
- app: mixer
- chart: mixer-0.8.0
+ app: istio-grafana
+ chart: grafana-0.1.0
heritage: Tiller
release: RELEASE-NAME
rules:
-- apiGroups: ["config.istio.io"] # istio CRD watcher
- resources: ["*"]
- verbs: ["create", "get", "list", "watch", "patch"]
-- apiGroups: ["networking.istio.io"] # needed to create mixer destination rules
+- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
resources: ["*"]
verbs: ["*"]
-- apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
- verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
- name: istio-mixer-post-install-role-binding-istio-system
+ name: istio-grafana-post-install-role-binding-istio-system
labels:
- app: mixer
- chart: mixer-0.8.0
+ app: istio-grafana
+ chart: grafana-0.1.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: istio-mixer-post-install-istio-system
+ name: istio-grafana-post-install-istio-system
subjects:
- kind: ServiceAccount
- name: istio-mixer-post-install-account
+ name: istio-grafana-post-install-account
namespace: istio-system
---
-
apiVersion: batch/v1
kind: Job
metadata:
- name: istio-mixer-post-install
+ name: istio-grafana-post-install
namespace: istio-system
annotations:
"helm.sh/hook": post-install
- "helm.sh/hook-delete-policy": before-hook-creation
+ "helm.sh/hook-delete-policy": hook-succeeded
labels:
- app: mixer
- chart: mixer-0.8.0
+ app: istio-grafana
+ chart: grafana-0.1.0
release: RELEASE-NAME
heritage: Tiller
spec:
template:
metadata:
- name: istio-mixer-post-install
+ name: istio-grafana-post-install
labels:
- app: mixer
+ app: istio-grafana
release: RELEASE-NAME
spec:
- serviceAccountName: istio-mixer-post-install-account
+ serviceAccountName: istio-grafana-post-install-account
containers:
- name: hyperkube
image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
- command:
- - ./kubectl
- - apply
- - -f
- - /tmp/mixer/custom-resources.yaml
+ command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ]
volumeMounts:
- - mountPath: "/tmp/mixer"
- name: tmp-configmap-mixer
+ - mountPath: "/tmp/grafana"
+ name: tmp-configmap-grafana
volumes:
- - name: tmp-configmap-mixer
+ - name: tmp-configmap-grafana
configMap:
- name: istio-mixer-custom-resources
- restartPolicy: Never # CRD might take some time till they are available to consume
+ name: istio-grafana-custom-resources
+ restartPolicy: OnFailure
---
# Source: istio/charts/mixer/templates/serviceaccount.yaml
-
apiVersion: v1
kind: ServiceAccount
metadata:
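Review bot: The grafana post-install job is bound to a ClusterRole granting `resources: ["*"]` with `verbs: ["*"]` on `authentication.istio.io`, i.e. full write access to every authentication resource in every namespace, when all it applies is the single `Policy` in istio-system defined in the istio-grafana-custom-resources ConfigMap earlier in this diff. A namespaced Role limited to `policies` with the verbs `kubectl apply` needs, bound by a RoleBinding, is sufficient. The job also runs an unpinned `quay.io/coreos/hyperkube:v1.7.6_coreos.0` tag with that scope; pinning by digest would narrow the supply-chain exposure. A minimal replacement for the role and binding:

```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: istio-grafana-post-install-istio-system
  namespace: istio-system
  # … unchanged: labels …
rules:
- apiGroups: ["authentication.istio.io"]  # needed to create default authn policy
  resources: ["policies"]
  verbs: ["get", "create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: istio-grafana-post-install-role-binding-istio-system
  namespace: istio-system
  # … unchanged: labels …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-grafana-post-install-istio-system
subjects:
- kind: ServiceAccount
  name: istio-grafana-post-install-account
  namespace: istio-system
```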
@@ -1100,13 +865,12 @@ metadata:
namespace: istio-system
labels:
app: mixer
- chart: mixer-0.8.0
+ chart: mixer-1.0.0
heritage: Tiller
release: RELEASE-NAME
---
# Source: istio/charts/pilot/templates/serviceaccount.yaml
-
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -1114,13 +878,12 @@ metadata:
namespace: istio-system
labels:
app: istio-pilot
- chart: pilot-0.8.0
+ chart: pilot-1.0.0
heritage: Tiller
release: RELEASE-NAME
---
# Source: istio/charts/prometheus/templates/serviceaccount.yaml
-
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -1128,27 +891,118 @@ metadata:
namespace: istio-system
---
-# Source: istio/charts/security/templates/serviceaccount.yaml
+# Source: istio/charts/security/templates/cleanup-secrets.yaml
+# The reason for creating a ServiceAccount and ClusterRole specifically for this
+# post-delete hooked job is because the citadel ServiceAccount is being deleted
+# before this hook is launched. On the other hand, running this hook before the
+# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they
+# will be re-created immediately by the to-be-deleted citadel.
+#
+# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding
+# will be ready before running the hooked Job therefore the hook weights.
apiVersion: v1
kind: ServiceAccount
metadata:
- name: istio-citadel-service-account
+ name: istio-cleanup-secrets-service-account
namespace: istio-system
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app: security
+ chart: security-1.0.0
+ heritage: Tiller
+ release: RELEASE-NAME
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-cleanup-secrets-istio-system
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app: security
+ chart: security-1.0.0
+ heritage: Tiller
+ release: RELEASE-NAME
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-cleanup-secrets-istio-system
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "2"
labels:
app: security
- chart: security-0.8.0
+ chart: security-1.0.0
heritage: Tiller
release: RELEASE-NAME
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-cleanup-secrets-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-cleanup-secrets-service-account
+ namespace: istio-system
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-cleanup-secrets
+ namespace: istio-system
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "3"
+ labels:
+ app: security
+ chart: security-1.0.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ template:
+ metadata:
+ name: istio-cleanup-secrets
+ labels:
+ app: security
+ release: RELEASE-NAME
+ spec:
+ serviceAccountName: istio-cleanup-secrets-service-account
+ containers:
+ - name: hyperkube
+ image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
+ command:
+ - /bin/bash
+ - -c
+ - >
+ kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
+ ns=$(echo $entry | awk '{print $1}');
+ name=$(echo $entry | awk '{print $2}');
+ kubectl delete secret $name -n $ns;
+ done
+ restartPolicy: OnFailure
+
---
+# Source: istio/charts/security/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
- name: istio-cleanup-old-ca-service-account
+ name: istio-citadel-service-account
namespace: istio-system
labels:
app: security
- chart: security-0.8.0
+ chart: security-1.0.0
heritage: Tiller
release: RELEASE-NAME
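Review bot: The `istio-cleanup-secrets-istio-system` ClusterRole grants `list` and `delete` on every Secret in every namespace, and since the ServiceAccount, ClusterRole and ClusterRoleBinding all carry `"helm.sh/hook-delete-policy": hook-succeeded`, a post-delete Job that never succeeds leaves a cluster-wide secret-deleting identity in place indefinitely. The Job script also selects its victims by grepping the whole `kubectl get secret` table line for `istio.io/key-and-cert` and then splits columns with awk, so it depends on the printed column layout rather than on the Secret `type` field; a type-based selection such as `-o jsonpath='{range .items[?(@.type=="istio.io/key-and-cert")]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}' | while read -r ns name; do kubectl delete secret "$ns" "$name" ...` (if the pinned kubectl supports jsonpath filters) makes the intent explicit, and `"$name"`/`"$ns"` should be quoted either way. I would put a comment on the rules block recording the trade-off, e.g. `# cluster-wide list/delete on secrets; scope is enforced only by the type filter in the Job script`. The image is pinned by mutable tag (`v1.7.6_coreos.0`) rather than digest, which is worth noting for a job that runs with these permissions.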
@@ -1161,17 +1015,205 @@ metadata:
namespace: istio-system
labels:
app: istio-sidecar-injector
- chart: sidecarInjectorWebhook-0.8.0
+ chart: sidecarInjectorWebhook-1.0.0
heritage: Tiller
release: RELEASE-NAME
---
-# Source: istio/charts/mixer/templates/crds.yaml
+# Source: istio/templates/crds.yaml
+#
+# these CRDs only make sense when pilot is enabled
+#
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: virtualservices.networking.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
+ labels:
+ app: istio-pilot
+spec:
+ group: networking.istio.io
+ names:
+ kind: VirtualService
+ listKind: VirtualServiceList
+ plural: virtualservices
+ singular: virtualservice
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: destinationrules.networking.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
+ labels:
+ app: istio-pilot
+spec:
+ group: networking.istio.io
+ names:
+ kind: DestinationRule
+ listKind: DestinationRuleList
+ plural: destinationrules
+ singular: destinationrule
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: serviceentries.networking.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
+ labels:
+ app: istio-pilot
+spec:
+ group: networking.istio.io
+ names:
+ kind: ServiceEntry
+ listKind: ServiceEntryList
+ plural: serviceentries
+ singular: serviceentry
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: gateways.networking.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
+ "helm.sh/hook-weight": "-5"
+ labels:
+ app: istio-pilot
+spec:
+ group: networking.istio.io
+ names:
+ kind: Gateway
+ plural: gateways
+ singular: gateway
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: envoyfilters.networking.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
+ labels:
+ app: istio-pilot
+spec:
+ group: networking.istio.io
+ names:
+ kind: EnvoyFilter
+ plural: envoyfilters
+ singular: envoyfilter
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+#
+
+# these CRDs only make sense when security is enabled
+#
+
+#
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ annotations:
+ "helm.sh/hook": crd-install
+ name: httpapispecbindings.config.istio.io
+spec:
+ group: config.istio.io
+ names:
+ kind: HTTPAPISpecBinding
+ plural: httpapispecbindings
+ singular: httpapispecbinding
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ annotations:
+ "helm.sh/hook": crd-install
+ name: httpapispecs.config.istio.io
+spec:
+ group: config.istio.io
+ names:
+ kind: HTTPAPISpec
+ plural: httpapispecs
+ singular: httpapispec
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ annotations:
+ "helm.sh/hook": crd-install
+ name: quotaspecbindings.config.istio.io
+spec:
+ group: config.istio.io
+ names:
+ kind: QuotaSpecBinding
+ plural: quotaspecbindings
+ singular: quotaspecbinding
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ annotations:
+ "helm.sh/hook": crd-install
+ name: quotaspecs.config.istio.io
+spec:
+ group: config.istio.io
+ names:
+ kind: QuotaSpec
+ plural: quotaspecs
+ singular: quotaspec
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+
# Mixer CRDs
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rules.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: istio.io.mixer
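Review bot: The four `config.istio.io` CRDs introduced after the `# these CRDs only make sense when security is enabled` header (`httpapispecbindings`, `httpapispecs`, `quotaspecbindings`, `quotaspecs`) carry no `labels:` block at all, whereas every other CRD in this file names its owning component (`app: istio-pilot` on the networking CRDs, `app: mixer` on the mixer CRDs), so they cannot be selected or cleaned up by label like the rest. Adding a `labels:` block with the owning component's `app:` value would restore the convention. The header itself is split across stray `#` and blank lines (`#`, blank, `# these CRDs ...`, `#`, blank, `#`); collapsing it to a single `# these CRDs only make sense when security is enabled` line would match the pilot header above it.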
@@ -1182,6 +1224,9 @@ spec:
kind: rule
plural: rules
singular: rule
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1190,6 +1235,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: attributemanifests.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: istio.io.mixer
@@ -1200,6 +1247,32 @@ spec:
kind: attributemanifest
plural: attributemanifests
singular: attributemanifest
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: bypasses.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
+ labels:
+ app: mixer
+ package: bypass
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: bypass
+ plural: bypasses
+ singular: bypass
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1208,6 +1281,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: circonuses.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: circonus
@@ -1218,6 +1293,9 @@ spec:
kind: circonus
plural: circonuses
singular: circonus
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1226,6 +1304,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: deniers.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: denier
@@ -1236,6 +1316,9 @@ spec:
kind: denier
plural: deniers
singular: denier
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1244,6 +1327,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: fluentds.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: fluentd
@@ -1254,6 +1339,9 @@ spec:
kind: fluentd
plural: fluentds
singular: fluentd
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1262,6 +1350,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kubernetesenvs.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: kubernetesenv
@@ -1272,6 +1362,9 @@ spec:
kind: kubernetesenv
plural: kubernetesenvs
singular: kubernetesenv
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1280,6 +1373,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listcheckers.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: listchecker
@@ -1290,6 +1385,9 @@ spec:
kind: listchecker
plural: listcheckers
singular: listchecker
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1298,6 +1396,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: memquotas.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: memquota
@@ -1308,6 +1408,9 @@ spec:
kind: memquota
plural: memquotas
singular: memquota
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1316,6 +1419,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: noops.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: noop
@@ -1326,6 +1431,9 @@ spec:
kind: noop
plural: noops
singular: noop
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1334,6 +1442,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: opas.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: opa
@@ -1344,6 +1454,9 @@ spec:
kind: opa
plural: opas
singular: opa
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1352,6 +1465,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: prometheuses.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: prometheus
@@ -1362,6 +1477,9 @@ spec:
kind: prometheus
plural: prometheuses
singular: prometheus
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1370,6 +1488,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rbacs.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: rbac
@@ -1380,6 +1500,28 @@ spec:
kind: rbac
plural: rbacs
singular: rbac
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: redisquotas.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
+ labels:
+ package: redisquota
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: redisquota
+ plural: redisquotas
+ singular: redisquota
scope: Namespaced
version: v1alpha2
---
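Review bot: The new `redisquotas.config.istio.io` CRD is missing the `app: mixer` label and the `categories` list that every sibling `mixer-adapter` CRD in this file carries (compare `signalfxs.config.istio.io` and `bypasses.config.istio.io`, which have both). As written it will not appear under `kubectl get istio-io` / `policy-istio-io` and is excluded from any `app=mixer` label selector. Adding `app: mixer` under `labels:` and `categories: [istio-io, policy-istio-io]` under `names:` brings it in line with the others.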
@@ -1388,6 +1530,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicecontrols.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: servicecontrol
@@ -1398,6 +1542,33 @@ spec:
kind: servicecontrol
plural: servicecontrols
singular: servicecontrol
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: signalfxs.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
+ labels:
+ app: mixer
+ package: signalfx
+ istio: mixer-adapter
+spec:
+ group: config.istio.io
+ names:
+ kind: signalfx
+ plural: signalfxs
+ singular: signalfx
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1406,6 +1577,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: solarwindses.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: solarwinds
@@ -1416,6 +1589,9 @@ spec:
kind: solarwinds
plural: solarwindses
singular: solarwinds
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1424,6 +1600,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stackdrivers.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: stackdriver
@@ -1434,6 +1612,9 @@ spec:
kind: stackdriver
plural: stackdrivers
singular: stackdriver
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1442,6 +1623,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: statsds.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: statsd
@@ -1452,6 +1635,9 @@ spec:
kind: statsd
plural: statsds
singular: statsd
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1460,6 +1646,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stdios.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: stdio
@@ -1470,6 +1658,9 @@ spec:
kind: stdio
plural: stdios
singular: stdio
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1478,6 +1669,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: apikeys.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: apikey
@@ -1488,6 +1681,9 @@ spec:
kind: apikey
plural: apikeys
singular: apikey
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1496,6 +1692,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: authorizations.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: authorization
@@ -1506,6 +1704,9 @@ spec:
kind: authorization
plural: authorizations
singular: authorization
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1514,6 +1715,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: checknothings.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: checknothing
@@ -1524,6 +1727,9 @@ spec:
kind: checknothing
plural: checknothings
singular: checknothing
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1532,6 +1738,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kuberneteses.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: adapter.template.kubernetes
@@ -1542,6 +1750,9 @@ spec:
kind: kubernetes
plural: kuberneteses
singular: kubernetes
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1550,6 +1761,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listentries.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: listentry
@@ -1560,6 +1773,9 @@ spec:
kind: listentry
plural: listentries
singular: listentry
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1568,6 +1784,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: logentries.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: logentry
@@ -1578,6 +1796,32 @@ spec:
kind: logentry
plural: logentries
singular: logentry
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: edges.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
+ labels:
+ app: mixer
+ package: edge
+ istio: mixer-instance
+spec:
+ group: config.istio.io
+ names:
+ kind: edge
+ plural: edges
+ singular: edge
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1586,6 +1830,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: metrics.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: metric
@@ -1596,6 +1842,9 @@ spec:
kind: metric
plural: metrics
singular: metric
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1604,6 +1853,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotas.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: quota
@@ -1614,6 +1865,9 @@ spec:
kind: quota
plural: quotas
singular: quota
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1622,6 +1876,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: reportnothings.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: reportnothing
@@ -1632,6 +1888,9 @@ spec:
kind: reportnothing
plural: reportnothings
singular: reportnothing
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1640,6 +1899,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicecontrolreports.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: servicecontrolreport
@@ -1650,6 +1911,9 @@ spec:
kind: servicecontrolreport
plural: servicecontrolreports
singular: servicecontrolreport
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1658,6 +1922,8 @@ kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: tracespans.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: tracespan
@@ -1668,6 +1934,9 @@ spec:
kind: tracespan
plural: tracespans
singular: tracespan
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
@@ -1675,258 +1944,265 @@ spec:
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
- name: serviceroles.config.istio.io
+ name: rbacconfigs.rbac.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: istio.io.mixer
istio: rbac
spec:
- group: config.istio.io
+ group: rbac.istio.io
+ names:
+ kind: RbacConfig
+ plural: rbacconfigs
+ singular: rbacconfig
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
+
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: serviceroles.rbac.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+spec:
+ group: rbac.istio.io
names:
kind: ServiceRole
plural: serviceroles
singular: servicerole
+ categories:
+ - istio-io
+ - rbac-istio-io
scope: Namespaced
- version: v1alpha2
+ version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
- name: servicerolebindings.config.istio.io
+ name: servicerolebindings.rbac.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
app: mixer
package: istio.io.mixer
istio: rbac
spec:
- group: config.istio.io
+ group: rbac.istio.io
names:
kind: ServiceRoleBinding
plural: servicerolebindings
singular: servicerolebinding
+ categories:
+ - istio-io
+ - rbac-istio-io
scope: Namespaced
- version: v1alpha2
-
+ version: v1alpha1
---
-# Source: istio/charts/pilot/templates/crds.yaml
-apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
metadata:
- name: destinationpolicies.config.istio.io
+ name: adapters.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
- app: istio-pilot
+ app: mixer
+ package: adapter
+ istio: mixer-adapter
spec:
group: config.istio.io
names:
- kind: DestinationPolicy
- listKind: DestinationPolicyList
- plural: destinationpolicies
- singular: destinationpolicy
+ kind: adapter
+ plural: adapters
+ singular: adapter
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
-apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
metadata:
- name: egressrules.config.istio.io
+ name: instances.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
- app: istio-pilot
+ app: mixer
+ package: instance
+ istio: mixer-instance
spec:
group: config.istio.io
names:
- kind: EgressRule
- listKind: EgressRuleList
- plural: egressrules
- singular: egressrule
+ kind: instance
+ plural: instances
+ singular: instance
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
-apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
metadata:
- name: routerules.config.istio.io
+ name: templates.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
- app: istio-pilot
+ app: mixer
+ package: template
+ istio: mixer-template
spec:
group: config.istio.io
names:
- kind: RouteRule
- listKind: RouteRuleList
- plural: routerules
- singular: routerule
+ kind: template
+ plural: templates
+ singular: template
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
version: v1alpha2
---
-apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
-metadata:
- name: virtualservices.networking.istio.io
- labels:
- app: istio-pilot
-spec:
- group: networking.istio.io
- names:
- kind: VirtualService
- listKind: VirtualServiceList
- plural: virtualservices
- singular: virtualservice
- scope: Namespaced
- version: v1alpha3
----
apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
metadata:
- name: destinationrules.networking.istio.io
+ name: handlers.config.istio.io
+ annotations:
+ "helm.sh/hook": crd-install
labels:
- app: istio-pilot
+ app: mixer
+ package: handler
+ istio: mixer-handler
spec:
- group: networking.istio.io
+ group: config.istio.io
names:
- kind: DestinationRule
- listKind: DestinationRuleList
- plural: destinationrules
- singular: destinationrule
+ kind: handler
+ plural: handlers
+ singular: handler
+ categories:
+ - istio-io
+ - policy-istio-io
scope: Namespaced
- version: v1alpha3
+ version: v1alpha2
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: serviceentries.networking.istio.io
- labels:
- app: istio-pilot
-spec:
- group: networking.istio.io
- names:
- kind: ServiceEntry
- listKind: ServiceEntryList
- plural: serviceentries
- singular: serviceentry
- scope: Namespaced
- version: v1alpha3
+#
+#
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
+# Source: istio/charts/galley/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
metadata:
- name: gateways.networking.istio.io
+ name: istio-galley-istio-system
labels:
- app: istio-pilot
-spec:
- group: networking.istio.io
- names:
- kind: Gateway
- plural: gateways
- singular: gateway
- scope: Namespaced
- version: v1alpha3
----
-kind: CustomResourceDefinition
-apiVersion: apiextensions.k8s.io/v1beta1
-metadata:
- name: policies.authentication.istio.io
-spec:
- group: authentication.istio.io
- names:
- kind: Policy
- plural: policies
- singular: policy
- scope: Namespaced
- version: v1alpha1
----
-kind: CustomResourceDefinition
-apiVersion: apiextensions.k8s.io/v1beta1
-metadata:
- name: httpapispecbindings.config.istio.io
-spec:
- group: config.istio.io
- names:
- kind: HTTPAPISpecBinding
- plural: httpapispecbindings
- singular: httpapispecbinding
- scope: Namespaced
- version: v1alpha2
+ app: istio-galley
+ chart: galley-1.0.0
+ heritage: Tiller
+ release: RELEASE-NAME
+rules:
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["*"]
+- apiGroups: ["config.istio.io"] # istio mixer CRD watcher
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["*"]
+ resources: ["deployments"]
+ resourceNames: ["istio-galley"]
+ verbs: ["get"]
+
---
-kind: CustomResourceDefinition
-apiVersion: apiextensions.k8s.io/v1beta1
+# Source: istio/charts/gateways/templates/clusterrole.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
metadata:
- name: httpapispecs.config.istio.io
-spec:
- group: config.istio.io
- names:
- kind: HTTPAPISpec
- plural: httpapispecs
- singular: httpapispec
- scope: Namespaced
- version: v1alpha2
+ labels:
+ app: gateways
+ chart: gateways-1.0.0
+ heritage: Tiller
+ release: RELEASE-NAME
+ name: istio-egressgateway-istio-system
+rules:
+- apiGroups: ["extensions"]
+ resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
+ verbs: ["get", "watch", "list", "update"]
---
-kind: CustomResourceDefinition
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
metadata:
- name: quotaspecbindings.config.istio.io
-spec:
- group: config.istio.io
- names:
- kind: QuotaSpecBinding
- plural: quotaspecbindings
- singular: quotaspecbinding
- scope: Namespaced
- version: v1alpha2
+ labels:
+ app: gateways
+ chart: gateways-1.0.0
+ heritage: Tiller
+ release: RELEASE-NAME
+ name: istio-ingressgateway-istio-system
+rules:
+- apiGroups: ["extensions"]
+ resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
+ verbs: ["get", "watch", "list", "update"]
---
-kind: CustomResourceDefinition
-apiVersion: apiextensions.k8s.io/v1beta1
-metadata:
- name: quotaspecs.config.istio.io
-spec:
- group: config.istio.io
- names:
- kind: QuotaSpec
- plural: quotaspecs
- singular: quotaspec
- scope: Namespaced
- version: v1alpha2
-
---
# Source: istio/charts/mixer/templates/clusterrole.yaml
-
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-mixer-istio-system
- namespace: istio-system
labels:
app: mixer
- chart: mixer-0.8.0
+ chart: mixer-1.0.0
heritage: Tiller
release: RELEASE-NAME
rules:
- apiGroups: ["config.istio.io"] # istio CRD watcher
resources: ["*"]
verbs: ["create", "get", "list", "watch", "patch"]
+- apiGroups: ["rbac.istio.io"] # istio RBAC watcher
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
---
# Source: istio/charts/pilot/templates/clusterrole.yaml
-
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-pilot-istio-system
- namespace: istio-system
labels:
app: istio-pilot
- chart: pilot-0.8.0
+ chart: pilot-1.0.0
heritage: Tiller
release: RELEASE-NAME
rules:
- apiGroups: ["config.istio.io"]
resources: ["*"]
verbs: ["*"]
+- apiGroups: ["rbac.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
- apiGroups: ["networking.istio.io"]
resources: ["*"]
verbs: ["*"]
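Review bot: The galley ClusterRole `istio-galley-istio-system` grants `verbs: ["*"]` on `validatingwebhookconfigurations`, which is full write control over cluster-wide admission policy; listing the verbs galley actually needs (get/list/watch plus whatever create/update it performs on its own webhook) documents the intent and stops future verbs from being granted implicitly. The same ClusterRole uses `apiGroups: ["*"]` for the `deployments` get rule, where naming the real group (`apps` or `extensions`) would be tighter at no cost. In the two gateway ClusterRoles (`istio-egressgateway-istio-system`, `istio-ingressgateway-istio-system`) the rule lists `virtualservices`, `destinationrules` and `gateways` under `apiGroups: ["extensions"]`, but this file defines those CRDs under `networking.istio.io`, so that rule appears to grant nothing for those resources; either the group is wrong or the rule is dead and should say so in a comment. This hunk also moves the RBAC CRDs from `config.istio.io` to `rbac.istio.io`, which the new `rbac.istio.io` read rules on the mixer and pilot ClusterRoles cover correctly.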
@@ -1951,13 +2227,10 @@ rules:
---
# Source: istio/charts/prometheus/templates/clusterrole.yaml
-
----
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: prometheus-istio-system
- namespace: istio-system
rules:
- apiGroups: [""]
resources:
@@ -1973,34 +2246,16 @@ rules:
verbs: ["get"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: prometheus-istio-system
- namespace: istio-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: prometheus-istio-system
-subjects:
-- kind: ServiceAccount
- name: prometheus
- namespace: istio-system
----
-
---
# Source: istio/charts/security/templates/clusterrole.yaml
-
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-citadel-istio-system
- namespace: istio-system
labels:
app: security
- chart: security-0.8.0
+ chart: security-1.0.0
heritage: Tiller
release: RELEASE-NAME
rules:
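Review bot: The `prometheus-istio-system` ClusterRoleBinding is removed here along with the stray `namespace:` on the ClusterRole, but no replacement binding is visible in this hunk, so unless it is re-emitted in the clusterrolebinding section further down (outside this view) the `prometheus` ServiceAccount loses the permissions the ClusterRole still defines. Worth confirming against the rest of the rendered manifest; if the binding was moved, a `# Source:` comment at its new location would make that obvious.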
@@ -2013,35 +2268,16 @@ rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: istio-cleanup-old-ca-istio-system
- namespace: istio-system
- labels:
- app: security
- chart: security-0.8.0
- heritage: Tiller
- release: RELEASE-NAME
-rules:
-- apiGroups: [""]
- resources: ["deployments", "serviceaccounts", "services"]
- verbs: ["get", "delete"]
-- apiGroups: ["extensions"]
- resources: ["deployments", "replicasets"]
- verbs: ["get", "list", "update", "delete"]
---
# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
-
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-sidecar-injector-istio-system
labels:
app: istio-sidecar-injector
- chart: sidecarInjectorWebhook-0.8.0
+ chart: sidecarInjectorWebhook-1.0.0
heritage: Tiller
release: RELEASE-NAME
rules:
@@ -2053,15 +2289,64 @@ rules:
verbs: ["get", "list", "watch", "patch"]
---
-# Source: istio/charts/mixer/templates/clusterrolebinding.yaml
+# Source: istio/charts/galley/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-galley-admin-role-binding-istio-system
+ labels:
+ app: istio-galley
+ chart: galley-1.0.0
+ heritage: Tiller
+ release: RELEASE-NAME
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-galley-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-galley-service-account
+ namespace: istio-system
+
+---
+# Source: istio/charts/gateways/templates/clusterrolebindings.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
+ name: istio-egressgateway-istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-egressgateway-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-egressgateway-service-account
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-ingressgateway-istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-ingressgateway-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+ namespace: istio-system
+---
+
+---
+# Source: istio/charts/mixer/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
name: istio-mixer-admin-role-binding-istio-system
labels:
app: mixer
- chart: mixer-0.8.0
+ chart: mixer-1.0.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
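Review bot: The two new gateway ClusterRoleBindings (`istio-egressgateway-istio-system`, `istio-ingressgateway-istio-system`) carry none of the `app`/`chart`/`release`/`heritage` labels that every other binding in this hunk has, so `helm`/label-based cleanup and auditing will miss them; add the same label block, e.g. `labels: {app: istio-ingressgateway, chart: gateways-1.0.0, release: RELEASE-NAME, heritage: Tiller}`. They are also cluster-scoped grants to the service account of an internet-facing workload; the ClusterRoles they reference are defined earlier in the file, outside this hunk, so confirm there that the ingress gateway's role is limited to what it needs (presumably read access to secrets for TLS material) rather than wildcard verbs.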
@@ -2075,14 +2360,13 @@ subjects:
---
# Source: istio/charts/pilot/templates/clusterrolebinding.yaml
-
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-pilot-istio-system
labels:
app: istio-pilot
- chart: pilot-0.8.0
+ chart: pilot-1.0.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
@@ -2095,55 +2379,49 @@ subjects:
namespace: istio-system
---
-# Source: istio/charts/security/templates/clusterrolebinding.yaml
-
+# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
- name: istio-citadel-istio-system
- labels:
- app: security
- chart: security-0.8.0
- heritage: Tiller
- release: RELEASE-NAME
+ name: prometheus-istio-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: istio-citadel-istio-system
+ name: prometheus-istio-system
subjects:
- - kind: ServiceAccount
- name: istio-citadel-service-account
- namespace: istio-system
+- kind: ServiceAccount
+ name: prometheus
+ namespace: istio-system
+
---
+# Source: istio/charts/security/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
+kind: ClusterRoleBinding
metadata:
- name: istio-cleanup-old-ca-istio-system
- namespace: istio-system
+ name: istio-citadel-istio-system
labels:
app: security
- chart: security-0.8.0
+ chart: security-1.0.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istio-cleanup-old-ca-istio-system
+ kind: ClusterRole
+ name: istio-citadel-istio-system
subjects:
- kind: ServiceAccount
- name: istio-cleanup-old-ca-service-account
+ name: istio-citadel-service-account
namespace: istio-system
---
# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
-
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-sidecar-injector-admin-role-binding-istio-system
labels:
app: istio-sidecar-injector
- chart: sidecarInjectorWebhook-0.8.0
+ chart: sidecarInjectorWebhook-1.0.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
@@ -2154,76 +2432,76 @@ subjects:
- kind: ServiceAccount
name: istio-sidecar-injector-service-account
namespace: istio-system
+
+---
+# Source: istio/charts/galley/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-galley
+ namespace: istio-system
+ labels:
+ istio: galley
+spec:
+ ports:
+ - port: 443
+ name: https-validation
+ - port: 9093
+ name: http-monitoring
+ selector:
+ istio: galley
+
---
-# Source: istio/charts/egressgateway/templates/service.yaml
+# Source: istio/charts/gateways/templates/service.yaml
+
apiVersion: v1
kind: Service
metadata:
name: istio-egressgateway
- namespace: istio-system
+ namespace: istio-system
+ annotations:
labels:
- chart: egressgateway-0.8.0
+ chart: gateways-1.0.0
release: RELEASE-NAME
heritage: Tiller
+ app: istio-egressgateway
istio: egressgateway
spec:
type: ClusterIP
selector:
+ app: istio-egressgateway
istio: egressgateway
ports:
-
- name: http
+ name: http2
port: 80
-
name: https
port: 443
-
---
-# Source: istio/charts/grafana/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
- name: grafana
+ name: istio-ingressgateway
namespace: istio-system
annotations:
- auth.istio.io/3000: NONE
- labels:
- app: grafana
- chart: grafana-0.1.0
- release: RELEASE-NAME
- heritage: Tiller
-spec:
- type: NodePort
- ports:
- - port: 3000
- targetPort: 3000
- protocol: TCP
- name: http
- nodePort: 30300
- selector:
- app: grafana
-
----
-# Source: istio/charts/ingressgateway/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: istio-ingressgateway
- namespace: istio-system
labels:
- chart: ingressgateway-0.8.0
+ chart: gateways-1.0.0
release: RELEASE-NAME
heritage: Tiller
+ app: istio-ingressgateway
istio: ingressgateway
spec:
type: LoadBalancer
selector:
+ app: istio-ingressgateway
istio: ingressgateway
ports:
-
- name: http
+ name: http2
nodePort: 31380
port: 80
+ targetPort: 80
-
name: https
nodePort: 31390
@@ -2232,6 +2510,47 @@ spec:
name: tcp
nodePort: 31400
port: 31400
+ -
+ name: tcp-pilot-grpc-tls
+ port: 15011
+ targetPort: 15011
+ -
+ name: tcp-citadel-grpc-tls
+ port: 8060
+ targetPort: 8060
+ -
+ name: http2-prometheus
+ port: 15030
+ targetPort: 15030
+ -
+ name: http2-grafana
+ port: 15031
+ targetPort: 15031
+---
+
+---
+# Source: istio/charts/grafana/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana
+ namespace: istio-system
+ annotations:
+ labels:
+ app: grafana
+ chart: grafana-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ type: NodePort
+ ports:
+ - port: 3000
+ targetPort: 3000
+ protocol: TCP
+ name: http
+ nodePort: 30300
+ selector:
+ app: grafana
---
# Source: istio/charts/mixer/templates/service.yaml
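Review bot: The `istio-ingressgateway` LoadBalancer Service now publishes the control-plane ports 15011 (`tcp-pilot-grpc-tls`) and 8060 (`tcp-citadel-grpc-tls`) plus 15030/15031 (prometheus/grafana) on the external address, while the templates that would consume them, `pilot/templates/meshexpansion.yaml` and `telemetry-gateway/templates/gateway.yaml`, render empty further down in this manifest. Unless mesh expansion is actually in use, drop those four port entries, or at minimum add `loadBalancerSourceRanges:` with the operator's CIDRs so the cloud LB does not forward them from 0.0.0.0/0. Whether Envoy binds those ports depends on Gateway resources outside this hunk, but the LB-level exposure exists regardless of that. Grafana is also re-added here as `type: NodePort` on 30300 on every node, which should be reviewed together with the anonymous-admin settings on its deployment.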
@@ -2242,7 +2561,7 @@ metadata:
name: istio-policy
namespace: istio-system
labels:
- chart: mixer-0.8.0
+ chart: mixer-1.0.0
release: RELEASE-NAME
istio: mixer
spec:
@@ -2263,7 +2582,7 @@ metadata:
name: istio-telemetry
namespace: istio-system
labels:
- chart: mixer-0.8.0
+ chart: mixer-1.0.0
release: RELEASE-NAME
istio: mixer
spec:
@@ -2291,7 +2610,7 @@ metadata:
name: istio-statsd-prom-bridge
namespace: istio-system
labels:
- chart: mixer-0.8.0
+ chart: mixer-1.0.0
release: RELEASE-NAME
istio: statsd-prom-bridge
spec:
@@ -2312,7 +2631,7 @@ metadata:
name: istio-statsd-prom-bridge
namespace: istio-system
labels:
- chart: mixer-0.8.0
+ chart: mixer-1.0.0
release: RELEASE-NAME
istio: mixer
spec:
@@ -2330,7 +2649,7 @@ spec:
name: istio-statsd-prom-bridge
containers:
- name: statsd-prom-bridge
- image: "prom/statsd-exporter:latest"
+ image: "docker.io/prom/statsd-exporter:v0.6.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9102
@@ -2339,8 +2658,9 @@ spec:
args:
- '-statsd.mapping-config=/etc/statsd/mapping.conf'
resources:
- {}
-
+ requests:
+ cpu: 10m
+
volumeMounts:
- name: config-volume
mountPath: /etc/statsd
@@ -2354,17 +2674,11 @@ metadata:
namespace: istio-system
labels:
app: istio-pilot
- chart: pilot-0.8.0
+ chart: pilot-1.0.0
release: RELEASE-NAME
heritage: Tiller
spec:
ports:
- - port: 15003
- name: http-old-discovery # mTLS or non-mTLS depending on auth setting
- - port: 15005
- name: https-discovery # always mTLS
- - port: 15007
- name: http-discovery # always plain-text
- port: 15010
name: grpc-xds # direct
- port: 15011
@@ -2424,6 +2738,7 @@ kind: Service
metadata:
name: servicegraph
namespace: istio-system
+ annotations:
labels:
app: servicegraph
chart: servicegraph-0.1.0
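Review bot: The added `annotations:` key on the `servicegraph` Service has no value, which YAML parses as `null` rather than an empty map; kubectl tolerates it, but yamllint (`empty-values`) and stricter client libraries do not. Prefer `annotations: {}` if the template must emit the key, or omit the line entirely. The same bare key is emitted on the egress/ingress gateway, grafana, jaeger-query and tracing Services elsewhere in this diff.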
@@ -2456,7 +2771,124 @@ spec:
istio: sidecar-injector
---
-# Source: istio/charts/egressgateway/templates/deployment.yaml
+# Source: istio/charts/galley/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-galley
+ namespace: istio-system
+ labels:
+ app: galley
+ chart: galley-1.0.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ istio: galley
+spec:
+ replicas: 1
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ istio: galley
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ serviceAccountName: istio-galley-service-account
+ containers:
+ - name: validator
+ image: "gcr.io/istio-release/galley:1.0.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 443
+ - containerPort: 9093
+ command:
+ - /usr/local/bin/galley
+ - validator
+ - --deployment-namespace=istio-system
+ - --caCertFile=/etc/istio/certs/root-cert.pem
+ - --tlsCertFile=/etc/istio/certs/cert-chain.pem
+ - --tlsKeyFile=/etc/istio/certs/key.pem
+ - --healthCheckInterval=2s
+ - --healthCheckFile=/health
+ - --webhook-config-file
+ - /etc/istio/config/validatingwebhookconfiguration.yaml
+ volumeMounts:
+ - name: certs
+ mountPath: /etc/istio/certs
+ readOnly: true
+ - name: config
+ mountPath: /etc/istio/config
+ readOnly: true
+ livenessProbe:
+ exec:
+ command:
+ - /usr/local/bin/galley
+ - probe
+ - --probe-path=/health
+ - --interval=4s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ readinessProbe:
+ exec:
+ command:
+ - /usr/local/bin/galley
+ - probe
+ - --probe-path=/health
+ - --interval=4s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ resources:
+ requests:
+ cpu: 10m
+
+ volumes:
+ - name: certs
+ secret:
+ secretName: istio.istio-galley-service-account
+ - name: config
+ configMap:
+ name: istio-galley-configuration
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/gateways/templates/deployment.yaml
+
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
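Review bot: The `validator` container registers itself as a cluster-wide validating admission webhook (`--webhook-config-file`) and serves it with the key from `istio.istio-galley-service-account`, yet it runs with no `securityContext` and no resource `limits`, only a 10m CPU request. For a component every Istio config write passes through, add `securityContext: {runAsNonRoot: true, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false}` (assuming the galley image runs unprivileged — confirm against the image) and a memory limit so a bad validation request cannot starve the node. Note also that the `certs` volume is not `optional`, so the pod stays in ContainerCreating until Citadel has issued that secret; a comment such as `# requires citadel to have issued istio.istio-galley-service-account first` would save the next operator a debugging round.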
@@ -2464,23 +2896,26 @@ metadata:
namespace: istio-system
labels:
app: egressgateway
- chart: egressgateway-0.8.0
+ chart: gateways-1.0.0
release: RELEASE-NAME
heritage: Tiller
+ app: istio-egressgateway
istio: egressgateway
spec:
- replicas:
+ replicas: 1
template:
metadata:
labels:
+ app: istio-egressgateway
istio: egressgateway
annotations:
sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-egressgateway-service-account
containers:
- name: egressgateway
- image: "docker.io/istio/proxyv2:0.8.0"
+ image: "gcr.io/istio-release/proxyv2:1.0.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
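Review bot: The egress gateway's `metadata.labels` now contains the key `app` twice — the pre-existing `app: egressgateway` and the added `app: istio-egressgateway`. Duplicate mapping keys are invalid YAML; most parsers silently keep the last one (so `istio-egressgateway` wins here, matching the Service selector), but strict loaders reject the document. Delete the stale `app: egressgateway` line so the labels read unambiguously as `app: istio-egressgateway`.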
@@ -2509,9 +2944,10 @@ spec:
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- - istio-pilot:8080
+ - istio-pilot.istio-system:8080
resources:
- {}
+ requests:
+ cpu: 10m
env:
- name: POD_NAME
@@ -2527,6 +2963,7 @@ spec:
- name: INSTANCE_IP
valueFrom:
fieldRef:
+ apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
@@ -2536,10 +2973,24 @@ spec:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
+ - name: egressgateway-certs
+ mountPath: "/etc/istio/egressgateway-certs"
+ readOnly: true
+ - name: egressgateway-ca-certs
+ mountPath: "/etc/istio/egressgateway-ca-certs"
+ readOnly: true
volumes:
- name: istio-certs
secret:
- secretName: "istio.default"
+ secretName: istio.istio-egressgateway-service-account
+ optional: true
+ - name: egressgateway-certs
+ secret:
+ secretName: "istio-egressgateway-certs"
+ optional: true
+ - name: egressgateway-ca-certs
+ secret:
+ secretName: "istio-egressgateway-ca-certs"
optional: true
affinity:
nodeAffinity:
@@ -2574,93 +3025,7 @@ spec:
operator: In
values:
- s390x
-
----
-# Source: istio/charts/grafana/templates/deployment.yaml
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
- name: grafana
- namespace: istio-system
- labels:
- app: grafana
- chart: grafana-0.1.0
- release: RELEASE-NAME
- heritage: Tiller
-spec:
- replicas: 1
- template:
- metadata:
- labels:
- app: grafana
- annotations:
- sidecar.istio.io/inject: "false"
- spec:
- containers:
- - name: grafana
- image: "docker.io/istio/grafana:0.8.0"
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 3000
- readinessProbe:
- httpGet:
- path: /login
- port: 3000
- env:
- - name: GRAFANA_PORT
- value: "3000"
- - name: GF_AUTH_BASIC_ENABLED
- value: "false"
- - name: GF_AUTH_ANONYMOUS_ENABLED
- value: "true"
- - name: GF_AUTH_ANONYMOUS_ORG_ROLE
- value: Admin
- - name: GF_PATHS_DATA
- value: /data/grafana
- resources:
- {}
-
- volumeMounts:
- - name: data
- mountPath: /data/grafana
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- - amd64
- - ppc64le
- - s390x
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 2
- preference:
- matchExpressions:
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- - amd64
- - weight: 2
- preference:
- matchExpressions:
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- - ppc64le
- - weight: 2
- preference:
- matchExpressions:
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- - s390x
- volumes:
- - name: data
- emptyDir: {}
---
-# Source: istio/charts/ingressgateway/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
@@ -2668,28 +3033,35 @@ metadata:
namespace: istio-system
labels:
app: ingressgateway
- chart: ingressgateway-0.8.0
+ chart: gateways-1.0.0
release: RELEASE-NAME
heritage: Tiller
+ app: istio-ingressgateway
istio: ingressgateway
spec:
- replicas:
+ replicas: 1
template:
metadata:
labels:
+ app: istio-ingressgateway
istio: ingressgateway
annotations:
sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-ingressgateway-service-account
containers:
- name: ingressgateway
- image: "docker.io/istio/proxyv2:0.8.0"
+ image: "gcr.io/istio-release/proxyv2:1.0.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
- containerPort: 31400
+ - containerPort: 15011
+ - containerPort: 8060
+ - containerPort: 15030
+ - containerPort: 15031
args:
- proxy
- router
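Review bot: The ingress gateway's `metadata.labels` has the duplicate-key problem: `app: ingressgateway` survives from the old manifest and `app: istio-ingressgateway` is added beneath it, so the result depends on last-key-wins parser behaviour; remove the old line and keep `app: istio-ingressgateway`. Separately, the container now declares `containerPort` 15011, 8060, 15030 and 15031 on the internet-facing proxy; these only become listeners if a Gateway routes to them, but declaring them here and on the LoadBalancer Service with no such Gateway in this manifest is surface area worth trimming, or at least a comment `# mesh-expansion / telemetry ports; only reachable once a Gateway binds them`.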
@@ -2714,9 +3086,10 @@ spec:
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- - istio-pilot:8080
+ - istio-pilot.istio-system:8080
resources:
- {}
+ requests:
+ cpu: 10m
env:
- name: POD_NAME
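Review bot: The ingress gateway still fetches its configuration with `--controlPlaneAuthPolicy NONE` over the plaintext port `istio-pilot.istio-system:8080`, so the internet-facing proxy's routing and cluster membership arrive unauthenticated from anything that can reach that address. This manifest already mounts the Citadel-issued `istio.istio-ingressgateway-service-account` secret and the pilot Service exposes the TLS xDS port 15011, so switching to `- MUTUAL_TLS` and `- istio-pilot.istio-system:15011` is a two-line change. This is presumably the demo profile's choice (mesh mTLS is disabled throughout), so if it stays, a comment `# demo: plaintext xDS; use MUTUAL_TLS + :15011 when controlPlaneSecurityEnabled` would make the trade-off explicit.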
@@ -2745,15 +3118,107 @@ spec:
- name: ingressgateway-certs
mountPath: "/etc/istio/ingressgateway-certs"
readOnly: true
+ - name: ingressgateway-ca-certs
+ mountPath: "/etc/istio/ingressgateway-ca-certs"
+ readOnly: true
volumes:
- name: istio-certs
secret:
- secretName: "istio.default"
+ secretName: istio.istio-ingressgateway-service-account
optional: true
- name: ingressgateway-certs
secret:
secretName: "istio-ingressgateway-certs"
optional: true
+ - name: ingressgateway-ca-certs
+ secret:
+ secretName: "istio-ingressgateway-ca-certs"
+ optional: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+---
+
+---
+# Source: istio/charts/grafana/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: grafana
+ namespace: istio-system
+ labels:
+ app: grafana
+ chart: grafana-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: grafana
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ containers:
+ - name: grafana
+ image: "gcr.io/istio-release/grafana:1.0.0"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 3000
+ readinessProbe:
+ httpGet:
+ path: /login
+ port: 3000
+ env:
+ - name: GRAFANA_PORT
+ value: "3000"
+ - name: GF_AUTH_BASIC_ENABLED
+ value: "false"
+ - name: GF_AUTH_ANONYMOUS_ENABLED
+ value: "true"
+ - name: GF_AUTH_ANONYMOUS_ORG_ROLE
+ value: Admin
+ - name: GF_PATHS_DATA
+ value: /data/grafana
+ resources:
+ requests:
+ cpu: 10m
+
+ volumeMounts:
+ - name: data
+ mountPath: /data/grafana
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
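Review bot: The re-added Grafana deployment sets `GF_AUTH_ANONYMOUS_ENABLED=true` with `GF_AUTH_ANONYMOUS_ORG_ROLE=Admin` and `GF_AUTH_BASIC_ENABLED=false`, and its Service in this same diff is `type: NodePort` on 30300, so anyone who can reach any node on that port is a Grafana administrator with no login; the chart's `grafana/templates/secret.yaml` renders empty here, so no credential exists at all. For anything beyond a throwaway demo, disable anonymous access and source an admin password from a Secret provisioned out-of-band, as below. If the demo intent is deliberate, say so next to the env block rather than leaving it implicit.
```yaml
        env:
        # … unchanged: GRAFANA_PORT …
        - name: GF_AUTH_BASIC_ENABLED
          value: "true"
        - name: GF_AUTH_ANONYMOUS_ENABLED
          value: "false"
        - name: GF_SECURITY_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: grafana-admin      # must be created separately; no Secret is rendered in this manifest
              key: password
        # … unchanged: GF_PATHS_DATA …
```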
@@ -2787,6 +3252,9 @@ spec:
operator: In
values:
- s390x
+ volumes:
+ - name: data
+ emptyDir: {}
---
# Source: istio/charts/mixer/templates/deployment.yaml
@@ -2797,7 +3265,7 @@ metadata:
name: istio-policy
namespace: istio-system
labels:
- chart: mixer-0.8.0
+ chart: mixer-1.0.0
release: RELEASE-NAME
istio: mixer
spec:
@@ -2805,10 +3273,12 @@ spec:
template:
metadata:
labels:
+ app: policy
istio: mixer
istio-mixer-type: policy
annotations:
sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-mixer-service-account
volumes:
@@ -2816,6 +3286,8 @@ spec:
secret:
secretName: istio.istio-mixer-service-account
optional: true
+ - name: uds-socket
+ emptyDir: {}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@@ -2851,23 +3323,32 @@ spec:
- s390x
containers:
- name: mixer
- image: "docker.io/istio/mixer:0.8.0"
+ image: "gcr.io/istio-release/mixer:1.0.0"
imagePullPolicy: IfNotPresent
ports:
- - containerPort: 9092
- containerPort: 9093
- containerPort: 42422
args:
- --address
- - tcp://127.0.0.1:9092
+ - unix:///sock/mixer.socket
- --configStoreURL=k8s://
- --configDefaultNamespace=istio-system
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans
resources:
- {}
-
+ requests:
+ cpu: 10m
+
+ volumeMounts:
+ - name: uds-socket
+ mountPath: /sock
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: 9093
+ initialDelaySeconds: 5
+ periodSeconds: 5
- name: istio-proxy
- image: "docker.io/istio/proxyv2:0.8.0"
+ image: "gcr.io/istio-release/proxyv2:1.0.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9091
@@ -2897,14 +3378,15 @@ spec:
apiVersion: v1
fieldPath: status.podIP
resources:
- requests:
- cpu: 100m
- memory: 128Mi
-
+ requests:
+ cpu: 10m
+
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
+ - name: uds-socket
+ mountPath: /sock
---
apiVersion: extensions/v1beta1
@@ -2913,7 +3395,7 @@ metadata:
name: istio-telemetry
namespace: istio-system
labels:
- chart: mixer-0.8.0
+ chart: mixer-1.0.0
release: RELEASE-NAME
istio: mixer
spec:
@@ -2921,10 +3403,12 @@ spec:
template:
metadata:
labels:
+ app: telemetry
istio: mixer
istio-mixer-type: telemetry
annotations:
sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-mixer-service-account
volumes:
@@ -2932,25 +3416,36 @@ spec:
secret:
secretName: istio.istio-mixer-service-account
optional: true
+ - name: uds-socket
+ emptyDir: {}
containers:
- name: mixer
- image: "docker.io/istio/mixer:0.8.0"
+ image: "gcr.io/istio-release/mixer:1.0.0"
imagePullPolicy: IfNotPresent
ports:
- - containerPort: 9092
- containerPort: 9093
- containerPort: 42422
args:
- --address
- - tcp://127.0.0.1:9092
+ - unix:///sock/mixer.socket
- --configStoreURL=k8s://
- --configDefaultNamespace=istio-system
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans
resources:
- {}
-
+ requests:
+ cpu: 10m
+
+ volumeMounts:
+ - name: uds-socket
+ mountPath: /sock
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: 9093
+ initialDelaySeconds: 5
+ periodSeconds: 5
- name: istio-proxy
- image: "docker.io/istio/proxyv2:0.8.0"
+ image: "gcr.io/istio-release/proxyv2:1.0.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9091
@@ -2980,14 +3475,15 @@ spec:
apiVersion: v1
fieldPath: status.podIP
resources:
- requests:
- cpu: 100m
- memory: 128Mi
-
+ requests:
+ cpu: 10m
+
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
+ - name: uds-socket
+ mountPath: /sock
---
@@ -2998,10 +3494,10 @@ kind: Deployment
metadata:
name: istio-pilot
namespace: istio-system
- # TODO: default tempate doesn't have this, which one is right ?
+ # TODO: default template doesn't have this, which one is right ?
labels:
app: istio-pilot
- chart: pilot-0.8.0
+ chart: pilot-1.0.0
release: RELEASE-NAME
heritage: Tiller
istio: pilot
@@ -3013,23 +3509,24 @@ spec:
metadata:
labels:
istio: pilot
+ app: pilot
annotations:
sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-pilot-service-account
containers:
- name: discovery
- image: "docker.io/istio/pilot:0.8.0"
+ image: "gcr.io/istio-release/pilot:1.0.0"
imagePullPolicy: IfNotPresent
args:
- "discovery"
-# TODO(sdake) remove when secrets are automagically registered
ports:
- containerPort: 8080
- containerPort: 15010
readinessProbe:
httpGet:
- path: /v1/registration
+ path: /debug/endpointz
port: 8080
initialDelaySeconds: 30
periodSeconds: 30
@@ -3049,8 +3546,12 @@ spec:
value: "500"
- name: PILOT_CACHE_SQUASH
value: "5"
+ - name: PILOT_TRACE_SAMPLING
+ value: "100"
resources:
- {}
+ requests:
+ cpu: 500m
+ memory: 2048Mi
volumeMounts:
- name: config-volume
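Review bot: `PILOT_TRACE_SAMPLING` is set to `"100"`, so every request through the mesh is traced and its headers and paths shipped to the zipkin/jaeger collector, which this same diff exposes through NodePort Services with no authentication. That is fine for a demo but is both a data-volume and a data-exposure problem once real traffic flows; a lower default such as `value: "1"` with a comment `# percent of requests traced; 100 is demo-only` would be safer. The pilot container's definition starts before this hunk.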
@@ -3059,7 +3560,7 @@ spec:
mountPath: /etc/certs
readOnly: true
- name: istio-proxy
- image: "docker.io/istio/proxyv2:0.8.0"
+ image: "gcr.io/istio-release/proxyv2:1.0.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 15003
@@ -3092,8 +3593,7 @@ spec:
fieldPath: status.podIP
resources:
requests:
- cpu: 100m
- memory: 128Mi
+ cpu: 10m
volumeMounts:
- name: istio-certs
@@ -3105,7 +3605,7 @@ spec:
name: istio
- name: istio-certs
secret:
- secretName: "istio.istio-pilot-service-account"
+ secretName: istio.istio-pilot-service-account
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@@ -3164,12 +3664,12 @@ spec:
app: prometheus
annotations:
sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: prometheus
-
containers:
- name: prometheus
- image: "docker.io/prom/prometheus:latest"
+ image: "docker.io/prom/prometheus:v2.3.1"
imagePullPolicy: IfNotPresent
args:
- '--storage.tsdb.retention=6h'
@@ -3186,7 +3686,8 @@ spec:
path: /-/ready
port: 9090
resources:
- {}
+ requests:
+ cpu: 10m
volumeMounts:
- name: config-volume
@@ -3239,7 +3740,7 @@ metadata:
namespace: istio-system
labels:
app: security
- chart: security-0.8.0
+ chart: security-1.0.0
release: RELEASE-NAME
heritage: Tiller
istio: citadel
@@ -3251,20 +3752,22 @@ spec:
istio: citadel
annotations:
sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-citadel-service-account
containers:
- name: citadel
- image: "docker.io/istio/citadel:0.8.0"
+ image: "gcr.io/istio-release/citadel:1.0.0"
imagePullPolicy: IfNotPresent
args:
- --append-dns-names=true
- --grpc-port=8060
- --grpc-hostname=citadel
- - --self-signed-ca=true
- --citadel-storage-namespace=istio-system
+ - --self-signed-ca=true
resources:
- {}
+ requests:
+ cpu: 10m
affinity:
nodeAffinity:
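Review bot: Citadel keeps `--self-signed-ca=true`, so the mesh's root of trust is a key generated inside the cluster and stored as a Secret in `istio-system`; anyone with read access to secrets in that namespace holds the root CA, and rotating it later means re-issuing every workload certificate. For any non-demo install, plug in an externally-held root/intermediate (Istio 1.0 supports this through a `cacerts` secret and `--self-signed-ca=false` — confirm the exact chart option) and add a comment on this line, e.g. `# demo only: in-cluster generated root; supply an external CA for real deployments`. The removed `cleanup-old-ca` Job, Role and RoleBinding elsewhere in this diff also drop the `istio-cleanup-old-ca-service-account`'s permissions, so check that the ServiceAccount itself is deleted too.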
@@ -3320,10 +3823,11 @@ spec:
app: servicegraph
annotations:
sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
containers:
- name: servicegraph
- image: "docker.io/istio/servicegraph:0.8.0"
+ image: "gcr.io/istio-release/servicegraph:1.0.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8088
@@ -3338,7 +3842,8 @@ spec:
path: /graph
port: 8088
resources:
- {}
+ requests:
+ cpu: 10m
affinity:
nodeAffinity:
@@ -3383,21 +3888,24 @@ metadata:
namespace: istio-system
labels:
app: sidecarInjectorWebhook
- chart: sidecarInjectorWebhook-0.8.0
+ chart: sidecarInjectorWebhook-1.0.0
release: RELEASE-NAME
heritage: Tiller
istio: sidecar-injector
spec:
- replicas:
+ replicas: 1
template:
metadata:
labels:
istio: sidecar-injector
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-sidecar-injector-service-account
containers:
- name: sidecar-injector-webhook
- image: "docker.io/istio/sidecar_injector:0.8.0"
+ image: "gcr.io/istio-release/sidecar_injector:1.0.0"
imagePullPolicy: IfNotPresent
args:
- --caCertFile=/etc/istio/certs/root-cert.pem
@@ -3423,7 +3931,7 @@ spec:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/health
- - --interval=2s
+ - --interval=4s
initialDelaySeconds: 4
periodSeconds: 4
readinessProbe:
@@ -3432,9 +3940,13 @@ spec:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/health
- - --interval=2s
+ - --interval=4s
initialDelaySeconds: 4
periodSeconds: 4
+ resources:
+ requests:
+ cpu: 10m
+
volumes:
- name: config-volume
configMap:
@@ -3502,10 +4014,11 @@ spec:
app: jaeger
annotations:
sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
containers:
- name: jaeger
- image: "jaegertracing/all-in-one:1.5"
+ image: "docker.io/jaegertracing/all-in-one:1.5"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9411
@@ -3535,7 +4048,8 @@ spec:
path: /
port: 16686
resources:
- {}
+ requests:
+ cpu: 10m
affinity:
nodeAffinity:
@@ -3572,47 +4086,27 @@ spec:
- s390x
---
-# Source: istio/charts/security/templates/cleanup-old-ca.yaml
-
-apiVersion: batch/v1
-kind: Job
+# Source: istio/charts/pilot/templates/gateway.yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
metadata:
- name: istio-cleanup-old-ca
+ name: istio-autogenerated-k8s-ingress
namespace: istio-system
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-delete-policy": hook-succeeded
- labels:
- app: security
- chart: security-0.8.0
- release: RELEASE-NAME
- heritage: Tiller
spec:
- template:
- metadata:
- name: istio-cleanup-old-ca
- labels:
- app: security
- release: RELEASE-NAME
- spec:
- serviceAccountName: istio-cleanup-old-ca-service-account
- containers:
- - name: hyperkube
- image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
- command:
- - /bin/bash
- - -c
- - >
- NS="-n istio-system";
- ./kubectl get deploy istio-ca $NS;
- if [[ $? = 0 ]]; then ./kubectl delete deploy istio-ca $NS; fi;
- ./kubectl get serviceaccount istio-ca-service-account $NS;
- if [[ $? = 0 ]]; then ./kubectl delete serviceaccount istio-ca-service-account $NS; fi;
- ./kubectl get service istio-ca-ilb $NS;
- if [[ $? = 0 ]]; then ./kubectl delete service istio-ca-ilb $NS; fi
- restartPolicy: Never
+ selector:
+ istio: ingress
+ servers:
+ - port:
+ number: 80
+ protocol: HTTP2
+ name: http
+ hosts:
+ - "*"
+
+---
+
---
-# Source: istio/charts/egressgateway/templates/autoscale.yaml
+# Source: istio/charts/gateways/templates/autoscale.yaml
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
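Review bot: The new `istio-autogenerated-k8s-ingress` Gateway selects workloads labelled `istio: ingress` and accepts HTTP2 on port 80 for `hosts: "*"`, but the gateway pods in this manifest are labelled `istio: ingressgateway` / `istio: egressgateway`; if no deployment carries `istio: ingress` the resource is inert, and if one does (the chart's Kubernetes-Ingress controller, not visible here), it serves every host with no TLS. Either guard it with a comment naming the deployment it targets, e.g. `# binds the istio-ingress (k8s Ingress) deployment; no-op if that chart is disabled`, or drop it when k8s Ingress support is not used. Removing the hyperkube-based `istio-cleanup-old-ca` Job is a good change in itself.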
@@ -3620,7 +4114,7 @@ metadata:
name: istio-egressgateway
namespace: istio-system
spec:
- maxReplicas: 1
+ maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1beta1
@@ -3630,29 +4124,170 @@ spec:
- type: Resource
resource:
name: cpu
- targetAverageUtilization: 80
-
+ targetAverageUtilization: 60
+---
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ maxReplicas: 5
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-ingressgateway
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 60
+---
---
-# Source: istio/charts/ingressgateway/templates/autoscale.yaml
+# Source: istio/charts/mixer/templates/autoscale.yaml
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
- name: istio-ingressgateway
+ name: istio-policy
namespace: istio-system
spec:
+ maxReplicas: 5
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-policy
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+---
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+spec:
+ maxReplicas: 5
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-telemetry
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+---
+
+---
+# Source: istio/charts/pilot/templates/autoscale.yaml
+
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-pilot
+spec:
maxReplicas: 1
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
- name: istio-ingressgateway
+ name: istio-pilot
metrics:
- type: Resource
resource:
name: cpu
- targetAverageUtilization: 80
+ targetAverageUtilization: 55
+---
+
+---
+# Source: istio/charts/tracing/templates/service-jaeger.yaml
+
+
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-query
+ namespace: istio-system
+ annotations:
+ labels:
+ app: jaeger
+ jaeger-infra: jaeger-service
+ chart: tracing-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ spec:
+ type: NodePort
+ ports:
+ - name: query-http
+ port: 16686
+ protocol: TCP
+ targetPort: 16686
+ nodePort: 30686
+ selector:
+ app: jaeger
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-collector
+ namespace: istio-system
+ labels:
+ app: jaeger
+ jaeger-infra: collector-service
+ chart: tracing-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ spec:
+ ports:
+ - name: jaeger-collector-tchannel
+ port: 14267
+ protocol: TCP
+ targetPort: 14267
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ selector:
+ app: jaeger
+ type: ClusterIP
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-agent
+ namespace: istio-system
+ labels:
+ app: jaeger
+ jaeger-infra: agent-service
+ chart: tracing-0.1.0
+ release: RELEASE-NAME
+ heritage: Tiller
+ spec:
+ ports:
+ - name: agent-zipkin-thrift
+ port: 5775
+ protocol: UDP
+ targetPort: 5775
+ - name: agent-compact
+ port: 6831
+ protocol: UDP
+ targetPort: 6831
+ - name: agent-binary
+ port: 6832
+ protocol: UDP
+ targetPort: 6832
+ clusterIP: None
+ selector:
+ app: jaeger
+
---
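Review bot: The new `istio-pilot` HorizontalPodAutoscaler has no `metadata.namespace`, unlike the egress, ingress, policy and telemetry HPAs in this hunk, so `kubectl apply -f istio.yaml` creates it in the caller's current namespace where its `scaleTargetRef` Deployment `istio-pilot` does not exist; add `namespace: istio-system` under its `metadata`. With `minReplicas: 1` and `maxReplicas: 1` it would not scale anything even if placed correctly, which is worth a comment. The `jaeger-query` Service is also published as `type: NodePort` on 30686 with no authentication in front of the UI, which is the same exposure pattern as the Grafana and zipkin NodePorts in this diff.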
@@ -3671,7 +4306,7 @@ items:
release: RELEASE-NAME
heritage: Tiller
spec:
- type: NodePort
+ type: NodePort
ports:
- port: 9411
targetPort: 9411
@@ -3685,6 +4320,7 @@ items:
metadata:
name: tracing
namespace: istio-system
+ annotations:
labels:
app: jaeger
chart: tracing-0.1.0
@@ -3692,14 +4328,12 @@ items:
heritage: Tiller
spec:
ports:
- - name: query-http
+ - name: http-query
port: 80
protocol: TCP
targetPort: 16686
selector:
app: jaeger
- type: LoadBalancer
-
---
# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
@@ -3710,7 +4344,7 @@ metadata:
namespace: istio-system
labels:
app: istio-sidecar-injector
- chart: sidecarInjectorWebhook-0.8.0
+ chart: sidecarInjectorWebhook-1.0.0
release: RELEASE-NAME
heritage: Tiller
webhooks:
@@ -3731,24 +4365,775 @@ webhooks:
matchLabels:
istio-injection: enabled
+
---
-# Source: istio/charts/grafana/templates/ingress.yaml
+# Source: istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl
+
---
-# Source: istio/charts/mixer/templates/config.yaml
+# Source: istio/charts/grafana/templates/grafana-ports-mtls.yaml
+
+
+---
+# Source: istio/charts/grafana/templates/secret.yaml
+
+---
+# Source: istio/charts/pilot/templates/meshexpansion.yaml
+
+
+---
+# Source: istio/charts/security/templates/create-custom-resources-job.yaml
+
+
+---
+# Source: istio/charts/security/templates/enable-mesh-mtls.yaml
+
+
+---
+# Source: istio/charts/security/templates/meshexpansion.yaml
---
-# Source: istio/charts/prometheus/templates/ingress.yaml
---
# Source: istio/charts/servicegraph/templates/ingress.yaml
---
+# Source: istio/charts/telemetry-gateway/templates/gateway.yaml
+
+
+---
+# Source: istio/charts/tracing/templates/ingress-jaeger.yaml
+
+---
# Source: istio/charts/tracing/templates/ingress.yaml
---
-# Source: istio/charts/tracing/templates/service-jaeger.yaml
+# Source: istio/templates/install-custom-resources.sh.tpl
+---
+# Source: istio/charts/mixer/templates/config.yaml
+apiVersion: "config.istio.io/v1alpha2"
+kind: attributemanifest
+metadata:
+ name: istioproxy
+ namespace: istio-system
+spec:
+ attributes:
+ origin.ip:
+ valueType: IP_ADDRESS
+ origin.uid:
+ valueType: STRING
+ origin.user:
+ valueType: STRING
+ request.headers:
+ valueType: STRING_MAP
+ request.id:
+ valueType: STRING
+ request.host:
+ valueType: STRING
+ request.method:
+ valueType: STRING
+ request.path:
+ valueType: STRING
+ request.reason:
+ valueType: STRING
+ request.referer:
+ valueType: STRING
+ request.scheme:
+ valueType: STRING
+ request.total_size:
+ valueType: INT64
+ request.size:
+ valueType: INT64
+ request.time:
+ valueType: TIMESTAMP
+ request.useragent:
+ valueType: STRING
+ response.code:
+ valueType: INT64
+ response.duration:
+ valueType: DURATION
+ response.headers:
+ valueType: STRING_MAP
+ response.total_size:
+ valueType: INT64
+ response.size:
+ valueType: INT64
+ response.time:
+ valueType: TIMESTAMP
+ source.uid:
+ valueType: STRING
+ source.user: # DEPRECATED
+ valueType: STRING
+ source.principal:
+ valueType: STRING
+ destination.uid:
+ valueType: STRING
+ destination.principal:
+ valueType: STRING
+ destination.port:
+ valueType: INT64
+ connection.event:
+ valueType: STRING
+ connection.id:
+ valueType: STRING
+ connection.received.bytes:
+ valueType: INT64
+ connection.received.bytes_total:
+ valueType: INT64
+ connection.sent.bytes:
+ valueType: INT64
+ connection.sent.bytes_total:
+ valueType: INT64
+ connection.duration:
+ valueType: DURATION
+ connection.mtls:
+ valueType: BOOL
+ context.protocol:
+ valueType: STRING
+ context.timestamp:
+ valueType: TIMESTAMP
+ context.time:
+ valueType: TIMESTAMP
+ # Deprecated, kept for compatibility
+ context.reporter.local:
+ valueType: BOOL
+ context.reporter.kind:
+ valueType: STRING
+ context.reporter.uid:
+ valueType: STRING
+ api.service:
+ valueType: STRING
+ api.version:
+ valueType: STRING
+ api.operation:
+ valueType: STRING
+ api.protocol:
+ valueType: STRING
+ request.auth.principal:
+ valueType: STRING
+ request.auth.audiences:
+ valueType: STRING
+ request.auth.presenter:
+ valueType: STRING
+ request.auth.claims:
+ valueType: STRING_MAP
+ request.auth.raw_claims:
+ valueType: STRING
+ request.api_key:
+ valueType: STRING
+
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: attributemanifest
+metadata:
+ name: kubernetes
+ namespace: istio-system
+spec:
+ attributes:
+ source.ip:
+ valueType: IP_ADDRESS
+ source.labels:
+ valueType: STRING_MAP
+ source.metadata:
+ valueType: STRING_MAP
+ source.name:
+ valueType: STRING
+ source.namespace:
+ valueType: STRING
+ source.owner:
+ valueType: STRING
+ source.service: # DEPRECATED
+ valueType: STRING
+ source.serviceAccount:
+ valueType: STRING
+ source.services:
+ valueType: STRING
+ source.workload.uid:
+ valueType: STRING
+ source.workload.name:
+ valueType: STRING
+ source.workload.namespace:
+ valueType: STRING
+ destination.ip:
+ valueType: IP_ADDRESS
+ destination.labels:
+ valueType: STRING_MAP
+ destination.metadata:
+ valueType: STRING_MAP
+ destination.owner:
+ valueType: STRING
+ destination.name:
+ valueType: STRING
+ destination.container.name:
+ valueType: STRING
+ destination.namespace:
+ valueType: STRING
+ destination.service: # DEPRECATED
+ valueType: STRING
+ destination.service.uid:
+ valueType: STRING
+ destination.service.name:
+ valueType: STRING
+ destination.service.namespace:
+ valueType: STRING
+ destination.service.host:
+ valueType: STRING
+ destination.serviceAccount:
+ valueType: STRING
+ destination.workload.uid:
+ valueType: STRING
+ destination.workload.name:
+ valueType: STRING
+ destination.workload.namespace:
+ valueType: STRING
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: stdio
+metadata:
+ name: handler
+ namespace: istio-system
+spec:
+ outputAsJson: true
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: logentry
+metadata:
+ name: accesslog
+ namespace: istio-system
+spec:
+ severity: '"Info"'
+ timestamp: request.time
+ variables:
+ sourceIp: source.ip | ip("0.0.0.0")
+ sourceApp: source.labels["app"] | ""
+ sourcePrincipal: source.principal | ""
+ sourceName: source.name | ""
+ sourceWorkload: source.workload.name | ""
+ sourceNamespace: source.namespace | ""
+ sourceOwner: source.owner | ""
+ destinationApp: destination.labels["app"] | ""
+ destinationIp: destination.ip | ip("0.0.0.0")
+ destinationServiceHost: destination.service.host | ""
+ destinationWorkload: destination.workload.name | ""
+ destinationName: destination.name | ""
+ destinationNamespace: destination.namespace | ""
+ destinationOwner: destination.owner | ""
+ destinationPrincipal: destination.principal | ""
+ apiClaims: request.auth.raw_claims | ""
+ apiKey: request.api_key | request.headers["x-api-key"] | ""
+ protocol: request.scheme | context.protocol | "http"
+ method: request.method | ""
+ url: request.path | ""
+ responseCode: response.code | 0
+ responseSize: response.size | 0
+ requestSize: request.size | 0
+ requestId: request.headers["x-request-id"] | ""
+ clientTraceId: request.headers["x-client-trace-id"] | ""
+ latency: response.duration | "0ms"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ userAgent: request.useragent | ""
+ responseTimestamp: response.time
+ receivedBytes: request.total_size | 0
+ sentBytes: response.total_size | 0
+ referer: request.referer | ""
+ httpAuthority: request.headers[":authority"] | request.host | ""
+ xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ monitored_resource_type: '"global"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: logentry
+metadata:
+ name: tcpaccesslog
+ namespace: istio-system
+spec:
+ severity: '"Info"'
+ timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
+ variables:
+ connectionEvent: connection.event | ""
+ sourceIp: source.ip | ip("0.0.0.0")
+ sourceApp: source.labels["app"] | ""
+ sourcePrincipal: source.principal | ""
+ sourceName: source.name | ""
+ sourceWorkload: source.workload.name | ""
+ sourceNamespace: source.namespace | ""
+ sourceOwner: source.owner | ""
+ destinationApp: destination.labels["app"] | ""
+ destinationIp: destination.ip | ip("0.0.0.0")
+ destinationServiceHost: destination.service.host | ""
+ destinationWorkload: destination.workload.name | ""
+ destinationName: destination.name | ""
+ destinationNamespace: destination.namespace | ""
+ destinationOwner: destination.owner | ""
+ destinationPrincipal: destination.principal | ""
+ protocol: context.protocol | "tcp"
+ connectionDuration: connection.duration | "0ms"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ receivedBytes: connection.received.bytes | 0
+ sentBytes: connection.sent.bytes | 0
+ totalReceivedBytes: connection.received.bytes_total | 0
+ totalSentBytes: connection.sent.bytes_total | 0
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ monitored_resource_type: '"global"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: stdio
+ namespace: istio-system
+spec:
+ match: context.protocol == "http" || context.protocol == "grpc"
+ actions:
+ - handler: handler.stdio
+ instances:
+ - accesslog.logentry
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: stdiotcp
+ namespace: istio-system
+spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: handler.stdio
+ instances:
+ - tcpaccesslog.logentry
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: requestcount
+ namespace: istio-system
+spec:
+ value: "1"
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: requestduration
+ namespace: istio-system
+spec:
+ value: response.duration | "0ms"
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: requestsize
+ namespace: istio-system
+spec:
+ value: request.size | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: responsesize
+ namespace: istio-system
+spec:
+ value: response.size | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: tcpbytesent
+ namespace: istio-system
+spec:
+ value: connection.sent.bytes | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.name | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: tcpbytereceived
+ namespace: istio-system
+spec:
+ value: connection.received.bytes | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.name | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: prometheus
+metadata:
+ name: handler
+ namespace: istio-system
+spec:
+ metrics:
+ - name: requests_total
+ instance_name: requestcount.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - connection_security_policy
+ - name: request_duration_seconds
+ instance_name: requestduration.metric.istio-system
+ kind: DISTRIBUTION
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - connection_security_policy
+ buckets:
+ explicit_buckets:
+ bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
+ - name: request_bytes
+ instance_name: requestsize.metric.istio-system
+ kind: DISTRIBUTION
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - connection_security_policy
+ buckets:
+ exponentialBuckets:
+ numFiniteBuckets: 8
+ scale: 1
+ growthFactor: 10
+ - name: response_bytes
+ instance_name: responsesize.metric.istio-system
+ kind: DISTRIBUTION
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - connection_security_policy
+ buckets:
+ exponentialBuckets:
+ numFiniteBuckets: 8
+ scale: 1
+ growthFactor: 10
+ - name: tcp_sent_bytes_total
+ instance_name: tcpbytesent.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - name: tcp_received_bytes_total
+ instance_name: tcpbytereceived.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promhttp
+ namespace: istio-system
+spec:
+ match: context.protocol == "http" || context.protocol == "grpc"
+ actions:
+ - handler: handler.prometheus
+ instances:
+ - requestcount.metric
+ - requestduration.metric
+ - requestsize.metric
+ - responsesize.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promtcp
+ namespace: istio-system
+spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: handler.prometheus
+ instances:
+ - tcpbytesent.metric
+ - tcpbytereceived.metric
+---
+
+apiVersion: "config.istio.io/v1alpha2"
+kind: kubernetesenv
+metadata:
+ name: handler
+ namespace: istio-system
+spec:
+ # when running from mixer root, use the following config after adding a
+ # symbolic link to a kubernetes config file via:
+ #
+ # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
+ #
+ # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
+
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: kubeattrgenrulerule
+ namespace: istio-system
+spec:
+ actions:
+ - handler: handler.kubernetesenv
+ instances:
+ - attributes.kubernetes
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: tcpkubeattrgenrulerule
+ namespace: istio-system
+spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: handler.kubernetesenv
+ instances:
+ - attributes.kubernetes
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: kubernetes
+metadata:
+ name: attributes
+ namespace: istio-system
+spec:
+ # Pass the required attribute data to the adapter
+ source_uid: source.uid | ""
+ source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
+ destination_uid: destination.uid | ""
+ destination_port: destination.port | 0
+ attribute_bindings:
+ # Fill the new attributes from the adapter produced output.
+ # $out refers to an instance of OutputTemplate message
+ source.ip: $out.source_pod_ip | ip("0.0.0.0")
+ source.uid: $out.source_pod_uid | "unknown"
+ source.labels: $out.source_labels | emptyStringMap()
+ source.name: $out.source_pod_name | "unknown"
+ source.namespace: $out.source_namespace | "default"
+ source.owner: $out.source_owner | "unknown"
+ source.serviceAccount: $out.source_service_account_name | "unknown"
+ source.workload.uid: $out.source_workload_uid | "unknown"
+ source.workload.name: $out.source_workload_name | "unknown"
+ source.workload.namespace: $out.source_workload_namespace | "unknown"
+ destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
+ destination.uid: $out.destination_pod_uid | "unknown"
+ destination.labels: $out.destination_labels | emptyStringMap()
+ destination.name: $out.destination_pod_name | "unknown"
+ destination.container.name: $out.destination_container_name | "unknown"
+ destination.namespace: $out.destination_namespace | "default"
+ destination.owner: $out.destination_owner | "unknown"
+ destination.serviceAccount: $out.destination_service_account_name | "unknown"
+ destination.workload.uid: $out.destination_workload_uid | "unknown"
+ destination.workload.name: $out.destination_workload_name | "unknown"
+ destination.workload.namespace: $out.destination_workload_namespace | "unknown"
+
+---
+# Configuration needed by Mixer.
+# Mixer cluster is delivered via CDS
+# Specify mixer cluster settings
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-policy
+ namespace: istio-system
+spec:
+ host: istio-policy.istio-system.svc.cluster.local
+ trafficPolicy:
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+spec:
+ host: istio-telemetry.istio-system.svc.cluster.local
+ trafficPolicy:
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+---