Use the policy defined by the parent scope.

Proxy to control plane traffic is wrapped into mutual TLS connections.

Do not encrypt proxy to control plane traffic.

Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.

When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it.

When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.

Do not send the XFCC header to the next hop.

When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.

Field is not set.

Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingressClass parameter described earlier.

Do not upgrade connections to http2.

Use multi-header B3 context propagation using the `X-B3-TraceId`, `X-B3-SpanId`, and `X-B3-Sampled` HTTP headers.

Use Cloud Trace context propagation using the `X-Cloud-Trace-Context` http header.

Use gRPC binary context propagation using the `grpc-trace-bin` http header.

$hide_from_docs Unspecified context.

Use W3C Trace Context propagation using the `traceparent` HTTP header.

inbound traffic will be sent to the destinations listening on localhost.

inbound traffic will be passed through to the destination listening on Pod IP.

json encoding for the proxy access log.

Disables Istio ingress controller.

In `ALLOW_ANY` mode, any traffic to unknown destinations will be allowed.

In `REGISTRY_ONLY` mode, unknown outbound traffic will be dropped.

Normalize according to [RFC 3986](https://tools.ietf.org/html/rfc3986).

In addition to normalization in `MERGE_SLASHES`, slash characters are UTF-8 decoded (case insensitive) prior to merging.

Apply default normalizations.

In addition to the `BASE` normalization, consecutive slashes are also merged.

No normalization, paths are used as is.

Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingressClass parameter described earlier.

text encoding for the proxy access log.

Automatically choose the optimal TLS version.

TLS version 1.2.

TLS version 1.3.

Unspecified Istio ingress controller.

Upgrade the connections to http2.

Default scheme.

Uses the canonical name and namespace for a workload.

Uses the canonical name for a workload (*excluding namespace*).

The `NONE` mode does not configure redirect to Envoy at all.

Only append the istio metadata exchange headers for services considered in-mesh.

Existing Istio behavior for the metadata exchange headers is unchanged.

The `REDIRECT` mode uses iptables `REDIRECT` to `NAT` and redirect to Envoy.

The `TPROXY` mode uses iptables `TPROXY` to redirect to Envoy.

Set to only receive service entries that are generated by the platform.

Use multi-header B3 context propagation using the `X-B3-TraceId`, `X-B3-SpanId`, and `X-B3-Sampled` HTTP headers.

Use Cloud Trace context propagation using the `X-Cloud-Trace-Context` http header.

Use gRPC binary context propagation using the `grpc-trace-bin` http header.

$hide_from_docs Unspecified context.

Use W3C Trace Context propagation using the `traceparent` HTTP header.

Enum value maps for AuthenticationPolicy.

Enum value maps for AuthenticationPolicy.

Enum value maps for ForwardClientCertDetails.

Enum value maps for ForwardClientCertDetails.

Enum value maps for MeshConfig_AccessLogEncoding.

Enum value maps for MeshConfig_AccessLogEncoding.

Enum value maps for MeshConfig_AuthPolicy.

Enum value maps for MeshConfig_AuthPolicy.

Enum value maps for MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider_TraceContext.

Enum value maps for MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider_TraceContext.

Enum value maps for MeshConfig_H2UpgradePolicy.

Enum value maps for MeshConfig_H2UpgradePolicy.

Enum value maps for MeshConfig_InboundTrafficPolicy_Mode.

Enum value maps for MeshConfig_InboundTrafficPolicy_Mode.

Enum value maps for MeshConfig_IngressControllerMode.

Enum value maps for MeshConfig_IngressControllerMode.

Enum value maps for MeshConfig_OutboundTrafficPolicy_Mode.

Enum value maps for MeshConfig_OutboundTrafficPolicy_Mode.

Enum value maps for MeshConfig_ProxyPathNormalization_NormalizationType.

Enum value maps for MeshConfig_ProxyPathNormalization_NormalizationType.

Enum value maps for MeshConfig_TLSConfig_TLSProtocol.

Enum value maps for MeshConfig_TLSConfig_TLSProtocol.

Enum value maps for ProxyConfig_InboundInterceptionMode.

Enum value maps for ProxyConfig_InboundInterceptionMode.

Enum value maps for ProxyConfig_ProxyHeaders_MetadataExchangeMode.

Enum value maps for ProxyConfig_ProxyHeaders_MetadataExchangeMode.

Enum value maps for ProxyConfig_TracingServiceName.

Enum value maps for ProxyConfig_TracingServiceName.

Enum value maps for Resource.

Enum value maps for Resource.

Enum value maps for Tracing_OpenCensusAgent_TraceContext.

Enum value maps for Tracing_OpenCensusAgent_TraceContext.

$hide_from_docs Certificate configures the provision of a certificate and its key.

ConfigSource describes information about a configuration store inside a mesh.

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

MeshConfig defines mesh-wide settings for the Istio service mesh.

Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified.

Defines configuration for a Datadog tracer.

Defines configuration for Envoy-based access logging that writes to local files (and/or standard streams).

Defines configuration for an Envoy [Access Logging Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als) integration for HTTP traffic.

Defines configuration for an Envoy [OpenTelemetry (gRPC) Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto).

Defines configuration for an Envoy [Access Logging Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als) integration for TCP traffic.

Defines configuration for an GRPC service that can be used by an Extension Provider.

Defines configuration for an HTTP service that can be used by an Extension Provider.

Defines configuration for a Lightstep tracer.

Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

Defines configuration for an OpenTelemetry tracing backend.

Dynatrace Resource Detector.

OpenTelemetry Environment Resource Detector.

Defines configuration for a SkyWalking tracer.

Defines configuration for Stackdriver.

Defines configuration for a Zipkin tracer.

`OutboundTrafficPolicy` sets the default behavior of the sidecar for handling unknown outbound traffic from the application.

$hide_from_docs Settings to be applied to select services.

Settings for the selected services.

MeshNetworks (config map) provides information about the set of networks inside a mesh and how to route to endpoints in each network.

Network provides information about the endpoints in a routable L3 network.

The gateway associated with this network.

NetworkEndpoints describes how the network associated with an endpoint should be inferred.

PrivateKeyProvider defines private key configuration for gateways and sidecars.

CryptoMb PrivateKeyProvider configuration.

QAT (QuickAssist Technology) PrivateKeyProvider configuration.

ProxyConfig defines variables for individual Envoy instances.

Proxy stats name matchers for stats creation.

SDS defines secret discovery service(SDS) configuration to be used by the proxy.

Topology describes the configuration for relative location of a proxy with respect to intermediate trusted proxies and the client.

PROXY protocol configuration.

Tracing defines configuration for the tracing performed by Envoy instances.

Configure custom tags that will be added to any active span.

Datadog defines configuration for a Datadog tracer.

Environment is the proxy's environment variable to be used for populating the custom span tag.

$hide_from_docs Defines configuration for a Lightstep tracer.

Literal type represents a static value.

OpenCensusAgent defines configuration for an OpenCensus tracer writing to an OpenCensus agent backend.

RequestHeader is the HTTP request header which will be used to populate the span tag.

Stackdriver defines configuration for a Stackdriver tracer.

Zipkin defines configuration for a Zipkin tracer.

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.

ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) header is handled by a proxy.

$hide_from_docs.

TraceContext selects the context propagation headers used for distributed tracing.

Default Policy for upgrading http1.1 connections to http2.

TLS protocol versions.

The mode used to redirect inbound traffic to Envoy.

Allows specification of various Istio-supported naming schemes for the Envoy `service_cluster` value.

Resource describes the source of configuration.

TraceContext selects the context propagation headers used for distributed tracing.