The default capture mode defined by the environment.

Capture traffic using IPtables redirection.

No traffic capture.

Do not setup a TLS connection to the upstream endpoint.

Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.

Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.

Originate a TLS connection to the upstream endpoint.

Use the global default.

Do not upgrade the connection to http2.

Upgrade the connection to http2.

Preflight requests not matching the configured allowed origin will be forwarded to the upstream.

Preflight requests not matching the configured allowed origin will not be forwarded to the upstream.

Default to FORWARD.

Deprecated.

The least request load balancer spreads load across endpoints, favoring endpoints with the least outstanding requests.

This option will forward the connection to the original IP address requested by the caller without doing any form of load balancing.

The random load balancer selects a random healthy host.

A basic round robin load balancing policy.

No load balancing algorithm has been specified by the user.

In `ALLOW_ANY` mode, any traffic to unknown destinations will be allowed.

In `REGISTRY_ONLY` mode, unknown outbound traffic will be dropped.

Similar to the passthrough mode, except servers with this TLS mode do not require an associated VirtualService to map from the SNI value to service in the registry.

Secure connections from the downstream using mutual TLS by presenting server certificates for authentication.

Secure connections to the downstream using mutual TLS by presenting server certificates for authentication.

Similar to MUTUAL mode, except that the client certificate is optional.

The SNI string presented by the client will be used as the match criterion in a VirtualService TLS route to determine the destination service from the service registry.

Secure connections with standard TLS semantics.

Automatically choose the optimal TLS version.

TLS version 1.0.

TLS version 1.1.

TLS version 1.2.

TLS version 1.3.

Attempt to resolve the IP address by querying the ambient DNS, asynchronously.

Attempt to resolve the IP address by querying the ambient DNS, asynchronously.

Signifies that the service is external to the mesh.

Signifies that the service is part of the mesh.

Assume that incoming connections have already been resolved (to a specific destination IP address).

Use the static IP addresses specified in endpoints (see below) as the backing instances associated with the service.

⁣PROXY protocol version 1.

⁣PROXY protocol version 2.

`CaptureMode` describes how traffic to a listener is expected to be captured.

SSL/TLS related settings for upstream connections.

TLS connection mode.

Connection pool settings for an upstream host.

Settings applicable to HTTP1.1/HTTP2/GRPC connections.

Policy for upgrading http1.1 connections to http2.

Settings common to both HTTP and TCP upstream connections.

TCP keepalive.

Describes the Cross-Origin Resource Sharing (CORS) policy, for a given service.

Describes the delegate VirtualService.

Destination indicates the network addressable service to which the request/connection will be sent after processing a routing rule.

DestinationRule defines policies that apply to traffic intended for a service after routing has occurred.

Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.

Message headers can be manipulated when Envoy forwards requests to, or responses from, a destination service.

HeaderOperations Describes the header manipulations to apply.

response body as base64 encoded bytes.

response body as a string.

HTTPDirectResponse can be used to send a fixed response to clients.

HTTPFaultInjection can be used to specify one or more faults to inject while forwarding HTTP requests to the destination specified in a route.

Abort specification is used to prematurely abort a request with a pre-specified error code.

GRPC status code to use to abort the request.

$hide_from_docs.

HTTP status code to use to abort the Http request.

Delay specification is used to inject latency into the request forwarding path.

$hide_from_docs.

Add a fixed delay before forwarding the request.

HttpMatchRequest specifies a set of criteria to be met in order for the rule to be applied to the HTTP request.

HTTPMirrorPolicy can be used to specify the destinations to mirror HTTP traffic in addition to the original destination.

HTTPRedirect can be used to send a 301 redirect response to the caller, where the Authority/Host and the URI in the response can be swapped with the specified values.

On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.

On a redirect, overwrite the port portion of the URL with this value.

Describes the retry policy to use when a HTTP request fails.

HTTPRewrite can be used to rewrite specific parts of a HTTP request before forwarding the request to the destination.

Describes match conditions and actions for routing HTTP/1.1, HTTP2, and gRPC traffic.

Each routing rule is associated with one or more service versions (see glossary in beginning of document).

`IstioEgressListener` specifies the properties of an outbound traffic listener on the sidecar proxy attached to a workload instance.

`IstioIngressListener` specifies the properties of an inbound traffic listener on the sidecar proxy attached to a workload instance.

L4 connection match attributes.

Load balancing policies to apply for a specific destination.

Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other properties.

Hash based on HTTP cookie.

Describes a HTTP cookie that will be used as the hash key for the Consistent Hash load balancer.

Hash based on a specific HTTP header.

Hash based on a specific HTTP query parameter.

The Maglev load balancer implements consistent hashing to backend hosts.

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

Hash based on the source IP address.

+kubebuilder:validation:XValidation:message="only one of warmupDurationSecs or warmup can be set",rule="(has(self.warmupDurationSecs)?1:0)+(has(self.warmup)?1:0)<=1" Standard load balancing algorithms that require no tuning.

Locality-weighted load balancing allows administrators to control the distribution of traffic to endpoints based on the localities of where the traffic originates and where it will terminate.

Describes how traffic originating in the 'from' zone or sub-zone is distributed over a set of 'to' zones.

Specify the traffic failover policy across regions.

`OutboundTrafficPolicy` sets the default behavior of the sidecar for handling unknown outbound traffic from the application.

A Circuit breaker implementation that tracks the status of each individual host in the upstream service.

Percent specifies a percentage in the range of [0.0, 100.0].

Port describes the properties of a specific port of a service.

PortSelector specifies the number of a port to be used for matching or selection for final routing.

Health is determined by how the command that is executed exited.

`httpGet` is performed to a given endpoint and the status/able to connect determines health.

Health is determined by if the proxy is able to connect.

L4 routing rule weighted destination.

`Server` describes the properties of the proxy on a given load balancer port.

TLS modes enforced by the proxy.

TLS protocol versions.

ServiceEntry enables adding additional entries into Istio's internal service registry.

Location specifies whether the service is part of Istio mesh or outside the mesh.

Resolution determines how the proxy will resolve the IP addresses of the network endpoints associated with the service, so that it can route to one of them.

minor abstraction to allow for adding hostnames if relevant.

ServicePort describes the properties of a specific port of a service.

`Sidecar` describes the configuration of the sidecar proxy that mediates inbound and outbound communication of the workload instance to which it is attached.

Port describes the properties of a specific port of a service.

Describes how to match a given string in HTTP headers.

exact string match.

prefix-based match.

[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).

A subset of endpoints of a service.

Describes match conditions and actions for routing TCP traffic.

TLS connection match attributes.

Describes match conditions and actions for routing unterminated TLS traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS traffic arriving at port 443 of gateway called "mygateway" to internal services in the mesh based on the SNI value.

Traffic policies to apply for a specific destination, across all destination ports.

Traffic policies that apply to specific ports of the service.

Configuration affecting traffic routing.

WorkloadEntry enables specifying the properties of a single non-Kubernetes workload such a VM or a bare metal services that can be referred to by service entries.

`WorkloadGroup` enables specifying the properties of a single workload for bootstrap and provides a template for `WorkloadEntry`, similar to how `Deployment` specifies properties of workloads via `Pod` templates.

`ObjectMeta` describes metadata that will be attached to a `WorkloadEntry`.

`WorkloadSelector` specifies the criteria used to determine if the `Gateway`, `Sidecar`, `EnvoyFilter`, `ServiceEntry`, or `DestinationRule` configuration can be applied to a proxy.