The default capture mode defined by the environment.

Capture traffic using IPtables redirection.

No traffic capture.

Do not setup a TLS connection to the upstream endpoint.

Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.

Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.

Originate a TLS connection to the upstream endpoint.

Use the global default.

Do not upgrade the connection to http2.

Upgrade the connection to http2.

Preflight requests not matching the configured allowed origin will be forwarded to the upstream.

Preflight requests not matching the configured allowed origin will not be forwarded to the upstream.

Default to FORWARD.

All listeners/routes/clusters in both sidecars and gateways.

DEPRECATED.

Applies the patch to a cluster in a CDS output.

Applies the patch to or adds an extension config in ECDS output.

Applies the patch to the filter chain.

Gateway listener/route/cluster.

Applies the patch to the HTTP filter chain in the http connection manager, to modify an existing filter or add a new filter.

Applies the patch to a route object inside the matched virtual host in a route configuration.

Applies the patch to the listener.

Applies the patch to the listener filter.

Applies the patch to the network filter chain, to modify an existing filter or add a new filter.

Add the provided config to an existing list (of listeners, clusters, virtual hosts, network filters, or http filters).

Insert filter after Istio authentication filters.

Insert filter after Istio authorization filters.

Insert operation on an array of named objects.

Insert operation on an array of named objects.

Insert operation on an array of named objects.

Merge the provided config with the generated config using proto merge semantics.

Remove the selected object from the list (of listeners, clusters, virtual hosts, network filters, routes, or http filters).

Replace contents of a named filter with new contents.

Insert filter before Istio stats filters.

Control plane decides where to insert the filter.

Applies the patch to the Route configuration (rds output) inside a HTTP connection manager.

All three route actions.

directly respond to a request with specific payload.

Redirect request.

Route traffic to a cluster / weighted clusters.

Inbound listener/route/cluster in sidecar.

Outbound listener/route/cluster in sidecar.

Applies the patch to a virtual host inside a route configuration.

Deprecated.

The least request load balancer spreads load across endpoints, favoring endpoints with the least outstanding requests.

This option will forward the connection to the original IP address requested by the caller without doing any form of load balancing.

The random load balancer selects a random healthy host.

A basic round robin load balancing policy.

No load balancing algorithm has been specified by the user.

In `ALLOW_ANY` mode, any traffic to unknown destinations will be allowed.

In `REGISTRY_ONLY` mode, unknown outbound traffic will be dropped.

Similar to the passthrough mode, except servers with this TLS mode do not require an associated VirtualService to map from the SNI value to service in the registry.

Secure connections from the downstream using mutual TLS by presenting server certificates for authentication.

Secure connections to the downstream using mutual TLS by presenting server certificates for authentication.

Similar to MUTUAL mode, except that the client certificate is optional.

The SNI string presented by the client will be used as the match criterion in a VirtualService TLS route to determine the destination service from the service registry.

Secure connections with standard TLS semantics.

Automatically choose the optimal TLS version.

TLS version 1.0.

TLS version 1.1.

TLS version 1.2.

TLS version 1.3.

Attempt to resolve the IP address by querying the ambient DNS, asynchronously.

Attempt to resolve the IP address by querying the ambient DNS, asynchronously.

Signifies that the service is external to the mesh.

Signifies that the service is part of the mesh.

Assume that incoming connections have already been resolved (to a specific destination IP address).

Use the static IP addresses specified in endpoints (see below) as the backing instances associated with the service.

⁣PROXY protocol version 1.

⁣PROXY protocol version 2.

Enum value maps for CaptureMode.

Enum value maps for CaptureMode.

Enum value maps for ClientTLSSettings_TLSmode.

Enum value maps for ClientTLSSettings_TLSmode.

Enum value maps for ConnectionPoolSettings_HTTPSettings_H2UpgradePolicy.

Enum value maps for ConnectionPoolSettings_HTTPSettings_H2UpgradePolicy.

Enum value maps for CorsPolicy_UnmatchedPreflights.

Enum value maps for CorsPolicy_UnmatchedPreflights.

Enum value maps for EnvoyFilter_ApplyTo.

Enum value maps for EnvoyFilter_ApplyTo.

Enum value maps for EnvoyFilter_Patch_FilterClass.

Enum value maps for EnvoyFilter_Patch_FilterClass.

Enum value maps for EnvoyFilter_Patch_Operation.

Enum value maps for EnvoyFilter_Patch_Operation.

Enum value maps for EnvoyFilter_PatchContext.

Enum value maps for EnvoyFilter_PatchContext.

Enum value maps for EnvoyFilter_RouteConfigurationMatch_RouteMatch_Action.

Enum value maps for EnvoyFilter_RouteConfigurationMatch_RouteMatch_Action.

Enum value maps for HTTPRedirect_RedirectPortSelection.

Enum value maps for HTTPRedirect_RedirectPortSelection.

Enum value maps for LoadBalancerSettings_SimpleLB.

Enum value maps for LoadBalancerSettings_SimpleLB.

Enum value maps for OutboundTrafficPolicy_Mode.

Enum value maps for OutboundTrafficPolicy_Mode.

Enum value maps for ServerTLSSettings_TLSmode.

Enum value maps for ServerTLSSettings_TLSmode.

Enum value maps for ServerTLSSettings_TLSProtocol.

Enum value maps for ServerTLSSettings_TLSProtocol.

Enum value maps for ServiceEntry_Location.

Enum value maps for ServiceEntry_Location.

Enum value maps for ServiceEntry_Resolution.

Enum value maps for ServiceEntry_Resolution.

Enum value maps for TrafficPolicy_ProxyProtocol_VERSION.

Enum value maps for TrafficPolicy_ProxyProtocol_VERSION.

SSL/TLS related settings for upstream connections.

Connection pool settings for an upstream host.

Settings applicable to HTTP1.1/HTTP2/GRPC connections.

Settings common to both HTTP and TCP upstream connections.

TCP keepalive.

Describes the Cross-Origin Resource Sharing (CORS) policy, for a given service.

Describes the delegate VirtualService.

Destination indicates the network addressable service to which the request/connection will be sent after processing a routing rule.

DestinationRule defines policies that apply to traffic intended for a service after routing has occurred.

EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot.

Conditions specified in `ClusterMatch` must be met for the patch to be applied to a cluster.

One or more match conditions to be met before a patch is applied to the generated configuration for a given proxy.

Changes to be made to various envoy config objects.

Conditions specified in a listener match must be met for the patch to be applied to a specific listener across all filter chains, or a specific filter chain inside the listener.

For listeners with multiple filter chains (e.g., inbound listeners on sidecars with permissive mTLS, gateway listeners with multiple SNI matches), the filter chain match can be used to select a specific filter chain to patch.

Conditions to match a specific filter within a filter chain.

Conditions to match a specific filter within another filter.

Patch specifies how the selected object should be modified.

One or more properties of the proxy to match on.

Conditions specified in RouteConfigurationMatch must be met for the patch to be applied to a route configuration object or a specific virtual host within the route configuration.

Match a specific route inside a virtual host in a route configuration.

Match a specific virtual host inside a route configuration.

Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.

Message headers can be manipulated when Envoy forwards requests to, or responses from, a destination service.

HeaderOperations Describes the header manipulations to apply.

HTTPDirectResponse can be used to send a fixed response to clients.

HTTPFaultInjection can be used to specify one or more faults to inject while forwarding HTTP requests to the destination specified in a route.

Abort specification is used to prematurely abort a request with a pre-specified error code.

Delay specification is used to inject latency into the request forwarding path.

HttpMatchRequest specifies a set of criteria to be met in order for the rule to be applied to the HTTP request.

HTTPMirrorPolicy can be used to specify the destinations to mirror HTTP traffic in addition to the original destination.

HTTPRedirect can be used to send a 301 redirect response to the caller, where the Authority/Host and the URI in the response can be swapped with the specified values.

Describes the retry policy to use when a HTTP request fails.

HTTPRewrite can be used to rewrite specific parts of a HTTP request before forwarding the request to the destination.

Describes match conditions and actions for routing HTTP/1.1, HTTP2, and gRPC traffic.

Each routing rule is associated with one or more service versions (see glossary in beginning of document).

`IstioEgressListener` specifies the properties of an outbound traffic listener on the sidecar proxy attached to a workload instance.

`IstioIngressListener` specifies the properties of an inbound traffic listener on the sidecar proxy attached to a workload instance.

L4 connection match attributes.

Load balancing policies to apply for a specific destination.

Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other properties.

Describes a HTTP cookie that will be used as the hash key for the Consistent Hash load balancer.

Locality-weighted load balancing allows administrators to control the distribution of traffic to endpoints based on the localities of where the traffic originates and where it will terminate.

Describes how traffic originating in the 'from' zone or sub-zone is distributed over a set of 'to' zones.

Specify the traffic failover policy across regions.

`OutboundTrafficPolicy` sets the default behavior of the sidecar for handling unknown outbound traffic from the application.

A Circuit breaker implementation that tracks the status of each individual host in the upstream service.

Percent specifies a percentage in the range of [0.0, 100.0].

Port describes the properties of a specific port of a service.

PortSelector specifies the number of a port to be used for matching or selection for final routing.

L4 routing rule weighted destination.

`Server` describes the properties of the proxy on a given load balancer port.

ServiceEntry enables adding additional entries into Istio's internal service registry.

minor abstraction to allow for adding hostnames if relevant.

ServicePort describes the properties of a specific port of a service.

`Sidecar` describes the configuration of the sidecar proxy that mediates inbound and outbound communication of the workload instance to which it is attached.

Port describes the properties of a specific port of a service.

Describes how to match a given string in HTTP headers.

A subset of endpoints of a service.

Describes match conditions and actions for routing TCP traffic.

TLS connection match attributes.

Describes match conditions and actions for routing unterminated TLS traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS traffic arriving at port 443 of gateway called "mygateway" to internal services in the mesh based on the SNI value.

Traffic policies to apply for a specific destination, across all destination ports.

Traffic policies that apply to specific ports of the service.

Configuration affecting traffic routing.

WorkloadEntry enables specifying the properties of a single non-Kubernetes workload such a VM or a bare metal services that can be referred to by service entries.

`WorkloadGroup` enables specifying the properties of a single workload for bootstrap and provides a template for `WorkloadEntry`, similar to how `Deployment` specifies properties of workloads via `Pod` templates.

`ObjectMeta` describes metadata that will be attached to a `WorkloadEntry`.

`WorkloadSelector` specifies the criteria used to determine if the `Gateway`, `Sidecar`, `EnvoyFilter`, `ServiceEntry`, or `DestinationRule` configuration can be applied to a proxy.

`CaptureMode` describes how traffic to a listener is expected to be captured.

TLS connection mode.

Policy for upgrading http1.1 connections to http2.

`ApplyTo` specifies where in the Envoy configuration, the given patch should be applied.

FilterClass determines the filter insertion point in the filter chain relative to the filters implicitly inserted by the control plane.

Operation denotes how the patch should be applied to the selected configuration.

PatchContext selects a class of configurations based on the traffic flow direction and workload type.

Action refers to the route action taken by Envoy when a http route matches.

+kubebuilder:validation:XValidation:message="only one of warmupDurationSecs or warmup can be set",rule="(has(self.warmupDurationSecs)?1:0)+(has(self.warmup)?1:0)<=1" Standard load balancing algorithms that require no tuning.

TLS modes enforced by the proxy.

TLS protocol versions.

Location specifies whether the service is part of Istio mesh or outside the mesh.

Resolution determines how the proxy will resolve the IP addresses of the network endpoints associated with the service, so that it can route to one of them.