package
0.0.0-20241220073514-a37a6d3c3b99
Repository: https://github.com/istio-ecosystem/sail-operator.git
Documentation: pkg.go.dev

# Constants

Use the policy defined by the parent scope.
Proxy to control plane traffic is wrapped into mutual TLS connections.
Do not encrypt proxy to control plane traffic.
Do not setup a TLS connection to the upstream endpoint.
Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.
Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.
Originate a TLS connection to the upstream endpoint.
Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.
When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it.
When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.
Do not send the XFCC header to the next hop.
When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
Field is not set.
Selects all Ingress resources, with or without Istio annotation.
No ingress or sync.
Selects only resources with Istio annotation.
Unspecified Istio ingress controller.
IstioCNIConditionReady signifies whether the istio-cni-node DaemonSet is ready.
IstioCNIConditionReconciled signifies whether the controller has successfully reconciled the resources defined through the CR.
IstioCNIDaemonSetNotReady indicates that the istio-cni-node DaemonSet is not ready.
IstioCNIReasonHealthy indicates that the control plane is fully reconciled and that all components are ready.
IstioCNIReasonReadinessCheckFailed indicates that the DaemonSet readiness status could not be ascertained.
IstioCNIReasonReconcileError indicates that the reconciliation of the resource has failed, but will be retried.
IstioConditionReady signifies whether any Deployment, StatefulSet, etc.
IstioConditionReconciled signifies whether the controller has successfully reconciled the resources defined through the CR.
IstioReasonFailedToGetActiveRevision indicates that a failure occurred when getting the active IstioRevision.
IstioReasonHealthy indicates that the control plane is fully reconciled and that all components are ready.
IstioReasonIstiodNotReady indicates that the control plane is fully reconciled, but istiod is not ready.
IstioReasonReadinessCheckFailed indicates that readiness could not be ascertained.
IstioReasonReconcileError indicates that the reconciliation of the resource has failed, but will be retried.
IstioReasonRemoteIstiodNotReady indicates that the control plane is fully reconciled, but the remote istiod is not ready.
IstioReasonRevisionNotFound indicates that the active IstioRevision is not found.
IstioRevisionConditionInUse signifies whether any workload is configured to use the revision.
IstioRevisionConditionReady signifies whether any Deployment, StatefulSet, etc.
IstioRevisionConditionReconciled signifies whether the controller has successfully reconciled the resources defined through the CR.
IstioRevisionReasonHealthy indicates that the control plane is fully reconciled and that all components are ready.
IstioRevisionReasonIstiodNotReady indicates that the control plane is fully reconciled, but istiod is not ready.
IstioRevisionReasonNotReferenced indicates that the revision is not referenced by any pod or namespace.
IstioRevisionReasonReadinessCheckFailed indicates that istiod readiness status could not be ascertained.
IstioRevisionReasonReconcileError indicates that the reconciliation of the resource has failed, but will be retried.
IstioRevisionReasonReferencedByWorkloads indicates that the revision is referenced by at least one pod or namespace.
IstioRevisionReasonRemoteIstiodNotReady indicates that the remote istiod is not ready.
IstioRevisionReasonUsageCheckFailed indicates that the operator could not check whether any workloads use the revision.
IstioRevisionConditionInUse signifies whether any workload is configured to use the revision.
IstioRevisionConditionReconciled signifies whether the controller has successfully reconciled the resources defined through the CR.
IstioRevisionTagReasonHealthy indicates that the revision tag has been successfully reconciled and is in use.
IstioRevisionTagNameAlreadyExists indicates that a revision with the same name as the IstioRevisionTag already exists.
IstioRevisionReasonNotReferenced indicates that the revision is not referenced by any pod or namespace.
IstioRevisionReasonReconcileError indicates that the reconciliation of the resource has failed, but will be retried.
IstioRevisionReasonReferencedByWorkloads indicates that the revision is referenced by at least one pod or namespace.
IstioRevisionTagReasonReferenceNotFound indicates that the resource referenced by the tag's TargetRef was not found.
IstioRevisionReasonUsageCheckFailed indicates that the operator could not check whether any workloads use the revision.
JSON encoding for the proxy access log.
Text encoding for the proxy access log.
Use multi-header B3 context propagation using the `X-B3-TraceId`, `X-B3-SpanId`, and `X-B3-Sampled` HTTP headers.
Use Cloud Trace context propagation using the `X-Cloud-Trace-Context` HTTP header.
Use gRPC binary context propagation using the `grpc-trace-bin` HTTP header.
+hidefromdoc Unspecified context.
Use W3C Trace Context propagation using the `traceparent` HTTP header.
Do not upgrade connections to HTTP/2.
Upgrade the connections to HTTP/2.
Inbound traffic will be sent to the destinations listening on localhost.
Inbound traffic will be passed through to the destination listening on Pod IP.
Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingressClass parameter described earlier.
Disables Istio ingress controller.
Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingressClass parameter described earlier.
Unspecified Istio ingress controller.
In `ALLOW_ANY` mode, any traffic to unknown destinations will be allowed.
In `REGISTRY_ONLY` mode, unknown outbound traffic will be dropped.
Normalize according to [RFC 3986](https://tools.ietf.org/html/rfc3986).
In addition to normalization in `MERGE_SLASHES`, slash characters are UTF-8 decoded (case insensitive) prior to merging.
Apply default normalizations.
In addition to the `BASE` normalization, consecutive slashes are also merged.
No normalization, paths are used as is.
Automatically choose the optimal TLS version.
TLS version 1.2.
TLS version 1.3.
Outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntries for the destination port.
Restrict outbound traffic to services defined in the service registry as well as those defined through ServiceEntries.
The `NONE` mode does not configure redirect to Envoy at all.
The `REDIRECT` mode uses iptables `REDIRECT` to `NAT` and redirect to Envoy.
The `TPROXY` mode uses iptables `TPROXY` to redirect to Envoy.
Only append the istio metadata exchange headers for services considered in-mesh.
Existing Istio behavior for the metadata exchange headers is unchanged.
Default scheme.
Uses the canonical name and namespace for a workload.
Uses the canonical name for a workload (*excluding namespace*).
Set to only receive service entries that are generated by the platform.
Use multi-header B3 context propagation using the `X-B3-TraceId`, `X-B3-SpanId`, and `X-B3-Sampled` HTTP headers.
Use Cloud Trace context propagation using the `X-Cloud-Trace-Context` HTTP header.
Use gRPC binary context propagation using the `grpc-trace-bin` HTTP header.
+hidefromdoc Unspecified context.
Use W3C Trace Context propagation using the `traceparent` HTTP header.
Selects for scenarios when the workload is the source of the network traffic.
Selects for scenarios when the workload is either the source or destination of the network traffic.
Selects for scenarios when the workload is the destination of the network traffic.
Default value, which will be interpreted by its own usage.
ZTunnelConditionReady signifies whether the ztunnel DaemonSet is ready.
ZTunnelConditionReconciled signifies whether the controller has successfully reconciled the resources defined through the CR.
ZTunnelDaemonSetNotReady indicates that the ztunnel DaemonSet is not ready.
ZTunnelReasonHealthy indicates that the control plane is fully reconciled and that all components are ready.
ZTunnelReasonReadinessCheckFailed indicates that the DaemonSet readiness status could not be ascertained.
ZTunnelReasonReconcileError indicates that the reconciliation of the resource has failed, but will be retried.

# Variables

AddToScheme adds the types in this group-version to the given scheme.
GroupVersion is group version used to register these objects.
SchemeBuilder is used to add go types to the GroupVersionKind scheme.

# Structs

ArchConfig specifies the pod scheduling target architecture (amd64, ppc64le, s390x, arm64) for all the Istio control plane components.
+hidefromdoc Certificate configures the provision of a certificate and its key.
SSL/TLS related settings for upstream connections.
Configuration for CNI.
CNIGlobalConfig is a subset of the Global Configuration used in the Istio CNI chart.
ConfigSource describes information about a configuration store inside a mesh.
TCP keepalive.
DefaultPodDisruptionBudgetConfig specifies the default pod disruption budget configuration.
ExperimentalConfig is a placeholder for experimental installation features.
Global Configuration for Istio components.
GlobalLoggingConfig specifies the global logging level settings for the Istio control plane components.
Describes the retry policy to use when an HTTP request fails.
Istio represents an Istio Service Mesh deployment consisting of one or more control plane instances (represented by one or more IstioRevision objects).
IstioCNI represents a deployment of the Istio CNI component.
IstioCNICondition represents a specific observation of the IstioCNI object's state.
IstioCNIList contains a list of IstioCNI.
IstioCNISpec defines the desired state of IstioCNI.
IstioCNIStatus defines the observed state of IstioCNI.
IstioCondition represents a specific observation of the IstioCondition object's state.
IstioList contains a list of Istio.
IstioRevision represents a single revision of an Istio Service Mesh deployment.
IstioRevisionCondition represents a specific observation of the IstioRevision object's state.
IstioRevisionList contains a list of IstioRevision.
IstioRevisionSpec defines the desired state of IstioRevision. +kubebuilder:validation:XValidation:rule="self.values.global.istioNamespace == self.__namespace__",message="spec.values.global.istioNamespace must match spec.namespace".
IstioRevisionStatus defines the observed state of IstioRevision.
IstioRevisionTag references an Istio or IstioRevision object and serves as an alias for sidecar injection.
IstioRevisionCondition represents a specific observation of the IstioRevision object's state.
IstioRevisionList contains a list of IstioRevision.
IstioRevisionTagSpec defines the desired state of IstioRevisionTag.
IstioRevisionStatus defines the observed state of IstioRevision.
IstioRevisionTagTargetReference can reference either Istio or IstioRevision objects in the cluster.
IstioSpec defines the desired state of Istio. +kubebuilder:validation:XValidation:rule="!has(self.values) || !has(self.values.global) || !has(self.values.global.istioNamespace) || self.values.global.istioNamespace == self.__namespace__",message="spec.values.global.istioNamespace must match spec.namespace".
IstioStatus defines the observed state of Istio.
IstioUpdateStrategy defines how the control plane should be updated when the version in the Istio CR is updated.
Locality-weighted load balancing allows administrators to control the distribution of traffic to endpoints based on the localities of where the traffic originates and where it will terminate.
Describes how traffic originating in the 'from' zone or sub-zone is distributed over a set of 'to' zones.
Specify the traffic failover policy across regions.
MeshConfig defines mesh-wide settings for the Istio service mesh.
+kubebuilder:validation:XValidation:message="At most one of [pem spiffeBundleUrl] should be set",rule="(has(self.pem)?1:0) + (has(self.spiffeBundleUrl)?1:0) <= 1".
Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified.
+kubebuilder:validation:XValidation:message="At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc zipkin lightstep datadog stackdriver opencensus skywalking opentelemetry prometheus envoyFileAccessLog envoyHttpAls envoyTcpAls envoyOtelAls] should be set",rule="(has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) <= 1".
Defines configuration for a Datadog tracer.
Defines configuration for Envoy-based access logging that writes to local files (and/or standard streams).
+kubebuilder:validation:XValidation:message="At most one of [text labels] should be set",rule="(has(self.text)?1:0) + (has(self.labels)?1:0) <= 1".
Defines configuration for an Envoy [Access Logging Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als) integration for HTTP traffic.
Defines configuration for an Envoy [OpenTelemetry (gRPC) Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto).
Defines configuration for an Envoy [Access Logging Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als) integration for TCP traffic.
Defines configuration for a gRPC service that can be used by an Extension Provider.
Defines configuration for an HTTP service that can be used by an Extension Provider.
Defines configuration for a Lightstep tracer.
Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.
Defines configuration for an OpenTelemetry tracing backend.
Dynatrace Resource Detector.
OpenTelemetry Environment Resource Detector.
Defines configuration for a SkyWalking tracer.
Defines configuration for Stackdriver.
Defines configuration for a Zipkin tracer.
`OutboundTrafficPolicy` sets the default behavior of the sidecar for handling unknown outbound traffic from the application.
ProxyConfig defines variables for individual Envoy instances.
+hidefromdoc Settings to be applied to select services.
Settings for the selected services.
MeshNetworks (config map) provides information about the set of networks inside a mesh and how to route to endpoints in each network.
MultiClusterConfig specifies the Configuration for Istio mesh across multiple clusters through the istio gateways.
Network provides information about the endpoints in a routable L3 network.
The gateway associated with this network.
NetworkEndpoints describes how the network associated with an endpoint should be inferred.
OutboundTrafficPolicyConfig controls the default behavior of the sidecar for handling outbound traffic from the application.
Configuration for Pilot.
Controls whether Istio policy is applied to Pilot.
PolicyTargetReference format as defined by [GEP-2648](https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules).
Configuration for a port.
PortSelector is the criteria for specifying if a policy can be applied to a listener having a specific port.
PrivateKeyProvider defines private key configuration for gateways and sidecars.
CryptoMb PrivateKeyProvider configuration.
QAT (QuickAssist Technology) PrivateKeyProvider configuration.
Configuration for Proxy.
Proxy stats name matchers for stats creation.
The following values are used to construct proxy image url.
Configuration for proxy_init container which sets the pods' networking to intercept the inbound/outbound traffic.
Configuration for the resource quotas for the CNI DaemonSet.
Configuration for K8s resource requests.
RevisionSummary contains information on the number of IstioRevisions associated with this Istio.
SDS defines secret discovery service (SDS) configuration to be used by the proxy.
Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
Configuration for secret volume mounts.
SidecarInjectorConfig is described in istio.io documentation.
Configuration for Security Token Service (STS) server.
Configuration for CPU or memory target utilization for HorizontalPodAutoscaler target.
Controls telemetry configuration.
Controls whether pilot will configure telemetry v2.
Controls telemetry v2 prometheus settings.
TelemetryV2StackDriverConfig controls telemetry v2 stackdriver settings.
Topology describes the configuration for relative location of a proxy with respect to intermediate trusted proxies and the client.
PROXY protocol configuration.
Configuration for each of the supported tracers.
Configuration for the datadog tracing service.
Configuration for the lightstep tracing service.
Configuration for the stackdriver tracing service.
Configuration for the zipkin tracing service.
Tracing defines configuration for the tracing performed by Envoy instances.
Configure custom tags that will be added to any active span.
Datadog defines configuration for a Datadog tracer.
Environment is the proxy's environment variable to be used for populating the custom span tag.
+hidefromdoc Defines configuration for a Lightstep tracer.
Literal type represents a static value.
OpenCensusAgent defines configuration for an OpenCensus tracer writing to an OpenCensus agent backend.
RequestHeader is the HTTP request header which will be used to populate the span tag.
Stackdriver defines configuration for a Stackdriver tracer.
Zipkin defines configuration for a Zipkin tracer.
Configuration for Waypoint proxies.
WorkloadSelector specifies the criteria used to determine if a policy can be applied to a proxy.
ZeroVPNConfig enables cross-cluster access using SNI matching.
ZTunnel represents a deployment of the Istio ztunnel component.
ZTunnelCondition represents a specific observation of the ZTunnel object's state.
Configuration for ztunnel.
ZTunnelGlobalConfig is a subset of the Global Configuration used in the Istio ztunnel chart.
ZTunnelList contains a list of ZTunnel.
ZTunnelSpec defines the desired state of ZTunnel.
ZTunnelStatus defines the observed state of ZTunnel.

# Type aliases

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
TLS connection mode. +kubebuilder:validation:Enum=DISABLE;SIMPLE;MUTUAL;ISTIO_MUTUAL.
ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) header is handled by a proxy.
Mode for the ingress controller.
IstioCNIConditionReason represents a short message indicating how the condition came to be in its present state.
IstioCNIConditionType represents the type of the condition.
IstioConditionReason represents a short message indicating how the condition came to be in its present state.
IstioConditionType represents the type of the condition.
IstioRevisionConditionReason represents a short message indicating how the condition came to be in its present state.
IstioRevisionConditionType represents the type of the condition.
IstioRevisionConditionReason represents a short message indicating how the condition came to be in its present state.
IstioRevisionConditionType represents the type of the condition.
+kubebuilder:validation:Enum=TEXT;JSON.
+hidefromdoc +kubebuilder:validation:Enum=NONE;MUTUAL_TLS.
TraceContext selects the context propagation headers used for distributed tracing.
Default policy for upgrading HTTP/1.1 connections to HTTP/2.
+kubebuilder:validation:Enum=PASSTHROUGH;LOCALHOST.
+kubebuilder:validation:Enum=UNSPECIFIED;OFF;DEFAULT;STRICT.
+kubebuilder:validation:Enum=REGISTRY_ONLY;ALLOW_ANY.
+kubebuilder:validation:Enum=DEFAULT;NONE;BASE;MERGE_SLASHES;DECODE_AND_MERGE_SLASHES.
TLS protocol versions.
Specifies the sidecar's default behavior when handling outbound traffic from the application.
The mode used to redirect inbound traffic to Envoy.
+kubebuilder:validation:Enum=UNDEFINED;IN_MESH.
Allows specification of various Istio-supported naming schemes for the Envoy `service_cluster` value.
Resource describes the source of configuration. +kubebuilder:validation:Enum=SERVICE_REGISTRY.
Specifies which tracer to use.
TraceContext selects the context propagation headers used for distributed tracing.
WorkloadMode allows selection of the role of the underlying workload in network traffic.
ZTunnelConditionReason represents a short message indicating how the condition came to be in its present state.
ZTunnelConditionType represents the type of the condition.