The default capture mode defined by the environment.

Capture traffic using IPtables redirection.

No traffic capture.

Configs with this scope are visible to only workloads in the same namespace as the configuration resource.

Config with this scope are visible to all workloads in the mesh.

Http filter.

placeholder.

Network filter.

Insert after the named filter.

Insert before the named filter.

Insert first.

Insert last.

All protocols.

All listeners.

Gateway listener.

HTTP or HTTPS (with termination) / HTTP2/gRPC.

Inbound listener in sidecar.

Outbound listener in sidecar.

Any non-HTTP listener.

The least request load balancer uses an O(1) algorithm which selects two random healthy hosts and picks the host which has fewer active requests.

This option will forward the connection to the original IP address requested by the caller without doing any form of load balancing.

The random load balancer selects a random healthy host.

Round Robin policy.

Similar to the passthrough mode, except servers with this TLS mode do not require an associated VirtualService to map from the SNI value to service in the registry.

Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.

The SNI string presented by the client will be used as the match criterion in a VirtualService TLS route to determine the destination service from the service registry.

Secure connections with standard TLS semantics.

Automatically choose the optimal TLS version.

TLS version 1.0.

TLS version 1.1.

TLS version 1.2.

TLS version 1.3.

Attempt to resolve the IP address by querying the ambient DNS, during request processing.

Signifies that the service is external to the mesh.

Signifies that the service is part of the mesh.

Assume that incoming connections have already been resolved (to a specific destination IP address).

Use the static IP addresses specified in endpoints (see below) as the backing instances associated with the service.

Do not setup a TLS connection to the upstream endpoint.

Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.

Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.

Originate a TLS connection to the upstream endpoint.

Connection pool settings for an upstream host.

Settings applicable to HTTP1.1/HTTP2/GRPC connections.

Settings common to both HTTP and TCP upstream connections.

TCP keepalive.

Describes the Cross-Origin Resource Sharing (CORS) policy, for a given service.

Destination indicates the network addressable service to which the request/connection will be sent after processing a routing rule.

`DestinationRule` defines policies that apply to traffic intended for a service after routing has occurred.

`EnvoyFilter` describes Envoy proxy-specific filters that can be used to customize the Envoy proxy configuration generated by Istio networking subsystem (Pilot).

Envoy filters to be added to a network or http filter chain.

Indicates the relative index in the filter chain where the filter should be inserted.

Select a listener to add the filter to based on the match conditions.

`Gateway` describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.

Header manipulation rules.

HeaderOperations Describes the header manipulations to apply.

HTTPFaultInjection can be used to specify one or more faults to inject while forwarding http requests to the destination specified in a route.

Abort specification is used to prematurely abort a request with a pre-specified error code.

Delay specification is used to inject latency into the request forwarding path.

HttpMatchRequest specifies a set of criterion to be met in order for the rule to be applied to the HTTP request.

HTTPRedirect can be used to send a 301 redirect response to the caller, where the Authority/Host and the URI in the response can be swapped with the specified values.

Describes the retry policy to use when a HTTP request fails.

HTTPRewrite can be used to rewrite specific parts of a HTTP request before forwarding the request to the destination.

Describes match conditions and actions for routing HTTP/1.1, HTTP2, and gRPC traffic.

Each routing rule is associated with one or more service versions (see glossary in beginning of document).

IstioEgressListener specifies the properties of an outbound traffic listener on the sidecar proxy attached to a workload.

$hide_from_docs IstioIngressListener specifies the properties of an inbound traffic listener on the sidecar proxy attached to a workload.

L4 connection match attributes.

Load balancing policies to apply for a specific destination.

Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other properties.

Describes a HTTP cookie that will be used as the hash key for the Consistent Hash load balancer.

Originating -> upstream cluster locality weight set, support wildcard matching '*' '*' matches all localities 'region1/*' matches all zones in region1.

A Circuit breaker implementation that tracks the status of each individual host in the upstream service.

Percent specifies a percentage in the range of [0.0, 100.0].

Port describes the properties of a specific port of a service.

PortSelector specifies the number of a port to be used for matching or selection for final routing.

L4 routing rule weighted destination.

`Server` describes the properties of the proxy on a given load balancer port.

`ServiceEntry` enables adding additional entries into Istio's internal service registry, so that auto-discovered services in the mesh can access/route to these manually specified services.

Endpoint defines a network address (IP or hostname) associated with the mesh service.

`Sidecar` describes the configuration of the sidecar proxy that mediates inbound and outbound communication to the workload it is attached to.

Describes how to match a given string in HTTP headers.

A subset of endpoints of a service.

Describes match conditions and actions for routing TCP traffic.

TLS connection match attributes.

Describes match conditions and actions for routing unterminated TLS traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS traffic arriving at port 443 of gateway called "mygateway" to internal services in the mesh based on the SNI value.

SSL/TLS related settings for upstream connections.

Traffic policies to apply for a specific destination, across all destination ports.

Traffic policies that apply to specific ports of the service.

A `VirtualService` defines a set of traffic routing rules to apply when a host is addressed.

WorkloadSelector specifies the criteria used to determine if the Gateway or Sidecar resource can be applied to a proxy.

$hide_from_docs CaptureMode describes how traffic to a listener is expected to be captured.

ConfigScope defines the visibility of an Istio configuration artifact in a namespace when the namespace is imported.

Index/position in the filter chain.

Standard load balancing algorithms that require no tuning.

TLS modes enforced by the proxy.

TLS protocol versions.

Location specifies whether the service is part of Istio mesh or outside the mesh.

Resolution determines how the proxy will resolve the IP addresses of the network endpoints associated with the service, so that it can route to one of them.

TLS connection mode.