2019独角兽企业重金招聘Python工程师标准>>> 
==============遥测=====================================
演示如何从网格中收集遥测信息。
分布式跟踪。如何配置代理以向Zipkin或Jaeger发送跟踪请求
收集度量标准和日志。此任务说明如何配置Istio以收集度量标准和日志。
收集TCP服务的度量标准。此任务说明如何配置Istio以收集TCP服务的度量标准。
查询普罗米修斯的指标。此任务说明如何使用Prometheus查询Istio指标。
使用Grafana可视化度量标准。此任务说明如何设置和使用Istio仪表板来监视网格流量。
生成服务图。此任务说明如何在Istio网格中生成服务图。
使用流利的日志记录。此任务说明如何配置Istio以记录到Fluentd守护程序
参考:https://istio.io/docs/tasks/telemetry/
[root@es-cluster-16-203 istio-0.8.0]# kubectl get svc --all-namespaces -o wide
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
istio-system grafana NodePort 10.107.95.110
istio-system istio-citadel ClusterIP 10.108.92.127
istio-system istio-egressgateway ClusterIP 10.102.75.11
istio-system istio-ingressgateway NodePort 10.108.182.215
istio-system istio-pilot ClusterIP 10.96.123.16
istio-system istio-policy ClusterIP 10.111.105.105
istio-system istio-sidecar-injector ClusterIP 10.103.198.142
istio-system istio-statsd-prom-bridge ClusterIP 10.103.191.43
istio-system istio-telemetry ClusterIP 10.111.255.9
istio-system prometheus ClusterIP 10.98.2.55
istio-system servicegraph ClusterIP 10.103.179.215
istio-system tracing NodePort 10.101.234.215
istio-system zipkin NodePort 10.108.245.11
-----------------收集度量标准和日志-----------------
https://istio.io/docs/tasks/telemetry/metrics-logs/
/root/istio-0.8.0/bin/istioctl create -f new_telemetry.yaml
-----------------收集TCP服务的度量标准-----------------
https://istio.io/docs/tasks/telemetry/tcp-metrics/
/root/istio-0.8.0/bin/istioctl create -f tcp_telemetry.yaml
查询度量标准:Prometheus
地址:http://192.168.16.203:NodePort
分布式跟踪: tracing(jaeger),zipkin
地址:http://192.168.16.203:30323/search
使用Istio仪表板: grafana
地址:http://192.168.16.203:31076/?orgId=1
配置Prometheus为数据源,默认监控仪表板
istio-dashboard:
pilot-dashboard:
mixer-dashboard:
istio-demo.yaml
apiVersion: v1
kind: Namespace
metadata:
name: istio-system
---
# Source: istio/charts/mixer/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-statsd-prom-bridge
namespace: istio-system
labels:
app: istio-statsd-prom-bridge
chart: mixer-0.8.0
release: RELEASE-NAME
heritage: Tiller
istio: mixer
data:
mapping.conf: |-
---
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-mixer-custom-resources
namespace: istio-system
labels:
app: istio-mixer
chart: mixer-0.8.0
release: RELEASE-NAME
heritage: Tiller
istio: mixer
data:
custom-resources.yaml: |-
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
name: istioproxy
namespace: istio-system
spec:
attributes:
origin.ip:
valueType: IP_ADDRESS
origin.uid:
valueType: STRING
origin.user:
valueType: STRING
request.headers:
valueType: STRING_MAP
request.id:
valueType: STRING
request.host:
valueType: STRING
request.method:
valueType: STRING
request.path:
valueType: STRING
request.reason:
valueType: STRING
request.referer:
valueType: STRING
request.scheme:
valueType: STRING
request.total_size:
valueType: INT64
request.size:
valueType: INT64
request.time:
valueType: TIMESTAMP
request.useragent:
valueType: STRING
response.code:
valueType: INT64
response.duration:
valueType: DURATION
response.headers:
valueType: STRING_MAP
response.total_size:
valueType: INT64
response.size:
valueType: INT64
response.time:
valueType: TIMESTAMP
source.uid:
valueType: STRING
source.user:
valueType: STRING
destination.uid:
valueType: STRING
connection.id:
valueType: STRING
connection.received.bytes:
valueType: INT64
connection.received.bytes_total:
valueType: INT64
connection.sent.bytes:
valueType: INT64
connection.sent.bytes_total:
valueType: INT64
connection.duration:
valueType: DURATION
connection.mtls:
valueType: BOOL
context.protocol:
valueType: STRING
context.timestamp:
valueType: TIMESTAMP
context.time:
valueType: TIMESTAMP
api.service:
valueType: STRING
api.version:
valueType: STRING
api.operation:
valueType: STRING
api.protocol:
valueType: STRING
request.auth.principal:
valueType: STRING
request.auth.audiences:
valueType: STRING
request.auth.presenter:
valueType: STRING
request.auth.claims:
valueType: STRING_MAP
request.auth.raw_claims:
valueType: STRING
request.api_key:
valueType: STRING
---
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
name: kubernetes
namespace: istio-system
spec:
attributes:
source.ip:
valueType: IP_ADDRESS
source.labels:
valueType: STRING_MAP
source.name:
valueType: STRING
source.namespace:
valueType: STRING
source.service:
valueType: STRING
source.serviceAccount:
valueType: STRING
destination.ip:
valueType: IP_ADDRESS
destination.labels:
valueType: STRING_MAP
destination.name:
valueType: STRING
destination.namespace:
valueType: STRING
destination.service:
valueType: STRING
destination.serviceAccount:
valueType: STRING
---
apiVersion: "config.istio.io/v1alpha2"
kind: stdio
metadata:
name: handler
namespace: istio-system
spec:
outputAsJson: true
---
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
metadata:
name: accesslog
namespace: istio-system
spec:
severity: '"Info"'
timestamp: request.time
variables:
originIp: origin.ip | ip("0.0.0.0")
sourceIp: source.ip | ip("0.0.0.0")
sourceService: source.service | ""
sourceUser: source.user | source.uid | ""
sourceNamespace: source.namespace | ""
destinationIp: destination.ip | ip("0.0.0.0")
destinationService: destination.service | ""
destinationNamespace: destination.namespace | ""
apiName: api.service | ""
apiVersion: api.version | ""
apiClaims: request.headers["sec-istio-auth-userinfo"]| ""
apiKey: request.api_key | request.headers["x-api-key"] | ""
requestOperation: api.operation | ""
protocol: request.scheme | "http"
method: request.method | ""
url: request.path | ""
responseCode: response.code | 0
responseSize: response.size | 0
requestSize: request.size | 0
latency: response.duration | "0ms"
connectionMtls: connection.mtls | false
userAgent: request.useragent | ""
responseTimestamp: response.time
receivedBytes: request.total_size | connection.received.bytes | 0
sentBytes: response.total_size | connection.sent.bytes | 0
referer: request.referer | ""
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: stdio
namespace: istio-system
spec:
match: "true" # If omitted match is true.
actions:
- handler: handler.stdio
instances:
- accesslog.logentry
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: requestcount
namespace: istio-system
spec:
value: "1"
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
response_code: response.code | 200
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: requestduration
namespace: istio-system
spec:
value: response.duration | "0ms"
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
response_code: response.code | 200
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: requestsize
namespace: istio-system
spec:
value: request.size | 0
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
response_code: response.code | 200
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: responsesize
namespace: istio-system
spec:
value: response.size | 0
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
response_code: response.code | 200
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: tcpbytesent
namespace: istio-system
labels:
istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp
spec:
value: connection.sent.bytes | 0
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: tcpbytereceived
namespace: istio-system
labels:
istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp
spec:
value: connection.received.bytes | 0
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: prometheus
metadata:
name: handler
namespace: istio-system
spec:
metrics:
- name: request_count
instance_name: requestcount.metric.istio-system
kind: COUNTER
label_names:
- source_service
- source_version
- destination_service
- destination_version
- response_code
- connection_mtls
- name: request_duration
instance_name: requestduration.metric.istio-system
kind: DISTRIBUTION
label_names:
- source_service
- source_version
- destination_service
- destination_version
- response_code
- connection_mtls
buckets:
explicit_buckets:
bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
- name: request_size
instance_name: requestsize.metric.istio-system
kind: DISTRIBUTION
label_names:
- source_service
- source_version
- destination_service
- destination_version
- response_code
- connection_mtls
buckets:
exponentialBuckets:
numFiniteBuckets: 8
scale: 1
growthFactor: 10
- name: response_size
instance_name: responsesize.metric.istio-system
kind: DISTRIBUTION
label_names:
- source_service
- source_version
- destination_service
- destination_version
- response_code
- connection_mtls
buckets:
exponentialBuckets:
numFiniteBuckets: 8
scale: 1
growthFactor: 10
- name: tcp_bytes_sent
instance_name: tcpbytesent.metric.istio-system
kind: COUNTER
label_names:
- source_service
- source_version
- destination_service
- destination_version
- connection_mtls
- name: tcp_bytes_received
instance_name: tcpbytereceived.metric.istio-system
kind: COUNTER
label_names:
- source_service
- source_version
- destination_service
- destination_version
- connection_mtls
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: promhttp
namespace: istio-system
labels:
istio-protocol: http
spec:
actions:
- handler: handler.prometheus
instances:
- requestcount.metric
- requestduration.metric
- requestsize.metric
- responsesize.metric
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: promtcp
namespace: istio-system
labels:
istio-protocol: tcp # needed so that mixer will only execute when context.protocol == TCP
spec:
actions:
- handler: handler.prometheus
instances:
- tcpbytesent.metric
- tcpbytereceived.metric
---
apiVersion: "config.istio.io/v1alpha2"
kind: kubernetesenv
metadata:
name: handler
namespace: istio-system
spec:
# when running from mixer root, use the following config after adding a
# symbolic link to a kubernetes config file via:
#
# $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
#
# kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: kubeattrgenrulerule
namespace: istio-system
spec:
actions:
- handler: handler.kubernetesenv
instances:
- attributes.kubernetes
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: tcpkubeattrgenrulerule
namespace: istio-system
spec:
match: context.protocol == "tcp"
actions:
- handler: handler.kubernetesenv
instances:
- attributes.kubernetes
---
apiVersion: "config.istio.io/v1alpha2"
kind: kubernetes
metadata:
name: attributes
namespace: istio-system
spec:
# Pass the required attribute data to the adapter
source_uid: source.uid | ""
source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
destination_uid: destination.uid | ""
origin_uid: '""'
origin_ip: ip("0.0.0.0") # default to unspecified ip addr
attribute_bindings:
# Fill the new attributes from the adapter produced output.
# $out refers to an instance of OutputTemplate message
source.ip: $out.source_pod_ip | ip("0.0.0.0")
source.labels: $out.source_labels | emptyStringMap()
source.namespace: $out.source_namespace | "default"
source.service: $out.source_service | "unknown"
source.serviceAccount: $out.source_service_account_name | "unknown"
destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
destination.labels: $out.destination_labels | emptyStringMap()
destination.namespace: $out.destination_namespace | "default"
destination.service: $out.destination_service | "unknown"
destination.serviceAccount: $out.destination_service_account_name | "unknown"
---
# Configuration needed by Mixer.
# Mixer cluster is delivered via CDS
# Specify mixer cluster settings
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-policy
namespace: istio-system
spec:
host: istio-policy.istio-system.svc.cluster.local
trafficPolicy:
connectionPool:
http:
http2MaxRequests: 10000
maxRequestsPerConnection: 10000
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-telemetry
namespace: istio-system
spec:
host: istio-telemetry.istio-system.svc.cluster.local
trafficPolicy:
connectionPool:
http:
http2MaxRequests: 10000
maxRequestsPerConnection: 10000
---
---
# Source: istio/charts/prometheus/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: prometheus
namespace: istio-system
labels:
app: prometheus
chart: prometheus-0.1.0
release: RELEASE-NAME
heritage: Tiller
data:
prometheus.yml: |-
global:
scrape_interval: 15s
scrape_configs:
- job_name: 'istio-mesh'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-system;istio-telemetry;prometheus
- job_name: 'envoy'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-system;istio-statsd-prom-bridge;statsd-prom
- job_name: 'istio-policy'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-system;istio-policy;http-monitoring
- job_name: 'istio-telemetry'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-system;istio-telemetry;http-monitoring
- job_name: 'pilot'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-system;istio-pilot;http-monitoring
# scrape config for API servers
- job_name: 'kubernetes-apiservers'
kubernetes_sd_configs:
- role: endpoints
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: default;kubernetes;https
# scrape config for nodes (kubelet)
- job_name: 'kubernetes-nodes'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics
# Scrape config for Kubelet cAdvisor.
#
# This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
# (those whose names begin with 'container_') have been removed from the
# Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
# retrieve those metrics.
#
# In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
# HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
# in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
# the --cadvisor-port=0 Kubelet flag).
#
# This job is not necessary and should be removed in Kubernetes 1.6 and
# earlier versions, or it will cause the metrics to be scraped twice.
- job_name: 'kubernetes-cadvisor'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
# scrape config for service endpoints.
- job_name: 'kubernetes-service-endpoints'
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: kubernetes_name
# Example scrape config for pods
- job_name: 'kubernetes-pods'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
---
# Source: istio/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: istio
namespace: istio-system
labels:
app: istio
chart: istio-0.8.0
release: RELEASE-NAME
heritage: Tiller
data:
mesh: |-
#
# Edit this list to avoid using mTLS to connect to these services.
# Typically, these are control services (e.g kubernetes API server) that don't have istio sidecar
# to transparently terminate mTLS authentication.
# mtlsExcludedServices: ["kubernetes.default.svc.cluster.local"]
# Set the following variable to true to disable policy checks by the Mixer.
# Note that metrics will still be reported to the Mixer.
disablePolicyChecks: false
# Set enableTracing to false to disable request tracing.
enableTracing: true
#
# To disable the mixer completely (including metrics), comment out
# the following lines
mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004
mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004
# This is the ingress service name, update if you used a different name
ingressService: istio-ingress
#
# Along with discoveryRefreshDelay, this setting determines how
# frequently should Envoy fetch and update its internal configuration
# from istio Pilot. Lower refresh delay results in higher CPU
# utilization and potential performance loss in exchange for faster
# convergence. Tweak this value according to your setup.
rdsRefreshDelay: 10s
#
defaultConfig:
# NOTE: If you change any values in this section, make sure to make
# the same changes in start up args in istio-ingress pods.
# See rdsRefreshDelay for explanation about this setting.
discoveryRefreshDelay: 10s
#
# TCP connection timeout between Envoy & the application, and between Envoys.
connectTimeout: 10s
#
### ADVANCED SETTINGS #############
# Where should envoy's configuration be stored in the istio-proxy container
configPath: "/etc/istio/proxy"
binaryPath: "/usr/local/bin/envoy"
# The pseudo service name used for Envoy.
serviceCluster: istio-proxy
# These settings that determine how long an old Envoy
# process should be kept alive after an occasional reload.
drainDuration: 45s
parentShutdownDuration: 1m0s
#
# The mode used to redirect inbound connections to Envoy. This setting
# has no effect on outbound traffic: iptables REDIRECT is always used for
# outbound connections.
# If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
# The "REDIRECT" mode loses source addresses during redirection.
# If "TPROXY", use iptables TPROXY to redirect to Envoy.
# The "TPROXY" mode preserves both the source and destination IP
# addresses and ports, so that they can be used for advanced filtering
# and manipulation.
# The "TPROXY" mode also configures the sidecar to run with the
# CAP_NET_ADMIN capability, which is required to use TPROXY.
#interceptionMode: REDIRECT
#
# Port where Envoy listens (on local host) for admin commands
# You can exec into the istio-proxy container in a pod and
# curl the admin port (curl http://localhost:15000/) to obtain
# diagnostic information from Envoy. See
# https://lyft.github.io/envoy/docs/operations/admin.html
# for more details
proxyAdminPort: 15000
#
# Zipkin trace collector
zipkinAddress: zipkin.istio-system:9411
#
# Statsd metrics collector converts statsd metrics into Prometheus metrics.
statsdUdpAddress: istio-statsd-prom-bridge.istio-system:9125
#
# Mutual TLS authentication between sidecars and istio control plane.
controlPlaneAuthPolicy: NONE
#
# Address where istio Pilot service is running
discoveryAddress: istio-pilot.istio-system:15007
---
# Source: istio/templates/sidecar-injector-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector
namespace: istio-system
labels:
app: istio
chart: istio-0.8.0
release: RELEASE-NAME
heritage: Tiller
istio: sidecar-injector
data:
config: |-
policy: enabled
template: |-
initContainers:
- name: istio-init
image: docker.io/istio/proxy_init:0.8.0
args:
- "-p"
- [[ .MeshConfig.ProxyListenPort ]]
- "-u"
- 1337
- "-m"
- [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
- "-i"
[[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges") -]]
- "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges" ]]"
[[ else -]]
- "*"
[[ end -]]
- "-x"
[[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges") -]]
- "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges" ]]"
[[ else -]]
- ""
[[ end -]]
- "-b"
[[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts") -]]
- "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts" ]]"
[[ else -]]
- [[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]
- "-d"
[[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts") -]]
- "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts" ]]"
[[ else -]]
- ""
[[ end -]]
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true
restartPolicy: Always
containers:
- name: istio-proxy
image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]]
"[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]"
[[ else -]]
docker.io/istio/proxyv2:0.8.0
[[ end -]]
args:
- proxy
- sidecar
- --configPath
- [[ .ProxyConfig.ConfigPath ]]
- --binaryPath
- [[ .ProxyConfig.BinaryPath ]]
- --serviceCluster
[[ if ne "" (index .ObjectMeta.Labels "app") -]]
- [[ index .ObjectMeta.Labels "app" ]]
[[ else -]]
- "istio-proxy"
[[ end -]]
- --drainDuration
- [[ formatDuration .ProxyConfig.DrainDuration ]]
- --parentShutdownDuration
- [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]
- --discoveryAddress
- [[ .ProxyConfig.DiscoveryAddress ]]
- --discoveryRefreshDelay
- [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]
- --zipkinAddress
- [[ .ProxyConfig.ZipkinAddress ]]
- --connectTimeout
- [[ formatDuration .ProxyConfig.ConnectTimeout ]]
- --statsdUdpAddress
- [[ .ProxyConfig.StatsdUdpAddress ]]
- --proxyAdminPort
- [[ .ProxyConfig.ProxyAdminPort ]]
- --controlPlaneAuthPolicy
- [[ .ProxyConfig.ControlPlaneAuthPolicy ]]
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_INTERCEPTION_MODE
value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
imagePullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: true
[[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]]
capabilities:
add:
- NET_ADMIN
[[ else -]]
runAsUser: 1337
[[ end -]]
restartPolicy: Always
resources:
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
volumes:
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-certs
secret:
optional: true
[[ if eq .Spec.ServiceAccountName "" -]]
secretName: istio.default
[[ else -]]
secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]]
[[ end -]]
---
# Source: istio/charts/egressgateway/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-egressgateway-service-account
namespace: istio-system
labels:
app: egressgateway
chart: egressgateway-0.8.0
heritage: Tiller
release: RELEASE-NAME
---
# Source: istio/charts/ingressgateway/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-ingressgateway-service-account
namespace: istio-system
labels:
app: ingressgateway
chart: ingressgateway-0.8.0
heritage: Tiller
release: RELEASE-NAME
---
# Source: istio/charts/mixer/templates/create-custom-resources-job.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-mixer-post-install-account
namespace: istio-system
labels:
app: mixer
chart: mixer-0.8.0
heritage: Tiller
release: RELEASE-NAME
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-mixer-post-install-istio-system
namespace: istio-system
labels:
app: mixer
chart: mixer-0.8.0
heritage: Tiller
release: RELEASE-NAME
rules:
- apiGroups: ["config.istio.io"] # istio CRD watcher
resources: ["*"]
verbs: ["create", "get", "list", "watch", "patch"]
- apiGroups: ["networking.istio.io"] # needed to create mixer destination rules
resources: ["*"]
verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-mixer-post-install-role-binding-istio-system
labels:
app: mixer
chart: mixer-0.8.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-mixer-post-install-istio-system
subjects:
- kind: ServiceAccount
name: istio-mixer-post-install-account
namespace: istio-system
---
apiVersion: batch/v1
kind: Job
metadata:
name: istio-mixer-post-install
namespace: istio-system
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": before-hook-creation
labels:
app: mixer
chart: mixer-0.8.0
release: RELEASE-NAME
heritage: Tiller
spec:
template:
metadata:
name: istio-mixer-post-install
labels:
app: mixer
release: RELEASE-NAME
spec:
serviceAccountName: istio-mixer-post-install-account
containers:
- name: hyperkube
image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
command:
- ./kubectl
- apply
- -f
- /tmp/mixer/custom-resources.yaml
volumeMounts:
- mountPath: "/tmp/mixer"
name: tmp-configmap-mixer
volumes:
- name: tmp-configmap-mixer
configMap:
name: istio-mixer-custom-resources
restartPolicy: Never # CRD might take some time till they are available to consume
---
# Source: istio/charts/mixer/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-mixer-service-account
namespace: istio-system
labels:
app: mixer
chart: mixer-0.8.0
heritage: Tiller
release: RELEASE-NAME
---
# Source: istio/charts/pilot/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-pilot-service-account
namespace: istio-system
labels:
app: istio-pilot
chart: pilot-0.8.0
heritage: Tiller
release: RELEASE-NAME
---
# Source: istio/charts/prometheus/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus
namespace: istio-system
---
# Source: istio/charts/security/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-citadel-service-account
namespace: istio-system
labels:
app: security
chart: security-0.8.0
heritage: Tiller
release: RELEASE-NAME
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-cleanup-old-ca-service-account
namespace: istio-system
labels:
app: security
chart: security-0.8.0
heritage: Tiller
release: RELEASE-NAME
---
# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-sidecar-injector-service-account
namespace: istio-system
labels:
app: istio-sidecar-injector
chart: sidecarInjectorWebhook-0.8.0
heritage: Tiller
release: RELEASE-NAME
---
# Source: istio/charts/mixer/templates/crds.yaml
# Mixer CRDs
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rules.config.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: core
spec:
group: config.istio.io
names:
kind: rule
plural: rules
singular: rule
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: attributemanifests.config.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: core
spec:
group: config.istio.io
names:
kind: attributemanifest
plural: attributemanifests
singular: attributemanifest
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: circonuses.config.istio.io
labels:
app: mixer
package: circonus
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: circonus
plural: circonuses
singular: circonus
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: deniers.config.istio.io
labels:
app: mixer
package: denier
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: denier
plural: deniers
singular: denier
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: fluentds.config.istio.io
labels:
app: mixer
package: fluentd
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: fluentd
plural: fluentds
singular: fluentd
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kubernetesenvs.config.istio.io
labels:
app: mixer
package: kubernetesenv
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: kubernetesenv
plural: kubernetesenvs
singular: kubernetesenv
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listcheckers.config.istio.io
labels:
app: mixer
package: listchecker
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: listchecker
plural: listcheckers
singular: listchecker
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: memquotas.config.istio.io
labels:
app: mixer
package: memquota
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: memquota
plural: memquotas
singular: memquota
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: noops.config.istio.io
labels:
app: mixer
package: noop
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: noop
plural: noops
singular: noop
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: opas.config.istio.io
labels:
app: mixer
package: opa
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: opa
plural: opas
singular: opa
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: prometheuses.config.istio.io
labels:
app: mixer
package: prometheus
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: prometheus
plural: prometheuses
singular: prometheus
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rbacs.config.istio.io
labels:
app: mixer
package: rbac
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: rbac
plural: rbacs
singular: rbac
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicecontrols.config.istio.io
labels:
app: mixer
package: servicecontrol
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: servicecontrol
plural: servicecontrols
singular: servicecontrol
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: solarwindses.config.istio.io
labels:
app: mixer
package: solarwinds
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: solarwinds
plural: solarwindses
singular: solarwinds
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stackdrivers.config.istio.io
labels:
app: mixer
package: stackdriver
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: stackdriver
plural: stackdrivers
singular: stackdriver
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: statsds.config.istio.io
labels:
app: mixer
package: statsd
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: statsd
plural: statsds
singular: statsd
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stdios.config.istio.io
labels:
app: mixer
package: stdio
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: stdio
plural: stdios
singular: stdio
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: apikeys.config.istio.io
labels:
app: mixer
package: apikey
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: apikey
plural: apikeys
singular: apikey
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: authorizations.config.istio.io
labels:
app: mixer
package: authorization
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: authorization
plural: authorizations
singular: authorization
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: checknothings.config.istio.io
labels:
app: mixer
package: checknothing
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: checknothing
plural: checknothings
singular: checknothing
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kuberneteses.config.istio.io
labels:
app: mixer
package: adapter.template.kubernetes
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: kubernetes
plural: kuberneteses
singular: kubernetes
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listentries.config.istio.io
labels:
app: mixer
package: listentry
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: listentry
plural: listentries
singular: listentry
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: logentries.config.istio.io
labels:
app: mixer
package: logentry
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: logentry
plural: logentries
singular: logentry
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: metrics.config.istio.io
labels:
app: mixer
package: metric
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: metric
plural: metrics
singular: metric
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotas.config.istio.io
labels:
app: mixer
package: quota
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: quota
plural: quotas
singular: quota
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: reportnothings.config.istio.io
labels:
app: mixer
package: reportnothing
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: reportnothing
plural: reportnothings
singular: reportnothing
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicecontrolreports.config.istio.io
labels:
app: mixer
package: servicecontrolreport
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: servicecontrolreport
plural: servicecontrolreports
singular: servicecontrolreport
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: tracespans.config.istio.io
labels:
app: mixer
package: tracespan
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: tracespan
plural: tracespans
singular: tracespan
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: serviceroles.config.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: rbac
spec:
group: config.istio.io
names:
kind: ServiceRole
plural: serviceroles
singular: servicerole
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicerolebindings.config.istio.io
labels:
app: mixer
package: istio.io.mixer
istio: rbac
spec:
group: config.istio.io
names:
kind: ServiceRoleBinding
plural: servicerolebindings
singular: servicerolebinding
scope: Namespaced
version: v1alpha2
---
# Source: istio/charts/pilot/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: destinationpolicies.config.istio.io
labels:
app: istio-pilot
spec:
group: config.istio.io
names:
kind: DestinationPolicy
listKind: DestinationPolicyList
plural: destinationpolicies
singular: destinationpolicy
scope: Namespaced
version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: egressrules.config.istio.io
labels:
app: istio-pilot
spec:
group: config.istio.io
names:
kind: EgressRule
listKind: EgressRuleList
plural: egressrules
singular: egressrule
scope: Namespaced
version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: routerules.config.istio.io
labels:
app: istio-pilot
spec:
group: config.istio.io
names:
kind: RouteRule
listKind: RouteRuleList
plural: routerules
singular: routerule
scope: Namespaced
version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: virtualservices.networking.istio.io
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: VirtualService
listKind: VirtualServiceList
plural: virtualservices
singular: virtualservice
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: destinationrules.networking.istio.io
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: DestinationRule
listKind: DestinationRuleList
plural: destinationrules
singular: destinationrule
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: serviceentries.networking.istio.io
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: ServiceEntry
listKind: ServiceEntryList
plural: serviceentries
singular: serviceentry
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: gateways.networking.istio.io
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: Gateway
plural: gateways
singular: gateway
scope: Namespaced
version: v1alpha3
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: policies.authentication.istio.io
spec:
group: authentication.istio.io
names:
kind: Policy
plural: policies
singular: policy
scope: Namespaced
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: httpapispecbindings.config.istio.io
spec:
group: config.istio.io
names:
kind: HTTPAPISpecBinding
plural: httpapispecbindings
singular: httpapispecbinding
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: httpapispecs.config.istio.io
spec:
group: config.istio.io
names:
kind: HTTPAPISpec
plural: httpapispecs
singular: httpapispec
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotaspecbindings.config.istio.io
spec:
group: config.istio.io
names:
kind: QuotaSpecBinding
plural: quotaspecbindings
singular: quotaspecbinding
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotaspecs.config.istio.io
spec:
group: config.istio.io
names:
kind: QuotaSpec
plural: quotaspecs
singular: quotaspec
scope: Namespaced
version: v1alpha2
---
# Source: istio/charts/mixer/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-mixer-istio-system
namespace: istio-system
labels:
app: mixer
chart: mixer-0.8.0
heritage: Tiller
release: RELEASE-NAME
rules:
- apiGroups: ["config.istio.io"] # istio CRD watcher
resources: ["*"]
verbs: ["create", "get", "list", "watch", "patch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
---
# Source: istio/charts/pilot/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-pilot-istio-system
namespace: istio-system
labels:
app: istio-pilot
chart: pilot-0.8.0
heritage: Tiller
release: RELEASE-NAME
rules:
- apiGroups: ["config.istio.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["networking.istio.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["authentication.istio.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"]
verbs: ["*"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["namespaces", "nodes", "secrets"]
verbs: ["get", "list", "watch"]
---
# Source: istio/charts/prometheus/templates/clusterrole.yaml
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: prometheus-istio-system
namespace: istio-system
rules:
- apiGroups: [""]
resources:
- nodes
- services
- endpoints
- pods
- nodes/proxy
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["get"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: prometheus-istio-system
namespace: istio-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus-istio-system
subjects:
- kind: ServiceAccount
name: prometheus
namespace: istio-system
---
---
# Source: istio/charts/security/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-citadel-istio-system
namespace: istio-system
labels:
app: security
chart: security-0.8.0
heritage: Tiller
release: RELEASE-NAME
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "watch", "list", "update", "delete"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: istio-cleanup-old-ca-istio-system
namespace: istio-system
labels:
app: security
chart: security-0.8.0
heritage: Tiller
release: RELEASE-NAME
rules:
- apiGroups: [""]
resources: ["deployments", "serviceaccounts", "services"]
verbs: ["get", "delete"]
- apiGroups: ["extensions"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "update", "delete"]
---
# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-sidecar-injector-istio-system
labels:
app: istio-sidecar-injector
chart: sidecarInjectorWebhook-0.8.0
heritage: Tiller
release: RELEASE-NAME
rules:
- apiGroups: ["*"]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
---
# Source: istio/charts/mixer/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-mixer-admin-role-binding-istio-system
labels:
app: mixer
chart: mixer-0.8.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-mixer-istio-system
subjects:
- kind: ServiceAccount
name: istio-mixer-service-account
namespace: istio-system
---
# Source: istio/charts/pilot/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-pilot-istio-system
labels:
app: istio-pilot
chart: pilot-0.8.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-pilot-istio-system
subjects:
- kind: ServiceAccount
name: istio-pilot-service-account
namespace: istio-system
---
# Source: istio/charts/security/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-citadel-istio-system
labels:
app: security
chart: security-0.8.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-citadel-istio-system
subjects:
- kind: ServiceAccount
name: istio-citadel-service-account
namespace: istio-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: istio-cleanup-old-ca-istio-system
namespace: istio-system
labels:
app: security
chart: security-0.8.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istio-cleanup-old-ca-istio-system
subjects:
- kind: ServiceAccount
name: istio-cleanup-old-ca-service-account
namespace: istio-system
---
# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-sidecar-injector-admin-role-binding-istio-system
labels:
app: istio-sidecar-injector
chart: sidecarInjectorWebhook-0.8.0
heritage: Tiller
release: RELEASE-NAME
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-sidecar-injector-istio-system
subjects:
- kind: ServiceAccount
name: istio-sidecar-injector-service-account
namespace: istio-system
---
# Source: istio/charts/egressgateway/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: istio-egressgateway
namespace: istio-system
labels:
chart: egressgateway-0.8.0
release: RELEASE-NAME
heritage: Tiller
istio: egressgateway
spec:
type: ClusterIP
selector:
istio: egressgateway
ports:
-
name: http
port: 80
-
name: https
port: 443
---
# Source: istio/charts/grafana/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: grafana
namespace: istio-system
annotations:
auth.istio.io/3000: NONE
labels:
app: grafana
chart: grafana-0.1.0
release: RELEASE-NAME
heritage: Tiller
spec:
#type: ClusterIP
type: NodePort
ports:
- port: 3000
targetPort: 3000
nodePort: 31076
protocol: TCP
name: http
selector:
app: grafana
---
# Source: istio/charts/ingressgateway/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: istio-ingressgateway
namespace: istio-system
labels:
chart: ingressgateway-0.8.0
release: RELEASE-NAME
heritage: Tiller
istio: ingressgateway
spec:
#type: LoadBalancer
type: NodePort
selector:
istio: ingressgateway
ports:
-
name: http
nodePort: 31380
port: 80
-
name: https
nodePort: 31390
port: 443
-
name: tcp
nodePort: 31400
port: 31400
---
# Source: istio/charts/mixer/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: istio-policy
namespace: istio-system
labels:
chart: mixer-0.8.0
release: RELEASE-NAME
istio: mixer
spec:
ports:
- name: grpc-mixer
port: 9091
- name: grpc-mixer-mtls
port: 15004
- name: http-monitoring
port: 9093
selector:
istio: mixer
istio-mixer-type: policy
---
apiVersion: v1
kind: Service
metadata:
name: istio-telemetry
namespace: istio-system
labels:
chart: mixer-0.8.0
release: RELEASE-NAME
istio: mixer
spec:
ports:
- name: grpc-mixer
port: 9091
- name: grpc-mixer-mtls
port: 15004
- name: http-monitoring
port: 9093
- name: prometheus
port: 42422
selector:
istio: mixer
istio-mixer-type: telemetry
---
---
# Source: istio/charts/mixer/templates/statsdtoprom.yaml
---
apiVersion: v1
kind: Service
metadata:
name: istio-statsd-prom-bridge
namespace: istio-system
labels:
chart: mixer-0.8.0
release: RELEASE-NAME
istio: statsd-prom-bridge
spec:
ports:
- name: statsd-prom
port: 9102
- name: statsd-udp
port: 9125
protocol: UDP
selector:
istio: statsd-prom-bridge
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-statsd-prom-bridge
namespace: istio-system
labels:
chart: mixer-0.8.0
release: RELEASE-NAME
istio: mixer
spec:
template:
metadata:
labels:
istio: statsd-prom-bridge
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-mixer-service-account
volumes:
- name: config-volume
configMap:
name: istio-statsd-prom-bridge
containers:
- name: statsd-prom-bridge
image: "prom/statsd-exporter:latest"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9102
- containerPort: 9125
protocol: UDP
args:
- '-statsd.mapping-config=/etc/statsd/mapping.conf'
resources:
{}
volumeMounts:
- name: config-volume
mountPath: /etc/statsd
---
# Source: istio/charts/pilot/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: istio-pilot
namespace: istio-system
labels:
app: istio-pilot
chart: pilot-0.8.0
release: RELEASE-NAME
heritage: Tiller
spec:
ports:
- port: 15003
name: http-old-discovery # mTLS or non-mTLS depending on auth setting
- port: 15005
name: https-discovery # always mTLS
- port: 15007
name: http-discovery # always plain-text
- port: 15010
name: grpc-xds # direct
- port: 15011
name: https-xds # mTLS
- port: 8080
name: http-legacy-discovery # direct
- port: 9093
name: http-monitoring
selector:
istio: pilot
---
# Source: istio/charts/prometheus/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: prometheus
namespace: istio-system
annotations:
prometheus.io/scrape: 'true'
labels:
name: prometheus
spec:
type: NodePort
selector:
app: prometheus
ports:
- name: http-prometheus
protocol: TCP
port: 9090
---
# Source: istio/charts/security/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
# we use the normal name here (e.g. 'prometheus')
# as grafana is configured to use this as a data source
name: istio-citadel
namespace: istio-system
labels:
app: istio-citadel
spec:
ports:
- name: grpc-citadel
port: 8060
targetPort: 8060
protocol: TCP
- name: http-monitoring
port: 9093
selector:
istio: citadel
---
# Source: istio/charts/servicegraph/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: servicegraph
namespace: istio-system
labels:
app: servicegraph
chart: servicegraph-0.1.0
release: RELEASE-NAME
heritage: Tiller
spec:
type: ClusterIP
ports:
- port: 8088
targetPort: 8088
protocol: TCP
name: http
selector:
app: servicegraph
---
# Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: istio-sidecar-injector
namespace: istio-system
labels:
istio: sidecar-injector
spec:
ports:
- port: 443
selector:
istio: sidecar-injector
---
# Source: istio/charts/egressgateway/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-egressgateway
namespace: istio-system
labels:
app: egressgateway
chart: egressgateway-0.8.0
release: RELEASE-NAME
heritage: Tiller
istio: egressgateway
spec:
replicas:
template:
metadata:
labels:
istio: egressgateway
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-egressgateway-service-account
containers:
- name: egressgateway
image: "docker.io/istio/proxyv2:0.8.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- istio-egressgateway
- --zipkinAddress
- zipkin:9411
- --statsdUdpAddress
- istio-statsd-prom-bridge:9125
- --proxyAdminPort
- "15000"
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot:8080
resources:
{}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: "istio.default"
optional: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
# Source: istio/charts/grafana/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: grafana
namespace: istio-system
labels:
app: grafana
chart: grafana-0.1.0
release: RELEASE-NAME
heritage: Tiller
spec:
replicas: 1
template:
metadata:
labels:
app: grafana
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:
- name: grafana
image: "docker.io/istio/grafana:0.8.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 3000
readinessProbe:
httpGet:
path: /login
port: 3000
env:
- name: GRAFANA_PORT
value: "3000"
- name: GF_AUTH_BASIC_ENABLED
value: "false"
- name: GF_AUTH_ANONYMOUS_ENABLED
value: "true"
- name: GF_AUTH_ANONYMOUS_ORG_ROLE
value: Admin
- name: GF_PATHS_DATA
value: /data/grafana
resources:
{}
volumeMounts:
- name: data
mountPath: /data/grafana
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
volumes:
- name: data
emptyDir: {}
---
# Source: istio/charts/ingressgateway/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-ingressgateway
namespace: istio-system
labels:
app: ingressgateway
chart: ingressgateway-0.8.0
release: RELEASE-NAME
heritage: Tiller
istio: ingressgateway
spec:
replicas:
template:
metadata:
labels:
istio: ingressgateway
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-ingressgateway-service-account
containers:
- name: ingressgateway
image: "docker.io/istio/proxyv2:0.8.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
- containerPort: 31400
args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- istio-ingressgateway
- --zipkinAddress
- zipkin:9411
- --statsdUdpAddress
- istio-statsd-prom-bridge:9125
- --proxyAdminPort
- "15000"
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot:8080
resources:
{}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: ingressgateway-certs
mountPath: "/etc/istio/ingressgateway-certs"
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: "istio.default"
optional: true
- name: ingressgateway-certs
secret:
secretName: "istio-ingressgateway-certs"
optional: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
# Source: istio/charts/mixer/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-policy
namespace: istio-system
labels:
chart: mixer-0.8.0
release: RELEASE-NAME
istio: mixer
spec:
replicas: 1
template:
metadata:
labels:
istio: mixer
istio-mixer-type: policy
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-mixer-service-account
volumes:
- name: istio-certs
secret:
secretName: istio.istio-mixer-service-account
optional: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
containers:
- name: mixer
image: "docker.io/istio/mixer:0.8.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9092
- containerPort: 9093
- containerPort: 42422
args:
- --address
- tcp://127.0.0.1:9092
- --configStoreURL=k8s://
- --configDefaultNamespace=istio-system
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans
resources:
{}
- name: istio-proxy
image: "docker.io/istio/proxyv2:0.8.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9091
- containerPort: 15004
args:
- proxy
- --serviceCluster
- istio-policy
- --templateFile
- /etc/istio/proxy/envoy_policy.yaml.tmpl
- --controlPlaneAuthPolicy
- NONE
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
resources:
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-telemetry
namespace: istio-system
labels:
chart: mixer-0.8.0
release: RELEASE-NAME
istio: mixer
spec:
replicas: 1
template:
metadata:
labels:
istio: mixer
istio-mixer-type: telemetry
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-mixer-service-account
volumes:
- name: istio-certs
secret:
secretName: istio.istio-mixer-service-account
optional: true
containers:
- name: mixer
image: "docker.io/istio/mixer:0.8.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9092
- containerPort: 9093
- containerPort: 42422
args:
- --address
- tcp://127.0.0.1:9092
- --configStoreURL=k8s://
- --configDefaultNamespace=istio-system
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans
resources:
{}
- name: istio-proxy
image: "docker.io/istio/proxyv2:0.8.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9091
- containerPort: 15004
args:
- proxy
- --serviceCluster
- istio-telemetry
- --templateFile
- /etc/istio/proxy/envoy_telemetry.yaml.tmpl
- --controlPlaneAuthPolicy
- NONE
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
resources:
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
---
---
# Source: istio/charts/pilot/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-pilot
namespace: istio-system
# TODO: default tempate doesn't have this, which one is right ?
labels:
app: istio-pilot
chart: pilot-0.8.0
release: RELEASE-NAME
heritage: Tiller
istio: pilot
annotations:
checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9
spec:
replicas: 1
template:
metadata:
labels:
istio: pilot
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-pilot-service-account
containers:
- name: discovery
image: "docker.io/istio/pilot:0.8.0"
imagePullPolicy: IfNotPresent
args:
- "discovery"
# TODO(sdake) remove when secrets are automagically registered
ports:
- containerPort: 8080
- containerPort: 15010
readinessProbe:
httpGet:
path: /v1/registration
port: 8080
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: PILOT_THROTTLE
value: "500"
- name: PILOT_CACHE_SQUASH
value: "5"
resources:
{}
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: istio-proxy
image: "docker.io/istio/proxyv2:0.8.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 15003
- containerPort: 15005
- containerPort: 15007
- containerPort: 15011
args:
- proxy
- --serviceCluster
- istio-pilot
- --templateFile
- /etc/istio/proxy/envoy_pilot.yaml.tmpl
- --controlPlaneAuthPolicy
- NONE
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
resources:
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
volumes:
- name: config-volume
configMap:
name: istio
- name: istio-certs
secret:
secretName: "istio.istio-pilot-service-account"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
# Source: istio/charts/prometheus/templates/deployment.yaml
# TODO: the original template has service account, roles, etc
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: prometheus
namespace: istio-system
labels:
app: prometheus
chart: prometheus-0.1.0
release: RELEASE-NAME
heritage: Tiller
spec:
replicas: 1
selector:
matchLabels:
app: prometheus
template:
metadata:
labels:
app: prometheus
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: prometheus
containers:
- name: prometheus
image: "docker.io/prom/prometheus:latest"
imagePullPolicy: IfNotPresent
args:
- '--storage.tsdb.retention=6h'
- '--config.file=/etc/prometheus/prometheus.yml'
ports:
- containerPort: 9090
name: http
livenessProbe:
httpGet:
path: /-/healthy
port: 9090
readinessProbe:
httpGet:
path: /-/ready
port: 9090
resources:
{}
volumeMounts:
- name: config-volume
mountPath: /etc/prometheus
volumes:
- name: config-volume
configMap:
name: prometheus
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
# Source: istio/charts/security/templates/deployment.yaml
# istio CA watching all namespaces
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-citadel
namespace: istio-system
labels:
app: security
chart: security-0.8.0
release: RELEASE-NAME
heritage: Tiller
istio: citadel
spec:
replicas: 1
template:
metadata:
labels:
istio: citadel
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-citadel-service-account
containers:
- name: citadel
image: "docker.io/istio/citadel:0.8.0"
imagePullPolicy: IfNotPresent
args:
- --append-dns-names=true
- --grpc-port=8060
- --grpc-hostname=citadel
- --self-signed-ca=true
- --citadel-storage-namespace=istio-system
resources:
{}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
# Source: istio/charts/servicegraph/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: servicegraph
namespace: istio-system
labels:
app: servicegraph
chart: servicegraph-0.1.0
release: RELEASE-NAME
heritage: Tiller
spec:
replicas: 1
template:
metadata:
labels:
app: servicegraph
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:
- name: servicegraph
image: "docker.io/istio/servicegraph:0.8.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8088
args:
- --prometheusAddr=http://prometheus:9090
livenessProbe:
httpGet:
path: /graph
port: 8088
readinessProbe:
httpGet:
path: /graph
port: 8088
resources:
{}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
# Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-sidecar-injector
namespace: istio-system
labels:
app: sidecarInjectorWebhook
chart: sidecarInjectorWebhook-0.8.0
release: RELEASE-NAME
heritage: Tiller
istio: sidecar-injector
spec:
replicas:
template:
metadata:
labels:
istio: sidecar-injector
spec:
serviceAccountName: istio-sidecar-injector-service-account
containers:
- name: sidecar-injector-webhook
image: "docker.io/istio/sidecar_injector:0.8.0"
imagePullPolicy: IfNotPresent
args:
- --caCertFile=/etc/istio/certs/root-cert.pem
- --tlsCertFile=/etc/istio/certs/cert-chain.pem
- --tlsKeyFile=/etc/istio/certs/key.pem
- --injectConfig=/etc/istio/inject/config
- --meshConfig=/etc/istio/config/mesh
- --healthCheckInterval=2s
- --healthCheckFile=/health
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
readOnly: true
- name: certs
mountPath: /etc/istio/certs
readOnly: true
- name: inject-config
mountPath: /etc/istio/inject
readOnly: true
livenessProbe:
exec:
command:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/health
- --interval=2s
initialDelaySeconds: 4
periodSeconds: 4
readinessProbe:
exec:
command:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/health
- --interval=2s
initialDelaySeconds: 4
periodSeconds: 4
volumes:
- name: config-volume
configMap:
name: istio
- name: certs
secret:
secretName: istio.istio-sidecar-injector-service-account
- name: inject-config
configMap:
name: istio-sidecar-injector
items:
- key: config
path: config
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
# Source: istio/charts/tracing/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-tracing
namespace: istio-system
labels:
app: istio-tracing
chart: tracing-0.1.0
release: RELEASE-NAME
heritage: Tiller
spec:
replicas: 1
template:
metadata:
labels:
app: jaeger
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:
- name: jaeger
image: "jaegertracing/all-in-one:1.5"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9411
- containerPort: 16686
- containerPort: 5775
protocol: UDP
- containerPort: 6831
protocol: UDP
- containerPort: 6832
protocol: UDP
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: COLLECTOR_ZIPKIN_HTTP_PORT
value: "9411"
- name: MEMORY_MAX_TRACES
value: "50000"
livenessProbe:
httpGet:
path: /
port: 16686
readinessProbe:
httpGet:
path: /
port: 16686
resources:
{}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
# Source: istio/charts/security/templates/cleanup-old-ca.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: istio-cleanup-old-ca
namespace: istio-system
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": hook-succeeded
labels:
app: security
chart: security-0.8.0
release: RELEASE-NAME
heritage: Tiller
spec:
template:
metadata:
name: istio-cleanup-old-ca
labels:
app: security
release: RELEASE-NAME
spec:
serviceAccountName: istio-cleanup-old-ca-service-account
containers:
- name: hyperkube
image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
command:
- /bin/bash
- -c
- >
NS="-n istio-system";
./kubectl get deploy istio-ca $NS;
if [[ $? = 0 ]]; then ./kubectl delete deploy istio-ca $NS; fi;
./kubectl get serviceaccount istio-ca-service-account $NS;
if [[ $? = 0 ]]; then ./kubectl delete serviceaccount istio-ca-service-account $NS; fi;
./kubectl get service istio-ca-ilb $NS;
if [[ $? = 0 ]]; then ./kubectl delete service istio-ca-ilb $NS; fi
restartPolicy: Never
---
# Source: istio/charts/egressgateway/templates/autoscale.yaml
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istio-egressgateway
namespace: istio-system
spec:
maxReplicas: 1
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: istio-egressgateway
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
---
# Source: istio/charts/ingressgateway/templates/autoscale.yaml
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istio-ingressgateway
namespace: istio-system
spec:
maxReplicas: 1
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: istio-ingressgateway
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
---
# Source: istio/charts/tracing/templates/service.yaml
apiVersion: v1
kind: List
items:
- apiVersion: v1
kind: Service
metadata:
name: zipkin
namespace: istio-system
labels:
app: jaeger
chart: tracing-0.1.0
release: RELEASE-NAME
heritage: Tiller
spec:
#type: ClusterIP
type: NodePort
ports:
- port: 9411
targetPort: 9411
nodePort: 32698
protocol: TCP
name: http
selector:
app: jaeger
- apiVersion: v1
kind: Service
metadata:
name: tracing
namespace: istio-system
labels:
app: jaeger
chart: tracing-0.1.0
release: RELEASE-NAME
heritage: Tiller
spec:
ports:
- name: query-http
port: 80
protocol: TCP
targetPort: 16686
selector:
app: jaeger
#type: LoadBalancer
type: NodePort
---
# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: istio-sidecar-injector
namespace: istio-system
labels:
app: istio-sidecar-injector
chart: sidecarInjectorWebhook-0.8.0
release: RELEASE-NAME
heritage: Tiller
webhooks:
- name: sidecar-injector.istio.io
clientConfig:
service:
name: istio-sidecar-injector
namespace: istio-system
path: "/inject"
caBundle: ""
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
namespaceSelector:
matchLabels:
istio-injection: enabled
---
# Source: istio/charts/grafana/templates/ingress.yaml
---
# Source: istio/charts/mixer/templates/config.yaml
---
# Source: istio/charts/prometheus/templates/ingress.yaml
---
# Source: istio/charts/servicegraph/templates/ingress.yaml
---
# Source: istio/charts/tracing/templates/ingress.yaml
---
# Source: istio/charts/tracing/templates/service-jaeger.yaml