pilot-agent

Istio Pilot agent runs in the sidecar or gateway container and bootstraps Envoy.

Flags Description
--log_as_json Whether to format output as JSON or in plain console-friendly format
--log_caller <string> Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] (default ``)
--log_output_level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string> The path for the optional rotating log file (default ``)
--log_rotate_max_age <int> The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int> The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int> The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)

pilot-agent istio-clean-iptables

Script responsible for cleaning up iptables rules

pilot-agent istio-clean-iptables [flags]
Flags Shorthand Description
--dry-run -n Do not call any external dependencies like iptables
--log_as_json Whether to format output as JSON or in plain console-friendly format
--log_caller <string> Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] (default ``)
--log_output_level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string> The path for the optional rotating log file (default ``)
--log_rotate_max_age <int> The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int> The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int> The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)

pilot-agent istio-iptables

Script responsible for setting up port forwarding for Istio sidecar.

pilot-agent istio-iptables [flags]
Flags Shorthand Description
--dry-run -n Do not call any external dependencies like iptables
--envoy-port <string> -p Specify the envoy port to which redirect all TCP traffic (default $ENVOY_PORT = 15001) (default ``)
--inbound-capture-port <string> -z Port to which all inbound TCP traffic to the pod/VM should be redirected to (default $INBOUND_CAPTURE_PORT = 15006) (default ``)
--inbound-tunnel-port <string> -e Specify the istio tunnel port for inbound tcp traffic (default $INBOUND_TUNNEL_PORT = 15008) (default ``)
--iptables-probe-port <string> set listen port for failure detection (default `15002`)
--istio-inbound-interception-mode <string> -m The mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY" (default ``)
--istio-inbound-ports <string> -b Comma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). The wildcard character "*" can be used to configure redirection for all ports. An empty list will disable (default ``)
--istio-inbound-tproxy-mark <string> -t (default ``)
--istio-inbound-tproxy-route-table <string> -r (default ``)
--istio-local-exclude-ports <string> -d Comma separated list of inbound ports to be excluded from redirection to Envoy (optional). Only applies when all inbound traffic (i.e. "*") is being redirected (default to $ISTIO_LOCAL_EXCLUDE_PORTS) (default ``)
--istio-local-outbound-ports-exclude <string> -o Comma separated list of outbound ports to be excluded from redirection to Envoy (default ``)
--istio-outbound-ports <string> -q Comma separated list of outbound ports to be explicitly included for redirection to Envoy (default ``)
--istio-service-cidr <string> -i Comma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard character "*" can be used to redirect all outbound traffic. An empty list will disable all outbound (default ``)
--istio-service-exclude-cidr <string> -x Comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. "*") is being redirected (default to $ISTIO_SERVICE_EXCLUDE_CIDR) (default ``)
--kube-virt-interfaces <string> -k Comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound (default ``)
--log_as_json Whether to format output as JSON or in plain console-friendly format
--log_caller <string> Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] (default ``)
--log_output_level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string> The path for the optional rotating log file (default ``)
--log_rotate_max_age <int> The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int> The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int> The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--probe-timeout <duration> failure detection timeout (default `5s`)
--proxy-gid <string> -g Specify the GID of the user for which the redirection is not applied. (same default value as -u param) (default ``)
--proxy-uid <string> -u Specify the UID of the user for which the redirection is not applied. Typically, this is the UID of the proxy container (default ``)
--restore-format -f Print iptables rules in iptables-restore interpretable format
--run-validation Validate iptables
--skip-rule-apply Skip iptables apply

pilot-agent proxy

Envoy proxy agent

pilot-agent proxy [flags]
Flags Description
--concurrency <int> number of worker threads to run (default `0`)
--disableInternalTelemetry Disable internal telemetry
--domain <string> DNS domain suffix. If not provided uses ${POD_NAMESPACE}.svc.cluster.local (default ``)
--id <string> Proxy unique ID. If not provided uses ${POD_NAME}.${POD_NAMESPACE} from environment variables (default ``)
--ip <string> Proxy IP address. If not provided uses ${INSTANCE_IP} environment variable. (default ``)
--log_as_json Whether to format output as JSON or in plain console-friendly format
--log_caller <string> Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] (default ``)
--log_output_level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string> The path for the optional rotating log file (default ``)
--log_rotate_max_age <int> The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int> The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int> The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfig <string> File name for Istio mesh configuration. If not specified, a default mesh will be used. This may be overridden by PROXY_CONFIG environment variable or proxy.istio.io/config annotation. (default `./etc/istio/config/mesh`)
--mixerIdentity <string> The identity used as the suffix for mixer's spiffe SAN. This would only be used by pilot all other proxy would get this value from pilot (default ``)
--outlierLogPath <string> The log path for outlier detection (default ``)
--proxyComponentLogLevel <string> The component log level used to start the Envoy proxy (default `misc:error`)
--proxyLogLevel <string> The log level used to start the Envoy proxy (choose from {trace, debug, info, warning, error, critical, off}) (default `warning`)
--serviceCluster <string> Service cluster (default `istio-proxy`)
--serviceregistry <string> Select the platform for service registry, options are {Kubernetes, Consul, Mock} (default `Kubernetes`)
--stsPort <int> HTTP Port on which to serve Security Token Service (STS). If zero, STS service will not be provided. (default `0`)
--templateFile <string> Go template bootstrap config (default ``)
--tokenManagerPlugin <string> Token provider specific plugin name. (default `GoogleTokenExchange`)
--trust-domain <string> The domain to use for identities (default ``)

pilot-agent request

Makes an HTTP request to the Envoy admin API

pilot-agent request <method> <path> [<body>] [flags]
Flags Description
--log_as_json Whether to format output as JSON or in plain console-friendly format
--log_caller <string> Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] (default ``)
--log_output_level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string> The path for the optional rotating log file (default ``)
--log_rotate_max_age <int> The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int> The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int> The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)

pilot-agent version

Prints out build version information

pilot-agent version [flags]
Flags Shorthand Description
--log_as_json Whether to format output as JSON or in plain console-friendly format
--log_caller <string> Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] (default ``)
--log_output_level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string> The path for the optional rotating log file (default ``)
--log_rotate_max_age <int> The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int> The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int> The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--output <string> -o One of 'yaml' or 'json'. (default ``)
--short -s Use --short=false to generate full version information

pilot-agent wait

Waits until the Envoy proxy is ready

pilot-agent wait [flags]
Flags Description
--log_as_json Whether to format output as JSON or in plain console-friendly format
--log_caller <string> Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] (default ``)
--log_output_level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string> The path for the optional rotating log file (default ``)
--log_rotate_max_age <int> The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int> The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int> The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, cache, citadelclient, default, googleca, model, sds, secretfetcher, spiffe, stsclient, stsserver, token, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray> The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--periodMillis <int> number of milliseconds to wait between attempts (default `500`)
--requestTimeoutMillis <int> number of milliseconds to wait for response (default `500`)
--timeoutSeconds <int> maximum number of seconds to wait for Envoy to be ready (default `60`)
--url <string> URL to use in requests (default `http://localhost:15021/healthz/ready`)

Environment variables

These environment variables affect the behavior of the pilot-agent command.
Variable Name Type Default Value Description
CA_ADDR String Address of the spiffee certificate provider. Defaults to discoveryAddress
CA_PROVIDER String Citadel name of authentication provider
CENTRAL_ISTIOD Boolean false If this is set to true, one Istiod will control remote clusters including CA.
CLUSTER_ID String Kubernetes Defines the cluster and service registry that this Istiod instance is belongs to
DNS_ADDR String :15053 DNS listen address
DNS_AGENT String If set, enable the capture of outgoing DNS packets on port 53, redirecting to istio-agent on :15053
DNS_SERVER String Protocol and DNS server to use. Currently only tcp-tls: is supported.
ECC_SIGNATURE_ALGORITHM String The type of ECC signature algorithm to use when generating private keys
ENABLE_CA_SERVER Boolean true If this is set to false, will not create CA server in istiod.
ENABLE_INGRESS_GATEWAY_SDS Boolean false Enable provisioning gateway secrets. Requires Secret read permission
ENVOY_USER String istio-proxy Envoy proxy username
FILE_MOUNTED_CERTS Boolean false
GCP_METADATA String Pipe separted GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE
GKE_CLUSTER_URL String The url of GKE cluster
INGRESS_GATEWAY_NAMESPACE String
INITIAL_BACKOFF_MSEC Integer 0
INJECTION_WEBHOOK_CONFIG_NAME String istio-sidecar-injector Name of the mutatingwebhookconfiguration to patch, if istioctl is not used.
INSTANCE_IP String
ISTIOD_CUSTOM_HOST String Custom host name of istiod that istiod signs the server cert.
ISTIO_BOOTSTRAP String
ISTIO_BOOTSTRAP_OVERRIDE String
ISTIO_DEFAULT_REQUEST_TIMEOUT Time Duration 0s Default Http and gRPC Request timeout
ISTIO_GPRC_MAXRECVMSGSIZE Integer 4194304 Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMS Integer 100000 Sets the maximum number of concurrent grpc streams.
ISTIO_KUBE_APP_PROBERS String
ISTIO_META_CLUSTER_ID String
ISTIO_META_DNS_CAPTURE String If set, enable the capture of outgoing DNS packets on port 53, redirecting to envoy on :15013
ISTIO_NAMESPACE String
ISTIO_PROMETHEUS_ANNOTATIONS String
JWT_POLICY String third-party-jwt The JWT validation policy.
OUTPUT_CERTS String The output directory for the key and certificate. If empty, key and certificate will not be saved. Must be set for VMs using provisioning certificates.
PILOT_CERT_PROVIDER String istiod the provider of Pilot DNS certificate.
PILOT_DEBOUNCE_AFTER Time Duration 100ms The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAX Time Duration 10s The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DEBUG_ADSZ_CONFIG Boolean false
PILOT_DISTRIBUTION_HISTORY_RETENTION Time Duration 1m0s If enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_ENABLED_SERVICE_APIS Boolean false If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default.
PILOT_ENABLE_ANALYSIS Boolean false If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING Boolean true If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CRD_VALIDATION Boolean false If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.
PILOT_ENABLE_EDS_DEBOUNCE Boolean true If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES Boolean false If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS Boolean true If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_INCREMENTAL_MCP Boolean false If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false.
PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES Boolean true If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_MYSQL_FILTER Boolean false EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND Boolean true If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND Boolean true If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_REDIS_FILTER Boolean false EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_SERVICEENTRY_SELECT_PODS Boolean true If enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_STATUS Boolean false If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TCP_METADATA_EXCHANGE Boolean true If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
PILOT_ENABLE_THRIFT_FILTER Boolean false EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.
PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE Boolean false If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored
PILOT_FILTER_GATEWAY_CLUSTER_CONFIG Boolean false
PILOT_HTTP10 Boolean false Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT Time Duration 1s Protocol detection timeout for inbound listener
PILOT_INITIAL_FETCH_TIMEOUT Time Duration 0s Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.
PILOT_PUSH_THROTTLE Integer 100 Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
PILOT_SCOPE_GATEWAY_TO_NAMESPACE Boolean false If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SIDECAR_USE_REMOTE_ADDRESS Boolean false UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.
PILOT_SKIP_VALIDATE_TRUST_DOMAIN Boolean false Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_STATUS_BURST Integer 500 If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_QPS Floating-Point 100 If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PILOT_TRACE_SAMPLING Floating-Point 100 Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.
PILOT_USE_ENDPOINT_SLICE Boolean false If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
PKCS8_KEY Boolean false Whether to generate PKCS#8 private keys
PLUGINS String Token exchange plugins
POD_NAME String
POD_NAMESPACE String
PROV_CERT String Set to a directory containing provisioned certs, for VMs
PROXY_CONFIG String The proxy configuration. This will be set by the injection - gateways will use file mounts.
SECRET_GRACE_PERIOD_RATIO Floating-Point 0.5 The grace period ratio for the cert rotation, by default 0.5.
SECRET_ROTATION_CHECK_INTERVAL Time Duration 5m0s The ticker to detect and rotate the certificates, by default 5 minutes
SECRET_TTL Time Duration 24h0m0s The cert lifetime requested by istio agent
SECRET_WATCHER_RESYNC_PERIOD String
SPIFFE_BUNDLE_ENDPOINTS String The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar
STALED_CONNECTION_RECYCLE_RUN_INTERVAL Time Duration 5m0s The ticker to detect and close stale connections
TERMINATION_DRAIN_DURATION_SECONDS Integer 5 The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.
TRUST_DOMAIN String The trust domain for spiffe certificates
USE_TOKEN_FOR_CSR Boolean false CSR requires a token
XDS_AUTH Boolean true If true, will authenticate XDS clients.
XDS_LOCAL String Address for a local XDS proxy. If empty, the proxy is disabled
XDS_SAVE String If set, the XDS proxy will save a snapshot of the received config
XDS_UPSTREAM String Address for upstream XDS server. If not set, discoveryAddress is used

Exported metrics

Metric NameTypeDescription
endpoint_no_podLastValueEndpoints without an associated pod.
istio_buildLastValueIstio component build info
num_failed_outgoing_requestsSumNumber of failed outgoing requests (e.g. to a token exchange server, CA, etc.)
num_outgoing_requestsSumNumber of total outgoing requests (e.g. to a token exchange server, CA, etc.)
num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.)
outgoing_latencySumThe latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds.
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener.
pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host
pilot_duplicate_envoy_clustersLastValueDuplicate envoy clusters caused by service entries with same hostname
pilot_eds_no_instancesLastValueNumber of clusters without instances.
pilot_endpoint_not_readyLastValueEndpoint found in unready state.
pilot_inbound_updatesSumTotal number of updates received by pilot.
pilot_invalid_out_listenersLastValueNumber of invalid outbound listeners.
pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver
pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver
pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid.
pilot_proxy_convergence_timeDistributionDelay in seconds between config change and a proxy receiving all required configuration.
pilot_proxy_queue_timeDistributionTime in seconds, a proxy is in the push queue before being dequeued.
pilot_push_triggersSumTotal number of times a push was triggered, labeled by reason for the push.
pilot_servicesLastValueTotal services known to pilot.
pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore.
pilot_total_xds_internal_errorsSumTotal number of internal XDS errors in pilot.
pilot_total_xds_rejectsSumTotal number of XDS responses from pilot rejected by proxy.
pilot_virt_servicesLastValueTotal virtual services known to pilot.
pilot_vservice_dup_domainLastValueVirtual services with dup domains.
pilot_xdsLastValueNumber of endpoints connected to this pilot using XDS.
pilot_xds_cds_rejectLastValuePilot rejected CDS configs.
pilot_xds_eds_rejectLastValuePilot rejected EDS.
pilot_xds_expired_nonceSumTotal number of XDS requests with an expired nonce.
pilot_xds_lds_rejectLastValuePilot rejected LDS.
pilot_xds_push_context_errorsSumNumber of errors (timeouts) initiating push context.
pilot_xds_push_timeDistributionTotal time in seconds Pilot takes to push lds, rds, cds and eds.
pilot_xds_pushesSumPilot build and send errors for lds, rds, cds and eds.
pilot_xds_rds_rejectLastValuePilot rejected RDS.
pilot_xds_write_timeoutSumPilot XDS response write timeouts.
scrape_failures_totalSumThe total number of failed scrapes.
scrapes_totalSumThe total number of scrapes.
sidecar_injection_failure_totalSumTotal number of failed sidecar injection requests.
sidecar_injection_requests_totalSumTotal number of sidecar injection requests.
sidecar_injection_skip_totalSumTotal number of skipped sidecar injection requests.
sidecar_injection_success_totalSumTotal number of successful sidecar injection requests.
total_active_connectionsSumThe total number of active SDS connections.
total_push_errorsSumThe total number of failed SDS pushes.
total_pushesSumThe total number of SDS pushes.
total_secret_update_failuresSumThe total number of dynamic secret update failures reported by proxy.
total_stale_connectionsSumThe total number of stale SDS connections.
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!