Attribute Vocabulary (Deprecated)

Attributes are a central concept used throughout Istio. You can find a description of what attributes are and what they are used for here.

A given Istio deployment has a fixed vocabulary of attributes that it understands. The specific vocabulary is determined by the set of attribute producers being used in the deployment. The primary attribute producer in Istio is Envoy, although Mixer and services can also introduce attributes.

The table below shows the set of canonical attributes and their respective types. Most Istio deployments will have agents (Envoy or Mixer adapters) that produce these attributes.

Name Type Description Kubernetes Example
source.uid string Platform-specific unique identifier for the source workload instance. kubernetes://
source.ip ip_address Source workload instance IP address.
source.labels map[string, string] A map of key-value pairs attached to the source instance. version => v1 string Source workload instance name. redis-master-2353460263-1ecey
source.namespace string Source workload instance namespace. my-namespace
source.principal string Authority under which the source workload instance is running. service-account-foo
source.owner string Reference to the workload controlling the source workload instance. kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-policy
source.workload.uid string Unique identifier of the source workload. istio://istio-system/workloads/istio-policy string Source workload name. istio-policy
source.workload.namespace string Source workload namespace. istio-system
destination.uid string Platform-specific unique identifier for the server instance. kubernetes://
destination.ip ip_address Server IP address.
destination.port int64 The recipient port on the server IP address. 8080
destination.labels map[string, string] A map of key-value pairs attached to the server instance. version => v2 string Destination workload instance name. istio-telemetry-2359333
destination.namespace string Destination workload instance namespace. istio-system
destination.principal string Authority under which the destination workload instance is running. service-account
destination.owner string Reference to the workload controlling the destination workload instance. kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-telemetry
destination.workload.uid string Unique identifier of the destination workload. istio://istio-system/workloads/istio-telemetry string Destination workload name. istio-telemetry
destination.workload.namespace string Destination workload namespace. istio-system string Name of the destination workload instance’s container. mixer
destination.container.image string Image of the destination workload instance’s container. string Destination host address. istio-telemetry.istio-system.svc.cluster.local
destination.service.uid string Unique identifier of the destination service. istio://istio-system/services/istio-telemetry string Destination service name. istio-telemetry
destination.service.namespace string Destination service namespace. istio-system
origin.ip ip_address IP address of the proxy client, e.g. origin for the ingress proxies.
request.headers map[string, string] HTTP request headers with lowercase keys. For gRPC, its metadata will be here. string An ID for the request with statistically low probability of collision.
request.path string The HTTP URL path including query string
request.url_path string The path part of HTTP URL, with query string being stripped
request.query_params map[string, string] A map of query parameters extracted from the HTTP URL. string HTTP/1.x host header or HTTP/2 authority header. redis-master:3337
request.method string The HTTP method.
request.reason string The request reason used by auditing systems.
request.referer string The HTTP referer header.
request.scheme string URI Scheme of the request
request.size int64 Size of the request in bytes. For HTTP requests this is equivalent to the Content-Length header.
request.total_size int64 Total size of HTTP request in bytes, including request headers, body and trailers.
request.time timestamp The timestamp when the destination receives the request. This should be equivalent to Firebase “now”.
request.useragent string The HTTP User-Agent header.
response.headers map[string, string] HTTP response headers with lowercase keys.
response.size int64 Size of the response body in bytes
response.total_size int64 Total size of HTTP response in bytes, including response headers and body.
response.time timestamp The timestamp when the destination produced the response.
response.duration duration The amount of time the response took to generate.
response.code int64 The response’s HTTP status code.
response.grpc_status string The response’s gRPC status.
response.grpc_message string The response’s gRPC status message. string An ID for a TCP connection with statistically low probability of collision.
connection.event string Status of a TCP connection, its value is one of “open”, “continue” and “close”.
connection.received.bytes int64 Number of bytes received by a destination service on a connection since the last Report() for a connection.
connection.received.bytes_total int64 Total number of bytes received by a destination service during the lifetime of a connection.
connection.sent.bytes int64 Number of bytes sent by a destination service on a connection since the last Report() for a connection.
connection.sent.bytes_total int64 Total number of bytes sent by a destination service during the lifetime of a connection.
connection.duration duration The total amount of time a connection has been open.
connection.mtls boolean Indicates whether a request is received over a mutual TLS enabled downstream connection.
connection.requested_server_name string The requested server name (SNI) of the connection
context.protocol string Protocol of the request or connection being proxied. tcp
context.time timestamp The timestamp of Mixer operation.
context.reporter.kind string Contextualizes the reported attribute set. Set to inbound for the server-side calls from sidecars and outbound for the client-side calls from sidecars and gateways inbound
context.reporter.uid string Platform-specific identifier of the attribute reporter. kubernetes://
context.proxy_error_code string Additional details about the response or connection from proxy. In case of Envoy, see %RESPONSE_FLAGS% in Envoy Access Log for more detail UH
api.service string The public service name. This is different than the in-mesh service identity and reflects the name of the service exposed to the client.
api.version string The API version. v1alpha1
api.operation string Unique string used to identify the operation. The id is unique among all operations described in a specific <service, version>. getPetsById
api.protocol string The protocol type of the API call. Mainly for monitoring/analytics. Note that this is the frontend protocol exposed to the client, not the protocol implemented by the backend service. http, https, or grpc
request.auth.principal string The authenticated principal of the request. This is a string of the issuer (iss) and subject (sub) claims within a JWT concatenated with “/” with a percent-encoded subject value. This attribute may come from the peer or the origin in the Istio authentication policy, depending on the binding rule defined in the Istio authentication policy.
request.auth.audiences string The intended audience(s) for this authentication information. This should reflect the audience (aud) claim within a JWT. aud1
request.auth.presenter string The authorized presenter of the credential. This value should reflect the optional Authorized Presenter (azp) claim within a JWT or the OAuth2 client id. map[string, string] all raw string claims from the origin JWT iss:, sub:, aud: aud1
request.api_key string The API key used for the request. abcde12345
check.error_code int64 The error code for Mixer Check call. 5
check.error_message string The error message for Mixer Check call. Could not find the resource
check.cache_hit boolean Indicates whether Mixer check call hits local cache.
quota.cache_hit boolean Indicates whether Mixer quota call hits local cache.

Timestamp and duration attributes format

Timestamp attributes are represented in the RFC 3339 format. When operating with timestamp attributes, you can use the timestamp function defined in CEXL to convert a textual timestamp in RFC 3339 format into the TIMESTAMP type, for example: request.time | timestamp("2018-01-01T22:08:41+00:00"), response.time > timestamp("2020-02-29T00:00:00-08:00").

Duration attributes represent an amount of time, expressed as a series of decimal numbers with an optional fractional part denoted with a period, and a unit value. The possible unit values are ns for nanoseconds, us (or µs) for microseconds, ms for milliseconds, s for seconds, m for minutes, h for hours. For example:

  • 1ms represents 1 millisecond
  • 2.3s represents 2.3 seconds
  • 4m represents 4 minutes
  • 5h10m represents 5 hours and 10 minutes
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!