Resource Annotations
This page presents the various resource annotations that Istio supports to control its behavior.
| Annotation Name | Description |
|---|---|
kubernetes.io/ingress.class | Annotation on an Ingress resources denoting the class of controllers responsible for it. |
networking.istio.io/exportTo | Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace. |
policy.istio.io/check | Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests. |
policy.istio.io/checkBaseRetryWaitTime | Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms. |
policy.istio.io/checkMaxRetryWaitTime | Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms. |
policy.istio.io/checkRetries | The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries. |
policy.istio.io/lang | Selects the attribute expression langauge runtime for Mixer.. |
readiness.status.sidecar.istio.io/applicationPorts | Specifies the list of ports exposed by the application container. Used by the istio-proxy readiness probe to determine that Envoy is configured and ready to receive traffic. |
readiness.status.sidecar.istio.io/failureThreshold | Specifies the failure threshold for the istio-proxy readiness probe. |
readiness.status.sidecar.istio.io/initialDelaySeconds | Specifies the initial delay (in seconds) for the istio-proxy readiness probe. |
readiness.status.sidecar.istio.io/periodSeconds | Specifies the period (in seconds) for the istio-proxy readiness probe. |
sidecar.istio.io/bootstrapOverride | Specifies an alternative Envoy bootstrap configuration file. |
sidecar.istio.io/componentLogLevel | Specifies the component log level for Envoy. |
sidecar.istio.io/controlPlaneAuthPolicy | Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between istio-proxy sidecars will be wrapped into mutual TLS connections. |
sidecar.istio.io/discoveryAddress | Specifies the XDS discovery address to be used by the istio-proxy sidecar. |
sidecar.istio.io/inject | Specifies whether or not an istio-proxy sidecar should be automatically injected into the workload. |
sidecar.istio.io/interceptionMode | Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY). |
sidecar.istio.io/logLevel | Specifies the log level for Envoy. |
sidecar.istio.io/proxyCPU | Specifies the requested CPU setting for the istio-proxy sidecar. |
sidecar.istio.io/proxyImage | Specifies the Docker image to be used by the istio-proxy sidecar. |
sidecar.istio.io/proxyMemory | Specifies the requested memory setting for the istio-proxy sidecar. |
sidecar.istio.io/rewriteAppHTTPProbers | Rewrite HTTP readiness and liveness probes to be redirected to istio-proxy sidecar. |
sidecar.istio.io/statsInclusionPrefixes | Specifies the comma separated list of prefixes of the stats to be emitted by Envoy. |
sidecar.istio.io/statsInclusionRegexps | Specifies the comma separated list of regexes the stats should match to be emitted by Envoy. |
sidecar.istio.io/statsInclusionSuffixes | Specifies the comma separated list of suffixes of the stats to be emitted by Envoy. |
sidecar.istio.io/status | Generated by istio-proxy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources. |
sidecar.istio.io/userVolume | Specifies one or more user volumes (as a JSON array) to be added to the istio-proxy sidecar. |
sidecar.istio.io/userVolumeMount | Specifies one or more user volume mounts (as a JSON array) to be added to the istio-proxy sidecar. |
status.sidecar.istio.io/port | Specifies the HTTP status Port for the istio-proxy sidecar. If zero, the istio-proxy will not provide status. |
traffic.sidecar.istio.io/excludeInboundPorts | A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected. |
traffic.sidecar.istio.io/excludeOutboundIPRanges | A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. '*') is being redirected. |
traffic.sidecar.istio.io/excludeOutboundPorts | A comma separated list of outbound ports to be excluded from redirection to Envoy. |
traffic.sidecar.istio.io/includeInboundPorts | A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. An empty list will disable all inbound redirection. |
traffic.sidecar.istio.io/includeOutboundIPRanges | A comma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection. |
traffic.sidecar.istio.io/kubevirtInterfaces | A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. |