pilot-discovery

22 minute read

Istio Pilot provides fleet-wide traffic management capabilities in the Istio Service Mesh.

Flags	Description
`--ctrlz_address <string>`	The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
`--ctrlz_port <uint16>`	The IP port to use for the ControlZ introspection facility (default `9876`)
`--keepaliveInterval <duration>`	The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`)
`--keepaliveMaxServerConnectionAge <duration>`	Maximum duration a connection will be kept open on the server before a graceful close. (default `2562047h47m16.854775807s`)
`--keepaliveTimeout <duration>`	After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default `10s`)
`--log_as_json`	Whether to format output as JSON or in plain console-friendly format
`--log_caller <string>`	Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] (default ``)
`--log_output_level <string>`	Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
`--log_rotate <string>`	The path for the optional rotating log file (default ``)
`--log_rotate_max_age <int>`	The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
`--log_rotate_max_backups <int>`	The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
`--log_rotate_max_size <int>`	The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
`--log_stacktrace_level <string>`	Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
`--log_target <stringArray>`	The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)

pilot-discovery discovery

Start Istio proxy discovery service.

pilot-discovery discovery [flags]

Flags	Shorthand	Description
`--appNamespace <string>`	`-a`	Specify the applications namespace list the controller manages, separated by comma; if not set, controller watches all namespaces (default ``)
`--caCertFile <string>`		File containing the x509 Server CA Certificate (default ``)
`--clusterID <string>`		The ID of the cluster that this Istiod instance resides (default `Kubernetes`)
`--clusterRegistriesNamespace <string>`		Namespace for ConfigMap which stores clusters configs (default `istio-system`)
`--configDir <string>`		Directory to watch for updates to config yaml files. If specified, the files will be used as the source of config, rather than a CRD client. (default ``)
`--ctrlz_address <string>`		The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
`--ctrlz_port <uint16>`		The IP port to use for the ControlZ introspection facility (default `9876`)
`--domain <string>`		DNS domain suffix (default `cluster.local`)
`--grpcAddr <string>`		Discovery service gRPC address (default `:15010`)
`--httpAddr <string>`		Discovery service HTTP address (default `:8080`)
`--httpsAddr <string>`		Injection and validation service HTTPS address (default `:15017`)
`--keepaliveInterval <duration>`		The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`)
`--keepaliveMaxServerConnectionAge <duration>`		Maximum duration a connection will be kept open on the server before a graceful close. (default `2562047h47m16.854775807s`)
`--keepaliveTimeout <duration>`		After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default `10s`)
`--kubeconfig <string>`		Use a Kubernetes configuration file instead of in-cluster configuration (default ``)
`--kubernetesApiBurst <int>`		Maximum burst for throttle when communicating with the kubernetes API (default `40`)
`--kubernetesApiQPS <float32>`		Maximum QPS when communicating with the kubernetes API (default `20`)
`--log_as_json`		Whether to format output as JSON or in plain console-friendly format
`--log_caller <string>`		Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] (default ``)
`--log_output_level <string>`		Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
`--log_rotate <string>`		The path for the optional rotating log file (default ``)
`--log_rotate_max_age <int>`		The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
`--log_rotate_max_backups <int>`		The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
`--log_rotate_max_size <int>`		The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
`--log_stacktrace_level <string>`		Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
`--log_target <stringArray>`		The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
`--mcpInitialConnWindowSize <int>`		Initial connection window size for MCP's gRPC connection (default `1048576`)
`--mcpInitialWindowSize <int>`		Initial window size for MCP's gRPC connection (default `1048576`)
`--mcpMaxMsgSize <int>`		Max message size received by MCP's gRPC client (default `4194304`)
`--meshConfig <string>`		File name for Istio mesh configuration. If not specified, a default mesh will be used. (default `./etc/istio/config/mesh`)
`--monitoringAddr <string>`		HTTP address to use for pilot's self-monitoring information (default `:15014`)
`--namespace <string>`	`-n`	Select a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable (default `istio-system`)
`--networksConfig <string>`		File name for Istio mesh networks configuration. If not specified, a default mesh networks will be used. (default `/etc/istio/config/meshNetworks`)
`--plugins <stringSlice>`		comma separated list of networking plugins to enable (default `[authn,authz,health]`)
`--profile`		Enable profiling via web interface host:port/debug/pprof
`--registries <stringSlice>`		Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Mock}) (default `[Kubernetes]`)
`--resync <duration>`		Controller resync interval (default `1m0s`)
`--secureGRPCAddr <string>`		Discovery service secured gRPC address (default `:15012`)
`--tlsCertFile <string>`		File containing the x509 Server Certificate (default ``)
`--tlsKeyFile <string>`		File containing the x509 private key matching --tlsCertFile (default ``)
`--trust-domain <string>`		The domain serves to identify the system with spiffe (default ``)

pilot-discovery request

Makes an HTTP request to Pilot metrics/debug endpoint

pilot-discovery request <method> <path> [<body>] [flags]

Flags	Description
`--ctrlz_address <string>`	The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
`--ctrlz_port <uint16>`	The IP port to use for the ControlZ introspection facility (default `9876`)
`--keepaliveInterval <duration>`	The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`)
`--keepaliveMaxServerConnectionAge <duration>`	Maximum duration a connection will be kept open on the server before a graceful close. (default `2562047h47m16.854775807s`)
`--keepaliveTimeout <duration>`	After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default `10s`)
`--log_as_json`	Whether to format output as JSON or in plain console-friendly format
`--log_caller <string>`	Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] (default ``)
`--log_output_level <string>`	Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
`--log_rotate <string>`	The path for the optional rotating log file (default ``)
`--log_rotate_max_age <int>`	The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
`--log_rotate_max_backups <int>`	The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
`--log_rotate_max_size <int>`	The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
`--log_stacktrace_level <string>`	Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
`--log_target <stringArray>`	The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)

pilot-discovery version

Prints out build version information

pilot-discovery version [flags]

Flags	Shorthand	Description
`--ctrlz_address <string>`		The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
`--ctrlz_port <uint16>`		The IP port to use for the ControlZ introspection facility (default `9876`)
`--keepaliveInterval <duration>`		The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`)
`--keepaliveMaxServerConnectionAge <duration>`		Maximum duration a connection will be kept open on the server before a graceful close. (default `2562047h47m16.854775807s`)
`--keepaliveTimeout <duration>`		After having pinged for keepalive check, the client/server waits for a duration of keepaliveTimeout and if no activity is seen even after that the connection is closed. (default `10s`)
`--log_as_json`		Whether to format output as JSON or in plain console-friendly format
`--log_caller <string>`		Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] (default ``)
`--log_output_level <string>`		Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
`--log_rotate <string>`		The path for the optional rotating log file (default ``)
`--log_rotate_max_age <int>`		The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
`--log_rotate_max_backups <int>`		The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
`--log_rotate_max_size <int>`		The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
`--log_stacktrace_level <string>`		Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, cache, default, klog, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, secretfetcher, serverca, source, spiffe, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
`--log_target <stringArray>`		The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
`--output <string>`	`-o`	One of 'yaml' or 'json'. (default ``)
`--short`	`-s`	Use --short=false to generate full version information

Environment variables

These environment variables affect the behavior of the pilot-discovery command. Please use with caution as these environment variables are experimental and can change anytime.

Variable Name	Type	Default Value	Description
`AUDIENCE`	String		Expected audience in the tokens.
`CENTRAL_ISTIOD`	Boolean	`false`	If this is set to true, one Istiod will control remote clusters including CA.
`CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATOR`	Boolean	`true`	If true, set up a jitter to start root cert rotator. Jitter selects a backoff time in seconds to start root cert rotator, and the back off time is below root cert check interval.
`CITADEL_SELF_SIGNED_CA_CERT_TTL`	Time Duration	`87600h0m0s`	The TTL of self-signed CA root certificate.
`CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE`	Integer	`2048`	Specify the RSA key size to use for self-signed Istio CA certificates.
`CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVAL`	Time Duration	`1h0m0s`	The interval that self-signed CA checks its root certificate expiration time and rotates root certificate. Setting this interval to zero or a negative value disables automated root cert check and rotation. This interval is suggested to be larger than 10 minutes.
`CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILE`	Integer	`20`	Grace period percentile for self-signed root cert.
`CLUSTER_ID`	String	`Kubernetes`	Defines the cluster and service registry that this Istiod instance is belongs to
`DEFAULT_WORKLOAD_CERT_TTL`	Time Duration	`24h0m0s`	The default TTL of issued workload certificates. Applied when the client sets a non-positive TTL in the CSR.
`ENABLE_ADMIN_ENDPOINTS`	Boolean	`false`	If this is set to true, dangerous admin endpoins will be exposed on the debug interface. Not recommended for production.
`ENABLE_CA_SERVER`	Boolean	`true`	If this is set to false, will not create CA server in istiod.
`ENABLE_DEBUG_ON_HTTP`	Boolean	`true`	If this is set to false, the debug interface will not be ebabled on Http, recommended for production
`ENABLE_LEGACY_FSGROUP_INJECTION`	Boolean	`true`	If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is "first-party-jwt".
`EXTERNAL_CA`	String		External CA Integration Type. Permitted Values are ISTIOD_RA_KUBERNETES_API or ISTIOD_RA_ISTIO_API
`EXTERNAL_ISTIOD`	Boolean	`false`	If this is set to true, one Istiod will control remote clusters including CA.
`INGRESS_GATEWAY_NAMESPACE`	String
`INJECTION_WEBHOOK_CONFIG_NAME`	String	`istio-sidecar-injector`	Name of the mutatingwebhookconfiguration to patch, if istioctl is not used.
`INJECT_ENABLED`	Boolean	`true`	Enable mutating webhook handler.
`ISTIOD_CUSTOM_HOST`	String		Custom host name of istiod that istiod signs the server cert.
`ISTIOD_ENABLE_SDS_SERVER`	Boolean	`true`	If enabled, Istiod will serve SDS for credentialName secrets (rather than in-proxy). To ensure proper security, PILOT_ENABLE_XDS_IDENTITY_CHECK=true is required as well.
`ISTIO_DEFAULT_REQUEST_TIMEOUT`	Time Duration	`0s`	Default Http and gRPC Request timeout
`ISTIO_GPRC_MAXRECVMSGSIZE`	Integer	`4194304`	Sets the max receive buffer size of gRPC stream in bytes.
`ISTIO_GPRC_MAXSTREAMS`	Integer	`100000`	Sets the maximum number of concurrent grpc streams.
`ISTIO_PROMETHEUS_ANNOTATIONS`	String
`JWT_POLICY`	String	`third-party-jwt`	The JWT validation policy.
`K8S_INGRESS_NS`	String
`K8S_SIGNER`	String		Kubernates CA Signer type. Valid from Kubernates 1.18
`KUBERNETES_SERVICE_HOST`	String		Kuberenetes service host, set automatically when running in-cluster
`MAX_WORKLOAD_CERT_TTL`	Time Duration	`2160h0m0s`	The max TTL of issued workload certificates.
`PILOT_ALLOW_METADATA_CERTS_DR_MUTUAL_TLS`	Boolean	`false`	If true, Pilot will allow certs specified in Metadata to override DR certs in MUTUAL TLS mode. This is only enabled for migration and will be removed soon.
`PILOT_CERT_PROVIDER`	String	`istiod`	The provider of Pilot DNS certificate.
`PILOT_DEBOUNCE_AFTER`	Time Duration	`100ms`	The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
`PILOT_DEBOUNCE_MAX`	Time Duration	`10s`	The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
`PILOT_DISTRIBUTION_HISTORY_RETENTION`	Time Duration	`1m0s`	If enabled, Pilot will keep track of old versions of distributed config for this duration.
`PILOT_ENABLED_SERVICE_APIS`	Boolean	`false`	If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default.
`PILOT_ENABLE_ANALYSIS`	Boolean	`false`	If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
`PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING`	Boolean	`true`	If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
`PILOT_ENABLE_CRD_VALIDATION`	Boolean	`false`	If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.
`PILOT_ENABLE_EDS_DEBOUNCE`	Boolean	`true`	If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
`PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES`	Boolean	`false`	If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
`PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS`	Boolean	`true`	If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
`PILOT_ENABLE_INCREMENTAL_MCP`	Boolean	`false`	If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false.
`PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES`	Boolean	`true`	If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don't need this feature
`PILOT_ENABLE_MYSQL_FILTER`	Boolean	`false`	EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
`PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND`	Boolean	`true`	If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported
`PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND`	Boolean	`true`	If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
`PILOT_ENABLE_REDIS_FILTER`	Boolean	`false`	EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
`PILOT_ENABLE_SERVICEENTRY_SELECT_PODS`	Boolean	`true`	If enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature
`PILOT_ENABLE_STATUS`	Boolean	`false`	If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
`PILOT_ENABLE_TCP_METADATA_EXCHANGE`	Boolean	`true`	If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
`PILOT_ENABLE_THRIFT_FILTER`	Boolean	`false`	EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.
`PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE`	Boolean	`true`	If set to false, virtualService delegate will not be supported.
`PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION`	Boolean	`false`	Enables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.
`PILOT_ENABLE_XDS_CACHE`	Boolean	`true`	If true, Pilot will cache XDS responses.
`PILOT_ENABLE_XDS_IDENTITY_CHECK`	Boolean	`true`	If enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.
`PILOT_ENDPOINT_TELEMETRY_LABEL`	Boolean	`false`	If true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.
`PILOT_FILTER_GATEWAY_CLUSTER_CONFIG`	Boolean	`true`
`PILOT_HTTP10`	Boolean	`false`	Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
`PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT`	Time Duration	`1s`	Protocol detection timeout for inbound listener
`PILOT_INITIAL_FETCH_TIMEOUT`	Time Duration	`0s`	Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.
`PILOT_PUSH_THROTTLE`	Integer	`100`	Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
`PILOT_SCOPE_GATEWAY_TO_NAMESPACE`	Boolean	`false`	If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
`PILOT_SIDECAR_ENABLE_INBOUND_TLS_V2`	Boolean	`true`	If true, Pilot will set the TLS version on server side as TLSv1_2 and also enforce strong cipher suites
`PILOT_SIDECAR_USE_REMOTE_ADDRESS`	Boolean	`false`	UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.
`PILOT_SKIP_VALIDATE_TRUST_DOMAIN`	Boolean	`false`	Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
`PILOT_STATUS_BURST`	Integer	`500`	If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
`PILOT_STATUS_QPS`	Floating-Point	`100`	If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
`PILOT_TRACE_SAMPLING`	Floating-Point	`100`	Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.
`PILOT_USE_ENDPOINT_SLICE`	Boolean	`false`	If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
`PILOT_WORKLOAD_ENTRY_GRACE_PERIOD`	Time Duration	`10s`	The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.
`PILOT_XDS_CACHE_SIZE`	Integer	`20000`	The maximum number of cache entries for the XDS cache. If the size is <= 0, the cache will have no upper bound.
`PILOT_XDS_CACHE_STATS`	Boolean	`false`	If true, Pilot will collect metrics for XDS cache efficiency.
`PILOT_XDS_SEND_TIMEOUT`	Time Duration	`5s`	The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
`POD_NAME`	String
`POD_NAMESPACE`	String	`istio-system`
`REQUIRE_3P_TOKEN`	Boolean	`false`	Reject k8s default tokens, without audience. If false, default K8S token will be accepted
`REVISION`	String
`ROOT_CA_DIR`	String	`./etc/cacerts`	Location of a local or mounted CA root
`SECRET_WATCHER_RESYNC_PERIOD`	String
`SPIFFE_BUNDLE_ENDPOINTS`	String		The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use \|\| between <trustdomain, endpoint> tuples. Use \| as delimiter between trust domain and endpoint in each tuple. For example: foo\|https://url/for/foo\|\|bar\|https://url/for/bar
`TERMINATION_DRAIN_DURATION_SECONDS`	Integer	`5`	The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.
`TOKEN_AUDIENCES`	String	`istio-ca`	A list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences
`TOKEN_ISSUER`	String		OIDC token issuer. If set, will be used to check the tokens.
`USE_REMOTE_CERTS`	Boolean	`false`	Whether to try to load CA certs from a remote Kubernetes cluster. Used for external Istiod.
`VALIDATION_ENABLED`	Boolean	`true`	Enable config validation handler.
`VALIDATION_WEBHOOK_CONFIG_NAME`	String	`istiod-${namespace}`	Name of validatingwebhookconfiguration to patch. Empty will skip using cluster admin to patch.
`XDS_AUTH`	Boolean	`true`	If true, will authenticate XDS clients.

Exported metrics

Metric Name	Type	Description
`citadel_server_authentication_failure_count`	`Sum`	The number of authentication failures.
`citadel_server_cert_chain_expiry_timestamp`	`LastValue`	The unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired.
`citadel_server_csr_count`	`Sum`	The number of CSRs received by Citadel server.
`citadel_server_csr_parsing_err_count`	`Sum`	The number of errors occurred when parsing the CSR.
`citadel_server_csr_sign_err_count`	`Sum`	The number of errors occurred when signing the CSR.
`citadel_server_id_extraction_err_count`	`Sum`	The number of errors occurred when extracting the ID from CSR.
`citadel_server_root_cert_expiry_timestamp`	`LastValue`	The unix timestamp, in seconds, when Citadel root cert will expire. A negative time indicates the cert is expired.
`citadel_server_success_cert_issuance_count`	`Sum`	The number of certificates issuances that have succeeded.
`endpoint_no_pod`	`LastValue`	Endpoints without an associated pod.
`galley_runtime_processor_event_span_duration_milliseconds`	`Distribution`	The duration between each incoming event
`galley_runtime_processor_events_processed_total`	`Count`	The number of events that have been processed
`galley_runtime_processor_snapshot_events_total`	`Distribution`	The number of events per snapshot
`galley_runtime_processor_snapshot_lifetime_duration_milliseconds`	`Distribution`	The duration of each snapshot
`galley_runtime_processor_snapshots_published_total`	`Count`	The number of snapshots that have been published
`galley_runtime_state_type_instances_total`	`LastValue`	The number of type instances per type URL
`galley_runtime_strategy_on_change_total`	`Count`	The number of times the strategy's onChange has been called
`galley_runtime_strategy_timer_max_time_reached_total`	`Count`	The number of times the max time has been reached
`galley_runtime_strategy_timer_quiesce_reached_total`	`Count`	The number of times a quiesce has been reached
`galley_runtime_strategy_timer_resets_total`	`Count`	The number of times the timer has been reset
`galley_source_kube_dynamic_converter_failure_total`	`Count`	The number of times a dynamnic kubernetes source failed converting a resources
`galley_source_kube_dynamic_converter_success_total`	`Count`	The number of times a dynamic kubernetes source successfully converted a resource
`galley_source_kube_event_error_total`	`Count`	The number of times a kubernetes source encountered errored while handling an event
`galley_source_kube_event_success_total`	`Count`	The number of times a kubernetes source successfully handled an event
`galley_validation_config_delete_error`	`Count`	k8s webhook configuration delete error
`galley_validation_config_load`	`Count`	k8s webhook configuration (re)loads
`galley_validation_config_load_error`	`Count`	k8s webhook configuration (re)load error
`galley_validation_config_update_error`	`Count`	k8s webhook configuration update error
`galley_validation_config_updates`	`Count`	k8s webhook configuration updates
`galley_validation_failed`	`Sum`	Resource validation failed
`galley_validation_http_error`	`Sum`	Resource validation http serve errors
`galley_validation_passed`	`Sum`	Resource is valid
`istio_build`	`LastValue`	Istio component build info
`istio_mcp_clients_total`	`LastValue`	The number of streams currently connected.
`istio_mcp_message_sizes_bytes`	`Distribution`	Size of messages received from clients.
`istio_mcp_reconnections`	`Sum`	The number of times the sink has reconnected.
`istio_mcp_recv_failures_total`	`Sum`	The number of recv failures in the source.
`istio_mcp_request_acks_total`	`Sum`	The number of request acks received by the source.
`istio_mcp_request_nacks_total`	`Sum`	The number of request nacks received by the source.
`istio_mcp_send_failures_total`	`Sum`	The number of send failures in the source.
`num_failed_outgoing_requests`	`Sum`	Number of failed outgoing requests (e.g. to a token exchange server, CA, etc.)
`num_outgoing_requests`	`Sum`	Number of total outgoing requests (e.g. to a token exchange server, CA, etc.)
`num_outgoing_retries`	`Sum`	Number of outgoing retry requests (e.g. to a token exchange server, CA, etc.)
`outgoing_latency`	`Sum`	The latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds.
`pilot_conflict_inbound_listener`	`LastValue`	Number of conflicting inbound listeners.
`pilot_conflict_outbound_listener_http_over_current_tcp`	`LastValue`	Number of conflicting wildcard http listeners with current wildcard tcp listener.
`pilot_conflict_outbound_listener_tcp_over_current_http`	`LastValue`	Number of conflicting wildcard tcp listeners with current wildcard http listener.
`pilot_conflict_outbound_listener_tcp_over_current_tcp`	`LastValue`	Number of conflicting tcp listeners with current tcp listener.
`pilot_destrule_subsets`	`LastValue`	Duplicate subsets across destination rules for same host
`pilot_duplicate_envoy_clusters`	`LastValue`	Duplicate envoy clusters caused by service entries with same hostname
`pilot_eds_no_instances`	`LastValue`	Number of clusters without instances.
`pilot_endpoint_not_ready`	`LastValue`	Endpoint found in unready state.
`pilot_inbound_updates`	`Sum`	Total number of updates received by pilot.
`pilot_invalid_out_listeners`	`LastValue`	Number of invalid outbound listeners.
`pilot_jwks_resolver_network_fetch_fail_total`	`Sum`	Total number of failed network fetch by pilot jwks resolver
`pilot_jwks_resolver_network_fetch_success_total`	`Sum`	Total number of successfully network fetch by pilot jwks resolver
`pilot_k8s_cfg_events`	`Sum`	Events from k8s config.
`pilot_k8s_endpoints_pending_pod`	`LastValue`	Number of endpoints that do not currently have any corresponding pods.
`pilot_k8s_endpoints_with_no_pods`	`Sum`	Endpoints that does not have any corresponding pods.
`pilot_k8s_object_errors`	`LastValue`	Errors converting k8s CRDs
`pilot_k8s_reg_events`	`Sum`	Events from k8s registry.
`pilot_no_ip`	`LastValue`	Pods not found in the endpoint table, possibly invalid.
`pilot_proxy_convergence_time`	`Distribution`	Delay in seconds between config change and a proxy receiving all required configuration.
`pilot_proxy_queue_time`	`Distribution`	Time in seconds, a proxy is in the push queue before being dequeued.
`pilot_push_triggers`	`Sum`	Total number of times a push was triggered, labeled by reason for the push.
`pilot_services`	`LastValue`	Total services known to pilot.
`pilot_total_k8s_object_errors`	`Sum`	Total Errors converting k8s CRDs
`pilot_total_rejected_configs`	`Sum`	Total number of configs that Pilot had to reject or ignore.
`pilot_total_xds_internal_errors`	`Sum`	Total number of internal XDS errors in pilot.
`pilot_total_xds_rejects`	`Sum`	Total number of XDS responses from pilot rejected by proxy.
`pilot_virt_services`	`LastValue`	Total virtual services known to pilot.
`pilot_vservice_dup_domain`	`LastValue`	Virtual services with dup domains.
`pilot_xds`	`LastValue`	Number of endpoints connected to this pilot using XDS.
`pilot_xds_cds_reject`	`LastValue`	Pilot rejected CDS configs.
`pilot_xds_eds_reject`	`LastValue`	Pilot rejected EDS.
`pilot_xds_expired_nonce`	`Sum`	Total number of XDS requests with an expired nonce.
`pilot_xds_lds_reject`	`LastValue`	Pilot rejected LDS.
`pilot_xds_push_context_errors`	`Sum`	Number of errors (timeouts) initiating push context.
`pilot_xds_push_time`	`Distribution`	Total time in seconds Pilot takes to push lds, rds, cds and eds.
`pilot_xds_pushes`	`Sum`	Pilot build and send errors for lds, rds, cds and eds.
`pilot_xds_rds_reject`	`LastValue`	Pilot rejected RDS.
`pilot_xds_send_time`	`Distribution`	Total time in seconds Pilot takes to send generated configuration.
`pilot_xds_write_timeout`	`Sum`	Pilot XDS response write timeouts.
`scrape_failures_total`	`Sum`	The total number of failed scrapes.
`scrapes_total`	`Sum`	The total number of scrapes.
`sidecar_injection_failure_total`	`Sum`	Total number of failed sidecar injection requests.
`sidecar_injection_requests_total`	`Sum`	Total number of sidecar injection requests.
`sidecar_injection_skip_total`	`Sum`	Total number of skipped sidecar injection requests.
`sidecar_injection_success_total`	`Sum`	Total number of successful sidecar injection requests.
`startup_duration_seconds`	`LastValue`	The time from the process starting to being marked ready.
`xds_cache_evictions`	`Sum`	Total number of xds cache evictions.
`xds_cache_reads`	`Sum`	Total number of xds cache xdsCacheReads.
`xds_cache_size`	`LastValue`	Current size of xds cache

Was this information useful?

Do you have any suggestions for improvement?

Thanks for your feedback!