# Namespace that holds every other object in this file.
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
---
# Externally reachable entry point for the gateway pods selected by app=istio.
# type: LoadBalancer asks the cloud provider for a public address, so both
# ports below are exposed outside the cluster. No targetPort is given, so each
# port forwards to the same port number on the pod.
apiVersion: v1
kind: Service
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
spec:
  type: LoadBalancer
  selector:
    app: istio
  ports:
    - name: http
      port: 80
    - name: https
      port: 443
---
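# Single pod running pilot (discovery) and the gateway proxy side by side.
# The pod runs as ServiceAccount "istio", which is bound to the ClusterRole
# of the same name further down in this file.
# NOTE(review): neither container sets a securityContext or resources, so
# both run with the cluster's defaults.
# The unreferenced "local-certs" emptyDir volume was dropped: no container
# mounted it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio
  template:
    metadata:
      labels:
        app: istio
        istio: ingressgateway
    spec:
      serviceAccountName: istio
      containers:
        - name: istio
          # Pinned to latest verified version, as this is changing rapidly.
          # NOTE(review): a tag stays mutable even when it embeds a commit
          # sha, and imagePullPolicy: Always re-pulls it on every start; pin
          # by digest (image@sha256:<DIGEST_PLACEHOLDER>) if the running
          # image must not change underneath the deployment.
          image: gcr.io/istio-testing/pilot:1.8-alpha.39f0b315f9f2ac29df449bf54994f8b0a6aec057
          imagePullPolicy: Always
          args:
            - discovery
          # Env values are strings; keep the boolean-looking ones quoted.
          env:
            - name: PILOT_ENABLED_SERVICE_APIS
              value: "true"  # This will be enabled by default in the future
            - name: VALIDATION_WEBHOOK_CONFIG_NAME
              value: ""
            - name: ENABLE_CA_SERVER
              value: "false"
          volumeMounts:
            - name: config-volume
              mountPath: /etc/istio/config
        - name: proxy
          # No imagePullPolicy here, so the default applies (IfNotPresent for
          # a non-"latest" tag), unlike the pilot container above.
          image: gcr.io/istio-testing/proxyv2:1.8-alpha.39f0b315f9f2ac29df449bf54994f8b0a6aec057
          args:
            - proxy
            - router
          env:
            # TODO(https://github.com/istio/istio/issues/24655) remove this
            - name: JWT_POLICY
              value: first-party-jwt
            - name: ISTIO_META_CLUSTER_ID
              value: Kubernetes
            - name: ISTIO_META_CONFIG_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: podinfo
              mountPath: /etc/istio/pod
            - name: config-volume
              mountPath: /etc/istio/config
            - name: ingressgatewaysdsudspath
              mountPath: /var/run/ingress_gateway
      volumes:
        # Pod labels and annotations projected as files for the proxy.
        - name: podinfo
          downwardAPI:
            items:
              - path: labels
                fieldRef:
                  fieldPath: metadata.labels
              - path: annotations
                fieldRef:
                  fieldPath: metadata.annotations
        # Mesh config from the ConfigMap "istio" defined at the end of the file.
        - name: config-volume
          configMap:
            name: istio
        - name: ingressgatewaysdsudspath
          emptyDir: {}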
---
# Identity the Deployment's pod runs as; its cluster-wide permissions come
# from the ClusterRoleBinding below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio
  namespace: istio-system
---
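# Permissions granted to the istio ServiceAccount across ALL namespaces.
# ClusterRole is cluster-scoped, so the metadata.namespace the original
# carried was ignored by the API server and is omitted here.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: istio
rules:
  - apiGroups: [""]
    resources: ["services", "nodes", "pods", "endpoints", "namespaces"]
    verbs: ["get", "list", "watch"]
  # Cluster-wide read and write on every Secret. This is the broadest grant
  # in the file and the one most worth scoping down; "secrets" was also
  # listed in the read-only rule above, which duplicated the get/list/watch
  # verbs given here, so it is listed once.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "watch", "list", "update", "delete"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "update", "get", "list", "watch"]
  - apiGroups: ["networking.x-k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  # All verbs on the status subresource only, not on ingresses themselves.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  # Pilot will try to read these even if they aren't existing. For now, just
  # give access. Read-only across all istio API groups.
  - apiGroups:
      - config.istio.io
      - networking.istio.io
      - authentication.istio.io
      - rbac.istio.io
      - security.istio.io
    resources: ["*"]
    verbs: ["get", "list", "watch"]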
---
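# Grants the ClusterRole "istio" to the ServiceAccount "istio" in istio-system,
# i.e. to every pod of the Deployment above. ClusterRoleBinding is
# cluster-scoped, so the metadata.namespace the original carried was ignored
# and is omitted; the subject's namespace is required and stays.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: istio
subjects:
  - kind: ServiceAccount
    name: istio
    namespace: istio-system
roleRef:
  kind: ClusterRole
  name: istio
  apiGroup: rbac.authorization.k8s.io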
---
# Mesh configuration mounted into both containers at /etc/istio/config.
# The "mesh" value is an opaque block scalar consumed by pilot/proxy, so no
# comments are placed inside it. Settings of note: automatic mTLS is off,
# and controlPlaneAuthPolicy NONE means the proxy-to-pilot channel is not
# authenticated; discoveryAddress points at localhost, and both containers
# share one pod, so that channel appears not to leave the pod.
kind: ConfigMap
apiVersion: v1
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    enableAutoMtls: false
    accessLogFile: /dev/stdout
    defaultConfig:
      discoveryAddress: localhost:15010
      controlPlaneAuthPolicy: NONE