# Copyright 2019 Istio Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. annotations: - name: prometheus.istio.io/merge-metrics featureStatus: Alpha variableName: PrometheusMergeMetrics description: Specifies if application Prometheus metric will be merged with Envoy metrics for this workload. deprecated: false hidden: false resources: - Pod - name: alpha.istio.io/kubernetes-serviceaccounts featureStatus: Alpha variableName: AlphaKubernetesServiceAccounts description: Specifies the Kubernetes service accounts that are allowed to run this service on the VMs. deprecated: true hidden: true resources: - Service - name: alpha.istio.io/canonical-serviceaccounts featureStatus: Alpha variableName: AlphaCanonicalServiceAccounts description: Specifies the non-Kubernetes service accounts that are allowed to run this service. deprecated: true hidden: true resources: - Service - name: networking.istio.io/exportTo featureStatus: Alpha description: Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace. deprecated: false hidden: false resources: - Service - name: sidecar.istio.io/inject featureStatus: Beta description: Specifies whether or not an Envoy sidecar should be automatically injected into the workload. Deprecated in favor of `sidecar.istio.io/inject` label. deprecated: true hidden: false resources: - Pod - name: sidecar.istio.io/status featureStatus: Alpha description: Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/rewriteAppHTTPProbers featureStatus: Alpha description: Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/discoveryAddress featureStatus: Alpha description: Specifies the XDS discovery address to be used by the Envoy sidecar. deprecated: true hidden: false resources: - Pod - name: sidecar.istio.io/proxyImage featureStatus: Alpha description: Specifies the Docker image to be used by the Envoy sidecar. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/proxyImageType featureStatus: Alpha description: Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/proxyCPU featureStatus: Alpha description: Specifies the requested CPU setting for the Envoy sidecar. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/proxyCPULimit featureStatus: Alpha description: Specifies the CPU limit for the Envoy sidecar. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/proxyMemory featureStatus: Alpha description: Specifies the requested memory setting for the Envoy sidecar. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/proxyMemoryLimit description: Specifies the memory limit for the Envoy sidecar. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/interceptionMode featureStatus: Alpha description: Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY). deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/bootstrapOverride featureStatus: Alpha description: Specifies an alternative Envoy bootstrap configuration file. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/statsInclusionPrefixes featureStatus: Alpha description: Specifies the comma separated list of prefixes of the stats to be emitted by Envoy. deprecated: true hidden: false resources: - Pod - name: sidecar.istio.io/statsInclusionSuffixes featureStatus: Alpha description: Specifies the comma separated list of suffixes of the stats to be emitted by Envoy. deprecated: true hidden: false resources: - Pod - name: sidecar.istio.io/statsInclusionRegexps featureStatus: Alpha description: Specifies the comma separated list of regexes the stats should match to be emitted by Envoy. deprecated: true hidden: false resources: - Pod - name: sidecar.istio.io/statsHistogramBuckets featureStatus: Alpha description: Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. `{"istiocustom":[1,5,10,50,100,500,1000,5000,10000],"cluster.xds-grpc":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}`. Default buckets are `[0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000]`. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/userVolume featureStatus: Alpha description: Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/userVolumeMount description: Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/enableCoreDump featureStatus: Alpha description: Specifies whether or not an Envoy sidecar should enable core dump. deprecated: false hidden: false resources: - Pod - name: status.sidecar.istio.io/port featureStatus: Alpha description: Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/logLevel featureStatus: Alpha description: Specifies the log level for Envoy. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/componentLogLevel featureStatus: Alpha description: Specifies the component log level for Envoy. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/agentLogLevel featureStatus: Alpha description: Specifies the log output level for pilot-agent. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/nativeSidecar featureStatus: Alpha description: Specifies if the istio-proxy sidecar should be injected as a native sidecar or not. Takes precedence over the ENABLE_NATIVE_SIDECARS environment variable. deprecated: false hidden: false resources: - Pod - name: readiness.status.sidecar.istio.io/initialDelaySeconds featureStatus: Alpha description: Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe. deprecated: false hidden: false resources: - Pod - name: readiness.status.sidecar.istio.io/periodSeconds featureStatus: Alpha description: Specifies the period (in seconds) for the Envoy sidecar readiness probe. deprecated: false hidden: false resources: - Pod - name: readiness.status.sidecar.istio.io/failureThreshold featureStatus: Alpha description: Specifies the failure threshold for the Envoy sidecar readiness probe. deprecated: false hidden: false resources: - Pod - name: readiness.status.sidecar.istio.io/applicationPorts featureStatus: Alpha description: Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic. deprecated: false hidden: false resources: - Pod - name: traffic.istio.io/nodeSelector featureStatus: Stable description: This annotation is a set of node-labels (key1=value,key2=value). If the annotated Service is of type NodePort and is a multi-network gateway (see topology.istio.io/network), the addresses for selected nodes will be used for cross-network communication. deprecated: false hidden: false resources: - Service - name: traffic.sidecar.istio.io/includeOutboundIPRanges featureStatus: Alpha description: A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection. deprecated: false hidden: false resources: - Pod - name: traffic.sidecar.istio.io/excludeOutboundIPRanges featureStatus: Alpha description: A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. '*') is being redirected. deprecated: false hidden: false resources: - Pod - name: traffic.sidecar.istio.io/includeInboundPorts description: A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. An empty list will disable all inbound redirection. deprecated: false hidden: false resources: - Pod - name: traffic.sidecar.istio.io/excludeInboundPorts featureStatus: Alpha description: A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected. deprecated: false hidden: false resources: - Pod - name: traffic.sidecar.istio.io/excludeInterfaces featureStatus: Alpha description: A comma separated list of interfaces to be excluded from Istio traffic capture deprecated: false hidden: false resources: - Pod - name: traffic.sidecar.istio.io/includeOutboundPorts featureStatus: Alpha description: A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP. deprecated: false hidden: false resources: - Pod - name: traffic.sidecar.istio.io/excludeOutboundPorts featureStatus: Alpha description: A comma separated list of outbound ports to be excluded from redirection to Envoy. deprecated: false hidden: false resources: - Pod - name: traffic.sidecar.istio.io/kubevirtInterfaces featureStatus: Alpha description: A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. deprecated: false hidden: false resources: - Pod - name: kubernetes.io/ingress.class featureStatus: Stable description: Annotation on an Ingress resources denoting the class of controllers responsible for it. deprecated: false hidden: false resources: - Ingress - name: galley.istio.io/analyze-suppress featureStatus: Alpha description: A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation 'galley.istio.io/analyze-suppress=IST0108,IST0103'. If the value is '*', then all configuration analysis messages are suppressed. deprecated: false hidden: false resources: - Any - name: proxy.istio.io/config featureStatus: Beta description: Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig. deprecated: false hidden: false resources: - Pod - name: istio.io/dry-run featureStatus: Alpha description: Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information. deprecated: false hidden: false resources: - AuthorizationPolicy - name: istio.io/rev featureStatus: Alpha description: Specifies a control plane revision to which a given proxy is connected. This annotation is added automatically, not set by a user. In contrary to the label istio.io/rev, it represents the actual revision, not the requested revision. deprecated: false hidden: false resources: - Pod - name: proxy.istio.io/overrides featureStatus: Alpha description: Used internally to indicate user-specified overrides in the proxy container of the pod during injection. deprecated: false hidden: true resources: - Pod - name: inject.istio.io/templates featureStatus: Alpha description: The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information. deprecated: false hidden: false resources: - Pod - name: sidecar.istio.io/extraStatTags featureStatus: Alpha description: An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list. deprecated: true hidden: false resources: - Pod - name: istio.io/autoRegistrationGroup featureStatus: Alpha description: On a WorkloadEntry stores the associated WorkloadGroup. deprecated: false hidden: true resources: - WorkloadEntry - name: istio.io/workloadController featureStatus: Alpha description: On a WorkloadEntry should store the current/last pilot instance connected to the workload for XDS. deprecated: false hidden: true resources: - WorkloadEntry - name: istio.io/connectedAt featureStatus: Alpha description: On a WorkloadEntry stores the time in nanoseconds when the associated workload connected to a Pilot instance. deprecated: false hidden: true resources: - WorkloadEntry - name: istio.io/disconnectedAt featureStatus: Alpha description: On a WorkloadEntry stores the time in nanoseconds when the associated workload disconnected from a Pilot instance. deprecated: false hidden: true resources: - WorkloadEntry - name: topology.istio.io/controlPlaneClusters featureStatus: Alpha description: A comma-separated list of clusters (or * for any) running istiod that should attempt leader election for a remote cluster thats system namespace includes this annotation. Istiod will not attempt to lead unannotated remote clusters. deprecated: false hidden: false resources: - Namespace - name: gateway.istio.io/controller-version featureStatus: Alpha description: A version added to the Gateway by the controller specifying the "controller version". deprecated: false hidden: true resources: - Any - name: ambient.istio.io/redirection featureStatus: Beta description: |- Automatically configured by Istio to indicate a Pod was successfully enrolled in ambient mode. This shows the actual state; to specify intent that a workload should be in ambient mode, see `istio.io/dataplane-mode`. User should not manually modify this annotation. deprecated: false hidden: false resources: - Pod - name: ambient.istio.io/waypoint-inbound-binding featureStatus: Alpha description: | When set on a waypoint (either by its specific `Gateway`, or for the entire collection on the `GatewayClass`), indicates how traffic should be sent to the waypoint. If unset, traffic will be sent to the waypoint as HBONE directly. This takes the format: `<protocol>` or `<protocol>/<port>`. deprecated: false hidden: true resources: - GatewayClass - Gateway - name: gateway.istio.io/service-account featureStatus: Alpha description: | Overrides the name of the generated `ServiceAccount` resource when using [Gateway auto-deployment](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment) deprecated: false hidden: true resources: - Gateway - name: gateway.istio.io/name-override featureStatus: Alpha description: | Overrides the name of the generated `Deployment` and `Service` resource when using [Gateway auto-deployment](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment) deprecated: false hidden: true resources: - Gateway - name: networking.istio.io/service-type featureStatus: Alpha description: | Overrides the type of the generated `Service` resource when using [Gateway auto-deployment](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment) deprecated: false hidden: true resources: - Gateway - name: networking.istio.io/traffic-distribution featureStatus: Alpha description: | Controls how traffic is distributed across the set of available endpoints. At this time, this annotation only impacts routing done by Ztunnel. Accepted values: * `PreferClose`: endpoints will be categorized by how "close" they are, consider network, region, zone, and subzone. Traffic will be prioritized to the closest healthy endpoints. For example, if I have a Service with `PreferClose` set, with endpoints in zones `us-west,us-west,us-east`. When sending traffic from a client in zone `us-west`, all traffic will go to the two `us-west` backends. If one those backends become unhealthy, all traffic will go to the remaining endpoint in `us-west`. If that backend becomes unhealthy, traffic will sent to `us-east`. deprecated: false hidden: false resources: - Service - ServiceEntry - name: ambient.istio.io/bypass-inbound-capture featureStatus: Alpha description: | When specified on a `Pod` enrolled in ambient mesh, only outbound traffic will be captured. This is intended to be used when enrolling a workload that only receives traffic from out-of-the-mesh clients, such as third party ingress controllers. deprecated: false hidden: true resources: - Pod