pilot-agent
Istio Pilot agent runs in the sidecar or gateway container and bootstraps Envoy.
Flags | Description |
---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
pilot-agent proxy
Envoy proxy agent
pilot-agent proxy [flags]
Flags | Description |
---|---|
--binaryPath <string> | Path to the proxy binary (default `/usr/local/bin/envoy`) |
--concurrency <int> | number of worker threads to run (default `0`) |
--configPath <string> | Path to the generated configuration file directory (default `/etc/istio/proxy`) |
--connectTimeout <duration> | Connection timeout used by Envoy for supporting services (default `10s`) |
--controlPlaneAuthPolicy <string> | Control Plane Authentication Policy (default `NONE`) |
--controlPlaneBootstrap | Process bootstrap provided via templateFile to be used by control plane components. |
--customConfigFile <string> | Path to the custom configuration file (default ``) |
--datadogAgentAddress <string> | Address of the Datadog Agent (default ``) |
--disableInternalTelemetry | Disable internal telemetry |
--discoveryAddress <string> | Address of the discovery service exposing xDS (e.g. istio-pilot:8080) (default `istio-pilot:15010`) |
--dnsRefreshRate <string> | The dns_refresh_rate for bootstrap STRICT_DNS clusters (default `300s`) |
--domain <string> | DNS domain suffix. If not provided uses ${POD_NAMESPACE}.svc.cluster.local (default ``) |
--drainDuration <duration> | The time in seconds that Envoy will drain connections during a hot restart (default `45s`) |
--envoyAccessLogService <string> | Settings of an Envoy gRPC Access Log Service API implementation (default ``) |
--envoyMetricsService <string> | Settings of an Envoy gRPC Metrics Service API implementation (default ``) |
--id <string> | Proxy unique ID. If not provided uses ${POD_NAME}.${POD_NAMESPACE} from environment variables (default ``) |
--ip <string> | Proxy IP address. If not provided uses ${INSTANCE_IP} environment variable. (default ``) |
--lightstepAccessToken <string> | Access Token for LightStep Satellite pool (default ``) |
--lightstepAddress <string> | Address of the LightStep Satellite pool (default ``) |
--lightstepCacertPath <string> | Path to the trusted cacert used to authenticate the pool (default ``) |
--lightstepSecure | Should connection to the LightStep Satellite pool be secure |
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--mixerIdentity <string> | The identity used as the suffix for mixer's spiffe SAN. This would only be used by pilot all other proxy would get this value from pilot (default ``) |
--outlierLogPath <string> | The log path for outlier detection (default ``) |
--parentShutdownDuration <duration> | The time in seconds that Envoy will wait before shutting down the parent process during a hot restart (default `1m0s`) |
--pilotIdentity <string> | The identity used as the suffix for pilot's spiffe SAN (default ``) |
--proxyAdminPort <uint16> | Port on which Envoy should listen for administrative commands (default `15000`) |
--proxyComponentLogLevel <string> | The component log level used to start the Envoy proxy (default `misc:error`) |
--proxyLogLevel <string> | The log level used to start the Envoy proxy (choose from {trace, debug, info, warning, error, critical, off}) (default `warning`) |
--serviceCluster <string> | Service cluster (default `istio-proxy`) |
--serviceregistry <string> | Select the platform for service registry, options are {Kubernetes, Consul, Mock} (default `Kubernetes`) |
--statsdUdpAddress <string> | IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125) (default ``) |
--statusPort <uint16> | HTTP Port on which to serve pilot agent status. If zero, agent status will not be provided. (default `0`) |
--stsPort <int> | HTTP Port on which to serve Security Token Service (STS). If zero, STS service will not be provided. (default `0`) |
--templateFile <string> | Go template bootstrap config (default ``) |
--tokenManagerPlugin <string> | Token provider specific plugin name. (default `GoogleTokenExchange`) |
--trust-domain <string> | The domain to use for identities (default ``) |
--zipkinAddress <string> | Address of the Zipkin service (e.g. zipkin:9411) (default ``) |
pilot-agent request
Makes an HTTP request to the Envoy admin API
pilot-agent request <method> <path> [<body>] [flags]
Flags | Description |
---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
pilot-agent version
Prints out build version information
pilot-agent version [flags]
Flags | Shorthand | Description |
---|---|---|
--log_as_json | Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) | |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> | The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--output <string> | -o | One of 'yaml' or 'json'. (default ``) |
--short | -s | Use --short=false to generate full version information |
Environment variables
These environment variables affect the behavior of thepilot-agent
command.Variable Name | Type | Default Value | Description |
---|---|---|---|
CA_ADDR | String |
| |
CA_PROVIDER | String | Citadel | |
ENABLE_INGRESS_GATEWAY_SDS | Boolean | false | |
GKE_CLUSTER_URL | String |
| The url of GKE cluster |
INGRESS_GATEWAY_FALLBACK_SECRET | String | gateway-fallback | |
INGRESS_GATEWAY_NAMESPACE | String |
| |
INITIAL_BACKOFF_MSEC | Integer | 0 | |
INSTANCE_IP | String |
| |
ISTIOD_ADDR | String |
| Service name of istiod. If empty the istiod listener, certs will be disabled. |
ISTIO_AUTO_MTLS_ENABLED | Boolean | false | If true, auto mTLS is enabled, sidecar checks key/cert if SDS is not enabled. |
ISTIO_BOOTSTRAP | String |
| |
ISTIO_BOOTSTRAP_OVERRIDE | String |
| |
ISTIO_GPRC_MAXRECVMSGSIZE | Integer | 4194304 | Sets the max receive buffer size of gRPC stream in bytes. |
ISTIO_GPRC_MAXSTREAMS | Integer | 100000 | Sets the maximum number of concurrent grpc streams. |
ISTIO_KUBE_APP_PROBERS | String |
| |
ISTIO_META_TLS_CLIENT_CERT_CHAIN | String | /etc/certs/cert-chain.pem | |
ISTIO_META_TLS_CLIENT_KEY | String | /etc/certs/key.pem | |
ISTIO_META_TLS_CLIENT_ROOT_CERT | String | /etc/certs/root-cert.pem | |
ISTIO_META_TLS_SERVER_CERT_CHAIN | String | /etc/certs/cert-chain.pem | |
ISTIO_META_TLS_SERVER_KEY | String | /etc/certs/key.pem | |
ISTIO_META_TLS_SERVER_ROOT_CERT | String | /etc/certs/root-cert.pem | |
ISTIO_NAMESPACE | String |
| |
JWT_POLICY | String | third-party-jwt | The JWT validation policy. |
MESH_CONFIG | String |
| The mesh configuration |
NAMESPACE | String | istio-system | namespace that nodeagent/citadel run in |
OUTPUT_KEY_CERT_TO_DIRECTORY | String |
| The output directory for the key and certificate. If empty, no output of key and certificate. |
PILOT_BLOCK_HTTP_ON_443 | Boolean | true | If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic |
PILOT_CERT_DIR | String |
| |
PILOT_CERT_PROVIDER | String | citadel | the provider of Pilot DNS certificate. |
PILOT_DEBOUNCE_AFTER | Time Duration | 100ms | The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX. |
PILOT_DEBOUNCE_MAX | Time Duration | 10s | The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push. |
PILOT_DEBUG_ADSZ_CONFIG | Boolean | false | |
PILOT_DISTRIBUTION_HISTORY_RETENTION | Time Duration | 1m0s | If enabled, Pilot will keep track of old versions of distributed config for this duration. |
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING | Boolean | true | If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface. |
PILOT_ENABLE_CRD_VALIDATION | Boolean | false | If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed. |
PILOT_ENABLE_EDS_DEBOUNCE | Boolean | true | If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled |
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES | Boolean | false | If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar. |
PILOT_ENABLE_FALLTHROUGH_ROUTE | Boolean | true | EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned. |
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS | Boolean | true | If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
PILOT_ENABLE_MYSQL_FILTER | Boolean | false | EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain. |
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND | Boolean | true | If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported |
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND | Boolean | true | If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported |
PILOT_ENABLE_REDIS_FILTER | Boolean | false | EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain. |
PILOT_ENABLE_TCP_METADATA_EXCHANGE | Boolean | true | If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy |
PILOT_ENABLE_THRIFT_FILTER | Boolean | false | EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain. |
PILOT_FILTER_GATEWAY_CLUSTER_CONFIG | Boolean | false | |
PILOT_HTTP10 | Boolean | false | Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications. |
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT | Time Duration | 1s | Protocol detection timeout for inbound listener |
PILOT_INITIAL_FETCH_TIMEOUT | Time Duration | 0s | Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup. |
PILOT_PUSH_THROTTLE | Integer | 100 | Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes |
PILOT_RESPECT_DNS_TTL | Boolean | true | If enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future. |
PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP | Boolean | true | If enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future. |
PILOT_SCOPE_GATEWAY_TO_NAMESPACE | Boolean | false | If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable. |
PILOT_SCOPE_PUSHES | Boolean | true | If enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact. |
PILOT_SIDECAR_USE_REMOTE_ADDRESS | Boolean | false | UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners. |
PILOT_SKIP_VALIDATE_TRUST_DOMAIN | Boolean | false | Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy |
PILOT_TRACE_SAMPLING | Floating-Point | 100 | Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use. |
PILOT_USE_ENDPOINT_SLICE | Boolean | false | If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used |
PKCS8_KEY | Boolean | false | Whether to generate PKCS#8 private keys |
PLUGINS | String |
| |
POD_NAME | String |
| |
POD_NAMESPACE | String |
| |
SDS_ENABLED | Boolean | false | |
SDS_UDS_PATH | String | unix:/var/run/sds/uds_path | SDS address |
SECRET_GRACE_DURATION | Time Duration | 12h0m0s | |
SECRET_JOB_RUN_INTERVAL | Time Duration | 10m0s | |
SECRET_TTL | Time Duration | 24h0m0s | |
SECRET_WATCHER_RESYNC_PERIOD | String |
| |
STACKDRIVER_TRACING_DEBUG | Boolean | false | If set to true, enables trace output to stdout |
STACKDRIVER_TRACING_ENABLED | Boolean | false | If enabled, stackdriver will get configured as the tracer. |
STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS | Integer | 200 | Sets the max number of annotations for stackdriver |
STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES | Integer | 200 | Sets the max number of attributes for stackdriver |
STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS | Integer | 200 | Sets the max number of message events for stackdriver |
STALED_CONNECTION_RECYCLE_RUN_INTERVAL | Time Duration | 5m0s | |
TERMINATION_DRAIN_DURATION_SECONDS | Integer | 5 | The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes. |
TRUST_DOMAIN | String |
| |
USE_ISTIO_JWT_FILTER | Boolean | false | Use the Istio JWT filter for JWT token verification. |
Exported metrics
Metric Name | Type | Description |
---|---|---|
endpoint_no_pod | LastValue | Endpoints without an associated pod. |
istio_build | LastValue | Istio component build info |
num_failed_outgoing_requests | Sum | Number of failed outgoing requests (e.g. to a token exchange server, CA, etc.) |
num_outgoing_requests | Sum | Number of total outgoing requests (e.g. to a token exchange server, CA, etc.) |
num_outgoing_retries | Sum | Number of outgoing retry requests (e.g. to a token exchange server, CA, etc.) |
outgoing_latency | Sum | The latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds. |
pilot_conflict_inbound_listener | LastValue | Number of conflicting inbound listeners. |
pilot_conflict_outbound_listener_http_over_current_tcp | LastValue | Number of conflicting wildcard http listeners with current wildcard tcp listener. |
pilot_conflict_outbound_listener_http_over_https | LastValue | Number of conflicting HTTP listeners with well known HTTPS ports |
pilot_conflict_outbound_listener_tcp_over_current_http | LastValue | Number of conflicting wildcard tcp listeners with current wildcard http listener. |
pilot_conflict_outbound_listener_tcp_over_current_tcp | LastValue | Number of conflicting tcp listeners with current tcp listener. |
pilot_destrule_subsets | LastValue | Duplicate subsets across destination rules for same host |
pilot_duplicate_envoy_clusters | LastValue | Duplicate envoy clusters caused by service entries with same hostname |
pilot_eds_no_instances | LastValue | Number of clusters without instances. |
pilot_endpoint_not_ready | LastValue | Endpoint found in unready state. |
pilot_jwks_resolver_network_fetch_fail_total | Sum | Total number of failed network fetch by pilot jwks resolver |
pilot_jwks_resolver_network_fetch_success_total | Sum | Total number of successfully network fetch by pilot jwks resolver |
pilot_no_ip | LastValue | Pods not found in the endpoint table, possibly invalid. |
pilot_total_rejected_configs | Sum | Total number of configs that Pilot had to reject or ignore. |
pilot_virt_services | LastValue | Total virtual services known to pilot. |
pilot_vservice_dup_domain | LastValue | Virtual services with dup domains. |
total_active_connections | Sum | The total number of active SDS connections. |
total_push_errors | Sum | The total number of failed SDS pushes. |
total_pushes | Sum | The total number of SDS pushes. |
total_secret_update_failures | Sum | The total number of dynamic secret update failures reported by proxy. |
total_stale_connections | Sum | The total number of stale SDS connections. |