diff --git a/.github/workflows/kserve_cni_test.yaml b/.github/workflows/kserve_cni_test.yaml
index 3ac21b91d5..013339ebb8 100644
--- a/.github/workflows/kserve_cni_test.yaml
+++ b/.github/workflows/kserve_cni_test.yaml
@@ -6,7 +6,7 @@ on: - tests/gh-actions/kind-cluster.yaml - tests/gh-actions/install_kind.sh - tests/gh-actions/install_kustomize.sh - - common/istio-cni-1-17/** + - common/istio-cni-1-18/** - tests/gh-actions/install_cert_manager.sh - common/cert-manager/** - tests/gh-actions/install_knative-cni.sh
diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml
index fc8f380388..b46a1cf025 100644
--- a/.github/workflows/notebook_controller_m2m_test.yaml
+++ b/.github/workflows/notebook_controller_m2m_test.yaml
@@ -38,7 +38,7 @@ jobs: run: ./tests/gh-actions/install_istio_with_ext_auth.sh* - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-17/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-1-18/kubeflow-istio-resources/base | kubectl apply -f - - name: Install KF Multi Tenancy run: ./tests/gh-actions/install_multi_tenancy.sh
diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml
index f464378645..af7f8bc760 100644
--- a/.github/workflows/pipeline_test.yaml
+++ b/.github/workflows/pipeline_test.yaml
@@ -49,7 +49,7 @@ jobs: run: ./tests/gh-actions/install_multi_tenancy.sh - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-17/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-1-18/kubeflow-istio-resources/base | kubectl apply -f - - name: Create KF Profile run: kustomize build common/user-namespace/base | kubectl apply -f -
diff --git a/README.md b/README.md
index 19c5f3912e..e79d70f12d 100644
--- a/README.md
+++ b/README.md
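Review bot: The `paths` filter in the kserve_cni_test.yaml hunk now lists `common/istio-cni-1-18/**`, but this diff only shows `common/istio-1-17` being renamed to `common/istio-1-18`; no rename of `common/istio-cni-1-17` is visible. If that directory is not renamed elsewhere in the commit, the filter matches nothing and the KServe CNI workflow silently stops running on changes to the CNI manifests, a regression that is invisible because the job never starts rather than failing. Either rename the CNI directory in the same commit or keep `- common/istio-cni-1-17/**` until it exists. The `on:` block this filter belongs to continues outside the hunk.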
@@ -65,7 +65,7 @@ used from the different projects of Kubeflow: | Component | Local Manifests Path | Upstream Revision | | - | - | - | -| Istio | common/istio-1-17 | [1.17.3](https://github.com/istio/istio/releases/tag/1.17.3) | +| Istio | common/istio-1-18 | [1.18.7](https://github.com/istio/istio/releases/tag/1.18.7) | | Knative | common/knative/knative-serving
common/knative/knative-eventing | [v1.12.4](https://github.com/knative/serving/releases/tag/knative-v1.12.4)
[v1.12.6](https://github.com/knative/eventing/releases/tag/knative-v1.12.6) | | Cert Manager | common/cert-manager | [1.14.5](https://github.com/cert-manager/cert-manager/releases/tag/v1.12.2) |
@@ -209,10 +209,10 @@ Install Istio: ```sh echo "Installing Istio configured with external authorization..." -cd common/istio-1-17 -kustomize build common/istio-1-17/istio-crds/base | kubectl apply -f - -kustomize build common/istio-1-17/istio-namespace/base | kubectl apply -f - -kustomize build common/istio-1-17/istio-install/overlays/oauth2-proxy | kubectl apply -f - +cd common/istio-1-18 +kustomize build common/istio-1-18/istio-crds/base | kubectl apply -f - +kustomize build common/istio-1-18/istio-namespace/base | kubectl apply -f - +kustomize build common/istio-1-18/istio-install/overlays/oauth2-proxy | kubectl apply -f - echo "Waiting for all Istio Pods to become ready..." kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s
@@ -248,7 +248,7 @@ Install Knative Serving: ```sh kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f - -kustomize build common/istio-1-17/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-1-18/cluster-local-gateway/base | kubectl apply -f - ``` Optionally, you can install Knative Eventing which can be used for inference request logging:
diff --git a/common/istio-1-17/README.md b/common/istio-1-18/README.md similarity index 100% rename from common/istio-1-17/README.md rename to common/istio-1-18/README.md
diff --git a/common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml similarity index 97% rename from common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml rename to common/istio-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml
index 20ecc30f15..1134c395c1 100644
--- a/common/istio-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml
+++ b/common/istio-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml
@@ -35,6 +35,7 @@ spec: template: metadata: annotations: + istio.io/rev: default prometheus.io/path: /stats/prometheus prometheus.io/port: '15020' prometheus.io/scrape: 'true'
@@ -99,6 +100,10 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: SERVICE_ACCOUNT valueFrom: fieldRef:
@@ -120,7 +125,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.17.5 + image: docker.io/istio/proxyv2:1.18.7 name: istio-proxy ports: - containerPort: 15020
diff --git a/common/istio-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-1-18/cluster-local-gateway/base/gateway-authorizationpolicy.yaml similarity index 100% rename from common/istio-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml rename to common/istio-1-18/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
diff --git a/common/istio-1-17/cluster-local-gateway/base/gateway.yaml b/common/istio-1-18/cluster-local-gateway/base/gateway.yaml similarity index 100% rename from common/istio-1-17/cluster-local-gateway/base/gateway.yaml rename to common/istio-1-18/cluster-local-gateway/base/gateway.yaml
diff --git a/common/istio-1-17/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-18/cluster-local-gateway/base/kustomization.yaml similarity index 100% rename from common/istio-1-17/cluster-local-gateway/base/kustomization.yaml rename to common/istio-1-18/cluster-local-gateway/base/kustomization.yaml
diff --git a/common/istio-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-1-18/cluster-local-gateway/base/patches/remove-pdb.yaml similarity index 100% rename from common/istio-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml rename to common/istio-1-18/cluster-local-gateway/base/patches/remove-pdb.yaml
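Review bot: The bumped `image: docker.io/istio/proxyv2:1.18.7` in the `@@ -120,7 +125,7 @@` hunk is still a mutable tag, so what the cluster-local-gateway Deployment pulls can change upstream without any change to this manifest. Pinning by digest, `image: docker.io/istio/proxyv2:1.18.7@sha256:<digest of the 1.18.7 proxyv2 image>`, makes the rollout reproducible and turns a rebuilt image into a reviewable diff, at the cost of updating the digest alongside the `"tag": "1.18.7"` value in istio-install/base/install.yaml. If the repo deliberately tracks upstream tags so the gateway stays in step with that values entry, a sentence saying so in common/istio-1-18/README.md would save the next reviewer the question. The container spec this line belongs to starts before the first hunk.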
diff --git a/common/istio-1-17/istio-crds/base/crd.yaml b/common/istio-1-18/istio-crds/base/crd.yaml similarity index 100% rename from common/istio-1-17/istio-crds/base/crd.yaml rename to common/istio-1-18/istio-crds/base/crd.yaml
diff --git a/common/istio-1-17/istio-crds/base/kustomization.yaml b/common/istio-1-18/istio-crds/base/kustomization.yaml similarity index 100% rename from common/istio-1-17/istio-crds/base/kustomization.yaml rename to common/istio-1-18/istio-crds/base/kustomization.yaml
diff --git a/common/istio-1-17/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-1-18/istio-install/base/deny_all_authorizationpolicy.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/deny_all_authorizationpolicy.yaml rename to common/istio-1-18/istio-install/base/deny_all_authorizationpolicy.yaml
diff --git a/common/istio-1-17/istio-install/base/gateway.yaml b/common/istio-1-18/istio-install/base/gateway.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/gateway.yaml rename to common/istio-1-18/istio-install/base/gateway.yaml
diff --git a/common/istio-1-17/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-1-18/istio-install/base/gateway_authorizationpolicy.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/gateway_authorizationpolicy.yaml rename to common/istio-1-18/istio-install/base/gateway_authorizationpolicy.yaml
diff --git a/common/istio-1-17/istio-install/base/install.yaml b/common/istio-1-18/istio-install/base/install.yaml similarity index 74% rename from common/istio-1-17/istio-install/base/install.yaml rename to common/istio-1-18/istio-install/base/install.yaml
index 33113c1620..f038f35845 100644
--- a/common/istio-1-17/istio-install/base/install.yaml
+++ b/common/istio-1-18/istio-install/base/install.yaml
@@ -187,18 +187,6 @@ rules: verbs: [create, get, list, watch, update] # Istiod and bootstrap. -- apiGroups: [certificates.k8s.io] - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: [update, create, get, delete, watch] -- apiGroups: [certificates.k8s.io] - resources: - - signers - resourceNames: - - kubernetes.io/legacy-unknown - verbs: [approve] # Used by Istiod to verify the JWT tokens - apiGroups: [authentication.k8s.io] 
@@ -487,1024 +475,6 @@ webhooks: values: - default --- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.13 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: 
envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.14 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - 
config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.15 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - 
runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.16 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - 
name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": 
"false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.17 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {disable_host_header_fallback: true} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {disable_host_header_fallback: true} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.13 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - 
match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: 
envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.14 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: 
type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.15 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: 
NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.16 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - 
root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.17 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - 
proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} ---- apiVersion: v1 kind: ConfigMap metadata:
@@ -1528,6 +498,9 @@ data: tracing: zipkin: address: zipkin.istio-system:9411 + defaultProviders: + metrics: + - prometheus enablePrometheusMerge: true rootNamespace: istio-system tcpKeepalive:
@@ -1602,7 +575,6 @@ data: "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", - "holdApplicationUntilProxyStarts": false, "image": "proxyv2", "includeIPRanges": "*", "includeInboundPorts": "*",
@@ -1626,17 +598,7 @@ data: "tracer": "zipkin" }, "proxy_init": { - "image": "proxyv2", - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } - } + "image": "proxyv2" }, "remotePilotAddress": "", "sds": {
@@ -1647,24 +609,12 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.17.5", + "tag": "1.18.7", "tracer": { - "datadog": { - "address": "$(HOST_IP):8126" - }, - "lightstep": { - "accessToken": "", - "address": "" - }, - "stackdriver": { - "debug": false, - "maxNumberOfAnnotations": 200, - "maxNumberOfAttributes": 200, - "maxNumberOfMessageEvents": 200 - }, - "zipkin": { - "address": "" - } + "datadog": {}, + "lightstep": {}, + "stackdriver": {}, + "zipkin": {} }, "useMCP": false, "variant": ""
@@ -1738,6 +688,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", @@ -1784,7 +735,7 @@ data: - "-p" - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - "-z" - - "15006" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - "-u" - "1337" - "-m" @@ -1911,10 +862,6 @@ data: {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} - {{- if gt .EstimatedConcurrency 0 }} - - --concurrency - - "{{ .EstimatedConcurrency }}" - {{- end -}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} @@ -1961,6 +908,10 @@ data: valueFrom: fieldRef: fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} 
@@ -2220,8 +1171,8 @@ data: labels: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - istio.io/rev: {{ index .ObjectMeta.Labels `istio.io/rev` | default .Revision | default "default" | quote }} annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", @@ -2288,6 +1239,10 @@ data: valueFrom: fieldRef: fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} @@ -2548,6 +1503,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { + istio.io/rev: {{ .Revision | default "default" }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 
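Review bot: The `@@ -2548,6 +1503,7 @@` hunk adds `istio.io/rev: {{ .Revision | default "default" }},` inside the flow-style `annotations: {` block without `| quote`, whereas the same annotation added by `@@ -1738,6 +688,7 @@` and `@@ -2220,8 +1171,8 @@` is piped through `quote`. A revision name that YAML parses as a non-string (for example one that looks like a number) would then load as a string annotation in the sidecar templates but fail in this one; the consistent line is `istio.io/rev: {{ .Revision | default "default" | quote }},`. If this text is copied verbatim from `istioctl` output, the fix belongs upstream or in a kustomize patch rather than a hand edit of the generated file. Note also that `@@ -2220` replaces a label that honoured an existing `istio.io/rev` pod label with an annotation that ignores it, which is worth confirming against anything in this repo that selected on that label.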
@@ -2833,6 +1789,558 @@ data: securityContext: fsGroup: 1337 {{- end }} + waypoint: | + apiVersion: v1 + kind: ServiceAccount + metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap .Labels | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + spec: + selector: + matchLabels: + istio.io/gateway-name: "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "ambient.istio.io/redirection" "disabled" + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .Labels + (strdict + "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - 
--proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - 
name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + image: {{.ProxyImage}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + name: istio-proxy + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: true + runAsGroup: 1337 + runAsUser: 0 + capabilities: + add: + - NET_ADMIN + - NET_RAW + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + --- + apiVersion: v1 + kind: Service + metadata: + annotations: + {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{ toJsonMap .Labels | nindent 4}} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + spec: + ports: + - name: https-hbone + port: 15008 + protocol: TCP + appProtocol: https + selector: + istio.io/gateway-name: "{{.Name}}" + --- + kube-gateway: | + apiVersion: v1 + kind: ServiceAccount + metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap .Labels | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" + spec: + selector: + matchLabels: + istio.io/gateway-name: {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + 
"service.istio.io/canonical-revision" "latest" + ) + .Labels + (strdict "istio.io/gateway-name" .Name) | nindent 8}} + spec: + {{- if .KubeVersion122 }} + {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + image: "{{ .ProxyImage }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + {{- if .KubeVersion122 }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + {{- else }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 0 + runAsGroup: 1337 + runAsNonRoot: false + allowPrivilegeEscalation: true + readOnlyRootFilesystem: true + {{- end }} + ports: + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: 
{{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: 
TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .Labels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: 
istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + --- + apiVersion: v1 + kind: Service + metadata: + annotations: + {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{ toJsonMap .Labels | nindent 4}} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} + spec: + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + istio.io/gateway-name: {{.Name}} + {{- if .Spec.Addresses }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ index .Annotations "networking.istio.io/service-type" | default "LoadBalancer" | quote }} + --- --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration 
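Review bot: The new `waypoint` template runs `istio-proxy` with `privileged: true`, `runAsUser: 0` and added `NET_ADMIN`/`NET_RAW`, and the `kube-gateway` template falls back to `runAsUser: 0` with `allowPrivilegeEscalation: true` whenever `.KubeVersion122` is false; neither elevated path is mentioned anywhere in the commit. Judging by the `ownerReferences` pointing at a `gateway.networking.k8s.io/v1beta1` Gateway, these pods are only created when a Gateway API resource is instantiated, but a namespace enforcing Pod Security `baseline` or `restricted` will reject them, so the renamed `common/istio-cni-1-18/README.md` should state this and whether waypoint/ambient is in scope for Kubeflow. If it is not, a kustomize patch removing the `waypoint` key from this ConfigMap would prevent the privileged template from ever being rendered. Minor inconsistency in the new text: the `kube-gateway` Service writes `uid: {{.UID}}` unquoted while the `waypoint` Service writes `uid: "{{.UID}}"`.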
@@ -2998,6 +2506,7 @@ spec: operator.istio.io/component: IngressGateways sidecar.istio.io/inject: 'false' annotations: + istio.io/rev: default prometheus.io/port: '15020' prometheus.io/scrape: 'true' prometheus.io/path: /stats/prometheus @@ -3011,7 +2520,7 @@ spec: serviceAccountName: istio-ingressgateway-service-account containers: - name: istio-proxy - image: docker.io/istio/proxyv2:1.17.5 + image: docker.io/istio/proxyv2:1.18.7 ports: - containerPort: 15021 protocol: TCP @@ -3086,6 +2595,10 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: SERVICE_ACCOUNT valueFrom: fieldRef: @@ -3212,6 +2725,7 @@ spec: annotations: prometheus.io/port: '15014' prometheus.io/scrape: 'true' + ambient.istio.io/redirection: disabled sidecar.istio.io/inject: 'false' spec: serviceAccountName: istiod @@ -3219,7 +2733,7 @@ spec: fsGroup: 1337 containers: - name: discovery - image: docker.io/istio/pilot:1.17.5 + image: docker.io/istio/pilot:1.18.7 args: - discovery - --monitoringAddr=:15014 @@ -3278,6 +2792,10 @@ spec: value: 'false' - name: CLUSTER_ID value: Kubernetes + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory resources: requests: cpu: 500m @@ -3416,6 +2934,10 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [delete] + +- apiGroups: [coordination.k8s.io] + resources: [leases] + verbs: [get, update, patch, create] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/common/istio-1-17/istio-install/base/kustomization.yaml b/common/istio-1-18/istio-install/base/kustomization.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/kustomization.yaml rename to common/istio-1-18/istio-install/base/kustomization.yaml 
diff --git a/common/istio-1-17/istio-install/base/patches/disable-debugging.yaml b/common/istio-1-18/istio-install/base/patches/disable-debugging.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/patches/disable-debugging.yaml rename to common/istio-1-18/istio-install/base/patches/disable-debugging.yaml diff --git a/common/istio-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-1-18/istio-install/base/patches/istio-configmap-disable-tracing.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml rename to common/istio-1-18/istio-install/base/patches/istio-configmap-disable-tracing.yaml diff --git a/common/istio-1-17/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-1-18/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml rename to common/istio-1-18/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml diff --git a/common/istio-1-17/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-1-18/istio-install/base/patches/istiod-remove-pdb.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/patches/istiod-remove-pdb.yaml rename to common/istio-1-18/istio-install/base/patches/istiod-remove-pdb.yaml diff --git a/common/istio-1-17/istio-install/base/patches/service.yaml b/common/istio-1-18/istio-install/base/patches/service.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/patches/service.yaml rename to common/istio-1-18/istio-install/base/patches/service.yaml 
diff --git a/common/istio-1-17/istio-install/base/x-forwarded-host.yaml b/common/istio-1-18/istio-install/base/x-forwarded-host.yaml similarity index 100% rename from common/istio-1-17/istio-install/base/x-forwarded-host.yaml rename to common/istio-1-18/istio-install/base/x-forwarded-host.yaml diff --git a/common/istio-1-17/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-1-18/istio-install/overlays/oauth2-proxy/kustomization.yaml similarity index 100% rename from common/istio-1-17/istio-install/overlays/oauth2-proxy/kustomization.yaml rename to common/istio-1-18/istio-install/overlays/oauth2-proxy/kustomization.yaml diff --git a/common/istio-1-17/istio-namespace/base/kustomization.yaml b/common/istio-1-18/istio-namespace/base/kustomization.yaml similarity index 100% rename from common/istio-1-17/istio-namespace/base/kustomization.yaml rename to common/istio-1-18/istio-namespace/base/kustomization.yaml diff --git a/common/istio-1-17/istio-namespace/base/namespace.yaml b/common/istio-1-18/istio-namespace/base/namespace.yaml similarity index 100% rename from common/istio-1-17/istio-namespace/base/namespace.yaml rename to common/istio-1-18/istio-namespace/base/namespace.yaml diff --git a/common/istio-1-17/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-1-18/kubeflow-istio-resources/base/cluster-roles.yaml similarity index 100% rename from common/istio-1-17/kubeflow-istio-resources/base/cluster-roles.yaml rename to common/istio-1-18/kubeflow-istio-resources/base/cluster-roles.yaml diff --git a/common/istio-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-1-18/kubeflow-istio-resources/base/kf-istio-resources.yaml similarity index 100% rename from common/istio-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml rename to common/istio-1-18/kubeflow-istio-resources/base/kf-istio-resources.yaml 
diff --git a/common/istio-1-17/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-1-18/kubeflow-istio-resources/base/kustomization.yaml similarity index 100% rename from common/istio-1-17/kubeflow-istio-resources/base/kustomization.yaml rename to common/istio-1-18/kubeflow-istio-resources/base/kustomization.yaml diff --git a/common/istio-1-17/profile-overlay.yaml b/common/istio-1-18/profile-overlay.yaml similarity index 100% rename from common/istio-1-17/profile-overlay.yaml rename to common/istio-1-18/profile-overlay.yaml diff --git a/common/istio-cni-1-17/profile.yaml b/common/istio-1-18/profile.yaml similarity index 95% rename from common/istio-cni-1-17/profile.yaml rename to common/istio-1-18/profile.yaml index 9621a5596c..3048418468 100644 --- a/common/istio-cni-1-17/profile.yaml +++ b/common/istio-1-18/profile.yaml @@ -22,7 +22,7 @@ spec: proxyMetadata: {} enablePrometheusMerge: true profile: default - tag: 1.17.5 + tag: 1.18.7 values: base: enableCRDTemplates: false @@ -107,13 +107,6 @@ spec: tracer: zipkin proxy_init: image: proxyv2 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 10m - memory: 10Mi sds: token: aud: istio-ca diff --git a/common/istio-1-17/split-istio-packages b/common/istio-1-18/split-istio-packages similarity index 100% rename from common/istio-1-17/split-istio-packages rename to common/istio-1-18/split-istio-packages diff --git a/common/istio-cni-1-17/README.md b/common/istio-cni-1-18/README.md similarity index 100% rename from common/istio-cni-1-17/README.md rename to common/istio-cni-1-18/README.md diff --git a/common/istio-cni-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-cni-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml similarity index 97% rename from common/istio-cni-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml rename to common/istio-cni-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml index 20ecc30f15..1134c395c1 100644 
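Review bot: The `profile.yaml` hunk `@@ -107,13 +107,6 @@` removes the `proxy_init` limits and requests with only a tag bump alongside it, so the profile no longer documents what bounds the init container gets. If the upstream 1.18 behaviour of reusing the `istio-proxy` resources for istio-init is what is relied on here, a comment such as `# istio-init reuses the istio-proxy resources since 1.18` above `proxy_init:` would make that explicit; otherwise the limits should be restored. The `profile.yaml` rename from `common/istio-cni-1-17/` into `common/istio-1-18/` (non-CNI) is worth a second look, since the rest of the CNI tree moves to `common/istio-cni-1-18/`.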
--- a/common/istio-cni-1-17/cluster-local-gateway/base/cluster-local-gateway.yaml +++ b/common/istio-cni-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml @@ -35,6 +35,7 @@ spec: template: metadata: annotations: + istio.io/rev: default prometheus.io/path: /stats/prometheus prometheus.io/port: '15020' prometheus.io/scrape: 'true' @@ -99,6 +100,10 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: SERVICE_ACCOUNT valueFrom: fieldRef: @@ -120,7 +125,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.17.5 + image: docker.io/istio/proxyv2:1.18.7 name: istio-proxy ports: - containerPort: 15020 diff --git a/common/istio-cni-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-cni-1-18/cluster-local-gateway/base/gateway-authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-17/cluster-local-gateway/base/gateway-authorizationpolicy.yaml rename to common/istio-cni-1-18/cluster-local-gateway/base/gateway-authorizationpolicy.yaml diff --git a/common/istio-cni-1-17/cluster-local-gateway/base/gateway.yaml b/common/istio-cni-1-18/cluster-local-gateway/base/gateway.yaml similarity index 100% rename from common/istio-cni-1-17/cluster-local-gateway/base/gateway.yaml rename to common/istio-cni-1-18/cluster-local-gateway/base/gateway.yaml diff --git a/common/istio-cni-1-17/cluster-local-gateway/base/kustomization.yaml b/common/istio-cni-1-18/cluster-local-gateway/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-17/cluster-local-gateway/base/kustomization.yaml rename to common/istio-cni-1-18/cluster-local-gateway/base/kustomization.yaml 
diff --git a/common/istio-cni-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-cni-1-18/cluster-local-gateway/base/patches/remove-pdb.yaml similarity index 100% rename from common/istio-cni-1-17/cluster-local-gateway/base/patches/remove-pdb.yaml rename to common/istio-cni-1-18/cluster-local-gateway/base/patches/remove-pdb.yaml diff --git a/common/istio-cni-1-17/istio-crds/base/crd.yaml b/common/istio-cni-1-18/istio-crds/base/crd.yaml similarity index 100% rename from common/istio-cni-1-17/istio-crds/base/crd.yaml rename to common/istio-cni-1-18/istio-crds/base/crd.yaml diff --git a/common/istio-cni-1-17/istio-crds/base/kustomization.yaml b/common/istio-cni-1-18/istio-crds/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-17/istio-crds/base/kustomization.yaml rename to common/istio-cni-1-18/istio-crds/base/kustomization.yaml diff --git a/common/istio-cni-1-17/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-cni-1-18/istio-install/base/deny_all_authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-17/istio-install/base/deny_all_authorizationpolicy.yaml rename to common/istio-cni-1-18/istio-install/base/deny_all_authorizationpolicy.yaml diff --git a/common/istio-cni-1-17/istio-install/base/gateway.yaml b/common/istio-cni-1-18/istio-install/base/gateway.yaml similarity index 100% rename from common/istio-cni-1-17/istio-install/base/gateway.yaml rename to common/istio-cni-1-18/istio-install/base/gateway.yaml diff --git a/common/istio-cni-1-17/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-cni-1-18/istio-install/base/gateway_authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-17/istio-install/base/gateway_authorizationpolicy.yaml rename to common/istio-cni-1-18/istio-install/base/gateway_authorizationpolicy.yaml 
diff --git a/common/istio-cni-1-17/istio-install/base/install.yaml b/common/istio-cni-1-18/istio-install/base/install.yaml similarity index 75% rename from common/istio-cni-1-17/istio-install/base/install.yaml rename to common/istio-cni-1-18/istio-install/base/install.yaml index c5fe6e1ade..0352653ec5 100644 --- a/common/istio-cni-1-17/istio-install/base/install.yaml +++ b/common/istio-cni-1-18/istio-install/base/install.yaml @@ -62,11 +62,8 @@ metadata: operator.istio.io/component: Cni rules: - apiGroups: [''] - resources: - - pods - - nodes - verbs: - - get + resources: [pods, nodes, namespaces] + verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -81,10 +78,10 @@ metadata: rules: - apiGroups: [''] resources: [pods] - verbs: [get, list, watch, delete, patch, update] + verbs: [watch, get, list] - apiGroups: [''] - resources: [events] - verbs: [get, list, watch, delete, patch, update, create] + resources: [pods] + verbs: [delete] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -235,18 +232,6 @@ rules: verbs: [create, get, list, watch, update] # Istiod and bootstrap. -- apiGroups: [certificates.k8s.io] - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: [update, create, get, delete, watch] -- apiGroups: [certificates.k8s.io] - resources: - - signers - resourceNames: - - kubernetes.io/legacy-unknown - verbs: [approve] # Used by Istiod to verify the JWT tokens - apiGroups: [authentication.k8s.io] 
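Review bot: The first hunk widens the `Cni` ClusterRole from `get` on pods and nodes to cluster-wide `get, list, watch` on pods, nodes and `namespaces`, and the second hunk keeps a separate cluster-wide `delete` on pods (presumably the CNI repair role, its name is outside the hunk) while dropping the `events` rule; nothing on the page records why a per-node DaemonSet needs to delete arbitrary pods. A compromised node agent inherits that right, so consider a kustomize patch, as the repo already does under `istio-install/base/patches/` for the non-CNI install, that strips the `delete` rule unless the CNI repair feature is configured to delete pods (`cni.repair.deletePods` upstream, if memory serves), plus a comment such as `# pods/delete is used only by the CNI repair controller in delete-pods mode`. If the repair path still emits Kubernetes Events in 1.18, removing the `events` verbs will turn those writes into RBAC denials, which is worth confirming. The third hunk's removal of the `certificatesigningrequests` and `signers` rules is a welcome reduction of istiod's privileges and needs no change.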
@@ -572,1024 +557,6 @@ webhooks: values: - default --- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.13 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: 
envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.14 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - 
config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.15 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - 
runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.16 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - 
name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": 
"false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.17 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {disable_host_header_fallback: true} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {disable_host_header_fallback: true} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.13 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - 
match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.13.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: 
envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.14 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.14.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: 
type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.15 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: 
NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.15.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.16 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - 
root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: ^1\.16.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - '@type': type.googleapis.com/google.protobuf.StringValue - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.17 - namespace: istio-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - 
proxy: - proxyVersion: ^1\.17.* - listener: - filterChain: - filter: - name: envoy.filters.network.tcp_proxy - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - '@type': type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: {} ---- apiVersion: v1 kind: ConfigMap metadata: @@ -1613,6 +580,9 @@ data: tracing: zipkin: address: zipkin.istio-system:9411 + defaultProviders: + metrics: + - prometheus enablePrometheusMerge: true rootNamespace: istio-system tcpKeepalive: @@ -1641,7 +611,8 @@ data: "name": "istio-cni", "type": "istio-cni", "log_level": "debug", - "log_uds_address": "__LOG_UDS_ADDRESS__", + "log_uds_address": "__LOG_UDS_ADDRESS__", + "kubernetes": { "kubeconfig": "__KUBECONFIG_FILEPATH__", "cni_bin_dir": "/opt/cni/bin", @@ -1715,7 +686,6 @@ data: "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", - "holdApplicationUntilProxyStarts": false, "image": "proxyv2", "includeIPRanges": "*", "includeInboundPorts": "*", @@ -1739,17 +709,7 @@ data: "tracer": "zipkin" }, "proxy_init": { - "image": "proxyv2", - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } - } + "image": "proxyv2" }, "remotePilotAddress": "", "sds": { @@ -1760,24 +720,12 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.17.5", + "tag": "1.18.7", "tracer": { - "datadog": { - "address": "$(HOST_IP):8126" - }, - "lightstep": { - "accessToken": "", - "address": "" - }, - "stackdriver": { - "debug": false, - "maxNumberOfAnnotations": 200, - "maxNumberOfAttributes": 200, - "maxNumberOfMessageEvents": 200 - }, - "zipkin": { - "address": "" - } + "datadog": {}, + "lightstep": {}, + "stackdriver": {}, + "zipkin": {} }, "useMCP": false, "variant": "" 
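Review bot: The new `defaultProviders.metrics: [prometheus]` entry (`@@ -1613,6 +580,9 @@`) appears to be what takes over from the per-version `stats-filter-*` and `tcp-stats-filter-*` EnvoyFilters deleted earlier in this file, and that dependency is not recorded anywhere. A comment on the new lines would keep a later upgrade from re-adding filters, e.g. `# metrics come from the prometheus extension provider (replaces the stats-filter EnvoyFilters)`. Anything else in the repo that ships a Telemetry resource or its own stats EnvoyFilter for 1.17 should be checked against this, since it would now configure metrics twice.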
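Review bot: `proxy_init` now carries only `"image": "proxyv2"` (`@@ -1739,17 +709,7 @@`); the explicit requests and limits for the init container are gone, so unless 1.18 derives them from elsewhere, injected pods in a namespace with a LimitRange or ResourceQuota will inherit namespace defaults or be rejected. The upstream 1.18 notes suggest the init container now follows the sidecar's `global.proxy.resources`, but that is inferred, not visible here. Since this block is JSON embedded in a ConfigMap and cannot hold a comment, record which behaviour applies in the README's Istio row or the commit description, and verify it once on a namespace that enforces quotas.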
@@ -1851,6 +799,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", @@ -1897,7 +846,7 @@ data: - "-p" - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - "-z" - - "15006" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - "-u" - "1337" - "-m" @@ -2024,10 +973,6 @@ data: {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} - {{- if gt .EstimatedConcurrency 0 }} - - --concurrency - - "{{ .EstimatedConcurrency }}" - {{- end -}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} @@ -2074,6 +1019,10 @@ data: valueFrom: fieldRef: fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} 
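Review bot: `ISTIO_CPU_LIMIT` is populated from `resourceFieldRef: limits.cpu` (`@@ -2074,6 +1019,10 @@`), and the downward API substitutes the node's allocatable CPU when the container declares no CPU limit; together with the `--concurrency` flag removed in the preceding hunk, a sidecar without a limit will presumably size its worker threads from the whole node. That is upstream's default, but it changes behaviour for any workload in this repo that relied on `EstimatedConcurrency`, so a comment on the new env entry would help, e.g. `# drives proxy concurrency; equals node allocatable CPU when no limits.cpu is set`. The same block is added again in the `@@ -2401` hunk on the next line.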
@@ -2333,8 +1282,8 @@ data: labels: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - istio.io/rev: {{ index .ObjectMeta.Labels `istio.io/rev` | default .Revision | default "default" | quote }} annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", @@ -2401,6 +1350,10 @@ data: valueFrom: fieldRef: fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} @@ -2661,6 +1614,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { + istio.io/rev: {{ .Revision | default "default" }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", 
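Review bot: The `istio.io/rev` annotation added in `@@ -2661,6 +1614,7 @@` is `{{ .Revision | default "default" }},` without `| quote`, whereas the same annotation in the `@@ -1851` and `@@ -2333` hunks is written with `| quote`. Inside the flow-style `annotations: {` mapping an unquoted value is still parsed as a YAML scalar, so a revision that looks like a number or boolean would likely not be emitted as a string and the injected pod would be rejected at admission; `istio.io/rev: {{ .Revision | default "default" | quote }},` matches the other two templates. If the unquoted form is verbatim upstream 1.18.7 output, say so in the commit description so the inconsistency is not silently "fixed" by the next re-vendor.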
@@ -2946,6 +1900,558 @@ data: securityContext: fsGroup: 1337 {{- end }} + waypoint: | + apiVersion: v1 + kind: ServiceAccount + metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap .Labels | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + spec: + selector: + matchLabels: + istio.io/gateway-name: "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "ambient.istio.io/redirection" "disabled" + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .Labels + (strdict + "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - 
--proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - 
name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + image: {{.ProxyImage}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + name: istio-proxy + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: true + runAsGroup: 1337 + runAsUser: 0 + capabilities: + add: + - NET_ADMIN + - NET_RAW + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + --- + apiVersion: v1 + kind: Service + metadata: + annotations: + {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{ toJsonMap .Labels | nindent 4}} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + spec: + ports: + - name: https-hbone + port: 15008 + protocol: TCP + appProtocol: https + selector: + istio.io/gateway-name: "{{.Name}}" + --- + kube-gateway: | + apiVersion: v1 + kind: ServiceAccount + metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap .Labels | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" + spec: + selector: + matchLabels: + istio.io/gateway-name: {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + 
"service.istio.io/canonical-revision" "latest" + ) + .Labels + (strdict "istio.io/gateway-name" .Name) | nindent 8}} + spec: + {{- if .KubeVersion122 }} + {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + image: "{{ .ProxyImage }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + {{- if .KubeVersion122 }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + {{- else }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 0 + runAsGroup: 1337 + runAsNonRoot: false + allowPrivilegeEscalation: true + readOnlyRootFilesystem: true + {{- end }} + ports: + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: 
{{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: 
TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .Labels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: 
istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + --- + apiVersion: v1 + kind: Service + metadata: + annotations: + {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{ toJsonMap .Labels | nindent 4}} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} + spec: + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + istio.io/gateway-name: {{.Name}} + {{- if .Spec.Addresses }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ index .Annotations "networking.istio.io/service-type" | default "LoadBalancer" | quote }} + --- --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration 
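Review bot: The new `waypoint` template renders a Deployment with `privileged: true`, `runAsUser: 0` and `NET_ADMIN`/`NET_RAW`, and the new `kube-gateway` template defaults its Service to `type: LoadBalancer`; both carry `ownerReferences` to a `gateway.networking.k8s.io/v1beta1` Gateway, so istiod presumably stamps them out for any Gateway of the matching class in any namespace. In a multi-tenant Kubeflow cluster that makes `create` on Gateways in a profile namespace roughly equivalent to launching a privileged root pod or an Internet-facing load balancer; whether that is reachable depends on the Gateway API CRDs being installed and on what the aggregated profile roles grant, neither of which is visible here. If waypoints and user-created gateways are not part of the Kubeflow design, pin that down explicitly: keep the Gateway API CRDs out of the default install or enforce Pod Security Admission `restricted` on profile namespaces, and record the decision in a comment next to the existing `patches/disable-debugging.yaml`. The template text itself is upstream-generated and should not be hand-edited; any mitigation belongs in the kustomize overlay.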
@@ -3101,6 +2607,7 @@ spec: sidecar.istio.io/inject: 'false' annotations: sidecar.istio.io/inject: 'false' + ambient.istio.io/redirection: disabled # Add Prometheus Scrape annotations prometheus.io/scrape: 'true' prometheus.io/port: '15014' @@ -3109,6 +2616,7 @@ spec: spec: nodeSelector: kubernetes.io/os: linux + # Can be configured to allow for excluding instio-cni from being scheduled on specified nodes tolerations: # Make sure istio-cni-node gets scheduled on all nodes. - effect: NoSchedule @@ -3127,7 +2635,7 @@ spec: # This container installs the Istio CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/istio/install-cni:1.17.5 + image: docker.io/istio/install-cni:1.18.7 readinessProbe: httpGet: path: /readyz @@ -3159,7 +2667,7 @@ spec: fieldRef: fieldPath: spec.nodeName - name: REPAIR_LABEL_PODS - value: 'true' + value: 'false' # Set to true to enable pod deletion - name: REPAIR_DELETE_PODS value: 'true' @@ -3173,6 +2681,13 @@ spec: value: cni.istio.io/uninitialized - name: REPAIR_BROKEN_POD_LABEL_VALUE value: 'true' + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: LOG_LEVEL + value: debug volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir @@ -3196,6 +2711,9 @@ spec: - name: cni-log-dir hostPath: path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: /var/run/netns --- apiVersion: apps/v1 kind: Deployment @@ -3233,6 +2751,7 @@ spec: operator.istio.io/component: IngressGateways sidecar.istio.io/inject: 'false' annotations: + istio.io/rev: default prometheus.io/port: '15020' prometheus.io/scrape: 'true' prometheus.io/path: /stats/prometheus @@ -3246,7 +2765,7 @@ spec: serviceAccountName: istio-ingressgateway-service-account containers: - name: istio-proxy - image: docker.io/istio/proxyv2:1.17.5 + image: docker.io/istio/proxyv2:1.18.7 ports: - containerPort: 15021 protocol: TCP 
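Review bot: The `install-cni` container now gets `LOG_LEVEL: debug` (hunk `@@ -3173`), so the node-level CNI agent, which runs on every node with host-path mounts, logs at debug verbosity by default; that is noisy and puts per-pod network setup detail into node logs. This appears to be the upstream 1.18 default, but this repository already carries `patches/disable-debugging.yaml` for the discovery side, so either extend that patch to the DaemonSet or set `values.cni.logLevel: info` in `profile.yaml` before regenerating, e.g. `- name: LOG_LEVEL` / `value: info`. The DaemonSet definition starts before this hunk.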
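Review bot: The new `cni-netns-dir` hostPath volume for `/var/run/netns` (hunk `@@ -3196`) has no matching `volumeMount` anywhere in the diff, so as applied here it is declared but never mounted; upstream presumably only mounts it when ambient mode is enabled. An unmounted hostPath volume is inert, but it still widens what the DaemonSet declares it may touch and will confuse anyone auditing the host-mount surface, so if the Kubeflow install does not use ambient, consider dropping the volume in the kustomize overlay or adding a one-line comment `# declared by upstream for ambient mode; unused here` beside it. The DaemonSet spec begins before this hunk.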
@@ -3321,6 +2840,10 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu - name: SERVICE_ACCOUNT valueFrom: fieldRef: @@ -3447,6 +2970,7 @@ spec: annotations: prometheus.io/port: '15014' prometheus.io/scrape: 'true' + ambient.istio.io/redirection: disabled sidecar.istio.io/inject: 'false' spec: serviceAccountName: istiod @@ -3454,7 +2978,7 @@ spec: fsGroup: 1337 containers: - name: discovery - image: docker.io/istio/pilot:1.17.5 + image: docker.io/istio/pilot:1.18.7 args: - discovery - --monitoringAddr=:15014 @@ -3513,6 +3037,10 @@ spec: value: 'false' - name: CLUSTER_ID value: Kubernetes + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory resources: requests: cpu: 500m @@ -3651,6 +3179,10 @@ rules: - apiGroups: [''] resources: [configmaps] verbs: [delete] + +- apiGroups: [coordination.k8s.io] + resources: [leases] + verbs: [get, update, patch, create] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/common/istio-cni-1-17/istio-install/base/kustomization.yaml b/common/istio-cni-1-18/istio-install/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-17/istio-install/base/kustomization.yaml rename to common/istio-cni-1-18/istio-install/base/kustomization.yaml diff --git a/common/istio-cni-1-17/istio-install/base/patches/disable-debugging.yaml b/common/istio-cni-1-18/istio-install/base/patches/disable-debugging.yaml similarity index 100% rename from common/istio-cni-1-17/istio-install/base/patches/disable-debugging.yaml rename to common/istio-cni-1-18/istio-install/base/patches/disable-debugging.yaml 
diff --git a/common/istio-cni-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-cni-1-18/istio-install/base/patches/istio-configmap-disable-tracing.yaml
similarity index 100%
rename from common/istio-cni-1-17/istio-install/base/patches/istio-configmap-disable-tracing.yaml
rename to common/istio-cni-1-18/istio-install/base/patches/istio-configmap-disable-tracing.yaml
diff --git a/common/istio-cni-1-17/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-cni-1-18/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
similarity index 100%
rename from common/istio-cni-1-17/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
rename to common/istio-cni-1-18/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
diff --git a/common/istio-cni-1-17/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-cni-1-18/istio-install/base/patches/istiod-remove-pdb.yaml
similarity index 100%
rename from common/istio-cni-1-17/istio-install/base/patches/istiod-remove-pdb.yaml
rename to common/istio-cni-1-18/istio-install/base/patches/istiod-remove-pdb.yaml
diff --git a/common/istio-cni-1-17/istio-install/base/patches/service.yaml b/common/istio-cni-1-18/istio-install/base/patches/service.yaml
similarity index 100%
rename from common/istio-cni-1-17/istio-install/base/patches/service.yaml
rename to common/istio-cni-1-18/istio-install/base/patches/service.yaml
diff --git a/common/istio-cni-1-17/istio-install/base/x-forwarded-host.yaml b/common/istio-cni-1-18/istio-install/base/x-forwarded-host.yaml
similarity index 100%
rename from common/istio-cni-1-17/istio-install/base/x-forwarded-host.yaml
rename to common/istio-cni-1-18/istio-install/base/x-forwarded-host.yaml
diff --git a/common/istio-cni-1-17/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-18/istio-install/overlays/oauth2-proxy/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-17/istio-install/overlays/oauth2-proxy/kustomization.yaml
rename to common/istio-cni-1-18/istio-install/overlays/oauth2-proxy/kustomization.yaml
diff --git a/common/istio-cni-1-17/istio-namespace/base/kustomization.yaml b/common/istio-cni-1-18/istio-namespace/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-17/istio-namespace/base/kustomization.yaml
rename to common/istio-cni-1-18/istio-namespace/base/kustomization.yaml
diff --git a/common/istio-cni-1-17/istio-namespace/base/namespace.yaml b/common/istio-cni-1-18/istio-namespace/base/namespace.yaml
similarity index 100%
rename from common/istio-cni-1-17/istio-namespace/base/namespace.yaml
rename to common/istio-cni-1-18/istio-namespace/base/namespace.yaml
diff --git a/common/istio-cni-1-17/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-cni-1-18/kubeflow-istio-resources/base/cluster-roles.yaml
similarity index 100%
rename from common/istio-cni-1-17/kubeflow-istio-resources/base/cluster-roles.yaml
rename to common/istio-cni-1-18/kubeflow-istio-resources/base/cluster-roles.yaml
diff --git a/common/istio-cni-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-cni-1-18/kubeflow-istio-resources/base/kf-istio-resources.yaml
similarity index 100%
rename from common/istio-cni-1-17/kubeflow-istio-resources/base/kf-istio-resources.yaml
rename to common/istio-cni-1-18/kubeflow-istio-resources/base/kf-istio-resources.yaml
diff --git a/common/istio-cni-1-17/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-cni-1-18/kubeflow-istio-resources/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-17/kubeflow-istio-resources/base/kustomization.yaml
rename to common/istio-cni-1-18/kubeflow-istio-resources/base/kustomization.yaml
diff --git a/common/istio-cni-1-17/profile-overlay.yaml b/common/istio-cni-1-18/profile-overlay.yaml
similarity index 100%
rename from common/istio-cni-1-17/profile-overlay.yaml
rename to common/istio-cni-1-18/profile-overlay.yaml
diff --git a/common/istio-1-17/profile.yaml b/common/istio-cni-1-18/profile.yaml
similarity index 95%
rename from common/istio-1-17/profile.yaml
rename to common/istio-cni-1-18/profile.yaml
index 9621a5596c..3048418468 100644
--- a/common/istio-1-17/profile.yaml
+++ b/common/istio-cni-1-18/profile.yaml
@@ -22,7 +22,7 @@ spec:
 proxyMetadata: {}
 enablePrometheusMerge: true
 profile: default
- tag: 1.17.5
+ tag: 1.18.7
 values:
 base:
 enableCRDTemplates: false
@@ -107,13 +107,6 @@ spec:
 tracer: zipkin
 proxy_init:
 image: proxyv2
- resources:
- limits:
- cpu: 2000m
- memory: 1024Mi
- requests:
- cpu: 10m
- memory: 10Mi
 sds:
 token:
 aud: istio-ca
diff --git a/common/istio-cni-1-17/split-istio-packages b/common/istio-cni-1-18/split-istio-packages
similarity index 100%
rename from common/istio-cni-1-17/split-istio-packages
rename to common/istio-cni-1-18/split-istio-packages
diff --git a/common/oidc-client/oauth2-proxy/README.md b/common/oidc-client/oauth2-proxy/README.md
index f3699bce7e..4335be8469 100644
--- a/common/oidc-client/oauth2-proxy/README.md
+++ b/common/oidc-client/oauth2-proxy/README.md
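Review bot: Removing the `proxy_init.resources` block drops the only explicit CPU/memory bound this profile set for the sidecar init container, and nothing in the hunk replaces it. If the 1.18 injection template sizes `istio-init`/`istio-validation` from `global.proxy.resources` rather than `proxy_init.resources`, the block was dead config and the removal is fine; if not, injected init containers now run with no limits. Worth confirming by rendering a sample injection from the regenerated manifests before merging, and stating the result in the commit message, since a reader of this profile alone cannot tell which case applies.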
@@ -169,9 +169,9 @@ make the following changes to the `example/kustomization.yaml` file: * use `oauth2-proxy` overlay for istio-install ``` # from - - ../common/istio-1-17/istio-install/base + - ../common/istio-1-18/istio-install/base # to - - ../common/istio-1-17/istio-install/overlays/oauth2-proxy + - ../common/istio-1-18/istio-install/overlays/oauth2-proxy ``` * change `OIDC Authservice` to `oauth2-proxy for OIDC` and use overlay for m2m bearer tokens with self-signed in-cluster issuer @@ -204,12 +204,12 @@ index c1a85789..4a50440c 100644 +++ b/example/kustomization.yaml @@ -38,11 +38,11 @@ resources: # Istio - - ../common/istio-1-17/istio-crds/base - - ../common/istio-1-17/istio-namespace/base --- ../common/istio-1-17/istio-install/base + - ../common/istio-1-18/istio-crds/base + - ../common/istio-1-18/istio-namespace/base +-- ../common/istio-1-18/istio-install/base -# OIDC Authservice -- ../common/oidc-client/oidc-authservice/base -+- ../common/istio-1-17/istio-install/overlays/oauth2-proxy ++- ../common/istio-1-18/istio-install/overlays/oauth2-proxy +# oauth2-proxy for OIDC +- ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed # Dex diff --git a/contrib/kserve/README.md b/contrib/kserve/README.md index 4eea52736b..65f42d8b19 100644 --- a/contrib/kserve/README.md +++ b/contrib/kserve/README.md 
@@ -61,15 +61,15 @@ For upgrading see [UPGRADE.md](UPGRADE.md)
 ```
 5. Install Istio
 ```sh
- kubectl apply -k ../../common/istio-1-17/istio-crds/base
- kubectl apply -k ../../common/istio-1-17/istio-namespace/base
- kubectl apply -k ../../common/istio-1-17/istio-install/base
+ kubectl apply -k ../../common/istio-1-18/istio-crds/base
+ kubectl apply -k ../../common/istio-1-18/istio-namespace/base
+ kubectl apply -k ../../common/istio-1-18/istio-install/base
 ```
 6. Install knative
 ```sh
 kubectl apply -k ../../common/knative/knative-serving/overlays/gateways
- kubectl apply -k ../../common/istio-1-17/cluster-local-gateway/base
- kubectl apply -k ../../common/istio-1-17/kubeflow-istio-resources/base
+ kubectl apply -k ../../common/istio-1-18/cluster-local-gateway/base
+ kubectl apply -k ../../common/istio-1-18/kubeflow-istio-resources/base
 ```
 7. Install kserve
 ```sh
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index c00819031d..f292f0122a 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
@@ -37,9 +37,9 @@ resources:
 - ../common/cert-manager/cert-manager/base
 - ../common/cert-manager/kubeflow-issuer/base
 # Istio
-- ../common/istio-1-17/istio-crds/base
-- ../common/istio-1-17/istio-namespace/base
-- ../common/istio-1-17/istio-install/overlays/oauth2-proxy
+- ../common/istio-1-18/istio-crds/base
+- ../common/istio-1-18/istio-namespace/base
+- ../common/istio-1-18/istio-install/overlays/oauth2-proxy
 # oauth2-proxy
 - ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed
 # Dex
@@ -47,7 +47,7 @@ resources:
 # KNative
 - ../common/knative/knative-serving/overlays/gateways
 - ../common/knative/knative-eventing/base
-- ../common/istio-1-17/cluster-local-gateway/base
+- ../common/istio-1-18/cluster-local-gateway/base
 # Kubeflow namespace
 - ../common/kubeflow-namespace/base
 # NetworkPolicies
@@ -55,7 +55,7 @@ resources: # Kubeflow Roles - ../common/kubeflow-roles/base # Kubeflow Istio Resources -- ../common/istio-1-17/kubeflow-istio-resources/base +- ../common/istio-1-18/kubeflow-istio-resources/base # Kubeflow Pipelines diff --git a/hack/extract_images.sh b/hack/extract_images.sh index 5db55390b9..96a0158ccb 100755 --- a/hack/extract_images.sh +++ b/hack/extract_images.sh 
@@ -15,7 +15,7 @@ declare -A wg_dirs=(
 [automl]="../apps/katib/upstream/installs"
 [pipelines]="../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env"
 [training]="../apps/training-operator/upstream/overlays"
-[manifests]="../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-17/istio-crds/base ../common/istio-1-17/istio-namespace/base ../common/istio-1-17/istio-install/overlays/oauth2-proxy ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-17/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-17/kubeflow-istio-resources/base"
+[manifests]="../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-18/istio-crds/base ../common/istio-1-18/istio-namespace/base ../common/istio-1-18/istio-install/overlays/oauth2-proxy ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-18/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-18/kubeflow-istio-resources/base"
 [workbenches]="../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/upstream/overlays/oauth2-proxy ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays"
 [serving]="../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow"
 [model-registry]="../apps/model-registry/upstream"
diff --git a/tests/gh-actions/install_istio-cni.sh b/tests/gh-actions/install_istio-cni.sh
index 05b2d0ab0a..9c8cdbbac0 100755
--- a/tests/gh-actions/install_istio-cni.sh
+++ b/tests/gh-actions/install_istio-cni.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 echo "Installing Istio-cni ..."
-cd common/istio-cni-1-17
+cd common/istio-cni-1-18
 kustomize build istio-crds/base | kubectl apply -f -
 kustomize build istio-namespace/base | kubectl apply -f -
 kustomize build istio-install/base | kubectl apply -f -
\ No newline at end of file
diff --git a/tests/gh-actions/install_istio.sh b/tests/gh-actions/install_istio.sh
index eb01319b43..0e1eb4353d 100755
--- a/tests/gh-actions/install_istio.sh
+++ b/tests/gh-actions/install_istio.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 echo "Installing Istio ..."
-cd common/istio-1-17
+cd common/istio-1-18
 kustomize build istio-crds/base | kubectl apply -f -
 kustomize build istio-namespace/base | kubectl apply -f -
 kustomize build istio-install/base | kubectl apply -f -
diff --git a/tests/gh-actions/install_istio_with_ext_auth.sh b/tests/gh-actions/install_istio_with_ext_auth.sh
index bb991d354b..23dcf4ef0a 100755
--- a/tests/gh-actions/install_istio_with_ext_auth.sh
+++ b/tests/gh-actions/install_istio_with_ext_auth.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 echo "Installing Istio configured with external authorization..."
-cd common/istio-1-17
+cd common/istio-1-18
 kustomize build istio-crds/base | kubectl apply -f -
 kustomize build istio-namespace/base | kubectl apply -f -
 kustomize build istio-install/overlays/oauth2-proxy | kubectl apply -f -
diff --git a/tests/gh-actions/install_knative-cni.sh b/tests/gh-actions/install_knative-cni.sh
index 4381f0a000..06787b4adb 100755
--- a/tests/gh-actions/install_knative-cni.sh
+++ b/tests/gh-actions/install_knative-cni.sh
@@ -6,8 +6,8 @@ kustomize build common/knative/knative-serving/base | kubectl apply -f - set -e kustomize build common/knative/knative-serving/base | kubectl apply -f - -kustomize build common/istio-cni-1-17/cluster-local-gateway/base | kubectl apply -f - -kustomize build common/istio-cni-1-17/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-cni-1-18/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-cni-1-18/kubeflow-istio-resources/base | kubectl apply -f - kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 600s kubectl patch cm config-domain --patch '{"data":{"example.com":""}}' -n knative-serving diff --git a/tests/gh-actions/install_knative.sh b/tests/gh-actions/install_knative.sh index cf409a64c9..94b3b0f044 100755 --- a/tests/gh-actions/install_knative.sh +++ b/tests/gh-actions/install_knative.sh @@ -6,8 +6,8 @@ kustomize build common/knative/knative-serving/base | kubectl apply -f - set -e kustomize build common/knative/knative-serving/base | kubectl apply -f - -kustomize build common/istio-1-17/cluster-local-gateway/base | kubectl apply -f - -kustomize build common/istio-1-17/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-1-18/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-1-18/kubeflow-istio-resources/base | kubectl apply -f - kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 600s kubectl patch cm config-domain --patch '{"data":{"example.com":""}}' -n knative-serving