diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml
index bc0001e9f6..cb70027de1 100644
--- a/.github/workflows/notebook_controller_m2m_test.yaml
+++ b/.github/workflows/notebook_controller_m2m_test.yaml
@@ -34,7 +34,7 @@ jobs:
run: ./tests/gh-actions/install_oauth2-proxy.sh
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
- name: Install KF Multi Tenancy
run: ./tests/gh-actions/install_multi_tenancy.sh
diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml
index ff965b7937..1cb526310a 100644
--- a/.github/workflows/pipeline_run_from_notebook.yaml
+++ b/.github/workflows/pipeline_run_from_notebook.yaml
@@ -37,7 +37,7 @@ jobs:
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
- name: Install KF Pipelines
run: ./tests/gh-actions/install_pipelines.sh
diff --git a/.github/workflows/pipeline_swfs_test.yaml b/.github/workflows/pipeline_swfs_test.yaml
index 2489ee3201..6bebea16e7 100644
--- a/.github/workflows/pipeline_swfs_test.yaml
+++ b/.github/workflows/pipeline_swfs_test.yaml
@@ -45,7 +45,7 @@ jobs:
run: ./tests/gh-actions/install_multi_tenancy.sh
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
- name: Create KF Profile
run: kustomize build common/user-namespace/base | kubectl apply -f -
diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml
index f5944e0643..5c73d1ce27 100644
--- a/.github/workflows/pipeline_test.yaml
+++ b/.github/workflows/pipeline_test.yaml
@@ -44,7 +44,7 @@ jobs:
run: ./tests/gh-actions/install_multi_tenancy.sh
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
- name: Create KF Profile
run: kustomize build common/user-namespace/base | kubectl apply -f -
diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml
index d63f0b934f..d90957c2bc 100644
--- a/.github/workflows/training_operator_test.yaml
+++ b/.github/workflows/training_operator_test.yaml
@@ -38,7 +38,7 @@ jobs:
run: ./tests/gh-actions/install_multi_tenancy.sh
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
- name: Create KF Profile
run: kustomize build common/user-namespace/base | kubectl apply -f -
diff --git a/README.md b/README.md
index 17e026ddb4..23d9d863b7 100755
--- a/README.md
+++ b/README.md
@@ -65,7 +65,7 @@ used from the different projects of Kubeflow:
| Component | Local Manifests Path | Upstream Revision |
| - | - | - |
-| Istio | common/istio-1-22 | [1.22.1](https://github.com/istio/istio/releases/tag/1.22.1) |
+| Istio | common/istio-1-23 | [1.23.2](https://github.com/istio/istio/releases/tag/1.23.2) |
| Knative | common/knative/knative-serving
common/knative/knative-eventing | [v1.12.4](https://github.com/knative/serving/releases/tag/knative-v1.12.4)
[v1.12.6](https://github.com/knative/eventing/releases/tag/knative-v1.12.6) |
| Cert Manager | common/cert-manager | [1.14.5](https://github.com/cert-manager/cert-manager/releases/tag/v1.12.2) |
@@ -210,9 +210,9 @@ Install Istio:
```sh
echo "Installing Istio configured with external authorization..."
-kustomize build common/istio-1-22/istio-crds/base | kubectl apply -f -
-kustomize build common/istio-1-22/istio-namespace/base | kubectl apply -f -
-kustomize build common/istio-1-22/istio-install/overlays/oauth2-proxy | kubectl apply -f -
+kustomize build common/istio-1-23/istio-crds/base | kubectl apply -f -
+kustomize build common/istio-1-23/istio-namespace/base | kubectl apply -f -
+kustomize build common/istio-1-23/istio-install/overlays/oauth2-proxy | kubectl apply -f -
echo "Waiting for all Istio Pods to become ready..."
kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s
@@ -264,7 +264,7 @@ Install Knative Serving:
```sh
kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f -
-kustomize build common/istio-1-22/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-1-23/cluster-local-gateway/base | kubectl apply -f -
```
Optionally, you can install Knative Eventing which can be used for inference request logging:
@@ -311,7 +311,7 @@ Create the Kubeflow Gateway, `kubeflow-gateway` and ClusterRole,
Install kubeflow istio resources:
```sh
-kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
```
#### Kubeflow Pipelines
diff --git a/common/istio-1-22/README.md b/common/istio-1-23/README.md
similarity index 100%
rename from common/istio-1-22/README.md
rename to common/istio-1-23/README.md
diff --git a/common/istio-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml
similarity index 98%
rename from common/istio-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml
rename to common/istio-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml
index 93265e3e8c..45441c6a4f 100644
--- a/common/istio-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml
+++ b/common/istio-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml
@@ -109,8 +109,7 @@ spec:
- name: ISTIO_META_WORKLOAD_NAME
value: cluster-local-gateway
- name: ISTIO_META_OWNER
- value:
- kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
+ value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: TRUST_DOMAIN
@@ -123,7 +122,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.22.1
+ image: docker.io/istio/proxyv2:1.23.2
name: istio-proxy
ports:
- containerPort: 15020
diff --git a/common/istio-1-22/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
similarity index 100%
rename from common/istio-1-22/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
rename to common/istio-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
diff --git a/common/istio-1-22/cluster-local-gateway/base/gateway.yaml b/common/istio-1-23/cluster-local-gateway/base/gateway.yaml
similarity index 100%
rename from common/istio-1-22/cluster-local-gateway/base/gateway.yaml
rename to common/istio-1-23/cluster-local-gateway/base/gateway.yaml
diff --git a/common/istio-1-22/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-23/cluster-local-gateway/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-22/cluster-local-gateway/base/kustomization.yaml
rename to common/istio-1-23/cluster-local-gateway/base/kustomization.yaml
diff --git a/common/istio-1-22/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml
similarity index 100%
rename from common/istio-1-22/cluster-local-gateway/base/patches/remove-pdb.yaml
rename to common/istio-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml
diff --git a/common/istio-1-22/istio-crds/base/crd.yaml b/common/istio-1-23/istio-crds/base/crd.yaml
similarity index 88%
rename from common/istio-1-22/istio-crds/base/crd.yaml
rename to common/istio-1-23/istio-crds/base/crd.yaml
index 6907d037fa..33de713fcc 100644
--- a/common/istio-1-22/istio-crds/base/crd.yaml
+++ b/common/istio-1-23/istio-crds/base/crd.yaml
@@ -212,43 +212,87 @@ spec:
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
targetRef:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
targetRefs:
description: Optional.
items:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
type: array
type: object
status:
@@ -447,43 +491,87 @@ spec:
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
targetRef:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
targetRefs:
description: Optional.
items:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
type: array
type: object
status:
@@ -598,6 +686,10 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -626,12 +718,24 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -645,6 +749,10 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes
to send without response before deciding the
@@ -657,6 +765,10 @@ spec:
needs to be idle before keep-alive probes
start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -822,12 +934,18 @@ spec:
warmupDurationSecs:
description: Represents the warmup duration of Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
@@ -855,6 +973,9 @@ spec:
interval:
description: Time interval between ejection sweep analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
@@ -905,6 +1026,10 @@ spec:
description: The idle timeout for upstream
connection pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent
streams allowed for a peer on one HTTP/2
@@ -935,12 +1060,24 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP
connections to a destination host.
@@ -954,6 +1091,10 @@ spec:
description: The time duration between
keep-alive probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive
probes to send without response before
@@ -966,6 +1107,10 @@ spec:
needs to be idle before keep-alive probes
start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -1136,12 +1281,20 @@ spec:
description: Represents the warmup duration of
Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host
is ejected from the connection pool.
@@ -1170,6 +1323,10 @@ spec:
description: Time interval between ejection sweep
analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
@@ -1252,6 +1409,7 @@ spec:
type: array
type: object
type: object
+ maxItems: 4096
type: array
proxyProtocol:
description: The upstream PROXY protocol settings.
@@ -1378,6 +1536,9 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -1405,12 +1566,21 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -1424,6 +1594,9 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes to
send without response before deciding the connection
@@ -1436,6 +1609,9 @@ spec:
to be idle before keep-alive probes start being
sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -1598,12 +1774,18 @@ spec:
warmupDurationSecs:
description: Represents the warmup duration of Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
@@ -1631,6 +1813,9 @@ spec:
interval:
description: Time interval between ejection sweep analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing pool
for the upstream service that can be ejected.
@@ -1681,6 +1866,10 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -1709,12 +1898,24 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -1728,6 +1929,10 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes
to send without response before deciding the
@@ -1740,6 +1945,10 @@ spec:
needs to be idle before keep-alive probes
start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -1905,12 +2114,18 @@ spec:
warmupDurationSecs:
description: Represents the warmup duration of Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
@@ -1938,6 +2153,9 @@ spec:
interval:
description: Time interval between ejection sweep analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
@@ -2017,6 +2235,7 @@ spec:
type: array
type: object
type: object
+ maxItems: 4096
type: array
proxyProtocol:
description: The upstream PROXY protocol settings.
@@ -2112,10 +2331,20 @@ spec:
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
required:
- host
@@ -2205,6 +2434,10 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -2233,12 +2466,24 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -2252,6 +2497,10 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes
to send without response before deciding the
@@ -2264,6 +2513,10 @@ spec:
needs to be idle before keep-alive probes
start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -2429,12 +2682,18 @@ spec:
warmupDurationSecs:
description: Represents the warmup duration of Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
@@ -2462,6 +2721,9 @@ spec:
interval:
description: Time interval between ejection sweep analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
@@ -2512,6 +2774,10 @@ spec:
description: The idle timeout for upstream
connection pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent
streams allowed for a peer on one HTTP/2
@@ -2542,12 +2808,24 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP
connections to a destination host.
@@ -2561,6 +2839,10 @@ spec:
description: The time duration between
keep-alive probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive
probes to send without response before
@@ -2573,6 +2855,10 @@ spec:
needs to be idle before keep-alive probes
start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -2743,12 +3029,20 @@ spec:
description: Represents the warmup duration of
Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host
is ejected from the connection pool.
@@ -2777,6 +3071,10 @@ spec:
description: Time interval between ejection sweep
analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
@@ -2859,6 +3157,7 @@ spec:
type: array
type: object
type: object
+ maxItems: 4096
type: array
proxyProtocol:
description: The upstream PROXY protocol settings.
@@ -2985,6 +3284,9 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -3012,12 +3314,21 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -3031,6 +3342,9 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes to
send without response before deciding the connection
@@ -3043,6 +3357,9 @@ spec:
to be idle before keep-alive probes start being
sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -3205,12 +3522,18 @@ spec:
warmupDurationSecs:
description: Represents the warmup duration of Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
@@ -3238,6 +3561,9 @@ spec:
interval:
description: Time interval between ejection sweep analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing pool
for the upstream service that can be ejected.
@@ -3288,6 +3614,10 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -3316,12 +3646,24 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -3335,6 +3677,10 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes
to send without response before deciding the
@@ -3347,6 +3693,10 @@ spec:
needs to be idle before keep-alive probes
start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -3512,12 +3862,18 @@ spec:
warmupDurationSecs:
description: Represents the warmup duration of Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
@@ -3545,6 +3901,9 @@ spec:
interval:
description: Time interval between ejection sweep analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
@@ -3624,6 +3983,7 @@ spec:
type: array
type: object
type: object
+ maxItems: 4096
type: array
proxyProtocol:
description: The upstream PROXY protocol settings.
@@ -3719,10 +4079,20 @@ spec:
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
required:
- host
@@ -3812,6 +4182,10 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -3840,12 +4214,24 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -3859,6 +4245,10 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes
to send without response before deciding the
@@ -3871,6 +4261,10 @@ spec:
needs to be idle before keep-alive probes
start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -4036,12 +4430,18 @@ spec:
warmupDurationSecs:
description: Represents the warmup duration of Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
@@ -4069,6 +4469,9 @@ spec:
interval:
description: Time interval between ejection sweep analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
@@ -4119,6 +4522,10 @@ spec:
description: The idle timeout for upstream
connection pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent
streams allowed for a peer on one HTTP/2
@@ -4149,12 +4556,24 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP
connections to a destination host.
@@ -4168,6 +4587,10 @@ spec:
description: The time duration between
keep-alive probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive
probes to send without response before
@@ -4180,6 +4603,10 @@ spec:
needs to be idle before keep-alive probes
start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -4350,12 +4777,20 @@ spec:
description: Represents the warmup duration of
Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host
is ejected from the connection pool.
@@ -4384,6 +4819,10 @@ spec:
description: Time interval between ejection sweep
analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
@@ -4466,6 +4905,7 @@ spec:
type: array
type: object
type: object
+ maxItems: 4096
type: array
proxyProtocol:
description: The upstream PROXY protocol settings.
@@ -4592,6 +5032,9 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -4619,12 +5062,21 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -4638,6 +5090,9 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes to
send without response before deciding the connection
@@ -4650,6 +5105,9 @@ spec:
to be idle before keep-alive probes start being
sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -4812,12 +5270,18 @@ spec:
warmupDurationSecs:
description: Represents the warmup duration of Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
@@ -4845,6 +5309,9 @@ spec:
interval:
description: Time interval between ejection sweep analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing pool
for the upstream service that can be ejected.
@@ -4895,6 +5362,10 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -4923,12 +5394,24 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -4942,6 +5425,10 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes
to send without response before deciding the
@@ -4954,6 +5441,10 @@ spec:
needs to be idle before keep-alive probes
start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -5119,12 +5610,18 @@ spec:
warmupDurationSecs:
description: Represents the warmup duration of Service.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
consecutive5xxErrors:
description: Number of 5xx errors before a host is ejected
from the connection pool.
@@ -5152,6 +5649,9 @@ spec:
interval:
description: Time interval between ejection sweep analysis.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxEjectionPercent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
@@ -5231,6 +5731,7 @@ spec:
type: array
type: object
type: object
+ maxItems: 4096
type: array
proxyProtocol:
description: The upstream PROXY protocol settings.
@@ -5326,10 +5827,20 @@ spec:
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
required:
- host
@@ -5620,17 +6131,34 @@ spec:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
type: array
workloadSelector:
description: Criteria used to select the specific set of pods/VMs
@@ -6242,19 +6770,37 @@ spec:
type: string
type: object
description: Port specific mutual TLS settings.
+ minProperties: 1
type: object
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: self.all(key, 0 < int(key) && int(key) <= 65535)
selector:
description: The selector determines the workloads to apply the PeerAuthentication
on.
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
type: object
+ x-kubernetes-validations:
+ - message: portLevelMtls requires selector
+ rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size()
+ > 0) || !has(self.portLevelMtls)
status:
type: object
x-kubernetes-preserve-unknown-fields: true
@@ -6315,19 +6861,37 @@ spec:
type: string
type: object
description: Port specific mutual TLS settings.
+ minProperties: 1
type: object
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: self.all(key, 0 < int(key) && int(key) <= 65535)
selector:
description: The selector determines the workloads to apply the PeerAuthentication
on.
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
type: object
+ x-kubernetes-validations:
+ - message: portLevelMtls requires selector
+ rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size()
+ > 0) || !has(self.portLevelMtls)
status:
type: object
x-kubernetes-preserve-unknown-fields: true
@@ -6372,10 +6936,12 @@ spec:
concurrency:
description: The number of worker threads to run.
format: int32
+ minimum: 0
nullable: true
type: integer
environmentVariables:
additionalProperties:
+ maxLength: 2048
type: string
description: Additional environment variables for the proxy.
type: object
@@ -6391,10 +6957,20 @@ spec:
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
type: object
status:
@@ -6450,6 +7026,7 @@ spec:
description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
that are allowed to access.
items:
+ minLength: 1
type: string
type: array
forwardOriginalToken:
@@ -6459,6 +7036,7 @@ spec:
fromCookies:
description: List of cookie names from which JWT is expected.
items:
+ minLength: 1
type: string
type: array
fromHeaders:
@@ -6467,6 +7045,7 @@ spec:
properties:
name:
description: The HTTP header name.
+ minLength: 1
type: string
prefix:
description: The prefix that should be stripped before
@@ -6479,10 +7058,12 @@ spec:
fromParams:
description: List of query parameters from which JWT is expected.
items:
+ minLength: 1
type: string
type: array
issuer:
description: Identifies the issuer that issued the JWT.
+ minLength: 1
type: string
jwks:
description: JSON Web Key Set of public keys to validate signature
@@ -6491,11 +7072,21 @@ spec:
jwks_uri:
description: URL of the provider's public key set to validate
signature of the JWT.
+ maxLength: 2048
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: url must have scheme http:// or https://
+ rule: url(self).getScheme() in ['http', 'https']
jwksUri:
description: URL of the provider's public key set to validate
signature of the JWT.
+ maxLength: 2048
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: url must have scheme http:// or https://
+ rule: url(self).getScheme() in ['http', 'https']
outputClaimToHeaders:
description: This field specifies a list of operations to copy
the claim to HTTP headers on a successfully verified token.
@@ -6503,10 +7094,16 @@ spec:
properties:
claim:
description: The name of the claim to be copied from.
+ minLength: 1
type: string
header:
description: The name of the header to be created.
+ minLength: 1
+ pattern: ^[-_A-Za-z0-9]+$
type: string
+ required:
+ - header
+ - claim
type: object
type: array
outputPayloadToHeader:
@@ -6518,54 +7115,108 @@ spec:
by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
will spend waiting for the JWKS to be fetched.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
required:
- issuer
type: object
+ x-kubernetes-validations:
+ - message: only one of jwks or jwksUri can be set
+ rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1
+ maxItems: 4096
type: array
selector:
description: Optional.
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
targetRef:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
targetRefs:
description: Optional.
items:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or workloadSelector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
type: object
x-kubernetes-preserve-unknown-fields: true
@@ -6591,6 +7242,7 @@ spec:
description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
that are allowed to access.
items:
+ minLength: 1
type: string
type: array
forwardOriginalToken:
@@ -6600,6 +7252,7 @@ spec:
fromCookies:
description: List of cookie names from which JWT is expected.
items:
+ minLength: 1
type: string
type: array
fromHeaders:
@@ -6608,6 +7261,7 @@ spec:
properties:
name:
description: The HTTP header name.
+ minLength: 1
type: string
prefix:
description: The prefix that should be stripped before
@@ -6620,10 +7274,12 @@ spec:
fromParams:
description: List of query parameters from which JWT is expected.
items:
+ minLength: 1
type: string
type: array
issuer:
description: Identifies the issuer that issued the JWT.
+ minLength: 1
type: string
jwks:
description: JSON Web Key Set of public keys to validate signature
@@ -6632,11 +7288,21 @@ spec:
jwks_uri:
description: URL of the provider's public key set to validate
signature of the JWT.
+ maxLength: 2048
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: url must have scheme http:// or https://
+ rule: url(self).getScheme() in ['http', 'https']
jwksUri:
description: URL of the provider's public key set to validate
signature of the JWT.
+ maxLength: 2048
+ minLength: 1
type: string
+ x-kubernetes-validations:
+ - message: url must have scheme http:// or https://
+ rule: url(self).getScheme() in ['http', 'https']
outputClaimToHeaders:
description: This field specifies a list of operations to copy
the claim to HTTP headers on a successfully verified token.
@@ -6644,10 +7310,16 @@ spec:
properties:
claim:
description: The name of the claim to be copied from.
+ minLength: 1
type: string
header:
description: The name of the header to be created.
+ minLength: 1
+ pattern: ^[-_A-Za-z0-9]+$
type: string
+ required:
+ - header
+ - claim
type: object
type: array
outputPayloadToHeader:
@@ -6659,54 +7331,108 @@ spec:
by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
will spend waiting for the JWKS to be fetched.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
required:
- issuer
type: object
+ x-kubernetes-validations:
+ - message: only one of jwks or jwksUri can be set
+ rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1
+ maxItems: 4096
type: array
selector:
description: Optional.
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
targetRef:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
targetRefs:
description: Optional.
items:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or workloadSelector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
type: object
x-kubernetes-preserve-unknown-fields: true
@@ -6784,29 +7510,48 @@ spec:
address:
description: Address associated with the network endpoint without
the port.
+ maxLength: 256
type: string
+ x-kubernetes-validations:
+ - message: UDS must be an absolute path or abstract socket
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
+ - message: UDS may not be a dir
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
+ \ true"
labels:
additionalProperties:
type: string
description: One or more labels associated with the endpoint.
+ maxProperties: 256
type: object
locality:
description: The locality associated with the endpoint.
+ maxLength: 2048
type: string
network:
description: Network enables Istio to group endpoints resident
in the same L3 domain/network.
+ maxLength: 2048
type: string
ports:
additionalProperties:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
description: Set of ports associated with the endpoint.
+ maxProperties: 128
type: object
+ x-kubernetes-validations:
+ - message: port name must be valid
+ rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$'))
serviceAccount:
description: The service account associated with the workload
if a sidecar is present in the workload.
+ maxLength: 253
type: string
weight:
description: The load balancing weight associated with the endpoint.
@@ -6814,6 +7559,13 @@ spec:
minimum: 0
type: integer
type: object
+ x-kubernetes-validations:
+ - message: Address is required
+ rule: has(self.address) || has(self.network)
+ - message: UDS may not include ports
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
+ maxItems: 4096
type: array
exportTo:
description: A list of namespaces to which this service is exported.
@@ -6940,29 +7692,48 @@ spec:
address:
description: Address associated with the network endpoint without
the port.
+ maxLength: 256
type: string
+ x-kubernetes-validations:
+ - message: UDS must be an absolute path or abstract socket
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
+ - message: UDS may not be a dir
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
+ \ true"
labels:
additionalProperties:
type: string
description: One or more labels associated with the endpoint.
+ maxProperties: 256
type: object
locality:
description: The locality associated with the endpoint.
+ maxLength: 2048
type: string
network:
description: Network enables Istio to group endpoints resident
in the same L3 domain/network.
+ maxLength: 2048
type: string
ports:
additionalProperties:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
description: Set of ports associated with the endpoint.
+ maxProperties: 128
type: object
+ x-kubernetes-validations:
+ - message: port name must be valid
+ rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$'))
serviceAccount:
description: The service account associated with the workload
if a sidecar is present in the workload.
+ maxLength: 253
type: string
weight:
description: The load balancing weight associated with the endpoint.
@@ -6970,6 +7741,13 @@ spec:
minimum: 0
type: integer
type: object
+ x-kubernetes-validations:
+ - message: Address is required
+ rule: has(self.address) || has(self.network)
+ - message: UDS may not include ports
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
+ maxItems: 4096
type: array
exportTo:
description: A list of namespaces to which this service is exported.
@@ -7096,29 +7874,48 @@ spec:
address:
description: Address associated with the network endpoint without
the port.
+ maxLength: 256
type: string
+ x-kubernetes-validations:
+ - message: UDS must be an absolute path or abstract socket
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
+ - message: UDS may not be a dir
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
+ \ true"
labels:
additionalProperties:
type: string
description: One or more labels associated with the endpoint.
+ maxProperties: 256
type: object
locality:
description: The locality associated with the endpoint.
+ maxLength: 2048
type: string
network:
description: Network enables Istio to group endpoints resident
in the same L3 domain/network.
+ maxLength: 2048
type: string
ports:
additionalProperties:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
description: Set of ports associated with the endpoint.
+ maxProperties: 128
type: object
+ x-kubernetes-validations:
+ - message: port name must be valid
+ rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$'))
serviceAccount:
description: The service account associated with the workload
if a sidecar is present in the workload.
+ maxLength: 253
type: string
weight:
description: The load balancing weight associated with the endpoint.
@@ -7126,6 +7923,13 @@ spec:
minimum: 0
type: integer
type: object
+ x-kubernetes-validations:
+ - message: Address is required
+ rule: has(self.address) || has(self.network)
+ - message: UDS may not include ports
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
+ maxItems: 4096
type: array
exportTo:
description: A list of namespaces to which this service is exported.
@@ -7322,6 +8126,9 @@ spec:
description: The idle timeout for upstream connection pool
connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams allowed
for a peer on one HTTP/2 connection.
@@ -7348,12 +8155,21 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections to a
destination host.
@@ -7366,6 +8182,9 @@ spec:
interval:
description: The time duration between keep-alive probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes to send
without response before deciding the connection is dead.
@@ -7376,6 +8195,9 @@ spec:
description: The time duration a connection needs to be
idle before keep-alive probes start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -7429,6 +8251,9 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -7456,12 +8281,21 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -7475,6 +8309,10 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes
to send without response before deciding the connection
@@ -7487,6 +8325,10 @@ spec:
to be idle before keep-alive probes start being
sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -7748,6 +8590,9 @@ spec:
description: The idle timeout for upstream connection pool
connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams allowed
for a peer on one HTTP/2 connection.
@@ -7774,12 +8619,21 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections to a
destination host.
@@ -7792,6 +8646,9 @@ spec:
interval:
description: The time duration between keep-alive probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes to send
without response before deciding the connection is dead.
@@ -7802,6 +8659,9 @@ spec:
description: The time duration a connection needs to be
idle before keep-alive probes start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -7855,6 +8715,9 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -7882,12 +8745,21 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -7901,6 +8773,10 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes
to send without response before deciding the connection
@@ -7913,6 +8789,10 @@ spec:
to be idle before keep-alive probes start being
sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -8174,6 +9054,9 @@ spec:
description: The idle timeout for upstream connection pool
connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams allowed
for a peer on one HTTP/2 connection.
@@ -8200,12 +9083,21 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections to a
destination host.
@@ -8218,6 +9110,9 @@ spec:
interval:
description: The time duration between keep-alive probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes to send
without response before deciding the connection is dead.
@@ -8228,6 +9123,9 @@ spec:
description: The time duration a connection needs to be
idle before keep-alive probes start being sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -8281,6 +9179,9 @@ spec:
description: The idle timeout for upstream connection
pool connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConcurrentStreams:
description: The maximum number of concurrent streams
allowed for a peer on one HTTP/2 connection.
@@ -8308,12 +9209,21 @@ spec:
connectTimeout:
description: TCP connection timeout.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
idleTimeout:
description: The idle timeout for TCP connections.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnectionDuration:
description: The maximum duration of a connection.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
@@ -8327,6 +9237,10 @@ spec:
description: The time duration between keep-alive
probes.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
probes:
description: Maximum number of keepalive probes
to send without response before deciding the connection
@@ -8339,6 +9253,10 @@ spec:
to be idle before keep-alive probes start being
sent.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: object
type: object
@@ -8681,11 +9599,11 @@ spec:
type: object
x-kubernetes-validations:
- message: value must be set when operation is UPSERT
- rule: "((has(self.operation) ? self.operation : '')
- == 'UPSERT') ? self.value != '' : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'UPSERT') ? self.value != '' : true"
- message: value must not be set when operation is REMOVE
- rule: "((has(self.operation) ? self.operation : '')
- == 'REMOVE') ? !has(self.value) : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'REMOVE') ? !has(self.value) : true"
description: Optional.
type: object
type: object
@@ -8705,6 +9623,9 @@ spec:
reportingInterval:
description: Optional.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: array
selector:
@@ -8712,43 +9633,87 @@ spec:
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
targetRef:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
targetRefs:
description: Optional.
items:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
type: array
tracing:
description: Optional.
@@ -9008,11 +9973,11 @@ spec:
type: object
x-kubernetes-validations:
- message: value must be set when operation is UPSERT
- rule: "((has(self.operation) ? self.operation : '')
- == 'UPSERT') ? self.value != '' : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'UPSERT') ? self.value != '' : true"
- message: value must not be set when operation is REMOVE
- rule: "((has(self.operation) ? self.operation : '')
- == 'REMOVE') ? !has(self.value) : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'REMOVE') ? !has(self.value) : true"
description: Optional.
type: object
type: object
@@ -9032,6 +9997,9 @@ spec:
reportingInterval:
description: Optional.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: array
selector:
@@ -9039,43 +10007,87 @@ spec:
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
targetRef:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
targetRefs:
description: Optional.
items:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
type: array
tracing:
description: Optional.
@@ -9316,7 +10328,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
type: array
@@ -9330,6 +10342,19 @@ spec:
description: Specifies how long the results of a preflight
request can be cached.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
+ unmatchedPreflights:
+ description: |-
+ Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream.
+
+ Valid Options: FORWARD, IGNORE
+ enum:
+ - UNSPECIFIED
+ - FORWARD
+ - IGNORE
+ type: string
type: object
delegate:
description: Delegate is used to specify the particular VirtualService
@@ -9437,10 +10462,16 @@ spec:
properties:
exponentialDelay:
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
fixedDelay:
description: Add a fixed delay before forwarding the
request.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
percent:
description: Percentage of requests on which the delay
will be injected (0-100).
@@ -9498,7 +10529,7 @@ spec:
description: 'HTTP Authority values are case-sensitive
and formatted as follows: - `exact: "value"` for exact
string match - `prefix: "value"` for prefix-based match
- - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -9520,7 +10551,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
gateways:
@@ -9552,7 +10583,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
description: The header keys must be lowercase and use
@@ -9566,7 +10597,7 @@ spec:
description: 'HTTP Method values are case-sensitive and
formatted as follows: - `exact: "value"` for exact string
match - `prefix: "value"` for prefix-based match - `regex:
- "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -9588,7 +10619,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
name:
@@ -9623,7 +10654,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
description: Query parameters for matching.
@@ -9632,7 +10663,7 @@ spec:
description: 'URI Scheme values are case-sensitive and
formatted as follows: - `exact: "value"` for exact string
match - `prefix: "value"` for prefix-based match - `regex:
- "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -9654,7 +10685,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
sourceLabels:
@@ -9676,7 +10707,7 @@ spec:
description: 'URI to match values are case-sensitive and
formatted as follows: - `exact: "value"` for exact string
match - `prefix: "value"` for prefix-based match - `regex:
- "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -9698,7 +10729,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
withoutHeaders:
@@ -9724,7 +10755,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
description: withoutHeader has the same syntax with the
@@ -9876,6 +10907,9 @@ spec:
description: Timeout per attempt for a given request, including
the initial call and any retries.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
retryOn:
description: Specifies the conditions under which retry
takes place.
@@ -9902,7 +10936,7 @@ spec:
specified regex.
properties:
match:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
rewrite:
description: The string that should replace into matching
@@ -9984,6 +11018,9 @@ spec:
timeout:
description: Timeout for HTTP requests, default is disabled.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: array
tcp:
@@ -10259,7 +11296,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
type: array
@@ -10273,6 +11310,19 @@ spec:
description: Specifies how long the results of a preflight
request can be cached.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
+ unmatchedPreflights:
+ description: |-
+ Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream.
+
+ Valid Options: FORWARD, IGNORE
+ enum:
+ - UNSPECIFIED
+ - FORWARD
+ - IGNORE
+ type: string
type: object
delegate:
description: Delegate is used to specify the particular VirtualService
@@ -10380,10 +11430,16 @@ spec:
properties:
exponentialDelay:
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
fixedDelay:
description: Add a fixed delay before forwarding the
request.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
percent:
description: Percentage of requests on which the delay
will be injected (0-100).
@@ -10441,7 +11497,7 @@ spec:
description: 'HTTP Authority values are case-sensitive
and formatted as follows: - `exact: "value"` for exact
string match - `prefix: "value"` for prefix-based match
- - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -10463,7 +11519,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
gateways:
@@ -10495,7 +11551,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
description: The header keys must be lowercase and use
@@ -10509,7 +11565,7 @@ spec:
description: 'HTTP Method values are case-sensitive and
formatted as follows: - `exact: "value"` for exact string
match - `prefix: "value"` for prefix-based match - `regex:
- "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -10531,7 +11587,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
name:
@@ -10566,7 +11622,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
description: Query parameters for matching.
@@ -10575,7 +11631,7 @@ spec:
description: 'URI Scheme values are case-sensitive and
formatted as follows: - `exact: "value"` for exact string
match - `prefix: "value"` for prefix-based match - `regex:
- "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -10597,7 +11653,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
sourceLabels:
@@ -10619,7 +11675,7 @@ spec:
description: 'URI to match values are case-sensitive and
formatted as follows: - `exact: "value"` for exact string
match - `prefix: "value"` for prefix-based match - `regex:
- "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -10641,7 +11697,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
withoutHeaders:
@@ -10667,7 +11723,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
description: withoutHeader has the same syntax with the
@@ -10819,6 +11875,9 @@ spec:
description: Timeout per attempt for a given request, including
the initial call and any retries.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
retryOn:
description: Specifies the conditions under which retry
takes place.
@@ -10845,7 +11904,7 @@ spec:
specified regex.
properties:
match:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
rewrite:
description: The string that should replace into matching
@@ -10927,6 +11986,9 @@ spec:
timeout:
description: Timeout for HTTP requests, default is disabled.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: array
tcp:
@@ -11202,7 +12264,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
type: array
@@ -11216,6 +12278,19 @@ spec:
description: Specifies how long the results of a preflight
request can be cached.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
+ unmatchedPreflights:
+ description: |-
+ Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream.
+
+ Valid Options: FORWARD, IGNORE
+ enum:
+ - UNSPECIFIED
+ - FORWARD
+ - IGNORE
+ type: string
type: object
delegate:
description: Delegate is used to specify the particular VirtualService
@@ -11323,10 +12398,16 @@ spec:
properties:
exponentialDelay:
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
fixedDelay:
description: Add a fixed delay before forwarding the
request.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
percent:
description: Percentage of requests on which the delay
will be injected (0-100).
@@ -11384,7 +12465,7 @@ spec:
description: 'HTTP Authority values are case-sensitive
and formatted as follows: - `exact: "value"` for exact
string match - `prefix: "value"` for prefix-based match
- - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -11406,7 +12487,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
gateways:
@@ -11438,7 +12519,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
description: The header keys must be lowercase and use
@@ -11452,7 +12533,7 @@ spec:
description: 'HTTP Method values are case-sensitive and
formatted as follows: - `exact: "value"` for exact string
match - `prefix: "value"` for prefix-based match - `regex:
- "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -11474,7 +12555,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
name:
@@ -11509,7 +12590,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
description: Query parameters for matching.
@@ -11518,7 +12599,7 @@ spec:
description: 'URI Scheme values are case-sensitive and
formatted as follows: - `exact: "value"` for exact string
match - `prefix: "value"` for prefix-based match - `regex:
- "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -11540,7 +12621,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
sourceLabels:
@@ -11562,7 +12643,7 @@ spec:
description: 'URI to match values are case-sensitive and
formatted as follows: - `exact: "value"` for exact string
match - `prefix: "value"` for prefix-based match - `regex:
- "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+ "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
oneOf:
- not:
anyOf:
@@ -11584,7 +12665,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
withoutHeaders:
@@ -11610,7 +12691,7 @@ spec:
prefix:
type: string
regex:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
type: object
description: withoutHeader has the same syntax with the
@@ -11762,6 +12843,9 @@ spec:
description: Timeout per attempt for a given request, including
the initial call and any retries.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
retryOn:
description: Specifies the conditions under which retry
takes place.
@@ -11788,7 +12872,7 @@ spec:
specified regex.
properties:
match:
- description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+ description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
type: string
rewrite:
description: The string that should replace into matching
@@ -11870,6 +12954,9 @@ spec:
timeout:
description: Timeout for HTTP requests, default is disabled.
type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
type: object
type: array
tcp:
@@ -12183,10 +13270,20 @@ spec:
properties:
matchLabels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label value match
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
+ maxProperties: 4096
type: object
+ x-kubernetes-validations:
+ - message: wildcard not allowed in label key match
+ rule: self.all(key, !key.contains('*'))
+ - message: key must not be empty
+ rule: self.all(key, key.size() != 0)
type: object
sha256:
description: SHA256 checksum that will be used to verify Wasm module
@@ -12197,34 +13294,68 @@ spec:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
targetRefs:
description: Optional.
items:
properties:
group:
description: group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
+ x-kubernetes-validations:
+ - message: cross namespace referencing is not currently supported
+ rule: self.size() == 0
+ required:
+ - kind
+ - name
type: object
+ x-kubernetes-validations:
+ - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway']]"
type: array
type:
description: |-
@@ -12242,9 +13373,9 @@ spec:
type: string
x-kubernetes-validations:
- message: url must have schema one of [http, https, file, oci]
- rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',
- 'oci', 'file']) : (isURL('http://' + self) && url('http://' +self).getScheme()
- in ['', 'http', 'https', 'oci', 'file'])"
+ rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',\
+ \ 'oci', 'file']) : (isURL('http://' + self) && url('http://'\
+ \ +self).getScheme() in ['', 'http', 'https', 'oci', 'file'])"
verificationKey:
type: string
vmConfig:
@@ -12278,8 +13409,8 @@ spec:
type: object
x-kubernetes-validations:
- message: value may only be set when valueFrom is INLINE
- rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'
- || !has(self.value)"
+ rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'\
+ \ || !has(self.value)"
maxItems: 256
type: array
x-kubernetes-list-map-keys:
@@ -12350,29 +13481,47 @@ spec:
address:
description: Address associated with the network endpoint without
the port.
+ maxLength: 256
type: string
+ x-kubernetes-validations:
+ - message: UDS must be an absolute path or abstract socket
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
+ \ || self.substring(7,8) == '@') : true"
+ - message: UDS may not be a dir
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
additionalProperties:
type: string
description: One or more labels associated with the endpoint.
+ maxProperties: 256
type: object
locality:
description: The locality associated with the endpoint.
+ maxLength: 2048
type: string
network:
description: Network enables Istio to group endpoints resident in
the same L3 domain/network.
+ maxLength: 2048
type: string
ports:
additionalProperties:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
description: Set of ports associated with the endpoint.
+ maxProperties: 128
type: object
+ x-kubernetes-validations:
+ - message: port name must be valid
+ rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$'))
serviceAccount:
description: The service account associated with the workload if a
sidecar is present in the workload.
+ maxLength: 253
type: string
weight:
description: The load balancing weight associated with the endpoint.
@@ -12380,9 +13529,19 @@ spec:
minimum: 0
type: integer
type: object
+ x-kubernetes-validations:
+ - message: Address is required
+ rule: has(self.address) || has(self.network)
+ - message: UDS may not include ports
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
+ \ : true"
status:
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
+ - spec
+ - spec
type: object
served: true
storage: false
@@ -12412,29 +13571,47 @@ spec:
address:
description: Address associated with the network endpoint without
the port.
+ maxLength: 256
type: string
+ x-kubernetes-validations:
+ - message: UDS must be an absolute path or abstract socket
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
+ \ || self.substring(7,8) == '@') : true"
+ - message: UDS may not be a dir
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
additionalProperties:
type: string
description: One or more labels associated with the endpoint.
+ maxProperties: 256
type: object
locality:
description: The locality associated with the endpoint.
+ maxLength: 2048
type: string
network:
description: Network enables Istio to group endpoints resident in
the same L3 domain/network.
+ maxLength: 2048
type: string
ports:
additionalProperties:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
description: Set of ports associated with the endpoint.
+ maxProperties: 128
type: object
+ x-kubernetes-validations:
+ - message: port name must be valid
+ rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$'))
serviceAccount:
description: The service account associated with the workload if a
sidecar is present in the workload.
+ maxLength: 253
type: string
weight:
description: The load balancing weight associated with the endpoint.
@@ -12442,9 +13619,19 @@ spec:
minimum: 0
type: integer
type: object
+ x-kubernetes-validations:
+ - message: Address is required
+ rule: has(self.address) || has(self.network)
+ - message: UDS may not include ports
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
+ \ : true"
status:
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
+ - spec
+ - spec
type: object
served: true
storage: false
@@ -12474,29 +13661,47 @@ spec:
address:
description: Address associated with the network endpoint without
the port.
+ maxLength: 256
type: string
+ x-kubernetes-validations:
+ - message: UDS must be an absolute path or abstract socket
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
+ \ || self.substring(7,8) == '@') : true"
+ - message: UDS may not be a dir
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
additionalProperties:
type: string
description: One or more labels associated with the endpoint.
+ maxProperties: 256
type: object
locality:
description: The locality associated with the endpoint.
+ maxLength: 2048
type: string
network:
description: Network enables Istio to group endpoints resident in
the same L3 domain/network.
+ maxLength: 2048
type: string
ports:
additionalProperties:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
description: Set of ports associated with the endpoint.
+ maxProperties: 128
type: object
+ x-kubernetes-validations:
+ - message: port name must be valid
+ rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$'))
serviceAccount:
description: The service account associated with the workload if a
sidecar is present in the workload.
+ maxLength: 253
type: string
weight:
description: The load balancing weight associated with the endpoint.
@@ -12504,9 +13709,19 @@ spec:
minimum: 0
type: integer
type: object
+ x-kubernetes-validations:
+ - message: Address is required
+ rule: has(self.address) || has(self.network)
+ - message: UDS may not include ports
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
+ \ : true"
status:
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
+ - spec
+ - spec
type: object
served: true
storage: true
@@ -12551,10 +13766,8 @@ spec:
openAPIV3Schema:
properties:
spec:
- description: '`WorkloadGroup` enables specifying the properties of a single
- workload for bootstrap and provides a template for `WorkloadEntry`,
- similar to how `Deployment` specifies properties of workloads via `Pod`
- templates.'
+ description: 'Describes a collection of workload instances. See more details
+ at: https://istio.io/docs/reference/config/networking/workload-group.html'
properties:
metadata:
description: Metadata that will be used for all corresponding `WorkloadEntries`.
@@ -12671,29 +13884,47 @@ spec:
address:
description: Address associated with the network endpoint without
the port.
+ maxLength: 256
type: string
+ x-kubernetes-validations:
+ - message: UDS must be an absolute path or abstract socket
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
+ - message: UDS may not be a dir
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
additionalProperties:
type: string
description: One or more labels associated with the endpoint.
+ maxProperties: 256
type: object
locality:
description: The locality associated with the endpoint.
+ maxLength: 2048
type: string
network:
description: Network enables Istio to group endpoints resident
in the same L3 domain/network.
+ maxLength: 2048
type: string
ports:
additionalProperties:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
description: Set of ports associated with the endpoint.
+ maxProperties: 128
type: object
+ x-kubernetes-validations:
+ - message: port name must be valid
+ rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$'))
serviceAccount:
description: The service account associated with the workload
if a sidecar is present in the workload.
+ maxLength: 253
type: string
weight:
description: The load balancing weight associated with the endpoint.
@@ -12701,6 +13932,10 @@ spec:
minimum: 0
type: integer
type: object
+ x-kubernetes-validations:
+ - message: UDS may not include ports
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
required:
- template
type: object
@@ -12844,29 +14079,47 @@ spec:
address:
description: Address associated with the network endpoint without
the port.
+ maxLength: 256
type: string
+ x-kubernetes-validations:
+ - message: UDS must be an absolute path or abstract socket
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
+ - message: UDS may not be a dir
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
additionalProperties:
type: string
description: One or more labels associated with the endpoint.
+ maxProperties: 256
type: object
locality:
description: The locality associated with the endpoint.
+ maxLength: 2048
type: string
network:
description: Network enables Istio to group endpoints resident
in the same L3 domain/network.
+ maxLength: 2048
type: string
ports:
additionalProperties:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
description: Set of ports associated with the endpoint.
+ maxProperties: 128
type: object
+ x-kubernetes-validations:
+ - message: port name must be valid
+ rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$'))
serviceAccount:
description: The service account associated with the workload
if a sidecar is present in the workload.
+ maxLength: 253
type: string
weight:
description: The load balancing weight associated with the endpoint.
@@ -12874,6 +14127,10 @@ spec:
minimum: 0
type: integer
type: object
+ x-kubernetes-validations:
+ - message: UDS may not include ports
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
required:
- template
type: object
@@ -12899,10 +14156,8 @@ spec:
openAPIV3Schema:
properties:
spec:
- description: '`WorkloadGroup` enables specifying the properties of a single
- workload for bootstrap and provides a template for `WorkloadEntry`,
- similar to how `Deployment` specifies properties of workloads via `Pod`
- templates.'
+ description: 'Describes a collection of workload instances. See more details
+ at: https://istio.io/docs/reference/config/networking/workload-group.html'
properties:
metadata:
description: Metadata that will be used for all corresponding `WorkloadEntries`.
@@ -13019,29 +14274,47 @@ spec:
address:
description: Address associated with the network endpoint without
the port.
+ maxLength: 256
type: string
+ x-kubernetes-validations:
+ - message: UDS must be an absolute path or abstract socket
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
+ - message: UDS may not be a dir
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
additionalProperties:
type: string
description: One or more labels associated with the endpoint.
+ maxProperties: 256
type: object
locality:
description: The locality associated with the endpoint.
+ maxLength: 2048
type: string
network:
description: Network enables Istio to group endpoints resident
in the same L3 domain/network.
+ maxLength: 2048
type: string
ports:
additionalProperties:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
description: Set of ports associated with the endpoint.
+ maxProperties: 128
type: object
+ x-kubernetes-validations:
+ - message: port name must be valid
+ rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$'))
serviceAccount:
description: The service account associated with the workload
if a sidecar is present in the workload.
+ maxLength: 253
type: string
weight:
description: The load balancing weight associated with the endpoint.
@@ -13049,6 +14322,10 @@ spec:
minimum: 0
type: integer
type: object
+ x-kubernetes-validations:
+ - message: UDS may not include ports
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
required:
- template
type: object
diff --git a/common/istio-1-22/istio-crds/base/kustomization.yaml b/common/istio-1-23/istio-crds/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-22/istio-crds/base/kustomization.yaml
rename to common/istio-1-23/istio-crds/base/kustomization.yaml
diff --git a/common/istio-1-22/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-1-23/istio-install/base/deny_all_authorizationpolicy.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/deny_all_authorizationpolicy.yaml
rename to common/istio-1-23/istio-install/base/deny_all_authorizationpolicy.yaml
diff --git a/common/istio-1-22/istio-install/base/gateway.yaml b/common/istio-1-23/istio-install/base/gateway.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/gateway.yaml
rename to common/istio-1-23/istio-install/base/gateway.yaml
diff --git a/common/istio-1-22/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-1-23/istio-install/base/gateway_authorizationpolicy.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/gateway_authorizationpolicy.yaml
rename to common/istio-1-23/istio-install/base/gateway_authorizationpolicy.yaml
diff --git a/common/istio-1-22/istio-install/base/install.yaml b/common/istio-1-23/istio-install/base/install.yaml
similarity index 98%
rename from common/istio-1-22/istio-install/base/install.yaml
rename to common/istio-1-23/istio-install/base/install.yaml
index e43e9eecf0..59d77f1575 100644
--- a/common/istio-1-22/istio-install/base/install.yaml
+++ b/common/istio-1-23/istio-install/base/install.yaml
@@ -202,6 +202,16 @@ rules:
- patch
- create
- delete
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - serviceentries/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -424,7 +434,6 @@ metadata:
name: istio-validator-istio-system
webhooks:
- admissionReviewVersions:
- - v1beta1
- v1
clientConfig:
service:
@@ -711,6 +720,9 @@ data:
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
+ {{- if .Values.global.proxy.outlierLogPath }}
+ - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+ {{- end}}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
@@ -1052,12 +1064,16 @@ data:
}
spec:
securityContext:
+ {{- if .Values.gateways.securityContext }}
+ {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+ {{- else }}
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
+ {{- end }}
containers:
- name: istio-proxy
- {{- if contains "/" .Values.global.proxy.image }}
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .ProxyImage }}"
@@ -1875,10 +1891,17 @@ data:
securityContext:
privileged: false
runAsGroup: 1337
- runAsUser: 0
+ runAsUser: 1337
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
capabilities:
drop:
- ALL
+ {{- if .Values.gateways.seccompProfile }}
+ seccompProfile:
+ {{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+ {{- end }}
volumeMounts:
- name: workload-socket
mountPath: /var/run/secrets/workload-spiffe-uds
@@ -1951,6 +1974,7 @@ data:
name: "{{.Name}}"
uid: "{{.UID}}"
spec:
+ ipFamilyPolicy: PreferDualStack
ports:
{{- range $key, $val := .Ports }}
- name: {{ $val.Name | quote }}
@@ -2036,12 +2060,17 @@ data:
"istio.io/gateway-name" .Name
) | nindent 8 }}
spec:
- {{- if ge .KubeVersion 122 }}
- {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}}
securityContext:
+ {{- if .Values.gateways.securityContext }}
+ {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+ {{- else }}
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
+ {{- if .Values.gateways.seccompProfile }}
+ seccompProfile:
+ {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+ {{- end }}
{{- end }}
serviceAccountName: {{.ServiceAccount | quote}}
containers:
@@ -2057,8 +2086,6 @@ data:
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
securityContext:
- {{- if ge .KubeVersion 122 }}
- # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
capabilities:
drop:
- ALL
@@ -2068,18 +2095,6 @@ data:
runAsUser: {{ .ProxyUID | default "1337" }}
runAsGroup: {{ .ProxyGID | default "1337" }}
runAsNonRoot: true
- {{- else }}
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- runAsUser: 0
- runAsGroup: 1337
- runAsNonRoot: false
- allowPrivilegeEscalation: true
- readOnlyRootFilesystem: true
- {{- end }}
ports:
- containerPort: 15021
name: status-port
@@ -2320,6 +2335,10 @@ data:
---
values: |-
{
+ "gateways": {
+ "seccompProfile": {},
+ "securityContext": {}
+ },
"global": {
"autoscalingv2API": true,
"caAddress": "",
@@ -2374,6 +2393,7 @@ data:
"includeInboundPorts": "*",
"includeOutboundPorts": "",
"logLevel": "warning",
+ "outlierLogPath": "",
"privileged": false,
"readinessFailureThreshold": 4,
"readinessInitialDelaySeconds": 0,
@@ -2407,7 +2427,7 @@ data:
"sts": {
"servicePort": 0
},
- "tag": "1.22.1",
+ "tag": "1.23.2",
"variant": ""
},
"istio_cni": {
@@ -2455,7 +2475,6 @@ metadata:
name: istio-sidecar-injector
webhooks:
- admissionReviewVersions:
- - v1beta1
- v1
clientConfig:
service:
@@ -2491,7 +2510,6 @@ webhooks:
- pods
sideEffects: None
- admissionReviewVersions:
- - v1beta1
- v1
clientConfig:
service:
@@ -2529,7 +2547,6 @@ webhooks:
- pods
sideEffects: None
- admissionReviewVersions:
- - v1beta1
- v1
clientConfig:
service:
@@ -2563,7 +2580,6 @@ webhooks:
- pods
sideEffects: None
- admissionReviewVersions:
- - v1beta1
- v1
clientConfig:
service:
@@ -2695,8 +2711,7 @@ spec:
- name: ISTIO_META_WORKLOAD_NAME
value: istio-ingressgateway
- name: ISTIO_META_OWNER
- value:
- kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
+ value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: TRUST_DOMAIN
@@ -2709,7 +2724,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.22.1
+ image: docker.io/istio/proxyv2:1.23.2
name: istio-proxy
ports:
- containerPort: 15021
@@ -2885,6 +2900,8 @@ spec:
fieldPath: spec.serviceAccountName
- name: KUBECONFIG
value: /var/run/secrets/remote/config
+ - name: CA_TRUSTED_NODE_ACCOUNTS
+ value: istio-system/ztunnel
- name: PILOT_TRACE_SAMPLING
value: '1'
- name: PILOT_ENABLE_ANALYSIS
@@ -2901,7 +2918,7 @@ spec:
resource: limits.cpu
- name: PLATFORM
value: ''
- image: docker.io/istio/pilot:1.22.1
+ image: docker.io/istio/pilot:1.23.2
name: discovery
ports:
- containerPort: 8080
diff --git a/common/istio-1-22/istio-install/base/kustomization.yaml b/common/istio-1-23/istio-install/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/kustomization.yaml
rename to common/istio-1-23/istio-install/base/kustomization.yaml
diff --git a/common/istio-1-22/istio-install/base/patches/disable-debugging.yaml b/common/istio-1-23/istio-install/base/patches/disable-debugging.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/patches/disable-debugging.yaml
rename to common/istio-1-23/istio-install/base/patches/disable-debugging.yaml
diff --git a/common/istio-1-22/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/patches/istio-configmap-disable-tracing.yaml
rename to common/istio-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml
diff --git a/common/istio-1-22/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
rename to common/istio-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
diff --git a/common/istio-1-22/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-1-23/istio-install/base/patches/istiod-remove-pdb.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/patches/istiod-remove-pdb.yaml
rename to common/istio-1-23/istio-install/base/patches/istiod-remove-pdb.yaml
diff --git a/common/istio-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
rename to common/istio-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
diff --git a/common/istio-1-22/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-1-23/istio-install/base/patches/seccomp-istiod.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/patches/seccomp-istiod.yaml
rename to common/istio-1-23/istio-install/base/patches/seccomp-istiod.yaml
diff --git a/common/istio-1-22/istio-install/base/patches/service.yaml b/common/istio-1-23/istio-install/base/patches/service.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/base/patches/service.yaml
rename to common/istio-1-23/istio-install/base/patches/service.yaml
diff --git a/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml
similarity index 100%
rename from common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml
rename to common/istio-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml
diff --git a/common/istio-1-22/istio-namespace/base/kustomization.yaml b/common/istio-1-23/istio-namespace/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-22/istio-namespace/base/kustomization.yaml
rename to common/istio-1-23/istio-namespace/base/kustomization.yaml
diff --git a/common/istio-1-22/istio-namespace/base/namespace.yaml b/common/istio-1-23/istio-namespace/base/namespace.yaml
similarity index 100%
rename from common/istio-1-22/istio-namespace/base/namespace.yaml
rename to common/istio-1-23/istio-namespace/base/namespace.yaml
diff --git a/common/istio-1-22/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-1-23/kubeflow-istio-resources/base/cluster-roles.yaml
similarity index 100%
rename from common/istio-1-22/kubeflow-istio-resources/base/cluster-roles.yaml
rename to common/istio-1-23/kubeflow-istio-resources/base/cluster-roles.yaml
diff --git a/common/istio-1-22/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml
similarity index 100%
rename from common/istio-1-22/kubeflow-istio-resources/base/kf-istio-resources.yaml
rename to common/istio-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml
diff --git a/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-1-23/kubeflow-istio-resources/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml
rename to common/istio-1-23/kubeflow-istio-resources/base/kustomization.yaml
diff --git a/common/istio-1-22/profile-overlay.yaml b/common/istio-1-23/profile-overlay.yaml
similarity index 100%
rename from common/istio-1-22/profile-overlay.yaml
rename to common/istio-1-23/profile-overlay.yaml
diff --git a/common/istio-1-22/profile.yaml b/common/istio-1-23/profile.yaml
similarity index 97%
rename from common/istio-1-22/profile.yaml
rename to common/istio-1-23/profile.yaml
index 7d6ef09cb6..077b0c86d2 100644
--- a/common/istio-1-22/profile.yaml
+++ b/common/istio-1-23/profile.yaml
@@ -14,7 +14,7 @@ spec:
enabled: true
hub: docker.io/istio
profile: default
- tag: 1.22.1
+ tag: 1.23.2
values:
defaultRevision: ""
gateways:
diff --git a/common/istio-1-22/split-istio-packages b/common/istio-1-23/split-istio-packages
similarity index 100%
rename from common/istio-1-22/split-istio-packages
rename to common/istio-1-23/split-istio-packages
diff --git a/common/oauth2-proxy/components/README.md b/common/oauth2-proxy/components/README.md
index d44bb35fce..8332d6d5ec 100644
--- a/common/oauth2-proxy/components/README.md
+++ b/common/oauth2-proxy/components/README.md
@@ -154,9 +154,9 @@ make the following changes to the `example/kustomization.yaml` file:
* use `oauth2-proxy` overlay for istio-install
```
# from
- - ../common/istio-1-22/istio-install/base
+ - ../common/istio-1-23/istio-install/base
# to
- - ../common/istio-1-22/istio-install/overlays/oauth2-proxy
+ - ../common/istio-1-23/istio-install/overlays/oauth2-proxy
```
* change `OIDC Authservice` to `oauth2-proxy for OIDC` and use overlay for m2m
bearer tokens with self-signed in-cluster issuer
@@ -189,12 +189,12 @@ index c1a85789..4a50440c 100644
+++ b/example/kustomization.yaml
@@ -38,11 +38,11 @@ resources:
# Istio
- - ../common/istio-1-22/istio-crds/base
- - ../common/istio-1-22/istio-namespace/base
--- ../common/istio-1-22/istio-install/base
+ - ../common/istio-1-23/istio-crds/base
+ - ../common/istio-1-23/istio-namespace/base
+-- ../common/istio-1-23/istio-install/base
-# OIDC Authservice
-- ../common//oidc-authservice/base
-+- ../common/istio-1-22/istio-install/overlays/oauth2-proxy
++- ../common/istio-1-23/istio-install/overlays/oauth2-proxy
+# oauth2-proxy for OIDC
+- ../common/oauth2-proxy/overlays/m2m-dex-and-kind
# Dex
diff --git a/contrib/kserve/README.md b/contrib/kserve/README.md
index 671dd70733..250480c0e2 100644
--- a/contrib/kserve/README.md
+++ b/contrib/kserve/README.md
@@ -61,15 +61,15 @@ For upgrading see [UPGRADE.md](UPGRADE.md)
```
5. Install Istio
```sh
- kubectl apply -k ../../common/istio-1-22/istio-crds/base
- kubectl apply -k ../../common/istio-1-22/istio-namespace/base
- kubectl apply -k ../../common/istio-1-22/istio-install/base
+ kubectl apply -k ../../common/istio-1-23/istio-crds/base
+ kubectl apply -k ../../common/istio-1-23/istio-namespace/base
+ kubectl apply -k ../../common/istio-1-23/istio-install/base
```
6. Install knative
```sh
kubectl apply -k ../../common/knative/knative-serving/overlays/gateways
- kubectl apply -k ../../common/istio-1-22/cluster-local-gateway/base
- kubectl apply -k ../../common/istio-1-22/kubeflow-istio-resources/base
+ kubectl apply -k ../../common/istio-1-23/cluster-local-gateway/base
+ kubectl apply -k ../../common/istio-1-23/kubeflow-istio-resources/base
```
7. Install kserve
```sh
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index f553452b06..2c0e243274 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
@@ -37,9 +37,9 @@ resources:
- ../common/cert-manager/cert-manager/base
- ../common/cert-manager/kubeflow-issuer/base
# Istio
-- ../common/istio-1-22/istio-crds/base
-- ../common/istio-1-22/istio-namespace/base
-- ../common/istio-1-22/istio-install/overlays/oauth2-proxy
+- ../common/istio-1-23/istio-crds/base
+- ../common/istio-1-23/istio-namespace/base
+- ../common/istio-1-23/istio-install/overlays/oauth2-proxy
# oauth2-proxy
# NOTE: only uncomment ONE of the following overlays, depending on your cluster type
- ../common/oauth2-proxy/overlays/m2m-dex-only # for all clusters
@@ -52,7 +52,7 @@ resources:
- ../common/knative/knative-serving/overlays/gateways
# Uncomment the following line if `knative-eventing` is required
# - ../common/knative/knative-eventing/base
-- ../common/istio-1-22/cluster-local-gateway/base
+- ../common/istio-1-23/cluster-local-gateway/base
# Kubeflow namespace
- ../common/kubeflow-namespace/base
# NetworkPolicies
@@ -60,7 +60,7 @@ resources:
# Kubeflow Roles
- ../common/kubeflow-roles/base
# Kubeflow Istio Resources
-- ../common/istio-1-22/kubeflow-istio-resources/base
+- ../common/istio-1-23/kubeflow-istio-resources/base
# Kubeflow Pipelines
diff --git a/hack/synchronize-istio-manifests.sh b/hack/synchronize-istio-manifests.sh
index ad75d68022..e2e1e97629 100755
--- a/hack/synchronize-istio-manifests.sh
+++ b/hack/synchronize-istio-manifests.sh
@@ -15,9 +15,9 @@
set -euxo pipefail
IFS=$'\n\t'
-COMMIT="1.22.1"
-CURRENT_VERSION="1-21"
-NEW_VERSION="1-22" # Must be a release
+COMMIT="1.23.2"
+CURRENT_VERSION="1-22"
+NEW_VERSION="1-23" # Must be a release
SRC_DIR=${SRC_DIR:=/tmp/istio} # Must be a release
BRANCH=${BRANCH:=istio-${COMMIT?}}
diff --git a/hack/trivy_scan.py b/hack/trivy_scan.py
index 3e2213eaa5..b93334156e 100755
--- a/hack/trivy_scan.py
+++ b/hack/trivy_scan.py
@@ -34,7 +34,7 @@
"automl": "../apps/katib/upstream/installs",
"pipelines": "../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env",
"training": "../apps/training-operator/upstream/overlays",
- "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-22/istio-crds/base ../common/istio-1-22/istio-namespace/base ../common/istio-1-22/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-22/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-22/kubeflow-istio-resources/base",
+ "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-23/istio-crds/base ../common/istio-1-23/istio-namespace/base ../common/istio-1-23/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-23/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-23/kubeflow-istio-resources/base",
"workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/overlays ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays",
"serving": "../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow",
"model-registry": "../apps/model-registry/upstream",
diff --git a/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml b/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml
index 0da06749e5..3d34b0f0ab 100644
--- a/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml
+++ b/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml
@@ -34,14 +34,14 @@ sortOptions:
resources:
# Istio
-- ../../../common/istio-1-22/istio-crds/base
-- ../../../common/istio-1-22/istio-namespace/base
-- ../../../common/istio-1-22/istio-install/overlays/oauth2-proxy
+- ../../../common/istio-1-23/istio-crds/base
+- ../../../common/istio-1-23/istio-namespace/base
+- ../../../common/istio-1-23/istio-install/overlays/oauth2-proxy
# oauth2-proxy
- ../../../common/oauth2-proxy/overlays/m2m-dex-and-kind
# Dex
- ../../../common/dex/overlays/oauth2-proxy
-- ../../../common/istio-1-22/cluster-local-gateway/base
+- ../../../common/istio-1-23/cluster-local-gateway/base
# Kubeflow namespace
- ../../../common/kubeflow-namespace/base
# NetworkPolicies
@@ -49,7 +49,7 @@ resources:
# Kubeflow Roles
- ../../../common/kubeflow-roles/base
# Kubeflow Istio Resources
-- ../../../common/istio-1-22/kubeflow-istio-resources/base
+- ../../../common/istio-1-23/kubeflow-istio-resources/base
# Central Dashboard
- ../../../apps/centraldashboard/overlays/oauth2-proxy
# Profiles + KFAM
diff --git a/tests/gh-actions/install_istio.sh b/tests/gh-actions/install_istio.sh
index 6af5b748d4..5d8e66d427 100755
--- a/tests/gh-actions/install_istio.sh
+++ b/tests/gh-actions/install_istio.sh
@@ -1,7 +1,7 @@
#!/bin/bash
set -e
echo "Installing Istio (with ExtAuthZ from oauth2-proxy) ..."
-cd common/istio-1-22
+cd common/istio-1-23
kustomize build istio-crds/base | kubectl apply -f -
kustomize build istio-namespace/base | kubectl apply -f -
kustomize build istio-install/overlays/oauth2-proxy | kubectl apply -f -
diff --git a/tests/gh-actions/install_knative.sh b/tests/gh-actions/install_knative.sh
index 70fe05b42e..c9b04b36cb 100755
--- a/tests/gh-actions/install_knative.sh
+++ b/tests/gh-actions/install_knative.sh
@@ -6,8 +6,8 @@ kustomize build common/knative/knative-serving/base | kubectl apply -f -
set -e
kustomize build common/knative/knative-serving/base | kubectl apply -f -
-kustomize build common/istio-1-22/cluster-local-gateway/base | kubectl apply -f -
-kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio-1-23/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s \
--field-selector=status.phase!=Succeeded