
    Installation Options (Helm)

    Installing Istio with Helm is in the process of deprecation; however, you can still use these Helm configuration options when installing Istio with istioctl by prepending the string "values." to the option name. For example, instead of this helm command:

        $ helm template ... --set global.mtls.enabled=true

    you can use this istioctl command:

        $ istioctl manifest generate ... --set values.global.mtls.enabled=true

    Refer to customizing the configuration for details.

    This document is unfortunately out of date with respect to the latest changes in the set of supported options. To get the exact set of supported options, please see the Helm charts.

    certmanager options

    Key                                                     Default value  Description
    certmanager.enabled                                     false
    certmanager.replicaCount                                1
    certmanager.hub                                         quay.io/jetstack
    certmanager.image                                       cert-manager-controller
    certmanager.tag                                         v0.6.2
    certmanager.resources                                   {}
    certmanager.nodeSelector                                {}
    certmanager.tolerations                                 []
    certmanager.podAntiAffinityLabelSelector                []
    certmanager.podAntiAffinityTermLabelSelector            []

    galley options

    Key                                                     Default value  Description
    galley.enabled                                          true
    galley.replicaCount                                     1
    galley.rollingMaxSurge                                  100%
    galley.rollingMaxUnavailable                            25%
    galley.image                                            galley
    galley.nodeSelector                                     {}
    galley.tolerations                                      []
    galley.podAntiAffinityLabelSelector                     []
    galley.podAntiAffinityTermLabelSelector                 []

    gateways options

    Key                                                             Default value  Description
    gateways.enabled                                                true
    gateways.istio-ingressgateway.enabled                           true
    gateways.istio-ingressgateway.sds.enabled                       false  If true, the ingress gateway fetches credentials from the SDS server to handle TLS connections.
    gateways.istio-ingressgateway.sds.image                         node-agent-k8s  SDS server that watches Kubernetes secrets and provisions credentials to the ingress gateway. It runs in the same pod as the ingress gateway.
    gateways.istio-ingressgateway.sds.resources.requests.cpu        100m
    gateways.istio-ingressgateway.sds.resources.requests.memory     128Mi
    gateways.istio-ingressgateway.sds.resources.limits.cpu          2000m
    gateways.istio-ingressgateway.sds.resources.limits.memory       1024Mi
    gateways.istio-ingressgateway.labels.app                        istio-ingressgateway
    gateways.istio-ingressgateway.labels.istio                      ingressgateway
    gateways.istio-ingressgateway.autoscaleEnabled                  true
    gateways.istio-ingressgateway.autoscaleMin                      1
    gateways.istio-ingressgateway.autoscaleMax                      5
    gateways.istio-ingressgateway.rollingMaxSurge                   100%
    gateways.istio-ingressgateway.rollingMaxUnavailable             25%
    gateways.istio-ingressgateway.resources.requests.cpu            100m
    gateways.istio-ingressgateway.resources.requests.memory         128Mi
    gateways.istio-ingressgateway.resources.limits.cpu              2000m
    gateways.istio-ingressgateway.resources.limits.memory           1024Mi
    gateways.istio-ingressgateway.cpu.targetAverageUtilization      80
    gateways.istio-ingressgateway.loadBalancerIP                    ""
    gateways.istio-ingressgateway.loadBalancerSourceRanges          []
    gateways.istio-ingressgateway.externalIPs                       []
    gateways.istio-ingressgateway.serviceAnnotations                {}
    gateways.istio-ingressgateway.podAnnotations                    {}
    gateways.istio-ingressgateway.type                              LoadBalancer  Change to NodePort, ClusterIP or LoadBalancer if need be
    gateways.istio-ingressgateway.ports.targetPort                  15020
    gateways.istio-ingressgateway.ports.name                        status-port
    gateways.istio-ingressgateway.ports.targetPort                  80
    gateways.istio-ingressgateway.ports.name                        http2
    gateways.istio-ingressgateway.ports.nodePort                    31380
    gateways.istio-ingressgateway.ports.name                        https
    gateways.istio-ingressgateway.ports.nodePort                    31390
    gateways.istio-ingressgateway.ports.name                        tcp
    gateways.istio-ingressgateway.ports.nodePort                    31400
    gateways.istio-ingressgateway.ports.targetPort                  15029
    gateways.istio-ingressgateway.ports.name                        https-kiali
    gateways.istio-ingressgateway.ports.targetPort                  15030
    gateways.istio-ingressgateway.ports.name                        https-prometheus
    gateways.istio-ingressgateway.ports.targetPort                  15031
    gateways.istio-ingressgateway.ports.name                        https-grafana
    gateways.istio-ingressgateway.ports.targetPort                  15032
    gateways.istio-ingressgateway.ports.name                        https-tracing
    gateways.istio-ingressgateway.ports.targetPort                  15443
    gateways.istio-ingressgateway.ports.name                        tls
    gateways.istio-ingressgateway.meshExpansionPorts.targetPort     15011
    gateways.istio-ingressgateway.meshExpansionPorts.name           tcp-pilot-grpc-tls
    gateways.istio-ingressgateway.meshExpansionPorts.targetPort     15004
    gateways.istio-ingressgateway.meshExpansionPorts.name           tcp-mixer-grpc-tls
    gateways.istio-ingressgateway.meshExpansionPorts.targetPort     8060
    gateways.istio-ingressgateway.meshExpansionPorts.name           tcp-citadel-grpc-tls
    gateways.istio-ingressgateway.meshExpansionPorts.targetPort     853
    gateways.istio-ingressgateway.meshExpansionPorts.name           tcp-dns-tls
    gateways.istio-ingressgateway.secretVolumes.secretName          istio-ingressgateway-certs
    gateways.istio-ingressgateway.secretVolumes.mountPath           /etc/istio/ingressgateway-certs
    gateways.istio-ingressgateway.secretVolumes.secretName          istio-ingressgateway-ca-certs
    gateways.istio-ingressgateway.secretVolumes.mountPath           /etc/istio/ingressgateway-ca-certs
    gateways.istio-ingressgateway.applicationPorts                  ""
    gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE        "sni-dnat"  A gateway in this mode ensures that pilot generates an additional set of clusters for internal services, but without Istio mTLS, to enable cross-cluster routing.
    gateways.istio-ingressgateway.nodeSelector                      {}
    gateways.istio-ingressgateway.tolerations                       []
    gateways.istio-ingressgateway.podAntiAffinityLabelSelector      []
    gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector  []
    gateways.istio-egressgateway.enabled                            false
    gateways.istio-egressgateway.labels.app                         istio-egressgateway
    gateways.istio-egressgateway.labels.istio                       egressgateway
    gateways.istio-egressgateway.autoscaleEnabled                   true
    gateways.istio-egressgateway.autoscaleMin                       1
    gateways.istio-egressgateway.autoscaleMax                       5
    gateways.istio-egressgateway.rollingMaxSurge                    100%
    gateways.istio-egressgateway.rollingMaxUnavailable              25%
    gateways.istio-egressgateway.resources.requests.cpu             100m
    gateways.istio-egressgateway.resources.requests.memory          128Mi
    gateways.istio-egressgateway.resources.limits.cpu               2000m
    gateways.istio-egressgateway.resources.limits.memory            1024Mi
    gateways.istio-egressgateway.cpu.targetAverageUtilization       80
    gateways.istio-egressgateway.serviceAnnotations                 {}
    gateways.istio-egressgateway.podAnnotations                     {}
    gateways.istio-egressgateway.type                               ClusterIP  Change to NodePort or LoadBalancer if need be
    gateways.istio-egressgateway.ports.name                         http2
    gateways.istio-egressgateway.ports.name                         https
    gateways.istio-egressgateway.ports.targetPort                   15443
    gateways.istio-egressgateway.ports.name                         tls
    gateways.istio-egressgateway.secretVolumes.secretName           istio-egressgateway-certs
    gateways.istio-egressgateway.secretVolumes.mountPath            /etc/istio/egressgateway-certs
    gateways.istio-egressgateway.secretVolumes.secretName           istio-egressgateway-ca-certs
    gateways.istio-egressgateway.secretVolumes.mountPath            /etc/istio/egressgateway-ca-certs
    gateways.istio-egressgateway.env.ISTIO_META_ROUTER_MODE         "sni-dnat"
    gateways.istio-egressgateway.nodeSelector                       {}
    gateways.istio-egressgateway.tolerations                        []
    gateways.istio-egressgateway.podAntiAffinityLabelSelector       []
    gateways.istio-egressgateway.podAntiAffinityTermLabelSelector   []
    gateways.istio-ilbgateway.enabled                               false
    gateways.istio-ilbgateway.labels.app                            istio-ilbgateway
    gateways.istio-ilbgateway.labels.istio                          ilbgateway
    gateways.istio-ilbgateway.autoscaleEnabled                      true
    gateways.istio-ilbgateway.autoscaleMin                          1
    gateways.istio-ilbgateway.autoscaleMax                          5
    gateways.istio-ilbgateway.rollingMaxSurge                       100%
    gateways.istio-ilbgateway.rollingMaxUnavailable                 25%
    gateways.istio-ilbgateway.cpu.targetAverageUtilization          80
    gateways.istio-ilbgateway.resources.requests.cpu                800m
    gateways.istio-ilbgateway.resources.requests.memory             512Mi
    gateways.istio-ilbgateway.loadBalancerIP                        ""
    gateways.istio-ilbgateway.serviceAnnotations.cloud.google.com/load-balancer-type  "internal"
    gateways.istio-ilbgateway.podAnnotations                        {}
    gateways.istio-ilbgateway.type                                  LoadBalancer
    gateways.istio-ilbgateway.ports.name                            grpc-pilot-mtls
    gateways.istio-ilbgateway.ports.name                            grpc-pilot
    gateways.istio-ilbgateway.ports.targetPort                      8060
    gateways.istio-ilbgateway.ports.name                            tcp-citadel-grpc-tls
    gateways.istio-ilbgateway.ports.name                            tcp-dns
    gateways.istio-ilbgateway.secretVolumes.secretName              istio-ilbgateway-certs
    gateways.istio-ilbgateway.secretVolumes.mountPath               /etc/istio/ilbgateway-certs
    gateways.istio-ilbgateway.secretVolumes.secretName              istio-ilbgateway-ca-certs
    gateways.istio-ilbgateway.secretVolumes.mountPath               /etc/istio/ilbgateway-ca-certs
    gateways.istio-ilbgateway.nodeSelector                          {}
    gateways.istio-ilbgateway.tolerations                           []

    global options

    Key                                                             Default value  Description
    global.hub                                                                     Default hub for Istio images. Releases are published to docker hub under the 'istio' project. Daily builds from prow are on gcr.io
    global.tag                                                                     Default tag for Istio images.
    global.logging.level                                            "default:info"
    global.monitoringPort                                           15014  Monitoring port used by mixer, pilot, galley and the sidecar injector
    global.k8sIngress.enabled                                       false
    global.k8sIngress.gatewayName                                   ingressgateway  Gateway used for k8s Ingress resources. By default it uses 'istio:ingressgateway', which is installed by setting the 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled' flags to true.
    global.k8sIngress.enableHttps                                   false  Adds port 443 on the ingress. It REQUIRES that the certificates are installed in the expected secrets; enabling this option without certificates will result in LDS rejection and the ingress will not work.
    global.proxy.init.resources.limits.cpu                          100m
    global.proxy.init.resources.limits.memory                       50Mi
    global.proxy.init.resources.requests.cpu                        10m
    global.proxy.init.resources.requests.memory                     10Mi
    global.proxy.image                                              proxyv2
    global.proxy.clusterDomain                                      "cluster.local"  Cluster domain.
    global.proxy.resources.requests.cpu                             100m
    global.proxy.resources.requests.memory                          128Mi
    global.proxy.resources.limits.cpu                               2000m
    global.proxy.resources.limits.memory                            1024Mi
    global.proxy.concurrency                                        2  Controls the number of proxy worker threads. If set to 0, a worker thread is started for each CPU thread/core.
    global.proxy.accessLogFile                                      ""
    global.proxy.accessLogFormat                                    ""  Configures how and which fields are displayed in the sidecar access log. An empty string selects the default log format.
    global.proxy.accessLogEncoding                                  TEXT  Sidecar access log encoding: JSON or TEXT.
    global.proxy.envoyAccessLogService.enabled                      false
    global.proxy.envoyAccessLogService.host                                        example: accesslog-service.istio-system
    global.proxy.envoyAccessLogService.port                                        example: 15000
    global.proxy.envoyAccessLogService.tlsSettings.mode             DISABLE  One of DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
    global.proxy.envoyAccessLogService.tlsSettings.clientCertificate               example: /etc/istio/als/cert-chain.pem
    global.proxy.envoyAccessLogService.tlsSettings.privateKey                      example: /etc/istio/als/key.pem
    global.proxy.envoyAccessLogService.tlsSettings.caCertificates                  example: /etc/istio/als/root-cert.pem
    global.proxy.envoyAccessLogService.tlsSettings.sni                             example: als.somedomain
    global.proxy.envoyAccessLogService.tlsSettings.subjectAltNames  []
    global.proxy.envoyAccessLogService.tcpKeepalive.probes          3
    global.proxy.envoyAccessLogService.tcpKeepalive.time            10s
    global.proxy.envoyAccessLogService.tcpKeepalive.interval        10s
    global.proxy.logLevel                                           ""  Log level for the proxy; applies to gateways and sidecars. If left empty, "warning" is used. Expected values: trace|debug|info|warning|error|critical|off
    global.proxy.componentLogLevel                                  ""  Per-component log level for the proxy; applies to gateways and sidecars. If a component level is not set, the global "logLevel" is used. If left empty, "misc:error" is used.
    global.proxy.dnsRefreshRate                                     300s  DNS refresh rate for Envoy clusters of type STRICT_DNS. This must be given in seconds: 300s is valid, 5m is invalid.
    global.proxy.protocolDetectionTimeout                           10ms  Automatic protocol detection uses heuristics to determine whether a connection uses TLS (on the server side) and which application protocol is in use (e.g., HTTP vs TCP). These heuristics rely on the client sending the first bytes of data. For server-first protocols such as MySQL or MongoDB, Envoy times out on protocol detection after this period and falls back to plain (non-mTLS) TCP. Tune this field to change how long Envoy waits for the client's first bytes. (MUST BE >= 1ms)
    global.proxy.privileged                                         false  If true, the istio-proxy container runs with a privileged securityContext.
    global.proxy.enableCoreDump                                     false  If true, newly injected sidecars have core dumps enabled.
    global.proxy.enableCoreDumpImage                                ubuntu:xenial  Image used to enable core dumps; only used when "enableCoreDump" is true.
    global.proxy.statusPort                                         15020  Default port for Pilot agent health checks. A value of 0 disables health checking.
    global.proxy.readinessInitialDelaySeconds                       1  Initial delay for readiness probes, in seconds.
    global.proxy.readinessPeriodSeconds                             2  Period between readiness probes.
    global.proxy.readinessFailureThreshold                          30  Number of successive failed probes before the sidecar is reported not ready.
    global.proxy.includeIPRanges                                    ""
    global.proxy.excludeIPRanges                                    ""
    global.proxy.excludeOutboundPorts                               ""
    global.proxy.kubevirtInterfaces                                 ""  Pod internal interfaces
    global.proxy.includeInboundPorts                                ""
    global.proxy.excludeInboundPorts                                ""
    global.proxy.autoInject                                         enabled  Controls the 'policy' in the sidecar injector.
    global.proxy.envoyStatsd.enabled                                false  If true, host and port must also be provided. Istio no longer provides a statsd collector.
    global.proxy.envoyStatsd.host                                                  example: statsd-svc.istio-system
    global.proxy.envoyStatsd.port                                                  example: 9125
    global.proxy.envoyMetricsService.enabled                        false
    global.proxy.envoyMetricsService.host                                          example: metrics-service.istio-system
    global.proxy.envoyMetricsService.port                                          example: 15000
    global.proxy.tracer                                             "zipkin"  Which tracer to use: one of zipkin, lightstep, datadog, stackdriver. If using the stackdriver tracer outside GCP, set the env var GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
    global.proxy_init.image                                         proxy_init  Base name for the proxy_init container, used to configure iptables.
    global.imagePullPolicy                                          IfNotPresent
    global.controlPlaneSecurityEnabled                              false  Enables control-plane security. Results in delays starting pods while secrets are propagated; not recommended for tests.
    global.disablePolicyChecks                                      true  Disables Mixer policy checks; only has effect when mixer.policy.enabled is true. Sets the value with the same name in the istio config map; pilot needs to be restarted to take effect.
    global.policyCheckFailOpen                                      false  Allows traffic when the Mixer policy service cannot be reached. The default, false, denies traffic when the client is unable to connect to Mixer.
    global.enableTracing                                            true  Sets the value with the same name in the istio config map; requires a pilot restart to take effect.
    global.tracer.lightstep.address                                 ""  example: lightstep-satellite:443
    global.tracer.lightstep.accessToken                             ""  example: abcdefg1234567
    global.tracer.lightstep.secure                                  true  example: true|false
    global.tracer.lightstep.cacertPath                              ""  example: /etc/lightstep/cacert.pem
    global.tracer.zipkin.address                                    ""
    global.tracer.datadog.address                                   "$(HOST_IP):8126"
    global.mtls.enabled                                             false  Default setting for service-to-service mTLS. Can be set explicitly using destination rules or service annotations.
    global.imagePullSecrets                                         []  Secrets needed to pull Istio images from a private registry.
    global.arch.amd64                                               2
    global.arch.s390x                                               2
    global.arch.ppc64le                                             2
    global.oneNamespace                                             false  Whether to restrict the application namespaces the controller manages; if not set, the controller watches all namespaces.
    global.defaultNodeSelector                                      {}  Default node selector applied to all deployments so that all pods can be constrained to particular nodes. Each component can override it by adding its own nodeSelector block in the relevant section below.
    global.defaultTolerations                                       []  Default node tolerations applied to all deployments so that all pods can be scheduled on nodes with matching taints. Each component can override it by adding its own tolerations block in the relevant section below. Configure this when all Istio control plane pods are expected to be scheduled on particular tainted nodes.
    global.configValidation                                         true  Whether to perform server-side validation of configuration.
    global.meshExpansion.enabled                                    false
    global.meshExpansion.useILB                                     false  If true, the pilot and citadel mTLS ports and the plaintext pilot ports are exposed on an internal gateway.
    global.multiCluster.enabled                                     false  Set to true to connect two Kubernetes clusters via their respective ingressgateway services when pods in each cluster cannot talk to one another directly. All clusters must use Istio mTLS and share a root CA for this model to work.
    global.defaultResources.requests.cpu                            10m
    global.defaultPodDisruptionBudget.enabled                       true
    global.priorityClassName                                        ""
    global.useMCP                                                   true  Use the Mesh Control Protocol (MCP) for configuring Mixer and Pilot. Requires galley (--set galley.enabled=true).
    global.trustDomain                                              ""
    global.meshID                                                   ""  Mesh ID means Mesh Identifier. It should be unique within the scope where meshes interact with each other, but need not be globally unique. For example, if any of the following are true, the two meshes must have different Mesh IDs: the meshes have their telemetry aggregated in one place; the meshes are federated together; policy is written referencing one mesh from the other. If an administrator expects any of these conditions may become true in the future, they should ensure their meshes have different Mesh IDs. Within a multicluster mesh, each cluster must be (manually or automatically) configured with the same Mesh ID. If an existing cluster joins a multicluster mesh, it will need to be migrated to the new mesh ID; details of migration are TBD, and changing the Mesh ID post-install may be disruptive. If the mesh admin does not specify a value, Istio uses the mesh's Trust Domain, so the best practice is to select a proper Trust Domain value.
    global.outboundTrafficPolicy.mode                               ALLOW_ANY
    global.sds.enabled                                              false  If true, mTLS certificates for the sidecars are distributed through the SecretDiscoveryService instead of being mounted from Kubernetes secrets.
    global.sds.udsPath                                              ""
    global.meshNetworks                                             {}
    global.localityLbSetting.enabled                                true
    global.enableHelmTest                                           false  Whether helm test is enabled. False by default, so 'helm template ...' ignores the helm test yaml files when generating the template.
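
    Several of the options above (mTLS, control-plane security, outbound traffic policy, privileged proxies, policy fail-open) decide how much the mesh actually protects, and the helm-to-istioctl translation from the introduction is purely mechanical, so both are worth automating before a manifest is generated. The Python script below is an added example, not part of the Istio documentation or charts: it parses helm-style --set arguments (including the \, escape for a literal comma), emits the istioctl spelling with the values. prefix, and reports settings that leave the mesh weaker than a production install should accept. The defaults it consults (PAGE_DEFAULTS) are copied from the tables on this page; the rule list, the finding texts and the sample --set input are this example's own choices, not an Istio-maintained check.

```python
"""Translate helm-style --set arguments to the istioctl form used on this page and
flag security-relevant settings before generating a manifest.

Added example, not Istio's own tooling.  The defaults below are copied from the
tables on this page; the rule list is this example's own selection."""
import re

# Defaults as listed in the tables on this page for the keys the rules consult.
PAGE_DEFAULTS = {
    "global.mtls.enabled": "false",
    "global.controlPlaneSecurityEnabled": "false",
    "global.outboundTrafficPolicy.mode": "ALLOW_ANY",
    "global.proxy.privileged": "false",
    "global.proxy.enableCoreDump": "false",
    "global.disablePolicyChecks": "true",
    "global.policyCheckFailOpen": "false",
    "mixer.policy.enabled": "false",
    "gateways.istio-ingressgateway.sds.enabled": "false",
    "kiali.dashboard.auth.strategy": "login",
    "kiali.createDemoSecret": "false",
    "grafana.security.enabled": "false",
}

# Constructed sample input: what an operator might have passed to `helm template --set`.
SAMPLE_HELM_SET_ARGS = [
    "global.mtls.enabled=true,global.controlPlaneSecurityEnabled=true",
    "global.proxy.privileged=true",
    "kiali.enabled=true,kiali.dashboard.auth.strategy=anonymous",
    r"global.proxy.accessLogFormat=%START_TIME%\,%RESPONSE_CODE%",  # helm escapes a literal comma as \,
]


def parse_set_args(set_args):
    """Parse helm --set arguments into a flat {dotted.key: value} dict.

    helm accepts several key=value pairs per --set separated by commas, and
    `\\,` for a literal comma inside a value.  Keys stay dotted, matching the
    tables on this page; list indexes and nested maps are not needed here."""
    values = {}
    for arg in set_args:
        for item in re.split(r"(?<!\\),", arg):  # split on commas not preceded by a backslash
            if not item:
                continue
            key, sep, val = item.partition("=")
            if not sep or not key:
                raise ValueError(f"malformed --set item: {item!r}")
            values[key.strip()] = val.replace("\\,", ",")
    return values


def to_istioctl_flags(values):
    """The istioctl spelling: every helm key gains the `values.` prefix."""
    return [f"--set values.{key}={val}" for key, val in values.items()]


def effective(values, key):
    """Value the chart will see: the operator's override or the page's default."""
    return values.get(key, PAGE_DEFAULTS[key])


def audit(values):
    """Return (key, finding, istioctl flag that changes it) for settings worth a second look."""
    findings = []

    def check(key, weak, finding, fix):
        if effective(values, key).lower() == weak.lower():
            findings.append((key, finding, f"--set values.{key}={fix}"))

    check("global.mtls.enabled", "false", "service-to-service mTLS is off (the page's default)", "true")
    check("global.controlPlaneSecurityEnabled", "false", "sidecar-to-control-plane (Pilot, Mixer) traffic is not mTLS-protected", "true")
    check("global.outboundTrafficPolicy.mode", "ALLOW_ANY", "sidecars may open connections to any external host", "REGISTRY_ONLY")
    check("global.proxy.privileged", "true", "istio-proxy runs with a privileged securityContext", "false")
    check("global.proxy.enableCoreDump", "true", "core dumps write proxy memory, including TLS key material, to disk", "false")
    check("global.policyCheckFailOpen", "true", "traffic is allowed whenever Mixer policy is unreachable", "false")
    check("gateways.istio-ingressgateway.sds.enabled", "false", "ingress TLS keys are mounted from a Secret instead of fetched over SDS", "true")
    check("kiali.dashboard.auth.strategy", "anonymous", "Kiali UI is reachable without login", "login")
    check("kiali.createDemoSecret", "true", "a Kiali secret with demo credentials will be created", "false")
    check("grafana.security.enabled", "false", "Grafana admin login is not backed by grafana.security.secretName", "true")
    # mixer.policy.enabled only matters together with disablePolicyChecks (see the table note).
    if (effective(values, "mixer.policy.enabled").lower() == "true"
            and effective(values, "global.disablePolicyChecks").lower() == "true"):
        findings.append(("global.disablePolicyChecks",
                         "mixer.policy is enabled but policy checks are disabled, so no policy is evaluated",
                         "--set values.global.disablePolicyChecks=false"))
    return findings


if __name__ == "__main__":
    overrides = parse_set_args(SAMPLE_HELM_SET_ARGS)
    print("istioctl manifest generate " + " ".join(to_istioctl_flags(overrides)))
    for key, finding, fix in audit(overrides):
        print(f"{key}: {finding} -> {fix}")
```

    Run it with the --set arguments you would have handed to helm; each finding names the istioctl flag that changes the setting. The check reads only the keys it knows defaults for, so extend PAGE_DEFAULTS together with the rule list when you add a key from another table.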

    grafana options

    Key                                                     Default value  Description
    grafana.enabled                                         false
    grafana.replicaCount                                    1
    grafana.image.repository                                grafana/grafana
    grafana.image.tag                                       6.1.6
    grafana.ingress.enabled                                 false
    grafana.ingress.hosts                                   grafana.local  Used to create an Ingress record.
    grafana.persist                                         false
    grafana.storageClassName                                ""
    grafana.accessMode                                      ReadWriteMany
    grafana.security.enabled                                false
    grafana.security.secretName                             grafana
    grafana.security.usernameKey                            username
    grafana.security.passphraseKey                          passphrase
    grafana.nodeSelector                                    {}
    grafana.tolerations                                     []
    grafana.env                                             {}
    grafana.envSecrets                                      {}
    grafana.podAntiAffinityLabelSelector                    []
    grafana.podAntiAffinityTermLabelSelector                []
    grafana.contextPath                                     /grafana
    grafana.service.annotations                             {}
    grafana.service.name                                    http
    grafana.service.type                                    ClusterIP
    grafana.service.externalPort                            3000
    grafana.datasources.datasources.apiVersion              1
    grafana.datasources.datasources.datasources.type        prometheus
    grafana.datasources.datasources.datasources.type.orgId  1
    grafana.datasources.datasources.datasources.type.url    http://prometheus:9090
    grafana.datasources.datasources.datasources.type.access  proxy
    grafana.datasources.datasources.datasources.type.isDefault  true
    grafana.datasources.datasources.datasources.type.jsonData.timeInterval  5s
    grafana.datasources.datasources.datasources.type.editable  true
    grafana.dashboardProviders.dashboardproviders.apiVersion  1
    grafana.dashboardProviders.dashboardproviders.providers.orgId  1
    grafana.dashboardProviders.dashboardproviders.providers.orgId.folder  'istio'
    grafana.dashboardProviders.dashboardproviders.providers.orgId.type  file
    grafana.dashboardProviders.dashboardproviders.providers.orgId.disableDeletion  false
    grafana.dashboardProviders.dashboardproviders.providers.orgId.options.path  /var/lib/grafana/dashboards/istio

    istio_cni options

    Key                                                     Default value  Description
    istio_cni.enabled                                       false

    istiocoredns options

    Key                                                     Default value  Description
    istiocoredns.enabled                                    false
    istiocoredns.replicaCount                               1
    istiocoredns.rollingMaxSurge                            100%
    istiocoredns.rollingMaxUnavailable                      25%
    istiocoredns.coreDNSImage                               coredns/coredns:1.1.2
    istiocoredns.coreDNSPluginImage                         istio/coredns-plugin:0.2-istio-1.1
    istiocoredns.nodeSelector                               {}
    istiocoredns.tolerations                                []
    istiocoredns.podAntiAffinityLabelSelector               []
    istiocoredns.podAntiAffinityTermLabelSelector           []

    kiali options

    Key                                                     Default value  Description
    kiali.enabled                                           false  Note that if using the demo yaml when installing via Helm, this default will be true.
    kiali.replicaCount                                      1
    kiali.hub                                               quay.io/kiali
    kiali.image                                             kiali
    kiali.tag                                               v1.1.0
    kiali.contextPath                                       /kiali  The root context path to access the Kiali UI.
    kiali.nodeSelector                                      {}
    kiali.tolerations                                       []
    kiali.podAntiAffinityLabelSelector                      []
    kiali.podAntiAffinityTermLabelSelector                  []
    kiali.ingress.enabled                                   false
    kiali.ingress.hosts                                     kiali.local  Used to create an Ingress record.
    kiali.dashboard.auth.strategy                           login  Can be anonymous, login, or openshift
    kiali.dashboard.secretName                              kiali  You must create a secret with this name; one is not provided out of the box.
    kiali.dashboard.viewOnlyMode                            false  Bind the service account to a role with only read access
    kiali.dashboard.grafanaURL                                             If you have Grafana installed and it is accessible to client browsers, set this to its external URL. Kiali redirects users to this URL when Grafana metrics are to be shown.
    kiali.dashboard.jaegerURL                                              If you have Jaeger installed and it is accessible to client browsers, set this to its external URL. Kiali redirects users to this URL when Jaeger tracing is to be shown.
    kiali.prometheusAddr                                    http://prometheus:9090
    kiali.createDemoSecret                                  false  When true, a secret is created with a default username and password. Useful for demos.
    kiali.security.enabled                                  true
    kiali.security.cert_file                                /kiali-cert/cert-chain.pem
    kiali.security.private_key_file                         /kiali-cert/key.pem

    mixer options

    Key                                                     Default value  Description
    mixer.image                                             mixer
    mixer.env.GODEBUG                                       gctrace=1
    mixer.env.GOMAXPROCS                                    "6"  max procs should be ceil(cpu limit + 1)
    mixer.policy.enabled                                    false  If policy is enabled, global.disablePolicyChecks has effect.
    mixer.policy.replicaCount                               1
    mixer.policy.autoscaleEnabled                           true
    mixer.policy.autoscaleMin                               1
    mixer.policy.autoscaleMax                               5
    mixer.policy.cpu.targetAverageUtilization               80
    mixer.policy.rollingMaxSurge                            100%
    mixer.policy.rollingMaxUnavailable                      25%
    mixer.telemetry.enabled                                 true
    mixer.telemetry.replicaCount                            1
    mixer.telemetry.autoscaleEnabled                        true
    mixer.telemetry.autoscaleMin                            1
    mixer.telemetry.autoscaleMax                            5
    mixer.telemetry.cpu.targetAverageUtilization            80
    mixer.telemetry.rollingMaxSurge                         100%
    mixer.telemetry.rollingMaxUnavailable                   25%
    mixer.telemetry.sessionAffinityEnabled                  false
    mixer.telemetry.loadshedding.mode                       enforce  disabled, logonly or enforce
    mixer.telemetry.loadshedding.latencyThreshold           100ms  Based on measurements, a 100ms p50 translates to a p99 of under 1s. This is acceptable for telemetry, which is inherently asynchronous.
    mixer.telemetry.resources.requests.cpu                  1000m
    mixer.telemetry.resources.requests.memory               1G
    mixer.telemetry.resources.limits.cpu                    4800m  It is best to scale mixer horizontally using moderate cpu allocation. These values were found experimentally to work well.
    mixer.telemetry.resources.limits.memory                 4G
    mixer.telemetry.reportBatchMaxEntries                   100  Set to 0 to use the default batching behavior (i.e., every 100 requests). A positive value is the number of requests batched before telemetry data is sent to the mixer server.
    mixer.telemetry.reportBatchMaxTime                      1s  Set to 0 to use the default batching behavior (i.e., every 1 second). A positive value is the maximum time since the last request that telemetry data is batched before being sent to the mixer server.
    mixer.podAnnotations                                    {}
    mixer.nodeSelector                                      {}
    mixer.tolerations                                       []
    mixer.podAntiAffinityLabelSelector                      []
    mixer.podAntiAffinityTermLabelSelector                  []
    mixer.adapters.kubernetesenv.enabled                    true
    mixer.adapters.stdio.enabled                            false
    mixer.adapters.stdio.outputAsJson                       true
    mixer.adapters.prometheus.enabled                       true
    mixer.adapters.prometheus.metricsExpiryDuration         10m
    mixer.adapters.useAdapterCRDs                           false  Setting this to false sets the useAdapterCRDs mixer startup argument to false

    nodeagent options

    Key                                                     Default value  Description
    nodeagent.enabled                                       false
    nodeagent.image                                         node-agent-k8s
    nodeagent.env.CA_PROVIDER                               ""  Name of the authentication provider.
    nodeagent.env.CA_ADDR                                   ""  CA endpoint.
    nodeagent.env.Plugins                                   ""  Names of the authentication provider's plugins.
    nodeagent.nodeSelector                                  {}
    nodeagent.tolerations                                   []
    nodeagent.podAntiAffinityLabelSelector                  []
    nodeagent.podAntiAffinityTermLabelSelector              []

    pilot options

    Key                                                     Default value  Description
    pilot.enabled                                           true
    pilot.autoscaleEnabled                                  true
    pilot.autoscaleMin                                      1
    pilot.autoscaleMax                                      5
    pilot.rollingMaxSurge                                   100%
    pilot.rollingMaxUnavailable                             25%
    pilot.image                                             pilot
    pilot.sidecar                                           true
    pilot.traceSampling                                     1.0
    pilot.enableProtocolSniffing                            false  Whether protocol sniffing is enabled. Defaults to false.
    pilot.resources.requests.cpu                            500m
    pilot.resources.requests.memory                         2048Mi
    pilot.env.PILOT_PUSH_THROTTLE                           100
    pilot.env.GODEBUG                                       gctrace=1
    pilot.cpu.targetAverageUtilization                      80
    pilot.nodeSelector                                      {}
    pilot.tolerations                                       []
    pilot.podAntiAffinityLabelSelector                      []
    pilot.podAntiAffinityTermLabelSelector                  []
    pilot.keepaliveMaxServerConnectionAge                   30m  Limits how long a sidecar can stay connected to one pilot instance. It balances load across pilot instances at the cost of increased system churn.

    prometheus options

    Key                                                     Default value  Description
    prometheus.enabled                                      true
    prometheus.replicaCount                                 1
    prometheus.hub                                          docker.io/prom
    prometheus.image                                        prometheus
    prometheus.tag                                          v2.8.0
    prometheus.retention                                    6h
    prometheus.nodeSelector                                 {}
    prometheus.tolerations                                  []
    prometheus.podAntiAffinityLabelSelector                 []
    prometheus.podAntiAffinityTermLabelSelector             []
    prometheus.scrapeInterval                               15s  Controls the frequency of prometheus scraping
    prometheus.contextPath                                  /prometheus
    prometheus.ingress.enabled                              false
    prometheus.ingress.hosts                                prometheus.local  Used to create an Ingress record.
    prometheus.service.annotations                          {}
    prometheus.service.nodePort.enabled                     false
    prometheus.service.nodePort.port                        32090
    prometheus.security.enabled                             true

    security options

    Key                                                     Default value  Description
    security.enabled                                        true
    security.replicaCount                                   1
    security.rollingMaxSurge                                100%
    security.rollingMaxUnavailable                          25%
    security.enableNamespacesByDefault                      true  Determines Citadel's default behavior when neither the ca.istio.io/env nor the ca.istio.io/override label is found on a namespace. For example, consider a namespace called "target" that has neither label. To decide whether to generate secrets for service accounts created in "target", Citadel defers to this option: if it is "true", secrets are generated for the "target" namespace; if it is "false", Citadel does not generate secrets upon service account creation.
    security.image                                          citadel
    security.selfSigned                                     true  Indicates whether a self-signed CA is used.
    security.createMeshPolicy                               true
    security.nodeSelector                                   {}
    security.tolerations                                    []
    security.citadelHealthCheck                             false
    security.workloadCertTtl                                2160h  90*24hour = 2160h
    security.podAntiAffinityLabelSelector                   []
    security.podAntiAffinityTermLabelSelector               []

    sidecarInjectorWebhook options

    Key                                                     Default value  Description
    sidecarInjectorWebhook.enabled                          true
    sidecarInjectorWebhook.replicaCount                     1
    sidecarInjectorWebhook.rollingMaxSurge                  100%
    sidecarInjectorWebhook.rollingMaxUnavailable            25%
    sidecarInjectorWebhook.image                            sidecar_injector
    sidecarInjectorWebhook.enableNamespacesByDefault        false
    sidecarInjectorWebhook.nodeSelector                     {}
    sidecarInjectorWebhook.tolerations                      []
    sidecarInjectorWebhook.podAntiAffinityLabelSelector     []
    sidecarInjectorWebhook.podAntiAffinityTermLabelSelector  []
    sidecarInjectorWebhook.rewriteAppHTTPProbe              false  If true, the webhook or istioctl injector rewrites the PodSpec liveness health check to redirect the request to the sidecar. This makes liveness checks work even when mTLS is enabled.
    sidecarInjectorWebhook.neverInjectSelector              []  The alwaysInjectSelector and neverInjectSelector fields always inject the sidecar, or always skip injection, on pods matching the given label selector, regardless of the global policy. See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/more-control-adding-exceptions
    sidecarInjectorWebhook.alwaysInjectSelector             []
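
    The injector's decision for a single pod follows from the keys above: an explicit sidecar.istio.io/inject pod annotation wins, then neverInjectSelector, then alwaysInjectSelector, then the policy set by global.proxy.autoInject, with the namespace's istio-injection label (and enableNamespacesByDefault) acting as a gate in front of all of that. The Python below is an added example that models that decision so the precedence can be checked against real pod and namespace labels before rolling the configuration out; it is not the injector's code. The selector semantics are those of Kubernetes label selectors (matchLabels plus matchExpressions with In, NotIn, Exists and DoesNotExist), the host-network skip mirrors the injector's behaviour, and the sample values and pods are constructed for illustration.

```python
"""Model of the sidecar injector's per-pod decision, using the keys from the
sidecarInjectorWebhook table: explicit pod annotation first, then
neverInjectSelector, then alwaysInjectSelector, then the global policy
(global.proxy.autoInject).  Added example, not the injector's own code.
Selectors are Kubernetes LabelSelectors in dict form (matchLabels and
matchExpressions with In/NotIn/Exists/DoesNotExist)."""

INJECT_ANNOTATION = "sidecar.istio.io/inject"
TRUE_WORDS = {"y", "yes", "true", "on"}  # YAML-style booleans accepted in the annotation


def selector_matches(selector, labels):
    """True if the LabelSelector matches the label set.  An empty selector matches
    nothing, so a stray {} in neverInjectSelector cannot silently disable injection."""
    match_labels = selector.get("matchLabels", {})
    exprs = selector.get("matchExpressions", [])
    if not match_labels and not exprs:
        return False
    if any(labels.get(k) != v for k, v in match_labels.items()):
        return False
    for expr in exprs:
        key, op, vals = expr["key"], expr["operator"], set(expr.get("values", []))
        present = key in labels
        if op == "In" and not (present and labels[key] in vals):
            return False
        if op == "NotIn" and present and labels[key] in vals:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def namespace_opted_in(ns_labels, enable_namespaces_by_default):
    """The webhook's namespace gate.  With enableNamespacesByDefault=false a
    namespace must carry istio-injection=enabled; with true only
    istio-injection=disabled opts out."""
    label = ns_labels.get("istio-injection")
    return label != "disabled" if enable_namespaces_by_default else label == "enabled"


def inject_required(policy, never_selectors, always_selectors, pod):
    """Per-pod decision.  policy is the injector policy ('enabled' or 'disabled');
    pod is a dict with 'labels', 'annotations' and 'hostNetwork'."""
    if pod.get("hostNetwork", False):
        return False  # traffic of a host-network pod cannot be redirected to a sidecar
    annotation = pod.get("annotations", {}).get(INJECT_ANNOTATION, "").lower()
    if annotation:
        return annotation in TRUE_WORDS  # an explicit annotation wins over selectors and policy
    labels = pod.get("labels", {})
    if any(selector_matches(s, labels) for s in never_selectors):
        return False  # neverInjectSelector takes precedence over alwaysInjectSelector
    if any(selector_matches(s, labels) for s in always_selectors):
        return True
    return policy == "enabled"


def decide(values, ns_labels, pod):
    """Combine both gates, reading the Helm keys from this page out of a flat dict."""
    if not namespace_opted_in(ns_labels, values.get("sidecarInjectorWebhook.enableNamespacesByDefault", False)):
        return False
    return inject_required(
        values.get("global.proxy.autoInject", "enabled"),
        values.get("sidecarInjectorWebhook.neverInjectSelector", []),
        values.get("sidecarInjectorWebhook.alwaysInjectSelector", []),
        pod,
    )


# Constructed sample configuration: skip batch jobs, always inject pods labelled sidecar=required.
SAMPLE_VALUES = {
    "global.proxy.autoInject": "enabled",
    "sidecarInjectorWebhook.enableNamespacesByDefault": False,
    "sidecarInjectorWebhook.neverInjectSelector": [
        {"matchExpressions": [{"key": "batch-job", "operator": "Exists"}]},
    ],
    "sidecarInjectorWebhook.alwaysInjectSelector": [{"matchLabels": {"sidecar": "required"}}],
}
ENABLED_NS = {"istio-injection": "enabled"}

if __name__ == "__main__":
    for name, ns, pod in [
        ("plain pod, labelled namespace", ENABLED_NS, {"labels": {"app": "web"}}),
        ("batch job, labelled namespace", ENABLED_NS, {"labels": {"app": "web", "batch-job": "nightly"}}),
        ("batch job with explicit opt-in", ENABLED_NS, {"labels": {"batch-job": "x"}, "annotations": {INJECT_ANNOTATION: "true"}}),
        ("plain pod, unlabelled namespace", {}, {"labels": {"app": "web"}}),
    ]:
        print(f"{name}: inject={decide(SAMPLE_VALUES, ns, pod)}")
```

    The security-relevant consequence to keep in mind is that a pod matching neverInjectSelector, or carrying sidecar.istio.io/inject: "false", runs without a sidecar and therefore outside mTLS and policy enforcement, whatever the namespace label says; the model lets you enumerate exactly which pods that will be.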

    tracing options

    Key                                                     Default value  Description
    tracing.enabled                                         false
    tracing.provider                                        jaeger
    tracing.nodeSelector                                    {}
    tracing.tolerations                                     []
    tracing.podAntiAffinityLabelSelector                    []
    tracing.podAntiAffinityTermLabelSelector                []
    tracing.jaeger.hub                                      docker.io/jaegertracing
    tracing.jaeger.image                                    all-in-one
    tracing.jaeger.tag                                      1.12
    tracing.jaeger.memory.max_traces                        50000
    tracing.jaeger.spanStorageType                          badger  spanStorageType can be "memory" or "badger" for the all-in-one image
    tracing.jaeger.persist                                  false
    tracing.jaeger.storageClassName                         ""
    tracing.jaeger.accessMode                               ReadWriteMany
    tracing.zipkin.hub                                      docker.io/openzipkin
    tracing.zipkin.image                                    zipkin
    tracing.zipkin.tag                                      2.14.2
    tracing.zipkin.probeStartupDelay                        200
    tracing.zipkin.queryPort                                9411
    tracing.zipkin.resources.limits.cpu                     300m
    tracing.zipkin.resources.limits.memory                  900Mi
    tracing.zipkin.resources.requests.cpu                   150m
    tracing.zipkin.resources.requests.memory                900Mi
    tracing.zipkin.javaOptsHeap                             700
    tracing.zipkin.maxSpans                                 500000
    tracing.zipkin.node.cpus                                2
    tracing.service.annotations                             {}
    tracing.service.name                                    http
    tracing.service.type                                    ClusterIP
    tracing.service.externalPort                            9411
    tracing.ingress.enabled                                 false

    See also

    Customizable Install with Helm

    Install and configure Istio for in-depth evaluation or production use.

    Helm Changes

    Details the Helm chart installation options differences between Istio 1.1 and Istio 1.2.

    Helm Changes

    Details the Helm chart installation options differences between Istio 1.0 and Istio 1.1.

    Helm Changes

    Details the Helm chart installation options differences between Istio 1.2 and Istio 1.3.

    Install Istio with the Istio CNI plugin

    Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege.

    DNS Certificate Management

    Provision and manage DNS certificates in Istio.