Applies the patch to the listener.

Applies the patch to the filter chain.

Applies the patch to the network filter chain, to modify an existing filter or add a new filter.

Applies the patch to the HTTP filter chain in the http connection manager, to modify an existing filter or add a new filter.

Applies the patch to the Route configuration (rds output) inside a HTTP connection manager. This does not apply to the virtual host. Currently, only MERGE operation is allowed on the route configuration objects.

Applies the patch to a virtual host inside a route configuration.

Applies the patch to a route object inside the matched virtual host in a route configuration. Currently, only MERGE operation is allowed on the route objects.

Applies the patch to a cluster in a CDS output. Also used to add new clusters.

The service port for which this cluster was generated. If omitted, applies to clusters for any port.

The fully qualified service name for this cluster. If omitted, applies to clusters for any service. For services defined through service entries, the service name is same as the hosts defined in the service entry.

The subset associated with the service. If omitted, applies to clusters for any subset of a service.

The exact name of the cluster to match. To match a specific cluster by name, such as the internally generated “Passthrough” cluster, leave all fields in clusterMatch empty, except the name.

All protocols

HTTP or HTTPS (with termination) / HTTP2/gRPC

Any non-HTTP listener

All listeners

Inbound listener in sidecar

Outbound listener in sidecar

Gateway listener

Match on properties associated with a proxy.

Match on envoy listener attributes.

Match on envoy HTTP route configuration attributes.

Match on envoy cluster attributes.

Specifies where in the Envoy configuration, the patch should be applied. The match is expected to select the appropriate object based on applyTo. For example, an applyTo with HTTPFILTER is expected to have a match condition on the listeners, with a network filter selection on envoy.httpconnection_manager and a sub filter selection on the HTTP filter relative to which the insertion should be performed. Similarly, an applyTo on CLUSTER should have a match (if provided) on the cluster and not on a listener.

Match on listener/route configuration/cluster.

The patch to apply along with the operation.

Insert first

Insert last

Insert before the named filter.

Insert after the named filter.

The service port/gateway port to which traffic is being sent/received. If not specified, matches all listeners. Even though inbound listeners are generated for the instance/pod ports, only service ports should be used to match listeners.

Match a specific filter chain in a listener. If specified, the patch will be applied to the filter chain (and a specific filter if specified) and not to other filter chains in the listener.

Match a specific listener by its name. The listeners generated by Pilot are typically named as IP:Port.

The name assigned to the filter chain.

The SNI value used by a filter chain’s match condition. This condition will evaluate to false if the filter chain has no sni match.

Applies only to SIDECARINBOUND context. If non-empty, a transport protocol to consider when determining a filter chain match. This value will be compared against the transport protocol of a new connection, when it’s detected by the tlsinspector listener filter.

Accepted values include:

• raw_buffer - default, used when no transport protocol is detected.
• tls - set when TLS protocol is detected by the TLS inspector.

Applies only to sidecars. If non-empty, a comma separated set of application protocols to consider when determining a filter chain match. This value will be compared against the application protocols of a new connection, when it’s detected by one of the listener filters such as the http_inspector.

Accepted values include: h2,http/1.1,http/1.0

The name of a specific filter to apply the patch to. Set this to envoy.httpconnectionmanager to add a filter or apply a patch to the HTTP connection manager.

The filter name to match on.

The next level filter within this filter to match upon. Typically used for HTTP Connection Manager filters and Thrift filters.

Determines how the patch should be applied.

The JSON config of the object being patched. This will be merged using json merge semantics with the existing proto in the path.

All listeners/routes/clusters in both sidecars and gateways.

Inbound listener/route/cluster in sidecar.

Outbound listener/route/cluster in sidecar.

Gateway listener/route/cluster.

A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. The Istio version for a given proxy is obtained from the node metadata field ISTIOVERSION supplied by the proxy when connecting to Pilot. This value is embedded as an environment variable (ISTIOMETAISTIOVERSION) in the Istio proxy docker image. Custom proxy implementations should provide this metadata variable to take advantage of the Istio version check option.

Match on the node metadata supplied by a proxy when connecting to Istio Pilot. Note that while Envoy’s node metadata is of type Struct, only string key-value pairs are processed by Pilot. All keys specified in the metadata must match with exact values. The match will fail if any of the specified keys are absent or the values fail to match.

The service port number or gateway server port number for which this route configuration was generated. If omitted, applies to route configurations for all ports.

Applicable only for GATEWAY context. The gateway server port name for which this route configuration was generated.

The Istio gateway config’s namespace/name for which this route configuration was generated. Applies only if the context is GATEWAY. Should be in the namespace/name format. Use this field in conjunction with the portNumber and portName to accurately select the Envoy route configuration for a specific HTTPS server within a gateway config object.

Match a specific virtual host in a route configuration and apply the patch to the virtual host.

Route configuration name to match on. Can be used to match a specific route configuration by name, such as the internally generated “http_proxy” route configuration for all sidecars.

The Route objects generated by default are named as “default”. Route objects generated using a virtual service will carry the name used in the virtual service’s HTTP routes.

Match a route with specific action type.

All three route actions

Route traffic to a cluster / weighted clusters.

Redirect request.

directly respond to a request with specific payload.

Match a specific route within the virtual host.