我的书签
添加书签
移除书签pilot-agent
Generate the autocompletion script for pilot-agent for the specified shell. See each sub-command’s help for details on how to use the generated script.
| Flags | Description |
|---|---|
—log_as_json | Whether to format output as JSON or in plain console-friendly format |
—log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] (default )</td></tr><tr><td><code>--log_output_level <string></code></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate <string></code></td><td>The path for the optional rotating log file (default) |
—log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30) |
—log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000) |
—log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600) |
—log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default default:none) |
—log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout]) |
—vklog <Level> | number for the log level verbosity. Like -v flag. ex: —vklog=9 (default 0) |
pilot-agent completion bash
Generate the autocompletion script for the bash shell.
This script depends on the ‘bash-completion’ package. If it is not installed already, you can install it via your OS’s package manager.
To load completions in your current shell session:
source <(pilot-agent completion bash)
To load completions for every new session, execute once:
#### Linux:
pilot-agent completion bash > /etc/bash_completion.d/pilot-agent
#### macOS:
pilot-agent completion bash > $(brew —prefix)/etc/bash_completion.d/pilot-agent
You will need to start a new shell for this setup to take effect.
| Flags | Description |
|---|---|
—log_as_json | Whether to format output as JSON or in plain console-friendly format |
—log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] (default )</td></tr><tr><td><code>--log_output_level <string></code></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate <string></code></td><td>The path for the optional rotating log file (default) |
—log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30) |
—log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000) |
—log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600) |
—log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default default:none) |
—log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout]) |
—no-descriptions | disable completion descriptions |
—vklog <Level> | number for the log level verbosity. Like -v flag. ex: —vklog=9 (default 0) |
pilot-agent completion fish
Generate the autocompletion script for the fish shell.
pilot-agent completion fish | source
To load completions for every new session, execute once:
pilot-agent completion fish > ~/.config/fish/completions/pilot-agent.fish
You will need to start a new shell for this setup to take effect.
pilot-agent completion fish [flags]
| Flags | Description |
|---|---|
—log_as_json | Whether to format output as JSON or in plain console-friendly format |
—log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] (default )</td></tr><tr><td><code>--log_output_level <string></code></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate <string></code></td><td>The path for the optional rotating log file (default) |
—log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30) |
—log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000) |
—log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600) |
—log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default default:none) |
—log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout]) |
—no-descriptions | disable completion descriptions |
—vklog <Level> | number for the log level verbosity. Like -v flag. ex: —vklog=9 (default 0) |
pilot-agent completion powershell
Generate the autocompletion script for powershell.
To load completions in your current shell session:
pilot-agent completion powershell | Out-String | Invoke-Expression
To load completions for every new session, add the output of the above command to your powershell profile.
pilot-agent completion powershell [flags]
Generate the autocompletion script for the zsh shell.
If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:
echo “autoload -U compinit; compinit” >> ~/.zshrc
To load completions in your current shell session:
To load completions for every new session, execute once:
#### Linux:
pilot-agent completion zsh > “${fpath[1]}/_pilot-agent”
#### macOS:
pilot-agent completion zsh > $(brew —prefix)/share/zsh/site-functions/_pilot-agent
You will need to start a new shell for this setup to take effect.
| Flags | Description |
|---|---|
—log_as_json | Whether to format output as JSON or in plain console-friendly format |
—log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] (default )</td></tr><tr><td><code>--log_output_level <string></code></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate <string></code></td><td>The path for the optional rotating log file (default) |
—log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30) |
—log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000) |
—log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600) |
—log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default default:none) |
—log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout]) |
—no-descriptions | disable completion descriptions |
—vklog <Level> | number for the log level verbosity. Like -v flag. ex: —vklog=9 (default 0) |
pilot-agent istio-clean-iptables
Script responsible for cleaning up iptables rules
pilot-agent istio-clean-iptables [flags]
| Flags | Shorthand | Description |
|---|---|---|
—dry-run | -n | Do not call any external dependencies like iptables |
—log_as_json | Whether to format output as JSON or in plain console-friendly format | |
—log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] (default )</td></tr><tr><td><code>--log_output_level <string></code></td><td></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate <string></code></td><td></td><td>The path for the optional rotating log file (default) | |
—log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30) | |
—log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000) | |
—log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600) | |
—log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default default:none) | |
—log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout]) | |
—proxy-gid <string> | -g | Specify the GID of the user for which the redirection is not applied. (same default value as -u param) (default )</td></tr><tr><td><code>--proxy-uid <string></code></td><td><code>-u</code></td><td>Specify the UID of the user for which the redirection is not applied. Typically, this is the UID of the proxy container (default) |
—redirect-dns | Enable capture of dns traffic by istio-agent | |
—vklog <Level> | number for the log level verbosity. Like -v flag. ex: —vklog=9 (default 0) |
pilot-agent istio-iptables
istio-iptables is responsible for setting up port forwarding for Istio Sidecar.
pilot-agent istio-iptables [flags]
| Flags | Shorthand | Description |
|---|---|---|
—capture-all-dns | Instead of only capturing DNS traffic to DNS server IP, capture all DNS traffic at port 53. This setting is only effective when redirect dns is enabled. | |
—cni-mode | Whether to run as CNI plugin. | |
—drop-invalid | Enable invalid drop in the iptables rules | |
—dry-run | -n | Do not call any external dependencies like iptables |
—envoy-port <string> | -p | Specify the envoy port to which redirect all TCP traffic (default $ENVOY_PORT = 15001) (default )</td></tr><tr><td><code>--host-nsenter-exec</code></td><td></td><td>Instead of using the internal go netns, use the nsenter command for switching network namespaces.</td></tr><tr><td><code>--inbound-capture-port <string></code></td><td><code>-z</code></td><td>Port to which all inbound TCP traffic to the pod/VM should be redirected to (default $INBOUND_CAPTURE_PORT = 15006) (default) |
—inbound-tunnel-port <string> | -e | Specify the istio tunnel port for inbound tcp traffic (default $INBOUND_TUNNEL_PORT = 15008) (default )</td></tr><tr><td><code>--iptables-probe-port <string></code></td><td></td><td>set listen port for failure detection (default `15002`)</td></tr><tr><td><code>--iptables-trace-logging</code></td><td></td><td>Insert tracing logs for each iptables rules, using the LOG chain.</td></tr><tr><td><code>--istio-exclude-interfaces <string></code></td><td><code>-c</code></td><td>Comma separated list of NIC (optional). Neither inbound nor outbound traffic will be captured (default) |
—istio-inbound-interception-mode <string> | -m | The mode used to redirect inbound connections to Envoy, either “REDIRECT” or “TPROXY” (default )</td></tr><tr><td><code>--istio-inbound-ports <string></code></td><td><code>-b</code></td><td>Comma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). The wildcard character "*" can be used to configure redirection for all ports. An empty list will disable (default) |
—istio-inbound-tproxy-mark <string> | -t | (default )</td></tr><tr><td><code>--istio-inbound-tproxy-route-table <string></code></td><td><code>-r</code></td><td>(default) |
—istio-local-exclude-ports <string> | -d | Comma separated list of inbound ports to be excluded from redirection to Envoy (optional). Only applies when all inbound traffic (i.e. ““) is being redirected (default to $ISTIO_LOCAL_EXCLUDE_PORTS) (default )</td></tr><tr><td><code>--istio-local-outbound-ports-exclude <string></code></td><td><code>-o</code></td><td>Comma separated list of outbound ports to be excluded from redirection to Envoy (default) |
—istio-outbound-ports <string> | -q | Comma separated list of outbound ports to be explicitly included for redirection to Envoy (default ``) |
—istio-service-cidr <string> | -i | Comma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard character ““ can be used to redirect all outbound traffic. An empty list will disable all outbound (default )</td></tr><tr><td><code>--istio-service-exclude-cidr <string></code></td><td><code>-x</code></td><td>Comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. "*") is being redirected (default to $ISTIO_SERVICE_EXCLUDE_CIDR) (default) |
—kube-virt-interfaces <string> | -k | Comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound (default )</td></tr><tr><td><code>--log_as_json</code></td><td></td><td>Whether to format output as JSON or in plain console-friendly format</td></tr><tr><td><code>--log_caller <string></code></td><td></td><td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] (default) |
—log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,… where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default default:info) | |
—log_rotate <string> | The path for the optional rotating log file (default )</td></tr><tr><td><code>--log_rotate_max_age <int></code></td><td></td><td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td></tr><tr><td><code>--log_rotate_max_backups <int></code></td><td></td><td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td></tr><tr><td><code>--log_rotate_max_size <int></code></td><td></td><td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td></tr><tr><td><code>--log_stacktrace_level <string></code></td><td></td><td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td></tr><tr><td><code>--log_target <stringArray></code></td><td></td><td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td></tr><tr><td><code>--network-namespace <string></code></td><td></td><td>The network namespace that iptables rules should be applied to. (default) | |
—output-paths <string> | A file path to write the applied iptables rules to. (default )</td></tr><tr><td><code>--probe-timeout <duration></code></td><td></td><td>failure detection timeout (default `5s`)</td></tr><tr><td><code>--proxy-gid <string></code></td><td><code>-g</code></td><td>Specify the GID of the user for which the redirection is not applied. (same default value as -u param) (default) | |
—proxy-uid <string> | -u | Specify the UID of the user for which the redirection is not applied. Typically, this is the UID of the proxy container (default `)</td></tr><tr><td><code>--redirect-dns</code></td><td></td><td>Enable capture of dns traffic by istio-agent</td></tr><tr><td><code>--restore-format</code></td><td><code>-f</code></td><td>Print iptables rules in iptables-restore interpretable format</td></tr><tr><td><code>--run-validation</code></td><td></td><td>Validate iptables</td></tr><tr><td><code>--skip-rule-apply</code></td><td></td><td>Skip iptables apply</td></tr><tr><td><code>--vklog <Level></code></td><td></td><td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default0`) |
pilot-agent proxy
XDS proxy agent
Makes an HTTP request to the Envoy admin API
| Flags | Description |
|---|---|
—debug-port <int32> | Set the port to make a local request to. The default points to the Envoy admin API. (default 15000) |
—log_as_json | Whether to format output as JSON or in plain console-friendly format |
—log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] (default )</td></tr><tr><td><code>--log_output_level <string></code></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate <string></code></td><td>The path for the optional rotating log file (default) |
—log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30) |
—log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000) |
—log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600) |
—log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default default:none) |
—log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout]) |
—vklog <Level> | number for the log level verbosity. Like -v flag. ex: —vklog=9 (default 0) |
pilot-agent version
Prints out build version information
pilot-agent version [flags]
| Flags | Shorthand | Description |
|---|---|---|
—log_as_json | Whether to format output as JSON or in plain console-friendly format | |
—log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] (default )</td></tr><tr><td><code>--log_output_level <string></code></td><td></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate <string></code></td><td></td><td>The path for the optional rotating log file (default) | |
—log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30) | |
—log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000) | |
—log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600) | |
—log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default default:none) | |
—log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout]) | |
—output <string> | -o | One of ‘yaml’ or ‘json’. (default `)</td></tr><tr><td><code>--short</code></td><td><code>-s</code></td><td>Use --short=false to generate full version information</td></tr><tr><td><code>--vklog <Level></code></td><td></td><td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default0`) |
pilot-agent wait
Waits until the Envoy proxy is ready
| Flags | Description |
|---|---|
—log_as_json | Whether to format output as JSON or in plain console-friendly format |
—log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] (default )</td></tr><tr><td><code>--log_output_level <string></code></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate <string></code></td><td>The path for the optional rotating log file (default) |
—log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30) |
—log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000) |
—log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600) |
—log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, kube, mockcred, model, proxyconfig, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, telemetry, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default default:none) |
—log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout]) |
—periodMillis <int> | number of milliseconds to wait between attempts (default 500) |
—requestTimeoutMillis <int> | number of milliseconds to wait for response (default 500) |
—timeoutSeconds <int> | maximum number of seconds to wait for Envoy to be ready (default 60) |
—url <string> | URL to use in requests (default http://localhost:15021/healthz/ready) |
—vklog <Level> | number for the log level verbosity. Like -v flag. ex: —vklog=9 (default 0) |
Environment variables
| Metric Name | Type | Description |
|---|---|---|
auto_registration_deletes_total | Sum | Total number of auto registration cleaned up by periodic timer. |
auto_registration_errors_total | Sum | Total number of auto registration errors. |
auto_registration_success_total | Sum | Total number of successful auto registrations. |
auto_registration_unregister_total | Sum | Total number of unregistrations. |
auto_registration_updates_total | Sum | Total number of auto registration updates. |
controller_sync_errors_total | Sum | Total number of errorMetric syncing controllers. |
endpoint_no_pod | LastValue | Endpoints without an associated pod. |
envoy_connection_terminations | Sum | The total number of connection errors from envoy |
istio_build | LastValue | Istio component build info |
istiod_connection_failures | Sum | The total number of connection failures to Istiod |
istiod_connection_terminations | Sum | The total number of connection errors to Istiod |
istiod_managed_clusters | LastValue | Number of clusters managed by istiod |
num_failed_outgoing_requests | Sum | Number of failed outgoing requests (e.g. to a token exchange server, CA, etc.) |
num_file_secret_failures_total | Sum | Number of times secret generation failed for files |
num_file_watcher_failures_total | Sum | Number of times file watcher failed to add watchers |
num_outgoing_requests | Sum | Number of total outgoing requests (e.g. to a token exchange server, CA, etc.) |
num_outgoing_retries | Sum | Number of outgoing retry requests (e.g. to a token exchange server, CA, etc.) |
outgoing_latency | Sum | The latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds. |
pilot_conflict_inbound_listener | LastValue | Number of conflicting inbound listeners. |
pilot_conflict_outbound_listener_http_over_current_tcp | LastValue | Number of conflicting wildcard http listeners with current wildcard tcp listener. |
pilot_conflict_outbound_listener_tcp_over_current_http | LastValue | Number of conflicting wildcard tcp listeners with current wildcard http listener. |
pilot_conflict_outbound_listener_tcp_over_current_tcp | LastValue | Number of conflicting tcp listeners with current tcp listener. |
pilot_destrule_subsets | LastValue | Duplicate subsets across destination rules for same host |
pilot_duplicate_envoy_clusters | LastValue | Duplicate envoy clusters caused by service entries with same hostname |
pilot_eds_no_instances | LastValue | Number of clusters without instances. |
pilot_endpoint_not_ready | LastValue | Endpoint found in unready state. |
pilot_inbound_updates | Sum | Total number of updates received by pilot. |
pilot_jwks_resolver_network_fetch_fail_total | Sum | Total number of failed network fetch by pilot jwks resolver |
pilot_jwks_resolver_network_fetch_success_total | Sum | Total number of successfully network fetch by pilot jwks resolver |
pilot_k8s_cfg_events | Sum | Events from k8s config. |
pilot_k8s_endpoints_pending_pod | LastValue | Number of endpoints that do not currently have any corresponding pods. |
pilot_k8s_endpoints_with_no_pods | Sum | Endpoints that does not have any corresponding pods. |
pilot_k8s_reg_events | Sum | Events from k8s registry. |
pilot_no_ip | LastValue | Pods not found in the endpoint table, possibly invalid. |
pilot_proxy_convergence_time | Distribution | Delay in seconds between config change and a proxy receiving all required configuration. |
pilot_proxy_queue_time | Distribution | Time in seconds, a proxy is in the push queue before being dequeued. |
pilot_push_triggers | Sum | Total number of times a push was triggered, labeled by reason for the push. |
pilot_pushcontext_init_seconds | Distribution | Total time in seconds Pilot takes to init pushContext. |
pilot_sds_certificate_errors_total | Sum | Total number of failures to fetch SDS key and certificate. |
pilot_services | LastValue | Total services known to pilot. |
pilot_total_rejected_configs | Sum | Total number of configs that Pilot had to reject or ignore. |
pilot_total_xds_internal_errors | Sum | Total number of internal XDS errors in pilot. |
pilot_total_xds_rejects | Sum | Total number of XDS responses from pilot rejected by proxy. |
pilot_virt_services | LastValue | Total virtual services known to pilot. |
pilot_vservice_dup_domain | LastValue | Virtual services with dup domains. |
pilot_xds | LastValue | Number of endpoints connected to this pilot using XDS. |
pilot_xds_cds_reject | LastValue | Pilot rejected CDS configs. |
pilot_xds_config_size_bytes | Distribution | Distribution of configuration sizes pushed to clients |
pilot_xds_delayed_push_timeouts_total | Sum | Total number of XDS pushes that are delayed and timed out |
pilot_xds_delayed_pushes_total | Sum | Total number of XDS pushes that are delayed. |
pilot_xds_eds_reject | LastValue | Pilot rejected EDS. |
pilot_xds_expired_nonce | Sum | Total number of XDS requests with an expired nonce. |
pilot_xds_lds_reject | LastValue | Pilot rejected LDS. |
pilot_xds_push_context_errors | Sum | Number of errors (timeouts) initiating push context. |
pilot_xds_push_time | Distribution | Total time in seconds Pilot takes to push lds, rds, cds and eds. |
pilot_xds_pushes | Sum | Pilot build and send errors for lds, rds, cds and eds. |
pilot_xds_rds_reject | LastValue | Pilot rejected RDS. |
pilot_xds_send_time | Distribution | Total time in seconds Pilot takes to send generated configuration. |
pilot_xds_write_timeout | Sum | Pilot XDS response write timeouts. |
remote_cluster_sync_timeouts_total | Sum | Number of times remote clusters took too long to sync, causing slow startup that excludes remote clusters. |
scrape_failures_total | Sum | The total number of failed scrapes. |
scrapes_total | Sum | The total number of scrapes. |
sidecar_injection_failure_total | Sum | Total number of failed sidecar injection requests. |
sidecar_injection_requests_total | Sum | Total number of sidecar injection requests. |
sidecar_injection_skip_total | Sum | Total number of skipped sidecar injection requests. |
sidecar_injection_success_total | Sum | Total number of successful sidecar injection requests. |
startup_duration_seconds | LastValue | The time from the process starting to being marked ready. |
wasm_cache_entries | LastValue | number of Wasm remote fetch cache entries. |
wasm_cache_lookup_count | Sum | number of Wasm remote fetch cache lookups. |
wasm_config_conversion_count | Sum | number of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint. |
wasm_config_conversion_duration | Distribution | Total time in milliseconds istio-agent spends on converting remote load in Wasm config. |
wasm_remote_fetch_count | Sum | number of Wasm remote fetches and results, including success, download failure, and checksum mismatch. |
webhook_patch_attempts_total | Sum | Webhook patching attempts |
webhook_patch_failures_total | Sum | Webhook patching total failures |
webhook_patch_retries_total | Sum | Webhook patching retries |
xds_cache_dependent_config_size | LastValue | Current size of dependent configs |
xds_cache_evictions | Sum | Total number of xds cache evictions. |
xds_cache_reads | Sum | Total number of xds cache xdsCacheReads. |
xds_cache_size | LastValue | Current size of xds cache |
