istio · hklai · Jan 9, 2019 · Dec 11, 2018 · Dec 14, 2018 · Dec 14, 2018
@@ -61,6 +61,10 @@ message MeshConfig {
   // to connect to Mixer.
   bool policy_check_fail_open = 25;
 
+  // Enable session affinity for envoy mixer reports so that calls from a proxy will
+  // always target the same mixer instance.
+  bool sidecar_to_telemetry_session_affinity = 30;
+
   // Port on which Envoy should listen for incoming connections from
   // other services.
   int32 proxy_listen_port = 4;
@@ -123,9 +127,9 @@ message MeshConfig {
   // File address for the proxy access log (e.g. /dev/stdout).
   // Empty value disables access logging.
   string access_log_file = 13;
-  
-  // Format for the proxy access log 
-  // Empty value results in proxy's default access log format 
+
+  // Format for the proxy access log
+  // Empty value results in proxy's default access log format
   string access_log_format = 24;
 
   enum AccessLogEncoding {
@@ -145,30 +149,34 @@ message MeshConfig {
   ProxyConfig default_config = 14;
 
   reserved 15;
-  
+
   // $hide_from_docs
   string mixer_address = 16 [deprecated=true];
-  
+
   message OutboundTrafficPolicy {
     enum Mode {
-      // outbound traffic will be restricted to services defined in the service registry as well as those defined
-      // through ServiceEntries
-      REGISTRY_ONLY = 0 [deprecated=true];
-      // outbound traffic to unknown destinations will be allowed
-      ALLOW_ANY = 1 [deprecated=true];
-      // not implemented. outbound traffic will be restricted to destinations defined in VirtualServices only
-      VIRTUAL_SERVICE_ONLY = 2 [deprecated=true];
+      // outbound traffic will be restricted to services defined in the
+      // service registry as well as those defined through ServiceEntries
+      REGISTRY_ONLY = 0;
+      // outbound traffic to unknown destinations will be allowed, in case
+      // there are no services or ServiceEntries for the destination port
+      ALLOW_ANY = 1;
+
+      reserved 2;
+      reserved "VIRTUAL_SERVICE_ONLY";
     }
-    Mode mode = 1 [deprecated=true];
+    Mode mode = 1;
   }
 
-  // Set the default behavior of the sidecar for handling outbound traffic from the application.
-  // While the default mode should work out of the box, if your application uses one or more external services that
-  // are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route traffic to the any
-  // requested destination.
-  // Users are strongly encouraged to use ServiceEntries to explicitly declare any external dependencies,
-  // instead of using allow_any.
-  OutboundTrafficPolicy outbound_traffic_policy = 17 [deprecated=true];
+  // Set the default behavior of the sidecar for handling outbound traffic
+  // from the application.  If your application uses one or more external
+  // services that are not known apriori, setting the policy to ALLOW_ANY
+  // will cause the sidecars to route any unknown traffic originating from
+  // the application to its requested destination.  Users are strongly
+  // encouraged to use ServiceEntries to explicitly declare any external
+  // dependencies, instead of using allow_any, so that traffic to these
+  // services can be monitored.
+  OutboundTrafficPolicy outbound_traffic_policy = 17;
 
   reserved 18;
 
@@ -178,7 +186,7 @@ message MeshConfig {
   // Unix Domain Socket through which envoy communicates with NodeAgent SDS to get key/cert for mTLS.
   // Use secret-mount files instead of SDS if set to empty.
   string sds_uds_path = 20;
-  
+
   // $hide_from_docs
   google.protobuf.Duration sds_refresh_delay = 21 [deprecated=true];
 
@@ -188,52 +196,29 @@ message MeshConfig {
   repeated ConfigSource config_sources = 22;
 
   // $hide_from_docs
-  // This flag is used by secret discovery service(SDS). 
-  // If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount 
-  // for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which 
-  // will be used to generate key/cert eventually. This isn't supported for non-k8s case.
+  // This flag is used by secret discovery service(SDS).
+  // If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount
+  // for k8s service account trustworthy JWT(which is avaialbe for k8s 1.12 or higher), so that K8s API server
+  // mounts k8s service account trustworthy JWT to envoy container, which will be used to request key/cert eventually.
+  // This isn't supported for non-k8s case.
   bool enable_sds_token_mount = 23;
 
+  // $hide_from_docs
+  // This flag is used by secret discovery service(SDS).
+  // If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
+  // (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
+  // and pass to sds server, which will be used to request key/cert eventually.
+  // If both enable_sds_token_mount and sds_use_k8s_sa_jwt are set to true, enable_sds_token_mount(trustworthy jwt) takes precedence.
+  // This isn't supported for non-k8s case.
+  bool sds_use_k8s_sa_jwt = 29;
+
   // The trust domain corresponds to the trust root of a system.
   // Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
   // Fallback to old identity format(without trust domain) if not set.
   string trust_domain = 26;
 
-  // Default service dependency settings for each workload in the
-  // mesh. ServiceDependencycontrols the reachability of workloads to other
-  // services in the mesh.
-  message DefaultServiceDependency {
-    enum Mode {
-      // Configure routes to services in all namespaces, i.e. import
-      // services from all namespaces.
-      ALL_NAMESPACES = 0;
-
-      // Only configure routes to services that are in the same namespace
-      // as the workload as well as services in namespaces specified in
-      // importNamespaces.
-      SAME_NAMESPACE = 1;
-    }
-
-    // REQUIRED: The default import setting for every workload in the mesh.
-    Mode import_mode = 1;
-
-    // Specifies one or more namespaces that should be imported by default
-    // in all user defined ServiceDependency resources in addition to the
-    // namespaces explicitly specified by the end user. Use this setting to
-    // automatically import services/resources from namespaces such as
-    // istio-system that all workloads in the mesh depend upon.
-    repeated string import_namespaces = 2;
-  }
-
-  // The default service dependency setting associated with every workload
-  // in the mesh.  Pilot will program the routes in the sidecars and
-  // gateways accordingly. If omitted, sidecars will be configured to reach
-  // every service in the mesh. The default scope can be overriden by
-  // supplying a ServiceDependency resource per namespace.
-  DefaultServiceDependency default_service_dependency = 29;
-
   // $hide_from_docs
-  // Next available field number: 30
+  // Next available field number: 31
 }
 
 // ConfigSource describes information about a configuration store inside a

@@ -4,7 +4,7 @@
 generator: protoc-gen-docs
 aliases:
   - /docs/reference/config/service-mesh.html
-number_of_entries: 18
+number_of_entries: 16
 ---
 <h2 id="AuthenticationPolicy">AuthenticationPolicy</h2>
 <section>
@@ -146,6 +146,15 @@ <h2 id="MeshConfig">MeshConfig</h2>
 Default is false which means the traffic is denied when the client is unable
 to connect to Mixer.</p>
 
+</td>
+</tr>
+<tr id="MeshConfig-sidecar_to_telemetry_session_affinity">
+<td><code>sidecarToTelemetrySessionAffinity</code></td>
+<td><code>bool</code></td>
+<td>
+<p>Enable session affinity for envoy mixer reports so that calls from a proxy will
+always target the same mixer instance.</p>
+
 </td>
 </tr>
 <tr id="MeshConfig-proxy_listen_port">
@@ -255,16 +264,18 @@ <h2 id="MeshConfig">MeshConfig</h2>
 
 </td>
 </tr>
-<tr id="MeshConfig-outbound_traffic_policy" class="deprecated ">
+<tr id="MeshConfig-outbound_traffic_policy">
 <td><code>outboundTrafficPolicy</code></td>
 <td><code><a href="#MeshConfig-OutboundTrafficPolicy">MeshConfig.OutboundTrafficPolicy</a></code></td>
 <td>
-<p>Set the default behavior of the sidecar for handling outbound traffic from the application.
-While the default mode should work out of the box, if your application uses one or more external services that
-are not known apriori, setting the policy to ALLOW<em>ANY will cause the sidecars to route traffic to the any
-requested destination.
-Users are strongly encouraged to use ServiceEntries to explicitly declare any external dependencies,
-instead of using allow</em>any.</p>
+<p>Set the default behavior of the sidecar for handling outbound traffic
+from the application.  If your application uses one or more external
+services that are not known apriori, setting the policy to ALLOW<em>ANY
+will cause the sidecars to route any unknown traffic originating from
+the application to its requested destination.  Users are strongly
+encouraged to use ServiceEntries to explicitly declare any external
+dependencies, instead of using allow</em>any, so that traffic to these
+services can be monitored.</p>
 
 </td>
 </tr>
@@ -303,18 +314,6 @@ <h2 id="MeshConfig">MeshConfig</h2>
 Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
 Fallback to old identity format(without trust domain) if not set.</p>
 
-</td>
-</tr>
-<tr id="MeshConfig-default_service_dependency">
-<td><code>defaultServiceDependency</code></td>
-<td><code><a href="#MeshConfig-DefaultServiceDependency">MeshConfig.DefaultServiceDependency</a></code></td>
-<td>
-<p>The default service dependency setting associated with every workload
-in the mesh.  Pilot will program the routes in the sidecars and
-gateways accordingly. If omitted, sidecars will be configured to reach
-every service in the mesh. The default scope can be overriden by
-supplying a ServiceDependency resource per namespace.</p>
-
 </td>
 </tr>
 </tbody>
@@ -338,74 +337,6 @@ <h2 id="MeshConfig-AccessLogEncoding">MeshConfig.AccessLogEncoding</h2>
 <tr id="MeshConfig-AccessLogEncoding-JSON">
 <td><code>JSON</code></td>
 <td>
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="MeshConfig-DefaultServiceDependency">MeshConfig.DefaultServiceDependency</h2>
-<section>
-<p>Default service dependency settings for each workload in the
-mesh. ServiceDependencycontrols the reachability of workloads to other
-services in the mesh.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="MeshConfig-DefaultServiceDependency-import_mode">
-<td><code>importMode</code></td>
-<td><code><a href="#MeshConfig-DefaultServiceDependency-Mode">MeshConfig.DefaultServiceDependency.Mode</a></code></td>
-<td>
-<p>REQUIRED: The default import setting for every workload in the mesh.</p>
-
-</td>
-</tr>
-<tr id="MeshConfig-DefaultServiceDependency-import_namespaces">
-<td><code>importNamespaces</code></td>
-<td><code>string[]</code></td>
-<td>
-<p>Specifies one or more namespaces that should be imported by default
-in all user defined ServiceDependency resources in addition to the
-namespaces explicitly specified by the end user. Use this setting to
-automatically import services/resources from namespaces such as
-istio-system that all workloads in the mesh depend upon.</p>
-
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="MeshConfig-DefaultServiceDependency-Mode">MeshConfig.DefaultServiceDependency.Mode</h2>
-<section>
-<table class="enum-values">
-<thead>
-<tr>
-<th>Name</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="MeshConfig-DefaultServiceDependency-Mode-ALL_NAMESPACES">
-<td><code>ALL_NAMESPACES</code></td>
-<td>
-<p>Configure routes to services in all namespaces, i.e. import
-services from all namespaces.</p>
-
-</td>
-</tr>
-<tr id="MeshConfig-DefaultServiceDependency-Mode-SAME_NAMESPACE">
-<td><code>SAME_NAMESPACE</code></td>
-<td>
-<p>Only configure routes to services that are in the same namespace
-as the workload as well as services in namespaces specified in
-importNamespaces.</p>
-
 </td>
 </tr>
 </tbody>
@@ -464,7 +395,7 @@ <h2 id="MeshConfig-OutboundTrafficPolicy">MeshConfig.OutboundTrafficPolicy</h2>
 </tr>
 </thead>
 <tbody>
-<tr id="MeshConfig-OutboundTrafficPolicy-mode" class="deprecated ">
+<tr id="MeshConfig-OutboundTrafficPolicy-mode">
 <td><code>mode</code></td>
 <td><code><a href="#MeshConfig-OutboundTrafficPolicy-Mode">MeshConfig.OutboundTrafficPolicy.Mode</a></code></td>
 <td>
@@ -483,25 +414,19 @@ <h2 id="MeshConfig-OutboundTrafficPolicy-Mode">MeshConfig.OutboundTrafficPolicy.
 </tr>
 </thead>
 <tbody>
-<tr id="MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY" class="deprecated ">
+<tr id="MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
 <td><code>REGISTRY_ONLY</code></td>
 <td>
-<p>outbound traffic will be restricted to services defined in the service registry as well as those defined
-through ServiceEntries</p>
+<p>outbound traffic will be restricted to services defined in the
+service registry as well as those defined through ServiceEntries</p>
 
 </td>
 </tr>
-<tr id="MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY" class="deprecated ">
+<tr id="MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY">
 <td><code>ALLOW_ANY</code></td>
 <td>
-<p>outbound traffic to unknown destinations will be allowed</p>
-
-</td>
-</tr>
-<tr id="MeshConfig-OutboundTrafficPolicy-Mode-VIRTUAL_SERVICE_ONLY" class="deprecated ">
-<td><code>VIRTUAL_SERVICE_ONLY</code></td>
-<td>
-<p>not implemented. outbound traffic will be restricted to destinations defined in VirtualServices only</p>
+<p>outbound traffic to unknown destinations will be allowed, in case
+there are no services or ServiceEntries for the destination port</p>
 
 </td>
 </tr>
@@ -656,7 +581,7 @@ <h2 id="Network-NetworkEndpoints">Network.NetworkEndpoints</h2>
 </ol>
 
 <p>a. By matching the registry name with one of the &ldquo;from<em>registries&rdquo;
-   in the mesh config. A &ldquo;from</em>registry&rdquo; can only be assinged to a
+   in the mesh config. A &ldquo;from</em>registry&rdquo; can only be assigned to a
    single network.</p>
 
 <p>b. By matching the IP against one of the CIDR ranges in a mesh

@@ -36,7 +36,7 @@ message Network {
   // 2. Explicitly:
   //
   //    a. By matching the registry name with one of the "from_registries"
-  //    in the mesh config. A "from_registry" can only be assinged to a
+  //    in the mesh config. A "from_registry" can only be assigned to a
   //    single network.
   //
   //    b. By matching the IP against one of the CIDR ranges in a mesh