content/en/docs/reference/config/annotations/index.html
--- WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO source_repo: https://github.com/istio/api title: Resource Annotations description: Resource annotations used by Istio. location: https://istio.io/docs/reference/config/annotations/ weight: 60 ---
This page presents the various resource annotations that Istio supports to control its behavior.
| Name | ambient.istio.io/bypass-inbound-capture |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
When specified on a Pod enrolled in ambient mesh, only outbound traffic will be captured. This is intended to be used when enrolling a workload that only receives traffic from out-of-the-mesh clients, such as third party ingress controllers.
|
| Name | ambient.istio.io/redirection |
| Feature Status | Beta |
| Resource Types | [Pod] |
| Description |
Automatically configured by Istio to indicate a Pod was successfully enrolled in ambient mode. This shows the actual state; to specify intent that a workload should be in ambient mode, see istio.io/dataplane-mode. User should not manually modify this annotation.
|
| Name | galley.istio.io/analyze-suppress |
| Feature Status | Alpha |
| Resource Types | [Any] |
| Description |
A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation ‘galley.istio.io/analyze-suppress=IST0108,IST0103’. If the value is ‘*’, then all configuration analysis messages are suppressed.
|
| Name | inject.istio.io/templates |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information.
|
| Name | istio.io/dry-run |
| Feature Status | Alpha |
| Resource Types | [AuthorizationPolicy] |
| Description |
Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information.
|
| Name | istio.io/reroute-virtual-interfaces |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture. Note: When using docker-in-docker container, the default bridge interface name is typically docker0. However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option com.docker.network.bridge.name with a fixed value and use that name in the annotation.
|
| Name | istio.io/rev |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies a control plane revision to which a given proxy is connected. This annotation is added automatically, not set by a user. In contrary to the label istio.io/rev, it represents the actual revision, not the requested revision.
|
| Name | kubernetes.io/ingress.class |
| Feature Status | Stable |
| Resource Types | [Ingress] |
| Description |
Annotation on an Ingress resources denoting the class of controllers responsible for it.
|
| Name | networking.istio.io/exportTo |
| Feature Status | Alpha |
| Resource Types | [Service] |
| Description |
Specifies the namespaces to which this service should be exported to. A value of * indicates it is reachable within the mesh. . indicates it is reachable within its namespace. ‘~’ indicates it is hidden and exported to no namespaces. Additionally, a list of comma separated namespace names can be specified.
|
| Name | networking.istio.io/traffic-distribution |
| Feature Status | Alpha |
| Resource Types | [Namespace Service ServiceEntry] |
| Description |
Controls how traffic is distributed across the set of available endpoints.
At this time, this annotation only impacts routing done by Ztunnel.
When applied to a Namespace, Services and ServiceEntries in that namespace inherit the setting unless they have their own annotation.
Accepted values:
PreferClose: endpoints will be categorized by how “close” they are, consider network, region, zone, and subzone. Traffic will be prioritized to the closest healthy endpoints. For example, if I have a Service with PreferClose set, with endpoints in zones us-west,us-west,us-east. When sending traffic from a client in zone us-west, all traffic will go to the two us-west backends. If one those backends become unhealthy, all traffic will go to the remaining endpoint in us-west. If that backend becomes unhealthy, traffic will sent to us-east.|
| Name | prometheus.istio.io/merge-metrics |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies if application Prometheus metric will be merged with Envoy metrics for this workload.
|
| Name | proxy.istio.io/config |
| Feature Status | Beta |
| Resource Types | [Pod] |
| Description |
Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig.
|
| Name | readiness.status.sidecar.istio.io/applicationPorts |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic.
|
| Name | readiness.status.sidecar.istio.io/failureThreshold |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the failure threshold for the Envoy sidecar readiness probe.
|
| Name | readiness.status.sidecar.istio.io/initialDelaySeconds |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe.
|
| Name | readiness.status.sidecar.istio.io/periodSeconds |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the period (in seconds) for the Envoy sidecar readiness probe.
|
| Name | sidecar.istio.io/agentLogLevel |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the log output level for pilot-agent.
|
| Name | sidecar.istio.io/bootstrapOverride |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies an alternative Envoy bootstrap configuration file.
|
| Name | sidecar.istio.io/componentLogLevel |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the component log level for Envoy.
|
| Name | sidecar.istio.io/discoveryAddress |
| Feature Status | Deprecated |
| Resource Types | [Pod] |
| Description |
Specifies the XDS discovery address to be used by the Envoy sidecar.
|
| Name | sidecar.istio.io/extraStatTags |
| Feature Status | Deprecated |
| Resource Types | [Pod] |
| Description |
An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list.
|
| Name | sidecar.istio.io/inject |
| Feature Status | Deprecated |
| Resource Types | [Pod] |
| Description |
Specifies whether or not an Envoy sidecar should be automatically injected into the workload. This annotation has been deprecated in favor of the sidecar.istio.io/inject label documented here.
|
| Name | sidecar.istio.io/interceptionMode |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY).
|
| Name | sidecar.istio.io/logLevel |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the log level for Envoy.
|
| Name | sidecar.istio.io/nativeSidecar |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies if the istio-proxy sidecar should be injected as a native sidecar or not. Takes precedence over the ENABLE_NATIVE_SIDECARS environment variable.
|
| Name | sidecar.istio.io/proxyCPU |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the requested CPU setting for the Envoy sidecar.
|
| Name | sidecar.istio.io/proxyCPULimit |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the CPU limit for the Envoy sidecar.
|
| Name | sidecar.istio.io/proxyImage |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the Docker image to be used by the Envoy sidecar.
|
| Name | sidecar.istio.io/proxyImageType |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag.
|
| Name | sidecar.istio.io/proxyMemory |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the requested memory setting for the Envoy sidecar.
|
| Name | sidecar.istio.io/proxyMemoryLimit |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the memory limit for the Envoy sidecar.
|
| Name | sidecar.istio.io/rewriteAppHTTPProbers |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar.
|
| Name | sidecar.istio.io/statsCompression |
| Feature Status | Deprecated |
| Resource Types | [Pod] |
| Description |
Specifies the compression algorithm to use for stats emitted by the Envoy sidecar. Supported values are brotli, gzip, and zstd.
|
| Name | sidecar.istio.io/statsEvictionInterval |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the expiration interval for the Istio standard metrics. This gets rounded to a multiple of the flush interval. A time series is expected to be evicted after 2 iterations of this interval from the last measurement.
|
| Name | sidecar.istio.io/statsFlushInterval |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the flush interval for push-based stat sinks, e.g. OTLP. Default interval is 5s.
|
| Name | sidecar.istio.io/statsHistogramBins |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the bin size per time series for the Istio standard metrics histograms. Reducing this value from the default 100 decreases overall memory usage for sparse and/or high cardinality histograms.
|
| Name | sidecar.istio.io/statsHistogramBuckets |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. {"istiocustom":[1,5,10,50,100,500,1000,5000,10000],"cluster.xds-grpc":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}. Default buckets are [0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000].
|
| Name | sidecar.istio.io/statsInclusionPrefixes |
| Feature Status | Deprecated |
| Resource Types | [Pod] |
| Description |
Specifies the comma separated list of prefixes of the stats to be emitted by Envoy.
|
| Name | sidecar.istio.io/statsInclusionRegexps |
| Feature Status | Deprecated |
| Resource Types | [Pod] |
| Description |
Specifies the comma separated list of regexes the stats should match to be emitted by Envoy.
|
| Name | sidecar.istio.io/statsInclusionSuffixes |
| Feature Status | Deprecated |
| Resource Types | [Pod] |
| Description |
Specifies the comma separated list of suffixes of the stats to be emitted by Envoy.
|
| Name | sidecar.istio.io/status |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources.
|
| Name | sidecar.istio.io/userVolume |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar.
|
| Name | sidecar.istio.io/userVolumeMount |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar.
|
| Name | status.sidecar.istio.io/port |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status.
|
| Name | topology.istio.io/controlPlaneClusters |
| Feature Status | Alpha |
| Resource Types | [Namespace] |
| Description |
A comma-separated list of clusters (or * for any) running istiod that should attempt leader election for a remote cluster thats system namespace includes this annotation. Istiod will not attempt to lead unannotated remote clusters.
|
| Name | traffic.istio.io/nodeSelector |
| Feature Status | Stable |
| Resource Types | [Service] |
| Description |
This annotation is a set of node-labels (key1=value,key2=value). If the annotated Service is of type NodePort and is a multi-network gateway (see topology.istio.io/network), the addresses for selected nodes will be used for cross-network communication.
|
| Name | traffic.sidecar.istio.io/excludeInboundPorts |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.
|
| Name | traffic.sidecar.istio.io/excludeInterfaces |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
A comma separated list of interfaces to be excluded from Istio traffic capture
|
| Name | traffic.sidecar.istio.io/excludeOutboundIPRanges |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.
|
| Name | traffic.sidecar.istio.io/excludeOutboundPorts |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
A comma separated list of outbound ports to be excluded from redirection to Envoy.
|
| Name | traffic.sidecar.istio.io/includeInboundPorts |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list will disable all inbound redirection.
|
| Name | traffic.sidecar.istio.io/includeOutboundIPRanges |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.
|
| Name | traffic.sidecar.istio.io/includeOutboundPorts |
| Feature Status | Alpha |
| Resource Types | [Pod] |
| Description |
A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.
|
| Name | traffic.sidecar.istio.io/kubevirtInterfaces |
| Feature Status | Deprecated |
| Resource Types | [Pod] |
| Description |
A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. Deprecated in favor of istio.io/reroute-virtual-interfaces
|