access logs, ingress gateways 106 – 107
ACK (acknowledgment) flag 290 – 291
ADS (Aggregated Discovery Service) 64, 281, 313
endpoints to introspect and troubleshoot 426 – 427
querying Istio Pilot debug endpoints through 427 – 428
algorithms, client-side load balancing 147 – 149
ALLOW policy 243, 245 – 246, 248, 252
API gateways 18 – 20, 88
application-aware service proxy 11
application-networking security 230 – 234
comparison of security in monoliths and microservices 231 – 233
how Istio implements SPIFFE 233
service-to-service authentication 231
application-specific libraries 9 – 11
AuthorizationPolicy resource 233, 242 – 243, 245, 257 – 258, 263 – 264, 383
Auto mTLS 234 – 242
PeerAuthentication resource 236 – 242
applying workload-specific policies 237 – 238
denying all non-authenticated traffic using mesh-wide policy 236 – 237
permitting non-mutually authenticated traffic 237
two additional mutual authentication modes 238 – 239
verifying workload identities tied to workload service account 241 – 242
setting up environment 235 – 236
auto passthrough, SNI 338 – 339
Azure, creating clusters in 327 – 328
backend distributed tracing engine 221 – 223
environment variables defining 311 – 312
bootstrapping, of workload identity 419 – 420
CA (certificate authority) 89, 434
CA (certificate authority) private key 416
Canary resource 125 – 126, 129
CDS (cluster discovery service) 63, 187
CEL (Common Expression Language) 201
certificate signing requests (CSRs) 186, 326, 416
CIDRs (classless inter-domain routing) 244
circuit breaking 7 – 8, 166 – 176
connection-pool control 168 – 173
client-side load balancing 7, 139 – 149
getting started with 140 – 142
cloud infrastructure 327 – 328
creating clusters in Azure 327 – 328
cluster_name.internal.* metrics 183
cluster_name.ssl.* metrics 184
Envoy cluster endpoints 281 – 282
exposing cluster services to VM 360 – 361
multi-cluster service meshes 320 – 326
common trust between clusters 324 – 326
cross-cluster workload connectivity 324
discovering workloads in multi-cluster deployments 323 – 324
Istio multi-cluster deployment models 321 – 322
multi-cluster, multi-network, multi-control-plane service mesh 326 – 346
choosing multi-cluster deployment model 327
configuring plug-in CA certificates 328 – 329
enabling cross-cluster workload discovery 333 – 335
installing control planes in each cluster 329 – 333
load-balancing across clusters 341 – 346
setting up cloud infrastructure 327 – 328
setting up cross-cluster connectivity 335 – 341
CNI (Container Network Interface) plugin 413
Common Expression Language (CEL) 201
connection-pool control 168 – 173
consecutive5xxErrors setting 174
container_cpu_usage_seconds_total metric 301
control plane 14, 29 – 34
configuring Prometheus Operator to scrape 190 – 193
factors determining performance 298
steps of data-plane synchronization 297 – 298
Grafana, viewing metrics 208 – 209
ingress and egress gateway 33 – 34
installing in multi-cluster, multi-network, multi-control-plane service mesh 329 – 333
monitoring four signals 298 – 303
event-batching and push-throttling properties 310 – 314
measuring performance before optimizations 305 – 309
setting up workspace 304 – 305
coolstore-gateway gateway definition 84
CRD (custom resource definition) 31
create-remote-secret command 333
configuring east-west gateways with SNI clusters 336 – 338
routing cross-cluster traffic using SNI auto passthrough 338 – 339
validating cross-cluster workload discovery 339 – 341
labeling networks for 329 – 333
installing control planes using IstioOperator resources 330 – 331
running workloads on both clusters 332 – 333
CSRs (certificate signing requests) 186, 326, 416
custom authorization filters 423
Envoy config, misconfigurations from 275 – 291
Envoy administration interface 276
inspecting network traffic with ksniff 288 – 291
querying proxy configurations using istioctl 276 – 282
troubleshooting application issues 282 – 288
finding rate of failing requests in Grafana 291 – 292
querying affected Pods using Prometheus 292 – 294
verifying data plane is up to date 270 – 272
WebAssembly, extending with 395 – 400
building new Envoy filter with 396 – 397
building new Envoy filter with meshctl tool 397 – 399
deploying new WebAssembly Envoy filter 399 – 400
reasons for using for Envoy 396
Debian Software Package (.deb) 363
/debug/authorizationz endpoint 431
/debug/config_distribution endpoint 431
querying through Istio agent 427 – 428
default tracing headers 215 – 216
DestinationRule resource 121, 140 – 142, 154, 268 – 269, 273 – 274, 278, 281, 320, 383 – 384
distributed architectures 21 – 22
configuring Istio to perform 213 – 216
configuring tracing at installation 213 – 214
configuring tracing per workload 215
configuring tracing using MeshConfig 214
default tracing headers 215 – 216
customizing backend distributed tracing engine 221 – 223
customizing tags in trace 219 – 220
force-tracing from client 218 – 219
resolution of in-mesh services 354 – 355
resolving cluster hostnames 372 – 374
east-west gateways 324, 336 – 338
EDS (endpoint discovery service) 32, 63, 187
ENABLE_DEBUG_ON_HTTP environment variable 430
end-user authentication and authorization 231, 252 – 259
JWT (JSON web token) 252 – 254
traffic encryption via 414 – 416
validating JWTs with RequestAuthentication 255 – 259
creating RequestAuthentication resource 256
denying requests without JWTs 257 – 258
levels of access based on JWT claims 258 – 259
requests with tokens from invalid issuers 257
requests with tokens from valid issuers 256
requests without tokens are admitted into cluster 257
querying through Istio agent 427 – 428
to introspect and troubleshoot 426 – 427
cluster configuration 279 – 281
configuring Envoy filter with EnvoyFilter resource 383 – 387
extension capabilities 379 – 383
customizing Istio data plane 382 – 383
filters intended for extension 382
configuring Envoy rate-limit server 389 – 390
configuring request path for rate limiting 390 – 392
building new Envoy filter with 396 – 397
building new Envoy filter with meshctl tool 397 – 399
deploying new WebAssembly Envoy filter 399 – 400
Envoy administration interface 276
inspecting network traffic with ksniff 288 – 291
inspecting network traffic on localhost interface 288 – 291
installing Krew, ksniff, and Wireshark 288
querying proxy configurations using istioctl 276 – 282
Envoy cluster configuration 279 – 281
Envoy cluster endpoints 281 – 282
Envoy listener configuration 277 – 278
Envoy Route configuration 278 – 279
interaction of Envoy APIs routing request 277
troubleshooting application issues 282 – 288
changing Envoy access log format 284 – 285
increasing logging level for ingress gateway 285 – 288
setting up intermittently slow workload that times out 282 – 283
comparing to other proxies 61 – 62
configuring proxies to report statistics 182 – 186
automatic TLS termination and origination 61
observability with distributed tracing 60
observability with metrics collection 60
traffic and request routing 59
traffic shifting and shadowing capabilities 59
Envoy Route configuration 278 – 279
finding rate of failing requests in Grafana 291 – 292
querying affected Pods using Prometheus 292 – 294
Envoy Workload menu item, Workload view 228
envoy_cluster_upstream_cx_tx_bytes_total metric 303
envoy_on_request() function 393 – 394
envoy_on_response() function 393
EnvoyFilter resource 165 – 166, 196, 202, 382 – 385, 390 – 392, 394
ERROR_RATE environment variable 345
ESB (enterprise service bus) 17 – 18
event-batching properties 310 – 314
allocating additional resources to control plane 313 – 314
environment variables defining batching period 311 – 312
increasing batching period 312
latency metrics do not account for debounce period 312
external authorization services 260 – 264
configuring Istio for ExtAuthz 262 – 263
using AuthorizationPolicy resource 263 – 264
external call-out, rate-limiting requests with 387 – 392
external processing filter 382
configuring Envoy filter with EnvoyFilter resource 383 – 387
deploying new WebAssembly Envoy filter 399 – 400
force-tracing from client 218 – 219
FQDN (fully qualified domain name) 183, 332, 351
Gateway resource 82, 85 – 86, 88, 90 – 91, 93 – 97, 99, 101, 103, 115, 140, 255, 269 – 270, 278, 302, 332, 338, 361, 429
Kubernetes Ingress vs. 87 – 88
routing with virtual services 83 – 86
specifying gateway resources 82 – 83
ingress gateway access logs 106 – 107
reducing gateway configuration 107 – 108
split gateway responsibilities 104 – 105
HTTP redirect to HTTPS 93 – 94
HTTP traffic with mutual TLS 94 – 97
serving multiple virtual hosts with TLS 97 – 98
exposing TCP ports on Istio gateway 99 – 101
traffic routing with SNI passthrough 101 – 104
GKE (Google Kubernetes Engine) 25, 83
golden-signal networking metrics 204
control-plane metrics 208 – 209
finding rate of failing requests in 291 – 292
headers, default tracing 215 – 216
high availability of VMs 351 – 354
health checks performed by Istio 353
Istio performing readiness probes in VMs 353 – 354
workload auto-registration 351 – 352
Host header 80, 84, 86, 91, 131
traffic with mutual TLS 94 – 97
httpbin service 63, 65 – 66, 68, 215, 393, 395, 399 – 400
Inbound Metrics menu item, Workload view 228
ingress gateways 33 – 34, 80 – 88, 255
increasing logging level for 285 – 288
Kubernetes Ingress vs. 87 – 88
routing with virtual services 83 – 86
specifying gateway resources 82 – 83
installation profiles 402 – 403
distributed tracing system 212 – 213
Istio components into Kubernetes 27 – 29
verifying that workload registered to mesh 366
Krew, ksniff, and Wireshark 288
installing istio-operator 405 – 406
updating installation of mesh 406 – 407
ingress and egress gateway 33 – 34
customizing standard metrics 193 – 204
configuring existing metrics 196 – 200
creating new metrics 200 – 202
grouping calls with new attributes 202 – 204
deploying application in service mesh 34 – 38
deploying on Kubernetes 25 – 29
getting Istio distribution 26 – 27
installing Istio components into Kubernetes 27 – 29
using Docker Desktop for examples 25
health checks performed by 353
installation profiles 402 – 403
authentication using PKI 414 – 416
distributed architectures 21 – 22
ESB (enterprise service bus) 17 – 18
non-microservices deployments 20 – 21
service-to-service traffic 243 – 244
authorization policy rules 243 – 244
properties of authorization policy 243
security issues with istio-init 413
traffic routing requests with 114 – 122
cleaning up workspace 114 – 115
deploying v1 of catalog service 115 – 116
deploying v2 of catalog service 116 – 117
routing all traffic to v1 of catalog service 117 – 118
routing deep within call graph 120 – 122
routing specific requests to v2 119
routing to services outside cluster 131 – 135
DNS resolution of in-mesh services 354 – 355
simplifying sidecar proxy installation and configuration in VM 348 – 350
ISTIO_KUBE_APP_PROBERS environment variable 427
ISTIO_META_ROUTER_MODE environment variable 337
istio_request_bytes metric 182
istio_request_duration metric 182
istio_request_duration_milliseconds metric 182
istio_requests_total metric 182, 192, 194 – 195, 197, 203
istio_response_bytes metric 182
verifying that workload registered to mesh 366
istio-egressgateway component 80
istio-ingressgateway component 93
istio-ingressgateway service 99 – 100
istio-init containers 408, 413
updating installation of mesh 406 – 407
istio-proxy container 37, 191, 241
istio-reader-service-account service account 333
istio-sidecar-injector configmap 106
istio-system namespace 27 – 28, 39, 90, 106 – 107, 125, 214, 218, 224, 236, 262, 307 – 308, 329, 383
identifying data plane issues with 274 – 275
analyzing Istio configurations 274
detecting workload-specific misconfigurations 274 – 275
istioctl analyze subcommand 280
istioctl dashboard command 216
istioctl kube-inject command 35
istioctl profile dump subcommand 402
istioctl proxy-config clusters flags 279
istioctl proxy-config command 276, 281
istioctl proxy-status command 271, 431
istioctl x internal-debug command 428
istiod.istio-system.svc host entry 434
IstioOperator API 401 – 402, 404, 407
IstioOperator definition 331, 337, 359, 403 – 406
IstioOperator resource 105, 213, 330 – 331, 337, 403, 405 – 406
Jaeger and distributed tracing 209 – 223
configuring Istio to perform 213 – 216
configuring tracing at installation 213 – 214
configuring tracing per workload 215
configuring tracing using MeshConfig 214
default tracing headers 215 – 216
customizing backend distributed tracing engine 221 – 223
customizing tags in trace 219 – 220
force-tracing from client 218 – 219
jsonplaceholder.typicode.com host 134
JWTs (JSON web tokens) 27, 231, 252 – 254, 416
validating with RequestAuthentication 255 – 259
denying requests without JWTs 257 – 258
levels of access based on JWT claims 258 – 259
requests with tokens from invalid issuers 257
requests with tokens from valid issuers 256
requests without tokens are admitted into cluster 257
identifying data plane issues with 272 – 274
inspecting network traffic on localhost interface 288 – 291
installing Krew and Wireshark 288
getting Istio distribution 26 – 27
installing Istio components into 27 – 29
using Docker Desktop for examples 25
last (catch-all) authorization filter 423
latency metrics 299 – 301, 312
LDS (listener discovery service) 32, 63, 238
cross-cluster access control using authorization policies 345 – 346
locality-aware routing across clusters 342 – 344
locality-aware load balancing 58, 149 – 156
with weighted distribution 153 – 156
locality-aware routing 342 – 344
Logs menu item, Workload view 228
updating installation of 406 – 407
VMs (virtual machines) joining 433 – 434
mesh expansion to VMs 359 – 371
enforcing mutual authentication 371
exposing istiod and cluster services to VM 360 – 361
installing and configuring istio-agent in VM 363 – 366
routing traffic to cluster services 366 – 367
routing traffic to WorkloadEntry 367 – 371
starting forum application in VM 370 – 371
verifying health of forum workload 369 – 370
setting up infrastructure 355 – 358
setting up service mesh 356 – 357
generating configuration for VM sidecar 362 – 363
transferring generated files to VM 363
mesh-wide PeerAuthentication policies 236
customizing standard 193 – 204
configuring existing metrics 196 – 200
creating new metrics 200 – 202
grouping calls with new attributes 202 – 204
scraping with Prometheus 187 – 193
configuring Prometheus Operator to scrape Istio control plane and workloads 190 – 193
setting up Prometheus and Grafana 189 – 190
metrics collection and exposure 424
misconfigured data plane 268 – 270
MITM (man-in-the-middle) attacks 89
monitoring, observability vs. 179
mTLS (mutual Transport Layer Security) 14, 32
MTTR (mean time to recovery) 178
multi-cluster service mesh 320
MutatingWebhookConfiguration resource 412
namespace discovery selectors 309
namespace-wide PeerAuthentication policies 236
namespaces 244, 247 – 248
NDS (Name Discovery Service) 355, 427
network traffic inspection 288 – 291
inspecting network traffic on localhost interface 288 – 291
installing Krew, ksniff, and Wireshark 288
non-authenticated legacy workloads 248
non-microservices deployments 20 – 21
customizing Istio standard metrics 193 – 204
configuring existing metrics 196 – 200
creating new metrics 200 – 202
grouping calls with new attributes 202 – 204
distributed tracing 60, 209 – 223
configuring Istio to perform 213 – 216
customizing backend distributed tracing engine 221 – 223
customizing tags in trace 219 – 220
force-tracing from client 218 – 219
viewing control-plane metrics 208 – 209
viewing data-plane metrics 209
Prometheus, scraping Istio metrics with 187 – 193
On the General Theory of Control Systems (Kalman) 178
onResponseHeaders function 397 – 398
optimizations, measuring performance before 305 – 309
defining better defaults with mesh-wide sidecar configuration 307 – 309
reducing configuration size and number of pushes using sidecars 306
Outbound Metrics menu item, Workload view 228
outlier detection 59, 152, 173 – 176
Overview menu item, Workload view 227
P99 (99th percentile) latency 305
PeerAuthentication policy 264, 371
PeerAuthentication resource 233, 236 – 242, 308, 421
applying workload-specific policies 237 – 238
denying all non-authenticated traffic using mesh-wide policy 236 – 237
mutual authentication modes 238 – 239
permitting non-mutually authenticated traffic 237
verifying workload identities are tied to workload service account 241 – 242
performance tuning, control plane 303 – 314
event-batching and push-throttling properties 310 – 314
allocating additional resources to control plane 313 – 314
environment variables defining batching period and push throttling 311 – 312
increasing batching period 312
latency metrics do not account for debounce period 312
measuring performance before optimizations 305 – 309
defining better defaults with mesh-wide sidecar configuration 307 – 309
reducing configuration size and number of pushes using sidecars 306
setting up workspace 304 – 305
PERMISSIVE authentication mode 236, 238
PERMISSIVE mutual authentication 237
PILOT_DEBOUNCE_AFTER variable 311
PILOT_DEBOUNCE_MAX variable 311
PILOT_ENABLE_EDS_DEBOUNCE variable 311
PILOT_FILTER_GATEWAY_CLUSTER_CONFIG feature flag 108
pilot_inbound_updates metric 302
pilot_proxy_convergence_time metric 209, 299 – 300
pilot_proxy_queue_time metric 299, 301
pilot_push_triggers metric 302
pilot_xds_push_time metric 299, 301
querying debug endpoints through 427 – 428
plug-in CA certificates 325 – 326
external certificate authority integration 326
behavior changes when applying to workload 245 – 246
conditional matching of 249 – 250
denying all requests by default with 246 – 247
evaluating policy rules 250 – 251
order of authorization of evaluated 252
verifying cross-cluster access control using authorization 345 – 346
primary-primary deployment model 327
principal workload identity 421
process_cpu_seconds_total metric 301
querying affected Pods using 292 – 294
scraping metrics with 187 – 193
configuring Prometheus Operator 190 – 193
setting up Prometheus and Grafana 189 – 190
prometheus default provider 107
configuring to report Envoy statistics 182 – 186
querying configurations using istioctl 276 – 282
Envoy cluster configuration 279 – 281
Envoy cluster endpoints 281 – 282
Envoy listener configuration 277 – 278
Envoy Route configuration 278 – 279
interaction of Envoy APIs routing request 277
simplifying sidecar installation 348 – 350
proxy.istio.io/config annotation 183
public key infrastructure (PKI) 414 – 416
push-throttling properties 310 – 314
allocating additional resources to control plane 313 – 314
environment variables defining 311 – 312
increasing batching period 312
latency metrics do not account for debounce period 312
requests with external call-out 387 – 392
RBAC (role-based access control) 260
RDS (route discovery service) 32, 63, 271
Red Hat Package Manager (.rpm) 363
release, deployment vs. 111 – 114
remote cluster access 333 – 335
replicated control plane deployment model 322
request authentication claims 421
metadata collected by RequestAuthentication resource 421 – 422
configuring Envoy filter with EnvoyFilter resource 383 – 387
Envoy extension capabilities 379 – 383
customizing Istio data plane 382 – 383
filters intended for extension 382
Lua, extending Istio data plane with 392 – 395
rate-limiting requests with external call-out 387 – 392
WebAssembly, extending Istio data plane with 395 – 400
building new Envoy filter with 396 – 397
building new Envoy filter with meshctl tool 397 – 399
deploying new WebAssembly Envoy filter 399 – 400
reasons for using for Envoy 396
request_protocol dimension 198 – 199
RequestAuthentication 255 – 259
denying requests without JWTs 257 – 258
levels of access based on JWT claims 258 – 259
metadata collected by 421 – 422
with tokens from invalid issuers 257
with tokens from valid issuers 256
without tokens are admitted into cluster 257
requestPrincipals property 257 – 258
building into application 137 – 139
decentralized implementation of resilience 138 – 139
into application libraries 137 – 138
using Istio to solve problems 138
circuit breaking with Istio 166 – 176
connection-pool control 168 – 173
client-side load balancing 139 – 149
getting started with 140 – 142
locality-aware load balancing 149 – 156
with weighted distribution 153 – 156
retryRemoteLocalities setting 164
role-based access control (RBAC) 260
ROUND_ROBIN load-balancing 142
route discovery service (RDS) 32, 63, 271
RPC (remote procedure call) resilience patterns 137
SAN (Subject Alternative Name) extensions 418
saturation 299, 301 – 302
multi-cluster service meshes 320 – 326
common trust between clusters 324 – 326
cross-cluster workload connectivity 324
discovering workloads in multi-cluster deployments 323 – 324
Istio multi-cluster deployment models 321 – 322
multi-cluster, multi-network, multi-control-plane service mesh 326 – 346
choosing multi-cluster deployment model 327
configuring plug-in CA certificates 328 – 329
enabling cross-cluster workload discovery 333 – 335
installing control planes in each cluster 329 – 333
load-balancing across clusters 341 – 346
setting up cloud infrastructure 327 – 328
setting up cross-cluster connectivity 335 – 341
scraping metrics with Prometheus 187 – 193
configuring Prometheus Operator 190 – 193
setting up Prometheus and Grafana 189 – 190
SDS (Secret Discovery Service) 63, 187, 326, 420
application-networking security 230 – 234
comparison of security in monoliths and microservices 231 – 233
how Istio implements SPIFFE 233
service-to-service authentication 231
authentication using PKI 414 – 416
authorizing service-to-service traffic 242 – 252
allowing requests from non-authenticated legacy workloads 248
allowing requests from single service account 248 – 249
allowing requests originating from single namespace 247 – 248
authorization in Istio 243 – 244
behavior changes when applying policy to workload 245 – 246
conditional matching of policies 249 – 250
denying all requests by default with catch-all policy 246 – 247
order of authorization policies evaluated 252
setting up workspace 244 – 245
value-match expressions 250 – 251
PeerAuthentication resource 236 – 242
setting up environment 235 – 236
end-user authentication and authorization 252 – 259
JWT (JSON web token) 252 – 254
validating JWTs with RequestAuthentication 255 – 259
external authorization services 260 – 264
configuring Istio for ExtAuthz 262 – 263
using AuthorizationPolicy resource 263 – 264
HTTP redirect to HTTPS 93 – 94
HTTP traffic with mutual TLS 94 – 97
serving multiple virtual hosts with TLS 97 – 98
metadata collected by RequestAuthentication resource 421 – 422
SPIFFE (Secure Production Identity Framework for Everyone) 416 – 420
bootstrapping of workload identity 419 – 420
SVIDs (SPIFFE Verifiable Identity Documents) 417 – 418
challenges of going faster 5 – 8
cloud infrastructure, unreliability of 6 – 7
making service interactions resilient 7 – 8
defined 13 – 15
deploying application in 34 – 38
distributed architectures 21 – 22
ESB (enterprise service bus) 17 – 18
non-microservices deployments 20 – 21
multi-cluster service meshes 320 – 326
common trust between clusters 324 – 326
cross-cluster workload connectivity 324
discovering workloads in multi-cluster deployments 323 – 324
Istio multi-cluster deployment models 321 – 322
multi-cluster, multi-network, multi-control-plane service mesh 326 – 346
choosing multi-cluster deployment model 327
configuring plug-in CA certificates 328 – 329
enabling cross-cluster workload discovery 333 – 335
installing control planes in each cluster 329 – 333
load-balancing across clusters 341 – 346
setting up cloud infrastructure 327 – 328
setting up cross-cluster connectivity 335 – 341
pushing concerns to infrastructure 11 – 12
application-aware service proxy 11
service proxy, application-aware 11
service-to-service authentication 231
service-to-service traffic 242 – 252
from non-authenticated legacy workloads 248
from single service account 248 – 249
originating from single namespace 247 – 248
authorization in Istio 243 – 244
authorization policy rules 243 – 244
properties of authorization policy 243
behavior changes when applying policy to workload 245 – 246
conditional matching of policies 249 – 250
denying all requests by default with catch-all policy 246 – 247
order of authorization policies evaluated 252
setting up workspace 244 – 245
value-match expressions 250 – 251
ServiceEntry resource 133 – 134, 351
ServiceMonitor resource 190 – 192, 208
shared control plane deployment model 322
sidecar deployment packages 35
Sidecar resource 108, 303, 313 – 315, 320
sidecar.istio.io/extraStatTags annotation 199
sidecar.istio.io/statsInclusionPrefixes annotation 201
defining defaults with mesh-wide sidecar configuration 307 – 309
generating configuration for VM 362 – 363
reducing configuration size and number of pushes 306
security issues with istio-init 413
simplifying installation and configuration in VM 348 – 350
simple-backend service 141 – 142, 149, 151 – 154, 157, 159, 161, 168, 170, 173
simple-web service 139, 142, 152 – 153, 170
single control plane deployment model 322
Site Reliability Engineering 299
sleep service 235, 246 – 248, 263
SLOs (service-level objectives) 18, 299
SNI (Server Name Indication) 80, 98
configuring east-west gateways with 336 – 338
routing cross-cluster traffic using 338 – 339
traffic routing with 101 – 104
spec.template.metadata Pod template 199
SPIFFE (Secure Production Identity Framework For Everyone) 32, 231, 416 – 420
bootstrapping of workload identity 419 – 420
SVIDs (SPIFFE Verifiable Identity Documents) 417 – 418
split gateway responsibilities 104 – 105
stackdriver default provider 107
/stats/prometheus endpoint 69, 427
STRICT authentication mode 236
STRICT mutual authentication 237
SVIDs (SPIFFE Verifiable Identity Documents) 233, 350, 416 – 418
SYN (synchronization) flag 290 – 291
exposing TCP ports on Istio gateway 99 – 101
traffic routing with SNI passthrough 101 – 104
tcpdump command-line utility 239
TLS (Transport Layer Security)
automatic termination and origination 61
HTTP traffic with mutual 94 – 97
serving multiple virtual hosts with 97 – 98
traffic encryption via 414 – 416
Traces Workload menu item, Workload view 228
ingress 78 – 80
reducing risk of deploying new code 111 – 114
cleaning up workspace 114 – 115
deploying v1 of catalog service 115 – 116
deploying v2 of catalog service 116 – 117
routing all traffic to v1 of catalog service 117 – 118
routing deep within call graph 120 – 122
routing specific requests to v2 119
starting forum application in VM 370 – 371
verifying health of forum workload 369 – 370
changing Envoy access log format 284 – 285
increasing logging level for ingress gateway 285 – 288
setting up intermittently slow workload that times out 282 – 283
endpoints to introspect and troubleshoot 426 – 427
querying Istio Pilot debug endpoints through 427 – 428
trust-domain variable 233, 416
upstream_operation dimension 203
upstream_proxy_version dimension 197
routing all traffic to 117 – 118
routing specific requests to 119
value-match expressions 250 – 251
version-v1 subset 269, 280 – 281
version-v2 subset 269, 280 – 281, 293
virtual hosting 79 – 80, 97 – 98
VirtualService resource 82 – 86, 88, 98 – 99, 102 – 103, 108, 114, 116, 118 – 119, 121 – 122, 124, 126, 130, 140, 157, 159 – 160, 163, 173, 187, 215, 255, 268 – 270, 278 – 279, 302, 320, 332, 338, 361, 383 – 384, 429
VirtualService retry policy 161 – 162
configuring Istio to perform 213 – 216
trace sampling, force traces, and custom tags 217 – 223
viewing control-plane metrics 208 – 209
viewing data-plane metrics 209
customizing agent behavior 375
resolving cluster hostnames 372 – 374
DNS resolution of in-mesh services 354 – 355
simplifying sidecar proxy installation and configuration in VM 348 – 350
enforcing mutual authentication 371
exposing istiod and cluster services to VM 360 – 361
installing and configuring istio-agent in VM 363 – 366
routing traffic to cluster services 366 – 367
routing traffic to WorkloadEntry 367 – 371
removing WorkloadEntry from mesh 375 – 376
setting up infrastructure 355 – 358
setting up service mesh 356 – 357
wasme open source developer tool 396
building new Envoy filter with 396 – 397
building new Envoy filter with meshctl tool 397 – 399
deploying new WebAssembly Envoy filter 399 – 400
weighted distribution 153 – 156
west-cluster control plane 334
workload auto-registration 351 – 352
workload-specific PeerAuthentication policies 236
starting forum application in VM 370 – 371
verifying health of forum workload 369 – 370
generating configuration for VM sidecar 362 – 363
transferring generated files to VM 363
x-b3-flags tracing header 60, 211, 217
x-b3-parentspanid tracing header 211, 217
x-b3-sampled tracing header 211, 217
x-b3-spanid tracing header 211, 217
x-b3-traceid tracing header 211, 217
x-dark-launch header 30 – 31, 51 – 52
x-envoy-force-trace tracing header 219
x-istio-cohort header 119, 121 – 122
x-ot-span-context tracing header 211, 217
x-request-id tracing header 211, 217