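# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar`, just set `--set foo=bar`.
#
# The three image references below are pinned by digest (`@sha256:...`): the digest, not the
# `1.29` tag, decides which image is pulled, so upgrading the image means replacing the digest here.
image: cgr.dev/chainguard-private/istio-pilot:1.29@sha256:b9c35817127bf7d3d8bfff473dbc4d9bd1ba488c7fb9cb2f3e88e26b1fb28241
global:
  proxy:
    image: cgr.dev/chainguard-private/istio-proxy:1.29@sha256:05022ce6bd59e104bce4ca101c5ff95a3ed1a9173e8dd64f2aeabf5b628f0383
  proxy_init:
    image: cgr.dev/chainguard-private/istio-proxy:1.29@sha256:05022ce6bd59e104bce4ca101c5ff95a3ed1a9173e8dd64f2aeabf5b628f0383
_internal_defaults_do_not_set:
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  autoscaleBehavior: {}
  replicaCount: 1
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%
  hub: ""
  tag: ""
  variant: ""
  # Can be a full hub/image:tag
  image: pilot
  traceSampling: 1.0
  # Resources for a small pilot install
  resources:
    requests:
      cpu: 500m
      memory: 2048Mi
  # Set to `type: RuntimeDefault` to use the default profile if available.
  seccompProfile: {}
  # Whether to use an existing CNI installation
  cni:
    enabled: false
    provider: default
  # Additional container arguments
  extraContainerArgs: []
  env: {}
  envVarFrom: []
  # Settings related to the untaint controller
  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
  taint:
    # Controls whether or not the untaint controller is active
    enabled: false
    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
    namespace: ""
  affinity: {}
  tolerations: []
  cpu:
    targetAverageUtilization: 80
  memory: {}
    # targetAverageUtilization: 80

  # Additional volumeMounts to the istiod container
  volumeMounts: []
  # Additional volumes to the istiod pod
  volumes: []
  # Inject initContainers into the istiod pod
  initContainers: []
  nodeSelector: {}
  podAnnotations: {}
  serviceAnnotations: {}
  serviceAccountAnnotations: {}
  sidecarInjectorWebhookAnnotations: {}
  topologySpreadConstraints: []
  # You can use jwksResolverExtraRootCA to provide a root certificate
  # in PEM format. This will then be trusted by pilot when resolving
  # JWKS URIs.
  jwksResolverExtraRootCA: ""
  # The following is used to limit how long a sidecar can be connected
  # to a pilot. It balances out load across pilot instances at the cost of
  # increasing system churn.
  keepaliveMaxServerConnectionAge: 30m
  # Additional labels to apply to the deployment.
  deploymentLabels: {}
  # Annotations to apply to the istiod deployment.
  deploymentAnnotations: {}
  ## Mesh config settings

  # Install the mesh config map, generated from values.yaml.
  # If false, pilot will use default values (by default) or user-supplied values.
  configMap: true
  # Additional labels to apply on the pod level for monitoring and logging configuration.
  podLabels: {}
  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
  ipFamilyPolicy: ""
  ipFamilies: []
  # Ambient mode only.
  # Set this if you install ztunnel to a different namespace from `istiod`.
  # If set, `istiod` will allow connections from trusted node proxy ztunnels
  # in the provided namespace.
  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
  # in the same namespace as itself.
  trustedZtunnelNamespace: ""
  # Set this if you install ztunnel with a name different from the default.
  trustedZtunnelName: ""
  sidecarInjectorWebhook:
    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
    # always skip the injection on pods that match that label selector, regardless of the global policy.
    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
    neverInjectSelector: []
    alwaysInjectSelector: []
    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
    #
    # annotations:
    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    #
    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
    # injectedAnnotations:
    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
    injectedAnnotations: {}
    # This enables injection of sidecar in all namespaces,
    # with the exception of namespaces with "istio-injection:disabled" annotation
    # Only one environment should have this enabled.
    enableNamespacesByDefault: false
    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
    # once. For example, an OPA sidecar injected after the Istio sidecar will not have its liveness/readiness probes rewritten.
    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
    reinvocationPolicy: Never
    rewriteAppHTTPProbe: true
    # Templates defines a set of custom injection templates that can be used. For example, defining:
    #
    # templates:
    #   hello: |
    #     metadata:
    #       labels:
    #         hello: world
    #
    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
    # being injected with the hello=world labels.
    # This is intended for advanced configuration only; most users should use the built in template
    templates: {}
    # Default templates specifies a set of default templates that are used in sidecar injection.
    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
    # To inject other additional templates, define it using the `templates` option, and add it to
    # the default templates list.
    # For example:
    #
    # templates:
    #   hello: |
    #     metadata:
    #       labels:
    #         hello: world
    #
    # defaultTemplates: ["sidecar", "hello"]
    defaultTemplates: []
  istiodRemote:
    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
    # to utilize a remote instance.
    enabled: false
    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
    # local istiod inject sidecars
    enabledLocalInjectorIstiod: false
    # Sidecar injector mutating webhook configuration clientConfig.url value.
    # For example: https://$remotePilotAddress:15017/inject
    # The host should not refer to a service running in the cluster; use a service reference by specifying
    # the clientConfig.service field instead.
    injectionURL: ""
    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
    injectionPath: "/inject"
    injectionCABundle: ""
  telemetry:
    enabled: true
    v2:
      # For Null VM case now.
      # This also enables metadata exchange.
      enabled: true
      # Indicate if prometheus stats filter is enabled or not
      prometheus:
        enabled: true
      # stackdriver filter settings.
      stackdriver:
        enabled: false
  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
  revision: ""
  # Revision tags are aliases to Istio control plane revisions
  revisionTags: []
  # For Helm compatibility.
  ownerName: ""
  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
  meshConfig:
    enablePrometheusMerge: true
  experimental:
    stableValidationPolicy: false
  global:
    # Used to locate istiod.
    istioNamespace: istio-system
    # List of cert-signers to allow "approve" action in the istio cluster role
    #
    # certSigners:
    #   - clusterissuers.cert-manager.io/istio-ca
    certSigners: []
    # enable pod disruption budget for the control plane, which is used to
    # ensure Istio control plane components are gradually upgraded or recovered.
    defaultPodDisruptionBudget:
      enabled: true
      # The values aren't mutable due to a current PodDisruptionBudget limitation
      # minAvailable: 1
    # A minimal set of requested resources to applied to all deployments so that
    # Horizontal Pod Autoscaler will be able to function (if set).
    # Each component can overwrite these default values by adding its own resources
    # block in the relevant section below and setting the desired resources values.
    defaultResources:
      requests:
        cpu: 10m
      #   memory: 128Mi
      # limits:
      #   cpu: 100m
      #   memory: 128Mi
    # Default hub for Istio images.
    # Releases are published to docker hub under 'istio' project.
    # Dev builds from prow are on gcr.io
    #
    # NOTE(review): `hub` and `tag` are the upstream defaults and still point at a testing
    # registry with a floating `latest` tag. The digest-pinned `image` fields at the top of
    # this file are presumably what the templates resolve instead of hub/tag — confirm against
    # the chart templates before relying on that for the istiod, proxy and proxy_init images.
    hub: gcr.io/istio-testing
    # Default tag for Istio images.
    tag: latest
    # Variant of the image to use.
    # Currently supported are: [debug, distroless]
    variant: ""
    # Specify image pull policy if default behavior isn't desired.
    # Default behavior: latest images will be Always else IfNotPresent.
    imagePullPolicy: ""
    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
    # to use for pulling any images in pods that reference this ServiceAccount.
    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
    # Must be set for any cluster configured with private docker registry.
    imagePullSecrets: []
    # - private-registry-key

    # Enabled by default in master for maximising testing.
    istiod:
      enableAnalysis: false
    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
    logAsJson: false
    # In order to use native nftable rules instead of iptable rules, set this flag to true.
    nativeNftables: false
    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
    # The control plane has different scopes depending on component, but can configure default log level across all components
    # If empty, default scope and level will be used as configured in code
    logging:
      level: "default:info"
    # When enabled, default NetworkPolicy resources will be created
    networkPolicy:
      enabled: false
    omitSidecarInjectorConfigMap: false
    # resourceScope controls what resources will be processed by helm.
    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
    # It can be one of:
    # - all: all resources are processed
    # - cluster: only cluster-scoped resources are processed
    # - namespace: only namespace-scoped resources are processed
    resourceScope: all
    # Configure whether Operator manages webhook configurations. The current behavior
    # of Istiod is to manage its own webhook configurations.
    # When this option is set as true, Istio Operator, instead of webhooks, manages the
    # webhook configurations. When this option is set as false, webhooks manage their
    # own webhook configurations.
    operatorManageWebhooks: false
    # Custom DNS config for the pod to resolve names of services in other
    # clusters. Use this to add additional search domains, and other settings.
    # see
    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
    # This does not apply to gateway pods as they typically need a different
    # set of DNS settings than the normal application pods (e.g., in
    # multicluster scenarios).
    # NOTE: If using templates, follow the pattern in the commented example below.
    #podDNSSearchNamespaces:
    #- global
    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"

    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
    # system-node-critical, it is better to configure this in order to make sure your Istio pods
    # will not be killed because of low priority class.
    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
    # for more detail.
    priorityClassName: ""
    proxy:
      image: proxyv2
      # This controls the 'policy' in the sidecar injector.
      autoInject: enabled
      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
      # cluster domain. Default value is "cluster.local".
      clusterDomain: "cluster.local"
      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
      # not set, then the global "logLevel" will be used.
      componentLogLevel: "misc:error"
      # istio ingress capture allowlist
      # examples:
      #   Redirect only selected ports: --includeInboundPorts="80,8080"
      excludeInboundPorts: ""
      includeInboundPorts: "*"
      # istio egress capture allowlist
      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
      # be allowed by the sidecar
      includeIPRanges: "*"
      excludeIPRanges: ""
      includeOutboundPorts: ""
      excludeOutboundPorts: ""
      # Log level for proxy, applies to gateways and sidecars.
      # Expected values are: trace|debug|info|warning|error|critical|off
      logLevel: warning
      # Specify the path to the outlier event log.
      # Example: /dev/stdout
      outlierLogPath: ""
      # If set to true, istio-proxy container will have privileged securityContext.
      # Leave false unless there is a documented need: the sidecar is injected into every
      # mesh workload, so this flag widens the privileges of every injected pod.
      privileged: false
      # Empty here means the chart sets no seccomp profile on the sidecar; this field takes the
      # same `type: RuntimeDefault` form as the istiod and gateway seccompProfile fields in this file.
      seccompProfile: {}
      # The number of successive failed probes before indicating readiness failure.
      readinessFailureThreshold: 4
      # The initial delay for readiness probes in seconds.
      readinessInitialDelaySeconds: 0
      # The period between readiness probes.
      readinessPeriodSeconds: 15
      # Enables or disables a startup probe.
      # For optimal startup times, changing this should be tied to the readiness probe values.
      #
      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
      # and doesn't spam the readiness endpoint too much
      #
      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
      # This ensures the startup is reasonably fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
      startupProbe:
        enabled: true
        failureThreshold: 600  # 10 minutes
      # Resources for the sidecar.
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: 2000m
          memory: 1024Mi
      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
      statusPort: 15020
      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
      tracer: "none"
    proxy_init:
      # Base name for the proxy_init container, used to configure iptables.
      image: proxyv2
      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
      forceApplyIptables: false
    # configure remote pilot and istiod service and endpoint
    remotePilotAddress: ""
    ##############################################################################################
    # The following values are found in other charts. To effectively modify these values, make #
    # make sure they are consistent across your Istio helm charts                               #
    ##############################################################################################

    # The customized CA address to retrieve certificates for the pods in the cluster.
    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
    # If not set explicitly, default to the Istio discovery address.
    caAddress: ""
    # Enable control of remote clusters.
    externalIstiod: false
    # Configure a remote cluster as the config cluster for an external istiod.
    configCluster: false
    # configValidation enables the validation webhook for Istio configuration.
    configValidation: true
    # Mesh ID means Mesh Identifier. It should be unique within the scope where
    # meshes will interact with each other, but it is not required to be
    # globally/universally unique. For example, if any of the following are true,
    # then two meshes must have different Mesh IDs:
    # - Meshes will have their telemetry aggregated in one place
    # - Meshes will be federated together
    # - Policy will be written referencing one mesh from the other
    #
    # If an administrator expects that any of these conditions may become true in
    # the future, they should ensure their meshes have different Mesh IDs
    # assigned.
    #
    # Within a multicluster mesh, each cluster must be (manually or auto)
    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
    # of migration TBD, and it may be a disruptive operation to change the Mesh
    # ID post-install.
    #
    # If the mesh admin does not specify a value, Istio will use the value of the
    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
    # value.
    meshID: ""
    # Configure the mesh networks to be used by the Split Horizon EDS.
    #
    # The following example defines two networks with different endpoints association methods.
    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
    # mapped to network1. The gateway for this network example is specified by its public IP
    # address and port.
    # The second network, `network2`, in this example is defined differently with all endpoints
    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
    # gateway is also defined differently with the name of the gateway service on the remote
    # cluster. The public IP for the gateway will be determined from that remote service (only
    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
    # it still needs to be configured manually).
    #
    # meshNetworks:
    #   network1:
    #     endpoints:
    #     - fromCidr: "192.168.0.1/24"
    #     gateways:
    #     - address: 1.1.1.1
    #       port: 80
    #   network2:
    #     endpoints:
    #     - fromRegistry: reg1
    #     gateways:
    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
    #       port: 443
    #
    meshNetworks: {}
    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
    mountMtlsCerts: false
    multiCluster:
      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
      # to properly label proxies
      clusterName: ""
      # Network defines the network this cluster belongs to. This name
      # corresponds to the networks in the map of mesh networks.
      network: ""
    # Configure the certificate provider for control plane communication.
    # Currently, two providers are supported: "kubernetes" and "istiod".
    # As some platforms may not have kubernetes signing APIs,
    # Istiod is the default
    pilotCertProvider: istiod
    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca
    sts:
      # The service port used by Security Token Service (STS) server to handle token exchange requests.
      # Setting this port to a non-zero value enables STS server.
      servicePort: 0
    # The name of the CA for workload certificates.
    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
    # will be used as the certificates for workloads.
    # The default value is "" and when caName="", the CA will be configured by other
    # mechanisms (e.g., environmental variable CA_PROVIDER).
    caName: ""
    waypoint:
      # Resources for the waypoint proxy.
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: "2"
          memory: 1Gi
      # If specified, affinity defines the scheduling constraints of waypoint pods.
      affinity: {}
      # Topology Spread Constraints for the waypoint proxy.
      topologySpreadConstraints: []
      # Node labels for the waypoint proxy.
      nodeSelector: {}
      # Tolerations for the waypoint proxy.
      tolerations: []
  base:
    # For istioctl usage to disable istio config crds in base
    enableIstioConfigCRDs: true
    # Override the failurePolicy for the validation webhook.
    # By default, the webhook starts with "Ignore" and istiod flips it to "Fail" once ready.
    # Set to "Fail" to avoid the flip-flop, which is useful for server-side apply tools
    # that do not support .Release.IsUpgrade (e.g. helm template | kubectl apply --server-side).
    # validationFailurePolicy: Fail
  # Gateway Settings
  gateways:
    # Define the security context for the pod.
    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
    securityContext: {}
    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
    seccompProfile: {}
    # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
    # For example:
    # gatewayClasses:
    #   istio:
    #     service:
    #       spec:
    #         type: ClusterIP
    # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
    gatewayClasses: {}
  pdb:
    # -- Minimum available pods set in PodDisruptionBudget.
    # Define either 'minAvailable' or 'maxUnavailable', never both.
    minAvailable: 1
    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
    # maxUnavailable: 1
    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
    unhealthyPodEvictionPolicy: ""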
501
