istio-istiod

Helm chart
# Default values for the istio-istiod Helm chart (Chainguard build of the upstream Istio
# istio-discovery chart). The three digest-pinned image references directly below are the
# Chainguard overrides; everything under `_internal_defaults_do_not_set` is the upstream
# chart's default value tree.
#
# NOTE(review): the pinned images live in a private registry. `global.imagePullSecrets`
# (further down) must be populated on any cluster that cannot pull from cgr.dev anonymously.
#
# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar`, just set `--set foo=bar`.

# istiod (pilot) control-plane image, pinned by digest.
image: cgr.dev/chainguard-private/istio-pilot:1.30@sha256:ed0507ca458af43a7ed85685b37e4ad3112564861c0223c6002458c76a8e005f
global:
  proxy:
    # Sidecar (istio-proxy) image injected into workloads, pinned by digest.
    # NOTE(review): the injection template may allow a per-pod annotation to override this
    # image; confirm against the rendered template before relying on the pin as a policy boundary.
    image: cgr.dev/chainguard-private/istio-proxy:1.30@sha256:aedd889bdd94497bf73a34334ec3ccd1bec647ed25396b5c74f6ebf0080240cc
  proxy_init:
    # Init container that configures the pod's iptables rules; same image and digest as the proxy.
    image: cgr.dev/chainguard-private/istio-proxy:1.30@sha256:aedd889bdd94497bf73a34334ec3ccd1bec647ed25396b5c74f6ebf0080240cc

_internal_defaults_do_not_set:
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  autoscaleBehavior: {}
  replicaCount: 1
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%

  hub: ""
  tag: ""
  variant: ""

  # Can be a full hub/image:tag
  # (The Chainguard build sets the top-level `image` to a full digest-pinned reference.)
  image: pilot
  traceSampling: 1.0

  # Resources for a small pilot install
  resources:
    requests:
      cpu: 500m
      memory: 2048Mi

  # Set to `type: RuntimeDefault` to use the default profile if available.
  # NOTE(review): unset by default, so istiod runs with no seccomp profile unless
  # the cluster applies one; `type: RuntimeDefault` is the usual hardening choice.
  seccompProfile: {}

  # Whether to use an existing CNI installation
  cni:
    enabled: false
    provider: default

  # Additional container arguments
  extraContainerArgs: []

  env: {}
  envVarFrom: []

  # Settings related to the untaint controller
  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
  # It should be noted that the cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
  taint:
    # Controls whether or not the untaint controller is active
    # When enabled, this automatically sets PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS environment variable to true in the istiod deployment.
    enabled: false
    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
    namespace: ""

  affinity: {}

  tolerations: []

  cpu:
    targetAverageUtilization: 80
  memory: {}
    # targetAverageUtilization: 80

  # Additional volumeMounts to the istiod container
  volumeMounts: []

  # Additional volumes to the istiod pod
  volumes: []

  # Inject initContainers into the istiod pod
  initContainers: []

  nodeSelector: {}
  podAnnotations: {}
  serviceAnnotations: {}
  serviceAccountAnnotations: {}
  sidecarInjectorWebhookAnnotations: {}

  topologySpreadConstraints: []

  # You can use jwksResolverExtraRootCA to provide a root certificate
  # in PEM format. This will then be trusted by pilot when resolving
  # JWKS URIs.
  # NOTE(review): this extends the trust anchors pilot uses for JWKS fetches; a root
  # added here can vouch for any JWKS host, so keep it to the CA you actually need.
  jwksResolverExtraRootCA: ""

  # The following is used to limit how long a sidecar can be connected
  # to a pilot. It balances out load across pilot instances at the cost of
  # increasing system churn.
  keepaliveMaxServerConnectionAge: 30m

  # Additional labels to apply to the deployment.
  deploymentLabels: {}

  # Annotations to apply to the istiod deployment.
  deploymentAnnotations: {}

  ## Mesh config settings

  # Install the mesh config map, generated from values.yaml.
  # If false, pilot will use default values (by default) or user-supplied values.
  configMap: true

  # Additional labels to apply on the pod level for monitoring and logging configuration.
  podLabels: {}

  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
  ipFamilyPolicy: ""
  ipFamilies: []

  # Ambient mode only.
  # Set this if you install ztunnel to a different namespace from `istiod`.
  # If set, `istiod` will allow connections from trusted node proxy ztunnels
  # in the provided namespace.
  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
  # in the same namespace as itself.
  # NOTE(review): this is a trust decision - whatever runs under the trusted
  # ztunnel name in that namespace is accepted as a node proxy.
  trustedZtunnelNamespace: ""

  # Set this if you install ztunnel with a name different from the default.
  trustedZtunnelName: ""

  sidecarInjectorWebhook:
    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
    # always skip the injection on pods that match that label selector, regardless of the global policy.
    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
    neverInjectSelector: []
    alwaysInjectSelector: []

    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
    #
    # annotations:
    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    #
    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
    # injectedAnnotations:
    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
    # NOTE(review): PodSecurityPolicy no longer exists in current Kubernetes releases, but the
    # mechanism is still the way to attach per-container annotations (e.g. AppArmor) to the
    # injected istio-init/istio-proxy containers.
    injectedAnnotations: {}

    # This enables injection of sidecar in all namespaces,
    # with the exception of namespaces with "istio-injection:disabled" annotation
    # Only one environment should have this enabled.
    # NOTE(review): injection is opt-in per namespace by default; flipping this to true
    # makes every namespace without the disabled label a target for injection.
    enableNamespacesByDefault: false

    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
    # once. For example, an OPA sidecar injected after the Istio sidecar will not have its liveness/readiness probes rewritten.
    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
    reinvocationPolicy: Never

    rewriteAppHTTPProbe: true

    # Templates defines a set of custom injection templates that can be used. For example, defining:
    #
    # templates:
    #   hello: |
    #     metadata:
    #       labels:
    #         hello: world
    #
    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
    # being injected with the hello=world labels.
    # This is intended for advanced configuration only; most users should use the built in template
    # NOTE(review): whatever a template contains is injected into every pod that selects it,
    # so changes here deserve the same review as changes to the webhook configuration itself.
    templates: {}

    # Default templates specifies a set of default templates that are used in sidecar injection.
    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
    # To inject other additional templates, define it using the `templates` option, and add it to
    # the default templates list.
    # For example:
    #
    # templates:
    #   hello: |
    #     metadata:
    #       labels:
    #         hello: world
    #
    # defaultTemplates: ["sidecar", "hello"]
    defaultTemplates: []

  istiodRemote:
    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
    # to utilize a remote instance.
    enabled: false

    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
    # local istiod inject sidecars
    enabledLocalInjectorIstiod: false

    # Sidecar injector mutating webhook configuration clientConfig.url value.
    # For example: https://$remotePilotAddress:15017/inject
    # The host should not refer to a service running in the cluster; use a service reference by specifying
    # the clientConfig.service field instead.
    injectionURL: ""

    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
    injectionPath: "/inject"

    # NOTE(review): presumably the CA bundle the API server uses to verify the remote injector's
    # TLS certificate when `injectionURL` is set - confirm against the webhook template before
    # leaving it empty in a remote setup.
    injectionCABundle: ""

  telemetry:
    enabled: true
    v2:
      # For Null VM case now.
      # This also enables metadata exchange.
      enabled: true
      # Indicate if prometheus stats filter is enabled or not
      prometheus:
        enabled: true
      # stackdriver filter settings.
      stackdriver:
        enabled: false

  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
  revision: ""

  # Revision tags are aliases to Istio control plane revisions
  revisionTags: []

  # For Helm compatibility.
  ownerName: ""

  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
  meshConfig:
    enablePrometheusMerge: true

  experimental:
    stableValidationPolicy: false

  global:
    # Used to locate istiod.
    istioNamespace: istio-system

    # List of cert-signers to allow "approve" action in the istio cluster role
    #
    # certSigners:
    #   - clusterissuers.cert-manager.io/istio-ca
    # NOTE(review): each entry grants istiod's ClusterRole CSR approval for that signer;
    # keep the list to the signer(s) actually used for workload identities.
    certSigners: []

    # enable pod disruption budget for the control plane, which is used to
    # ensure Istio control plane components are gradually upgraded or recovered.
    defaultPodDisruptionBudget:
      enabled: true
      # The values aren't mutable due to a current PodDisruptionBudget limitation
      # minAvailable: 1

    # A minimal set of requested resources to applied to all deployments so that
    # Horizontal Pod Autoscaler will be able to function (if set).
    # Each component can overwrite these default values by adding its own resources
    # block in the relevant section below and setting the desired resources values.
    defaultResources:
      requests:
        cpu: 10m
      #   memory: 128Mi
      # limits:
      #   cpu: 100m
      #   memory: 128Mi

    # Default hub for Istio images.
    # Releases are published to docker hub under 'istio' project.
    # Dev builds from prow are on registry.istio.io/testing.
    # NOTE(review): `registry.istio.io/testing` with `tag: latest` is the upstream
    # development default, not a release coordinate. The digest-pinned `image` fields at
    # the top of this file take precedence for pilot and the proxy; verify in the rendered
    # manifests that no other image reference in this chart falls back to this floating hub/tag.
    hub: registry.istio.io/testing
    # Default tag for Istio images.
    tag: latest
    # Variant of the image to use.
    # Currently supported are: [debug, distroless]
    variant: ""

    # Specify image pull policy if default behavior isn't desired.
    # Default behavior: latest images will be Always else IfNotPresent.
    imagePullPolicy: ""

    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
    # to use for pulling any images in pods that reference this ServiceAccount.
    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
    # Must be set for any cluster configured with private docker registry.
    imagePullSecrets: []
    # - private-registry-key

    # Enabled by default in master for maximising testing.
    istiod:
      enableAnalysis: false

    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
    logAsJson: false

    # In order to use native nftable rules instead of iptable rules, set this flag to true.
    nativeNftables: false

    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
    # The control plane has different scopes depending on component, but can configure default log level across all components
    # If empty, default scope and level will be used as configured in code
    logging:
      level: "default:info"

    # When enabled, default NetworkPolicy resources will be created
    # NOTE(review): disabled by default, so this chart renders no NetworkPolicy; access to
    # istiod is only restricted if policy is supplied elsewhere.
    networkPolicy:
      enabled: false

    omitSidecarInjectorConfigMap: false

    # resourceScope controls what resources will be processed by helm.
    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
    # It can be one of:
    # - all: all resources are processed
    # - cluster: only cluster-scoped resources are processed
    # - namespace: only namespace-scoped resources are processed
    resourceScope: all

    # Configure whether Operator manages webhook configurations. The current behavior
    # of Istiod is to manage its own webhook configurations.
    # When this option is set as true, Istio Operator, instead of webhooks, manages the
    # webhook configurations. When this option is set as false, webhooks manage their
    # own webhook configurations.
    operatorManageWebhooks: false

    # Custom DNS config for the pod to resolve names of services in other
    # clusters. Use this to add additional search domains, and other settings.
    # see
    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
    # This does not apply to gateway pods as they typically need a different
    # set of DNS settings than the normal application pods (e.g., in
    # multicluster scenarios).
    # NOTE: If using templates, follow the pattern in the commented example below.
    #podDNSSearchNamespaces:
    #- global
    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"

    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
    # system-node-critical, it is better to configure this in order to make sure your Istio pods
    # will not be killed because of low priority class.
    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
    # for more detail.
    priorityClassName: ""

    proxy:
      # (Overridden at the top of this file with a full digest-pinned reference.)
      image: proxyv2

      # This controls the 'policy' in the sidecar injector.
      autoInject: enabled

      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
      # cluster domain. Default value is "cluster.local".
      clusterDomain: "cluster.local"

      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
      # not set, then the global "logLevel" will be used.
      componentLogLevel: "misc:error"

      # istio ingress capture allowlist
      # examples:
      #     Redirect only selected ports: --includeInboundPorts="80,8080"
      # Inbound ports not captured reach the application directly, bypassing the sidecar.
      excludeInboundPorts: ""
      includeInboundPorts: "*"

      # istio egress capture allowlist
      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
      # would only capture egress traffic on those two IP Ranges; all other outbound traffic
      # would not be captured at all, i.e. it bypasses the sidecar and whatever policy,
      # mTLS and telemetry the sidecar applies.
      includeIPRanges: "*"
      excludeIPRanges: ""
      includeOutboundPorts: ""
      excludeOutboundPorts: ""

      # Log level for proxy, applies to gateways and sidecars.
      # Expected values are: trace|debug|info|warning|error|critical|off
      logLevel: warning

      # Specify the path to the outlier event log.
      # Example: /dev/stdout
      outlierLogPath: ""

      # If set to true, istio-proxy container will have privileged securityContext
      # NOTE(review): this applies to every injected sidecar in the mesh; leave it false
      # unless there is a specific, reviewed need.
      privileged: false

      # Set to `type: RuntimeDefault` to apply the runtime's default seccomp profile to injected sidecars.
      seccompProfile: {}

      # The number of successive failed probes before indicating readiness failure.
      readinessFailureThreshold: 4

      # The initial delay for readiness probes in seconds.
      readinessInitialDelaySeconds: 0

      # The period between readiness probes.
      readinessPeriodSeconds: 15

      # Enables or disables a startup probe.
      # For optimal startup times, changing this should be tied to the readiness probe values.
      #
      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
      # and doesn't spam the readiness endpoint too much
      #
      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
      # This ensures the startup is reasonably fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
      startupProbe:
        enabled: true
        failureThreshold: 600 # 10 minutes

      # Resources for the sidecar.
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: 2000m
          memory: 1024Mi

      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
      statusPort: 15020

      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
      tracer: "none"

    proxy_init:
      # Base name for the proxy_init container, used to configure iptables.
      # (Overridden at the top of this file with a full digest-pinned reference.)
      image: proxyv2
      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
      forceApplyIptables: false

    # configure remote pilot and istiod service and endpoint
    remotePilotAddress: ""

    ##############################################################################################
    # The following values are found in other charts. To effectively modify these values, make  #
    # sure they are consistent across your Istio helm charts                                     #
    ##############################################################################################

    # The customized CA address to retrieve certificates for the pods in the cluster.
    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
    # If not set explicitly, default to the Istio discovery address.
    # NOTE(review): this decides which endpoint receives workload CSRs (and the SDS token
    # that authenticates them); changing it changes who issues workload identities.
    caAddress: ""

    # Enable control of remote clusters.
    externalIstiod: false

    # Configure a remote cluster as the config cluster for an external istiod.
    configCluster: false

    # configValidation enables the validation webhook for Istio configuration.
    configValidation: true

    # Mesh ID means Mesh Identifier. It should be unique within the scope where
    # meshes will interact with each other, but it is not required to be
    # globally/universally unique. For example, if any of the following are true,
    # then two meshes must have different Mesh IDs:
    # - Meshes will have their telemetry aggregated in one place
    # - Meshes will be federated together
    # - Policy will be written referencing one mesh from the other
    #
    # If an administrator expects that any of these conditions may become true in
    # the future, they should ensure their meshes have different Mesh IDs
    # assigned.
    #
    # Within a multicluster mesh, each cluster must be (manually or auto)
    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
    # of migration TBD, and it may be a disruptive operation to change the Mesh
    # ID post-install.
    #
    # If the mesh admin does not specify a value, Istio will use the value of the
    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
    # value.
    meshID: ""

    # Configure the mesh networks to be used by the Split Horizon EDS.
    #
    # The following example defines two networks with different endpoints association methods.
    # For `network1` all endpoints whose IP belongs to the provided CIDR range will be
    # mapped to network1. The gateway for this network example is specified by its public IP
    # address and port.
    # The second network, `network2`, in this example is defined differently with all endpoints
    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
    # gateway is also defined differently with the name of the gateway service on the remote
    # cluster. The public IP for the gateway will be determined from that remote service (only
    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
    # it still needs to be configured manually).
    #
    # meshNetworks:
    #   network1:
    #     endpoints:
    #     - fromCidr: "192.168.0.1/24"
    #     gateways:
    #     - address: 1.1.1.1
    #       port: 80
    #   network2:
    #     endpoints:
    #     - fromRegistry: reg1
    #     gateways:
    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
    #       port: 443
    #
    meshNetworks: {}

    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
    mountMtlsCerts: false

    multiCluster:
      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
      # to properly label proxies
      clusterName: ""
      # Network defines the network this cluster belongs to. This name
      # corresponds to the networks in the map of mesh networks.
      network: ""

    # Configure the certificate provider for control plane communication.
    # Currently, two providers are supported: "kubernetes" and "istiod".
    # As some platforms may not have kubernetes signing APIs,
    # Istiod is the default
    pilotCertProvider: istiod

    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
      # JWT is intended for the CA.
      # NOTE(review): the audience binding is what stops a token minted for another service from
      # being replayed against the CA; keep it consistent with the CA's expected audience.
      token:
        aud: istio-ca

    sts:
      # The service port used by Security Token Service (STS) server to handle token exchange requests.
      # Setting this port to a non-zero value enables STS server.
      # (0 = STS server disabled.)
      servicePort: 0

    # The name of the CA for workload certificates.
    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
    # will be used as the certificates for workloads.
    # The default value is "" and when caName="", the CA will be configured by other
    # mechanisms (e.g., environmental variable CA_PROVIDER).
    caName: ""

    waypoint:
      # Resources for the waypoint proxy.
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: "2"
          memory: 1Gi
      # If specified, affinity defines the scheduling constraints of waypoint pods.
      affinity: {}
      # Topology Spread Constraints for the waypoint proxy.
      topologySpreadConstraints: []
      # Node labels for the waypoint proxy.
      nodeSelector: {}
      # Tolerations for the waypoint proxy.
      tolerations: []

  base:
    # For istioctl usage to disable istio config crds in base
    enableIstioConfigCRDs: true
    # Override the failurePolicy for the validation webhook.
    # By default, the webhook starts with "Ignore" and istiod flips it to "Fail" once ready.
    # Set to "Fail" to avoid the flip-flop, which is useful for server-side apply tools
    # that do not support .Release.IsUpgrade (e.g. helm template | kubectl apply --server-side).
    # NOTE(review): while the policy is "Ignore", Istio config can be admitted without
    # validation; "Fail" closes that window but blocks config writes whenever istiod is unavailable.
    # validationFailurePolicy: Fail

  # Gateway Settings
  gateways:
    # Define the security context for the pod.
    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
    securityContext: {}
    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
    seccompProfile: {}
    # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
    # For example:
    # gatewayClasses:
    #   istio:
    #     service:
    #       spec:
    #         type: ClusterIP
    # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
    gatewayClasses: {}

  pdb:
    # -- Minimum available pods set in PodDisruptionBudget.
    # Define either 'minAvailable' or 'maxUnavailable', never both.
    minAvailable: 1
    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
    # maxUnavailable: 1
    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
    unhealthyPodEvictionPolicy: ""
