Merge pull request #280654 from shashankbarsin/meshconfig

JamesJBarnett · web-flow · commit 369a18ea6d04 · 2024-07-11T14:41:50.000-07:00
Meshconfig doc updates
diff --git a/articles/aks/istio-meshconfig.md b/articles/aks/istio-meshconfig.md
@@ -17,7 +17,7 @@ This article walks through how to configure Istio-based service mesh add-on for
 
 ## Prerequisites
 
-This guide assumes you followed the [documentation][istio-deploy-addon] to enable the Istio add-on on an AKS cluster.
+This guide assumes you followed the [documentation][istio-deploy-add-on] to enable the Istio add-on on an AKS cluster.
 
 ## Set up configuration on cluster
 
@@ -64,7 +64,7 @@ This guide assumes you followed the [documentation][istio-deploy-addon] to enabl
     The values under `defaultConfig` are mesh-wide settings applied for Envoy sidecar proxy.
 
 > [!CAUTION]
-> A default ConfigMap (for example, `istio-asm-1-18` for revision asm-1-18) is created in `aks-istio-system` namespace on the cluster when the Istio addon is enabled. However, this default ConfigMap gets reconciled by the managed Istio addon and thus users should NOT directly edit this ConfigMap. Instead users should create a revision specific Istio shared ConfigMap (for example `istio-shared-configmap-asm-1-18` for revision asm-1-18) in the aks-istio-system namespace, and then the Istio control plane will merge this with the default ConfigMap, with the default settings taking precedence.
+> A default ConfigMap (for example, `istio-asm-1-18` for revision asm-1-18) is created in `aks-istio-system` namespace on the cluster when the Istio add-on is enabled. However, this default ConfigMap gets reconciled by the managed Istio add-on and thus users should NOT directly edit this ConfigMap. Instead users should create a revision specific Istio shared ConfigMap (for example `istio-shared-configmap-asm-1-18` for revision asm-1-18) in the aks-istio-system namespace, and then the Istio control plane will merge this with the default ConfigMap, with the default settings taking precedence.
 
 ### Mesh configuration and upgrades
 
@@ -76,74 +76,76 @@ After the upgrade is completed or rolled back, you can delete the ConfigMap of t
 
 Fields in `MeshConfig` are classified into three categories: 
 
-- **Blocked**: Disallowed fields are blocked via addon managed admission webhooks. API server immediately publishes the error message to the user that the field is disallowed.
+- **Blocked**: Disallowed fields are blocked via add-on managed admission webhooks. API server immediately publishes the error message to the user that the field is disallowed.
 - **Supported**: Supported fields (for example, fields related to access logging) receive support from Azure support.
 - **Allowed**: These fields (such as proxyListenPort or proxyInboundListenPort) are allowed but they aren't covered by Azure support.
 
 Mesh configuration and the list of allowed/supported fields are revision specific to account for fields being added/removed across revisions. The full list of allowed fields and the supported/unsupported ones within the allowed list is provided in the below table. When new mesh revision is made available, any changes to allowed and supported classification of the fields is noted in this table.
 
 ### MeshConfig
 
-| **Field** | **Supported** | **Notes** |
+Fields present in [open source MeshConfig reference documentation][istio-meshconfig] that are not covered in the following table are blocked. For example, `configSources` is blocked.
+
+| **Field** | **Supported/Allowed** | **Notes** |
 |-----------|---------------|-----------|
-| proxyListenPort | false | - |
-| proxyInboundListenPort | false | - |
-| proxyHttpPort | false | - |
-| connectTimeout | false | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings) |
-| tcpKeepAlive | false | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings) |
-| defaultConfig | true | Used to configure [ProxyConfig](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig) |
-| outboundTrafficPolicy | true | Also configurable in [Sidecar CR](https://istio.io/latest/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy) |
-| extensionProviders | false | - |
-| defaultProviders | false | - |
-| accessLogFile | true | - |
-| accessLogFormat | true | - |
-| accessLogEncoding | true | - |
-| enableTracing | true | - |
-| enableEnvoyAccessLogService | true | - |
-| disableEnvoyListenerLog | true | - |
-| trustDomain | false | - |
-| trustDomainAliases | false | - |
-| caCertificates | false | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings) |
-| defaultServiceExportTo | false | Configurable in [ServiceEntry](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry) |
-| defaultVirtualServiceExportTo | false | Configurable in [VirtualService](https://istio.io/latest/docs/reference/config/networking/virtual-service/#VirtualService) |
-| defaultDestinationRuleExportTo | false | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#DestinationRule) |
-| localityLbSetting | false | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#LoadBalancerSettings) |
-| dnsRefreshRate | false | - |
-| h2UpgradePolicy | false | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings) |
-| enablePrometheusMerge | true | - |
-| discoverySelectors | true | - |
-| pathNormalization | false | - |
-| defaultHttpRetryPolicy | false | Configurable in [VirtualService](https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPRetry) |
-| serviceSettings | false | - |
-| meshMTLS | false | - |
-| tlsDefaults | false | - |
+| proxyListenPort | Allowed | - |
+| proxyInboundListenPort | Allowed | - |
+| proxyHttpPort | Allowed | - |
+| connectTimeout | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings) |
+| tcpKeepAlive | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings) |
+| defaultConfig | Supported | Used to configure [ProxyConfig](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig) |
+| outboundTrafficPolicy | Supported | Also configurable in [Sidecar CR](https://istio.io/latest/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy) |
+| extensionProviders | Allowed | - |
+| defaultProviders | Allowed | - |
+| accessLogFile | Supported | This field addresses the generation of the access logs. For a managed experience on collection and querying of logs, refer to [Azure Monitor Container Insights on AKS][container-insights-docs] |
+| accessLogFormat | Supported | This field addresses the generation of the access logs. For a managed experience on collection and querying of logs, refer to [Azure Monitor Container Insights on AKS][container-insights-docs] |
+| accessLogEncoding | Supported | This field addresses the generation of the access logs. For a managed experience on collection and querying of logs, refer to [Azure Monitor Container Insights on AKS][container-insights-docs] |
+| enableTracing | Allowed | |
+| enableEnvoyAccessLogService | Supported | This field addresses the generation of the access logs. For a managed experience on collection and querying of logs, refer to [Azure Monitor Container Insights on AKS][container-insights-docs] |
+| disableEnvoyListenerLog | Supported | This field addresses the generation of the access logs. For a managed experience on collection and querying of logs, refer to [Azure Monitor Container Insights on AKS][container-insights-docs] |
+| trustDomain | Allowed | - |
+| trustDomainAliases | Allowed | - |
+| caCertificates | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings) |
+| defaultServiceExportTo | Allowed | Configurable in [ServiceEntry](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry) |
+| defaultVirtualServiceExportTo | Allowed | Configurable in [VirtualService](https://istio.io/latest/docs/reference/config/networking/virtual-service/#VirtualService) |
+| defaultDestinationRuleExportTo | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#DestinationRule) |
+| localityLbSetting | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#LoadBalancerSettings) |
+| dnsRefreshRate | Allowed | - |
+| h2UpgradePolicy | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings) |
+| enablePrometheusMerge | Allowed | - |
+| discoverySelectors | Supported | - |
+| pathNormalization | Allowed | - |
+| defaultHttpRetryPolicy | Allowed | Configurable in [VirtualService](https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPRetry) |
+| serviceSettings | Allowed | - |
+| meshMTLS | Allowed | - |
+| tlsDefaults | Allowed | - |
 
 ### ProxyConfig (meshConfig.defaultConfig)
 
-| **Field** | **Supported** |
+Fields present in [open source MeshConfig reference documentation](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig) that are not covered in the following table are blocked.
+
+| **Field** | **Supported/Allowed** |
 |-----------|---------------|
-| tracingServiceName | true |
-| drainDuration | true |
-| statsUdpAddress | false |
-| proxyAdminPort | false |
-| tracing | true |
-| concurrency | true |
-| envoyAccessLogService | true |
-| envoyMetricsService | true |
-| proxyMetadata | false |
-| statusPort | false |
-| extraStatTags | false |
-| proxyStatsMatcher | false |
-| terminationDrainDuration | true |
-| meshId | false |
-| holdApplicationUntilProxyStarts | true |
-| caCertificatesPem | false |
-| privateKeyProvider | false |
-
-Fields present in [open source MeshConfig reference documentation][istio-meshconfig] but not in the above table are blocked. For example, `configSources` is blocked.
+| tracingServiceName | Allowed |
+| drainDuration | Supported |
+| statsUdpAddress | Allowed |
+| proxyAdminPort | Allowed |
+| tracing | Allowed |
+| concurrency | Supported |
+| envoyAccessLogService | Allowed |
+| envoyMetricsService | Allowed |
+| proxyMetadata | Allowed |
+| statusPort | Allowed |
+| extraStatTags | Allowed |
+| proxyStatsMatcher | Allowed |
+| terminationDrainDuration | Supported |
+| meshId | Allowed |
+| holdApplicationUntilProxyStarts | Supported |
+| caCertificatesPem | Allowed |
+| privateKeyProvider | Allowed |
 
 > [!CAUTION]
-> **Support scope of configurations:** Mesh configuration allows for extension providers such as self-managed instances of Zipkin or Apache Skywalking to be configured with the Istio addon. However, these extension providers are outside the support scope of the Istio addon. Any issues associated with extension tools are outside the support boundary of the Istio addon.
+> **Support scope of configurations:** Mesh configuration allows for extension providers such as self-managed instances of Zipkin or Apache Skywalking to be configured with the Istio add-on. However, these extension providers are outside the support scope of the Istio add-on. Any issues associated with extension tools are outside the support boundary of the Istio add-on.
 
 ## Common errors and troubleshooting tips
 
@@ -159,4 +161,5 @@ Fields present in [open source MeshConfig reference documentation][istio-meshcon
 
 [istio-meshconfig]: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/
 [istio-sidecar-race-condition]: https://istio.io/latest/docs/ops/common-problems/injection/#pod-or-containers-start-with-network-issues-if-istio-proxy-is-not-ready
-[istio-deploy-addon]: istio-deploy-addon.md
+[istio-deploy-add-on]: istio-deploy-addon.md
+[container-insights-docs]: ../azure-monitor/containers/container-insights-overview.md
