This topic describes common asmctl commands.
Compatibility
Service Mesh (ASM) does not ensure the compatibility with Istioctl that is provided by the Istio community. However, ASM provides asmctl that supports partial Istioctl commands.
You can use asmctl in Container Service for Kubernetes (ACK) clusters and ASM instances of the following versions:
Standard ASM instances whose version is v1.8.6.49-gda24841c-aliyun or later
Professional managed ACK clusters whose version is v1.20.4-aluyun-1 or later
If you use asmctl in ASM instances whose version is earlier than v1.8.6.49-gda24841c-aliyun, specific commands may be unavailable.
Limits
asmctl commands are compatible with Istioctl 1.9 that is provided by the Istio community. asmctl supports only partial Istioctl commands because ASM is a managed cloud service. The following table describes the Istioctl commands that are unavailable in asmctl and the reasons for unavailability.
Command | Reason for unavailability |
dashboard commands except for dashboard envoy | The control plane of ASM is managed by Alibaba Cloud. You cannot use a CLI to build observability for ASM instances or the core components of the control plane. |
create-remote-secret | The control plane of ASM is managed by Alibaba Cloud. You cannot create a secret for the control plane to access remote Kubernetes clusters. |
istiod | The control plane of ASM is managed by Alibaba Cloud. You cannot use a CLI to manage the core components of the control plane. |
metrics | The control plane of ASM is managed by Alibaba Cloud. You cannot use a CLI to build observability for ASM instances or the core components of the control plane. |
precheck | The control plane of ASM is managed by Alibaba Cloud. asmctl does not need to provide features to check the compatibility with Istio. |
proxy-status | The control plane of ASM is managed by Alibaba Cloud. You cannot use a CLI to query the status of the control plane. You can view the status of ASM instances on the Overview page in the ASM console. |
uninstall and install | The control plane of ASM is managed by Alibaba Cloud. You cannot install or uninstall the control plane. |
version | You cannot use a CLI to query the version information about ASM instances. You can view the basic information about ASM instances in the ASM console. |
wait | The control plane of ASM is managed by Alibaba Cloud. You cannot use a CLI to query the status of the control plane. |
manifest, operator, profile, upgrade, and verify-install | The control plane of ASM is managed by Alibaba Cloud. You cannot use asmctl to install Istio for your clusters. |
kube-inject, kube-uninject, workload, add-to-mesh, and remove-from-mesh | asmctl is in early development and does not provide commands that may change cluster configurations. |
Overview of asmctl commands
Command | Description | References |
asmctl analyze | Analyze the control plane configurations of clusters and return the analysis results. | |
asmctl bug-report | Selectively collect the information and logs of clusters and ASM instances and compress the information and logs into a package. This helps you diagnose common issues. | |
asmctl dashboard | Access web UIs that are compatible with the Istio community. | |
asmctl dashboard envoy | Open the Envoy admin dashboard for the sidecar proxies of a specified pod. | |
asmctl experimental | These commands are being developed. | |
asmctl experimental authz | Provide features that are related to the authorization policies of ASM. | |
asmctl experimental authz check | Check the sidecar proxy configurations of a specified pod and return all authorization policies that are applied to the sidecar proxies of the pod. | |
asmctl experimental config | Provide features that are related to default settings in ASM. | |
asmctl experimental config list | Query configurable default settings in ASM. | |
asmctl experimental describe | Describe a specified Kubernetes resource and related ASM configurations. | |
asmctl experimental describe pod | Analyze the Kubernetes services, destination rules, and virtual services that are related to a specified pod, and describe the pod. | |
asmctl experimental describe service | Analyze the pods, destination rules, and virtual services that are related to a specified Kubernetes service, and describe the Kubernetes service. | |
asmctl experimental injector | Query the information about sidecar injection and sidecar injectors. | |
asmctl experimental injector list | Query the information about sidecar injection for the pods in each namespace and the basic information about the sidecar injectors that are used in ASM. | |
asmctl proxy-config | Query the configurations of sidecar proxies in pods. | |
asmctl proxy-config bootstrap | Query the bootstrap configurations of the Envoy instance in a specified pod. | |
asmctl proxy-config cluster | Query the cluster configurations of the Envoy instance in a specified pod. | |
asmctl proxy-config endpoint | Query the endpoint configurations of the Envoy instance in a specified pod. | |
asmctl proxy-config listener | Query the listener configurations of the Envoy instance in a specified pod. | |
asmctl proxy-config log | Query the logging levels of the Envoy instance in a specified pod and optionally update the logging levels. | |
asmctl proxy-config route | Query the route configurations of the Envoy instance in a specified pod. | |
asmctl proxy-config secret | Query the secret configurations of the Envoy instance in a specified pod. | |
asmctl validate | Validate policy and rule files in ASM. |
asmctl analyze
Analyze the control plane configurations of clusters and return the analysis results.
asmctl analyze <file>... [flags]
Flag | Shorthand | Description |
--all-namespaces | -A | Analyzes all namespaces. |
--asmconfig <string> | -m | Specifies the path of the kubeconfig file for the ASM instance. Default value: $HOME/.kube/asmconfig. |
--color | N/A | Specifies whether to return the analysis results in color. Default value: |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--failure-threshold <Level> | N/A | Specifies the severity level of analysis at which a non-zero error code is returned. Valid values: |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--list-analyzers | -L | Queries available analyzers. |
--meshConfigFile <string> | N/A | Specifies the instance configuration file that is used to override the current instance configurations for analysis. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--output <string> | -o | Specifies the format of the returned results. Valid values: |
--output-threshold <Level> | N/A | Specifies the severity level of analysis at which messages are displayed. Valid values: |
--recursive | -R | Recursively processes all files in a specified directory instead of only first-level files. |
--suppress <stringArray> | -S | Suppresses reporting a message code on a specified resource. Valid values must be in the |
--timeout <duration> | N/A | Specifies the duration to wait before a timeout error is returned. When the duration runs out, a timeout error is returned, and analysis results are no longer returned. Default value: |
--use-kube | -k | Specifies whether to perform analysis based on the current cluster and ASM instance. If you want to analyze only files, set this flag to |
--verbose | -v | Returns a verbose analysis procedure. |
The following code provides sample asmctl analyze commands:
# Analyze the control plane configurations of the current cluster and ASM instance.
asmctl analyze
# Analyze the current cluster and ASM instance and simulate the effect of applying the a.yaml file, the b.yaml file, and the configuration files in the my-app-config directory.
asmctl analyze a.yaml b.yaml my-app-config/
# Analyze the current cluster and ASM instance, simulate the effect of applying the a.yaml file, the b.yaml file, and the configuration files in the my-app-config directory, and specify the kubeconfig files of the cluster and ASM instance to be analyzed.
asmctl analyze a.yaml b.yaml my-app-config/ -c ~/.kube/ackconfig1 -m ~/.kube/asmconfig1
# Analyze the current cluster and ASM instance and simulate the effect of applying the configuration files in the my-app-config directory. All configuration files in the my-app-config directory are recursively analyzed.
asmctl analyze --recursive my-istio-config/
# Analyze only the a.yaml file, the b.yaml file, and the YAML files in the my-app-config directory regardless of the configurations of the current cluster and ASM instance.
asmctl analyze --use-kube=false a.yaml b.yaml my-app-config/
# Analyze the current cluster and ASM instance but suppress the PodMissingProxy analysis results for the mypod pod in the testing namespace.
asmctl analyze -S "IST0103=Pod mypod.testing"
# Analyze the current cluster and ASM instance but suppress the PodMissingProxy analysis results for all pods in the testing namespace.
# In addition, suppress the MissplacedAnnotation analysis results for the foobar deployment in the default namespace.
asmctl analyze -S "IST0103=Pod *.testing" -S "IST0107=Deployment foobar.default"
# Query available analyzers.
asmctl analyze -L
asmctl bug-report
Selectively collect the information and logs of clusters and ASM instances and compress the information and logs into a package. This helps you diagnose common issues. The collected information includes the following items:
Configurations and status information of sidecar proxies
Logs that are generated by sidecar proxies
Cluster information
Analysis results that are returned by
analyze
commands
asmctl bug-report [flags]
Flag | Shorthand | Description |
--asmconfig <string> | -m | Specifies the path of the kubeconfig file for the ASM instance. Default value: |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--dir <string> | N/A | Specifies the directory that is used to store temporary output files generated by bug-report commands. By default, this flag is left empty. |
--dry-run | N/A | Does not collect or store logs. |
--duration <duration> | N/A | Specifies the period of time when logs are collected before the current point in time. Default value: |
--end-time <string> | N/A | Specifies the end of the period of time when logs are collected. By default, the end time is the current point in time. |
--exclude <stringSlice> | N/A | Specifies the sidecar proxy logs of pods to be excluded from all sidecar proxy logs. You can set this flag after the |
--filename <string> | -f | Specifies the name of the YAML file that contains bug-report configurations. The file content is applied over the flag settings. By default, this flag is left empty. |
--full-secrets | N/A | Includes secret information in the command output. |
--ignore-errs <stringSlice> | N/A | Specifies the glob patterns that are separated by commas (,), which are used to match ignored log error strings. Errors that match these patterns are ignored when the log importance is calculated. |
--include <stringSlice> | N/A | Specifies the sidecar proxy logs of pods to include in the command output. For more information, see the section below the table. By default, this flag is left empty. |
--istio-namespace <string> | -i | Specifies the namespace where Istio control plane is installed. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--start-time <string> | N/A | Specifies the beginning of the period of time when logs are collected. By default, this flag is left empty, which indicates that logs start to be collected at the earliest. |
--timeout <duration> | N/A | Specifies the maximum amount of time that is used to collect logs. Default value: |
bug-report command for collecting specific sidecar proxy logs
You can set flags in the following format to collect specific sidecar proxy logs:
--include|--exclude
ns1,ns2.../dep1,dep2.../pod1,pod2.../cntr1,cntr.../lbl1=val1,lbl2=val2.../ann1=val1,ann2=val2
The string below include/exclude
specifies the filter conditions for collecting logs. ns
indicates namespaces, dep
indicates deployments, pod
indicates pods, cntr
indicates containers, lbl
indicates labels, and ann
indicates annotations.
The filter conditions are interpreted as (ns1 OR ns2) AND (dep1 OR dep2) AND (cntr1 OR cntr2)……
. The sidecar proxy logs of a pod are included in the package generated by the command only if the pod matches at least one filter condition specified by the include
flag but no filter condition specified by the exclude
flag.
All filter conditions are optional and can be omitted. For example, you can use ns1//pod1
to filter logs by namespace and pod.
All filter names except label and annotation keys support the glob matching pattern. For example, n*//p*/l=v*
is used to match pods that meet the following conditions: the name of the pod starts with p, the name of the namespace where the pod resides starts with n, and the pod has a label with the key of l and the value that starts with v.
asmctl dashboard
Access web UIs that are compatible with the Istio community. asmctl provides dashboard
commands only for Envoy.
asmctl dashboard [flags]
Alternative formats:
asmctl dash [flags]
asmctl d [flags]
Flag | Shorthand | Description |
--address <string> | N/A | Specifies the web UI address to listen on. The value must be localhost or an IP address. If this flag is set to localhost, asmctl tries to bind 127.0.0.1 (IPv4) or ::1 (IPv6). If neither of the addresses are available for binding, the command fails. Default value: |
--browser | N/A | Specifies whether to open a browser. If the |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--port <int> | -p | Specifies the local port of the web UI to listen on. By default, this flag is left empty. |
asmctl dashboard envoy
Open the Envoy admin dashboard for the sidecar proxies of a specified pod.
asmctl dashboard envoy [<type>/]<name>[.<namespace>] [flags]
Flag | Shorthand | Description |
--address <string> | N/A | Specifies the web UI address to listen on. The value must be localhost or an IP address. If this flag is set to localhost, asmctl tries to bind 127.0.0.1 (IPv4) or ::1 (IPv6). If neither of the addresses are available for binding, the command fails. Default value: |
--browser | N/A | Specifies whether to open a browser. If the |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--port <int> | -p | Specifies the local port of the web UI to listen on. Default value: |
--selector <string> | -l | Specifies the label selector for pods. By default, this flag is left empty. If you set this flag, you cannot specify pod names. |
The following code provides sample asmctl dashboard envoy commands:
# Specify a pod based on its name and the namespace to which the pod belongs, and open the Envoy admin dashboard for the sidecar proxies of the pod.
asmctl dashboard envoy productpage-123-456.default
# Specify a pod based on its name and deployment name, and open the Envoy admin dashboard for the sidecar proxies of the pod.
asmctl dashboard envoy deployment/productpage-v1
# Use abbreviated dashboard commands.
asmctl dash envoy productpage-123-456.default
asmctl d envoy productpage-123-456.default
asmctl experimental
asmctl experimental indicates that the commands are being developed. asmctl is compatible with Istioctl 1.9. The compatibility follows the compatibility of ASM with the Istio community. Therefore, asmctl includes the experimental commands of Istioctl 1.9.
Flag | Shorthand | Description |
--asmconfig <string> | -m | Specifies the path of the kubeconfig file for the ASM instance. Default value: |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
asmctl experimental authz
Provide features that are related to authorization policies in ASM.
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
asmctl experimental authz check
Check the sidecar proxy configurations of a specified pod and return all authorization policies that are applied to the sidecar proxies of the pod. The command is helpful for checking the final authorization policy that is applied to a sidecar proxy. The final authorization policy is merged from multiple authorization policies.
If you set the -f flag in the command, the command reads a copy file of sidecar proxy configurations and queries the authorization policies that are specified by the configurations in the file.
asmctl experimental authz check [<type>/]<name>[.<namespace>] [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--file <string> | -f | Specifies the Envoy configuration dump file to be checked, in the JSON format. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
The following code provides sample asmctl experimental authz check commands:
# Check the authorization policies that are applied to the httpbin-88ddbcfdd-nt5jb pod.
asmctl x authz check httpbin-88ddbcfdd-nt5jb
# Check the authorization policies that are applied to the productpage-v1 deployment.
asmctl proxy-status deployment/productpage-v1
# Check the authorization policies in the Envoy configuration dump file httpbin_config_dump.json.
asmctl x authz check -f httpbin_config_dump.json
asmctl experimental config
Provide features that are related to default settings in ASM.
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
asmctl experimental config list
Query configurable default settings in ASM.
asmctl experimental config list [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
asmctl experimental describe
Describe a specified Kubernetes resource and related ASM configurations.
asmctl experimental describe [command] [flags]
Alternative format:
asmctl experimental des [command] [flags]
Flag | Shorthand | Description |
--asmconfig <string> | -m | Specifies the path of the kubeconfig file for the ASM instance. Default value: |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
asmctl experimental describe pod
Analyze the Kubernetes services, destination rules, and virtual services that are related to a specified pod, and describe the pod.
asmctl experimental describe pod <pod> [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--ignoreUnmeshed | N/A | Specifies whether to return alert information for pods that are not added to ASM instances. Default value: |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--asmconfig <string> | -m | Specifies the path of the kubeconfig file for the ASM instance. Default value: |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
The following code provides sample asmctl experimental describe pod commands:
# Describe the productpage-v1-c7765c886-7zzd4 pod.
asmctl experimental describe pod productpage-v1-c7765c886-7zzd4
asmctl experimental describe service
Analyze the pods, destination rules, and virtual services that are related to a specified Kubernetes service, and describe the Kubernetes service.
asmctl experimental describe service <svc> [flags]
Alternative format:
asmctl experimental describe svc <svc> [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--ignoreUnmeshed | N/A | Specifies whether to return alert information for pods that are not added to ASM instances. Default value: |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--asmconfig <string> | -m | Specifies the path of the kubeconfig file for the ASM instance. Default value: |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
The following code provides sample asmctl experimental describe service commands:
# Describe the Kubernetes service of productpage.
asmctl experimental describe service productpage
asmctl experimental injector
Query the information about sidecar injection and sidecar injectors.
asmctl experimental injector [command] [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
asmctl experimental injector list
Query the information about sidecar injection for the pods in each namespace and the basic information about the sidecar injectors that are used in ASM.
asmctl experimental injector list [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
The following code provides sample asmctl experimental injector list commands:
# Query the information about sidecar injection for the pods in each namespace and the basic information about the sidecar injectors that are used in ASM.
asmctl experimental injector list
asmctl proxy-config
Query sidecar proxy configurations in pods.
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--output <string> | -o | Specifies the output format. Valid values: |
asmctl proxy-config bootstrap
Query the information about the bootstrap configurations of the Envoy instance in a specified pod.
asmctl proxy-config bootstrap [<type>/]<name>[.<namespace>] [flags]
Alternative format:
asmctl proxy-config b [<type>/]<name>[.<namespace>] [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--file <string> | -f | Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--output <string> | -o | Specifies the output format. Valid values: |
The following code provides sample asmctl proxy-config bootstrap commands:
# Query the bootstrap configurations of the Envoy instance in a specified pod.
asmctl proxy-config bootstrap <pod-name[.namespace]>
# Query the bootstrap configurations of the Envoy instance from the file without using Kubernetes API.
ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
asmctl proxy-config bootstrap --file envoy-config.json
asmctl proxy-config cluster
Query the cluster configurations of the Envoy instance in a specified pod.
asmctl proxy-config cluster [<type>/]<name>[.<namespace>] [flags]
Alternative formats:
asmctl proxy-config clusters [<type>/]<name>[.<namespace>] [flags]
asmctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--direction <string> | N/A | Filters cluster configurations by the |
--file <string> | -f | Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty. |
--fqdn <string> | N/A | Filters cluster configurations by the |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--output <string> | -o | Specifies the output format. Valid values: |
--port <int> | N/A | Filters cluster configurations by the |
--subset <string> | N/A | Filters cluster configurations by the |
The following code provides sample asmctl proxy-config cluster commands:
# Query the cluster configurations of the Envoy instance in a specified pod.
asmctl proxy-config clusters <pod-name[.namespace]>
# Query the configurations of the clusters with port 9080 for the Envoy instance in a specified pod.
asmctl proxy-config clusters <pod-name[.namespace]> --port 9080
# Query full cluster dump for clusters that are inbound with a fully qualified domain name (FQDN) of details.default.svc.cluster.local.
asmctl proxy-config clusters <pod-name[.namespace]> --fqdn details.default.svc.cluster.local --direction inbound -o json
# Query cluster configurations from the file without using Kubernetes API.
ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
asmctl proxy-config clusters --file envoy-config.json
asmctl proxy-config endpoint
Query the endpoint configurations of the Envoy instance in a specified pod.
asmctl proxy-config endpoint [<type>/]<name>[.<namespace>] [flags]
Alternative formats:
asmctl proxy-config endpoints [<type>/]<name>[.<namespace>] [flags]
asmctl proxy-config ep [<type>/]<name>[.<namespace>] [flags]
Flag | Shorthand | Description |
--address <string> | N/A | Filters endpoint configurations by the |
--cluster <string> | N/A | Filters endpoint configurations by the |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--file <string> | -f | Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--output <string> | -o | Specifies the output format. Valid values: |
--port <int> | N/A | Filters endpoint configurations by the |
--status <string> | N/A | Filters endpoint configurations by the |
The following code provides sample asmctl proxy-config endpoint commands:
# Query the endpoint configurations of the Envoy instance in a specified pod.
asmctl proxy-config endpoint <pod-name[.namespace]>
# Query the configurations of the endpoint with port 9080 for the Envoy instance in a specified pod.
asmctl proxy-config endpoint <pod-name[.namespace]> --port 9080
# Query the configurations of the endpoint with the address of 172.17.0.2 for the Envoy instance in a specified pod.
asmctl proxy-config endpoint <pod-name[.namespace]> --address 172.17.0.2 -o json
# Query the configurations of the endpoint with the cluster name of outbound|9411||zipkin.istio-system.svc.cluster.local for the Envoy instance in a specified pod.
asmctl proxy-config endpoint <pod-name[.namespace]> --cluster "outbound|9411||zipkin.istio-system.svc.cluster.local" -o json
# Query the configurations of the endpoint with the status of healthy for the Envoy instance in a specified pod.
asmctl proxy-config endpoint <pod-name[.namespace]> --status healthy -ojson
# Query endpoint configurations from the file without using Kubernetes API.
ssh <user@hostname> 'curl localhost:15000/clusters?format=json' > envoy-clusters.json
asmctl proxy-config endpoints --file envoy-clusters.json
asmctl proxy-config listener
Query the listener configurations of the Envoy instance in a specified pod.
asmctl proxy-config listener [<type>/]<name>[.<namespace>] [flags]
Alternative formats:
asmctl proxy-config listeners [<type>/]<name>[.<namespace>] [flags]
asmctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
Flag | Shorthand | Description |
--address <string> | N/A | Filters listener configurations by the |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--file <string> | -f | Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--output <string> | -o | Specifies the output format. Valid values: |
--port <int> | N/A | Filters listener configurations by the |
--type <string> | N/A | Filters listener configurations by the |
--verbose | N/A | Specifies whether to query more information. Default value: |
The following code provides sample asmctl proxy-config listener commands:
# Query the listener configurations of the Envoy instance in a specified pod.
asmctl proxy-config listeners <pod-name[.namespace]>
# Query the configurations of the listeners with port 9080 for the Envoy instance in a specified pod.
asmctl proxy-config listeners <pod-name[.namespace]> --port 9080
# Query the configurations of the listeners with a wildcard address of 0.0.0.0 for the Envoy instance in a specified pod.
asmctl proxy-config listeners <pod-name[.namespace]> --type HTTP --address 0.0.0.0 -o json
# Query listener configurations from the file without using Kubernetes API.
ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
asmctl proxy-config listeners --file envoy-config.json
asmctl proxy-config log
Query the logging levels of the Envoy instance in a specified pod and optionally update the logging levels.
asmctl proxy-config log [<type>/]<name>[.<namespace>] [flags]
Alternative format:
asmctl proxy-config o [<type>/]<name>[.<namespace>] [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--level <string> | N/A | Specifies the comma-separated minimum per-logger level of messages, in the |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--output <string> | -o | Specifies the output format. Valid values: |
--reset | -r | Resets the logging levels to the default value of |
--selector <string> | -l | Specifies the label selector. By default, this flag is left empty. |
The following code provides sample asmctl proxy-config log commands:
# Query the logging levels of the Envoy instance in a specified pod.
asmctl proxy-config log <pod-name[.namespace]>
# Update the logging levels of all loggers in the Envoy instance.
asmctl proxy-config log <pod-name[.namespace]> --level none
# Update the logging levels of specified loggers in the Envoy instance.
asmctl proxy-config log <pod-name[.namespace]> --level http:debug,redis:debug
# Reset the logging levels of all loggers in the Envoy instance to the default value of warning.
asmctl proxy-config log <pod-name[.namespace]> -r
asmctl proxy-config route
Query the route configurations of the Envoy instance in a specified pod.
asmctl proxy-config route [<type>/]<name>[.<namespace>] [flags]
Alternative formats:
asmctl proxy-config routes [<type>/]<name>[.<namespace>] [flags]
asmctl proxy-config r [<type>/]<name>[.<namespace>] [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--file <string> | -f | Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--name <string> | N/A | Filters route configurations by the |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--output <string> | -o | Specifies the output format. Valid values: |
--verbose | N/A | Specifies whether to query more information. Default value: |
The following code provides sample asmctl proxy-config route commands:
# Query the route configurations of the Envoy instance in a specified pod.
asmctl proxy-config routes <pod-name[.namespace]>
# Query the configurations of the route with port 9080 in a specified Envoy instance.
asmctl proxy-config route <pod-name[.namespace]> --port 9080
# Query the configurations of the route with port 9080 in a specified Envoy instance and the full route dump.
asmctl proxy-config route <pod-name[.namespace]> --name 9080 -o json
# Query route configurations from the file without using Kubernetes API.
ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
asmctl proxy-config listeners --file envoy-config.json
asmctl proxy-config secret
Query the secret configurations of the Envoy instance in a specified pod.
asmctl proxy-config secret [<type>/]<name>[.<namespace>] [flags]
Alternative formats:
asmctl proxy-config secrets [<type>/]<name>[.<namespace>] [flags]
asmctl proxy-config s [<type>/]<name>[.<namespace>] [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--file <string> | -f | Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--kubeconfig <string> | -c | Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty. |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
--output <string> | -o | Specifies the output format. Valid values: |
The following code provides sample asmctl proxy-config secret commands:
# Query the secret configurations of the Envoy instance in a specified pod.
asmctl proxy-config secret <pod-name[.namespace]>
# Query secret configurations from the file without using Kubernetes API.
ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
asmctl proxy-config listeners --file envoy-config.json
asmctl validate
Validate policy and rule files in ASM.
asmctl validate -f FILENAME [options] [flags]
Alternative format:
asmctl v -f FILENAME [options] [flags]
Flag | Shorthand | Description |
--context <string> | N/A | Specifies the name of the kubeconfig context to be used. By default, this flag is left empty. |
--file <string> | -f | Specifies the name of the ASM policy and rule file to be validated. |
--istioNamespace <string> | -i | Specifies the namespace of Istio. Default value: |
--namespace <string> | -n | Specifies the namespace on which the command is run. By default, this flag is left empty. |
The following code provides sample asmctl validate commands:
# Validate the bookinfo-gateway.yaml file.
asmctl validate -f samples/bookinfo/networking/bookinfo-gateway.yaml
# Validate the bookinfo-gateway.yaml file by using an abbreviated command.
asmctl v -f samples/bookinfo/networking/bookinfo-gateway.yaml
# Validate all deployments in the default namespace.
asmctl get deployments -o yaml | asmctl validate -f -
# Validate all services in the default namespace.
asmctl get services -o yaml | asmctl validate -f -