• Attribute Vocabulary
    • Timestamp and duration attributes format

    Attribute Vocabulary

    Attributes are a central concept used throughout Istio. You can find a description of what attributes areand what they are used for here.

    A given Istio deployment has a fixed vocabulary of attributes that it understands. The specific vocabulary isdetermined by the set of attribute producers being used in the deployment. The primary attribute producer in Istiois Envoy, although Mixer and services can also introduce attributes.

    The table below shows the set of canonical attributes and their respective types. Most Istiodeployments will have agents (Envoy or Mixer adapters) that produce these attributes.

    NameTypeDescriptionKubernetes Example
    source.uidstringPlatform-specific unique identifier for the source workload instance.kubernetes://redis-master-2353460263-1ecey.my-namespace
    source.ipip_addressSource workload instance IP address.10.0.0.117
    source.labelsmap[string, string]A map of key-value pairs attached to the source instance.version => v1
    source.namestringSource workload instance name.redis-master-2353460263-1ecey
    source.namespacestringSource workload instance namespace.my-namespace
    source.principalstringAuthority under which the source workload instance is running.service-account-foo
    source.ownerstringReference to the workload controlling the source workload instance.kubernetes://apis/extensions/v1beta1/namespaces/istio-system/deployments/istio-policy
    source.workload.uidstringUnique identifier of the source workload.istio://istio-system/workloads/istio-policy
    source.workload.namestringSource workload name.istio-policy
    source.workload.namespacestringSource workload namespace.istio-system
    destination.uidstringPlatform-specific unique identifier for the server instance.kubernetes://my-svc-234443-5sffe.my-namespace
    destination.ipip_addressServer IP address.10.0.0.104
    destination.portint64The recipient port on the server IP address.8080
    destination.labelsmap[string, string]A map of key-value pairs attached to the server instance.version => v2
    destination.namestringDestination workload instance name.istio-telemetry-2359333
    destination.namespacestringDestination workload instance namespace.istio-system
    destination.principalstringAuthority under which the destination workload instance is running.service-account
    destination.ownerstringReference to the workload controlling the destination workload instance.kubernetes://apis/extensions/v1beta1/namespaces/istio-system/deployments/istio-telemetry
    destination.workload.uidstringUnique identifier of the destination workload.istio://istio-system/workloads/istio-telemetry
    destination.workload.namestringDestination workload name.istio-telemetry
    destination.workload.namespacestringDestination workload namespace.istio-system
    destination.container.namestringName of the destination workload instance’s container.mixer
    destination.container.imagestringImage of the destination workload instance’s container.gcr.io/istio-testing/mixer:0.8.0
    destination.service.hoststringDestination host address.istio-telemetry.istio-system.svc.cluster.local
    destination.service.uidstringUnique identifier of the destination service.istio://istio-system/services/istio-telemetry
    destination.service.namestringDestination service name.istio-telemetry
    destination.service.namespacestringDestination service namespace.istio-system
    origin.ipip_addressIP address of the proxy client, e.g. origin for the ingress proxies.127.0.0.1
    request.headersmap[string, string]HTTP request headers with lowercase keys. For gRPC, its metadata will be here.
    request.idstringAn ID for the request with statistically low probability of collision.
    request.pathstringThe HTTP URL path including query string
    request.url_pathstringThe path part of HTTP URL, with query string being stripped
    request.query_paramsmap[string, string]A map of query parameters extracted from the HTTP URL.
    request.hoststringHTTP/1.x host header or HTTP/2 authority header.redis-master:3337
    request.methodstringThe HTTP method.
    request.reasonstringThe request reason used by auditing systems.
    request.refererstringThe HTTP referer header.
    request.schemestringURI Scheme of the request
    request.sizeint64Size of the request in bytes. For HTTP requests this is equivalent to the Content-Length header.
    request.total_sizeint64Total size of HTTP request in bytes, including request headers, body and trailers.
    request.timetimestampThe timestamp when the destination receives the request. This should be equivalent to Firebase “now”.
    request.useragentstringThe HTTP User-Agent header.
    response.headersmap[string, string]HTTP response headers with lowercase keys.
    response.sizeint64Size of the response body in bytes
    response.total_sizeint64Total size of HTTP response in bytes, including response headers and body.
    response.timetimestampThe timestamp when the destination produced the response.
    response.durationdurationThe amount of time the response took to generate.
    response.codeint64The response’s HTTP status code.
    response.grpc_statusstringThe response’s gRPC status.
    response.grpc_messagestringThe response’s gRPC status message.
    connection.idstringAn ID for a TCP connection with statistically low probability of collision.
    connection.eventstringStatus of a TCP connection, its value is one of “open”, “continue” and “close”.
    connection.received.bytesint64Number of bytes received by a destination service on a connection since the last Report() for a connection.
    connection.received.bytes_totalint64Total number of bytes received by a destination service during the lifetime of a connection.
    connection.sent.bytesint64Number of bytes sent by a destination service on a connection since the last Report() for a connection.
    connection.sent.bytes_totalint64Total number of bytes sent by a destination service during the lifetime of a connection.
    connection.durationdurationThe total amount of time a connection has been open.
    connection.mtlsbooleanIndicates whether a request is received over a mutual TLS enabled downstream connection.
    connection.requested_server_namestringThe requested server name (SNI) of the connection
    context.protocolstringProtocol of the request or connection being proxied.tcp
    context.timetimestampThe timestamp of Mixer operation.
    context.reporter.kindstringContextualizes the reported attribute set. Set to inbound for the server-side calls from sidecars and outbound for the client-side calls from sidecars and gatewaysinbound
    context.reporter.uidstringPlatform-specific identifier of the attribute reporter.kubernetes://my-svc-234443-5sffe.my-namespace
    context.proxy_error_codestringAdditional details about the response or connection from proxy. In case of Envoy, see %RESPONSE_FLAGS% in Envoy Access Log for more detailUH
    api.servicestringThe public service name. This is different than the in-mesh service identity and reflects the name of the service exposed to the client.my-svc.com
    api.versionstringThe API version.v1alpha1
    api.operationstringUnique string used to identify the operation. The id is unique among all operations described in a specific <service, version>.getPetsById
    api.protocolstringThe protocol type of the API call. Mainly for monitoring/analytics. Note that this is the frontend protocol exposed to the client, not the protocol implemented by the backend service.http, https, or grpc
    request.auth.principalstringThe authenticated principal of the request. This is a string of the issuer (iss) and subject (sub) claims within a JWT concatenated with “/” with a percent-encoded subject value. This attribute may come from the peer or the origin in the Istio authentication policy, depending on the binding rule defined in the Istio authentication policy.issuer@foo.com/sub@foo.com
    request.auth.audiencesstringThe intended audience(s) for this authentication information. This should reflect the audience (aud) claim within a JWT.aud1
    request.auth.presenterstringThe authorized presenter of the credential. This value should reflect the optional Authorized Presenter (azp) claim within a JWT or the OAuth2 client id.123456789012.my-svc.com
    request.auth.claimsmap[string, string]all raw string claims from the origin JWTiss: issuer@foo.com, sub: sub@foo.com, aud: aud1
    request.api_keystringThe API key used for the request.abcde12345
    check.error_codeint64The error code for Mixer Check call.5
    check.error_messagestringThe error message for Mixer Check call.Could not find the resource
    check.cache_hitbooleanIndicates whether Mixer check call hits local cache.
    quota.cache_hitbooleanIndicates whether Mixer quota call hits local cache.

    Timestamp and duration attributes format

    Timestamp attributes are represented in the RFC 3339 format. When operating with timestamp attributes, you can use the timestamp function defined in CEXL to convert a textual timestamp in RFC 3339 format into the TIMESTAMP type, for example: request.time | timestamp("2018-01-01T22:08:41+00:00"), response.time > timestamp("2020-02-29T00:00:00-08:00").

    Duration attributes represent an amount of time, expressed as a series of decimal numbers with an optional fractional part denoted with a period, and a unit value. The possible unit values are ns for nanoseconds, us (or µs) for microseconds, ms for milliseconds, s for seconds, m for minutes, h for hours. For example:

    • 1ms represents 1 millisecond
    • 2.3s represents 2.3 seconds
    • 4m represents 4 minutes
    • 5h10m represents 5 hours and 10 minutes