This topic describes common asmctl commands.

Compatibility

Alibaba Cloud Service Mesh (ASM) does not guarantee compatibility with Istioctl, the CLI that is provided by the Istio community. Instead, ASM provides asmctl, which supports a subset of Istioctl commands.

You can use asmctl in Container Service for Kubernetes (ACK) clusters and ASM instances of the following versions:
  • Standard ASM instances whose version is v1.8.6.49-gda24841c-aliyun or later
  • Professional managed ACK clusters whose version is v1.20.4-aliyun-1 or later

If you use asmctl in ASM instances whose version is earlier than v1.8.6.49-gda24841c-aliyun, specific commands may be unavailable.

Limits

asmctl commands are compatible with Istioctl 1.9 that is provided by the Istio community. asmctl supports only a subset of Istioctl commands because ASM is a managed cloud service. The following table describes the Istioctl commands that are unavailable in asmctl and the reasons for unavailability.

Command Reason for unavailability
dashboard commands except for dashboard envoy The control plane of ASM is managed by Alibaba Cloud. You cannot use a CLI to build observability for ASM instances or the core components of the control plane.
create-remote-secret The control plane of ASM is managed by Alibaba Cloud. You cannot create a secret for the control plane to access remote Kubernetes clusters.
istiod The control plane of ASM is managed by Alibaba Cloud. You cannot use a CLI to manage the core components of the control plane.
metrics The control plane of ASM is managed by Alibaba Cloud. You cannot use a CLI to build observability for ASM instances or the core components of the control plane.
precheck The control plane of ASM is managed by Alibaba Cloud. asmctl does not need to provide features to check the compatibility with Istio.
proxy-status The control plane of ASM is managed by Alibaba Cloud. You cannot use a CLI to query the status of the control plane. You can view the status of ASM instances on the Overview page in the ASM console.
uninstall and install The control plane of ASM is managed by Alibaba Cloud. You cannot install or uninstall the control plane.
version You cannot use a CLI to query the version information about ASM instances. You can view the basic information about ASM instances in the ASM console.
wait The control plane of ASM is managed by Alibaba Cloud. You cannot use a CLI to query the status of the control plane.
manifest, operator, profile, upgrade, and verify-install The control plane of ASM is managed by Alibaba Cloud. You cannot use asmctl to install Istio for your clusters.
kube-inject, kube-uninject, workload, add-to-mesh, and remove-from-mesh asmctl is in early development and does not provide commands that may change cluster configurations.

Overview of asmctl commands

Command Description References
asmctl analyze Analyze the control plane configurations of clusters and return the analysis results. asmctl analyze
asmctl bug-report Selectively collect the information and logs of clusters and ASM instances and compress the information and logs into a package. This helps you diagnose common issues. asmctl bug-report
asmctl dashboard Access web UIs that are compatible with the Istio community. asmctl dashboard
asmctl dashboard envoy Open the Envoy admin dashboard for the sidecar proxies of a specified pod. asmctl dashboard envoy
asmctl experimental These commands are being developed. asmctl experimental
asmctl experimental authz Provide features that are related to the authorization policies of ASM. asmctl experimental authz
asmctl experimental authz check Check the sidecar proxy configurations of a specified pod and return all authorization policies that are applied to the sidecar proxies of the pod. asmctl experimental authz check
asmctl experimental config Provide features that are related to default settings in ASM. asmctl experimental config
asmctl experimental config list Query configurable default settings in ASM. asmctl experimental config list
asmctl experimental describe Describe a specified Kubernetes resource and related ASM configurations. asmctl experimental describe
asmctl experimental describe pod Analyze the Kubernetes services, destination rules, and virtual services that are related to a specified pod, and describe the pod. asmctl experimental describe pod
asmctl experimental describe service Analyze the pods, destination rules, and virtual services that are related to a specified Kubernetes service, and describe the Kubernetes service. asmctl experimental describe service
asmctl experimental injector Query the information about sidecar injection and sidecar injectors. asmctl experimental injector
asmctl experimental injector list Query the information about sidecar injection for the pods in each namespace and the basic information about the sidecar injectors that are used in ASM. asmctl experimental injector list
asmctl proxy-config Query the configurations of sidecar proxies in pods. asmctl proxy-config
asmctl proxy-config bootstrap Query the bootstrap configurations of the Envoy instance in a specified pod. asmctl proxy-config bootstrap
asmctl proxy-config cluster Query the cluster configurations of the Envoy instance in a specified pod. asmctl proxy-config cluster
asmctl proxy-config endpoint Query the endpoint configurations of the Envoy instance in a specified pod. asmctl proxy-config endpoint
asmctl proxy-config listener Query the listener configurations of the Envoy instance in a specified pod. asmctl proxy-config listener
asmctl proxy-config log Query the logging levels of the Envoy instance in a specified pod and optionally update the logging levels. asmctl proxy-config log
asmctl proxy-config route Query the route configurations of the Envoy instance in a specified pod. asmctl proxy-config route
asmctl proxy-config secret Query the secret configurations of the Envoy instance in a specified pod. asmctl proxy-config secret
asmctl validate Validate policy and rule files in ASM. asmctl validate

asmctl analyze

Analyze the control plane configurations of clusters and return the analysis results.
asmctl analyze <file>... [flags]
Flag Shorthand Description
--all-namespaces -A Analyzes all namespaces.
--asmconfig <string> -m Specifies the path of the kubeconfig file for the ASM instance. Default value: $HOME/.kube/asmconfig.
--color N/A Specifies whether to return the analysis results in color. Default value: true. You can set the value to false.
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--failure-threshold <Level> N/A Specifies the severity level of analysis at which a non-zero error code is returned. Valid values: Info, Warning, and Error. Default value: Error.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--list-analyzers -L Queries available analyzers.
--meshConfigFile <string> N/A Specifies the instance configuration file that is used to override the current instance configurations for analysis. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--output <string> -o Specifies the format of the returned results. Valid values: log, json, and yaml. By default, this flag is left empty.
--output-threshold <Level> N/A Specifies the severity level of analysis at which messages are displayed. Valid values: Info, Warning, and Error. Default value: Info.
--recursive -R Recursively processes all files in a specified directory instead of only first-level files.
--suppress <stringArray> -S Suppresses reporting a message code on a specified resource. Valid values must be in the <code>=<resource> format, such as --suppress "IST0102=DestinationRule primary-dr.default". You can set this flag multiple times and include a wildcard character (*) to support a partial match. For example, you can set this flag to --suppress "IST0102=DestinationRule *.default". Default value: [].
--timeout <duration> N/A Specifies the duration to wait before a timeout error is returned. When the duration runs out, a timeout error is returned, and analysis results are no longer returned. Default value: 30s.
--use-kube -k Specifies whether to perform analysis based on the current cluster and ASM instance. If you want to analyze only files, set this flag to false.
--verbose -v Returns a verbose analysis procedure.

The following code provides sample asmctl analyze commands:

# Analyze the control plane configurations of the current cluster and ASM instance. 
asmctl analyze

# Analyze the current cluster and ASM instance and simulate the effect of applying the a.yaml file, the b.yaml file, and the configuration files in the my-app-config directory. 
asmctl analyze a.yaml b.yaml my-app-config/

# Analyze the current cluster and ASM instance, simulate the effect of applying the a.yaml file, the b.yaml file, and the configuration files in the my-app-config directory, and specify the kubeconfig files of the cluster and ASM instance to be analyzed. 
asmctl analyze a.yaml b.yaml my-app-config/ -c ~/.kube/ackconfig1 -m ~/.kube/asmconfig1

# Analyze the current cluster and ASM instance and simulate the effect of applying the configuration files in the my-app-config directory. All configuration files in the my-app-config directory are recursively analyzed. 
asmctl analyze --recursive my-app-config/

# Analyze only the a.yaml file, the b.yaml file, and the YAML files in the my-app-config directory regardless of the configurations of the current cluster and ASM instance.
asmctl analyze --use-kube=false a.yaml b.yaml my-app-config/

# Analyze the current cluster and ASM instance but suppress the PodMissingProxy analysis results for the mypod pod in the testing namespace. 
asmctl analyze -S "IST0103=Pod mypod.testing"

# Analyze the current cluster and ASM instance but suppress the PodMissingProxy analysis results for all pods in the testing namespace. 
# In addition, suppress the MisplacedAnnotation analysis results for the foobar deployment in the default namespace. 
asmctl analyze -S "IST0103=Pod *.testing" -S "IST0107=Deployment foobar.default"

# Query available analyzers. 
asmctl analyze -L

asmctl bug-report

Selectively collect the information and logs of clusters and ASM instances and compress the information and logs into a package. This helps you diagnose common issues. The collected information includes the following items:
  • Configurations and status information of sidecar proxies
  • Logs that are generated by sidecar proxies
  • Cluster information
  • Analysis results that are returned by analyze commands
asmctl bug-report [flags]
Flag Shorthand Description
--asmconfig <string> -m Specifies the path of the kubeconfig file for the ASM instance. Default value: $HOME/.kube/asmconfig.
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--dir <string> N/A Specifies the directory that is used to store temporary output files generated by bug-report commands. By default, this flag is left empty.
--dry-run N/A Does not collect or store logs.
--duration <duration> N/A Specifies the period of time when logs are collected before the current point in time. Default value: 0s, which indicates an infinite period of time. If you set this flag, you must not set the start-time flag.
--end-time <string> N/A Specifies the end of the period of time when logs are collected. By default, the end time is the current point in time.
--exclude <stringSlice> N/A Specifies the sidecar proxy logs of pods to be excluded from all sidecar proxy logs. You can set this flag after the include flag is set. For more information, see the section below the table. By default, the pods in the kube-system, kube-public, kube-node-lease, and local-path-storage namespaces are excluded.
--filename <string> -f Specifies the name of the YAML file that contains bug-report configurations. The file content is applied over the flag settings. By default, this flag is left empty.
--full-secrets N/A Includes secret information in the command output.
--ignore-errs <stringSlice> N/A Specifies the glob patterns that are separated by commas (,), which are used to match ignored log error strings. Errors that match these patterns are ignored when the log importance is calculated.
--include <stringSlice> N/A Specifies the sidecar proxy logs of pods to include in the command output. For more information, see the section below the table. By default, this flag is left empty.
--istio-namespace <string> -i Specifies the namespace where Istio control plane is installed. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--start-time <string> N/A Specifies the beginning of the period of time when logs are collected. By default, this flag is left empty, which indicates that logs start to be collected at the earliest.
--timeout <duration> N/A Specifies the maximum amount of time that is used to collect logs. Default value: 30m0s. If log collection times out, only logs collected before the timeout are saved to the command output.

bug-report command for collecting specific sidecar proxy logs

You can set flags in the following format to collect specific sidecar proxy logs:
--include|--exclude 
ns1,ns2.../dep1,dep2.../pod1,pod2.../cntr1,cntr.../lbl1=val1,lbl2=val2.../ann1=val1,ann2=val2

The string that follows --include or --exclude specifies the filter conditions for collecting logs. ns indicates namespaces, dep indicates deployments, pod indicates pods, cntr indicates containers, lbl indicates labels, and ann indicates annotations.

The filter conditions are interpreted as (ns1 OR ns2) AND (dep1 OR dep2) AND (cntr1 OR cntr2) and so on. The sidecar proxy logs of a pod are included in the package generated by the command only if the pod matches at least one filter condition specified by the include flag but no filter condition specified by the exclude flag.

All filter conditions are optional and can be omitted. For example, you can use ns1//pod1 to filter logs by namespace and pod.

All filter names except label and annotation keys support the glob matching pattern. For example, n*//p*/l=v* is used to match pods that meet the following conditions: the name of the pod starts with p, the name of the namespace where the pod resides starts with n, and the pod has a label with the key of l and the value that starts with v.
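The include/exclude rule described above can be previewed offline before bug-report is run, which helps keep the logs of sensitive workloads out of a support package. The following Python model is an added example, not asmctl code. It uses the field order from the format line, and it assumes that labels and annotations are OR-ed within their field like the other fields and that an empty include list selects everything; the inventory is constructed sample data.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Field order taken from the format line on this page.
FIELDS = ("namespaces", "deployments", "pods", "containers", "labels", "annotations")
# Namespaces the page lists as excluded by default.
DEFAULT_EXCLUDE = "kube-system,kube-public,kube-node-lease,local-path-storage"


@dataclass
class Target:
    """One container whose logs could be collected (hypothetical model)."""
    namespace: str
    deployment: str
    pod: str
    container: str
    labels: dict = field(default_factory=dict)
    annotations: dict = field(default_factory=dict)


def parse_spec(spec):
    """Split 'ns/dep/pod/cntr/lbl=val/ann=val' into per-field pattern lists.

    Omitted or empty fields become empty lists, which match anything.
    """
    parts = spec.split("/")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many '/'-separated fields in {spec!r}")
    parts += [""] * (len(FIELDS) - len(parts))
    parsed = {}
    for name, raw in zip(FIELDS, parts):
        items = [i.strip() for i in raw.split(",") if i.strip()]
        if name in ("labels", "annotations"):
            pairs = []
            for item in items:
                key, sep, value = item.partition("=")
                if not sep or not key:
                    raise ValueError(f"{name} entry {item!r} is not key=value")
                pairs.append((key, value))
            items = pairs
        parsed[name] = items
    return parsed


def _any_glob(value, patterns):
    # OR within one field; an empty field places no constraint.
    return not patterns or any(fnmatchcase(value, p) for p in patterns)


def _any_pair(actual, pairs):
    # Keys are compared exactly, values support glob patterns.
    # Assumption: pairs in one field are OR-ed, like the other fields.
    return not pairs or any(k in actual and fnmatchcase(actual[k], v) for k, v in pairs)


def matches(spec, t):
    """AND across fields, as in (ns1 OR ns2) AND (dep1 OR dep2) AND ..."""
    return (
        _any_glob(t.namespace, spec["namespaces"])
        and _any_glob(t.deployment, spec["deployments"])
        and _any_glob(t.pod, spec["pods"])
        and _any_glob(t.container, spec["containers"])
        and _any_pair(t.labels, spec["labels"])
        and _any_pair(t.annotations, spec["annotations"])
    )


def preview(inventory, includes, excludes):
    """Return 'ns/pod/container' for every target whose logs would be kept.

    Assumption: an empty include list selects everything. Whether asmctl keeps
    its default excludes when --exclude is set is not stated on the page, so
    the caller passes DEFAULT_EXCLUDE explicitly when it should apply.
    """
    inc = [parse_spec(s) for s in includes]
    exc = [parse_spec(s) for s in excludes]
    picked = []
    for t in inventory:
        included = any(matches(s, t) for s in inc) if inc else True
        if included and not any(matches(s, t) for s in exc):
            picked.append(f"{t.namespace}/{t.pod}/{t.container}")
    return picked


# Constructed sample inventory (not real cluster data).
INVENTORY = [
    Target("prod", "payments", "payments-7d9f-abcde", "istio-proxy", {"app": "payments", "tier": "pci"}),
    Target("prod", "payments", "payments-7d9f-abcde", "app", {"app": "payments", "tier": "pci"}),
    Target("prod", "web", "web-5c6b-xyz12", "istio-proxy", {"app": "web"}),
    Target("staging", "web", "web-1111-qqqqq", "istio-proxy", {"app": "web"}),
    Target("kube-system", "coredns", "coredns-abc", "coredns"),
]

if __name__ == "__main__":
    # Collect sidecar logs from prod and staging, but nothing labelled tier=pci.
    for line in preview(INVENTORY, ["prod,staging///istio-proxy"],
                        [DEFAULT_EXCLUDE, "////tier=pci"]):
        print(line)
```

The same preview shows which workloads a bug-report run would reach if the include filter were left empty.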

asmctl dashboard

Access web UIs that are compatible with the Istio community. asmctl provides dashboard commands only for Envoy.

asmctl dashboard [flags]

Alternative formats:

asmctl dash [flags]
asmctl d [flags]
Flag Shorthand Description
--address <string> N/A Specifies the web UI address to listen on. The value must be localhost or an IP address. If this flag is set to localhost, asmctl tries to bind 127.0.0.1 (IPv4) or ::1 (IPv6). If neither of the addresses is available for binding, the command fails. Default value: localhost.
--browser N/A Specifies whether to open a browser. If the browser flag is set to false, asmctl does not open a browser. Default value: true.
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--port <int> -p Specifies the local port of the web UI to listen on. By default, this flag is left empty.

asmctl dashboard envoy

Open the Envoy admin dashboard for the sidecar proxies of a specified pod.

asmctl dashboard envoy [<type>/]<name>[.<namespace>] [flags]
Flag Shorthand Description
--address <string> N/A Specifies the web UI address to listen on. The value must be localhost or an IP address. If this flag is set to localhost, asmctl tries to bind 127.0.0.1 (IPv4) or ::1 (IPv6). If neither of the addresses is available for binding, the command fails. Default value: localhost.
--browser N/A Specifies whether to open a browser. If the browser flag is set to false, asmctl does not open a browser. Default value: true.
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--port <int> -p Specifies the local port of the web UI to listen on. Default value: 0.
--selector <string> -l Specifies the label selector for pods. By default, this flag is left empty. If you set this flag, you cannot specify pod names.

The following code provides sample asmctl dashboard envoy commands:

# Specify a pod based on its name and the namespace to which the pod belongs, and open the Envoy admin dashboard for the sidecar proxies of the pod. 
asmctl dashboard envoy productpage-123-456.default

# Specify a pod by the name of its deployment, and open the Envoy admin dashboard for the sidecar proxies of the pod. 
asmctl dashboard envoy deployment/productpage-v1

# Use abbreviated dashboard commands. 
asmctl dash envoy productpage-123-456.default
asmctl d envoy productpage-123-456.default

asmctl experimental

asmctl experimental indicates that the commands are being developed. asmctl is compatible with Istioctl 1.9. The compatibility follows the compatibility of ASM with the Istio community. Therefore, asmctl includes the experimental commands of Istioctl 1.9.

Flag Shorthand Description
--asmconfig <string> -m Specifies the path of the kubeconfig file for the ASM instance. Default value: $HOME/.kube/asmconfig.
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.

asmctl experimental authz

Provide features that are related to authorization policies in ASM.

Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.

asmctl experimental authz check

Check the sidecar proxy configurations of a specified pod and return all authorization policies that are applied to the sidecar proxies of the pod. The command is helpful for checking the final authorization policy that is applied to a sidecar proxy. The final authorization policy is merged from multiple authorization policies.

If you set the -f flag in the command, the command reads an Envoy configuration dump file instead of querying the pod, and returns the authorization policies that are specified by the configurations in the file.
asmctl experimental authz check [<type>/]<name>[.<namespace>] [flags]
Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--file <string> -f Specifies the Envoy configuration dump file to be checked, in the JSON format. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.

The following code provides sample asmctl experimental authz check commands:

# Check the authorization policies that are applied to the httpbin-88ddbcfdd-nt5jb pod. 
asmctl x authz check httpbin-88ddbcfdd-nt5jb

# Check the authorization policies that are applied to the productpage-v1 deployment. 
asmctl x authz check deployment/productpage-v1

# Check the authorization policies in the Envoy configuration dump file httpbin_config_dump.json. 
asmctl x authz check -f httpbin_config_dump.json

asmctl experimental config

Provide features that are related to default settings in ASM.

Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.

asmctl experimental config list

Query configurable default settings in ASM.
asmctl experimental config list [flags]
Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.

asmctl experimental describe

Describe a specified Kubernetes resource and related ASM configurations.

asmctl experimental describe [command] [flags]

Alternative format:

asmctl experimental des [command] [flags]
Flag Shorthand Description
--asmconfig <string> -m Specifies the path of the kubeconfig file for the ASM instance. Default value: $HOME/.kube/asmconfig.
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.

asmctl experimental describe pod

Analyze the Kubernetes services, destination rules, and virtual services that are related to a specified pod, and describe the pod.

asmctl experimental describe pod <pod> [flags]
Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--ignoreUnmeshed N/A Specifies whether to return alert information for pods that are not added to ASM instances. Default value: false.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--asmconfig <string> -m Specifies the path of the kubeconfig file for the ASM instance. Default value: $HOME/.kube/asmconfig.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.

The following code provides sample asmctl experimental describe pod commands:

# Describe the productpage-v1-c7765c886-7zzd4 pod. 
asmctl experimental describe pod productpage-v1-c7765c886-7zzd4

asmctl experimental describe service

Analyze the pods, destination rules, and virtual services that are related to a specified Kubernetes service, and describe the Kubernetes service.

asmctl experimental describe service <svc> [flags]

Alternative format:

asmctl experimental describe svc <svc> [flags]
Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--ignoreUnmeshed N/A Specifies whether to return alert information for pods that are not added to ASM instances. Default value: false.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--asmconfig <string> -m Specifies the path of the kubeconfig file for the ASM instance. Default value: $HOME/.kube/asmconfig.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.

The following code provides sample asmctl experimental describe service commands:

# Describe the Kubernetes service of productpage. 
asmctl experimental describe service productpage

asmctl experimental injector

Query the information about sidecar injection and sidecar injectors.

asmctl experimental injector [command] [flags]
Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.

asmctl experimental injector list

Query the information about sidecar injection for the pods in each namespace and the basic information about the sidecar injectors that are used in ASM.
asmctl experimental injector list [flags]
Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.

The following code provides sample asmctl experimental injector list commands:

# Query the information about sidecar injection for the pods in each namespace and the basic information about the sidecar injectors that are used in ASM. 
asmctl experimental injector list

asmctl proxy-config

Query sidecar proxy configurations in pods.

Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--output <string> -o Specifies the output format. Valid values: json and short. Default value: short.

asmctl proxy-config bootstrap

Query the information about the bootstrap configurations of the Envoy instance in a specified pod.

asmctl proxy-config bootstrap [<type>/]<name>[.<namespace>] [flags]

Alternative format:

asmctl proxy-config b [<type>/]<name>[.<namespace>] [flags]
Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--file <string> -f Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--output <string> -o Specifies the output format. Valid values: json and short. Default value: short.

The following code provides sample asmctl proxy-config bootstrap commands:

# Query the bootstrap configurations of the Envoy instance in a specified pod. 
asmctl proxy-config bootstrap <pod-name[.namespace]>

# Query the bootstrap configurations of the Envoy instance from a file without using the Kubernetes API. 
ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
asmctl proxy-config bootstrap --file envoy-config.json

asmctl proxy-config cluster

Query the cluster configurations of the Envoy instance in a specified pod.

asmctl proxy-config cluster [<type>/]<name>[.<namespace>] [flags]

Alternative formats:

asmctl proxy-config clusters [<type>/]<name>[.<namespace>] [flags]
asmctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--direction <string> N/A Filters cluster configurations by the Direction field. By default, this flag is left empty.
--file <string> -f Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty.
--fqdn <string> N/A Filters cluster configurations by the Service FQDN field. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--output <string> -o Specifies the output format. Valid values: json and short. Default value: short.
--port <int> N/A Filters cluster configurations by the Port field. By default, this flag is left empty.
--subset <string> N/A Filters cluster configurations by the Subset field. By default, this flag is left empty.

The following code provides sample asmctl proxy-config cluster commands:

# Query the cluster configurations of the Envoy instance in a specified pod. 
asmctl proxy-config clusters <pod-name[.namespace]>

# Query the configurations of the clusters with port 9080 for the Envoy instance in a specified pod. 
asmctl proxy-config clusters <pod-name[.namespace]> --port 9080

# Query the full dump of the inbound clusters whose fully qualified domain name (FQDN) is details.default.svc.cluster.local. 
asmctl proxy-config clusters <pod-name[.namespace]> --fqdn details.default.svc.cluster.local --direction inbound -o json

# Query cluster configurations from a file without using the Kubernetes API. 
ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
asmctl proxy-config clusters --file envoy-config.json

asmctl proxy-config endpoint

Query the endpoint configurations of the Envoy instance in a specified pod.

asmctl proxy-config endpoint [<type>/]<name>[.<namespace>] [flags]

Alternative formats:

asmctl proxy-config endpoints [<type>/]<name>[.<namespace>] [flags]
asmctl proxy-config ep [<type>/]<name>[.<namespace>] [flags]
Flag Shorthand Description
--address <string> N/A Filters endpoint configurations by the address field. By default, this flag is left empty.
--cluster <string> N/A Filters endpoint configurations by the cluster name field. By default, this flag is left empty.
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--file <string> -f Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--output <string> -o Specifies the output format. Valid values: json and short. Default value: short.
--port <int> N/A Filters endpoint configurations by the Port field. By default, this flag is left empty.
--status <string> N/A Filters endpoint configurations by the status field. By default, this flag is left empty.

The following code provides sample asmctl proxy-config endpoint commands:

# Query the endpoint configurations of the Envoy instance in a specified pod. 
asmctl proxy-config endpoint <pod-name[.namespace]>

# Query the configurations of the endpoint with port 9080 for the Envoy instance in a specified pod. 
asmctl proxy-config endpoint <pod-name[.namespace]> --port 9080

# Query the configurations of the endpoint with the address of 172.17.0.2 for the Envoy instance in a specified pod. 
asmctl proxy-config endpoint <pod-name[.namespace]> --address 172.17.0.2 -o json

# Query the configurations of the endpoint with the cluster name of outbound|9411||zipkin.istio-system.svc.cluster.local for the Envoy instance in a specified pod. 
asmctl proxy-config endpoint <pod-name[.namespace]> --cluster "outbound|9411||zipkin.istio-system.svc.cluster.local" -o json

# Query the configurations of the endpoint with the status of healthy for the Envoy instance in a specified pod.
asmctl proxy-config endpoint <pod-name[.namespace]> --status healthy -o json

# Query endpoint configurations from a file without using the Kubernetes API.
ssh <user@hostname> 'curl localhost:15000/clusters?format=json' > envoy-clusters.json
asmctl proxy-config endpoints --file envoy-clusters.json

asmctl proxy-config listener

Query the listener configurations of the Envoy instance in a specified pod.

asmctl proxy-config listener [<type>/]<name>[.<namespace>] [flags]

Alternative formats:

asmctl proxy-config listeners [<type>/]<name>[.<namespace>] [flags]
asmctl proxy-config l [<type>/]<name>[.<namespace>] [flags]

Flag Shorthand Description
--address <string> N/A Filters listener configurations by the address field. By default, this flag is left empty.
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--file <string> -f Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--output <string> -o Specifies the output format. Valid values: json and short. Default value: short.
--port <int> N/A Filters listener configurations by the Port field. By default, this flag is left empty.
--type <string> N/A Filters listener configurations by the type field. By default, this flag is left empty.
--verbose N/A Specifies whether to query more information. Default value: true.

The following code provides sample asmctl proxy-config listener commands:

# Query the listener configurations of the Envoy instance in a specified pod. 
asmctl proxy-config listeners <pod-name[.namespace]>

# Query the configurations of the listeners with port 9080 for the Envoy instance in a specified pod. 
asmctl proxy-config listeners <pod-name[.namespace]> --port 9080

# Query the full dump of the HTTP listeners with the wildcard address 0.0.0.0 for the Envoy instance in a specified pod.
asmctl proxy-config listeners <pod-name[.namespace]> --type HTTP --address 0.0.0.0 -o json

# Query listener configurations from a file without using the Kubernetes API.
ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
asmctl proxy-config listeners --file envoy-config.json

asmctl proxy-config log

Query the logging levels of the Envoy instance in a specified pod and optionally update the logging levels.

asmctl proxy-config log [<type>/]<name>[.<namespace>] [flags]

Alternative format:

asmctl proxy-config o [<type>/]<name>[.<namespace>] [flags]

Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--level <string> N/A Specifies the comma-separated minimum per-logger level of messages, in the [<logger>:]<level>,[<logger>:]<level>,... format. A logger can be one of the following items: admin, aws, assert, backtrace, client, config, connection, conn_handler, dubbo, file, filter, forward_proxy, grpc, hc, health_checker, http, mongo, quic, pool, rbac, redis, router, runtime, stats, secret, tap, testing, thrift, tracing, upstream, udp, and wasm. A level can be one of the following items: trace, debug, info, warning, error, critical, and off. By default, the value is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--output <string> -o Specifies the output format. Valid values: json and short. Default value: short.
--reset -r Resets the logging levels to the default value of warning.
--selector <string> -l Specifies the label selector. By default, this flag is left empty.

The following code provides sample asmctl proxy-config log commands:

# Query the logging levels of the Envoy instance in a specified pod. 
asmctl proxy-config log <pod-name[.namespace]>

# Update the logging levels of all loggers in the Envoy instance. 
asmctl proxy-config log <pod-name[.namespace]> --level off

# Update the logging levels of specified loggers in the Envoy instance. 
asmctl proxy-config log <pod-name[.namespace]> --level http:debug,redis:debug

# Reset the logging levels of all loggers in the Envoy instance to the default value of warning. 
asmctl proxy-config log <pod-name[.namespace]> -r
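
The --level format and the -r reset described above can be combined so that a debugging session does not leave verbose proxy logging switched on. The following shell functions are an added example, not part of asmctl or of the original page: they check a level string against the loggers and levels listed in the flag table, apply it, run one command, and then reset the levels. The function names are hypothetical.

```shell
#!/bin/sh
# Loggers and levels copied from the --level flag description on this page.
ASM_LOGGERS="admin aws assert backtrace client config connection conn_handler \
dubbo file filter forward_proxy grpc hc health_checker http mongo quic pool rbac \
redis router runtime stats secret tap testing thrift tracing upstream udp wasm"
ASM_LEVELS="trace debug info warning error critical off"

# in_list WORD LIST: succeed if WORD is one of the space-separated names in LIST.
in_list() {
    case $1 in ''|*[!a-z_]*) return 1 ;; esac   # names are lowercase letters and "_"
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# check_level_spec SPEC: validate "[<logger>:]<level>,[<logger>:]<level>,...".
# Returns 0 if every item is valid; otherwise names the bad item and returns 1.
check_level_spec() {
    rest=$1
    while :; do
        item=${rest%%,*}
        level=$item
        case $item in
            *:*) level=${item#*:}
                 in_list "${item%%:*}" "$ASM_LOGGERS" ||
                     { echo "unknown logger in '$item'" >&2; return 1; } ;;
        esac
        in_list "$level" "$ASM_LEVELS" ||
            { echo "unknown level in '$item'" >&2; return 1; }
        [ "$rest" = "$item" ] && return 0
        rest=${rest#*,}
    done
}

# with_proxy_log_level POD SPEC CMD...: validate SPEC, raise the Envoy log
# levels on POD, run CMD, then reset with -r whether or not CMD succeeded.
# Returns 2 for a bad SPEC, 1 if the level change failed, else CMD's status.
with_proxy_log_level() {
    pod=$1; spec=$2; shift 2
    check_level_spec "$spec" || return 2
    asmctl proxy-config log "$pod" --level "$spec" || return 1
    rc=0
    "$@" || rc=$?
    asmctl proxy-config log "$pod" -r ||
        echo "WARNING: log levels on $pod were not reset" >&2
    return "$rc"
}
```

The reset runs after the command returns, whether it succeeded or failed; an interrupted shell still needs a manual asmctl proxy-config log <pod-name[.namespace]> -r.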

asmctl proxy-config route

Query the route configurations of the Envoy instance in a specified pod.

asmctl proxy-config route [<type>/]<name>[.<namespace>] [flags]

Alternative formats:

asmctl proxy-config routes [<type>/]<name>[.<namespace>] [flags]
asmctl proxy-config r [<type>/]<name>[.<namespace>] [flags]

Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--file <string> -f Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--name <string> N/A Filters route configurations by the name field. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--output <string> -o Specifies the output format. Valid values: json and short. Default value: short.
--verbose N/A Specifies whether to query more information. Default value: true.

The following code provides sample asmctl proxy-config route commands:

# Query the route configurations of the Envoy instance in a specified pod. 
asmctl proxy-config routes <pod-name[.namespace]>

# Query the configurations of the route named 9080 in a specified Envoy instance.
asmctl proxy-config route <pod-name[.namespace]> --name 9080

# Query the full route dump for the route named 9080 in a specified Envoy instance.
asmctl proxy-config route <pod-name[.namespace]> --name 9080 -o json

# Query route configurations from a file without using the Kubernetes API.
ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
asmctl proxy-config routes --file envoy-config.json

asmctl proxy-config secret

Query the secret configurations of the Envoy instance in a specified pod.

asmctl proxy-config secret [<type>/]<name>[.<namespace>] [flags]

Alternative formats:

asmctl proxy-config secrets [<type>/]<name>[.<namespace>] [flags]
asmctl proxy-config s [<type>/]<name>[.<namespace>] [flags]

Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--file <string> -f Specifies the Envoy configuration dump file, in the JSON format. By default, this flag is left empty.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--kubeconfig <string> -c Specifies the path of the kubeconfig file for the cluster. By default, this flag is left empty.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.
--output <string> -o Specifies the output format. Valid values: json and short. Default value: short.

The following code provides sample asmctl proxy-config secret commands:

# Query the secret configurations of the Envoy instance in a specified pod. 
asmctl proxy-config secret <pod-name[.namespace]>

# Query secret configurations from a file without using the Kubernetes API.
ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
asmctl proxy-config secret --file envoy-config.json

asmctl validate

Validate policy and rule files in ASM.

asmctl validate -f FILENAME [options] [flags]

Alternative format:

asmctl v -f FILENAME [options] [flags]

Flag Shorthand Description
--context <string> N/A Specifies the name of the kubeconfig context to be used. By default, this flag is left empty.
--file <string> -f Specifies the name of the ASM policy and rule file to be validated.
--istioNamespace <string> -i Specifies the namespace of Istio. Default value: istio-system.
--namespace <string> -n Specifies the namespace on which the command is run. By default, this flag is left empty.

The following code provides sample asmctl validate commands:

# Validate the bookinfo-gateway.yaml file. 
asmctl validate -f samples/bookinfo/networking/bookinfo-gateway.yaml

# Validate the bookinfo-gateway.yaml file by using an abbreviated command. 
asmctl v -f samples/bookinfo/networking/bookinfo-gateway.yaml

# Validate all deployments in the default namespace. 
asmctl get deployments -o yaml | asmctl validate -f -

# Validate all services in the default namespace. 
asmctl get services -o yaml | asmctl validate -f -