Any changes to this folder should have a `make copy-templates` applied afterwards.

Warning: unlike the `IstioOperator` profiles, these profiles cannot enable or disable certain components.
As a result, users still need to ensure they install the appropriate charts to use a profile correctly.

This project is covered by two different licenses: MIT and Apache.

#### MIT License ####

The following files were ported to Go from C files of libyaml, and thus
are still covered by their original MIT license, with the additional
copyright staring in 2011 when the project was ported over:

    apic.go emitterc.go parserc.go readerc.go scannerc.go
    writerc.go yamlh.go yamlprivateh.go

Copyright (c) 2006-2010 Kirill Simonov

}

// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
message PodDisruptionBudgetSpec {
  // An eviction is allowed if at least "minAvailable" pods selected by
  // "selector" will still be available after the eviction, i.e. even in the
  // absence of the evicted pod.  So for example you can prevent all voluntary
  // evictions by specifying "100%".
  // +optional

// The auth package provides support for checking the authentication and authorization policy applied
// in the mesh. It aims to increase the debuggability and observability of auth policies.
// Note: this is still under active development and is not ready for real use.
package authz

import (
	"fmt"
	"io"

	envoy_admin "github.com/envoyproxy/go-control-plane/envoy/admin/v3"

The following diagram illustrates the flow of unauthenticated traffic with a `PERMISSIVE` policy:

```mermaid
graph TD;

	}

	taggedNamespaces, err := GetNamespacesWithTag(ctx, kubeClient, tagName)
	if err != nil {
		return fmt.Errorf("failed to retrieve namespaces dependent on tag %q", tagName)
	}
	// warn user if deleting a tag that still has namespaces pointed to it
	if len(taggedNamespaces) > 0 && !skipConfirmation {
		if !util.Confirm(buildDeleteTagConfirmation(tagName, taggedNamespaces), w) {
			fmt.Fprintf(w, "Aborting operation.\n")
			return nil
		}

	// in that case, try finding the netns using procfs.
	if err := s.rescanPod(pod); err != nil {
		log.Errorf("error scanning proc: error was %s", err)
		return nil, err
	}
	// try again. we can still get here if the pod is in the process of being created.
	// in this case the CNI will be invoked soon and provide us with the netns.
	openNetns = s.currentPodSnapshot.Get(string(pod.UID))
	if openNetns == nil {

type PodNetnsCache interface {
	ReadCurrentPodSnapshot() map[string]WorkloadInfo
}

// Hold a cache of node local pods with their netns
// if we don't know the netns, the pod will still be here with a nil netns.
type podNetnsCache struct {
	openNetns func(nspath string) (NetnsCloser, error)

	currentPodCache map[string]WorkloadInfo
	mu              sync.RWMutex
}

type WorkloadInfo struct {

	kubeClient, client, err := KubernetesClients(cliClient, l)
	if err != nil {
		l.LogAndFatal(err)
	}

	// If the user is performing purge but also specified a revision, we should warn
	// that the purge will still remove all resources
	if orArgs.purge && orArgs.revision != "" {
		orArgs.revision = ""
		l.LogAndPrint("Purge remove will remove all Istio operator controller, ignoring the specified revision\n")
	}

	var installed bool

and it is possible to gradually move apps from Istio 1.0/1.1 to the new environments and
across environments ( for example canary -> prod )

Note: there are still some cluster roles that may need to be fixed, most likely cluster permissions
will need to move to the security component.

## Everything is Optional