--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep operatorframework.io/installed-alongside-63e273da4c200797: openshift-operators/servicemeshoperator3.v3.1.0 creationTimestamp: "2026-03-18T16:53:28Z" generation: 1 labels: app: istio-pilot chart: istio heritage: Tiller istio: security olm.managed: "true" operators.coreos.com/servicemeshoperator3.openshift-operators: "" release: istio managedFields: - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:helm.sh/resource-policy: {} f:operatorframework.io/installed-alongside-63e273da4c200797: {} f:labels: .: {} f:app: {} f:chart: {} f:heritage: {} f:istio: {} f:olm.managed: {} f:release: {} f:spec: f:conversion: .: {} f:strategy: {} f:group: {} f:names: f:categories: {} f:kind: {} f:listKind: {} f:plural: {} f:shortNames: {} f:singular: {} f:scope: {} f:versions: {} manager: catalog operation: Update time: "2026-03-18T16:53:28Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:status: f:acceptedNames: f:categories: {} f:kind: {} f:listKind: {} f:plural: {} f:shortNames: {} f:singular: {} f:conditions: k:{"type":"Established"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"NamesAccepted"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} manager: kube-apiserver operation: Update subresource: status time: "2026-03-18T16:53:28Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: f:operators.coreos.com/servicemeshoperator3.openshift-operators: {} manager: olm operation: Update time: "2026-03-18T16:53:38Z" name: peerauthentications.security.istio.io resourceVersion: "12589" uid: 08d305d3-faf5-4fc3-9ad3-273bfee07a33 spec: conversion: strategy: None group: security.istio.io names: categories: - istio-io - security-istio-io kind: PeerAuthentication listKind: PeerAuthenticationList plural: peerauthentications shortNames: - pa singular: peerauthentication scope: Namespaced versions: - additionalPrinterColumns: - description: Defines the mTLS mode used for peer authentication. jsonPath: .spec.mtls.mode name: Mode type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: properties: spec: description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' properties: mtls: description: Mutual TLS settings for workload. properties: mode: description: |- Defines the mTLS mode used for peer authentication. Valid Options: DISABLE, PERMISSIVE, STRICT enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object portLevelMtls: additionalProperties: properties: mode: description: |- Defines the mTLS mode used for peer authentication. Valid Options: DISABLE, PERMISSIVE, STRICT enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object description: Port specific mutual TLS settings. minProperties: 1 type: object x-kubernetes-validations: - message: port must be between 1-65535 rule: self.all(key, 0 < int(key) && int(key) <= 65535) selector: description: The selector determines the workloads to apply the PeerAuthentication on. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains("*")' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains("*")) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object type: object x-kubernetes-validations: - message: portLevelMtls requires selector rule: 'has(self.portLevelMtls) ? (((has(self.selector) && has(self.selector.matchLabels)) ? self.selector.matchLabels : {}).size() > 0) : true' status: properties: conditions: description: Current service state of the resource. items: properties: lastProbeTime: description: Last time we probed the condition. format: date-time type: string lastTransitionTime: description: Last time the condition transitioned from one status to another. format: date-time type: string message: description: Human-readable message indicating details about last transition. type: string observedGeneration: anyOf: - type: integer - type: string description: Resource Generation to which the Condition refers. x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. type: string status: description: Status is the status of the condition. type: string type: description: Type is the type of the condition. type: string type: object type: array observedGeneration: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. items: properties: documentationUrl: description: A url pointing to the Istio documentation for this specific error type. type: string level: description: |- Represents how severe a message is. Valid Options: UNKNOWN, ERROR, WARNING, INFO enum: - UNKNOWN - ERROR - WARNING - INFO type: string type: properties: code: description: A 7 character code matching `^IST[0-9]{4}$` intended to uniquely identify the message type. type: string name: description: A human-readable name for the message type. type: string type: object type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: Defines the mTLS mode used for peer authentication. jsonPath: .spec.mtls.mode name: Mode type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' properties: mtls: description: Mutual TLS settings for workload. properties: mode: description: |- Defines the mTLS mode used for peer authentication. Valid Options: DISABLE, PERMISSIVE, STRICT enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object portLevelMtls: additionalProperties: properties: mode: description: |- Defines the mTLS mode used for peer authentication. Valid Options: DISABLE, PERMISSIVE, STRICT enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object description: Port specific mutual TLS settings. minProperties: 1 type: object x-kubernetes-validations: - message: port must be between 1-65535 rule: self.all(key, 0 < int(key) && int(key) <= 65535) selector: description: The selector determines the workloads to apply the PeerAuthentication on. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains("*")' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains("*")) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object type: object x-kubernetes-validations: - message: portLevelMtls requires selector rule: 'has(self.portLevelMtls) ? (((has(self.selector) && has(self.selector.matchLabels)) ? self.selector.matchLabels : {}).size() > 0) : true' status: properties: conditions: description: Current service state of the resource. items: properties: lastProbeTime: description: Last time we probed the condition. format: date-time type: string lastTransitionTime: description: Last time the condition transitioned from one status to another. format: date-time type: string message: description: Human-readable message indicating details about last transition. type: string observedGeneration: anyOf: - type: integer - type: string description: Resource Generation to which the Condition refers. x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. type: string status: description: Status is the status of the condition. type: string type: description: Type is the type of the condition. type: string type: object type: array observedGeneration: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. items: properties: documentationUrl: description: A url pointing to the Istio documentation for this specific error type. type: string level: description: |- Represents how severe a message is. Valid Options: UNKNOWN, ERROR, WARNING, INFO enum: - UNKNOWN - ERROR - WARNING - INFO type: string type: properties: code: description: A 7 character code matching `^IST[0-9]{4}$` intended to uniquely identify the message type. type: string name: description: A human-readable name for the message type. type: string type: object type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} status: acceptedNames: categories: - istio-io - security-istio-io kind: PeerAuthentication listKind: PeerAuthenticationList plural: peerauthentications shortNames: - pa singular: peerauthentication conditions: - lastTransitionTime: "2026-03-18T16:53:28Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2026-03-18T16:53:28Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1beta1