WorkloadEntry

security.istio.io/tlsMode label can disable mtls for WE

proxy.istio.io/health-checks-enabled annotation defines if hc is enabled

PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS

If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an "+
   "outbound listener for each pod in a headless service. This feature should be disabled "+
   "if headless services have a large number of pods.

PILOT_ENABLE_SERVICEENTRY_SELECT_PODS

PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES

PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY

PILOT_ENABLE_XDS_CACHE

enableEDSDebounce

debounceMax/debounceAfter

PILOT_ENABLE_FLOW_CONTROL cannot be enabled due to https://github.com/istio/istio.io/issues/8383

If enabled, pilot will wait for the completion of a receive operation before executing a push operation. This is a form of flow control and is useful in environments with high rates of push requests to each gateway. By default this is false.