- 配置分析消息
- IST0001: InternalError
- IST0002: Deprecated
- IST0101: ReferencedResourceNotFound
- IST0102: NamespaceNotInjected
- IST0103: PodMissingProxy
- IST0106: SchemaValidationError
- IST0107: MisplacedAnnotation
- IST0108: UnknownAnnotation
- IST0109: ConflictingMeshGatewayVirtualServiceHosts
- IST0110: ConflictingSidecarWorkloadSelectors
- IST0111: MultipleSidecarsWithoutWorkloadSelectors
- IST0112: VirtualServiceDestinationPortSelectorRequired
- IST0113: MTLSPolicyConflict
- IST0116: DeploymentAssociatedToMultipleServices
- IST0118: PortNameIsNotUnderNamingConvention
- IST0119: JwtFailureDueToInvalidServicePortPrefix
- IST0122: InvalidRegexp
- IST0123: NamespaceMultipleInjectionLabels
- IST0125: InvalidAnnotation
- IST0126: UnknownMeshNetworksServiceRegistry
- IST0127: NoMatchingWorkloadsFound
- IST0128: NoServerCertificateVerificationDestinationLevel
- IST0129: NoServerCertificateVerificationPortLevel
- IST0130: VirtualServiceUnreachableRule
- IST0131: VirtualServiceIneffectiveMatch
- IST0132: VirtualServiceHostNotFoundInGateway
- IST0133: SchemaWarning
- IST0134: ServiceEntryAddressesRequired
- IST0135: DeprecatedAnnotation
- IST0136: AlphaAnnotation
- IST0137: DeploymentConflictingPorts
- IST0138: GatewayDuplicateCertificate
- IST0139: InvalidWebhook
- IST0140: IngressRouteRulesNotAffected
- IST0141: InsufficientPermissions
- IST0142: UnsupportedKubernetesVersion
- IST0143: LocalhostListener
- IST0144: InvalidApplicationUID
- IST0145: ConflictingGateways
- IST0146: ImageAutoWithoutInjectionWarning
- IST0147: ImageAutoWithoutInjectionError
- IST0148: NamespaceInjectionEnabledByDefault
- IST0149: JwtClaimBasedRoutingWithoutRequestAuthN
- IST0150: ExternalNameServiceTypeInvalidPortName
- IST0151: EnvoyFilterUsesRelativeOperation
- IST0152: EnvoyFilterUsesReplaceOperationIncorrectly
- IST0153: EnvoyFilterUsesAddOperationIncorrectly
- IST0154: EnvoyFilterUsesRemoveOperationIncorrectly
- IST0155: EnvoyFilterUsesRelativeOperationWithProxyVersion
- IST0156: UnsupportedGatewayAPIVersion
- IST0157: InvalidTelemetryProvider
- IST0158: PodsIstioProxyImageMismatchInNamespace
- IST0159: ConflictingTelemetryWorkloadSelectors
- IST0160: MultipleTelemetriesWithoutWorkloadSelectors
- IST0161: InvalidGatewayCredential
- IST0162: GatewayPortNotDefinedOnService
- IST0163: InvalidExternalControlPlaneConfig
- IST0164: ExternalControlPlaneAddressIsNotAHostname
配置分析消息
istioctl 提供了对 Istio 配置状态的丰富分析,以便标识无效或次优的配置。这是此分析可能产生的错误或警告消息的列表。
IST0001: InternalError
There was an internal error in the toolchain. This is almost always a bug in the implementation.
IST0002: Deprecated
A feature that the configuration is depending on is now deprecated.
IST0101: ReferencedResourceNotFound
A resource being referenced does not exist.
IST0102: NamespaceNotInjected
A namespace is not enabled for Istio injection.
IST0103: PodMissingProxy
A pod is missing the Istio proxy.
IST0106: SchemaValidationError
The resource has a schema validation error.
IST0107: MisplacedAnnotation
An Istio annotation is applied to the wrong kind of resource.
IST0108: UnknownAnnotation
An Istio annotation is not recognized for any kind of resource
IST0109: ConflictingMeshGatewayVirtualServiceHosts
Conflicting hosts on VirtualServices associated with mesh gateway
IST0110: ConflictingSidecarWorkloadSelectors
A Sidecar resource selects the same workloads as another Sidecar resource
IST0111: MultipleSidecarsWithoutWorkloadSelectors
More than one sidecar resource in a namespace has no workload selector
IST0112: VirtualServiceDestinationPortSelectorRequired
A VirtualService routes to a service with more than one port exposed, but does not specify which to use.
IST0113: MTLSPolicyConflict
A DestinationRule and Policy are in conflict with regards to mTLS.
IST0116: DeploymentAssociatedToMultipleServices
The resulting pods of a service mesh deployment can’t be associated with multiple services using the same port but different protocols.
IST0118: PortNameIsNotUnderNamingConvention
Port name is not under naming convention. Protocol detection is applied to the port.
IST0119: JwtFailureDueToInvalidServicePortPrefix
Authentication policy with JWT targets Service with invalid port specification.
IST0122: InvalidRegexp
Invalid Regex
IST0123: NamespaceMultipleInjectionLabels
A namespace has more than one type of injection labels
IST0125: InvalidAnnotation
An Istio annotation that is not valid
IST0126: UnknownMeshNetworksServiceRegistry
A service registry in Mesh Networks is unknown
IST0127: NoMatchingWorkloadsFound
There aren’t workloads matching the resource labels
IST0128: NoServerCertificateVerificationDestinationLevel
No caCertificates are set in DestinationRule, this results in no verification of presented server certificate.
IST0129: NoServerCertificateVerificationPortLevel
No caCertificates are set in DestinationRule, this results in no verification of presented server certificate for traffic to a given port.
IST0130: VirtualServiceUnreachableRule
A VirtualService rule will never be used because a previous rule uses the same match.
IST0131: VirtualServiceIneffectiveMatch
A VirtualService rule match duplicates a match in a previous rule.
IST0132: VirtualServiceHostNotFoundInGateway
Host defined in VirtualService not found in Gateway.
IST0133: SchemaWarning
The resource has a schema validation warning.
IST0134: ServiceEntryAddressesRequired
Virtual IP addresses are required for ports serving TCP (or unset) protocol
IST0135: DeprecatedAnnotation
A resource is using a deprecated Istio annotation.
IST0136: AlphaAnnotation
An Istio annotation may not be suitable for production.
IST0137: DeploymentConflictingPorts
Two services selecting the same workload with the same targetPort MUST refer to the same port.
IST0138: GatewayDuplicateCertificate
Duplicate certificate in multiple gateways may cause 404s if clients re-use HTTP2 connections.
IST0139: InvalidWebhook
Webhook is invalid or references a control plane service that does not exist.
IST0140: IngressRouteRulesNotAffected
Route rules have no effect on ingress gateway requests
IST0141: InsufficientPermissions
Required permissions to install Istio are missing.
IST0142: UnsupportedKubernetesVersion
The Kubernetes version is not supported
IST0143: LocalhostListener
A port exposed in a Service is bound to a localhost address
IST0144: InvalidApplicationUID
Application pods should not run as user ID (UID) 1337
IST0145: ConflictingGateways
Gateway should not have the same selector, port and matched hosts of server
IST0146: ImageAutoWithoutInjectionWarning
Deployments with `image: auto` should be targeted for injection.
IST0147: ImageAutoWithoutInjectionError
Pods with `image: auto` should be targeted for injection.
IST0148: NamespaceInjectionEnabledByDefault
user namespace should be injectable if Istio is installed with enableNamespacesByDefault enabled and neither injection label is set.
IST0149: JwtClaimBasedRoutingWithoutRequestAuthN
Virtual service using JWT claim based routing without request authentication.
IST0150: ExternalNameServiceTypeInvalidPortName
Proxy may prevent tcp named ports and unmatched traffic for ports serving TCP protocol from being forwarded correctly for ExternalName services.
IST0151: EnvoyFilterUsesRelativeOperation
This EnvoyFilter does not have a priority and has a relative patch operation set which can cause the EnvoyFilter not to be applied. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.
IST0152: EnvoyFilterUsesReplaceOperationIncorrectly
The REPLACE operation is only valid for HTTP_FILTER and NETWORK_FILTER.
IST0153: EnvoyFilterUsesAddOperationIncorrectly
The ADD operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.
IST0154: EnvoyFilterUsesRemoveOperationIncorrectly
The REMOVE operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.
IST0155: EnvoyFilterUsesRelativeOperationWithProxyVersion
This EnvoyFilter does not have a priority and has a relative patch operation (NSTERT_BEFORE/AFTER, REPLACE, MERGE, DELETE) and proxyVersion set which can cause the EnvoyFilter not to be applied during an upgrade. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.
IST0156: UnsupportedGatewayAPIVersion
The Gateway API CRD version is not supported
IST0157: InvalidTelemetryProvider
The Telemetry with empty providers will be ignored
IST0158: PodsIstioProxyImageMismatchInNamespace
The Istio proxy image of the pods running in the namespace do not match the image defined in the injection configuration.
IST0159: ConflictingTelemetryWorkloadSelectors
A Telemetry resource selects the same workloads as another Telemetry resource
IST0160: MultipleTelemetriesWithoutWorkloadSelectors
More than one telemetry resource in a namespace has no workload selector
IST0161: InvalidGatewayCredential
The credential provided for the Gateway resource is invalid
IST0162: GatewayPortNotDefinedOnService
Gateway port not exposed by service
IST0163: InvalidExternalControlPlaneConfig
Address for the ingress gateway on the external control plane is not valid
IST0164: ExternalControlPlaneAddressIsNotAHostname
Address for the ingress gateway on the external control plane is an IP address and not a hostname