InvalidExternalControlPlaneConfig

Message NameInvalidExternalControlPlaneConfig
Message CodeIST0163
DescriptionAddress for the ingress gateway on the external control plane is not valid
LevelWarning

This message occurs when the address provided for the ingress gateway on the external control plane is not valid. The address could be invalid for several reasons including: the hostname address is malformed, the hostname cannot be resolved to an IP address via a DNS lookup, or the hostname resolves to zero IP addresses.

Example

You will receive this message:

  1. Warning [IST0163] (MutatingWebhookConfiguration istio-sidecar-injector-external-istiod testing.yml:28) The hostname () that was provided for the webhook (rev.namespace.sidecar-injector.istio.io) to reach the ingress gateway on the external control plane cluster is blank. Traffic may not flow properly.
  2. Warning [IST0163] (ValidatingWebhookConfiguration istio-validator-external-istiod testing.yml:1) The hostname () that was provided for the webhook (rev.validation.istio.io) to reach the ingress gateway on the external control plane cluster is blank. Traffic may not flow properly.

when your cluster has the following ValidatingWebhookConfiguration and MutatingWebhookConfiguration (shortened for clarity) that are missing webhook URLs:

  1. apiVersion: admissionregistration.k8s.io/v1
  2. kind: ValidatingWebhookConfiguration
  3. metadata:
  4.   name: istio-validator-external-istiod
  5. webhooks:
  6. - admissionReviewVersions:
  7.   - v1beta1
  8.   - v1
  9.   clientConfig:
  10.     url:
  11.   name: rev.validation.istio.io
  13. ---
  14. apiVersion: admissionregistration.k8s.io/v1
  15. kind: ValidatingWebhookConfiguration
  16. metadata:
  17.   name: istiod-default-validator
  18. webhooks:
  19. - admissionReviewVersions:
  20.   - v1beta1
  21.   - v1
  22.   clientConfig:
  23.     url: https://test.com:15017/validate
  24.   failurePolicy: Ignore
  25.   name: validation.istio.io
  27. ---
  28. apiVersion: admissionregistration.k8s.io/v1
  29. kind: MutatingWebhookConfiguration
  30. metadata:
  31.   name: istio-sidecar-injector-external-istiod
  32. webhooks:
  33. - admissionReviewVersions:
  34.   - v1beta1
  35.   - v1
  36.   clientConfig:
  37.     url:
  38.   failurePolicy: Fail
  39.   name: rev.namespace.sidecar-injector.istio.io
  40. - admissionReviewVersions:
  41.   - v1beta1
  42.   - v1
  43.   clientConfig:
  44.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  45.   failurePolicy: Fail
  46.   name: rev.object.sidecar-injector.istio.io
  47. - admissionReviewVersions:
  48.   - v1beta1
  49.   - v1
  50.   clientConfig:
  51.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  52.   failurePolicy: Fail
  53.   name: namespace.sidecar-injector.istio.io
  54. - admissionReviewVersions:
  55.   - v1beta1
  56.   - v1
  57.   clientConfig:
  58.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  59.   failurePolicy: Fail
  60.   name: object.sidecar-injector.istio.io

You will receive this message:

  1. Warning [IST0163] (ValidatingWebhookConfiguration istio-validator-external-istiod testing.yml:1) The hostname (https://thisisnotarealdomainname.com:15017/validate) that was provided for the webhook (rev.validation.istio.io) to reach the ingress gateway on the external control plane cluster cannot be resolved via a DNS lookup. Traffic may not flow properly.

when your cluster has the following ValidatingWebhookConfiguration and MutatingWebhookConfiguration (shortened for clarity) that are using a hostname that cannot be resolved during a DNS lookup:

  1. apiVersion: admissionregistration.k8s.io/v1
  2. kind: ValidatingWebhookConfiguration
  3. metadata:
  4.   name: istio-validator-external-istiod
  5. webhooks:
  6. - admissionReviewVersions:
  7.   - v1beta1
  8.   - v1
  9.   clientConfig:
  10.     url: https://thisisnotarealdomainname.com:15017/validate
  11.   name: rev.validation.istio.io
  13. ---
  14. apiVersion: admissionregistration.k8s.io/v1
  15. kind: ValidatingWebhookConfiguration
  16. metadata:
  17.   name: istiod-default-validator
  18. webhooks:
  19. - admissionReviewVersions:
  20.   - v1beta1
  21.   - v1
  22.   clientConfig:
  23.     url: https://test.com:15017/validate
  24.   failurePolicy: Ignore
  25.   name: validation.istio.io
  27. ---
  28. apiVersion: admissionregistration.k8s.io/v1
  29. kind: MutatingWebhookConfiguration
  30. metadata:
  31.   name: istio-sidecar-injector-external-istiod
  32. webhooks:
  33. - admissionReviewVersions:
  34.   - v1beta1
  35.   - v1
  36.   clientConfig:
  37.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  38.   failurePolicy: Fail
  39.   name: rev.namespace.sidecar-injector.istio.io
  40. - admissionReviewVersions:
  41.   - v1beta1
  42.   - v1
  43.   clientConfig:
  44.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  45.   failurePolicy: Fail
  46.   name: rev.object.sidecar-injector.istio.io
  47. - admissionReviewVersions:
  48.   - v1beta1
  49.   - v1
  50.   clientConfig:
  51.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  52.   failurePolicy: Fail
  53.   name: namespace.sidecar-injector.istio.io
  54. - admissionReviewVersions:
  55.   - v1beta1
  56.   - v1
  57.   clientConfig:
  58.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  59.   failurePolicy: Fail
  60.   name: object.sidecar-injector.istio.io

How to resolve

There are several ways to resolve these invalid configurations, depending on why the configuration is invalid.

If your webhook configurations have no URLs defined, adding valid URLs that use a hostname will resolve this warning message. Instructions on how to do that can be found here.

If your hostname cannot be resolved to an IP address via a DNS lookup, you can try running dig <your-hostname> on your local machine to see if a DNS resolution occurs. If your local machine can resolve the hostname via a DNS lookup, your cluster may not be able to. Any security rules blocking DNS traffic could result in a failure to resolve lookups. New DNS records may take up to 72 hours to propagate across the web depending on your DNS provider and specific configuration.

If your hostname resolves to zero IP addresses, check that the webhook URLs are using the correct hostname and that your DNS provider correctly has at least one IP address for your hostname to resolve to.