IneffectiveSelector

当 AuthorizationPolicy、RequestAuthentication、Telemetry 或 WasmPlugin 这类策略中的工作负载选择器没有有效指向任何 Kubernetes Gateway Pod 目标时，会出现此消息。

示例

当您的策略选择器匹配到某个 Kubernetes Gateway 时，您将收到类似的消息：

Warning [IST0166] (AuthorizationPolicy default/ap-ineffective testdata/k8sgateway-selector.yaml:47) Ineffective selector on
Kubernetes Gateway bookinfo-gateway. Use the TargetRef field instead.

例如，当您有一个这样的 Kubernetes Gateway Pod：

apiVersion: v1
kind: Pod
metadata:
  annotations:
    istio.io/rev: default
  labels:
    gateway.networking.k8s.io/gateway-name: bookinfo-gateway
  name: bookinfo-gateway-istio-6ff4cf9645-xbqmc
  namespace: default
spec:
  containers:
  - image: proxyv2:1.21.0
    name: istio-proxy

且有如下的 AuthorizationPolicy 带有 selector：

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  namespace: default
  name: ap-ineffective
spec:
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: bookinfo-gateway
  action: DENY
  rules:
  - from:
    - source:
      namespaces: ["dev"]
    to:
    - operation:
      methods: ["POST"]

如果您在策略中同时设置了 targetRef 和 selector，将不会出现此消息。例如：

apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: telemetry-example
  namespace: default
spec:
  tracing:
  - randomSamplingPercentage: 10.00
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: bookinfo-gateway
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: bookinfo-gateway

如何修复

确保为 Sidecar 或 Istio Gateway Pod 使用 selector 字段， 并为 Kubernetes Gateway Pod 使用 targetRef 字段。 否则，此策略将不会生效。

以下是一个例子：

apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: telemetry-example
  namespace: default
spec:
  tracing:
  - randomSamplingPercentage: 10.00
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: bookinfo-gateway