ExternalControlPlaneAddressIsNotAHostname

Message NameExternalControlPlaneAddressIsNotAHostname
Message CodeIST0164
DescriptionAddress for the ingress gateway on the external control plane is an IP address and not a hostname
LevelInfo

This message occurs when the address provided for the ingress gateway on the external control plane is an IP address and not a hostname.

Example

You will receive this message:

  1. Info [IST0164] (MutatingWebhookConfiguration istio-sidecar-injector-external-istiod testing.yml:28) The address (https://999.999.999.999:5100/inject/cluster/your-cluster-name/net/network1) that was provided for the webhook (rev.namespace.sidecar-injector.istio.io) to reach the ingress gateway on the external control plane cluster is an IP address. This is not recommended for a production environment.

when your cluster has the following ValidatingWebhookConfiguration and MutatingWebhookConfiguration (shortened for clarity):

  1. apiVersion: admissionregistration.k8s.io/v1
  2. kind: ValidatingWebhookConfiguration
  3. metadata:
  4.   name: istio-validator-external-istiod
  5. webhooks:
  6. - admissionReviewVersions:
  7.   - v1beta1
  8.   - v1
  9.   clientConfig:
  10.     url: https://test.com:15017/validate
  11.   name: rev.validation.istio.io
  13. ---
  14. apiVersion: admissionregistration.k8s.io/v1
  15. kind: ValidatingWebhookConfiguration
  16. metadata:
  17.   name: istiod-default-validator
  18. webhooks:
  19. - admissionReviewVersions:
  20.   - v1beta1
  21.   - v1
  22.   clientConfig:
  23.     url: https://test.com:15017/validate
  24.   failurePolicy: Ignore
  25.   name: validation.istio.io
  27. ---
  28. apiVersion: admissionregistration.k8s.io/v1
  29. kind: MutatingWebhookConfiguration
  30. metadata:
  31.   name: istio-sidecar-injector-external-istiod
  32. webhooks:
  33. - admissionReviewVersions:
  34.   - v1beta1
  35.   - v1
  36.   clientConfig:
  37.     url: https://999.999.999.999:5100/inject/cluster/your-cluster-name/net/network1
  38.   failurePolicy: Fail
  39.   name: rev.namespace.sidecar-injector.istio.io
  40. - admissionReviewVersions:
  41.   - v1beta1
  42.   - v1
  43.   clientConfig:
  44.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  45.   failurePolicy: Fail
  46.   name: rev.object.sidecar-injector.istio.io
  47. - admissionReviewVersions:
  48.   - v1beta1
  49.   - v1
  50.   clientConfig:
  51.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  52.   failurePolicy: Fail
  53.   name: namespace.sidecar-injector.istio.io
  54. - admissionReviewVersions:
  55.   - v1beta1
  56.   - v1
  57.   clientConfig:
  58.     url: https://test.com/inject/cluster/your-cluster-name/net/network1
  59.   failurePolicy: Fail
  60.   name: object.sidecar-injector.istio.io

How to resolve

Using an IP address instead of a hostname for your ingress gateway running in the external control plane is not recommended in a production environment.

If you are running in a production environment, you can fix this info message by changing the address to a valid hostname that resolves to the IP address of your ingress gateway.

Instructions for exposing the ingress gateway service using a public hostname with TLS can be found here.