NoMatchingWorkloadsFound

Message NameNoMatchingWorkloadsFound
Message CodeIST0127
DescriptionThere aren’t workloads matching the resource labels
LevelWarning

This message occurs when an authorization policy’s selector does not match any pods.

Example

You will receive this message:

  1. Warning [IST0127] (AuthorizationPolicy httpbin-nopods.httpbin) No matching workloads for this resource with the following labels: app=bogus-label,version=v1

when your cluster has the following authorization policy:

  1. apiVersion: security.istio.io/v1
  2. kind: AuthorizationPolicy
  3. metadata:
  4. name: httpbin-nopods
  5. namespace: httpbin
  6. spec:
  7. selector:
  8. matchLabels:
  9. app: bogus-label # Bogus label. No matching workloads
  10. version: v1
  11. rules:
  12. - from:
  13. - source:
  14. principals: ["cluster.local/ns/default/sa/curl"]
  15. - source:
  16. namespaces: ["httpbin"]
  17. to:
  18. - operation:
  19. methods: ["GET"]
  20. paths: ["/info*"]
  21. - operation:
  22. methods: ["POST"]
  23. paths: ["/data"]
  24. when:
  25. - key: request.auth.claims[iss]
  26. values: ["https://accounts.google.com"]

In this example, the authorization policy httpbin-nopods selects pods with the label app=bogus-label, and none exist.

How to resolve

  • Change the selector to match the pods you have
  • Label pods to match the selector