IneffectiveSelector

Message Name: IneffectiveSelector
Message Code: IST0166
Description: Selector has no effect when applied to Kubernetes Gateways.
Level: Warning

This message occurs when the workload selector in a policy such as AuthorizationPolicy, RequestAuthentication, Telemetry, or WasmPlugin does not effectively target any Kubernetes Gateway Pod.

Example

You will receive a message similar to the following when your policy selector matches a Kubernetes Gateway:

    Warning [IST0166] (AuthorizationPolicy default/ap-ineffective testdata/k8sgateway-selector.yaml:47) Ineffective selector on
    Kubernetes Gateway bookinfo-gateway. Use the TargetRef field instead.

For example, when you have a Kubernetes Gateway Pod like this:

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        istio.io/rev: default
      labels:
        gateway.networking.k8s.io/gateway-name: bookinfo-gateway
      name: bookinfo-gateway-istio-6ff4cf9645-xbqmc
      namespace: default
    spec:
      containers:
      - image: proxyv2:1.21.0
        name: istio-proxy

and an AuthorizationPolicy with a selector like the following:

    apiVersion: security.istio.io/v1
    kind: AuthorizationPolicy
    metadata:
      namespace: default
      name: ap-ineffective
    spec:
      selector:
        matchLabels:
          gateway.networking.k8s.io/gateway-name: bookinfo-gateway
      action: DENY
      rules:
      - from:
        - source:
            namespaces: ["dev"]
        to:
        - operation:
            methods: ["POST"]

If you set both targetRef and selector in the policy, this message will not occur. For example:

    apiVersion: telemetry.istio.io/v1
    kind: Telemetry
    metadata:
      name: telemetry-example
      namespace: default
    spec:
      tracing:
      - randomSamplingPercentage: 10.00
      selector:
        matchLabels:
          gateway.networking.k8s.io/gateway-name: bookinfo-gateway
      targetRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: bookinfo-gateway

How to resolve

Make sure you use the selector field for Sidecar or Istio Gateway Pods, and the targetRef field for Kubernetes Gateway Pods. Otherwise, the policy will not take effect.

Here is an example:

    apiVersion: telemetry.istio.io/v1
    kind: Telemetry
    metadata:
      name: telemetry-example
      namespace: default
    spec:
      tracing:
      - randomSamplingPercentage: 10.00
      targetRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: bookinfo-gateway
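
The same fix applied to the ap-ineffective AuthorizationPolicy shown earlier, as an added example that is not part of the original Istio page. The selector is replaced by a targetRef so that the DENY rule attaches to the bookinfo-gateway Kubernetes Gateway; the rules are carried over unchanged.

```yaml
# Added example (not from the original page): the AuthorizationPolicy from the
# warning above, rewritten to attach to the Kubernetes Gateway via targetRef.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  namespace: default
  name: ap-ineffective
spec:
  # targetRef replaces spec.selector. With only the selector, this policy
  # triggers IST0166 and the DENY rule below is not enforced at the gateway.
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: bookinfo-gateway
  action: DENY
  rules:
  - from:
    - source:
        namespaces: ["dev"]
    to:
    - operation:
        methods: ["POST"]
```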