Configuration Analysis Messages

    There was an internal error in the toolchain. This is almost always a bug in the implementation.

    A feature that the configuration is depending on is now deprecated.

    A resource being referenced does not exist.

    A namespace is not enabled for Istio injection.

    A pod is missing the Istio proxy.

    Unhandled gateway port

    The image of the Istio proxy running on the pod does not match the image defined in the injection configuration.

    The resource has a schema validation error.

    An Istio annotation is applied to the wrong kind of resource.

    An Istio annotation is not recognized for any kind of resource

    Conflicting hosts on VirtualServices associated with mesh gateway

    A Sidecar resource selects the same workloads as another Sidecar resource

    More than one sidecar resource in a namespace has no workload selector

    A VirtualService routes to a service with more than one port exposed, but does not specify which to use.

    A DestinationRule and Policy are in conflict with regards to mTLS.

    The resulting pods of a service mesh deployment can’t be associated with multiple services using the same port but different protocols.

    Port name is not under naming convention. Protocol detection is applied to the port.

    Authentication policy with JWT targets Service with invalid port specification.

    Invalid Regex

    A namespace has both new and legacy injection labels

    An Istio annotation that is not valid

    IST0126: UnknownMeshNetworksServiceRegistry

    A service registry in Mesh Networks is unknown

    IST0127: NoMatchingWorkloadsFound

    There aren’t workloads matching the resource labels

    IST0128: NoServerCertificateVerificationDestinationLevel

    No caCertificates are set in DestinationRule, this results in no verification of presented server certificate.

    IST0129: NoServerCertificateVerificationPortLevel

    No caCertificates are set in DestinationRule, this results in no verification of presented server certificate for traffic to a given port.

    IST0130: VirtualServiceUnreachableRule

    A VirtualService rule will never be used because a previous rule uses the same match.

    IST0131: VirtualServiceIneffectiveMatch

    A VirtualService rule match duplicates a match in a previous rule.

    IST0132: VirtualServiceHostNotFoundInGateway

    Host defined in VirtualService not found in Gateway.

    IST0133: SchemaWarning

    The resource has a schema validation warning.

    Virtual IP addresses are required for ports serving TCP (or unset) protocol

    A resource is using a deprecated Istio annotation.

    An Istio annotation may not be suitable for production.

    IST0138: GatewayDuplicateCertificate

    Duplicate certificate in multiple gateways may cause 404s if clients re-use HTTP2 connections.

    IST0139: InvalidWebhook

    Webhook is invalid or references a control plane service that does not exist.

    IST0140: IngressRouteRulesNotAffected

    Route rules have no effect on ingress gateway requests

    IST0141: InsufficientPermissions

    Required permissions to install Istio are missing.

    IST0142: UnsupportedKubernetesVersion

    The Kubernetes version is not supported

    IST0143: LocalhostListener

    A port exposed in a Service is bound to a localhost address

    IST0144: InvalidApplicationUID

    Application pods should not run as user ID (UID) 1337

    IST0145: ConflictingGateways

    Gateway should not have the same selector, port and matched hosts of server

    IST0146: ImageAutoWithoutInjectionWarning

    Deployments with `image: auto` should be targeted for injection.

    IST0147: ImageAutoWithoutInjectionError

    Pods with `image: auto` should be targeted for injection.

    IST0148: NamespaceInjectionEnabledByDefault

    user namespace should be injectable if Istio is installed with enableNamespacesByDefault enabled and neither injection label is set.

    IST0149: JwtClaimBasedRoutingWithoutRequestAuthN

    Virtual service using JWT claim based routing without request authentication.

    Proxy may prevent tcp named ports and unmatched traffic for ports serving TCP protocol from being forwarded correctly for ExternalName services.

    This EnvoyFilter does not have a priority and has a relative patch operation set which can cause the EnvoyFilter not to be applied. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.

    The REPLACE operation is only valid for HTTP_FILTER and NETWORK_FILTER.

    The ADD operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.

    This EnvoyFilter does not have a priority and has a relative patch operation (NSTERT_BEFORE/AFTER, REPLACE, MERGE, DELETE) and proxyVersion set which can cause the EnvoyFilter not to be applied during an upgrade. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.