NoMatchingWorkloadsFound
当 AuthorizationPolicy
资源的选择器匹配不到任何 Pod 时,会出现此消息。
示例
当集群包含以下资源时:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin-nopods
namespace: httpbin
spec:
selector:
matchLabels:
app: bogus-label # Bogus label. No matching workloads
version: v1
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/sleep"]
- source:
namespaces: ["httpbin"]
to:
- operation:
methods: ["GET"]
paths: ["/info*"]
- operation:
methods: ["POST"]
paths: ["/data"]
when:
- key: request.auth.claims[iss]
values: ["https://accounts.google.com"]
您会收到此消息:
Warning [IST0127] (AuthorizationPolicy httpbin-nopods.httpbin) No matching workloads for this resource with the following labels: app=bogus-label,version=v1
在这个样例中, AuthorizationPolicy
资源 httpbin-nopods
需要绑定到包含 app=bogus-label
标签的 Pod 上,但是其不存在。
如何修复
- 修改选择器
selector
以选择存在的 Pod - 修改特定 Pod 的标签以匹配此资源的选择器