IST0001: InternalError
There was an internal error in the toolchain. This is almost always a bug in the implementation.
istioctl
provides rich analysis of Istio configuration state in
order to identity invalid or suboptimal configurations. Here’s is a list of the distinct possible
error or warning messages produced by this analysis.
There was an internal error in the toolchain. This is almost always a bug in the implementation.
A feature that the configuration is depending on is now deprecated.
A resource being referenced does not exist.
A namespace is not enabled for Istio injection.
A pod is missing the Istio proxy.
The resource has a schema validation error.
An Istio annotation is applied to the wrong kind of resource.
An Istio annotation is not recognized for any kind of resource
Conflicting hosts on VirtualServices associated with mesh gateway
A Sidecar resource selects the same workloads as another Sidecar resource
More than one sidecar resource in a namespace has no workload selector
A VirtualService routes to a service with more than one port exposed, but does not specify which to use.
The resulting pods of a service mesh deployment can't be associated with multiple services using the same port but different protocols.
Port name is not under naming convention. Protocol detection is applied to the port.
Invalid Regex
A namespace has more than one type of injection labels
An Istio annotation that is not valid
A service registry in Mesh Networks is unknown
There aren't workloads matching the resource labels
No caCertificates are set in DestinationRule, this results in no verification of presented server certificate.
No caCertificates are set in DestinationRule, this results in no verification of presented server certificate for traffic to a given port.
A VirtualService rule will never be used because a previous rule uses the same match.
A VirtualService rule match duplicates a match in a previous rule.
Host defined in VirtualService not found in Gateway.
The resource has a schema validation warning.
Virtual IP addresses are required for ports serving TCP (or unset) protocol
A resource is using a deprecated Istio annotation.
An Istio annotation may not be suitable for production.
Two services selecting the same workload with the same targetPort MUST refer to the same port.
Duplicate certificate in multiple gateways may cause 404s if clients re-use HTTP2 connections.
Webhook is invalid or references a control plane service that does not exist.
Route rules have no effect on ingress gateway requests
Required permissions to install Istio are missing.
The Kubernetes version is not supported
A port exposed in a Service is bound to a localhost address
Application pods should not run as user ID (UID) 1337
Gateway should not have the same selector, port and matched hosts of server
Deployments with `image: auto` should be targeted for injection.
Pods with `image: auto` should be targeted for injection.
user namespace should be injectable if Istio is installed with enableNamespacesByDefault enabled and neither injection label is set.
Virtual service using JWT claim based routing without request authentication.
Proxy may prevent tcp named ports and unmatched traffic for ports serving TCP protocol from being forwarded correctly for ExternalName services.
This EnvoyFilter does not have a priority and has a relative patch operation set which can cause the EnvoyFilter not to be applied. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.
The REPLACE operation is only valid for HTTP_FILTER and NETWORK_FILTER.
The ADD operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.
The REMOVE operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.
This EnvoyFilter does not have a priority and has a relative patch operation (NSTERT_BEFORE/AFTER, REPLACE, MERGE, DELETE) and proxyVersion set which can cause the EnvoyFilter not to be applied during an upgrade. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.
The Gateway API CRD version is not supported
The Telemetry with empty providers will be ignored
The Istio proxy image of the pods running in the namespace do not match the image defined in the injection configuration.
A Telemetry resource selects the same workloads as another Telemetry resource
More than one telemetry resource in a namespace has no workload selector
The credential provided for the Gateway resource is invalid
Gateway port not exposed by service
Address for the ingress gateway on the external control plane is not valid
Address for the ingress gateway on the external control plane is an IP address and not a hostname
VirtualServices should not reference internal Gateways.
Selector has no effect when applied to Kubernetes Gateways.
The policy applied has no impact.
We cannot automatically detect whether a change is fully compatible or not
The provided configuration object may be incompatible due to an upgrade
The services live in different clusters under multi-cluster deployment model are inconsistent