Configuration Analysis Messages

istioctl provides rich analysis of Istio configuration state in order to identity invalid or suboptimal configurations. Here’s is a list of the distinct possible error or warning messages produced by this analysis.

IST0001: InternalError

There was an internal error in the toolchain. This is almost always a bug in the implementation.

IST0002: Deprecated

A feature that the configuration is depending on is now deprecated.

IST0101: ReferencedResourceNotFound

A resource being referenced does not exist.

IST0102: NamespaceNotInjected

A namespace is not enabled for Istio injection.

IST0103: PodMissingProxy

A pod is missing the Istio proxy.

IST0106: SchemaValidationError

The resource has a schema validation error.

IST0107: MisplacedAnnotation

An Istio annotation is applied to the wrong kind of resource.

IST0108: UnknownAnnotation

An Istio annotation is not recognized for any kind of resource

IST0109: ConflictingMeshGatewayVirtualServiceHosts

Conflicting hosts on VirtualServices associated with mesh gateway

IST0110: ConflictingSidecarWorkloadSelectors

A Sidecar resource selects the same workloads as another Sidecar resource

IST0111: MultipleSidecarsWithoutWorkloadSelectors

More than one sidecar resource in a namespace has no workload selector

IST0112: VirtualServiceDestinationPortSelectorRequired

A VirtualService routes to a service with more than one port exposed, but does not specify which to use.

IST0116: DeploymentAssociatedToMultipleServices

The resulting pods of a service mesh deployment can't be associated with multiple services using the same port but different protocols.

IST0118: PortNameIsNotUnderNamingConvention

Port name is not under naming convention. Protocol detection is applied to the port.

IST0122: InvalidRegexp

Invalid Regex

IST0123: NamespaceMultipleInjectionLabels

A namespace has more than one type of injection labels

IST0125: InvalidAnnotation

An Istio annotation that is not valid

IST0126: UnknownMeshNetworksServiceRegistry

A service registry in Mesh Networks is unknown

IST0127: NoMatchingWorkloadsFound

There aren't workloads matching the resource labels

IST0128: NoServerCertificateVerificationDestinationLevel

No caCertificates are set in DestinationRule, this results in no verification of presented server certificate.

IST0129: NoServerCertificateVerificationPortLevel

No caCertificates are set in DestinationRule, this results in no verification of presented server certificate for traffic to a given port.

IST0130: VirtualServiceUnreachableRule

A VirtualService rule will never be used because a previous rule uses the same match.

IST0131: VirtualServiceIneffectiveMatch

A VirtualService rule match duplicates a match in a previous rule.

IST0132: VirtualServiceHostNotFoundInGateway

Host defined in VirtualService not found in Gateway.

IST0133: SchemaWarning

The resource has a schema validation warning.

IST0134: ServiceEntryAddressesRequired

Virtual IP addresses are required for ports serving TCP (or unset) protocol

IST0135: DeprecatedAnnotation

A resource is using a deprecated Istio annotation.

IST0136: AlphaAnnotation

An Istio annotation may not be suitable for production.

IST0137: DeploymentConflictingPorts

Two services selecting the same workload with the same targetPort MUST refer to the same port.

IST0138: GatewayDuplicateCertificate

Duplicate certificate in multiple gateways may cause 404s if clients re-use HTTP2 connections.

IST0139: InvalidWebhook

Webhook is invalid or references a control plane service that does not exist.

IST0140: IngressRouteRulesNotAffected

Route rules have no effect on ingress gateway requests

IST0141: InsufficientPermissions

Required permissions to install Istio are missing.

IST0142: UnsupportedKubernetesVersion

The Kubernetes version is not supported

IST0143: LocalhostListener

A port exposed in a Service is bound to a localhost address

IST0144: InvalidApplicationUID

Application pods should not run as user ID (UID) 1337

IST0145: ConflictingGateways

Gateway should not have the same selector, port and matched hosts of server

IST0146: ImageAutoWithoutInjectionWarning

Deployments with `image: auto` should be targeted for injection.

IST0147: ImageAutoWithoutInjectionError

Pods with `image: auto` should be targeted for injection.

IST0148: NamespaceInjectionEnabledByDefault

user namespace should be injectable if Istio is installed with enableNamespacesByDefault enabled and neither injection label is set.

IST0149: JwtClaimBasedRoutingWithoutRequestAuthN

Virtual service using JWT claim based routing without request authentication.

IST0150: ExternalNameServiceTypeInvalidPortName

Proxy may prevent tcp named ports and unmatched traffic for ports serving TCP protocol from being forwarded correctly for ExternalName services.

IST0151: EnvoyFilterUsesRelativeOperation

This EnvoyFilter does not have a priority and has a relative patch operation set which can cause the EnvoyFilter not to be applied. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.

IST0152: EnvoyFilterUsesReplaceOperationIncorrectly

The REPLACE operation is only valid for HTTP_FILTER and NETWORK_FILTER.

IST0153: EnvoyFilterUsesAddOperationIncorrectly

The ADD operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.

IST0154: EnvoyFilterUsesRemoveOperationIncorrectly

The REMOVE operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.

IST0155: EnvoyFilterUsesRelativeOperationWithProxyVersion

This EnvoyFilter does not have a priority and has a relative patch operation (NSTERT_BEFORE/AFTER, REPLACE, MERGE, DELETE) and proxyVersion set which can cause the EnvoyFilter not to be applied during an upgrade. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.

IST0156: UnsupportedGatewayAPIVersion

The Gateway API CRD version is not supported

IST0157: InvalidTelemetryProvider

The Telemetry with empty providers will be ignored

IST0158: PodsIstioProxyImageMismatchInNamespace

The Istio proxy image of the pods running in the namespace do not match the image defined in the injection configuration.

IST0159: ConflictingTelemetryWorkloadSelectors

A Telemetry resource selects the same workloads as another Telemetry resource

IST0160: MultipleTelemetriesWithoutWorkloadSelectors

More than one telemetry resource in a namespace has no workload selector

IST0161: InvalidGatewayCredential

The credential provided for the Gateway resource is invalid

IST0162: GatewayPortNotDefinedOnService

Gateway port not exposed by service

IST0163: InvalidExternalControlPlaneConfig

Address for the ingress gateway on the external control plane is not valid

IST0164: ExternalControlPlaneAddressIsNotAHostname

Address for the ingress gateway on the external control plane is an IP address and not a hostname

IST0165: ReferencedInternalGateway

VirtualServices should not reference internal Gateways.

IST0166: IneffectiveSelector

Selector has no effect when applied to Kubernetes Gateways.

IST0167: IneffectivePolicy

The policy applied has no impact.

IST0168: UnknownUpgradeCompatibility

We cannot automatically detect whether a change is fully compatible or not

IST0169: UpdateIncompatibility

The provided configuration object may be incompatible due to an upgrade

IST0170: MultiClusterInconsistentService

The services live in different clusters under multi-cluster deployment model are inconsistent