IneffectiveSelector

This message occurs when the workload selector of a policy such as AuthorizationPolicy, RequestAuthentication, Telemetry, or WasmPlugin matches Kubernetes Gateway pods, where the selector is not effective.

Example

You will receive a message similar to:

Warning [IST0166] (AuthorizationPolicy default/ap-ineffective testdata/k8sgateway-selector.yaml:47) Ineffective selector on
Kubernetes Gateway bookinfo-gateway. Use the TargetRef field instead.

when your policy’s selector matches a Kubernetes Gateway.

For example, when you have a Kubernetes Gateway pod like:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    istio.io/rev: default
  labels:
    gateway.networking.k8s.io/gateway-name: bookinfo-gateway
  name: bookinfo-gateway-istio-6ff4cf9645-xbqmc
  namespace: default
spec:
  containers:
  - image: proxyv2:1.21.0
    name: istio-proxy

And there is an AuthorizationPolicy with a selector like:

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  namespace: default
  name: ap-ineffective
spec:
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: bookinfo-gateway
  action: DENY
  rules:
  - from:
    - source:
        namespaces: ["dev"]
    to:
    - operation:
        methods: ["POST"]

If you have both targetRef and selector in the policy, this message will not occur. For example:

apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: telemetry-example
  namespace: default
spec:
  tracing:
  - randomSamplingPercentage: 10.00
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: bookinfo-gateway
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: bookinfo-gateway

How to resolve

Make sure you are using the selector field for sidecars or Istio Gateway pods, and use the targetRef field for Kubernetes Gateway pods. Otherwise, the policy will not be applied.

Here is an example:

apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: telemetry-example
  namespace: default
spec:
  tracing:
  - randomSamplingPercentage: 10.00
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: bookinfo-gateway
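
A pre-deployment check for the condition this page describes, as an added example that is not Istio's analyzer code. It assumes manifests are already parsed into dictionaries, that policy and pod must share a namespace, and that policies without matchLabels are skipped; the function names, the `reviews-v1` pod and the `ap-sidecar` policy are constructed for illustration.

```python
GATEWAY_NAME_LABEL = "gateway.networking.k8s.io/gateway-name"
POLICY_KINDS = {"AuthorizationPolicy", "RequestAuthentication", "Telemetry", "WasmPlugin"}


def selector_matches(match_labels, pod_labels):
    """True when every selector label is present on the pod with the same value."""
    return bool(match_labels) and all(pod_labels.get(k) == v for k, v in match_labels.items())


def ineffective_selectors(policies, pods):
    """Return (kind, namespace/name, gateway) for selector-only policies matching a Kubernetes Gateway pod."""
    findings = []
    for policy in policies:
        spec, meta = policy.get("spec", {}), policy["metadata"]
        match_labels = spec.get("selector", {}).get("matchLabels", {})
        # Per the page, no message is raised when targetRef is also set.
        if policy.get("kind") not in POLICY_KINDS or spec.get("targetRef"):
            continue
        for pod in pods:
            pod_meta = pod["metadata"]
            labels = pod_meta.get("labels", {})
            gateway = labels.get(GATEWAY_NAME_LABEL)  # present only on Kubernetes Gateway pods
            if (gateway and pod_meta.get("namespace") == meta.get("namespace")
                    and selector_matches(match_labels, labels)):
                findings.append((policy["kind"], f'{meta["namespace"]}/{meta["name"]}', gateway))
                break
    return findings

# Constructed sample objects mirroring the manifests on this page.
PODS = [
    {"metadata": {"name": "bookinfo-gateway-istio-6ff4cf9645-xbqmc", "namespace": "default",
                  "labels": {GATEWAY_NAME_LABEL: "bookinfo-gateway"}}},
    {"metadata": {"name": "reviews-v1", "namespace": "default", "labels": {"app": "reviews"}}},
]
GW_SELECTOR = {"matchLabels": {GATEWAY_NAME_LABEL: "bookinfo-gateway"}}
POLICIES = [
    {"kind": "AuthorizationPolicy", "metadata": {"namespace": "default", "name": "ap-ineffective"},
     "spec": {"selector": GW_SELECTOR, "action": "DENY"}},
    {"kind": "Telemetry", "metadata": {"namespace": "default", "name": "telemetry-example"},
     "spec": {"selector": GW_SELECTOR,
              "targetRef": {"group": "gateway.networking.k8s.io", "kind": "Gateway",
                            "name": "bookinfo-gateway"}}},
    {"kind": "AuthorizationPolicy", "metadata": {"namespace": "default", "name": "ap-sidecar"},
     "spec": {"selector": {"matchLabels": {"app": "reviews"}}, "action": "DENY"}},
]

if __name__ == "__main__":
    for kind, name, gateway in ineffective_selectors(POLICIES, PODS):
        print(f"{kind} {name}: ineffective selector on Kubernetes Gateway {gateway}; use targetRef")
```

Only the selector-only DENY policy is reported: it would not be applied at the gateway, so the traffic it was written to block would still pass.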