IST0001: InternalError
There was an internal error in the toolchain. This is almost always a bug in the implementation.
istioctl
provides rich analysis of Istio configuration state in
order to identity invalid or suboptimal configurations. Here’s is a list of the distinct possible
error or warning messages produced by this analysis.
There was an internal error in the toolchain. This is almost always a bug in the implementation.
A feature that the configuration is depending on is now deprecated.
A resource being referenced does not exist.
A namespace is not enabled for Istio injection.
A pod is missing the Istio proxy.
Unhandled gateway port
The image of the Istio proxy running on the pod does not match the image defined in the injection configuration.
The resource has a schema validation error.
An Istio annotation is applied to the wrong kind of resource.
An Istio annotation is not recognized for any kind of resource
Conflicting hosts on VirtualServices associated with mesh gateway
A Sidecar resource selects the same workloads as another Sidecar resource
More than one sidecar resource in a namespace has no workload selector
A VirtualService routes to a service with more than one port exposed, but does not specify which to use.
A DestinationRule and Policy are in conflict with regards to mTLS.
A Policy targets a port name that cannot be found.
A DestinationRule uses mTLS for a workload that has no sidecar.
The resulting pods of a service mesh deployment can't be associated with multiple services using the same port but different protocols.
The resulting pods of a service mesh deployment must be associated with at least one service.
Port name is not under naming convention. Protocol detection is applied to the port.
Authentication policy with JWT targets Service with invalid port specification.
The Policy resource is deprecated and will be removed in a future Istio release. Migrate to the PeerAuthentication resource.
The MeshPolicy resource is deprecated and will be removed in a future Istio release. Migrate to the PeerAuthentication resource.
Invalid Regex
A namespace has both new and legacy injection labels
An Istio annotation that is not valid
A service registry in Mesh Networks is unknown
There aren't workloads matching the resource labels
No caCertificates are set in DestinationRule, this results in no verification of presented server certificate.
No caCertificates are set in DestinationRule, this results in no verification of presented server certificate for traffic to a given port.