Configuration Analysis Messages

    There was an internal error in the toolchain. This is almost always a bug in the implementation.

    A feature that the configuration is depending on is now deprecated.

    A resource being referenced does not exist.

    A namespace is not enabled for Istio injection.

    A pod is missing the Istio proxy.

    Unhandled gateway port

    The image of the Istio proxy running on the pod does not match the image defined in the injection configuration.

    The resource has a schema validation error.

    An Istio annotation is applied to the wrong kind of resource.

    An Istio annotation is not recognized for any kind of resource

    Conflicting hosts on VirtualServices associated with mesh gateway

    A Sidecar resource selects the same workloads as another Sidecar resource

    More than one sidecar resource in a namespace has no workload selector

    A VirtualService routes to a service with more than one port exposed, but does not specify which to use.

    The resulting pods of a service mesh deployment can’t be associated with multiple services using the same port but different protocols.

    The resulting pods of a service mesh deployment must be associated with at least one service.

    Port name is not under naming convention. Protocol detection is applied to the port.

    Authentication policy with JWT targets Service with invalid port specification.

    Invalid Regex

    A namespace has both new and legacy injection labels

    An Istio annotation that is not valid

    IST0126: UnknownMeshNetworksServiceRegistry

    A service registry in Mesh Networks is unknown

    IST0127: NoMatchingWorkloadsFound

    There aren’t workloads matching the resource labels

    IST0128: NoServerCertificateVerificationDestinationLevel

    No caCertificates are set in DestinationRule, this results in no verification of presented server certificate.

    IST0129: NoServerCertificateVerificationPortLevel

    No caCertificates are set in DestinationRule, this results in no verification of presented server certificate for traffic to a given port.

    IST0130: VirtualServiceUnreachableRule

    A VirtualService rule will never be used because a previous rule uses the same match.

    IST0131: VirtualServiceIneffectiveMatch

    A VirtualService rule match duplicates a match in a previous rule.

    IST0132: VirtualServiceHostNotFoundInGateway

    Host defined in VirtualService not found in Gateway.

    IST0133: SchemaWarning

    Virtual IP addresses are required for ports serving TCP (or unset) protocol

    A resource is using a deprecated Istio annotation.

    An Istio annotation may not be suitable for production.

    Two services selecting the same workload with the same targetPort MUST refer to the same port.

    IST0138: GatewayDuplicateCertificate

    Duplicate certificate in multiple gateways may cause 404s if clients re-use HTTP2 connections.

    IST0139: InvalidWebhook

    Webhook is invalid or references a control plane service that does not exist.

    IST0140: IngressRouteRulesNotAffected

    Route rules have no effect on ingress gateway requests

    IST0141: InsufficientPermissions

    Required permissions to install Istio are missing.

    IST0142: UnsupportedKubernetesVersion

    The Kubernetes version is not supported

    IST0143: LocalhostListener

    A port exposed in a Service is bound to a localhost address

    IST0144: InvalidApplicationUID

    Application pods should not run as user ID (UID) 1337

    IST0145: ConflictingGateways

    Gateway should not have the same selector, port and matched hosts of server

    IST0146: ImageAutoWithoutInjectionWarning

    Deployments with `image: auto` should be targeted for injection.

    IST0147: ImageAutoWithoutInjectionError

    Pods with `image: auto` should be targeted for injection.

    IST0148: NamespaceInjectionEnabledByDefault
    IST0149: JwtClaimBasedRoutingWithoutRequestAuthN

    Virtual service using JWT claim based routing without request authentication.