Configuration Validation Problems

Seemingly valid configuration is rejected

Use istioctl validate -f and istioctl analyze for more insight into why the configuration is rejected. Use an istioctl CLI whose version is close to the control plane version.

The most commonly reported problems with configuration are YAML indentation and array notation (-) mistakes.

Manually verify that your configuration is correct, cross-referencing the Istio API reference when necessary.

Invalid configuration is accepted

Verify that a validatingwebhookconfiguration named istio-validator-, followed by <revision>- if the revision is not the default one, followed by the Istio system namespace (for example istio-validator-myrev-istio-system) exists and is correct. The apiVersion, apiGroup, and resource of the invalid configuration should be listed in the webhooks section of the validatingwebhookconfiguration.

    $ kubectl get validatingwebhookconfiguration istio-validator-istio-system -o yaml
    apiVersion: admissionregistration.k8s.io/v1
    kind: ValidatingWebhookConfiguration
    metadata:
      labels:
        app: istiod
        install.operator.istio.io/owning-resource-namespace: istio-system
        istio: istiod
        istio.io/rev: default
        operator.istio.io/component: Pilot
        operator.istio.io/managed: Reconcile
        operator.istio.io/version: unknown
        release: istio
      name: istio-validator-istio-system
      resourceVersion: "615569"
      uid: 112fed62-93e7-41c9-8cb1-b2665f392dd7
    webhooks:
    - admissionReviewVersions:
      - v1beta1
      - v1
      clientConfig:
        # caBundle should be non-empty. This is periodically (re)patched
        # every second by the webhook service using the ca-cert
        # from the mounted service account secret.
        caBundle: LS0t...
        # service corresponds to the Kubernetes service that implements the webhook
        service:
          name: istiod
          namespace: istio-system
          path: /validate
          port: 443
      failurePolicy: Fail
      matchPolicy: Equivalent
      name: rev.validation.istio.io
      namespaceSelector: {}
      objectSelector:
        matchExpressions:
        - key: istio.io/rev
          operator: In
          values:
          - default
      rules:
      - apiGroups:
        - security.istio.io
        - networking.istio.io
        - telemetry.istio.io
        - extensions.istio.io
        apiVersions:
        - '*'
        operations:
        - CREATE
        - UPDATE
        resources:
        - '*'
        scope: '*'
      sideEffects: None
      timeoutSeconds: 10

If the istio-validator- webhook does not exist, verify that the global.configValidation installation option is set to true.

The validation configuration is fail-close. If the configuration exists and is scoped properly, the webhook will be invoked. A missing caBundle, a bad certificate, or a network connectivity problem will produce an error message when the resource is created or updated. If you don't see any error message, the webhook wasn't invoked, and the webhook configuration is valid, your cluster is misconfigured.
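The two conditions above (is the object in scope of the webhook at all, and is caBundle populated) can be checked offline against the output of kubectl get validatingwebhookconfiguration <name> -o json. The following checker is an added example, not code from Istio or this page; the sample configuration is constructed from the YAML above with caBundle deliberately left empty, and the matching logic only models rules, namespaceSelector and objectSelector (it does not model matchPolicy: Equivalent or the scope field, so it slightly under-approximates what the API server does).

```python
import base64
import binascii

# Constructed sample in the shape returned by
#   kubectl get validatingwebhookconfiguration istio-validator-istio-system -o json
# trimmed to the fields read below; caBundle is left empty on purpose.
SAMPLE_WEBHOOK_CONFIG = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "istio-validator-istio-system"},
    "webhooks": [{
        "name": "rev.validation.istio.io",
        "clientConfig": {"caBundle": "",
                         "service": {"name": "istiod", "namespace": "istio-system",
                                     "path": "/validate", "port": 443}},
        "failurePolicy": "Fail",
        "namespaceSelector": {},
        "objectSelector": {"matchExpressions": [
            {"key": "istio.io/rev", "operator": "In", "values": ["default"]}]},
        "rules": [{"apiGroups": ["security.istio.io", "networking.istio.io",
                                 "telemetry.istio.io", "extensions.istio.io"],
                   "apiVersions": ["*"], "operations": ["CREATE", "UPDATE"],
                   "resources": ["*"], "scope": "*"}],
    }],
}


def _listed(allowed, value):
    # Rule lists accept the wildcard '*' or an exact entry.
    return "*" in allowed or value in allowed


def selector_matches(selector, labels):
    """Evaluate a label selector (matchLabels plus In/NotIn/Exists/DoesNotExist
    expressions) against a label map. An empty selector {} matches everything."""
    for key, want in selector.get("matchLabels", {}).items():
        if labels.get(key) != want:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, vals = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in vals:
            return False
        if op == "NotIn" and labels.get(key) in vals:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def rule_matches(rule, group, version, resource, operation):
    return (_listed(rule.get("apiGroups", []), group)
            and _listed(rule.get("apiVersions", []), version)
            and _listed(rule.get("resources", []), resource)
            and _listed(rule.get("operations", []), operation))


def intercepting_webhooks(config, group, version, resource, operation,
                          object_labels, namespace_labels):
    """Names of the webhooks the API server would call for this request.
    An empty list means the object is admitted without Istio validation."""
    hits = []
    for wh in config.get("webhooks", []):
        if (any(rule_matches(r, group, version, resource, operation)
                for r in wh.get("rules", []))
                and selector_matches(wh.get("namespaceSelector", {}), namespace_labels)
                and selector_matches(wh.get("objectSelector", {}), object_labels)):
            hits.append(wh["name"])
    return hits


def cabundle_problems(config):
    """Findings about clientConfig.caBundle: empty, undecodable, or not PEM.
    Each of these shows up client-side as 'certificate signed by unknown authority'."""
    problems = []
    for wh in config.get("webhooks", []):
        bundle = wh.get("clientConfig", {}).get("caBundle", "")
        if not bundle:
            problems.append(f"{wh['name']}: caBundle is empty")
            continue
        try:
            pem = base64.b64decode(bundle, validate=True)
        except binascii.Error:
            problems.append(f"{wh['name']}: caBundle is not valid base64")
            continue
        if b"-----BEGIN CERTIFICATE-----" not in pem:
            problems.append(f"{wh['name']}: caBundle holds no PEM CERTIFICATE block")
    return problems


if __name__ == "__main__":
    for labels in ({"istio.io/rev": "default"}, {"istio.io/rev": "canary"}, {}):
        hits = intercepting_webhooks(SAMPLE_WEBHOOK_CONFIG, "networking.istio.io",
                                     "v1beta1", "virtualservices", "CREATE", labels, {})
        print(f"object labels {labels}: intercepted by {hits or 'no webhook'}")
    for finding in cabundle_problems(SAMPLE_WEBHOOK_CONFIG):
        print("finding:", finding)
```

Run it against a real dump by loading the JSON with json.load and passing the resulting dict in place of SAMPLE_WEBHOOK_CONFIG. An object whose istio.io/rev label is not in the selector's values, or whose apiGroup or operation is not in any rule, returns an empty list from intercepting_webhooks: that is exactly the "scoped properly" case the text describes, where invalid configuration is accepted because the webhook is never called.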

Creating configuration fails with x509 certificate errors

x509: certificate signed by unknown authority errors are typically caused by an empty caBundle in the webhook configuration. Verify that it is not empty (see the webhook configuration check above). Istio deliberately reconciles the webhook configuration using the istio-validation configmap and root certificate.

  1. Verify the istiod pod(s) are running:

       $ kubectl -n istio-system get pod -lapp=istiod
       NAME                      READY   STATUS    RESTARTS   AGE
       istiod-5dbbbdb746-d676g   1/1     Running   0          2d

  2. Check the pod logs for errors. Failing to patch the caBundle should print an error.

       $ for pod in $(kubectl -n istio-system get pod -lapp=istiod -o jsonpath='{.items[*].metadata.name}'); do \
           kubectl -n istio-system logs ${pod}; \
         done

  3. If the patching failed, verify the RBAC configuration for Istiod:

       $ kubectl get clusterrole istiod-istio-system -o yaml
       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       name: istiod-istio-system
       rules:
       - apiGroups:
         - admissionregistration.k8s.io
         resources:
         - validatingwebhookconfigurations
         verbs:
         - '*'

     Istio needs write access to validatingwebhookconfigurations in order to create and update the validatingwebhookconfiguration.
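The RBAC step can be automated by evaluating the ClusterRole rules the same way the API server does, with '*' acting as a wildcard. This is an added example, not Istio's or this page's code; the sample role is constructed from the YAML above with one extra configmaps rule so both the wildcard and exact-match paths are exercised, and the verb list checked for the caBundle patch is an assumption (the page only says "write access"). resourceNames restrictions are not modelled.

```python
# Constructed sample in the shape of
#   kubectl get clusterrole istiod-istio-system -o json
# extended with a second rule (constructed) so wildcard and exact matches both run.
SAMPLE_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "istiod-istio-system"},
    "rules": [
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations"],
         "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["configmaps"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Assumed (not stated on the page) set of verbs istiod needs to read the
# webhook object and patch caBundle into it.
WEBHOOK_PATCH_VERBS = ("get", "list", "watch", "update", "patch")


def _granted(allowed, value):
    # RBAC rule lists accept the wildcard '*' or an exact entry.
    return "*" in allowed or value in allowed


def role_allows(role, api_group, resource, verb):
    """True if any rule in the role grants `verb` on `resource` in `api_group`.
    The core API group is the empty string, as in the RBAC API itself."""
    for rule in role.get("rules", []):
        if (_granted(rule.get("apiGroups", []), api_group)
                and _granted(rule.get("resources", []), resource)
                and _granted(rule.get("verbs", []), verb)):
            return True
    return False


def missing_webhook_permissions(role):
    """Verbs from WEBHOOK_PATCH_VERBS that the role does not grant on
    validatingwebhookconfigurations; empty means the caBundle patch can succeed."""
    return [verb for verb in WEBHOOK_PATCH_VERBS
            if not role_allows(role, "admissionregistration.k8s.io",
                               "validatingwebhookconfigurations", verb)]


if __name__ == "__main__":
    missing = missing_webhook_permissions(SAMPLE_CLUSTERROLE)
    print("missing verbs:", missing or "none")
```

A read-only role (verbs get, list, watch only) would make missing_webhook_permissions return the write verbs, which matches the symptom in step 2: istiod runs but logs a failure to patch the caBundle.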

Creating configuration fails with no such hosts or no endpoints available errors

Validation is fail-close. If the istiod pod is not ready, configuration cannot be created or updated. In such cases you'll see an error about no endpoints available.

Verify the istiod pod(s) are running and endpoints are ready.

    $ kubectl -n istio-system get pod -lapp=istiod
    NAME                      READY   STATUS    RESTARTS   AGE
    istiod-5dbbbdb746-d676g   1/1     Running   0          2d

    $ kubectl -n istio-system get endpoints istiod
    NAME     ENDPOINTS                            AGE
    istiod   10.48.6.108:15014,10.48.6.108:443   3d

If the pods or endpoints aren’t ready, check the pod logs and status for any indication about why the webhook pod is failing to start and serve traffic.

    $ for pod in $(kubectl -n istio-system get pod -lapp=istiod -o jsonpath='{.items[*].metadata.name}'); do \
        kubectl -n istio-system logs ${pod}; \
      done

    $ for pod in $(kubectl -n istio-system get pod -lapp=istiod -o name); do \
        kubectl -n istio-system describe ${pod}; \
      done
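The "no endpoints available" condition corresponds to the istiod Endpoints object having no ready address for the webhook port (443, from the clientConfig.service.port shown earlier). The following added example, which is not part of the page or of Istio, reads a dict in the shape of kubectl get endpoints istiod -o json and separates the three states a practitioner has to tell apart: ready backends, pods that are selected but failing readiness (they appear under notReadyAddresses), and no selected pods at all (subsets is null). The sample objects are constructed from the page's output; the port names are assumptions.

```python
# Constructed samples in the shape of: kubectl -n istio-system get endpoints istiod -o json
_PORTS = [{"name": "https-webhook", "port": 443, "protocol": "TCP"},      # name assumed
          {"name": "http-monitoring", "port": 15014, "protocol": "TCP"}]  # name assumed

SAMPLE_ENDPOINTS_READY = {
    "apiVersion": "v1", "kind": "Endpoints",
    "metadata": {"name": "istiod", "namespace": "istio-system"},
    "subsets": [{"addresses": [{"ip": "10.48.6.108"}], "ports": _PORTS}],
}
# Same pod, but its readiness probe is failing: kube-proxy will not route to it.
SAMPLE_ENDPOINTS_NOT_READY = {
    "apiVersion": "v1", "kind": "Endpoints",
    "metadata": {"name": "istiod", "namespace": "istio-system"},
    "subsets": [{"notReadyAddresses": [{"ip": "10.48.6.108"}], "ports": _PORTS}],
}
# No pod matches the service selector at all: the API returns subsets as null.
SAMPLE_ENDPOINTS_NO_PODS = {
    "apiVersion": "v1", "kind": "Endpoints",
    "metadata": {"name": "istiod", "namespace": "istio-system"},
    "subsets": None,
}

WEBHOOK_PORT = 443  # clientConfig.service.port in the validating webhook configuration


def webhook_backends(endpoints, port=WEBHOOK_PORT):
    """Return (ready_ips, not_ready_ips) for the subsets that expose `port`.
    `subsets` may be null rather than an empty list, hence the `or []`."""
    ready, not_ready = [], []
    for subset in endpoints.get("subsets") or []:
        if not any(p.get("port") == port for p in subset.get("ports", [])):
            continue
        ready.extend(a["ip"] for a in subset.get("addresses", []))
        not_ready.extend(a["ip"] for a in subset.get("notReadyAddresses", []))
    return ready, not_ready


def diagnose(endpoints, port=WEBHOOK_PORT):
    """One-line verdict in the vocabulary of the API server's error message."""
    ready, not_ready = webhook_backends(endpoints, port)
    if ready:
        return f"ok: {len(ready)} ready backend(s) on port {port}: {', '.join(ready)}"
    if not_ready:
        return (f"no endpoints available: {', '.join(not_ready)} selected but failing "
                "readiness; check the pod logs and describe output")
    return "no endpoints available: no pod matches the istiod service selector"


if __name__ == "__main__":
    for sample in (SAMPLE_ENDPOINTS_READY, SAMPLE_ENDPOINTS_NOT_READY, SAMPLE_ENDPOINTS_NO_PODS):
        print(diagnose(sample))
```

The second and third verdicts map onto the two investigations the text recommends: a not-ready address means the pod exists and its logs will say why readiness fails, while a null subsets list means the Deployment or its label selector is the thing to inspect with kubectl describe.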