IneffectiveSelector

Message Name: IneffectiveSelector
Message Code: IST0166
Description: Selector has no effect when applied to Kubernetes Gateways.
Level: Warning

This message occurs when the workload selector of a policy such as AuthorizationPolicy, RequestAuthentication, Telemetry, or WasmPlugin matches pods that belong to a Kubernetes Gateway, where a selector has no effect, so the policy is not applied to those pods.

Example

You will receive a message like:

    Warning [IST0166] (AuthorizationPolicy default/ap-ineffective testdata/k8sgateway-selector.yaml:47) Ineffective selector on Kubernetes Gateway bookinfo-gateway. Use the TargetRef field instead.

when your policy’s selector matches a Kubernetes Gateway.

For example, when you have a Kubernetes Gateway pod like:

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        istio.io/rev: default
      labels:
        gateway.networking.k8s.io/gateway-name: bookinfo-gateway
      name: bookinfo-gateway-istio-6ff4cf9645-xbqmc
      namespace: default
    spec:
      containers:
      - image: proxyv2:1.21.0
        name: istio-proxy

and an AuthorizationPolicy whose selector matches that pod's label:

    apiVersion: security.istio.io/v1
    kind: AuthorizationPolicy
    metadata:
      namespace: default
      name: ap-ineffective
    spec:
      selector:
        matchLabels:
          gateway.networking.k8s.io/gateway-name: bookinfo-gateway
      action: DENY
      rules:
      - from:
        - source:
            namespaces: ["dev"]
        to:
        - operation:
            methods: ["POST"]

If you have both targetRef and selector in the policy, this message will not occur. For example:

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: telemetry-example
      namespace: default
    spec:
      tracing:
      - randomSamplingPercentage: 10.00
      selector:
        matchLabels:
          gateway.networking.k8s.io/gateway-name: bookinfo-gateway
      targetRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: bookinfo-gateway
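The rule described above can be reproduced as a pre-deployment lint so that ineffective policies are caught before they reach a cluster. The following Python is an added example, not Istio's analyzer code: it works on dict versions of the page's objects, treats the gateway.networking.k8s.io/gateway-name label as the mark of a Kubernetes Gateway pod, and assumes a policy only selects pods in its own namespace.

```python
"""Pre-deployment check mirroring the IST0166 rule (added example, not Istio's analyzer code)."""

# Label that Kubernetes Gateway API implementations put on a Gateway's pods (as shown on the page).
GATEWAY_NAME_LABEL = "gateway.networking.k8s.io/gateway-name"
# Policy kinds the page lists as carrying a workload selector.
SELECTOR_POLICY_KINDS = {"AuthorizationPolicy", "RequestAuthentication", "Telemetry", "WasmPlugin"}

def selector_matches(match_labels: dict, pod_labels: dict) -> bool:
    """A matchLabels selector matches a pod when every listed label is present with that value."""
    return all(pod_labels.get(key) == value for key, value in match_labels.items())

def ineffective_selector_warnings(policies: list, pods: list) -> list:
    """One IST0166-style warning per (policy, Kubernetes Gateway) where the selector matches the
    Gateway's pods and the policy has no targetRef. Assumption: a policy only sees pods in its own
    namespace (Istio's root-namespace behaviour is not modelled)."""
    warnings = []
    for policy in policies:
        spec = policy.get("spec", {})
        match_labels = spec.get("selector", {}).get("matchLabels")
        if policy["kind"] not in SELECTOR_POLICY_KINDS or not match_labels or "targetRef" in spec:
            continue  # no workload selector, or targetRef present: the analyzer stays silent
        namespace = policy["metadata"].get("namespace", "default")
        gateways = set()
        for pod in pods:
            labels = pod["metadata"].get("labels", {})
            if pod["metadata"].get("namespace", "default") != namespace:
                continue
            if GATEWAY_NAME_LABEL in labels and selector_matches(match_labels, labels):
                gateways.add(labels[GATEWAY_NAME_LABEL])
        for gateway in sorted(gateways):
            warnings.append(f"Warning [IST0166] ({policy['kind']} {namespace}/{policy['metadata']['name']}) "
                            f"Ineffective selector on Kubernetes Gateway {gateway}. Use the TargetRef field instead.")
    return warnings

# Constructed sample objects (plain dicts, so no YAML library is needed) mirroring the page's YAML.
GATEWAY_POD = {"kind": "Pod", "metadata": {"name": "bookinfo-gateway-istio-6ff4cf9645-xbqmc",
               "namespace": "default", "labels": {GATEWAY_NAME_LABEL: "bookinfo-gateway"}}}
AP_INEFFECTIVE = {"kind": "AuthorizationPolicy", "metadata": {"name": "ap-ineffective", "namespace": "default"},
                  "spec": {"selector": {"matchLabels": {GATEWAY_NAME_LABEL: "bookinfo-gateway"}}, "action": "DENY"}}
TELEMETRY_WITH_TARGETREF = {"kind": "Telemetry", "metadata": {"name": "telemetry-example", "namespace": "default"},
                            "spec": {"selector": {"matchLabels": {GATEWAY_NAME_LABEL: "bookinfo-gateway"}},
                                     "targetRef": {"group": "gateway.networking.k8s.io", "kind": "Gateway",
                                                   "name": "bookinfo-gateway"}}}

def check_page_examples() -> list:
    """Run the check over the page's objects: only ap-ineffective should be flagged."""
    return ineffective_selector_warnings([AP_INEFFECTIVE, TELEMETRY_WITH_TARGETREF], [GATEWAY_POD])

if __name__ == "__main__":
    print("\n".join(check_page_examples()))
```

Running it flags only ap-ineffective; the Telemetry object carrying both selector and targetRef passes, as the page describes.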

How to resolve

Use the selector field for sidecars and Istio Gateway pods, and the targetRef field for Kubernetes Gateways. A selector that only matches Kubernetes Gateway pods leaves the policy unapplied.

Here is an example:

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: telemetry-example
      namespace: default
    spec:
      tracing:
      - randomSamplingPercentage: 10.00
      targetRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: bookinfo-gateway