Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

[Feature] Automatically label AKS Owned Namespaces for Istio Compatibility #4666

Open anitshrestha150 opened 1 week ago

anitshrestha150 commented 1 week ago

Summary
When using istioctl analyze -A, namespaces managed by AKS generate the informational message [IST0102], indicating that these namespaces are not labeled for Istio injection. While we can label the namespaces we own with istio-injection=disabled, namespaces owned and managed by AKS (e.g., aks-istio-system) remain unlabeled. We request AKS to automatically label these namespaces with istio-injection=disabled to improve compatibility and reduce noise in Istio analysis.

Is your feature request related to a problem? Please describe.
AKS pre-creates certain namespaces during cluster setup (e.g., aks-istio-system, kube-system). When we use istioctl analyze -A, it frequently reports [IST0102] warnings for these namespaces:
Info [IST0102] (Namespace aks-istio-egress) The namespace is not enabled for Istio injection. Run 'kubectl label namespace aks-istio-egress istio-injection=enabled' to enable it, or 'kubectl label namespace aks-istio-egress istio-injection=disabled' to explicitly mark it as not needing injection.

This behavior causes confusion and adds manual effort for AKS users, who need to inspect these namespaces and manually label them to silence the warnings. However, labeling AKS-managed namespaces isn't straightforward, as AKS automation can override these labels during cluster updates.

Describe the solution you'd like
We request that AKS automatically apply the label istio-injection=disabled to AKS-owned namespaces during their creation. This will ensure:
- Reduced noise in Istio analysis.
- Users do not have to manually label namespaces that AKS manages.

Describe alternatives you've considered
We tried to manually label AKS-managed namespaces using kubectl label namespace aks-istio-egress istio-injection=disabled --overwrite. However, AKS automation eventually removed these labels. We can also ignore these warnings, but it can lead to unintentional oversight of genuine issues.

Thank you for your support.
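
A narrower stopgap than ignoring the warnings, as an added example that is not part of the original issue and not AKS or Istio project code: suppress IST0102 only on the namespaces the post names, using istioctl's `--suppress` flag, and apply the same rule to saved output. The namespace list and the `ISTIOCTL` override variable are assumptions, and the sample output is constructed.

```sh
#!/bin/sh
# Added example, not AKS or Istio project code.
# Namespaces the issue names as AKS-managed (assumption: adjust per cluster).
AKS_NAMESPACES="aks-istio-system aks-istio-egress kube-system"

# Run the analyzer with IST0102 suppressed only on those namespaces, so the
# same message on user namespaces and all other findings are still reported.
# ISTIOCTL is a hypothetical override used here for dry runs and testing.
analyze_all() {
  set -- analyze -A
  for ns in $AKS_NAMESPACES; do
    set -- "$@" --suppress "IST0102=Namespace $ns"
  done
  "${ISTIOCTL:-istioctl}" "$@"
}

# Same rule for output that was already captured (CI logs): read stdin and
# drop IST0102 lines for the listed namespaces. The ") " after the name makes
# the match exact, so "aks-istio-egress-2" would not be hidden.
filter_ist0102() {
  while IFS= read -r line || [ -n "$line" ]; do
    keep=1
    for ns in $AKS_NAMESPACES; do
      case $line in
        "Info [IST0102] (Namespace $ns) "*) keep=0 ;;
      esac
    done
    if [ "$keep" -eq 1 ]; then printf '%s\n' "$line"; fi
  done
}

# Constructed sample of analyzer output (message text abbreviated).
SAMPLE_OUTPUT='Info [IST0102] (Namespace aks-istio-egress) The namespace is not enabled for Istio injection.
Info [IST0102] (Namespace payments) The namespace is not enabled for Istio injection.
Error [IST0101] (VirtualService payments/checkout) Referenced host not found: "checkout-v2"'
```

Because the suppression is keyed to both the message code and the namespace name, an unlabeled user namespace such as the constructed `payments` one still surfaces.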