Istio analyze: Referenced selector not found: "app=istio-ingressgateway"

[zeeqko]

Bug Description

Bug description

Having a gateway living in the gateways namespace and istio-ingressgateway living in istio-system namespace.

The ingressgateway has the label app=istio-ingressgateway as follows

k get pod -n istio-system -l "app=istio-ingressgateway"
NAME                                            READY   STATUS    RESTARTS   AGE
istio-private-ingressgateway-8657c4fcdb-6h4qb   1/1     Running   0          20d
istio-private-ingressgateway-8657c4fcdb-bwkvp   1/1     Running   0          20d

The traffic works fine but when running istioctl analyze -n gateways the following error would show up:

Error [IST0101] (Gateway gateways/private-gateway) Referenced selector not found: "app=istio-ingressgateway"

What I have tried

I have verified that the PILOT_SCOPE_GATEWAY_TO_NAMESPACE flag in istiod configuration is set to false.

I have also tried putting my gateway inside the istio-system namespace, but it is still complaining about the same error.

Version

➜ istioctl version
client version: 1.15.2
istiod version: 1.16.0
istiod version: 1.16.0
pilot version: 1.15.2
data plane version: 1.16.0 (7 proxies)

Additional Information

No response

Affected product area

• [ ] Ambient
• [ ] Docs
• [ ] Installation
• [ ] Networking
• [ ] Performance and Scalability
• [ ] Extensions and Telemetry
• [ ] Security
• [ ] Test and Release
• [ ] User Experience
• [ ] Developer Infrastructure
• [ ] Upgrade
• [ ] Multi Cluster
• [ ] Virtual Machine
• [ ] Control Plane Revisions

[zirain]

cc @hanxiaop

[hanxiaop]

Can you provide your Gateway and ingressgateway configurations?

[hanxiaop]

Also, try using the latest istioctl to see if you are still receiving unexpected messages.

[zeeqko]

Thanks for the swift reply. A colleague is using the latest istioctl 1.17.2 and he is seeing those errors as well.

gateway.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway
  namespace: gateways
spec:
  selector:
    app: istio-ingressgateway
  servers:
    - hosts:
        - xxx
      port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - xxx
      port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        minProtocolVersion: TLSV1_2
        credentialName: xxx

istioOperator.yaml

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  components:
    ingressGateways:
      ...
      - enabled: true
        name: istio-private-ingressgateway
        k8s:
          hpaSpec:
            maxReplicas: 25
            minReplicas: 2
          strategy:
            rollingUpdate:
              maxSurge: 100%
              maxUnavailable: 0
          podDisruptionBudget:
            maxUnavailable: 20%
          overlays:
            ...
          service:
            type: NodePort
        label:
          app: istio-ingressgateway

[hanxiaop]

Are you using revisions? If so, try to analyze with --revision

[zeeqko]

Tried on another cluster that uses istio 1-17 with the revision flag and got the same error

➜ ./istioctl analyze -n gateways --revision 1-17
Error [IST0101] (Gateway gateways/xxx-gw) Referenced selector not found: "istio=ingressgateway"

➜ ./istioctl version
client version: 1.17.2
istiod version: 1.15.0
istiod version: 1.15.0
istiod version: 1.17.0
istiod version: 1.17.0
data plane version: 1.17.0 (2139 proxies)

[hanxiaop]

Do you have both revisioned and non-revisioned control planes? I cannot reproduce the issue if only one control plane exists, as both analyze and analyze --revision work fine.

Edited: there's a bug that results in the wrong message when control planes with and without revisions both exist.

The revision specified in the analyze should match the ingressgateway's revision.

[zeeqko]

Thank you very much. I have cleaned up my cluster, having only one version 1-17 of istio running and used the revision flag and the error resolved.