search

istio / istio

Connect, secure, control, and observe services.
https://istio.io
Apache License 2.0
35.93k stars 7.75k forks source link

istioctl analyze --revison invalid #49100

Closed nicole-lihui closed 5 months ago

nicole-lihui commented 9 months ago

Is this the right place to submit this?

Bug Description

Issue Description:

When utilizing the istioctl analyze --revision canary -A command, it was observed that the analysis did not follow the specified --revision parameter; instead, it provided output for all relevant information.

$  ./istio-1.20.2/bin/istioctl x revision list
REVISION TAG      ISTIO-OPERATOR-CR                   PROFILE REQD-COMPONENTS
bule     <no-tag> istio-system/installed-state-bule   default Istio core
                                                              Istiod
                                                              Ingress gateways:istio-ingressgateway
canary   <no-tag> istio-system/installed-state-canary default Istio core
                                                              Istiod
                                                              Ingress gateways:istio-ingressgateway
default  default  istio-system/installed-state        demo    Istio core
                                                              Istiod
                                                              Ingress gateways:istio-ingressgateway
                                                              Egress gateways:istio-egressgateway

$ istioctl analyze -A                                 
Info [IST0102] (Namespace metallb-system) The namespace is not enabled for Istio injection. Run 'kubectl label namespace metallb-system istio-injection=enabled' to enable it, or 'kubectl label namespace metallb-system istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0118] (Service metallb-system/webhook-service) Port name  (port: 443, targetPort: 9443) doesn't follow the naming convention of Istio port.

$ istioctl analyze --revision canary -A          
Info [IST0102] (Namespace metallb-system) The namespace is not enabled for Istio injection. Run 'kubectl label namespace metallb-system istio-injection=enabled' to enable it, or 'kubectl label namespace metallb-system istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0118] (Service metallb-system/webhook-service) Port name  (port: 443, targetPort: 9443) doesn't follow the naming convention of Istio port.

$ istioctl analyze --revision bule -A   
Info [IST0102] (Namespace metallb-system) The namespace is not enabled for Istio injection. Run 'kubectl label namespace metallb-system istio-injection=enabled' to enable it, or 'kubectl label namespace metallb-system istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0118] (Service metallb-system/webhook-service) Port name  (port: 443, targetPort: 9443) doesn't follow the naming convention of Istio port.

$ istioctl ps                  
NAME                                                   CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                             VERSION
istio-egressgateway-6685974644-htnvn.istio-system      Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-8459cd47d4-f5tg5            1.18.6
istio-ingressgateway-5f6b58d4b5-nvsv7.istio-system     Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-bule-66d5d8bd5f-ms48t       1.18.6-test
s0-6f5df4bfc-sp788.demo                                Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8459cd47d4-f5tg5            1.18.6
s1-65c5b67774-pn297.demo                               Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8459cd47d4-f5tg5            1.18.6
s2-6c8f55f4c7-tn9lg.demo                               Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8459cd47d4-f5tg5            1.18.6
s3-6fccfdb58d-jkjm8.demo                               Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8459cd47d4-f5tg5            1.18.6
s4-58b5f7d767-5v8xv.demo                               Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8459cd47d4-f5tg5            1.18.6
sleep-69cfb4968f-dsx9j.test-bule                       Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-bule-66d5d8bd5f-ms48t       1.18.6-test
sleep-6fcc95dddf-fgx7v.test-ns                         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-canary-78648569f6-6vmch     1.18.6

Version

$ ./istio-1.20.2/bin/istioctl version
client version: 1.20.2
pilot version: 1.18.6
istiod version: 1.18.6-mspider
istiod version: 1.18.6
data plane version: 1.18.6 (7 proxies), 1.18.6-mspider (2 proxies)

$ kubectl version --short
Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.
Client Version: v1.27.4
Kustomize Version: v5.0.1
Server Version: v1.24.6
WARNING: version difference between client (1.27) and server (1.24) exceeds the supported minor version skew of +/-1

Additional Information

No response

nicole-lihui commented 9 months ago

personally, I think the plus istioctl analyze --revision should be consistent withisitoctl ps --revison

nicole-lihui commented 9 months ago

personally, I think the plus istioctl analyze --revision should be consistent withisitoctl ps --revison

$ istioctl ps --revision canary
NAME                               CLUSTER        CDS        LDS        EDS        RDS        ECDS         ISTIOD                             VERSION
sleep-6fcc95dddf-fgx7v.test-ns     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED     NOT SENT     istiod-canary-78648569f6-6vmch     1.18.6

$ istioctl ps --revision bule  
NAME                                                   CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                           VERSION
istio-ingressgateway-5f6b58d4b5-nvsv7.istio-system     Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-bule-66d5d8bd5f-ms48t     1.18.6-test
sleep-69cfb4968f-dsx9j.test-bule                       Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-bule-66d5d8bd5f-ms48t     1.18.6-test
hanxiaop commented 9 months ago

I think that currently, there are some base resources such as services, namespaces, and pods that are used for resource discovery. These exist in the analysis without relating to the revision. As you can see, you have same outputs for different --revision that include both services and namespaces.

istio-policy-bot commented 5 months ago

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2024-01-31. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.