Did you review https://istio.io/help/ and existing issues to identify if this is already solved or being worked on?: yes
Bug:
Y
What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details
❯ istioctl version
Version: 0.7.1
GitRevision: 62110d4f0373a7613e57b8a4d559ded9cb6a1cc8
User: root@c5207293dc14
Hub: docker.io/istio
GolangVersion: go1.9
BuildStatus: Clean
❯ k version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.0", GitCommit:"fc32d2f3698e36b93322a3465f63a14e9f0eaead", GitTreeState:"clean", BuildDate:"2018-03-26T16:55:54Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.2", GitCommit:"81753b10df112992bf51bbc2c2f85208aad78335", GitTreeState:"clean", BuildDate:"2018-04-27T09:10:24Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Is Istio Auth enabled or not ?
Yes
What happened:
Automatically injected istio sidecar broke apiserver connectivity.
What you expected to happen:
Istio shouldn't introduce network faults that require manual workarounds.
How to reproduce it:
This is a followup to a stash bug. Stash creates a Job to restore PV from a backup and if istio is enabled for the namespace, it breaks the stash pod. Here are the logs:
Is this a BUG or FEATURE REQUEST?: BUG
Did you review https://istio.io/help/ and existing issues to identify if this is already solved or being worked on?: yes
Bug: Y
What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details
Is Istio Auth enabled or not ? Yes
What happened: Automatically injected istio sidecar broke apiserver connectivity.
What you expected to happen: Istio shouldn't introduce network faults that require manual workarounds.
How to reproduce it: This is a followup to a stash bug. Stash creates a Job to restore PV from a backup and if istio is enabled for the namespace, it breaks the stash pod. Here are the logs:
Notice how stash tries to talk to the apiserver (10.200.0.1:443), fails, and dies.
Here's the relevant part of istio-proxy sidecar log:
As you see, envoy wasn't fast enough.