Add ist0166 message description (#14365)

* add ist0166 message description * Update content/en/docs/reference/config/analysis/ist0166/index.md Co-authored-by: Michael <haifeng.yao@daocloud.io> * Update index.md * Apply suggestions from code review Co-authored-by: Daniel Hawton <daniel@hawton.org> --------- Co-authored-by: Michael <haifeng.yao@daocloud.io> Co-authored-by: Daniel Hawton <daniel@hawton.org>
2023-12-28 05:14:29 +08:00 · 2023-12-28 05:14:29 +08:00 · b1f36cbf91
parent aad2d5ce29
commit b1f36cbf91
1 changed files with 104 additions and 0 deletions
--- a/content/en/docs/reference/config/analysis/ist0166/index.md
+++ b/content/en/docs/reference/config/analysis/ist0166/index.md
@ -0,0 +1,104 @@
+---
+title: IneffectiveSelector
+layout: analysis-message
+owner: istio/wg-user-experience-maintainers
+test: n/a
+---
+
+This message occurs when a workload selector in policies
+like `AuthorizationPolicy`, `RequestAuthentication`, `Telemetry`, or
+`WasmPlugin` does not effectively target any pods within the Kubernetes Gateway.
+
+## Example
+
+You will receive similar messages like:
+
+{{< text plain >}}
+Warning [IST0166] (AuthorizationPolicy default/ap-ineffective testdata/k8sgateway-selector.yaml:47) Ineffective selector on
+Kubernetes Gateway bookinfo-gateway. Use the TargetRef field instead.
+{{< /text >}}
+
+when your policy's selector matches a Kubernetes Gateway.
+
+For example, when you have a Kubernetes Gateway pod like:
+
+{{< text yaml >}}
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    istio.io/rev: default
+  labels:
+    gateway.networking.k8s.io/gateway-name: bookinfo-gateway
+    istio.io/gateway-name: bookinfo-gateway
+  name: bookinfo-gateway-istio-6ff4cf9645-xbqmc
+  namespace: default
+spec:
+  containers:
+  - image: proxyv2:1.21.0
+    name: istio-proxy
+{{< /text >}}
+
+And there is an `AuthorizationPolicy` with a `selector` like:
+
+{{< text yaml >}}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  namespace: default
+  name: ap-ineffective
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: bookinfo-gateway
+  action: DENY
+  rules:
+  - from:
+    - source:
+      namespaces: ["dev"]
+    to:
+    - operation:
+      methods: ["POST"]
+{{< /text >}}
+
+If you have both `targetRef` and `selector` in the policy, this message will not occur. For example:
+
+{{< text yaml >}}
+apiVersion: telemetry.istio.io/v1alpha1
+kind: Telemetry
+metadata:
+  name: telemetry-example
+  namespace: default
+spec:
+  tracing:
+  - randomSamplingPercentage: 10.00
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: bookinfo-gateway
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: bookinfo-gateway
+{{< /text >}}
+
+## How to resolve
+
+Make sure you are using the `selector` field for sidecars or Istio Gateway pods, and use the `targetRef` field for
+Kubernetes Gateway pods. Otherwise, the policy will not be applied.
+
+Here is an example:
+
+{{< text yaml >}}
+apiVersion: telemetry.istio.io/v1alpha1
+kind: Telemetry
+metadata:
+  name: telemetry-example
+  namespace: default
+spec:
+  tracing:
+  - randomSamplingPercentage: 10.00
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: bookinfo-gateway
+{{< /text >}}