istio.io/archive/v1.0/help/ops/setup/validation/index.html

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Configuration Validation Webhook"><meta name=description content="Describes Istio's use of Kubernetes webhooks for server-side configuration validation."><meta name=keywords content="microservices,services,mesh"><meta property="og:title" content="Configuration Validation Webhook"><meta property="og:type" content="website"><meta property="og:description" content="Describes Istio's use of Kubernetes webhooks for server-side configuration validation."><meta property="og:url" content="/v1.0/help/ops/setup/validation/"><meta property="og:image" content="/v1.0/img/istio-logo-blue-background.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.0 / Configuration Validation Webhook</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><script>var branchName="release-1.0";var docTitle="Configuration Validation Webhook";</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.0/feed.xml><link rel="shortcut icon" href=/v1.0/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.0/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.0/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.0/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.0/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.0/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.0/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.0/favicons/android-96x196.png sizes=96x196><link rel=icon type=image/png href=/v1.0/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.0/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.0/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Chivo:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work Sans:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel=stylesheet href=https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css integrity=sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm crossorigin=anonymous><link rel=stylesheet href=https://use.fontawesome.com/releases/v5.0.6/css/all.css><link rel=stylesheet href=/v1.0/css/light_theme_archive.css title=light><link rel="alternate stylesheet" href=/v1.0/css/dark_theme_archive.css title=dark><script src=/v1.0/js/styleSwitcher.min.js></script></head><body class=language-unknown><header><nav class="navbar navbar-expand-md navbar-dark fixed-top bg-dark justify-content-between"><a class=navbar-brand href=/v1.0/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="150" stroke-width="2" /><polygon points="65,240 225,240 125,270"/><polygon points="65,230 125,220 125,110"/><polygon points="135,220 225,230 135,30"/></svg></span><span class=brand-name>Istioldie 1.0</span></a>
<button class=navbar-toggler type=button data-toggle=collapse data-target=#navbarCollapse aria-controls=navbarCollapse aria-expanded=false aria-label="Toggle navigation">
<span class=navbar-toggler-icon></span></button><div class="collapse navbar-collapse justify-content-end" id=navbarCollapse><ul id=navbar-links class="navbar-nav active"><li class=nav-item><a class=nav-link title="Learn how to deploy, use, and operate Istio." href=/v1.0/docs/>Docs</a></li><li class=nav-item><a class=nav-link title="Posts about using Istio." href=/v1.0/blog/2019/announcing-1.0.6/>Blog</a></li><li class=nav-item><a class="nav-link active" title="A bunch of resources to help you deploy, configure and use Istio." href=/v1.0/help/>Help</a></li><li class=nav-item><a class=nav-link title="Get a bit more in-depth info about the Istio project." href=/v1.0/about/>About</a></li><li class="nav-item dropdown" id=gearDropdown style=white-space:nowrap><a title="Options and Settings" href class=nav-link data-toggle=dropdown aria-label=Tools aria-haspopup=true aria-expanded=false><i style=width:1em class="fa fa-lg fa-cog"></i></a><div class="dropdown-menu dropdown-menu-right" aria-labelledby=gearDropdown><a class=dropdown-item id=light-theme-item href onclick="setActiveStyleSheet('light');return false;">Light Theme</a>
<a class=dropdown-item id=dark-theme-item href onclick="setActiveStyleSheet('dark');return false;">Dark Theme</a><div class=dropdown-divider></div><h6 class=dropdown-header>Other versions of this site</h6><a href=https://istio.io class=dropdown-item>Current Release</a>
<a href=https://preliminary.istio.io class=dropdown-item>Next Release</a>
<a href=https://archive.istio.io class=dropdown-item>Older Releases</a></div></li><li class=nav-item><a id=search_show class=nav-link href title="Search istio.io" aria-label=Search><i style=width:1em class="fa fa-lg fa-search"></i></a></li></ul><form name=cse id=search_form class="form-inline mr-sm-2" role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search_page_url value=/v1.0/search.html>
<input id=search_textbox class=form-control name=q type=text aria-label="Search this site">
<button id=search_close type=reset aria-label="Cancel Search"><i class="far fa-lg fa-times-circle"></i></button></form></div></nav></header><div class=container-fluid><div class="row row-offcanvas"><div class="col-0 col-md-3 col-xl-2 sidebar-offcanvas"><nav class="sidebar d-print-none"><div class=spacer></div><div class=directory role=tablist><div class=card><div class=card-header role=tab><div title="A bunch of resources to help you deploy, configure and use Istio."><img src=/v1.0/img/help.svg alt=Icon class=page_icon>
Need Help?</div></div><div role=tabpanel aria-labelledby=header0><div class=card-body><ul class=tree><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-down"></i><a title="Hints, tips, tricks about running an Istio mesh." href=/v1.0/help/ops/>Operations Guide</a></label><ul class=tree><li><a title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.0/help/ops/component-logging/>Component Logging</a></li><li><a title="Describes how to use ControlZ to get insight into individual running components." href=/v1.0/help/ops/controlz/>Component Introspection</a></li><li><a title="How to do low-level debugging of Istio components." href=/v1.0/help/ops/component-debugging/>Component Debugging</a></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Helps you manage the networking aspects of a running mesh." href=/v1.0/help/ops/traffic-management/>Traffic Management</a></label><ul class="tree collapse"><li><a title="Demonstrates how to debug Pilot and Envoy." href=/v1.0/help/ops/traffic-management/proxy-cmd/>Debugging Envoy and Pilot</a></li><li><a title="Provides specific deployment and configuration guidelines." href=/v1.0/help/ops/traffic-management/deploy-guidelines/>Deployment and Configuration Guidelines</a></li><li><a title="An introduction to Istio networking operational aspects." href=/v1.0/help/ops/traffic-management/introduction/>Introduction to Network Operations</a></li><li><a title="Describes tools and techniques to observe traffic management or issues related to traffic management." href=/v1.0/help/ops/traffic-management/observing/>Observing Traffic Management</a></li><li><a title="Describes tools and techniques that can be used to root cause networking issues." href=/v1.0/help/ops/traffic-management/troubleshooting/>Troubleshooting Networking Issues</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Helps you manage the security aspects of a running mesh." href=/v1.0/help/ops/security/>Security</a></label><ul class="tree collapse"><li><a title="Demonstrates how to debug authorization." href=/v1.0/help/ops/security/debugging-authorization/>Debugging Authorization</a></li><li><a title="What to do if Citadel is not behaving properly." href=/v1.0/help/ops/security/repairing-citadel/>Repairing Citadel</a></li><li><a title="What to do if you suspect problems with Istio keys and certificates." href=/v1.0/help/ops/security/keys-and-certs/>Keys and Certificates</a></li><li><a title="What to do if mutual TLS authentication isn't working." href=/v1.0/help/ops/security/mutual-tls/>Mutual TLS</a></li><li><a title="How to get health checks working when mutual TLS is enabled." href=/v1.0/help/ops/security/health-checks-and-mtls/>Health Checks and Mutual TLS</a></li><li><a title="Authorization is enabled, but requests make it through anyway." href=/v1.0/help/ops/security/authorization-permissive/>Authorization Too Permissive</a></li><li><a title="Authorization is enabled and no requests make it through to the service." href=/v1.0/help/ops/security/authorization-restrictive/>Authorization Too Restrictive</a></li><li><a title="What to do if end-user authentication doesn't work." href=/v1.0/help/ops/security/end-user-auth/>End User Authentication</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.0/help/ops/telemetry/>Telemetry</a></label><ul class="tree collapse"><li><a href=/v1.0/help/ops/telemetry/missing-metrics/>Missing Metrics</a></li><li><a title="Dealing with Grafana issues." href=/v1.0/help/ops/telemetry/grafana/>Grafana</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-down"></i><a title="Helps you diagnose and repair Istio installations." href=/v1.0/help/ops/setup/>Installation and Setup</a></label><ul class=tree><li><a title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.0/help/ops/setup/webhook/>Dynamic Admission Webhooks Overview</a></li><li><span class=current title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation.">Configuration Validation Webhook</span></li><li><a title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.0/help/ops/setup/injection/>Sidecar Injection Webhook</a></li></ul></li><li><a title="Advice on tackling common problems with Istio." href=/v1.0/help/ops/misc/>Miscellaneous</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Frequently Asked Questions about Istio." href=/v1.0/help/faq/>FAQ</a></label><ul class="tree collapse"><li><a title="General Q & A." href=/v1.0/help/faq/general/>General</a></li><li><a title="Setup Q & A." href=/v1.0/help/faq/setup/>Setup</a></li><li><a title="Security Q & A." href=/v1.0/help/faq/security/>Security</a></li><li><a title="Mixer Q & A." href=/v1.0/help/faq/mixer/>Mixer</a></li><li><a title="Telemetry Q & A." href=/v1.0/help/faq/telemetry/>Telemetry</a></li><li><a title="Traffic Management Q & A." href=/v1.0/help/faq/traffic-management/>Traffic Management</a></li></ul></li><li><a title="A glossary of common Istio terms." href=/v1.0/help/glossary/>Glossary</a></li></ul></div></div></div></div></nav></div><div class="col-12 col-md-9 col-xl-8"><p class=d-md-none><label class=sidebar-toggler data-toggle=offcanvas><i class="fa fa-sign-out-alt"></i></label></p><main aria-labelledby=title><div class=pagenav><p><a href=/v1.0/help/ops/setup/ title="Helps you diagnose and repair Istio installations."><i style=transform:scaleX(-1) class="fa fa-level-up-alt"></i>&nbsp;Installation and Setup</a></p></div><h1 id=title>Configuration Validation Webhook</h1><nav class="toc-inlined d-xl-none d-print-none"><hr><div class=directory role=directory><nav id=InlinedTableOfContents><ul><li><a href=#seemingly-valid-configuration-is-rejected>Seemingly valid configuration is rejected</a></li><li><a href=#invalid-configuration-is-accepted>Invalid configuration is accepted</a></li><li><a href=#creating-configuration-fails-with-x509-certificate-errors>Creating configuration fails with x509 certificate errors</a></li><li><a href=#creating-configuration-fails-with-no-such-hosts-or-no-endpoints-available-errors>Creating configuration fails with <code>no such hosts</code> or <code>no endpoints available</code> errors</a></li></ul></nav></div><hr></nav><p>Galley’s configuration validation ensures user authored Istio
configuration is syntactically and semantically valid. It uses a
Kubernetes <code>ValidatingWebhook</code>. The <code>istio-galley</code>
<code>ValidationWebhookConfiguration</code> has two webhooks.</p><ul><li><p><code>pilot.validation.istio.io</code> - Served on path <code>/admitpilot</code> and is
responsible for validating configuration consumed by Pilot
(e.g. VirtualService, Authentication).</p></li><li><p><code>mixer.validation.istio.io</code> - Served on path <code>/admitmixer</code> and is
responsible for validating configuration consumed by Mixer.</p></li></ul><p>Both webhooks are implemented by the <code>istio-galley</code> service on
port 443. Each webhook has its own <code>clientConfig</code>, <code>namespaceSelector</code>,
and <code>rules</code> section. Both webhooks are scoped to all namespaces. The
<code>namespaceSelector</code> should be empty. Both rules apply to Istio Custom
Resource Definitions (CRDs).</p><h2 id=seemingly-valid-configuration-is-rejected>Seemingly valid configuration is rejected</h2><p>Manually verify your configuration is correct, cross-referencing
<a href=https://istio.io/docs/reference/config>Istio API reference</a> when
necessary.</p><h2 id=invalid-configuration-is-accepted>Invalid configuration is accepted</h2><p>Verify the <code>istio-galley</code> <code>validationwebhookconfiguration</code> exists and
is correct. The <code>apiVersion</code>, <code>apiGroup</code>, and <code>resource</code> of the
invalid configuration should be listed in one of the two <code>webhooks</code>
entries.</p><pre><code class=language-command-output-as-yaml>$ kubectl get validatingwebhookconfiguration istio-galley -o yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app: istio-galley
  name: istio-galley
  ownerReferences:
  - apiVersion: extensions/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: Deployment
    name: istio-galley
    uid: 5c64585d-91c6-11e8-a98a-42010a8001a8
webhooks:
- clientConfig:
    # caBundle should be non-empty. This is periodically (re)patched
    # every second by the webhook service using the ca-cert
    # from the mounted service account secret.
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1VENDQWMyZ0F3SUJBZ0lRVzVYNWpJcnJCemJmZFdLaWVoaVVSakFOQmdrcWhraUc5dzBCQVFzRkFEQWMKTVJvd0dBWURWUVFLRXhGck9ITXVZMngxYzNSbGNpNXNiMk5oYkRBZUZ3MHhPREEzTWpjeE56VTJNakJhRncweApPVEEzTWpjeE56VTJNakJhTUJ3eEdqQVlCZ05WQkFvVEVXczRjeTVqYkhWemRHVnlMbXh2WTJGc01JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdVMi9SdWlyeTNnUzdPd2xJRCtaaGZiOEpOWnMKK05OL0dRWUsxbVozb3duaEw4dnJHdDBhenpjNXFuOXo2ZEw5Z1pPVFJXeFVCYXVJMUpOa3d0dSt2NmRjRzlkWgp0Q2JaQWloc1BLQWQ4MVRaa3RwYkNnOFdrcTRyNTh3QldRemNxMldsaFlPWHNlWGtRejdCbStOSUoyT0NRbmJwCjZYMmJ4Slc2OGdaZkg2UHlNR0libXJxaDgvZ2hISjFha3ptNGgzc0VGU1dTQ1Y2anZTZHVJL29NM2pBem5uZlUKU3JKY3VpQnBKZmJSMm1nQm4xVmFzNUJNdFpaaTBubDYxUzhyZ1ZiaHp4bWhpeFhlWU0zQzNHT3FlRUthY0N3WQo0TVczdEJFZ3NoN2ovZGM5cEt1ZG1wdFBFdit2Y2JnWjdreEhhazlOdFV2YmRGempJeTMxUS9Qd1NRSURBUUFCCm95TXdJVEFPQmdOVkhROEJBZjhFQkFNQ0FnUXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBUUVBTnRLSnVkQ3NtbTFzU3dlS2xKTzBIY1ZMQUFhbFk4ZERUYWVLNksyakIwRnl0MkM3ZUtGSAoya3JaOWlkbWp5Yk8xS0djMVlWQndNeWlUMGhjYWFlaTdad2g0aERRWjVRN0k3ZFFuTVMzc2taR3ByaW5idU1aCmg3Tm1WUkVnV1ZIcm9OcGZEN3pBNEVqWk9FZzkwR0J6YXUzdHNmanI4RDQ1VVRJZUw3M3hwaUxmMXhRTk10RWEKd0NSelplQ3lmSUhra2ZrTCtISVVGK0lWV1g2VWp2WTRpRDdRR0JCenpHZTluNS9KM1g5OU1Gb1F3bExjNHMrTQpnLzNQdnZCYjBwaTU5MWxveXluU3lkWDVqUG5ibDhkNEFJaGZ6OU8rUTE5UGVULy9ydXFRNENOancrZmVIbTBSCjJzYmowZDd0SjkyTzgwT2NMVDlpb05NQlFLQlk3cGlOUkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    service:
      # service corresponds to the Kubernetes service that implements the
      # webhook, e.g. istio-galley.istio-system.svc:443
      name: istio-galley
      namespace: istio-system
      path: /admitpilot
  failurePolicy: Fail
  name: pilot.validation.istio.io
  namespaceSelector: {}
  rules:
  - apiGroups:
    - config.istio.io
    apiVersions:
    - v1alpha2
    operations:
    - CREATE
    - UPDATE
    resources:
    - httpapispecs
    - httpapispecbindings
    - quotaspecs
    - quotaspecbindings
  - apiGroups:
    - rbac.istio.io
    apiVersions:
    - &#39;*&#39;
    operations:
    - CREATE
    - UPDATE
    resources:
    - &#39;*&#39;
  - apiGroups:
    - authentication.istio.io
    apiVersions:
    - &#39;*&#39;
    operations:
    - CREATE
    - UPDATE
    resources:
    - &#39;*&#39;
  - apiGroups:
    - networking.istio.io
    apiVersions:
    - &#39;*&#39;
    operations:
    - CREATE
    - UPDATE
    resources:
    - destinationrules
    - envoyfilters
    - gateways
    - virtualservices
- clientConfig:
    # caBundle should be non-empty. This is periodically (re)patched
    # every second by the webhook service using the ca-cert
    # from the mounted service account secret.
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1VENDQWMyZ0F3SUJBZ0lRVzVYNWpJcnJCemJmZFdLaWVoaVVSakFOQmdrcWhraUc5dzBCQVFzRkFEQWMKTVJvd0dBWURWUVFLRXhGck9ITXVZMngxYzNSbGNpNXNiMk5oYkRBZUZ3MHhPREEzTWpjeE56VTJNakJhRncweApPVEEzTWpjeE56VTJNakJhTUJ3eEdqQVlCZ05WQkFvVEVXczRjeTVqYkhWemRHVnlMbXh2WTJGc01JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdVMi9SdWlyeTNnUzdPd2xJRCtaaGZiOEpOWnMKK05OL0dRWUsxbVozb3duaEw4dnJHdDBhenpjNXFuOXo2ZEw5Z1pPVFJXeFVCYXVJMUpOa3d0dSt2NmRjRzlkWgp0Q2JaQWloc1BLQWQ4MVRaa3RwYkNnOFdrcTRyNTh3QldRemNxMldsaFlPWHNlWGtRejdCbStOSUoyT0NRbmJwCjZYMmJ4Slc2OGdaZkg2UHlNR0libXJxaDgvZ2hISjFha3ptNGgzc0VGU1dTQ1Y2anZTZHVJL29NM2pBem5uZlUKU3JKY3VpQnBKZmJSMm1nQm4xVmFzNUJNdFpaaTBubDYxUzhyZ1ZiaHp4bWhpeFhlWU0zQzNHT3FlRUthY0N3WQo0TVczdEJFZ3NoN2ovZGM5cEt1ZG1wdFBFdit2Y2JnWjdreEhhazlOdFV2YmRGempJeTMxUS9Qd1NRSURBUUFCCm95TXdJVEFPQmdOVkhROEJBZjhFQkFNQ0FnUXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBUUVBTnRLSnVkQ3NtbTFzU3dlS2xKTzBIY1ZMQUFhbFk4ZERUYWVLNksyakIwRnl0MkM3ZUtGSAoya3JaOWlkbWp5Yk8xS0djMVlWQndNeWlUMGhjYWFlaTdad2g0aERRWjVRN0k3ZFFuTVMzc2taR3ByaW5idU1aCmg3Tm1WUkVnV1ZIcm9OcGZEN3pBNEVqWk9FZzkwR0J6YXUzdHNmanI4RDQ1VVRJZUw3M3hwaUxmMXhRTk10RWEKd0NSelplQ3lmSUhra2ZrTCtISVVGK0lWV1g2VWp2WTRpRDdRR0JCenpHZTluNS9KM1g5OU1Gb1F3bExjNHMrTQpnLzNQdnZCYjBwaTU5MWxveXluU3lkWDVqUG5ibDhkNEFJaGZ6OU8rUTE5UGVULy9ydXFRNENOancrZmVIbTBSCjJzYmowZDd0SjkyTzgwT2NMVDlpb05NQlFLQlk3cGlOUkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    service:
      # service corresponds to the Kubernetes service that implements the
      # webhook, e.g. istio-galley.istio-system.svc:443
      name: istio-galley
      namespace: istio-system
      path: /admitmixer
  failurePolicy: Fail
  name: mixer.validation.istio.io
  namespaceSelector: {}
  rules:
  - apiGroups:
    - config.istio.io
    apiVersions:
    - v1alpha2
    operations:
    - CREATE
    - UPDATE
    resources:
    - rules
    - attributemanifests
    - circonuses
    - deniers
    - fluentds
    - kubernetesenvs
    - listcheckers
    - memquotas
    - noops
    - opas
    - prometheuses
    - rbacs
    - servicecontrols
    - solarwindses
    - stackdrivers
    - statsds
    - stdios
    - apikeys
    - authorizations
    - checknothings
    - listentries
    - logentries
    - metrics
    - quotas
    - reportnothings
    - servicecontrolreports
    - tracespans</code></pre><p>If the <code>validatingwebhookconfiguration</code> doesn’t exist, verify the
<code>istio-galley-configuration</code> <code>configmap</code> exists. <code>istio-galley</code> uses
the data from this configmap to create and update the
<code>validatingwebhookconfiguration</code>.</p><pre><code class=language-command-output-as-yaml>$ kubectl -n istio-system get configmap istio-galley-configuration -o jsonpath=&#39;{.data}&#39;
map[validatingwebhookconfiguration.yaml:apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: istio-galley
    chart: galley-1.0.0
    release: istio
    heritage: Tiller
webhooks:
  - name: pilot.validation.istio.io
    clientConfig:
      service:
        name: istio-galley
        namespace: istio-system
        path: &#34;/admitpilot&#34;
      caBundle: &#34;&#34;
    rules:
      - operations:
      (... snip ...)</code></pre><p>If the webhook array in <code>istio-galley-configuration</code> is empty and
you're using <code>helm template</code> or <code>helm install</code>, verify <code>--set galley.enabled</code> and <code>--set global.configValidation=true</code> options are
set. If you're not using helm, you'll need to find a generate
YAML that includes the populated webhook array.</p><p>The <code>istio-galley</code> validation configuration is fail-close. If
configuration exists and is scoped properly, the webhook will be
invoked. A missing <code>caBundle</code>, bad certificate, or network connectivity
problem will produce an error message when the resource is
created/updated. If you don’t see any error message and the webhook
wasn’t invoked and the webhook configuration is valid, your cluster is
misconfigured.</p><h2 id=creating-configuration-fails-with-x509-certificate-errors>Creating configuration fails with x509 certificate errors</h2><p><code>x509: certificate signed by unknown authority</code> related errors are
typically caused by an empty <code>caBundle</code> in the webhook
configuration. Verify that it is not empty (see <a href=#invalid-configuration-is-accepted>verify webhook
configuration</a>). The
<code>istio-galley</code> deployment consciously reconciles webhook configuration
used the <code>istio-galley-configuration</code> <code>configmap</code> and root certificate
mounted from <code>istio.istio-galley-service-account</code> secret in the
<code>istio-system</code> namespace.</p><ol><li><p>Verify the <code>istio-galley</code> pods(s) are running:</p><pre><code class=language-command>$  kubectl -n istio-system get pod -listio=galley
NAME                            READY     STATUS    RESTARTS   AGE
istio-galley-5dbbbdb746-d676g   1/1       Running   0          2d</code></pre></li><li><p>Verify you’re using Istio version >= 1.0.0. Older version of Galley
did not properly re-patch the <code>caBundle</code>. This typically happened
when the <code>istio.yaml</code> was re-applied, overwriting a previously
patched <code>caBundle</code>.</p><pre><code class=language-command>$ for pod in $(kubectl -n istio-system get pod -listio=galley -o jsonpath=&#39;{.items[*].metadata.name}&#39;); do \
    kubectl -n istio-system exec ${pod} -it /usr/local/bin/galley version| grep ^Version; \
done
Version: 1.0.0</code></pre></li><li><p>Check the Galley pod logs for errors. Failing to patch the
<code>caBundle</code> should print an error.</p><pre><code class=language-command>$ for pod in $(kubectl -n istio-system get pod -listio=galley -o jsonpath=&#39;{.items[*].metadata.name}&#39;); do \
    kubectl -n istio-system logs ${pod} \
done</code></pre></li><li><p>If the patching failed, verify the RBAC configuration for Galley:</p><pre><code class=language-command-output-as-yaml>$ kubectl get clusterrole istio-galley-istio-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: istio-galley
  name: istio-galley-istio-system
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - &#39;*&#39;
- apiGroups:
  - config.istio.io
  resources:
  - &#39;*&#39;
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - &#39;*&#39;
  resourceNames:
  - istio-galley
  resources:
  - deployments
  verbs:
  - get</code></pre><p><code>istio-galley</code> needs <code>validatingwebhookconfigurations</code> write access to
create and update the <code>istio-galley</code> <code>validatingwebhookconfiguration</code>.</p></li></ol><h2 id=creating-configuration-fails-with-no-such-hosts-or-no-endpoints-available-errors>Creating configuration fails with <code>no such hosts</code> or <code>no endpoints available</code> errors</h2><p>Validation is fail-close. If the <code>istio-galley</code> pod is not ready,
configuration cannot be created and updated. In such cases you’ll see
an error about <code>no such host</code> (Kubernetes 1.9) or <code>no endpoints available</code> (>=1.10).</p><p>Verify the <code>istio-galley</code> pods(s) are running and endpoints are ready.</p><pre><code class=language-command>$  kubectl -n istio-system get pod -listio=galley
NAME                            READY     STATUS    RESTARTS   AGE
istio-galley-5dbbbdb746-d676g   1/1       Running   0          2d</code></pre><pre><code class=language-command>$ kubectl -n istio-system get endpoints istio-galley
NAME           ENDPOINTS                          AGE
istio-galley   10.48.6.108:9093,10.48.6.108:443   3d</code></pre><p>If the pods or endpoints aren't ready, check the pod logs and
status for any indication about why the webhook pod is failing to start
and serve traffic.</p><pre><code class=language-command>$ for pod in $(kubectl -n istio-system get pod -listio=galley -o jsonpath=&#39;{.items[*].metadata.name}&#39;); do \
    kubectl -n istio-system logs ${pod} \
done</code></pre><pre><code class=language-command>$ for pod in $(kubectl -n istio-system get pod -listio=galley -o name); do \
    kubectl -n istio-system describe ${pod} \
done</code></pre></main><div class="container-fluid d-print-none"><br><div class=row><div class="col-6 pagenav"><p><a title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.0/help/ops/setup/webhook/><i class="fa fa-long-arrow-alt-left"></i>Dynamic Admission Webhooks Overview</a></p></div><div class="col-6 pagenav" style=text-align:right><p><a title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.0/help/ops/setup/injection/>Sidecar Injection Webhook
<i class="fa fa-long-arrow-alt-right"></i></a></p></div></div></div><div class="d-none d-print-block" aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class="col-12 col-md-2 d-none d-xl-block d-print-none"><nav class=toc><div class=spacer></div><div id=toc class=directory role=directory><nav id=TableOfContents><ul><li><a href=#seemingly-valid-configuration-is-rejected>Seemingly valid configuration is rejected</a></li><li><a href=#invalid-configuration-is-accepted>Invalid configuration is accepted</a></li><li><a href=#creating-configuration-fails-with-x509-certificate-errors>Creating configuration fails with x509 certificate errors</a></li><li><a href=#creating-configuration-fails-with-no-such-hosts-or-no-endpoints-available-errors>Creating configuration fails with <code>no such hosts</code> or <code>no endpoints available</code> errors</a></li></ul></nav></div></nav></div></div></div><footer class="d-print-none container-fluid"><div class=row><div class="col-5 col-lg-4" role=navigation><div class=container-fluid><div class=row><div class=icon><span>discuss</span>
<a title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M225.9 32C103.3 32 0 130.5.0 252.1.0 256 .1 480 .1 480l225.8-.2c122.7.0 222.1-102.3 222.1-223.9S348.6 32 225.9 32zM224 384c-19.4.0-37.9-4.3-54.4-12.1L88.5 392l22.9-75c-9.8-18.1-15.4-38.9-15.4-61 0-70.7 57.3-128 128-128s128 57.3 128 128-57.3 128-128 128z" /></svg></a></div><div class=icon><span>slack</span>
<a title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><svg viewBox="0 0 31.444 31.443"><path d="M31.202 16.369c-.62-1.388-2.249-2.011-3.637-1.391l-1.325.594-3.396-7.591 1.325-.592c1.388-.622 2.01-2.25 1.389-3.637-.62-1.389-2.248-2.012-3.637-1.39l-1.324.593-.593-1.326c-.621-1.388-2.249-2.009-3.637-1.388-1.388.62-2.009 2.247-1.389 3.637l.593 1.325L7.98 8.598 7.388 7.273c-.621-1.39-2.249-2.009-3.637-1.39C2.363 6.504 1.742 8.132 2.362 9.52l.592 1.324L1.63 11.438c-1.388.621-2.01 2.247-1.389 3.636.62 1.388 2.249 2.01 3.637 1.39l1.325-.594 3.394 7.592-1.325.592c-1.388.621-2.009 2.25-1.389 3.637.621 1.389 2.249 2.011 3.637 1.391l1.324-.593.593 1.325c.621 1.389 2.249 2.01 3.637 1.389 1.387-.62 2.009-2.248 1.388-3.636l-.591-1.326 7.591-3.394.592 1.321c.621 1.391 2.248 2.013 3.637 1.392 1.388-.619 2.01-2.248 1.389-3.637l-.592-1.324 1.323-.594C31.201 19.384 31.823 17.757 31.202 16.369zM13.623 21.215l-3.395-7.593 7.591-3.394 3.395 7.591L13.623 21.215z"/></svg></a></div><div class=icon><span>twitter</span>
<a title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><svg viewBox="0 0 310 310"><path d="M302.973 57.388c-4.87 2.16-9.877 3.983-14.993 5.463 6.057-6.85 10.675-14.91 13.494-23.73.632-1.977-.023-4.141-1.648-5.434-1.623-1.294-3.878-1.449-5.665-.39-10.865 6.444-22.587 11.075-34.878 13.783-12.381-12.098-29.197-18.983-46.581-18.983-36.695.0-66.549 29.853-66.549 66.547.0 2.89.183 5.764.545 8.598C101.163 99.244 58.83 76.863 29.76 41.204c-1.036-1.271-2.632-1.956-4.266-1.825-1.635.128-3.104 1.05-3.93 2.467-5.896 10.117-9.013 21.688-9.013 33.461.0 16.035 5.725 31.249 15.838 43.137-3.075-1.065-6.059-2.396-8.907-3.977-1.529-.851-3.395-.838-4.914.033-1.52.871-2.473 2.473-2.513 4.224-.007.295-.007.59-.007.889.0 23.935 12.882 45.484 32.577 57.229-1.692-.169-3.383-.414-5.063-.735-1.732-.331-3.513.276-4.681 1.597-1.17 1.32-1.557 3.16-1.018 4.84 7.29 22.76 26.059 39.501 48.749 44.605-18.819 11.787-40.34 17.961-62.932 17.961-4.714.0-9.455-.277-14.095-.826-2.305-.274-4.509 1.087-5.294 3.279-.785 2.193.047 4.638 2.008 5.895 29.023 18.609 62.582 28.445 97.047 28.445 67.754.0 110.139-31.95 133.764-58.753 29.46-33.421 46.356-77.658 46.356-121.367.0-1.826-.028-3.67-.084-5.508 11.623-8.757 21.63-19.355 29.773-31.536 1.237-1.85 1.103-4.295-.33-5.998C307.394 57.037 305.009 56.486 302.973 57.388z"/></svg></a></div><div class=icon><span>stack overflow</span>
<a title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg viewBox="0 0 120 120"><polygon points="84.4,93.8 84.4,70.6 92.1,70.6 92.1,101.5 22.6,101.5 22.6,70.6 30.3,70.6 30.3,93.8"/><path d="M38.8 68.4l37.8 7.9 1.6-7.6-37.8-7.9L38.8 68.4zM43.8 50.4l35 16.3 3.2-7-35-16.4L43.8 50.4zM53.5 33.2l29.7 24.7 4.9-5.9L58.4 27.3 53.5 33.2zM72.7 14.9l-6.2 4.6 23 31 6.2-4.6-23-31zM38 86h38.6v-7.7H38V86z"/></svg></a></div></div><div class="tag row d-none d-lg-flex">for everyone</div></div></div><div class="col-7 col-lg-4"><p class="text-center copyright" role=contentinfo>Istio
Archive
1.0<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on March 19, 2019</p></div><div class="col-6 col-lg-4 d-none d-lg-flex" role=navigation><div class=container-fluid><div class="row justify-content-end"><div class=icon><span>github</span>
<a title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><svg viewBox="0 0 478.165 478.165"><path d="M349.22 55.768c6.136 14.046 10.241 37.556 4.224 54.69 24.426 20.999 33.073 71.904 21.079 113.704 35.006 2.73 76.666-1.235 103.642 9.484-25.183-3.248-59.651-9.563-91.987-7.431-6.136.458-15.361-.239-14.903 8.408 37.735 3.008 75.092 6.117 105.894 15.779-30.702-4.981-67.74-12.552-105.894-13.668-15.54 30.921-47.239 46.262-90.991 49.49 4.682 10.261 13.847 14.066 15.879 30.702 3.267 24.406-4.881 60.328 3.208 76.686 4.064 7.89 10.579 8.009 14.863 14.604-10.699 12.871-37.257-1.395-40.186-14.604-5.14-22.852 7.89-58.256-6.415-73.737.996 24.865-5.718 59.85.996 82.145 2.789 8.806 10.659 12.113 8.647 20.063-49.809 5.08-28.989-64.373-37.177-105.356-7.471.697-4.204 11.197-4.224 15.76-.199 40.106 8.189 94.836-34.846 89.556-1.315-8.348 5.838-11.217 8.467-19.007 7.91-22.434-1.454-56.045 2.112-83.161-16.417 12.512 1.793 55.666-8.428 77.961-5.838 12.671-24.785 18.27-39.19 12.651 1.873-9.464 11.695-7.989 15.879-16.875 5.818-12.452.02-30.244 2.092-48.494-30.423 6.097-53.993-.877-65.608-20.023-5.12-8.507-6.356-18.708-12.632-26.219-6.117-7.551-16.098-8.507-19.087-18.808 37.755-9.185 39.17 38.771 73.06 39.807 10.44.418 15.799-2.909 25.402-5.16 2.749-12.113 8.428-21.039 16.875-27.494-42.078-5.658-76.865-18.788-93.023-50.466-38.293 1.893-73.339 7.013-105.894 14.843 29.547-10.679 65.807-14.604 104.778-15.819-2.351-13.807-22.434-10.022-34.866-9.543C47.677 227.17 18.449 230.138.0 233.645c26.817-9.543 64.233-8.348 100.454-8.428-11.038-34.767-7.232-90.014 17.015-110.615-6.854-17.254-4.722-45.346 4.184-58.834 27.036 1.175 43.374 12.891 60.388 24.247 21.019-6.017 43.035-9.045 71.904-7.451 12.133.677 24.705 6.097 33.731 5.32 8.906-.877 18.728-10.898 27.534-14.843C326.507 58.099 336.17 56.206 349.22 55.768z"/></svg></a></div><div class=icon><span>drive</span>
<a title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg viewBox="0 0 207.027 207.027"><path d="M69.866 15.557.0 138.919l28.732 52.552 143.288-.029 35.008-59.588L136.39 15.735 69.866 15.557zM17.166 139.046 74.268 38.205 91.21 67.783 33.24 168.447 17.166 139.046zM99.841 82.851l23.805 41.558-47.732-.006L99.841 82.851zM163.434 176.443l-117.332.024 21.53-37.065 64.606.008.067.119 52.865-.085L163.434 176.443zM140.932 124.411 90.157 35.767l-2.966-5.178 40.751.121 57.003 93.706L140.932 124.411z"/></svg></a></div><div class=icon><span>working groups</span>
<a title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><svg viewBox="0 -45 439.833 439.833"><polygon points="246.048,195.833 299.966,235.085 319.497,227.296 276.278,195.833"/><polygon points="193.786,195.833 163.556,195.833 120.33,227.3 139.862,235.089"/><path d="M219.927 11.558c-23.854.0-37.057 12.362-36.814 36.182.348 32.623 14.211 52.414 36.814 52.068.0.0 36.802 1.492 36.802-52.068C256.729 23.918 244.294 11.558 219.927 11.558z"/><path d="M285.017 124.567l-36.77-14.659-8.608-7.256c-2.274-1.922-5.636-1.78-7.741.317l-11.973 11.904-12.008-11.907c-2.109-2.094-5.465-2.229-7.736-.313l-8.611 7.256-36.77 14.661c-11.842 4.715-11.83 46.647-12.848 50.497h155.93C296.866 171.228 296.862 129.28 285.017 124.567z"/><path d="M77.976 228.568s36.801 1.492 36.801-52.068c0-23.82-12.434-36.182-36.801-36.182-23.854.0-37.057 12.362-36.814 36.182C41.509 209.124 55.372 228.915 77.976 228.568z"/><path d="M143.065 253.329l-36.77-14.658-8.609-7.256c-2.275-1.923-5.635-1.781-7.742.315l-11.971 11.904-12.008-11.908c-2.109-2.094-5.465-2.229-7.736-.312l-8.611 7.256-36.77 14.66C1.006 258.045 1.018 299.977.0 303.827h155.93C154.915 299.988 154.911 258.042 143.065 253.329z"/><path d="M361.878 228.568s36.801 1.492 36.801-52.068c0-23.82-12.434-36.182-36.801-36.182-23.854.0-37.057 12.362-36.812 36.182C325.411 209.124 339.274 228.915 361.878 228.568z"/><path d="M426.968 253.329l-36.77-14.658-8.609-7.256c-2.273-1.923-5.635-1.781-7.742.315l-11.971 11.904-12.008-11.908c-2.109-2.094-5.465-2.229-7.736-.312l-8.61 7.256-36.771 14.66c-11.842 4.715-11.83 46.646-12.848 50.497h155.93C438.817 299.988 438.812 258.042 426.968 253.329z"/></svg></a></div></div><div class="tag row justify-content-end text-right">for developers</div></div></div></div></footer><div class="d-xl-none d-print-none"><button id=scroll-to-top aria-hidden=true onclick=scrollToTop() title="Back to top"><i class="fa fa-lg fa-arrow-up"></i></button></div><script src=https://code.jquery.com/jquery-3.2.1.slim.min.js integrity=sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN crossorigin=anonymous></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js integrity=sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl crossorigin=anonymous></script><script src=https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js></script><script src="https://www.google.com/cse/brand?form=search_form"></script><script src=/v1.0/js/all.min.js data-manual></script></body></html>