istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/zh/docs/reference/config/analysis/ist0127/index.md

1.5 KiB
Raw Blame History

title layout owner test
NoMatchingWorkloadsFound analysis-message istio/wg-user-experience-maintainers no

AuthorizationPolicy 资源的选择器匹配不到任何 Pod 时,会出现此消息。

示例

当集群包含以下 AuthorizationPolicy 时:

{{< text yaml >}} apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: httpbin-nopods namespace: httpbin spec: selector: matchLabels: app: bogus-label # 标签有误,没有匹配的工作负载 version: v1 rules: - from: - source: principals: ["cluster.local/ns/default/sa/curl"] - source: namespaces: ["httpbin"] to: - operation: methods: ["GET"] paths: ["/info*"] - operation: methods: ["POST"] paths: ["/data"] when: - key: request.auth.claims[iss] values: ["https://accounts.google.com"] {{< /text >}}

您会收到此消息:

{{< text plain >}} Warning [IST0127] (AuthorizationPolicy httpbin-nopods.httpbin) No matching workloads for this resource with the following labels: app=bogus-label,version=v1 {{< /text >}}

在这个样例中,AuthorizationPolicy 资源 httpbin-nopods 需要绑定到包含 app=bogus-label 标签的 Pod 上,但是其不存在。

如何修复

  • 修改选择器 selector 以选择存在的 Pod
  • 修改特定 Pod 的标签以匹配此资源的选择器