IneffectiveSelector
This message occurs when a workload selector in a policy such as AuthorizationPolicy, RequestAuthentication, Telemetry, or WasmPlugin does not effectively target any Pod within a Kubernetes Gateway.
Example
You will receive a message similar to the following when your policy selector matches a Kubernetes Gateway:
Warning [IST0166] (AuthorizationPolicy default/ap-ineffective testdata/k8sgateway-selector.yaml:47) Ineffective selector on
Kubernetes Gateway bookinfo-gateway. Use the TargetRef field instead.
For example, when you have a Kubernetes Gateway Pod such as:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    istio.io/rev: default
  labels:
    gateway.networking.k8s.io/gateway-name: bookinfo-gateway
  name: bookinfo-gateway-istio-6ff4cf9645-xbqmc
  namespace: default
spec:
  containers:
  - image: proxyv2:1.21.0
    name: istio-proxy
and an AuthorizationPolicy with a selector such as:
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  namespace: default
  name: ap-ineffective
spec:
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: bookinfo-gateway
  action: DENY
  rules:
  - from:
    - source:
        namespaces: ["dev"]
    to:
    - operation:
        methods: ["POST"]
This message does not occur if your policy has both targetRef and selector. For example:
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: telemetry-example
  namespace: default
spec:
  tracing:
  - randomSamplingPercentage: 10.00
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: bookinfo-gateway
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: bookinfo-gateway
How to resolve
Make sure you use the selector field for sidecars or Istio Gateway Pods, and the targetRef field for Kubernetes Gateway Pods. Otherwise, the policy will not be applied.
Here is an example:
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: telemetry-example
  namespace: default
spec:
  tracing:
  - randomSamplingPercentage: 10.00
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: bookinfo-gateway
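The condition behind IST0166 can be checked before manifests are applied. The following is an added example, not Istio's analyzer code and not part of the original page: a simplified Python check that flags any policy reaching a Kubernetes Gateway Pod through selector alone. The function name, the ap-targetref policy and the same-namespace matching rule are assumptions, and the sample objects are constructed from the manifests above.

```python
# Added example: simplified re-creation of the IST0166 condition, not Istio's analyzer code.
GATEWAY_LABEL = "gateway.networking.k8s.io/gateway-name"

def ineffective_selectors(policies, pods):
    """Return (kind, namespace/name, gateway) for every policy that reaches a
    Kubernetes Gateway pod through selector alone, with no targetRef."""
    findings = []
    for pol in policies:
        spec, meta = pol.get("spec", {}), pol["metadata"]
        if spec.get("targetRef") or spec.get("targetRefs"):
            continue  # a target reference is present, so no IST0166
        match = (spec.get("selector") or {}).get("matchLabels") or {}
        if not match:
            continue  # no workload selector at all
        hit = set()
        for pod in pods:
            labels = pod["metadata"].get("labels", {})
            # Assumption: only pods in the policy's own namespace are considered.
            if (pod["metadata"].get("namespace") == meta["namespace"]
                    and GATEWAY_LABEL in labels
                    and all(labels.get(k) == v for k, v in match.items())):
                hit.add(labels[GATEWAY_LABEL])
        findings += [(pol["kind"], f"{meta['namespace']}/{meta['name']}", gw)
                     for gw in sorted(hit)]
    return findings

# Constructed sample input mirroring the manifests on this page.
GW = {GATEWAY_LABEL: "bookinfo-gateway"}
REF = {"group": "gateway.networking.k8s.io", "kind": "Gateway", "name": "bookinfo-gateway"}
DENY = {"action": "DENY", "rules": [{"from": [{"source": {"namespaces": ["dev"]}}],
                                     "to": [{"operation": {"methods": ["POST"]}}]}]}
PODS = [{"metadata": {"name": "bookinfo-gateway-istio-6ff4cf9645-xbqmc",
                      "namespace": "default", "labels": GW}}]
POLICIES = [
    {"kind": "AuthorizationPolicy", "metadata": {"namespace": "default", "name": "ap-ineffective"},
     "spec": {"selector": {"matchLabels": GW}, **DENY}},
    # Hypothetical corrected form of the same DENY rule, attached with targetRef.
    {"kind": "AuthorizationPolicy", "metadata": {"namespace": "default", "name": "ap-targetref"},
     "spec": {"targetRef": REF, **DENY}},
    {"kind": "Telemetry", "metadata": {"namespace": "default", "name": "telemetry-example"},
     "spec": {"selector": {"matchLabels": GW}, "targetRef": REF,
              "tracing": [{"randomSamplingPercentage": 10.0}]}},
]

if __name__ == "__main__":
    for kind, name, gw in ineffective_selectors(POLICIES, PODS):
        print(f"{kind} {name}: ineffective selector on Kubernetes Gateway {gw}; use targetRef")
```

Only ap-ineffective is reported: its DENY rule is the one that would not be applied at the gateway, while the targetRef variant and the Telemetry policy with both fields pass.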