IneffectiveSelector
This message occurs when a workload selector in policies like AuthorizationPolicy, RequestAuthentication, Telemetry, or WasmPlugin does not effectively target any pods within the Kubernetes Gateway.
Example
You will receive similar messages like:
Warning [IST0166] (AuthorizationPolicy default/ap-ineffective testdata/k8sgateway-selector.yaml:47) Ineffective selector on Kubernetes Gateway bookinfo-gateway. Use the TargetRef field instead. when your policy’s selector matches a Kubernetes Gateway.
For example, when you have a Kubernetes Gateway pod like:
apiVersion: v1 kind: Pod metadata: annotations: istio.io/rev: default labels: gateway.networking.k8s.io/gateway-name: bookinfo-gateway name: bookinfo-gateway-istio-6ff4cf9645-xbqmc namespace: default spec: containers: - image: proxyv2:1.21.0 name: istio-proxy And there is an AuthorizationPolicy with a selector like:
apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: namespace: default name: ap-ineffective spec: selector: matchLabels: gateway.networking.k8s.io/gateway-name: bookinfo-gateway action: DENY rules: - from: - source: namespaces: ["dev"] to: - operation: methods: ["POST"] If you have both targetRef and selector in the policy, this message will not occur. For example:
apiVersion: telemetry.istio.io/v1 kind: Telemetry metadata: name: telemetry-example namespace: default spec: tracing: - randomSamplingPercentage: 10.00 selector: matchLabels: gateway.networking.k8s.io/gateway-name: bookinfo-gateway targetRef: group: gateway.networking.k8s.io kind: Gateway name: bookinfo-gateway How to resolve
Make sure you are using the selector field for sidecars or Istio Gateway pods, and use the targetRef field for Kubernetes Gateway pods. Otherwise, the policy will not be applied.
Here is an example:
apiVersion: telemetry.istio.io/v1 kind: Telemetry metadata: name: telemetry-example namespace: default spec: tracing: - randomSamplingPercentage: 10.00 targetRef: group: gateway.networking.k8s.io kind: Gateway name: bookinfo-gateway