Tetrate Istio SubscriptionVersion: NextTCA Analysis
Tetrate Config Analyzers (TCA) performs various configuration checks to ensure the proper setup and functioning of your Istio service mesh. This document describes in detail the validations that TIS Plus performs with examples of recommended configurations.
Following are the analysis checks TCA performs:
TIS00 - General Configurations
- TIS0001 - Multiple configuration objects within the same namespace
- TIS0002 - Multiple configuration objects applied to the same workload
- TIS0003 - No workload matches the specified selector in this namespace
- TIS0004 - Namespace for Configuration Export is Inaccessible or Does Not Exist
TIS01 - Basic Resource Issues
- TIS0101 - Specified Namespace Cannot Be Found
- TIS0102 - Invalid HTTP Method or gRPC Name
- TIS0103 - Specified Host Not Found in Service Registry
- TIS0104 - Mutual TLS (mTLS) is Required for This Field
- TIS0105 - Specified Service Account Cannot Be Found for Principal
TIS02 - DestinationRule and PeerAuthentication
- TIS0201 - Multiple
DestinationRuleObjects for Same Host-Subset Combination - TIS0202 - Specified Host Not Found in Service Registry
- TIS0203 - No Matching Labels Found for Subset in Any Host
- TIS0204 - Mutual TLS (mTLS) Settings Overridden by Non-Local
DestinationRule - TIS0205 - Missing
PeerAuthenticationfor Mesh-Level mTLS - TIS0206 - Missing
PeerAuthenticationfor Namespace-Wide mTLS - TIS0207 -
PeerAuthenticationwith STRICT Mode Found, Should Be PERMISSIVE - TIS0208 -
PeerAuthenticationEnabling mTLS Found, Permissive Mode Needed - TIS0209 - Subset Lacks Labels
TIS03 - Gateway Issues
- TIS0301 - Multiple Gateways for Same Host-Port Combination
- TIS0302 - No Workload Matches Gateway Selector in Namespace
- TIS0303 - Duplicate Certificates in Multiple Gateways
- TIS0304 - Gateway Server Credentials Not Found
TIS04 - Mesh-Wide DestinationRule
TIS05 - Namespace-Wide and Mesh-Wide DestinationRule
- TIS0501 - Namespace-Wide
DestinationRuleEnabling mTLS is Missing - TIS0502 - Namespace-Wide
DestinationRuleDisabling mTLS is Missing - TIS0503 - Mesh-Wide
DestinationRuleDisabling mTLS is Missing
TIS06 - Port Configuration
- TIS0601 - Port Name Must Follow the
'protocol'[-suffix]Format - TIS0602 - Port
appProtocolMust Follow the'protocol'[-suffix]Format
TIS07 - Deployment and Service Issues
TIS08 - EnvoyFilter Operations
- TIS0801 -
ADDOperation Ignored forapplyToSet toROUTE_CONFIGURATIONorHTTP_ROUTE - TIS0802 -
REMOVEOperation Ignored forapplyToSet toROUTE_CONFIGURATIONorHTTP_ROUTE - TIS0803 -
REPLACEOperation Only Valid forHTTP_FILTERandNETWORK_FILTER
TIS09 - Telemetry Issues
TIS10 - Service Registry and Sidecar Issues
- TIS1001 - Specified Host Not Found in Service Registry
- TIS1002 - Global Default Sidecar Should Not Have a
workloadSelector - TIS1003 -
OutboundTrafficPolicywith Empty Mode Value Is Ambiguous
TIS11 - VirtualService and Route Issues
- TIS1101 -
DestinationWeighton Route Does Not Have a Valid Service - TIS1102 -
VirtualServicePoints to Non-Existent Gateway - TIS1103 - Weight Assumed as 100 for a Single Route Destination
- TIS1104 - Host Subset Combination Already Referenced in Another Route Destination
- TIS1105 - More than One
VirtualServiceExists for the Same Host - TIS1106 - Subset Not Found
- TIS1107 - Preferred Gateway Nomenclature
- TIS1108 - JWT Claim Based Routing Without
RequestAuthentication
TIS12 - WorkloadEntry Issues
TIS13 - Authorization Policy Issues
TIS14 - HTTPRoute Issues
TIS15 - Kubernetes Gateway Issues
- TIS1501 - More Than One Kubernetes Gateway Exists for the Same Host-Port Combination
- TIS1502 - More Than One Kubernetes Gateway Exists for the Same Address and Type Combination
- TIS1503 - Listener Must Have a Unique Combination of Hostname, Port, and Protocol
- TIS1504 - Gateway API Class Not Found in Configuration