TIS0003 - No workload matches the specified selector in this namespace

No workload matches the specified selector in this namespace.

Recommendation: Ensure selectors match existing workloads

By ensuring that your policy selectors match existing workloads, you can apply configurations effectively and avoid unnecessary or ineffective policy objects in your Istio service mesh.

Examples

  1. PeerAuthentication with Non-Matching Selector

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: mtls-policy
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: non-existent-app
      mtls:
        mode: STRICT

    Explanation: The PeerAuthentication policy is targeting workloads with the label app: non-existent-app, but no such workloads exist in the example-namespace. Therefore, the policy has no effect.

  2. RequestAuthentication with Non-Matching Selector

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: jwt-auth
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: missing-service
      jwtRules:
      - issuer: "https://secure.token.service"
        jwksUri: "https://secure.token.service/.well-known/jwks.json"

    Explanation: The RequestAuthentication policy specifies a selector for app: missing-service, but no workloads in the namespace have this label, rendering the policy ineffective.

  3. Telemetry with Non-Matching Selector

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: telemetry-settings
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: unknown-app
      accessLogging:
      - disabled: false

    Explanation: The Telemetry configuration is intended for workloads labeled app: unknown-app, but such workloads do not exist in the namespace, so the telemetry settings are not applied to any workload.

Recommendation

Modify the labels to match an existing workload, deploy a compatible workload, or remove the object.

  1. Modify the Selector to Match Existing Workloads

    If you intended to apply the policy to an existing workload, update the selector to match the labels of that workload.

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: mtls-policy
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: existing-app
      mtls:
        mode: STRICT

  2. Add Labels to Workloads to Match the Selector

    If you intended to apply the policy to a workload but it lacks the necessary labels, add the appropriate labels to the workload.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: my-service
      namespace: example-namespace
      labels:
        app: non-existent-app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: non-existent-app
      template:
        metadata:
          labels:
            app: non-existent-app
        spec:
          containers:
          - name: my-container
            image: my-image

  3. Remove Unused Policy Objects

    If the policy is not needed, consider removing it to clean up your configuration.

    kubectl delete peerauthentication mtls-policy -n example-namespace