Skip to main content
logoTetrate Istio SubscriptionVersion: Next

TIS0004 - Namespace for Configuration Export is Inaccessible or Does Not Exist

The namespace to which the configuration object is exported is either inaccessible or does not exist.

Recommendation: Ensure Namespace Exists for Configuration Export

By ensuring that the namespace specified for export exists and is accessible, you can avoid misconfigurations and ensure that your Istio service mesh policies are applied correctly.

Examples

  1. AuthorizationPolicy Exported to a Non-Existent Namespace

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-traffic
      namespace: example-namespace
    spec:
      rules:
      - from:
        - source:
            namespaces: ["non-existent-namespace"]

    Explanation: The AuthorizationPolicy is specifying a source namespace non-existent-namespace that does not exist or is inaccessible, making the policy ineffective in controlling access as intended.

  2. ServiceEntry Exported to Inaccessible Namespace

    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      name: external-service
      namespace: example-namespace
    spec:
      exportTo:
      - "unknown-namespace"
      hosts:
      - "external.example.com"
      ports:
      - number: 80
        name: http
        protocol: HTTP

    Explanation: The ServiceEntry is being exported to unknown-namespace, which does not exist or is inaccessible. This prevents the configuration from being properly shared and used across the desired namespaces.

  3. VirtualService with Export to Inaccessible Namespace

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: my-virtual-service
      namespace: example-namespace
    spec:
      exportTo:
      - "inaccessible-namespace"
      hosts:
      - "my-service"
      http:
      - route:
        - destination:
            host: my-service

    Explanation: The VirtualService configuration is being exported to inaccessible-namespace, which does not exist or cannot be accessed, causing the configuration to fail in being propagated correctly.

Recommendation

Select the appropriate namespace for export.

  1. Specify an Existing Namespace

    Ensure that the namespace specified for export actually exists and is accessible.

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-traffic
      namespace: example-namespace
    spec:
      rules:
      - from:
        - source:
            namespaces: ["existing-namespace"]

  2. Use . to Export to All Namespaces

    If the intention is to export the configuration to all namespaces, use . in the exportTo field.

    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      name: external-service
      namespace: example-namespace
    spec:
      exportTo:
      - "."
      hosts:
      - "external.example.com"
      ports:
      - number: 80
        name: http
        protocol: HTTP

  3. Remove exportTo Field if Unnecessary

    If exporting the configuration is not required, consider removing the exportTo field to avoid issues.

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: my-virtual-service
      namespace: example-namespace
    spec:
      hosts:
      - "my-service"
      http:
      - route:
        - destination:
            host: my-service