When trying to change REGISTRY_ONLY we ran into an issue where either pilot or the istio-proxy sidecars would reject updates with an error similar to:
Error adding/updating listener(s) 0.0.0.0_443: multiple filter chains with overlapping matching rules are defined
From that point any ServiceEntry created would not be in the istio-proxy registry (checked with istioctl proxy-config cluster) and the sidecar would not let the connection go through, as expected.
My current hypothesis is that multiple ServiceEntry configurations for the same hostname might be causing the overlap because different teams deploy to different namespaces, but I can't really reproduce/prove it. We are also enforcing setting exportTo: '.' in the ServiceEntry to keep it scoped only to the namespace where it is deployed.
We had similar issues before when we were setting TLS resolution and people would deploy bad certs or reference certs that didn't exist (a typo or something); this caused failures in the pilot push process as well as in ingress (sometimes no ingress traffic was allowed, other times only HTTP worked).
Anyway, I'm hoping to see if someone else has run into this error before, or if anyone has ideas on what to look for in the configuration.
For context: we are running Istio 1.2 and Kubernetes 1.13 (EKS).
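One way to test the "same hostname in several namespaces" hypothesis from the post is to walk every ServiceEntry in the cluster and flag host/port pairs that more than one entry would expose to the same sidecar. The script below is an added example, not code from the original post or from Istio: it groups entries by (host, port) and reports a pair as overlapping when either entry is exported to all namespaces (no exportTo, or exportTo containing '*', which this example assumes is the default) or when both are scoped with exportTo '.' but live in the same namespace. The input is a constructed JSON document shaped like kubectl get serviceentries -A -o json; the find_overlaps and visible_everywhere names are the example's own.

```python
"""Flag ServiceEntry objects whose host/port pairs could reach the same
sidecar and so produce duplicate Envoy filter chains.

Added example (hypothetical helper, not part of Istio). Feed it the
`items` array of `kubectl get serviceentries -A -o json`.
"""
import json
import sys
from collections import defaultdict

# Constructed sample: three teams declare api.example.com:443 in their own
# namespaces; team-b forgot exportTo, so its entry is exported everywhere.
SAMPLE = {
    "items": [
        {"metadata": {"namespace": "team-a", "name": "api-example"},
         "spec": {"hosts": ["api.example.com"],
                  "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
                  "resolution": "DNS", "exportTo": ["."]}},
        {"metadata": {"namespace": "team-b", "name": "api-example"},
         "spec": {"hosts": ["api.example.com"],
                  "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
                  "resolution": "DNS"}},  # no exportTo: visible mesh-wide
        {"metadata": {"namespace": "team-c", "name": "api-example"},
         "spec": {"hosts": ["api.example.com"],
                  "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
                  "resolution": "DNS", "exportTo": ["."]}},
        {"metadata": {"namespace": "team-d", "name": "other"},
         "spec": {"hosts": ["other.example.com"],
                  "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
                  "resolution": "DNS", "exportTo": ["."]}},
    ]
}


def visible_everywhere(spec):
    """True when the entry is exported to every namespace.

    Assumption: a missing exportTo means '*' (Istio's documented default
    when no mesh-wide default is configured).
    """
    export_to = spec.get("exportTo") or ["*"]
    return "*" in export_to


def find_overlaps(items):
    """Return {(host, port): [namespace/name, ...]} for every host/port that
    at least two ServiceEntries would expose to one sidecar."""
    by_key = defaultdict(list)
    for item in items:
        meta, spec = item["metadata"], item["spec"]
        entry = {
            "ref": f"{meta['namespace']}/{meta['name']}",
            "namespace": meta["namespace"],
            "global": visible_everywhere(spec),
        }
        for host in spec.get("hosts", []):
            for port in spec.get("ports", []):
                by_key[(host, port["number"])].append(entry)

    overlaps = {}
    for key, entries in by_key.items():
        conflicting = set()
        for i, a in enumerate(entries):
            for b in entries[i + 1:]:
                # Two entries collide if some namespace sees both of them:
                # either one is global, or both are '.'-scoped in one namespace.
                if a["global"] or b["global"] or a["namespace"] == b["namespace"]:
                    conflicting.update([a["ref"], b["ref"]])
        if conflicting:
            overlaps[key] = sorted(conflicting)
    return overlaps


def report(doc):
    """Print one line per overlapping host/port; return the overlap count."""
    overlaps = find_overlaps(doc["items"])
    for (host, port), refs in sorted(overlaps.items()):
        print(f"{host}:{port} declared by {', '.join(refs)}")
    return len(overlaps)


if __name__ == "__main__":
    # Pipe real cluster output in, or run with no stdin to use the sample.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    sys.exit(1 if report(doc) else 0)
```

Run it as `kubectl get serviceentries -A -o json | python3 se_overlaps.py` (file name is the example's own); a non-zero exit means at least one host/port is reachable from two entries in some namespace, which is the configuration worth comparing against the listener that Envoy rejects. In the sample, team-a and team-c are correctly scoped and would not collide with each other, but team-b's unscoped entry collides with both.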