Istio v1.8.1: How to enable validatingwebhook's failurePolicy to fail?

Hi,
I installed istio with istioctl and the following overrides in EKS v1.18:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  revision: 1-8-1
  tag: 1.8.1-distroless
  components:
    egressGateways:
      - name: istio-egressgateway
        enabled: true
  meshConfig:
    accessLogFile: /dev/stdout
    accessLogEncoding: JSON
    defaultConfig:
      holdApplicationUntilProxyStarts: true
    # defaultServiceExportTo: .
    enableAutoMtls: true
    enableTracing: false
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
  values:
    # tracing:
    #   enabled: false
    pilot:
      traceSampling: 0.0

When I see istiod logs, it shows that invalid configs are allowed as validation webhook is set to ignore.
Istiod logs:

2021-01-13T07:26:40.423009Z	info	validationController	Reconcile(enter): retry dry-run creation of invalid config
2021-01-13T07:26:40.429378Z	info	validationController	Not ready to switch validation to fail-closed: dummy invalid config not rejected
2021-01-13T07:26:40.430251Z	info	validationController	validatingwebhookconfiguration istiod-istio-system (failurePolicy=Ignore, resourceVersion=2488575) is up-to-date. No change required.

I tried to follow the steps mentioned here: Istio / Configuration Validation Problems, but I don’t see istio-validation configmap in istio-system namespace and I can’t find global.configValidation option in the docs.
What am I missing?

Greetings,

I had the same issue. It relates to the use of the revision. The webhook config is configured to check against the istiod service in your istio namespace.
In the service section of the hook you will find the service name pointing to the default istiod service without the revision. If you add your revision to the service name it will work again.

clientConfig:
  service:
    name: istiod-1-8-1
    namespace: istio-system
    path: /validate
    port: 443

It's not the best solution. I stopped using the revisions for now. It seems to have a couple of missing changes and is therefore a bit unstable.

Regards


There is a better solution than modifying the ValidatingWebhookConfiguration object.
IstioOperator allows modifying anything in the generated manifest through overlays.

This snippet would solve your problem until a fix is released.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  revision: 1-8-1
  tag: 1.8.1-distroless
  components:
## Here is the solution
    base:
      k8s:
        overlays:
          - kind: ValidatingWebhookConfiguration
            name: istiod-istio-system
            patches:
              - path: webhooks.[name:validation\.istio\.io].clientConfig.service.name # << json path to reach the target value to fix
                value: istiod-1-8-1
###### :) 
    egressGateways:
      - name: istio-egressgateway
        enabled: true
  meshConfig:
    accessLogFile: /dev/stdout
    accessLogEncoding: JSON
    defaultConfig:
      holdApplicationUntilProxyStarts: true
    # defaultServiceExportTo: .
    enableAutoMtls: true
    enableTracing: false
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
  values:
    # tracing:
    #   enabled: false
    pilot:
      traceSampling: 0.0

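As an added illustration (not code from the thread or from the Istio project), the script below shows what the overlay path in the reply above actually selects, and checks a ValidatingWebhookConfiguration for the two conditions the thread turns on: the webhook's service name carrying the revision suffix, and the webhook still being fail-open (`failurePolicy: Ignore`). The webhook object is constructed to mirror the thread; istiod flips the failurePolicy itself once its dry-run rejection test passes, so the check only reports that field rather than patching it.

```python
import copy
import re

# Constructed sample: the istiod-istio-system webhook as it looks when istiod
# was installed with revision 1-8-1 but the webhook still targets the
# un-revisioned "istiod" service (the mismatch described in the thread).
WEBHOOK = {
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "istiod-istio-system"},
    "webhooks": [{
        "name": "validation.istio.io",
        "failurePolicy": "Ignore",
        "clientConfig": {"service": {"name": "istiod", "namespace": "istio-system",
                                     "path": "/validate", "port": 443}},
    }],
}
# The overlay path from the IstioOperator snippet in the reply above.
PATCH_PATH = r"webhooks.[name:validation\.istio\.io].clientConfig.service.name"

def split_path(path):
    """Split an overlay path on unescaped dots; '\\.' inside a selector is a
    literal dot, so 'validation\\.istio\\.io' stays one segment."""
    return [seg.replace(r"\.", ".") for seg in re.split(r"(?<!\\)\.", path)]

def walk(obj, segments):
    """Follow segments; '[key:value]' selects the list element whose key matches."""
    for seg in segments:
        m = re.fullmatch(r"\[(\w+):(.*)\]", seg)
        obj = next(e for e in obj if str(e.get(m[1])) == m[2]) if m else obj[seg]
    return obj

def apply_patch(manifest, path, value):
    """Return a copy of manifest with the value at path replaced (overlay semantics)."""
    patched = copy.deepcopy(manifest)
    *parents, last = split_path(path)
    walk(patched, parents)[last] = value
    return patched

def check_webhook(manifest, revision):
    """Report, per webhook, whether it targets the revisioned istiod service
    and whether it is still fail-open (failurePolicy=Ignore)."""
    expected = f"istiod-{revision}"
    report = []
    for hook in manifest["webhooks"]:
        name = hook["clientConfig"]["service"]["name"]
        report.append({"webhook": hook["name"], "service_name": name,
                       "expected_service": expected, "service_ok": name == expected,
                       "failure_policy": hook.get("failurePolicy")})
    return report

if __name__ == "__main__":
    for row in check_webhook(apply_patch(WEBHOOK, PATCH_PATH, "istiod-1-8-1"), "1-8-1"):
        print(row)
```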