If you are experiencing issues with the cluster, follow the steps below to troubleshoot the problem before you contact us. This guide is designed to help you identify the root cause of the problem, which might not necessarily be related to Istio itself but rather to the misconfiguration of Istio custom resources (CRs) or other cluster resources.
- Verify if Istio CR is in the
Warningstate. If it is, check the warning message and conditions. This might be helpful at the beginning of the investigation. - Verify that no NetworkPolicies are affecting the connectivity by blocking traffic between Pods in the service mesh. To find all NetworkPolicies, run the command
kubectl get networkpolicies -A. - The configuration of the following kinds of resources can affect the connectivity in the service mesh. Verify that those resources are configured as intended:
- Use the command
istioctl analyze -Ato check for potential issues in the Istio configuration and see suggestions on how to fix them. - To enable the access logs of the Envoy proxy, follow the guide Envoy Access Logs. In the access logs, you can find the field response_flags. The response flags DC (Downstream client terminated connection) and UC (Upstream terminated connection) are not within the scope of the Istio module team, as they relate to the behavior of the client (DC) or the workload application (UC).
- Verify if Istio CR is in the
Warningstate. If it is, check the warning message. It might be helpful at the beginning of the investigation. - Check if you correctly enabled sidecar injection. See the guide Check If You Have Istio Sidecar Proxy Injection Enabled for more information.
- Make sure the Pod does not have
hostNetwork: truein the spec. If it does, the sidecar will not be injected.
- Check the Official Istio Troubleshooting Guide.
- Look for already existing issues in the Istio module repository. If none of them is related to your problem, create a new issue.