istioctl analyze shows IST0133 "addresses are required" for ServiceEntry objects even when ISTIO_META_DNS_AUTO_ALLOCATE is enabled

[mmerickel]

Is this the right place to submit this?

• This is not a security vulnerability or a crashing bug
• This is not a question about how to use Istio

Bug Description

• Enable ISTIO_META_DNS_CAPTURE and ISTIO_META_DNS_AUTO_ALLOCATE.
• Deploy some stuff.
• Run istioctl analyze.
• Observe warnings:

Warning [IST0133] (ServiceEntry myapp/myapp-db) Schema validation warning: addresses are required for ports serving TCP (or unset) protocol
Warning [IST0133] (ServiceEntry myapp/myapp-smtp) Schema validation warning: addresses are required for ports serving TCP (or unset) protocol

I believe these warnings should not be there. I know this AUTO_ALLOCATE is per-pod, so it's hard to look at a ServiceEntry in a vacuum and say it's ok but something can be improved around this, hence opening the ticket.

Version

$ istioctl version
client version: 1.21.2
control plane version: 1.21.2
data plane version: 1.21.2 (6 proxies)

$ kubectl version
Client Version: v1.30.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.1-eks-b9c9ed7

[hzxuzhonghu]

Keep reminded that ISTIO_META_DNS_AUTO_ALLOCATE = true is a per proxy config. but the analysis is not for per proxy.

So I think warning may be good

[mmerickel]

Yep I addressed that in the original text of the ticket - and y'all can choose to close this if you choose.

I opened the ticket because there are warnings when nothing is misconfigured. And of course I don't want warnings when there isn't an issue. It'd be nice if istio would only warn if ISTIO_META_DNS_AUTO_ALLOCATE was not set on a pod running in the namespaces that the service entries are exported into.

Istio could be smarter here, and this ticket is just pointing it out as a gap in the analyze of the "live cluster".

[hzxuzhonghu]

I agree with you, we can improve a little bit here