Resolving configuration issues
This section explains common Cloud Service Mesh problems and how to resolve them. If you need additional assistance, see Getting support.
Checking MembershipState
At any time you can check the most recent status of the mesh by running the following command:
```bash
gcloud container fleet mesh describe
```
The output is similar to:
```yaml
...
membershipSpecs:
  projects/project_id/locations/global/memberships/cluster:
    mesh:
      management: MANAGEMENT_AUTOMATIC
membershipStates:
  projects/project_id/locations/global/memberships/cluster:
    servicemesh:
      ...
      conditions:
      - code: CONFIG_VALIDATION_WARNING
        documentationLink: https://cloud.google.com/...
        details: Application of one or more configs has failed. Error details are shown on individual config resources. See documentation link for more detail.
        severity: WARNING
...
```
MembershipState Error Codes
If Cloud Service Mesh reports conditions in the MembershipState for a cluster, it could mean that mesh configurations (such as Istio custom resources) could not be applied. The following error code descriptions explain how to address them.
| Error Code | Cause | Resolution |
|---|---|---|
| `CONFIG_APPLY_INTERNAL_ERROR` | One or more configs failed to be applied due to an internal error. | Contact customer support. |
| `QUOTA_EXCEEDED_*` | One or more configs failed to be applied due to resources reaching a quota limit. | See Quotas for information on the specific quotas and how to raise them. |
| `CONFIG_VALIDATION_ERROR` | One or more configs failed to be applied due to invalid configuration. | Specific errors are written to the configs that caused them. More information on how to diagnose these is described in the section: Configuration Validation errors. |
| `CONFIG_VALIDATION_WARNING` | We encountered potential problems in one or more configs. These may not have been applied, and if they have been applied, there may be unintended behavior. | More information on how to diagnose these is described in the section: Configuration Validation errors. |
| `MULTICLUSTER_SECRET_WARNING` | The cluster is using a manually created Istio multi-cluster secret instead of using the declarative multi-cluster API for endpoint discovery. | Move multi-cluster endpoint discovery setup to the declarative implementation. More information can be seen in the Multi-cluster Secrets page. |
| `WORKLOAD_IDENTITY_REQUIRED` | Workload identity is not enabled for the cluster or at least one of the node pools. | Enable workload identity at cluster and nodepool level. For instructions, see Enable workload identity page. |
| `MANAGED_CNI_NOT_ENABLED` | Managed CNI is not enabled for this cluster. | Enable Managed CNI to maintain best practices within your mesh. More information can be seen in the Enable managed CNI page. |
| `NON_STANDARD_SIDECAR_BINARY_USAGE` | One or more commands within Istio containers are using binaries other than `envoy`, `pilot_agent`, or `iptables`. | Remove dependency on unsupported binaries. More information can be seen in the Unsupported binary usage page. |
| `UNSUPPORTED_GATEWAY_CLASS_USAGE` | The cluster is configured with gateway classes (Istio and Anthos Service Mesh) that require migration to the Istio Ingress Gateway to align with best practices. | Refer to the documentation for the detailed instructions. |
| `UNSUPPORTED_MULTIPLE_CONTROL_PLANES` | The cluster has provisioned multiple control plane channels. Cloud Service Mesh only supports one channel per cluster. | For more information, see Fix multiple control planes. |
| `REQUIRED_ORG_POLICY_DISABLED` | A disabled organization policy needs to be enabled. | Please disable this policy for the project to ensure Cloud Service Mesh functionality. For more information, see Enabling a Required Organization Policy. |
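The conditions above can be triaged per cluster before digging into individual resources. The following is an added example, not part of the original documentation: it flattens `membershipStates` from the describe output, orders conditions by severity, and picks out the clusters that need the per-resource check. It assumes the output was saved with `--format=json` and uses the same key names as the output shown above, and that `ERROR` ranks above `WARNING`; the membership names, details text and the `QUOTA_EXCEEDED_PLACEHOLDER` suffix are constructed.

```python
import json
import sys

# Constructed sample in the shape of `gcloud container fleet mesh describe --format=json`.
# Key names follow the output shown above; memberships, details and the quota suffix are made up.
SAMPLE = json.loads("""
{"membershipStates": {
  "projects/p/locations/global/memberships/prod": {"servicemesh": {"conditions": [
    {"code": "MANAGED_CNI_NOT_ENABLED", "severity": "WARNING", "details": "constructed"},
    {"code": "CONFIG_VALIDATION_ERROR", "severity": "ERROR", "details": "constructed"},
    {"code": "QUOTA_EXCEEDED_PLACEHOLDER", "severity": "ERROR", "details": "constructed"}]}},
  "projects/p/locations/global/memberships/dev": {"servicemesh": {}}
}}
""")

# Severity ranking is an assumption; the page itself only shows WARNING.
RANK = {"ERROR": 0, "WARNING": 1}
# Codes whose details are written to the individual config resources.
PER_RESOURCE = {"CONFIG_VALIDATION_ERROR", "CONFIG_VALIDATION_WARNING"}


def conditions(feature):
    """Flatten membershipStates into (cluster, severity, code) rows, most severe first."""
    rows = []
    for membership, state in (feature.get("membershipStates") or {}).items():
        for cond in (state.get("servicemesh") or {}).get("conditions") or []:
            rows.append((membership.rsplit("/", 1)[-1],
                         cond.get("severity", "UNKNOWN"),
                         cond.get("code", "UNKNOWN")))
    # Unknown severities sort after the known ones but are still reported.
    return sorted(rows, key=lambda r: (RANK.get(r[1], len(RANK)), r[0], r[2]))


def needs_resource_check(rows):
    """Clusters where the per-resource validation query should be run next."""
    return sorted({cluster for cluster, _, code in rows if code in PER_RESOURCE})


def quota_hits(rows):
    """QUOTA_EXCEEDED_* is a family of codes, so match on the prefix."""
    return [(cluster, code) for cluster, _, code in rows if code.startswith("QUOTA_EXCEEDED_")]


if __name__ == "__main__":
    feature = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for cluster, severity, code in conditions(feature):
        print(f"{severity:8} {cluster:8} {code}")
```

Pass the path of a saved JSON describe output as the first argument to run it against a real fleet; with no argument it uses the constructed sample.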
Configuration Validation Errors
`CONFIG_VALIDATION_WARNING` and `CONFIG_VALIDATION_ERROR` codes indicate problems were found on mesh configs (Istio or Kubernetes Custom Resources) and that a subset of configs may not have been properly applied.
Many per-resource error details are written to the applicable resource. The following command can be used to locate the invalid configs and view the specific error messages. (Note: this covers Istio resources specifically, and not all validation errors may be displayed here.)
```bash
for resource in serviceentries destinationrules virtualservices gateways peerauthentications authorizationpolicies requestauthentications sidecars telemetries envoyfilters; do
  kubectl get "$resource" --all-namespaces --output=json | \
    jq '.items[] | select(.status.conditions != null and any(.status.conditions[]; .type == "Accepted" and .status == "False")) | {"name": .metadata.name, "namespace": .metadata.namespace, "kind": .kind, "conditions": .status.conditions}';
done
```
The output is similar to:
```json
{
  "name": "demo-envoy-filter",
  "namespace": "default",
  "kind": "EnvoyFilter",
  "conditions": [
    {
      "lastTransitionTime": "2024-04-04T21:10:18.046975988Z",
      "message": "This API is not supported",
      "reason": "Invalid",
      "status": "False",
      "type": "Accepted"
    }
  ]
}
```

