can't create pods - failed calling webhook “sidecar-injector.istio.io”

Question

Kubernetes version: 1.17.14-gke.400

I am having trouble creating pods with istio setup, I am getting a timeout error from the sidecar injector.

I setup istio (1.8.1) with this command:

istioctl install --set profile=minimal \
 --set values.cni.cniBinDir=/home/kubernetes/bin \
 --set 'values.cni.excludeNamespaces[0]'=kube-system \
 --set 'values.cni.excludeNamespaces[1]'=istio-system \
 --set 'values.cni.excludeNamespaces[2]'=backend \
 --set components.cni.enabled=true \
 --set components.cni.namespace=kube-system

Then when I try to deploy the sleep sample I get one of these two errors kubectl apply -f samples/sleep/sleep.yaml

Error creating: Internal error occurred: failed calling webhook "sidecar-injector.istio.io": Post https://istiod.istio-system.svc:443/inject?timeout=30s: context deadline exceeded

or

Error creating: Internal error occurred: failed calling webhook "sidecar-injector.istio.io": Post https://istiod.istio-system.svc:443/inject?timeout=30s: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

I do have network policies enabled, but I don't have any setup in kube-system of istio-system. Also, when I curl that endpoint I get a 400 error.

Answer 1

My issue turned out to be that I needed to update the firewall rule to add port 15017 even though I do not have a private cluster: https://istio.io/latest/docs/setup/platform-setup/gke/

Answer 2

There is a known issue with the upgrade from GKE 1.16 to 1.17. Any custom resources you created in the istio-system namespace are deleted during an upgrade to 1.17. These resources must be manually recreated. We recommend not upgrading clusters with the Istio add-on to 1.17 until the fix is rolled out. The issue only occurs during upgrades, so new clusters are not affected. Check this release notes for more details.