what's the unknow service in Istio Kiali?

It's quite strange to see there's "unknown" service(marked with red box) going out from "fota-dmserver". Could you help explain?

A service displayed as "Unknown" can be pretty much anything that is not part of the service mesh. It has such a name in Kiali because this service was not declared, so Istio / Kiali have no idea about what it is. It could be, for instance, calls to third party APIs. To declare it, you must use a Service Entry: https://istio.io/docs/reference/config/networking/v1alpha3/service-entry/ .

If you have no idea what it is you should investigate client calls performed from your fota-dmserver service.

we've found some hints, but I don't understand why it happens.

from fota_dmserver's istio-proxy log file, I found:


Note the downstream_local_address":"". cannot see any of the POD having the address. Maybe it's staled address/routing information in istio-proxy routing table.

I've tried per @Joe's comments. The findings: 1. Prometheus: istio_requests_total{source_workload="fota-dmserver",destination_workload="unknown"}[2d], the result Element: istio_requests_total{connection_security_policy="unknown",destination_app="unknown",destination_principal="unknown",destination_service="unknown",destination_service_name="unknown",destination_service_namespace="unknown",destination_version="unknown",destination_workload="unknown",destination_workload_namespace="unknown",instance="",job="istio-mesh",permissive_response_code="none",permissive_response_policyid="none",reporter="source",request_protocol="http",response_code="404",response_flags="NR",source_app="fota-dmserver",source_principal="unknown",source_version="v1",source_workload="fota-dmserver",source_workload_namespace="ns-fota"}. value: 2 @1565574966.739 3 @1565574981.739 ..... 2.Prometheus:istio_requests_total{source_workload="fota-car",destination_workload="unknown"}[2d], result: empty

We've a load testing today,fota-dmserver does not point to unknown service, but fota-car points to unknown service now. It's quite curious.

  • the calls from "fota-dmserver" to the services outside of mesh- redis server, mysql DB. "fota-car" service has similiar situation with "fota-dmserver". My question why there's no link from "fota-car" to "unknown"? I'm really curious.
  • As you describe, there should be. Might be an indication that not everything is working as you expect in your mesh? Or might be a problem on istio/kiali side as well. I guess it deserves more investigation on your side... FYI Kiali shows what telemetry is available in Prometheus, so if you want to see if Kiali is missing something, you could check Prometheus metric "istio_requests_total" with "fota-car" as source and check what are the destination services (and if there's "unknown"). You can do that from the Prometheus console.
  • @YoufaMao do you see the same issue if you switch graph view to "Workload graph" ?
  • @Joel, could you help?
  • So, your traffic to "unknown" shows a 404 error with the flag "NR". It stands for "no route configured" as explained in istio doc: istio.io/docs/ops/traffic-management/troubleshooting . Probably a misconfiguration on your side. Note that you could have seen that in Kiali too, if you click on the traffic edge in error and display "Response Codes" in the graph side-panel.
  • my gateway/virtural service settings seem OK. Is there anyway that I can see from log which URL has HTTP 404 error?