AWS FIS does not work for Istio enabled applications

Question

AWS FIS eks experiments such as eks pod termination, pod cpu stress does not work for Istio enabled application. I have namespace for which istio-injection is enabled and application is running under that namespace. If I run pod delete FIS experiment I get below error:

ERROR: Error captured while executing... Post "https://x.x.x.x:443/api/v1/namespaces/prod/configmaps": dial tcp x.x.x.x:443: connect: connection refused
ERROR: Fault injection has failed with error:  Post "https://x.x.x.x:443/api/v1/namespaces/prod/configmaps": dial tcp x.x.x.x:443: connect: connection refused

AWS FIS works fine for Istio disabled applications.

I tried traffic.sidecar.istio.io/excludeOutboundIPRanges: x.x.x.x/32 whitelisting IP address of kubernetes api but doesn't seems to help.

Answer 1

In service meshes, sidecar containers are injected into pods. If pods make network calls while the sidecars are injected, network requests might experience issues.

I use the EKS actions with Istio by disabling the sidecar injection. Set the parameter fisPodAnnotations in your FIS experiment template action to {"sidecar.istio.io/inject":"false"}. For other service mesh providers, it is necessary to use fisPodLabels to disable the sidecar injection for the FIS Pod.