
Traffic / mTLS / Circuit breaking

Requests per source→destination pair (traffic matrix)

sum by (source_workload, destination_workload) (
rate(istio_requests_total{reporter="destination"}[5m])
)

Requests by response_flags (to tell whether Envoy is dropping, retrying or timing out)

sum by (response_flags) (
rate(istio_requests_total{reporter="destination"}[5m])
)

Common flags to watch: UO (upstream overflow, i.e. the circuit breaker is open), UF (upstream connection failure), UT (upstream timeout), NR (no route configured).

Unencrypted / non-mTLS traffic in the mesh (verify PeerAuthentication STRICT)

sum by (source_workload, destination_workload, connection_security_policy) (
rate(istio_requests_total{reporter="destination"}[5m])
)

Then filter on connection_security_policy!="mutual_tls" to isolate non-mTLS traffic: a symptom of a workload outside the mesh or of an overly permissive PeerAuthentication (PERMISSIVE/DISABLE).

Active upstream connections per destination (pool saturation)

envoy_cluster_upstream_cx_active

Requests rejected due to circuit breaker overflow

rate(envoy_cluster_upstream_rq_pending_overflow[5m])
sum by (destination_service_name) (
# UO = upstream overflow (circuit breaker open); RR is not an Envoy response flag
rate(istio_requests_total{reporter="destination", response_flags=~".*UO.*"}[5m])
)

Connections reset (RST) towards upstream

rate(envoy_cluster_upstream_cx_destroy_with_active_rq[5m])
sum by (destination_service_name) (
rate(istio_requests_total{reporter="destination", response_flags=~".*UT.*"}[5m])
)