=== CMD 1: kubectl apply -f manifest.yaml (client+echo) && wait client Ready + echo rollout === (already applied earlier in this run; re-showing current state) NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES client 2/2 Running 0 2m54s 10.255.194.122 k8s-worker1 echo-5767bbcc56-hpv6x 2/2 Running 0 2m53s 10.255.126.2 k8s-worker2 === CMD 2: before_nack curl (corrected rule: SHORT k8s-service name, not *.svc.homelab.local) === before_nack=200 === CMD 3: apply broken EnvoyFilter (attempt 1 of up to 3 -- see below for prior rejected variant class from run1) === --- ATTEMPT: envoy.filters.http.local_ratelimit with token_bucket.max_tokens=0 (valid TypedStruct, PGV-invalid value) --- (already applied; showing admission result again for the record) envoyfilter.networking.istio.io/broken-filter-client-only unchanged (server dry run) (dry-run=server against existing object; real apply already succeeded earlier: 'envoyfilter.networking.istio.io/broken-filter-client-only created' — ADMISSION WEBHOOK PASSED) === CMD 4: sleep 8 (already elapsed) === === CMD 5: istioctl proxy-status | grep client (summary table -- Istio 1.30 no longer has per-type SYNCED/STALE columns, shows SUBSCRIBED TYPES count) === NAME CLUSTER ISTIOD VERSION SUBSCRIBED TYPES client.istio-vt-t38-r2 Kubernetes istiod-797b447c94-cv7ns 1.30.0 4 (CDS,LDS,EDS,RDS) === CMD 5b (adapted STALE check for this istioctl version): istioctl proxy-status client.istio-vt-t38-r2 -- per-proxy sync diff vs istiod === Clusters Match Listeners Don't Match --- Istiod Listeners ... [full diff saved separately; key excerpt below: listener 0.0.0.0_80 activeState vs errorState] === CMD 6: istiod logs grep for filter name / ACK ERROR === : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) 2026-07-05T01:03:05.336644Z warn delta ADS:LDS: ACK ERROR client.istio-vt-t38-r2-1783 Internal:Error adding/updating listener(s) 10.250.50.85_15021: goo.gle/debugonly : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) : Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0) === CMD 7: after_nack curl === after_nack=200 after_nack_retry2=200 === CMD 8: delete broken EnvoyFilter === envoyfilter.networking.istio.io "broken-filter-client-only" deleted from istio-vt-t38-r2 namespace === APPENDIX: istioctl proxy-status client.istio-vt-t38-r2 -- excerpt for listener 0.0.0.0_80 (the client->echo outbound HTTP listener) === captured while broken-filter-client-only was still applied, before CMD8 delete + "details": "goo.gle/debugonly \nstat_prefix: \"http_local_rate_limiter\"\ntoken_bucket {\n tokens_per_fill {\n value: 1\n }\n fill_interval {\n seconds: 1\n }\n}\nfilter_enabled {\n default_value {\n numerator: 100\n }\n runtime_key: \"local_rate_limit_enabled\"\n}\nfilter_enforced {\n default_value {\n numerator: 100\n }\n runtime_key: \"local_rate_limit_enforced\"\n}\n: Proto constraint validation failed (LocalRateLimitValidationError.TokenBucket: embedded message failed validation | caused by TokenBucketValidationError.MaxTokens: value must be greater than 0)" } }, { "activeState": { "listener": { "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", "name": "0.0.0.0_443", @@ -973,37 +1629,14 @@ { "name": "istio.stats", "typedConfig": { "@type": "type.googleapis.com/stats.PluginConfig" } }, { - "name": "envoy.filters.http.local_ratelimit", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit", - "statPrefix": "http_local_rate_limiter", - "tokenBucket": { - "tokensPerFill": 1, - "fillInterval": "1s" - }, - "filterEnabled": { - "defaultValue": { - "numerator": 100 - }, - "runtimeKey": "local_rate_limit_enabled" - }, - "filterEnforced": { - "defaultValue": { - "numerator": 100 - }, - "runtimeKey": "local_rate_limit_enforced" - } - } - }, - { "name": "envoy.filters.http.router", "typedConfig": { "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" } } ], "tracing": { @@ -1202,14 +1835,365 @@ } ], "listenerFiltersTimeout": "0s", "continueOnListenerFiltersTimeout": true, "trafficDirection": "OUTBOUND", "bindToPort": false } + }, + "errorState": { + "failedConfiguration": { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "0.0.0.0_80", + "address": { + "socketAddress": { + "address": "0.0.0.0", + "portValue": 80 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "transportProtocol": "raw_buffer", + "applicationProtocols": [ + "http/1.1", + "h2c" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "outbound_0.0.0.0_80;", + "rds": { + "configSource": { + "ads": { + + }, + "initialFetchTimeout": "0s", + "resourceApiVersion": "V3" + }, + "routeConfigName": "80" + }, + "httpFilters": [ + { + "name": "istio.metadata_exchange", + "typedConfig": { + "@type": "type.googleapis.com/udpa.type.v1.TypedStruct", + "typeUrl": "type.googleapis.com/io.istio.http.peer_metadata.Config", + "value": { + "upstream_discovery": [ + { + "istio_headers": { + } + }, + { + "workload_discovery": { + } + } + ], + "upstream_propagation": [ + { + "istio_headers": { + }