Istio namespaces are missing when Istio Add-On is enabled

Question

Istio namespaces are missing when Istio Add-On is enabled

Majid Rafigh 40 Microsoft Employee

I am evaluating using the Istio add‑on in AKS cluster. For testing a few scenarios, I need to enable and disable the add‑on. After disabling and re‑enabling it, I don’t see the Istio‑related namespaces in the cluster, such as istio-system or aks-istio-ingress. I checked the logs for errors but didn’t find anything. I also re‑enabled the add‑on multiple times, but it didn’t help, even though the add‑on shows as enabled in the portal.

Ankit Yadav 12,120 Reputation points Microsoft External Staff Moderator

2026-02-11T10:16:50.43+00:00

Additionally, to help you further, I have sent you a private message. Please check your messages and provide the necessary details.
Majid Rafigh 40 Reputation points Microsoft Employee

2026-02-11T18:59:35.0533333+00:00

Sorry Ankit for causing confusion.

I am aware of self-managed mode, what I meant was the aks-istio-system is missing. Also, since I am going to use K8s Gateway API extension, I am not enabling ingress, so aks-istio-ingress is fine that doesn't exist.

I am checking reconciliation state and logs, and I don't see any issues, that's why I am out of ideas.

In that case, cleaning up any leftover Istio CRDs (if applicable) and then disabling and re-enabling the add-on via CLI typically resolves the issue.

I have already done this, but no luck, maybe I am missing a CRD.
Ankit Yadav 12,120 Reputation points Microsoft External Staff Moderator

2026-02-12T06:21:26.0933333+00:00
Hello @Majid Rafigh ,

If the aks-istio-system namespace is missing after you re-enable the Istio add-on, that is not expected behavior. The namespace is automatically created when the Istio add-on is successfully enabled. It contains the Istio control plane. If it does not appear, it usually means the control plane was not fully provisioned, even if the add-on shows as enabled.

Since you’ve already:

Disabled and re-enabled the add-on using the CLI

Removed existing Istio CRDs

Checked reconciliation status and logs without seeing errors

The next step is to verify that the service mesh configuration and revision state are correct. A mismatch or stale revision can prevent the control plane from being created — and this can happen without obvious error messages.

Step 1: Verify the service mesh profile on the cluster

Run:

az aks show -g <rg> -n <cluster> --query serviceMeshProfile -o json

Please confirm:

"mode" is set to "Istio"

There is at least one entry under istio.revisions

Then check which revisions are supported for your AKS version and region:

az aks mesh get-revisions --location <location> -o table

If the revision configured on your cluster does not match a supported revision, provisioning may silently fail.

Step 2: Check whether the control plane namespace is created

After re-enabling the add-on, wait a few minutes and run:

kubectl get ns | grep aks-istio

If aks-istio-system appears -> the control plane is being created.

If it does not appear -> the add-on did not complete reconciliation.

Step 3: Confirm there are no leftover Istio CRDs

Sometimes CRDs from previous installations remain and block re-provisioning.

Run:

kubectl get crd | grep istio

If any are listed, delete them, then disable and re-enable the add-on again.

Step 4: If the namespace exists but Istio is not healthy

If aks-istio-system exists but seems empty or unstable, check:

kubectl get pods -n aks-istio-system kubectl logs --selector app=istiod -n aks-istio-system kubectl get events -n aks-istio-system

This will help identify whether the control plane is failing during startup.

Answer accepted by question author

1 additional answer

Your answer

Ankit Yadav 12,120 Reputation points Microsoft External Staff Moderator

2026-02-11T10:16:50.43+00:00

Additionally, to help you further, I have sent you a private message. Please check your messages and provide the necessary details.
Majid Rafigh 40 Reputation points Microsoft Employee

2026-02-11T18:59:35.0533333+00:00

Sorry Ankit for causing confusion.

I am aware of self-managed mode, what I meant was the aks-istio-system is missing. Also, since I am going to use K8s Gateway API extension, I am not enabling ingress, so aks-istio-ingress is fine that doesn't exist.

I am checking reconciliation state and logs, and I don't see any issues, that's why I am out of ideas.

In that case, cleaning up any leftover Istio CRDs (if applicable) and then disabling and re-enabling the add-on via CLI typically resolves the issue.

I have already done this, but no luck, maybe I am missing a CRD.

Answer 1

We worked with the customer offline and the issue was mitigated, below is the RCA for the issue:

Issue Summary:

The customer's AKS cluster showed Istio add-on as "enabled" in the Azure Portal UI, but no Istio-related namespaces (e.g., aks-istio-system) were created, leading to control-plane instability.

Root Cause

We checked the issue from the backend and found that the Istio add-on could not be enabled because some parts of a previous Istio installation were not fully removed from the cluster.

There were leftover webhooks from the earlier Istio setup. These webhooks had different configuration details than what the AKS Istio add-on expects. Because of this mismatch, the API server was not able to communicate with them properly, and as a result, Istio could not be configured successfully.

Mitigation:

->We identified the Istio-related webhooks by running the command

kubectl get validatingwebhookconfiguration and kubectl get mutatingwebhookconfiguration, then filtering for Istio entries. After identifying them, we deleted the leftover webhooks.

-> Next, we disabled the Istio add-on and then enabled it again. This time, it was deployed correctly with the proper settings, which helped stabilize the cluster.

Best Practices:

Before enabling Istio, always check if there are any existing Istio resources in the cluster. Look for validating or mutating webhooks, CRDs, and related namespaces, and remove them if they are leftovers from a previous installation.
Avoid making manual changes in the kube-system namespace, as this can affect core cluster components and cause unexpected issues.
After uninstalling Istio, make sure everything is completely removed, including webhooks, CRDs, roles, and any related resources. This helps prevent conflicts when reinstalling or enabling the add-on again.

Answer 2

If you are not seeing the Istio-related namespaces (like istio-system or aks-istio-ingress) after re-enabling the Istio add-on in your AKS cluster, there are a few steps you can take to troubleshoot this issue:

Verify Installation: Use the istioctl verify-install command to ensure that Istio is installed correctly. This command can help confirm whether the installation was successful and if the necessary components are present.
```
   istioctl verify-install --istioNamespace aks-istio-system --revision <tag>
```
Check Namespace Creation: Sometimes, namespaces may not be created automatically. You can manually check if the namespaces exist using the following command:
```
   kubectl get namespaces
```
If the namespaces are missing, you may need to create them manually or investigate further why they are not being created.
Review Logs: Since you mentioned checking logs for errors, ensure you are looking at the correct logs for the Istio components. You can retrieve the logs for the Istiod pod using:
```
   kubectl logs --selector app=istiod --namespace aks-istio-system
```
Deployment Status: Check the status of the Istio deployment and replica sets to see if there are any issues preventing the pods from starting. Use:
```
   kubectl get deployments --namespace aks-istio-system
   kubectl get pods --namespace aks-istio-system
```
Re-enable Add-On: If the add-on shows as enabled in the portal but the namespaces are still missing, consider disabling and re-enabling the add-on again, ensuring that there are no underlying issues with the AKS cluster itself.

If the problem persists after these steps, you may want to consult Azure support for further assistance.

Share via

Istio namespaces are missing when Istio Add-On is enabled

1 additional answer

Your answer