This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.


The MENU > MESH page on the Service Mesh Manager web interface shows information about your service mesh and the control planes.

Mesh overview Mesh overview

The page shows the following real-time information:

The mesh in numbers

  • CONTROL PLANES: The number of Istio control planes in the mesh.
  • CLUSTERS: The number of clusters in the mesh.
  • ISTIO PROXIES MEMORY USAGE: Current memory usage of the Istio proxies (sidecars).
  • ISTIO PROXIES CPU USAGE: Current CPU usage of the Istio proxies (sidecars).
  • ISTIO PROXIES NOT RUNNING: The Istio proxies (sidecars) that are not running for some reason.


Displays basic status information about the clusters in the mesh.

Clusters Clusters

This is mostly useful in the multi-cluster setup when multiple clusters are in the mesh.

Control planes

This section displays information and metrics about the Istio control planes in the mesh, including version and revision information, and validation errors.

Istio control planes in the mesh Istio control planes in the mesh

Click on a specific control plane to display information about:

In addition, selecting a control plane also shows the following basic information:

  • CLUSTER NAME: The name of the cluster the control plane is running on.
  • VERSION: The Istio version of the service mesh.
  • ROOT NAMESPACE: The administrative root namespace for Istio configuration of the service mesh.
  • TRUST DOMAIN: The list of trust domains.
  • AUTOMATIC MTLS: Shows whether automatic mutual TLS is enabled for the service mesh.
  • OUTBOUND TRAFFIC POLICY: The default outbound traffic policy for accessing external services set for the mesh. For details, see External Services.
  • PROXIES: The number of sidecar proxies in the mesh.
  • CONFIG: Click the Show YAML configuration icon to display the configuration of the control plane.


Shows information and status about the pods of the control plane.

Control plane pods Control plane pods


Lists the proxies managed by the control plane, and the synchronization status of the cluster discovery service (CDS), listener discovery service (LDS), endpoint discovery service(EDS), and route discovery service (RDS) for the proxy.

Control plane proxies Control plane proxies

Trust bundles

Shows the trust bundles defined for the control plane.

Validation issues

Lists the validation issues for the entire control plane.

Control plane validation Control plane validation


The timeline charts show the version and revision of the Istio proxies used in the mesh, as well as error metrics from the Istio Pilot agent, for example, rejected CDS and EDS configurations. (Istio Pilot agent runs in the sidecar or gateway container and bootstraps Envoy.)

To display more detailed metrics about the resource usage of Istiod and the proxies, click on a control plane in the Control planes section.

Control plane metrics Control plane metrics

1 - Validation

The Service Mesh Manager product:

  • simplifies service mesh configuration and management,
  • guides you through setting up complex traffic routing rules
  • takes care of creating, merging and validating the YAML configuration.

And unlike some other similar products, it’s working in both directions: you can edit the YAML files manually, and you can still view and manipulate the configuration from Service Mesh Manager. That’s possible because there’s no intermediate configuration layer in Service Mesh Manager.

To support the bi-directional mesh configuration, Service Mesh Manager provides a validation subsystem for the entire mesh. Istio itself provides some syntactic and semantic validation for the individual Istio resources, but Service Mesh Manager goes even further. Service Mesh Manager performs complex validations which take the whole cluster state and related resources into account to check whether everything is configured correctly within the whole mesh.

Service Mesh Manager performs a lot of syntactical and semantical validation checks for various aspects of the configuration. The validation checks are constantly curated and new checks added with every release. For example:

  • Sidecar injection template validation: Validates whether there are any pods in the environment that run with outdated sidecar proxy image or configuration.
  • Gateway port protocol configuration conflict validation: Detects conflicting port configuration in different Gateway resources.
  • Multiple gateways with the same TLS certificate validation: Configuring multiple gateways to use the same TLS certificate causes most browsers to produce 404 errors when accessing a second host after a connection to another host has already been established.

Check validation results on the Service Mesh Manager UI

The validations are constantly running in the background. To display the actual results, navigate to OVERVIEW > VALIDATION ISSUES. You can use the NAMESPACES field to select the namespaces you want to observe.

Show validation results Show validation results

To display the invalid part of the configuration in the invalid resource, click the Show YAML configuration icon.

Show validation details Show validation details

To display every validation error of a control plane as a list, navigate to MENU > MESH, and click on the control plane in the Control planes section, then select VALIDATIONS. For details, see Validation issues.

Check validation results from the CLI

To check the results of the validation from the CLI, run the smm analyze command. To show only results affecting a specific namespace, use the –namespace option, for example: smm analyze --namespace smm-demo, or smm analyze --namespace istio-system

The smm analyze command can also produce JSON output, for example:

smm analyze --namespace istio-system -o json

Example output:

  "": [
      "checkID": "gateway/reused-cert",
      "istioRevision": "cp-v115x.istio-system",
      "subjectContextKey": "",
      "passed": false,
      "error": {},
      "errorMessage": "multiple gateways configured with same TLS certificate"
  "": [
      "checkID": "gateway/reused-cert",
      "istioRevision": "cp-v115x.istio-system",
      "subjectContextKey": "",
      "passed": false,
      "error": {},
      "errorMessage": "multiple gateways configured with same TLS certificate"