Allocating two new identities and updating the policy engine can take too long, tripping a circuit-breaker (100ms) and returning a DNS message early to the endpoint.
I have an excerpt from an agent log that shows this. The summary:
- 29.960481392Z: ipcache starts
- 29.964383980Z: allocation complete, update policy engine
- 29.987019603Z: policy engine update complete, waiting for Envoy to update