istio/istio#17176 istio/istio#15086
- Envoy - https://www.envoyproxy.io/docs/envoy/latest/
- Envoy Access Log: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage
- Check proxy config
istioctl pc listener istio-ingressgateway-xxxx-yyyy.istio-system -o json
- Need Istio injection for RequestAuthentication and AuthorizationPolicy to work
- Host in Gateway and sni in EnvoyFilter should match for listener config
- Check envoy version included in istio
kubectl -n <ns> exec -it <pod> -c istio-proxy -- pilot-agent request GET server_info
- DENY policy is checked first (DENY policies are evaluated before ALLOW policies)
- local_reply_config to customize 403 output is supported only from envoy v1.15+
- No customization available for upstream errors (local_reply_config only rewrites replies generated by Envoy itself)
- A route for / is needed in the VirtualService for the EnvoyFilter to work if there is a separate route for the context path
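An added example (not from the original notes) of an EnvoyFilter that uses local_reply_config on the ingress gateway to replace Envoy's default 403 body with a JSON message; the filter name, namespace and gateway label are assumptions. Because local_reply_config only rewrites replies generated locally by Envoy, a 403 returned by an upstream service passes through unchanged.

```yaml
# Assumed: ingress gateway pods in istio-system carry the label istio=ingressgateway.
# Requires the Envoy bundled with Istio to be v1.15 or newer (local_reply_config).
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: custom-403-reply        # assumed name
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        # For a TLS listener, add filterChain.sni here so it matches the
        # host declared in the Gateway (see the sni note above).
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          local_reply_config:
            mappers:
            # Only local replies with status 403 (e.g. an AuthorizationPolicy DENY
            # enforced by the RBAC filter) are rewritten; other codes are untouched.
            - filter:
                status_code_filter:
                  comparison:
                    op: EQ
                    value:
                      default_value: 403
                      runtime_key: local_reply_403   # assumed runtime key name
              status_code: 403
              body_format_override:
                json_format:
                  code: "%RESPONSE_CODE%"
                  message: "access denied by authorization policy"
                  detail: "%LOCAL_REPLY_BODY%"
                  flags: "%RESPONSE_FLAGS%"
```

After applying it, confirm the merged HttpConnectionManager with `istioctl pc listener <gateway-pod>.istio-system -o json` and trigger a denied request to see the JSON body instead of the plain "RBAC: access denied" text.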
- Analyze
istioctl analyze -n <ns>
- Describe
istioctl x describe service <ns>.<service>
- Install manifest
istioctl manifest install --set values.pilot.enableProtocolSniffingForOutbound=false
- Set envoy log level
Method 1:
istioctl dashboard envoy <pod>.<ns> --address "0.0.0.0"
curl -X POST http://localhost:15000/logging?level=info
kubectl -n <ns> logs -f <pod> istio-proxy
Method 2:
istioctl dashboard controlz $(kubectl -n istio-system get pods -l app=istiod -o jsonpath='{.items[0].metadata.name}').istio-system --port 15000 --address "0.0.0.0"
kubectl -n <ns> exec <pod> -c istio-proxy -- pilot-agent request POST 'logging?connection=info'
kubectl -n <ns> exec <pod> -c istio-proxy -- pilot-agent request POST 'logging?level=info'
kubectl -n <ns> exec <pod> -c istio-proxy -- pilot-agent request POST 'logging?rbac=debug'
- Authorization debug
https://istio.io/latest/docs/ops/common-problems/security-issues/#ensure-istiod-accepts-the-policies