1.5 KiB
| title | description | weight | keywords | |
|---|---|---|---|---|
| Enabling Policy Enforcement | This task shows you how to enable Istio policy enforcement. | 1 |
|
This task shows you how to enable Istio policy enforcement.
At install time
In the default Istio installation profile, policy enforcement is disabled. To install Istio
with policy enforcement on, use the --set global.disablePolicyChecks=false Helm install option.
Alternatively, you may install Istio using the demo profile, which enables policy checks by default.
For an existing Istio mesh
-
Check the status of policy enforcement for your mesh.
{{< text bash >}} $ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks disablePolicyChecks: true {{< /text >}}
If policy enforcement is enabled, no further action is needed.
-
Edit the
istioconfigmap to enable policy checks.Execute the following command from the root Istio directory:
{{< text bash >}} $ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml --set global.disablePolicyChecks=false | kubectl -n istio-system replace -f - configmap "istio" replaced {{< /text >}}
-
Validate that policy enforcement is now enabled.
{{< text bash >}} $ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks disablePolicyChecks: false {{< /text >}}