---
title: Enabling Policy Enforcement (Deprecated)
description: This task shows you how to enable Istio policy enforcement.
weight: 1
keywords:
---
{{< warning >}}
The mixer policy is deprecated in Istio 1.5 and not recommended for production usage.

- Rate limiting: Consider using Envoy native rate limiting instead of mixer rate limiting. Istio will add support for the native rate limiting API through the Istio extensions API.
- Control headers and routing: Consider using the Envoy `ext_authz` filter, the `lua` filter, or write a filter using the Envoy-wasm sandbox.
- Denials and White/Black Listing: Please use the Authorization Policy for enforcing access control to a workload.
{{< /warning >}}
This task shows you how to enable Istio policy enforcement.
## At install time

In the default Istio installation profile, policy enforcement is disabled. To install Istio
with policy enforcement on, use the `--set meshConfig.disablePolicyChecks=false` and `--set values.pilot.policy.enabled=true` install options.

Alternatively, you may install Istio using the demo profile, which enables policy checks by default.
## For an existing Istio mesh

1. Check the status of policy enforcement for your mesh.

    {{< text bash >}}
    $ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
    disablePolicyChecks: true
    {{< /text >}}

    If policy enforcement is enabled (`disablePolicyChecks` is `false`), no further action is needed.

1. Update the `istio` configuration to enable policy checks.

    Execute the following command from the root Istio directory:

    {{< text bash >}}
    $ istioctl manifest apply --set meshConfig.disablePolicyChecks=false --set values.pilot.policy.enabled=true
    configuration "istio" replaced
    {{< /text >}}

1. Validate that policy enforcement is now enabled.

    {{< text bash >}}
    $ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
    disablePolicyChecks: false
    {{< /text >}}
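As an added example (not part of the Istio documentation or the `istioctl` tooling), the following POSIX shell script applies the check from the steps above to the `mesh` text that the `kubectl ... jsonpath="{@.data.mesh}"` command prints. It distinguishes three states rather than two (enabled, disabled, and key absent) and prints the `istioctl` command from this task when enforcement is off; the ConfigMap contents it runs against are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added example: classify Mixer policy enforcement from the `mesh` section of
# the istio ConfigMap. Input is the text printed by
#   kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}"
# Constructed samples stand in for that output below.

SAMPLE_MESH_DISABLED='accessLogFile: ""
disablePolicyChecks: true
enableTracing: true'

SAMPLE_MESH_ENABLED='accessLogFile: ""
disablePolicyChecks: false
enableTracing: true'

# Constructed sample with the key absent: the mesh default applies, and the
# ConfigMap alone does not tell you what that default is.
SAMPLE_MESH_UNSET='accessLogFile: ""
enableTracing: true'

# policy_state MESH_TEXT
# Prints "enabled" when disablePolicyChecks is false, "disabled" when it is
# true, and "unset" when the key is not present. Anything else is an error.
policy_state() {
  value=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*disablePolicyChecks:[[:space:]]*\([A-Za-z]*\).*/\1/p' \
    | head -n 1)
  case "$value" in
    false) echo enabled ;;
    true)  echo disabled ;;
    "")    echo unset ;;
    *)     echo "unexpected disablePolicyChecks value: $value" >&2; return 1 ;;
  esac
}

# enable_cmd prints (does not run) the istioctl command used in this task.
enable_cmd() {
  echo 'istioctl manifest apply --set meshConfig.disablePolicyChecks=false --set values.pilot.policy.enabled=true'
}

main() {
  for sample in "$SAMPLE_MESH_DISABLED" "$SAMPLE_MESH_ENABLED" "$SAMPLE_MESH_UNSET"; do
    state=$(policy_state "$sample")
    echo "policy enforcement: $state"
    [ "$state" = enabled ] || echo "  to enable, run: $(enable_cmd)"
  done
}

main
```

To run it against a live mesh, replace a sample with `"$(kubectl -n istio-system get cm istio -o jsonpath='{@.data.mesh}')"` and review the printed command before executing it.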