This repository has been archived by the owner on May 23, 2023. It is now read-only.

Debug Authorization check in Istio 1.1.x

Scott Ganyo edited this page May 15, 2019 · 1 revision

Do you have istio-proxy on your target?

$ kubectl get pods

NAME                             READY     STATUS    RESTARTS   AGE
helloworld-v1-d4557d97b-zfcfs    2/2       Running   0          3d
helloworld-v2-7dd57c44c4-v7qss   2/2       Running   0          3d

Your target pods should show 2/2 under READY.

Is mixer running?

$ kubectl -n istio-system get pods -l chart=mixer

NAME                              READY     STATUS    RESTARTS   AGE
istio-policy-7bfbf5d6db-nk2ct     2/2       Running   0          3d
istio-telemetry-957c685dd-tqhxd   2/2       Running   0          3d

You should see at least one policy and telemetry mixer instance.

Is Istio policy support enabled?

$ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks

disablePolicyChecks: false

If disablePolicyChecks: true, Istio is not enforcing policy. See Istio docs.

IMPORTANT: If you're running Istio 1.1.6 or prior, your service port must be named and must not be a "tcp" port! See issue #13868 and the service port naming documentation.

Are there errors in the policy mixer log?

$ kubectl -n istio-system logs "$(kubectl -n istio-system get po -l istio-mixer-type=policy -o 'jsonpath={.items[0].metadata.name}')" mixer | grep error

Is the adapter running?

$ kubectl -n istio-system get svc -l app=apigee-adapter

NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
apigee-adapter   ClusterIP   10.110.77.242   <none>        5000/TCP   4d

$ kubectl -n istio-system get po -l app=apigee-adapter

NAME                              READY     STATUS    RESTARTS   AGE
apigee-adapter-7d5f8b7f9f-jvmqs   1/1       Running   0          4d
apigee-adapter-7d5f8b7f9f-qlfdz   1/1       Running   0          4d

Is the handler registered and correct?

$ kubectl -n istio-system get handler apigee-handler -o custom-columns=KIND:.kind,NAME:.metadata.name,ADAPTER:.spec.adapter

KIND      NAME             ADAPTER
handler   apigee-handler   apigee

Is the rule correct?

$ kubectl -n istio-system get rule apigee-rule -o custom-columns=MATCH:.spec.match

MATCH
context.reporter.kind == "inbound" && destination.namespace == "default"

Is the product set up correctly in Apigee?

The path cannot be empty in the Apigee product.

Try turning on debug logging for the adapter and for attributes in the policy mixer

See instructions here.
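
The sidecar, policy-enforcement and rule checks above can be scripted so that a condition in which the authorization check is silently skipped is flagged rather than read off by eye. This is an added example, not code from the original page or from the adapter project; the function names and the sample data (including the `helloworld-v3` pod and the `prod` namespace) are constructed, and each function reads the output of one of this page's kubectl commands on stdin.

```shell
#!/bin/sh
# Added example: offline checks over the output of this page's kubectl commands.
# Function names and all sample data below are constructed for illustration.

# Names of pods whose READY column is not 2/2 (sidecar missing or not ready).
# stdin: output of `kubectl get pods`
pods_not_2_of_2() {
  awk '$1 != "NAME" && NF >= 2 && $2 != "2/2" { print $1 }'
}

# Succeeds only when the mesh config explicitly has disablePolicyChecks: false.
# A missing key is reported as "not enforced" (a choice made for this example).
# stdin: output of `kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}"`
policy_checks_enabled() {
  grep -Eq '^[[:space:]]*disablePolicyChecks:[[:space:]]*false[[:space:]]*$'
}

# Succeeds only when the rule's match expression names namespace $1.
# stdin: output of `kubectl -n istio-system get rule apigee-rule -o custom-columns=MATCH:.spec.match`
rule_covers_namespace() {
  grep -Fq "destination.namespace == \"$1\""
}

# Constructed sample: helloworld-v3 has no istio-proxy sidecar (1/1).
sample_pods() {
  cat <<'EOF'
NAME                             READY     STATUS    RESTARTS   AGE
helloworld-v1-d4557d97b-zfcfs    2/2       Running   0          3d
helloworld-v3-0000000000-xxxxx   1/1       Running   0          1h
EOF
}
sample_mesh() { printf 'disablePolicyChecks: true\nenableTracing: true\n'; }
sample_rule() {
  printf 'MATCH\ncontext.reporter.kind == "inbound" && destination.namespace == "default"\n'
}

# Summarise which conditions would let requests bypass the authorization check.
report() {
  for p in $(sample_pods | pods_not_2_of_2); do echo "no sidecar: $p"; done
  sample_mesh | policy_checks_enabled || echo "mesh: policy checks not enforced"
  sample_rule | rule_covers_namespace prod || echo "rule: namespace prod not covered"
}
report
```

Against a live cluster, pipe the corresponding command from this page into the function, for example `kubectl get pods | pods_not_2_of_2`.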