Enabling Policy Enforcement (Deprecated)
The mixer policy is deprecated in Istio 1.5 and not recommended for production usage.
Rate limiting: Consider using Envoy native rate limiting instead of mixer rate limiting. Istio will add support for native rate limiting API through the Istio extensions API.
Control headers and routing: Consider using Envoy ext_authz filter, lua filter, or write a filter using the Envoy-wasm sandbox.
Denials and White/Black Listing: Please use the Authorization Policy for enforcing access control to a workload.
This task shows you how to enable Istio policy enforcement.
At install time
In the default Istio installation profile, policy enforcement is disabled. To install Istio with policy enforcement on, use the --set meshConfig.disablePolicyChecks=false and --set values.pilot.policy.enabled=true install options.
Alternatively, you may install Istio using the demo profile, which enables policy checks by default.
For an existing Istio mesh
Check the status of policy enforcement for your mesh.
$ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
disablePolicyChecks: true
If policy enforcement is enabled (disablePolicyChecks is false), no further action is needed.
Update the istio configuration to enable policy checks.
Execute the following command from the root Istio directory:
$ istioctl install --set meshConfig.disablePolicyChecks=false --set values.pilot.policy.enabled=true
configuration "istio" replaced
Validate that policy enforcement is now enabled.
$ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
disablePolicyChecks: false