
    Enabling Policy Enforcement

    This task shows you how to enable Istio policy enforcement.

    At install time

    In the default Istio installation profile, policy enforcement is disabled. To install Istio with policy enforcement on, use the --set values.global.disablePolicyChecks=false install option.

    Alternatively, you may install Istio using the demo profile, which enables policy checks by default.

    For an existing Istio mesh

    • Check the status of policy enforcement for your mesh.

    $ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
    disablePolicyChecks: true

    If policy enforcement is enabled (disablePolicyChecks is false), no further action is needed.

    • Edit the istio configmap to enable policy checks.

    Execute the following command from the root Istio directory:

    $ istioctl manifest apply --set values.global.disablePolicyChecks=false
    configmap "istio" replaced

    • Validate that policy enforcement is now enabled.

    $ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
    disablePolicyChecks: false
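
The check and validate steps above can be scripted so that a pipeline fails when enforcement is off. The following is an added example, not part of the Istio documentation: the function names and sample mesh configs are constructed for illustration, and a missing disablePolicyChecks key is reported as unknown rather than assumed to have a default.

```shell
#!/bin/sh
# Added example (not from the Istio docs): classify the policy-enforcement
# state from the mesh config text printed by the kubectl command above.

# policy_state: reads mesh config YAML on stdin and prints one of
#   enforced | disabled | unknown
policy_state() {
    # Isolate the value of disablePolicyChecks, drop trailing comments,
    # quotes and whitespace, keep the last occurrence, and lower-case it.
    value=$(sed -n 's/^[[:space:]]*disablePolicyChecks:[[:space:]]*//p' \
        | sed 's/[[:space:]]*#.*$//' \
        | tr -d "\"' \t" \
        | tail -n 1 \
        | tr '[:upper:]' '[:lower:]')
    case "$value" in
        false) echo enforced ;;
        true)  echo disabled ;;
        *)     echo unknown ;;  # key absent or unparsable: assume nothing
    esac
}

# audit_policy: prints the state and returns 0 only when enforcement is on,
# so it can be used as a gate in a deployment or compliance job.
audit_policy() {
    state=$(policy_state)
    echo "policy enforcement: $state"
    [ "$state" = enforced ]
}

# Constructed sample mesh configs (not captured from a real cluster).
SAMPLE_DISABLED='disablePolicyChecks: true
enableTracing: true'
SAMPLE_ENFORCED='enableTracing: true
disablePolicyChecks: "False"  # constructed comment'
SAMPLE_MISSING='enableTracing: true'

# Live use (assumes kubectl access to the istio-system namespace):
#   kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | audit_policy
```

Unlike a bare grep, this distinguishes a mesh where the key is set to true from one where the key does not appear at all.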

    Related content

    App Identity and Access Adapter

    Using Istio to secure multi-cloud Kubernetes applications with zero code changes.

    Mixer and the SPOF Myth

    Improving availability and reducing latency.

    Mixer Adapter Model

    Provides an overview of Mixer's plug-in architecture.

    Control Headers and Routing

    Shows how to modify request headers and routing using policy adapters.

    Denials and White/Black Listing

    Describes how to control access to a service using simple denials or white/black listing.

    Mixer Configuration Model

    Describes the configuration model for Istio's policy enforcement and telemetry mechanisms.