How can I enable access log for istio-proxy in a specific namespace?

Solution Unverified - Updated -

Environment

  • OpenShift Container Platform 4.6, 4.7
  • Red Hat OpenShift Service Mesh v2

Issue

  • How can I enable access log for istio-proxy in a specific namespace?
  • For performance reasons, I don't want to enable access logging for istio-proxy globally. How can I do that?

Resolution

# enable-bookinfo-accesslog.yaml

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: enable-bookinfo-accesslog
  namespace: bookinfo
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: ANY
      listener:
        filterChain:
          filter:
            name: envoy.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          access_log:
          - name: envoy.file_access_log
            config:
              path: /dev/stdout

oc create -f enable-bookinfo-accesslog.yaml

If you want to enable access logging globally in Red Hat OpenShift Service Mesh, refer to KB5127991.

Root Cause

A user may, for some reason, not want to enable access logging in all namespaces. In that case, an EnvoyFilter can be used to achieve this.

Diagnostic Steps

  • After the configuration has been created, access logs should appear in the istio-proxy sidecar. Check the log with the command below:

oc logs <YOUR_POD_NAME> -c istio-proxy -f
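
To review what the sidecar writes once the filter is active, the following added example (not part of the original solution) parses istio-proxy access log lines and lists requests with 4xx/5xx status codes or Envoy response flags. It assumes Envoy's default access log format, since the EnvoyFilter above sets no format; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: Envoy's default access log format (no "format" is set in the filter):
# [START_TIME] "METHOD PATH PROTOCOL" CODE FLAGS BYTES_RX BYTES_TX DURATION
# UPSTREAM_TIME "X-FORWARDED-FOR" "USER-AGENT" "X-REQUEST-ID" "AUTHORITY" "UPSTREAM_HOST"
LINE_RE = re.compile(
    r'^\[(?P<start_time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<protocol>[^"]+)" '
    r'(?P<code>\d{1,3}) (?P<flags>\S+) (?P<bytes_rx>\d+) (?P<bytes_tx>\d+) '
    r'(?P<duration_ms>\d+) (?P<upstream_ms>\S+) '
    r'"(?P<xff>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<request_id>[^"]*)" '
    r'"(?P<authority>[^"]*)" "(?P<upstream_host>[^"]*)"'
)

# Constructed sample of `oc logs <pod> -c istio-proxy` output (not real traffic).
SAMPLE = [
    '2021-03-01T10:15:00.000000Z\tinfo\tconstructed proxy log line, not an access log',
    '[2021-03-01T10:15:02.123Z] "GET /productpage HTTP/1.1" 200 - 0 4183 25 24 "-" "curl/7.61.1" "00000000-0000-4000-8000-000000000001" "productpage:9080" "127.0.0.1:9080"',
    '[2021-03-01T10:15:03.456Z] "GET /api/v1/products/0/reviews HTTP/1.1" 503 UF 0 91 3 - "-" "curl/7.61.1" "00000000-0000-4000-8000-000000000002" "productpage:9080" "10.128.2.15:9080"',
    '[2021-03-01T10:15:04.789Z] "POST /login HTTP/1.1" 401 - 29 0 2 1 "-" "python-requests/2.25.1" "00000000-0000-4000-8000-000000000003" "productpage:9080" "127.0.0.1:9080"',
]

def parse_line(line):
    """Return a dict of access log fields, or None for non-access-log lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("code", "bytes_rx", "bytes_tx", "duration_ms"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Return (status code counts, records with a 4xx/5xx code or a response flag)."""
    counts, flagged = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # the sidecar also emits its own proxy log lines; skip them
            continue
        counts[rec["code"]] += 1
        if rec["code"] >= 400 or rec["flags"] != "-":
            flagged.append(rec)
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE)
    print(dict(counts))
    for rec in flagged:
        print(rec["start_time"], rec["method"], rec["path"], rec["code"], rec["flags"])
```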
