July 2019
Intermediate to advanced
502 pages
14h
English
Istio policy enforcement is similar to the way admission controllers work in Kubernetes. Mixer has a set of adapters that are invoked before and after a request is processed. Before we dive in further, it's important to note that policy enforcement is disabled by default. If you install Istio using Helm, you can enable it by providing the following flag:
--set global.disablePolicyChecks=false
On GKE, it is enabled; here is how to check this:
$ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
disablePolicyChecks: false
If the result is disablePolicyChecks: false, then policy enforcement is already enabled. Otherwise, enable it by editing the Istio ConfigMap and setting disablePolicyChecks to false.
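The grep check above also matches commented-out lines and does not distinguish a missing key, so a scripted audit should parse the value. The following is an added example, not from the book or the Istio project; the function names policy_checks_state and audit_mesh and the sample mesh config are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify disablePolicyChecks in an Istio mesh config.
# Live use (command taken from the text above):
#   kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | audit_mesh

# Reads mesh config text on stdin; prints: enabled | disabled | unset
policy_checks_state() {
    # 1. strip YAML comments and trailing whitespace
    # 2. keep only the value of the disablePolicyChecks key
    # 3. take the last occurrence, drop quotes, normalise case
    value=$(sed -e 's/#.*$//' -e 's/[[:space:]]*$//' \
        | sed -n 's/^[[:space:]]*disablePolicyChecks[[:space:]]*:[[:space:]]*//p' \
        | tail -n 1 | tr -d "\"'" | tr 'A-Z' 'a-z')
    case "$value" in
        false) echo enabled ;;   # checks are not disabled, so enforcement is on
        true)  echo disabled ;;
        *)     echo unset ;;     # key absent or unparsable: do not assume
    esac
}

# Prints the state and returns 0 only when enforcement is confirmed on,
# so it can gate a CI job or a cluster audit.
audit_mesh() {
    state=$(policy_checks_state)
    echo "policy checks: $state"
    [ "$state" = enabled ]
}

# Constructed sample, not output from a real cluster. The commented line
# would fool a plain grep for the key name.
SAMPLE_MESH='# disablePolicyChecks: true
disablePolicyChecks: false
enableTracing: true'

printf '%s\n' "$SAMPLE_MESH" | audit_mesh
```

An "unset" result means the key was not found in the text that was read; treat it as unconfirmed and inspect the ConfigMap by hand.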