Enable Istio Access Logs
You can enable Istio access logs to get fine-grained details about access to the workloads that are part of the Istio service mesh. The logs can help you observe the four “golden signals” of monitoring (latency, traffic, errors, and saturation) and troubleshoot anomalies. The Istio setup shipped with the Istio module provides a pre-configured extension provider for access logs, which configures the Istio proxies to print access logs to stdout in JSON format. It uses a configuration similar to the following:
```yaml
extensionProviders:
  - name: stdout-json
    envoyFileAccessLog:
      path: "/dev/stdout"
      logFormat:
        labels:
          ...
          traceparent: "%REQ(TRACEPARENT)%"
          tracestate: "%REQ(TRACESTATE)%"
```
The log format is based on the Istio default format, enhanced with the attributes needed to identify the related trace context in conformance with the w3c-tracecontext protocol. See Kyma tracing for more details on tracing. See Istio tracing on how to enable trace context propagation with Istio.
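The trace-context fields let you join each access-log entry with its trace. The following Python code is an added example, not part of the Kyma documentation: it validates `traceparent` values against the W3C format and groups error responses by trace ID. The `path` and `response_code` keys are assumed to be among the elided labels, and the sample log lines are constructed.

```python
import json
import re
from collections import defaultdict

# W3C Trace Context header: version-traceid-parentid-flags, lowercase hex.
TRACEPARENT_RE = re.compile(r"^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")

def parse_traceparent(value):
    """Return (trace_id, parent_id, sampled), or None if absent or invalid."""
    match = TRACEPARENT_RE.match(value) if isinstance(value, str) else None
    if not match:
        return None
    version, trace_id, parent_id, flags = match.groups()
    # The spec rejects version ff and all-zero trace or parent IDs.
    if version == "ff" or set(trace_id) == {"0"} or set(parent_id) == {"0"}:
        return None
    return trace_id, parent_id, bool(int(flags, 16) & 0x01)

def errors_by_trace(lines, min_status=500):
    """Return ({trace_id: [(path, status)]}, count of entries without a valid trace)."""
    errors, untraced = defaultdict(list), 0
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # stdout can also carry non-JSON lines
        if not isinstance(entry, dict):
            continue
        context = parse_traceparent(entry.get("traceparent"))
        if context is None:
            untraced += 1  # cannot be correlated with any trace
            continue
        # Assumption: "response_code" and "path" are among the elided labels.
        status = entry.get("response_code")
        if isinstance(status, int) and status >= min_status:
            errors[context[0]].append((entry.get("path"), status))
    return dict(errors), untraced

# Constructed sample log lines, not captured from a real cluster.
TRACE_A = "4bf92f3577b34da6a3ce929d0e0e4736"
SAMPLE_LOGS = [
    json.dumps({"path": "/orders", "response_code": 200, "traceparent": f"00-{TRACE_A}-00f067aa0ba902b7-01"}),
    json.dumps({"path": "/orders/42", "response_code": 503, "traceparent": f"00-{TRACE_A}-b7ad6b7169203331-01"}),
    json.dumps({"path": "/health", "response_code": 200, "traceparent": None}),
    json.dumps({"path": "/probe", "response_code": 500, "traceparent": "00-" + "0" * 32 + "-00f067aa0ba902b7-01"}),
    "not a JSON line",
]

if __name__ == "__main__":
    print(errors_by_trace(SAMPLE_LOGS))
```

Entries counted as untraced carry no usable trace context, which usually means that trace context propagation is not enabled for that request path.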
Warning
Enabling access logs may drastically increase log volume and might quickly fill up your log storage.
Use the Telemetry API to selectively enable Istio access logs. See:
- Configure Istio Access Logs for the Entire Namespace
- Configure Istio Access Logs for a Selective Workload
- Configure Istio Access Logs for a Specific Gateway
- Configure Istio Access Logs for the Entire Mesh
- Go to the namespace for which you want to configure Istio access logs.
- Go to Istio > Telemetries and select Create.
- Provide the name, for example, `access-config`.
- Select Create.
- Export the name of the namespace for which you want to configure Istio access logs.

```bash
export YOUR_NAMESPACE={NAMESPACE_NAME}
```

- To apply the configuration, run:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config
  namespace: $YOUR_NAMESPACE
spec:
  accessLogging:
    - providers:
        - name: stdout-json
EOF
```

- To verify that the resource is applied, run:

```bash
kubectl -n $YOUR_NAMESPACE get telemetries.telemetry.istio.io
```

To configure label-based selection of workloads, use a selector.
- Go to the namespace of the workloads for which you want to configure Istio access logs.
- Go to Istio > Telemetries and select Create.
- Switch to the YAML section and paste the following sample configuration into the editor:

```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config
  namespace: {YOUR_NAMESPACE}
spec:
  selector:
    matchLabels:
      service.istio.io/canonical-name: {YOUR_LABEL}
  accessLogging:
    - providers:
        - name: stdout-json
```

- Replace `{YOUR_LABEL}` with the workloads' label and `{YOUR_NAMESPACE}` with the name of the workloads' namespace.
- Select Create.
- Export the name of the workloads' namespace and their label as environment variables:

```bash
export YOUR_NAMESPACE={NAMESPACE_NAME}
export YOUR_LABEL={LABEL}
```

- To apply the configuration, run:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config
  namespace: $YOUR_NAMESPACE
spec:
  selector:
    matchLabels:
      service.istio.io/canonical-name: $YOUR_LABEL
  accessLogging:
    - providers:
        - name: stdout-json
EOF
```

- To verify that the resource is applied, run:

```bash
kubectl -n $YOUR_NAMESPACE get telemetries.telemetry.istio.io
```

Instead of enabling the access logs for all the individual proxies of the workloads you have, you can enable the logs for the proxy used by the related Istio Ingress Gateway.
- Go to the `istio-system` namespace.
- Go to Istio > Telemetries and select Create.
- Switch to the YAML section and paste the following sample configuration into the editor:

```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  accessLogging:
    - providers:
        - name: stdout-json
```

- Select Create.
- To apply the configuration, run:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  accessLogging:
    - providers:
        - name: stdout-json
EOF
```

- To verify that the resource is applied, run:

```bash
kubectl -n istio-system get telemetries.telemetry.istio.io
```

Enable access logs for all individual proxies of the workloads and Istio Ingress Gateways.
- Go to the `istio-system` namespace.
- Go to Istio > Telemetries and select Create.
- Switch to the YAML section and paste the following sample configuration into the editor:

```yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config
  namespace: istio-system
spec:
  accessLogging:
    - providers:
        - name: stdout-json
```

- Select Create.
- To apply the configuration, run:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config
  namespace: istio-system
spec:
  accessLogging:
    - providers:
        - name: stdout-json
EOF
```

- To verify that the resource is applied, run:

```bash
kubectl -n istio-system get telemetries.telemetry.istio.io
```