How to disable Check policy in Istio 1.0 #7663
Comments
|
Hi, Mixer policy is fail-close by default. That means if you remove policy pods, then the requests to policy fail, and that is interpreted as a policy failure. To disable policy checks being applied altogether, you need to edit the mesh config (and restart pilot pods): The corresponding installation helm option is this: |
|
@kyessenov Here is my meshconfig: apiVersion: v1 My requests are responsed like this: About to connect() to apigateway.smhtest.svc.a1.uae port 12344 (#0)
< HTTP/1.1 503 Service Unavailable |
|
@kyessenov |
|
Related to #7759 as well as pilot general slowness to push updates. |
|
Do you mind closing this issue and opening up another one with some evidence / logs for the few minute delay after restarting pilot? |
|
@kyessenov |
Describe the bug
I don't want to use mixer check policy because I need less request latency. While in Istio 1.0, when I shut down istio-policy service, my requests get response with HTTP status code 503 like this:
`* About to connect() to apigateway.smhtest.svc.a1.uae port 12344 (#0)
< HTTP/1.1 503 Service Unavailable
< content-length: 33
< content-type: text/plain
< date: Mon, 06 Aug 2018 13:06:34 GMT
< server: envoy
< x-envoy-decorator-operation: apigateway.smhtest.svc.a1.uae:12344/*
<
Connection #0 to host apigateway.smhtest.svc.a1.uae left intact
UNAVAILABLE:Cluster not available
Expected behavior
I want my http requests can be routed to the desired server and get correctly answered instead of the status code 503 responded by envoy, even when there is no istio-policy service.
Steps to reproduce the bug
Just shut down your istio-policy service.
Version
Kubernetes 1.10
Istio 1.10
Is Istio Auth enabled or not?
Istio Auth disabled
Environment
Centos 7.0
The text was updated successfully, but these errors were encountered: