Description
Describe the bug
I don't want to use the mixer check policy because I need less request latency. In Istio 1.0, when I shut down the istio-policy service, my requests get a response with HTTP status code 503 like this:
```
* About to connect() to apigateway.smhtest.svc.a1.uae port 12344 (#0)
*   Trying 2002:ac1f:91c5:1::d31c...
* Connected to apigateway.smhtest.svc.a1.uae (2002:ac1f:91c5:1::d31c) port 12344 (#0)
GET /helloworld HTTP/1.1
User-Agent: curl/7.29.0
Host: apigateway.smhtest.svc.a1.uae:12344
Accept: */*
< HTTP/1.1 503 Service Unavailable
< content-length: 33
< content-type: text/plain
< date: Mon, 06 Aug 2018 13:06:34 GMT
< server: envoy
< x-envoy-decorator-operation: apigateway.smhtest.svc.a1.uae:12344/*
<
Connection #0 to host apigateway.smhtest.svc.a1.uae left intact
UNAVAILABLE:Cluster not available
```
Expected behavior
I want my HTTP requests to be routed to the desired server and answered correctly, instead of getting the status code 503 from envoy, even when there is no istio-policy service.
Steps to reproduce the bug
Just shut down your istio-policy service.
Version
Kubernetes 1.10
Istio 1.10
Is Istio Auth enabled or not?
Istio Auth disabled
Environment
Centos 7.0
Activity
kyessenov commented on Aug 6, 2018
Hi,
Mixer policy is fail-close by default. That means if you remove policy pods, then the requests to policy fail, and that is interpreted as a policy failure.
To disable policy checks being applied altogether, you need to edit the mesh config (and restart pilot pods):
https://github.com/istio/istio/blob/master/install/kubernetes/helm/istio/values.yaml#L85
The corresponding installation helm option is this:
https://github.com/istio/istio/blob/master/install/kubernetes/helm/istio/values.yaml#L85
frost1990 commented on Aug 7, 2018
@kyessenov
Hi, I changed the istio ConfigMap, set disablePolicyChecks to true, and restarted istio-pilot. But my requests still failed with status code 503. I don't know why.
Here is my meshconfig:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
    chart: istio-1.0.0
    release: RELEASE-NAME
    heritage: Tiller
data:
  mesh: |-
    # Set the following variable to true to disable policy checks by the Mixer.
    # Note that metrics will still be reported to the Mixer.
    disablePolicyChecks: true
```
My requests get responses like this:
```
About to connect() to apigateway.smhtest.svc.a1.uae port 12344 (#0)
Trying 2002:ac1f:91c5:1::6ff2...
Connected to apigateway.smhtest.svc.a1.uae (2002:ac1f:91c5:1::6ff2) port 12344 (#0)
< HTTP/1.1 503 Service Unavailable
< content-length: 33
< content-type: text/plain
< date: Tue, 07 Aug 2018 08:51:19 GMT
< server: envoy
< x-envoy-decorator-operation: apigateway.smhtest.svc.a1.uae:12344/*
<
Connection #0 to host apigateway.smhtest.svc.a1.uae left intact
UNAVAILABLE:Cluster not available
```
kyessenov commented on Aug 7, 2018
Not sure why the mixer checks are still applied after you changed configmap and istio-pilot. Can you try killing gateway pods and see if that helps? If it does work, then we have an issue with stale config in gateways. cc @nmittler @costinm
frost1990 commented on Aug 8, 2018
@kyessenov
I tried again, and found that it would take a few minutes to disable mixer checks after restarting istio-pilot.
kyessenov commented on Aug 9, 2018
Related to #7759 as well as pilot general slowness to push updates.
kyessenov commented on Aug 9, 2018
Do you mind closing this issue and opening up another one with some evidence / logs for the few minute delay after restarting pilot?
frost1990 commented on Aug 10, 2018
@kyessenov
No problem
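
One way to tell whether a proxy has actually picked up `disablePolicyChecks`, which is the stale-config question raised in the thread (an added example, not code from this issue or from the Istio project). It assumes the `mixer` HTTP filter in a proxy's listener config carries a `disable_check_calls` flag under `service_configs`; the listener JSON is a constructed sample and the function names are hypothetical.

```python
import json

# Constructed sample shaped like a proxy listener dump; the exact layout is
# an assumption and varies by Istio/Envoy version.
SAMPLE = json.loads("""[
 {"name": "0.0.0.0_12344", "filter_chains": [{"filters": [{
   "name": "envoy.http_connection_manager", "config": {"http_filters": [
     {"name": "mixer", "config": {"default_destination_service": "default",
       "service_configs": {"default": {"disable_check_calls": true}}}},
     {"name": "envoy.router"}]}}]}]},
 {"name": "0.0.0.0_8080", "filter_chains": [{"filters": [{
   "name": "envoy.http_connection_manager", "config": {"http_filters": [
     {"name": "mixer", "config": {"default_destination_service": "default",
       "service_configs": {"default": {}}}},
     {"name": "envoy.router"}]}}]}]}
]""")


def mixer_filters(listener):
    """Yield the config of every HTTP filter named 'mixer' in a listener."""
    for chain in listener.get("filter_chains", []):
        for net_filter in chain.get("filters", []):
            cfg = net_filter.get("config", {})
            for http_filter in cfg.get("http_filters", []):
                if http_filter.get("name") == "mixer":
                    yield http_filter.get("config", {})


def check_calls_enabled(listeners):
    """Map listener name -> True if a mixer filter still makes Check calls."""
    result = {}
    for listener in listeners:
        name = listener.get("name", "?")
        for cfg in mixer_filters(listener):
            default = cfg.get("default_destination_service", "default")
            svc = cfg.get("service_configs", {}).get(default, {})
            # Missing or false disable_check_calls: checks are still on, so a
            # fail-close policy turns an unreachable istio-policy into a 503.
            enabled = not svc.get("disable_check_calls", False)
            result[name] = result.get(name, False) or enabled
    return result


def stale_listeners(listeners):
    """Names of listeners whose config still performs policy checks."""
    return sorted(n for n, on in check_calls_enabled(listeners).items() if on)


if __name__ == "__main__":
    print(stale_listeners(SAMPLE))
```

A non-empty result after the ConfigMap change means that proxy has not yet received the updated mesh config.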