AKS Service Mesh -Istio enable envoy access log problem

Stanley Tsang 0 Reputation points
2024-05-02T10:57:24.6066667+00:00

I have set up a AKS and enabled Service Mesh -Istio.

I would like to enable envoy access log for ingress gateway, however, the following error showed

Error from server: error when creating ".\enable-accesslog.yml": admission webhook "azure-service-mesh-ccp-validating-webhook.azmk8s.io" denied the request: updating object Telemetry is blocked by Azure Service Mesh

The following is the Telemetry Config of Istio (ref: https://istio.io/latest/docs/tasks/observability/logs/access-log/)

apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: aks-istio-ingressgateway-internal
  namespace: aks-istio-ingress
spec:
  selector:
    matchLabels:
      app: aks-istio-ingressgateway-internal
  accessLogging:
  - providers:
    - name: envoy
    disabled: false

If it is not deployed to AKS, the envoy access log shall be able to be enabled by the above Telemetry setting (Already tested in EKS). However, if it is deployed to AKS ( and enabled istio in AKS panel), the configure is blocked by Azure service mesh webhook.

May I know how to enable the envoy access log in AKS?

Azure Kubernetes Service
Azure Kubernetes Service
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,454 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Anveshreddy Nimmala 3,550 Reputation points Microsoft External Staff Moderator
    2024-05-03T05:43:47.3733333+00:00

    Hello Stanley Tsang,

    Welcome to microsoft Q&A, Thankyou for providing your query here.

    Please check if Istio is installed properly.

    Issue may be related to the Azure service mesh or other webhook configurations that modify or override settings.

    https://istio.io/latest/docs/ops/configuration/mesh/webhook/

    if the issue still exist, try to directly set the Envoy access log configuration. You can edit the Istio Operator deployment to include the necessary Envoy logging configuration.

    you can also refer this links if any of them help you.

    https://learn.microsoft.com/en-us/azure/aks/istio-deploy-addon

    https://learn.microsoft.com/en-us/azure/aks/istio-meshconfig

    Hope this helps you

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.