AKS Service Mesh -Istio enable envoy access log problem

Question

I have set up a AKS and enabled Service Mesh -Istio.

I would like to enable envoy access log for ingress gateway, however, the following error showed

Error from server: error when creating ".\enable-accesslog.yml": admission webhook "azure-service-mesh-ccp-validating-webhook.azmk8s.io" denied the request: updating object Telemetry is blocked by Azure Service Mesh

The following is the Telemetry Config of Istio (ref: https://istio.io/latest/docs/tasks/observability/logs/access-log/)

apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: aks-istio-ingressgateway-internal
  namespace: aks-istio-ingress
spec:
  selector:
    matchLabels:
      app: aks-istio-ingressgateway-internal
  accessLogging:
  - providers:
    - name: envoy
    disabled: false

If it is not deployed to AKS, the envoy access log shall be able to be enabled by the above Telemetry setting (Already tested in EKS). However, if it is deployed to AKS ( and enabled istio in AKS panel), the configure is blocked by Azure service mesh webhook.

May I know how to enable the envoy access log in AKS?

Answer 1

Hello Stanley Tsang,

Welcome to microsoft Q&A, Thankyou for providing your query here.

Please check if Istio is installed properly.

Issue may be related to the Azure service mesh or other webhook configurations that modify or override settings.

https://istio.io/latest/docs/ops/configuration/mesh/webhook/

if the issue still exist, try to directly set the Envoy access log configuration. You can edit the Istio Operator deployment to include the necessary Envoy logging configuration.

you can also refer this links if any of them help you.

https://learn.microsoft.com/en-us/azure/aks/istio-deploy-addon

https://learn.microsoft.com/en-us/azure/aks/istio-meshconfig

Hope this helps you