Unable to get basic sample app to work with OPA envoy plugin for Istio #2831
Comments
It would be helpful to get logs from the product page, envoy and OPA containers from the product page pod to debug this further. Also make sure OPA is deployed inside every app pod.
I am in process of creating a new AKS cluster to start everything afresh (but waiting for our CloudOps person to do since I don't have permission to create one).
I repeated on a new AKS cluster. I see the error in envoy container but don't know the cause and how to fix it. Attached, please see all logs.
Apart from warnings, I don't see an error in the Envoy logs. OPA seems to be started as well. The logs don't show an actual request destined for the product page app being handled by OPA. Do you have that?
I attempted accessing productpage both from within the cluster and externally but it does not seem like the request even makes it. There is no record of it anywhere in envoy, opa or productpage. Am attaching them but not sure how useful they would be. I then attempted the following:
The opa-envoy plugin seems to not be working with Istio
Ouch! Is this something Istio needs to do something about that I can follow up with them? Or can OPA do something to resolve it (in future)? Thanks
The opa-envoy plugin will work with v1.6.x. For Istio v1.7.x, we could add a Rego policy to allow health checks as a workaround but it would be better if there was a way to configure the behavior in the
I tested with Istio v1.6.13 and everything in OPA envoy plugin for Istio's quick start worked as expected. Thanks! I want to update the simple policies to recognize JWT tokens and do some authorizations using certain claims in it. Time to read up on Rego syntax :-) Will see how it goes.
Can someone please help me out with opa rego policy to allow health checks to run it with 1.7.0 as mentioned above by @ashutosh-narkar, apologies but I am relatively new to opa and could not find an example online. Regards.
@shashanksrivastava10 you would need to add an
Hi @ashutosh-narkar, so I recently made changes to the rego policy that is available as a configmap in my target application namespace and it looks like this:
But still I'm facing the same issue when I describe the pods: Any suggestions from you would be highly appreciated, rest of the configurations remain the same as mentioned in istio-opa quickstart guide.
Check the OPA logs to get the actual input OPA gets. Then take your policy and the OPA input and write some unit tests. This will help in faster debugging.
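The two suggestions in this thread, a Rego rule that lets health checks through (the Istio 1.7.x workaround mentioned above) and unit tests written against the input OPA actually receives, as one added example. This is not the policy from the issue, the quick start, or the opa-envoy-plugin project. It assumes the quick start's package name `istio.authz`, the `input.attributes.request.http` shape the plugin passes from Envoy's CheckRequest, a constructed set of probe paths (`/health`, `/healthz`, `/ready`), that the probe arrives with a `kube-probe/` User-Agent, and the demo user `alice` from the curl command in the issue.

```rego
# policy.rego -- added example, not the issue's or the project's own policy.
package istio.authz

import input.attributes.request.http as http_request

default allow = false

# ASSUMPTION: the app answers kubelet probes on one of these paths. Take the
# real value from the "path" field OPA logs for the probe requests.
health_check_paths := {"/health", "/healthz", "/ready"}

# Workaround from the thread: let health probes through so the pod turns Ready.
# Scoped to GET on a known probe path with the kubelet's User-Agent prefix
# (ASSUMPTION: the probe reaches Envoy carrying a kube-probe/<version> agent).
allow {
    http_request.method == "GET"
    health_check_paths[http_request.path]
    startswith(http_request.headers["user-agent"], "kube-probe/")
}

# Ordinary traffic: only the demo user "alice" (constructed, matching the curl
# command in the issue) may read the product page.
allow {
    http_request.method == "GET"
    http_request.path == "/productpage"
    user_name == "alice"
}

# Parse the basic-auth user out of "Authorization: Basic <base64(user:pass)>".
user_name = name {
    [_, encoded] := split(http_request.headers.authorization, " ")
    [name, _] := split(base64.decode(encoded), ":")
}

# policy_test.rego -- run with: opa test -v policy.rego policy_test.rego
package istio.authz

# Constructed inputs in the shape opa-envoy-plugin hands to the policy
# (Envoy CheckRequest attributes; header names arrive lowercased).
probe_request := {"attributes": {"request": {"http": {
    "method": "GET",
    "path": "/health",
    "headers": {"user-agent": "kube-probe/1.19"}
}}}}

alice_request := {"attributes": {"request": {"http": {
    "method": "GET",
    "path": "/productpage",
    "headers": {"authorization": "Basic YWxpY2U6cGFzc3dvcmQ="}
}}}}

test_health_probe_allowed {
    allow with input as probe_request
}

# A plain client hitting the probe path is not a probe and stays denied.
test_probe_path_from_other_client_denied {
    not allow with input as {"attributes": {"request": {"http": {
        "method": "GET", "path": "/health", "headers": {"user-agent": "curl/7.68.0"}
    }}}}
}

test_alice_reads_productpage {
    allow with input as alice_request
}

# No credentials means no access to the application route.
test_anonymous_productpage_denied {
    not allow with input as {"attributes": {"request": {"http": {
        "method": "GET", "path": "/productpage", "headers": {}
    }}}}
}
```

Save the two parts as `policy.rego` and `policy_test.rego` and run `opa test -v policy.rego policy_test.rego`. To test against what the sidecar really sends rather than the constructed inputs, copy the `input` object from an OPA decision-log line for a probe into `input.json` and evaluate `opa eval -i input.json -d policy.rego "data.istio.authz.allow"`; if the probe's path or User-Agent differs from the assumptions above, adjust `health_check_paths` or the `startswith` check before putting the policy in the ConfigMap. The rules use the pre-v1 Rego syntax of the plugin of that era; on OPA 1.0 and later add `import rego.v1` and the `if` keyword to each rule head.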
🤔 I think this can be closed. If I'm mistaken, please re-open 😃
Hello,
I was just trying to get my feet wet with OPA plugin for Istio and did the following:
Am doing this in Azure AKS. I first installed Istio in my cluster which went fine. I then installed Istio's sample bookinfo application in the cluster with Istio's envoy/sidecar injection enabled in default namespace. Confirmed the application worked as expected. Exposed it externally and was able to access it without any issues.
Removed the sample all completely before installing OPA envoy plugin.
I then proceeded to install & deploy opa's envoy plugin for Istio. Used the guide at https://github.com/open-policy-agent/opa-envoy-plugin/tree/master/examples/istio. Followed the steps in Quick Start. There were no errors in applying the quick_start.yaml as listed in the guide. Confirmed it created all resources that it should have like the ext-authz EnvoyFilter and admission controller under opa-istio namespace. Enabled opa-istio injection using "kubectl label namespace default opa-istio-injection="enabled""
Proceeded to deploy the sample bookinfo application and the accompanying bookinfo-gateway. Both were deployed without any errors. Saw the app was deployed and all pods/services were created and started correctly.
Expected Behavior
After exposing the app/service externally, attempted accessing it using
curl --user alice:password -i http://$GATEWAY_URL/productpage that I expected to work.
Actual Behavior
But get this error instead:
Even when attempting to access the productpage from inside the cluster using the following cmd get the same error:
kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -s productpage:9080/productpage.
If I remove opa-istio plugin completely including the ext-authz filter and all resources in opa-istio namespace, then the sample app becomes accessible without any errors.
Steps to Reproduce the Problem
In AKS cluster, install latest version of Istio 1.7.3 using default profile. Enable envoy injection using "kubectl label namespace default istio-injection=enabled". Follow the instructions on https://github.com/open-policy-agent/opa-envoy-plugin/tree/master/examples/istio.
Attempt accessing the productpage as indicated.
Am I missing something?
Please see above. Thanks
Kyle