Component Debugging

You can gain insights into what individual components are doing by inspecting their logs or peering inside via introspection. If that’s insufficient, the steps below explain how to get under the hood.

With istioctl

Get an overview of your mesh

You can get an overview of your mesh using the proxy-status command:

$ istioctl proxy-status

If a proxy is missing from the output list it means that it is not currently connected to a Pilot instance and so it will not receive any configuration. Additionally, if it is marked stale, it likely means there are networking issues or Pilot needs to be scaled.

Get proxy configuration

istioctl allows you to retrieve information about proxy configuration using the proxy-config or pc command.

For example, to retrieve information about cluster configuration for the Envoy instance in a specific pod:

$ istioctl proxy-config cluster <pod-name> [flags]

To retrieve information about bootstrap configuration for the Envoy instance in a specific pod:

$ istioctl proxy-config bootstrap <pod-name> [flags]

To retrieve information about listener configuration for the Envoy instance in a specific pod:

$ istioctl proxy-config listener <pod-name> [flags]

To retrieve information about route configuration for the Envoy instance in a specific pod:

$ istioctl proxy-config route <pod-name> [flags]

To retrieve information about endpoint configuration for the Envoy instance in a specific pod:

$ istioctl proxy-config endpoints <pod-name> [flags]

See Debugging Envoy and Pilot for more advice on interpreting this information.

With GDB

To debug Istio with gdb, you will need to run the debug images of Envoy / Mixer / Pilot. A recent gdb and the golang extensions (for Mixer/Pilot or other golang components) is required.

  1. kubectl exec -it PODNAME -c [proxy | mixer | pilot]

  2. Find process ID: ps ax

  3. gdb -p PID binary

  4. For go: info goroutines, goroutine x bt

With Tcpdump

Tcpdump doesn’t work in the sidecar pod - the container doesn’t run as root. However any other container in the same pod will see all the packets, since the network namespace is shared. iptables will also see the pod-wide configuration.

Communication between Envoy and the app happens on 127.0.0.1, and is not encrypted.