Enabling Policy Enforcement (Deprecated)

 2 minute read

This task shows you how to enable Istio policy enforcement.

At install time

In the default Istio installation profile, policy enforcement is disabled. To install Istio with policy enforcement on, use the --set meshConfig.disablePolicyChecks=false and --set values.pilot.policy.enabled=true install option.

Alternatively, you may install Istio using the demo profile, which enables policy checks by default.

For an existing Istio mesh

  1. Check the status of policy enforcement for your mesh.

    $ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks

    disablePolicyChecks: true

    If policy enforcement is enabled (disablePolicyChecks is false), no further action is needed.

  2. Update the istio configuration to enable policy checks.

    Execute the following command from the root Istio directory:

    $ istioctl install --set meshConfig.disablePolicyChecks=false --set values.pilot.policy.enabled=true

    configuration "istio" replaced

  3. Validate that policy enforcement is now enabled.

    $ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks

    disablePolicyChecks: false
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!