Observing Istio traffic

Log and monitor your apps that are managed by Istio on IBM Cloud Kubernetes Service.

Enabling access logs for the entire mesh

To enable Envoy access logs for the entire mesh, edit the managed-istio-custom ConfigMap resource, which is located in the ibm-operators namespace that is provided by the Istio add-on, and add the key-value pair istio-global-proxy-accessLogFile: "/dev/stdout". For more information, see Customizing the Istio installation.

Enabling access logs for individual containers

Starting from version 1.18, the Istio add-on provides the option to enable Envoy access logs for individual containers by using telemetry CRs. To set up telemetry CRs, use the following telemetry definition.

apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: example-telemetry-enabling-envoy-access-logs
  namespace: <namespace> # Pod's namespace
spec:
  selector:
    matchLabels:
      <key>: <value> # Pod's label
  accessLogging:
  - providers:
    - name: enable-targeted-envoy-access-logs    

Modify the previous example definition to contain your Pod's namespace and label. After the telemetry definition is applied, you can see Envoy access logs through the istio-proxy container.
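
One way to switch on the mesh-wide setting from the earlier section and to confirm that a pod's istio-proxy container emits access logs, as an added example that is not part of the IBM documentation. It assumes the absolute path /dev/stdout as the value; the function names and the KUBECTL override are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the IBM documentation). Function names and the
# KUBECTL override are assumptions made for this example.
KUBECTL="${KUBECTL:-kubectl}"
CM_NAME="managed-istio-custom"             # ConfigMap named on this page
CM_NS="ibm-operators"                      # namespace named on this page
CM_KEY="istio-global-proxy-accessLogFile"  # key named on this page

# Build the JSON merge patch. Reject empty, relative (for example
# "dev/stdout") or quote-bearing values before they reach the cluster.
access_log_patch() {
  local path="$1"
  case "$path" in
    ""|[!/]*|*[!A-Za-z0-9/._-]*)
      echo "refusing access log path: '$path'" >&2
      return 1 ;;
  esac
  printf '{"data":{"%s":"%s"}}' "$CM_KEY" "$path"
}

# Add the key-value pair to the ConfigMap (defaults to /dev/stdout).
enable_mesh_access_logs() {
  local patch
  patch="$(access_log_patch "${1:-/dev/stdout}")" || return 1
  "$KUBECTL" patch configmap "$CM_NAME" -n "$CM_NS" --type merge -p "$patch"
}

# Read the stored value back so a mistyped key or value shows up at once.
mesh_access_log_setting() {
  "$KUBECTL" get configmap "$CM_NAME" -n "$CM_NS" \
    -o go-template="{{index .data \"$CM_KEY\"}}"
}

# Print recent Envoy access log lines from one pod's istio-proxy container.
# usage: sidecar_access_logs <pod-name> <namespace> [line-count]
sidecar_access_logs() {
  "$KUBECTL" logs "$1" -n "$2" -c istio-proxy --tail="${3:-20}"
}

# Dispatch only to the functions defined above, for example:
#   ./access-logs.sh enable_mesh_access_logs
#   ./access-logs.sh sidecar_access_logs <pod-name> <namespace>
case "${1:-}" in
  enable_mesh_access_logs|mesh_access_log_setting|sidecar_access_logs) "$@" ;;
esac
```
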

Setting up logging with IBM Log Analysis

Seamlessly manage logs for your app container and the Envoy proxy sidecar container in each pod by deploying Log Analysis agents to your worker nodes to forward logs to IBM® Log Analysis.

To use IBM Log Analysis, you deploy a logging agent to every worker node in your cluster. This agent collects logs with the extension *.log and extensionless files that are stored in the /var/log directory of your pod from all namespaces, including kube-system. These logs include logs from your app container and the Envoy proxy sidecar container in each pod. The agent then forwards the logs to the IBM Log Analysis service.

To get started, set up logging for your cluster by following the steps in Managing Kubernetes cluster logs with IBM Log Analysis.

Setting up monitoring with IBM Cloud Monitoring

Gain operational visibility into the performance and health of your Istio-managed apps by deploying a Monitoring agent to your worker nodes to forward metrics to IBM Cloud® Monitoring.

To deploy monitoring agents to your cluster, complete the following steps.

  1. Provision an instance of IBM Cloud Monitoring.

  2. Configure a monitoring agent in your cluster.

  3. In the Monitoring console, click Open Dashboard for the instance that you provisioned.

  4. In the Monitoring UI, click Add new dashboard.

  5. Search for Istio and select one of the Monitoring predefined Istio dashboards.

For more information about referencing metrics and dashboards, monitoring Istio internal components, and monitoring Istio A/B deployments and canary deployments, check out the How to monitor Istio, the Kubernetes service mesh blog post.

Launching the ControlZ component inspection and Envoy sidecar dashboards

To inspect specific components of Istio, launch the ControlZ and Envoy dashboards.

The ControlZ dashboard accesses the Istio component ports to provide an interactive view into the internal state of each component. The Envoy dashboard provides configuration information and metrics for an Envoy sidecar proxy that runs in an app pod.

Before you begin

ControlZ

  1. Get the pod name for the Istio component that you want to inspect. You can inspect the component pods for istio-citadel, istio-galley, istio-pilot, istio-policy, and istio-telemetry.

    kubectl get pods -n istio-system | grep istio
    

    Example output

    NAME                                      READY   STATUS    RESTARTS   AGE
    istio-citadel-869c7f9498-wtldz            1/1     Running   0          2m
    istio-egressgateway-69bb5d4585-qxxbp      1/1     Running   0          2m
    istio-galley-75d7b5bdb9-c9d9n             1/1     Running   0          2m
    istio-ingressgateway-5c8764db74-gh8xg     1/1     Running   0          2m
    istio-pilot-55fd7d886f-vv6fb              2/2     Running   0          2m
    istio-policy-6bb6f6ddb9-s4c8t             2/2     Running   0          2m
    istio-sidecar-injector-7d9845dbb7-r8nq5   1/1     Running   0          2m
    istio-telemetry-7695b4c4d4-tlvn8          2/2     Running   0          2m
    istio-tracing-55bbf55878-z4rd2            1/1     Running   0          2m
    
  2. Access the ControlZ dashboard for that component.

    istioctl dashboard controlz <component_pod_name>.istio-system
    

Envoy

  1. Get the name of the app pod where you want to inspect the Envoy sidecar container.

    kubectl get pods -n <namespace>

  2. Access the Envoy dashboard for that pod.

    istioctl dashboard envoy <pod-name>.<namespace>