Policy Issues

Policies Not Working

The update and release of Maistra 0.9 introduced a significant change in behaviour related to policy enforcement via Mixer. In older versions of the product, Mixer’s policy enforcement was enabled by default. However, from release 0.9 onward, the policy enforcement is now disabled.

  • To see whether policy checks are disabled, execute:

$ oc get cm -n istio-system istio -o jsonpath='{.data.mesh}' | grep disablePolicyChecks
  • If you see disablePolicyChecks: true, policy checks have been disabled.

Enabling Policy Checks

  • Edit the Istio ConfigMap

$ oc edit cm -n istio-system istio
  • Locate disablePolicyChecks: true within the ConfigMap and change the value to false

  • Exit the editor to save the configuration

  • Check the policy enforcement status again and ensure it is now set to false

$ oc get cm -n istio-system istio -o jsonpath='{.data.mesh}' | grep disablePolicyChecks