Telemetry API for Istio-based service mesh add-on for Azure Kubernetes Service
Istio can generate metrics, distributed traces, and access logs for all workloads in the mesh. The Istio-based service mesh add-on for Azure Kubernetes Service (AKS) provides telemetry customization options through the shared MeshConfig and the Istio Telemetry API v1
for Istio add-on minor revisions asm-1-22
and higher.
Note
While the Istio MeshConfig also provides options for configuring telemetry globally across the mesh, the Telemetry API offers more granular control over telemetry settings on a per-service or per-workload basis. As the Istio community continues to invest in the Telemetry API, it is now the preferred method for telemetry configuration. We encourage migrating to the Telemetry API for configuring telemetry to be collected in the mesh.
Prerequisites
- You must be on revision
asm-1-22
or higher. For information on how to perform minor version upgrades, see the Istio add-on upgrade documentation.
Configure Telemetry resources
The following example demonstrates how Envoy access logging can be enabled across the mesh for the Istio add-on via the Telemetry API using asm-1-22
(adjust the revision as needed). For guidance on other Telemetry API customizations for the add-on, see the Telemetry API support scope section and the Istio documentation.
Deploy sample applications
Label the namespace for sidecar injection:
kubectl label ns default istio.io/rev=asm-1-22
Deploy the sleep
application and set the SOURCE_POD
environment variable:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/sleep/sleep.yaml
export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
Then, deploy the httpbin
application:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/httpbin/httpbin.yaml
Enable Envoy access logging with the Istio Telemetry API
Deploy the following Istio v1
Telemetry API resource to enable Envoy access logging for the entire mesh:
cat <<EOF | kubectl apply -n aks-istio-system -f -
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
name: mesh-logging-default
spec:
accessLogging:
- providers:
- name: envoy
EOF
Test access logs
Send a request from sleep
to httpbin
:
kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -v httpbin:8000/status/418
Verify that access logs are visible for the sleep
pod:
kubectl logs -l app=sleep -c istio-proxy
You should see the following output:
[2024-08-13T00:31:47.690Z] "GET /status/418 HTTP/1.1" 418 - via_upstream - "-" 0 135 12 11 "-" "curl/8.9.1" "cdecaca5-5964-48f3-b42d-f474dfa623d5" "httpbin:8000" "10.244.0.13:8080" outbound|8000||httpbin.default.svc.cluster.local 10.244.0.12:53336 10.0.112.220:8000 10.244.0.12:42360 - default
Now, verify that access logs are visible for the httpbin
pod:
kubectl logs -l app=httpbin -c istio-proxy
You should see the following output:
[2024-08-13T00:31:47.696Z] "GET /status/418 HTTP/1.1" 418 - via_upstream - "-" 0 135 2 1 "-" "curl/8.9.1" "cdecaca5-5964-48f3-b42d-f474dfa623d5" "httpbin:8000" "10.244.0.13:8080" inbound|8080|| 127.0.0.6:55401 10.244.0.13:8080 10.244.0.12:53336 outbound_.8000_._.httpbin.default.svc.cluster.local default
Telemetry API support scope
For the Istio service mesh add-on for AKS, Telemetry API fields are classified as allowed
, supported
, and blocked
values. For more information about the Istio add-on's support policy for features and mesh configurations, see the Istio add-on support policy document.
The following Telemetry API configurations are either allowed
or supported
for the Istio add-on. Any field not included in this table is blocked
.
Telemetry API Field | Supported/Allowed | Notes |
---|---|---|
accessLogging.match |
Supported | - |
accessLogging.disabled |
Supported | - |
accessLogging.providers |
Allowed | The default envoy access log provider is supported. For a managed experience for log collection and querying, see Azure Monitor Container Insights Log Analytics. Third-party or open-source log collection and analytics solutions are allowed but unsupported. |
metrics.overrides |
Supported | - |
metrics.providers |
Allowed | Metrics collection with Azure Monitor Managed Prometheus is supported. Third-party or open-source metrics scraping solutions are allowed but unsupported. |
tracing.* |
Allowed | All tracing configurations are allowed but unsupported. |
Azure Kubernetes Service