Our app is deployed on GKE and uses Istio as a sidecar on every container.
We use Istio for all the good use cases: authorization, traffic splitting, routing, etc.
In production, we observed that Istio (with its default logging configuration) logs the complete URL which, in our case, consists of sensitive information which we wouldn't like to be logged.
Upon research, I found that Istio OOB does not have a way to configure it to not log the queryParameters.
Tried the following but to no avail:
- Set the Istio log level to "off":
  sidecar.istio.io/logLevel: "off"
- Set the componentLogLevel to "error" and "off":
  sidecar.istio.io/componentLogLevel
  curl -s -X POST http://localhost:15000/logging?level=off
- Set the agentLogLevel to none:
  sidecar.istio.io/agentLogLevel: "default:none"
Log snapshot
2024-02-12T23:25:51.216339Z info cache returned workload trust anchor from cache ttl=23h59m59.783666749s
2024-02-12T23:25:51.216647Z info ads SDS: PUSH request for node:istio-test-1.0.1-7cc4c4f575-ddd12.istio-ns resources:1 size:4.0kB resource:default
2024-02-12T23:25:51.216758Z info ads SDS: PUSH request for node:istio-test-1.0.1-7cc4c4f575-ddd12.istio-ns resources:1 size:1.1kB resource:ROOTCA
[2024-02-12T23:27:13.262Z] "GET /istio-test?queryParam=Sensitive HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.0.0.0"...
Help appreciated!
We can use this annotation: "sidecar.istio.io/logLevel": off to disable logs for istio-proxy (sidecar).
You can add this annotation under spec for the container and apply the YAML again. The pod will restart and the logs won't appear.
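The last line of the log snapshot in the question is an access log entry, in a different format from the proxy and agent lines above it. As an added example (not part of the original posts), this Python sketch strips query values from such entries in a log pipeline and doubles as a check for whether entries with query values are still being emitted. The function names and the `REDACTED` marker are assumptions, and the sample lines marked as constructed are not from the page.

```python
import re

# Request field of an access log entry as it appears in the question's snapshot:
#   [timestamp] "METHOD target HTTP/x.y" ...
ACCESS_LOG_REQUEST = re.compile(
    r'^(?P<head>\[[^\]]+\] "[A-Z]+ )(?P<target>\S+)(?P<tail> HTTP/[\d.]+".*)$'
)

def _redact_pair(pair, marker):
    """Keep the parameter name, drop the value. A bare token (no '=') may
    itself be the secret, so it is replaced entirely."""
    if not pair:
        return pair
    name, eq, _value = pair.partition("=")
    return f"{name}={marker}" if eq else marker

def redact_line(line, marker="REDACTED"):
    """Return the line with query values removed; non-access-log lines
    (proxy and agent messages) pass through unchanged."""
    m = ACCESS_LOG_REQUEST.match(line)
    if not m:
        return line
    path, sep, query = m.group("target").partition("?")
    if not sep:
        return line
    redacted = "&".join(_redact_pair(p, marker) for p in query.split("&"))
    return f'{m.group("head")}{path}?{redacted}{m.group("tail")}'

def leaking_lines(lines, marker="REDACTED"):
    """Indexes of access log lines that still carry query values."""
    return [i for i, line in enumerate(lines) if redact_line(line, marker) != line]

SAMPLE = [
    # copied from the question's log snapshot
    "2024-02-12T23:25:51.216339Z info cache returned workload trust anchor "
    "from cache ttl=23h59m59.783666749s",
    '[2024-02-12T23:27:13.262Z] "GET /istio-test?queryParam=Sensitive HTTP/1.1" '
    '403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.0.0.0"...',
    # constructed lines: no query string, then a bare token without '='
    '[2024-02-12T23:27:14.101Z] "GET /healthz HTTP/1.1" 200 - via_upstream - "-" 0 2 1 0 "-"',
    '[2024-02-12T23:27:15.440Z] "POST /login?user=alice&abc123 HTTP/2" 200 - via_upstream - "-" 0 5 3 2 "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(redact_line(line))
    print("lines with query values:", leaking_lines(SAMPLE))
```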