Open
Description
Is this the right place to submit this?
- This is not a security vulnerability or a crashing bug
- This is not a question about how to use Istio
Bug Description
I’ve encountered an issue when configuring a mesh-wide log file output path using meshConfig.accessLogFile. When this is set to a file path (e.g., /var/log/access.log), Istio attempts to write logs to the specified location. However, in many environments (including ours), the default pod security context results in a read-only root filesystem, which causes the following error:
unable to open file '/var/log/istio-proxy-access.log': No such file or directory
Suggested Improvement
It would be great if:
- The documentation could clearly mention that writing to the file system requires writable volumes and won't work with a read-only root FS.
- Alternatively, supporting logging to a location like an emptyDir or allowing redirection to stdout in file format could help mitigate this.
- If possible, when installing via IstioOperator, display a warning during installation if accessLogFile is set to a file path and the root filesystem is likely to be read-only. This would help users catch the issue early before running into runtime errors.
Version
$ istioctl version
client version: 1.25.0
control plane version: 1.25.0
data plane version: 1.23.2, 1.25.0
$ kubectl version
Client version: v1.32.1
Kustomize Version: v5.5.0
Server Version: v1.31.4
Additional Information
No response