Istio 1.3+ apply http filter only for specific routes

10/17/2019

I have an EnvoyFilter ressource that is doing an http call to an authentication service. This filter is applied to the SIDECAR_INBOUND and it's working very well. I just have to deploy my POD with a certain label and the filter is applied. So, every incoming requests on that POD are authenticated by this filter.

But recently, some team mates wanted a new feature : the possibility to have public routes and private routes in the same POD. So I need to execute the filter only if a private route is called (for example /private/getUsers or /public/getUsers).

With the 1.3+ release of Istio I can see that the filter management has been completly refactored with new capabilities and features. But the Documentation is not very helpful and I don't know if the new version of EnvoyFilters is able to respond to my need.

Do you know if its possible ?

Thank you

-- Fred Mériot
envoyproxy
istio
kubernetes

1 Answer

10/30/2019

Unfortunately it is impossible. You can only match to fields mentioned here, but not individual routes.

Below you can find example which will apply to all routes but you cannot match specific paths.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httproute
spec:
  configPatches:
  - applyTo: VIRTUAL_HOST
    patch:
      operation: MERGE
      value:
        request_headers_to_remove: [foo]
-- PjoterS
Source: StackOverflow