Envoy External Authorization with OPA - evaluation fails with large JSON body

6/16/2020

I have a k8s pod running 3 containers: my app, OPA, and Envoy.

All my setup follows this guide: https://www.openpolicyagent.org/docs/latest/envoy-authorization/

Everything went well until I had a 15kb JSON body.

Checking the OPA container log, I see that request.http.body contains only about half of the JSON.

{
  "decision_id": "",
  "error": {},
  "input": {
    "attributes": {
      "destination": {
        "address": {
          "Address": {
            "SocketAddress": {
              "PortSpecifier": {
                "PortValue": 8000
              },
              "address": "10.244.8.102"
            }
          }
        }
      },
      "request": {
        "http": {
          "body": "only half of JSON body come here",
          "headers": {
            ":authority": "api-service.com",
            ":method": "PUT",
            ":path": "/api",
            "accept": "application/json",
            "content-length": "14822",
            "content-type": "application/json",
            "x-envoy-decorator-operation": "....",
            "x-envoy-internal": "true",
            "x-forwarded-for": "10.244.6.0",
            "x-forwarded-proto": "https",
            "x-istio-attributes": "..."  
          },
          "host": "....com",
          "id": "12114967460600931537",
          "method": "PUT",
          "path": "/api",
          "size": 14822
        }
      },
      "source": {
        "address": {
          "Address": {
            "SocketAddress": {
              "PortSpecifier": {
                "PortValue": 34670
              },
              "address": "10.244.3.164"
            }
          }
        }
      }
    },
    "parsed_path": [
      "api"
    ],
    "parsed_query": {}
  },
  "level": "info",
  "msg": "Decision Log",
  "query": "data.app.allow",
  "type": "openpolicyagent.org/decision_logs"
}

I tried increasing with_request_body.

http_filters:
  - name: envoy.ext_authz
    config:
      with_request_body:
        max_request_bytes: 819200
        allow_partial_message: true
      # failure_mode_allow is a field of the ext_authz filter itself,
      # not of with_request_body
      failure_mode_allow: false

Is there any other thing I missed?

Thanks a lot for your help

-- Nick L
envoyproxy
kubernetes
open-policy-agent

2 Answers

6/16/2020

Are there any errors in the Envoy logs?

What is the data that you are trying to send? Does it need to be part of OPA's input document, or can you leverage OPA's bundle feature?

-- Ash Narkar
Source: StackOverflow

6/18/2020

I finally made it work by increasing max_request_bytes.

name: envoy.ext_authz
config:
  with_request_body:
    max_request_bytes: 819200

I had configured this before in the configmap but forgot to restart the pod. I just redeployed everything with the new max_request_bytes and it's OK now.

Reference: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/buffer/v3/buffer.proto.html?highlight=max_request_bytes

Thank you all

-- Nick L
Source: StackOverflow
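
A check for the symptom described in the question, as an added example (not code from the posts above or from the OPA or Envoy projects): it scans OPA decision-log lines and flags requests where the body OPA received is shorter than the declared size, which is what happens when allow_partial_message is true and the body exceeds max_request_bytes. The sample log lines and the function names are constructed for illustration; only the field layout comes from the log in the question.

```python
import json

def _entry(req_id, body, declared):
    """Build a constructed decision-log line in the layout shown in the question."""
    http = {"id": req_id, "method": "PUT", "path": "/api", "body": body,
            "headers": {"content-length": str(declared)}, "size": declared}
    return json.dumps({"msg": "Decision Log",
                       "input": {"attributes": {"request": {"http": http}}}})

# Constructed sample data, not taken from the original post.
FULL = json.dumps({"items": list(range(50))})
SAMPLE_LOG = [
    _entry("1", FULL, len(FULL)),                    # whole body reached OPA
    _entry("2", FULL[: len(FULL) // 2], len(FULL)),  # body cut off by the proxy
    "plain text line that is not a decision log",
]

def declared_size(http):
    """Declared request size in bytes: `size`, else content-length, else -1."""
    size = http.get("size", -1)
    if isinstance(size, int) and size >= 0:
        return size
    header = str(http.get("headers", {}).get("content-length", ""))
    return int(header) if header.isdigit() else -1

def find_truncated_bodies(lines):
    """Return a finding for each decision made on fewer body bytes than declared."""
    findings = []
    for line in lines:
        try:
            http = json.loads(line)["input"]["attributes"]["request"]["http"]
        except (ValueError, KeyError, TypeError):
            continue  # not a decision-log entry carrying an HTTP request
        if not isinstance(http, dict):
            continue
        body = http.get("body") or ""
        received, declared = len(body.encode("utf-8")), declared_size(http)
        if declared <= received:
            continue  # full body seen, or size unknown (-1)
        try:
            json.loads(body)
            parses = True
        except ValueError:
            parses = False
        findings.append({"id": http.get("id"), "declared": declared,
                         "received": received, "body_parses": parses})
    return findings

if __name__ == "__main__":
    for finding in find_truncated_bodies(SAMPLE_LOG):
        print(finding)
```

Any finding means the policy decision was made on an incomplete body, so a rule that inspects JSON fields would have evaluated against input it could not fully parse.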