Istio: sidecar EnvoyFilter workloadSelector not filtering

7/10/2020

I'm having an issue where two EnvoyFilters with different workloadSelectors that are supposed to apply to different pod workloads are instead both being applied to both workloads.

More specifically, I'm using Istio 1.4.9 and I have two instances of the same deployment workload in two different namespaces, and each workload has a sidecar. Each deployment has different labels applied.

kubectl get po --show-labels --all-namespaces -l app=myapp,namespace
NAMESPACE   NAME                    ...truncated...  LABELS
first       myapp-58489c8fcd-kch9f  ...truncated...  app=myapp,namespace=first ...truncated...
second      myapp-6f58dd65dd-tdjm7  ...truncated...  app=myapp,namespace=second ...truncated...

I want to attach a different instance of a Lua EnvoyFilter to each workload in each namespace, so each has its own filter. So, for example, the filter for the first namespace looks like the following. The second is similar but with a different workloadSelector.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name:  first-myapp-filter
  ...truncated...
spec:
  workloadSelector:
    labels:
      app: myapp
      namespace: first

However, I'm seeing that a given workload is processing BOTH envoyfilters instead of only the filter that is matched by the selector. When I look at the listeners on the pod in the first namespace with istioctl, it has BOTH filters attached.

"httpFilters": [
  {"name": "envoy.lua", "config": {"inlineCode": "function ...truncated... end\n" }},
  {"name": "envoy.lua", "config": {"inlineCode": "function ...truncated... end\n" }}

The selector doesn't seem to be working the way I expect it. Any ideas on how to debug?

-- Joe J
envoyproxy
istio
kubernetes
kubernetes-ingress
lua

1 Answer

7/10/2020

Only thing I can think of is that you defined your EnvoyFilter in the config root namespace and it's ignoring workloadSelector.

If you see the docs:

NOTE 3: To apply an EnvoyFilter resource to all workloads (sidecars and gateways) in the system, define the resource in the config root namespace, without a workloadSelector.

Try creating 2 EnvoyFilters, each in each namespace where your workloads exist and delete the original EnvoyFilter. So like this:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name:  first-myapp-filter
  namespace: first
spec:
  workloadSelector:
    labels:
      app: myapp
      namespace: first
...

and

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name:  second-myapp-filter
  namespace: second
spec:
  workloadSelector:
    labels:
      app: myapp
      namespace: second
...

Note: you might also want to try different labels. For example, app: myapp1, app: myapp2.

-- Rico
Source: StackOverflow
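
An added example, not part of the original question or answer: a Python check that takes `kubectl get envoyfilter -A -o json` output plus a pod's namespace and labels, and lists the EnvoyFilters expected to attach under the documented scoping (the pod's own namespace and the config root namespace, narrowed by workloadSelector labels). The `istio-system` root namespace, the `global-lua` filter and the sample JSON are assumptions constructed for illustration.

```python
import json

ROOT_NAMESPACE = "istio-system"  # assumption: default config root namespace

# Constructed sample shaped like `kubectl get envoyfilter -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "first-myapp-filter", "namespace": "first"},
  "spec": {"workloadSelector": {"labels": {"app": "myapp", "namespace": "first"}}}},
 {"metadata": {"name": "second-myapp-filter", "namespace": "second"},
  "spec": {"workloadSelector": {"labels": {"app": "myapp", "namespace": "second"}}}},
 {"metadata": {"name": "global-lua", "namespace": "istio-system"},
  "spec": {}}
]}
""")


def selector_matches(selector, pod_labels):
    """Every selector label must be present on the pod with the same value."""
    return all(pod_labels.get(k) == v for k, v in selector.items())


def expected_filters(envoyfilters, pod_namespace, pod_labels, root_ns=ROOT_NAMESPACE):
    """Return [(namespace/name, reason)] for filters expected on this pod."""
    hits = []
    for item in envoyfilters.get("items", []):
        meta = item["metadata"]
        ns = meta.get("namespace", "default")
        # Only the pod's own namespace and the config root namespace are in scope.
        if ns not in (pod_namespace, root_ns):
            continue
        selector = ((item.get("spec") or {}).get("workloadSelector") or {}).get("labels")
        if not selector:
            reason = "no workloadSelector: applies to every workload in scope"
        elif selector_matches(selector, pod_labels):
            reason = "workloadSelector matched"
        else:
            continue
        if ns == root_ns and ns != pod_namespace:
            reason += " (defined in config root namespace)"
        hits.append((f"{ns}/{meta['name']}", reason))
    return hits


if __name__ == "__main__":
    pod_labels = {"app": "myapp", "namespace": "first"}
    for name, reason in expected_filters(SAMPLE, "first", pod_labels):
        print(f"{name}: {reason}")
```

Comparing this list with the `httpFilters` the sidecar actually reports helps separate a selector or namespace mistake from a control-plane problem.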