I'm having an issue where two EnvoyFilters with different workloadSelectors that are supposed to apply to different pods workloads, are instead both being applied to both workloads.
More specifically, I'm using Istio 1.4.9 and I have two instances of the same deployment workload in two different namespaces, and each workload has a sidecar. Each deployment has different labels applied.
kubectl get po --show-labels --all-namespaces -l app=myapp,namespace
NAMESPACE NAME ...truncated... LABELS
first myapp-58489c8fcd-kch9f ...truncated... app=myapp,namespace=first ...truncated...
second myapp-6f58dd65dd-tdjm7 ...truncated... app=myapp,namespace=second ...truncated...
I want to attach a different instance of a Lua EnvoyFilter to each workload in each namespace, so each has its own filter. So, for example, the filter for the first namespace looks like the following. The second is similar but with a different workloadSelector
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: first-myapp-filter
...truncated...
spec:
workloadSelector:
labels:
app: myapp
namespace: first
However, I'm seeing that a given workload is processing BOTH envoyfilters instead of only the filter that is matched by the selector. When I look at the listeners on the pod in the first namespace with istioctl, it has BOTH filters attached.
"httpFilters": [
{"name": "envoy.lua", "config": {"inlineCode": "function ...truncated... end\n" }},
{"name": "envoy.lua", "config": {"inlineCode": "function ...truncated... end\n" }}
The selector doesn't seem to be working the way I expect it. Any ideas on how to debug?
Only thing I can think of is that you defined your EnvoyFilter
in the config root namespace and it's ignoring workloadSelector
.
If you see the docs:
NOTE 3: *_To apply an EnvoyFilter resource to all workloads (sidecars and gateways) in the system, define the resource in the config root namespace, without a workloadSelector.
Try creating 2 EnvoyFilters, each in each namespace were your workloads exist and delete the original EnvoyFilter. So like this:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: first-myapp-filter
namespace: first
spec:
workloadSelector:
labels:
app: myapp
namespace: first
...
and
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: second-myapp-filter
namespace: second
spec:
workloadSelector:
labels:
app: myapp
namespace: second
...
Note: you might also want to try different labels. For example, app: myapp1
, app: myapp2
.