403 Envoy Filter Ext Auth

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: "envoy.ext_authz"
          typed_config:
            "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
            failure_mode_allow: false
            grpc_service:
              timeout: 0.5s
              envoy_grpc:
                cluster_name: authentication-service.default.svc.cluster.local

How do I debug this 403 error? It looks like it can’t connect to the gRPC server.

The cluster_name authentication-service.default.svc.cluster.local seems wrong unless you have another EnvoyFilter to add it yourself. The default cluster name generated by Istio has a different format; see https://github.com/istio/istio/issues/21841
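An added example, not part of the original replies: a check of an ext_authz `cluster_name` against the cluster names the gateway proxy knows (for instance as listed by `istioctl proxy-config cluster`), assuming Istio's generated `direction|port|subset|host` naming. The cluster list and port 9000 are constructed samples, and the function names are hypothetical.

```python
# Added example: with failure_mode_allow: false, an ext_authz filter that
# points at a cluster Envoy does not know denies requests with 403.
# The cluster names and port 9000 below are constructed, not from the thread.

def parse_istio_cluster(name):
    """Split an Istio-generated cluster name: direction|port|subset|host."""
    parts = name.split("|")
    if len(parts) != 4 or parts[0] not in ("outbound", "inbound"):
        return None
    direction, port, subset, host = parts
    if not port.isdigit():
        return None
    return {"direction": direction, "port": int(port),
            "subset": subset, "host": host}


def check_ext_authz_cluster(cluster_name, known_clusters):
    """Return (ok, candidates).

    ok is True when cluster_name matches a known cluster exactly.
    Otherwise candidates lists the outbound clusters whose host part
    equals the configured name, i.e. the values that should be used.
    """
    if cluster_name in known_clusters:
        return True, []
    candidates = []
    for name in known_clusters:
        parsed = parse_istio_cluster(name)
        if (parsed and parsed["direction"] == "outbound"
                and parsed["host"] == cluster_name):
            candidates.append(name)
    return False, sorted(candidates)


# Constructed sample of cluster names on an ingress gateway proxy.
KNOWN_CLUSTERS = [
    "BlackHoleCluster",
    "PassthroughCluster",
    "outbound|9000||authentication-service.default.svc.cluster.local",
    "outbound|80||httpbin.default.svc.cluster.local",
]

if __name__ == "__main__":
    configured = "authentication-service.default.svc.cluster.local"
    ok, candidates = check_ext_authz_cluster(configured, KNOWN_CLUSTERS)
    if ok:
        print("cluster_name resolves:", configured)
    else:
        print("unknown cluster:", configured)
        for name in candidates:
            print("  use instead:", name)
```
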

Thanks @YangminZhu, after following your Envoy filter config it’s working!

I’m glad it works for you.

By the way, I’m working on a design to provide better external authorization support in Istio. Feel free to comment and provide your feedback in the design (https://docs.google.com/document/d/1V4mCQCw7mlGp0zSQQXYoBdbKMDnkPOjeyUb85U07iSI/edit#) (you need to join the Istio community first to gain access). Thanks.