Hi. I'm trying to apply an Envoy filter (ext_authz); the thing is, I need to exclude one (or several) endpoints from being protected by the authz service. The filter works in the main, but the exceptions I want don't. There are not many examples, and the official documentation doesn't help much.
Here is my configuration (applied via kubectl):
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: hsbc-shpe-authz-sct
spec:
  workloadLabels:
    app.kubernetes.io/instance: sct-protected-service
  filters:
  - filterConfig:
      http_service:
        server_uri:
          uri: http://authz-app.namestace.svc.cluster.local
          cluster: outbound|80||authz-app.namestace.svc.cluster.local
          timeout: 1s
      failure_mode_allow: false
      path_prefix: "/auth"
      include_peer_certificate: true
      route_config:
        name: local_route
        virtual_hosts:
        - name: local_service
          domains: ["*"]
          per_filter_config:
            envoy.ext_authz:
              check_settings:
                context_extensions:
                  virtual_host: local_service
          routes:
          - match:
              prefix: "/health"
            per_filter_config:
              envoy.ext_authz:
                disabled: true
            route:
              cluster: outbound|80||protected-service.namespace.svc.cluster.local
          - match:
              prefix: "/health"
            per_filter_config:
              envoy.ext_authz:
                disabled: true
            route:
              cluster: outbound|8080||protected-service.namespace.svc.cluster.local
          - match:
              prefix: "/"
            route:
              cluster: outbound|80||protected-service.namespace.svc.cluster.local
    listenerMatch:
      listenerType: SIDECAR_INBOUND
      listenerProtocol: HTTP
      filterType: HTTP
    filterName: envoy.ext_authz
```
I was looking into "config.filter.http.ext_authz.v2.ExtAuthzPerRoute" but don't know how to add this to the YAML (which section) and what "check_settings" can be in my case. Ideally I want to allow the GET method on the /health endpoint to be unprotected. A really easy requirement that I'm stuck with.
I want to do it by applying an Envoy filter in a separate YAML, not via "ConfigMap -> filter chain", if that is possible.
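An added example (not from the post above, and not from the Istio or Envoy documentation) of how the per-route exemption is usually wired up with the `configPatches` form of EnvoyFilter, which replaced the `filters:`/`listenerMatch:` form used in the post. The important point is that `ExtAuthzPerRoute` is not part of the ext_authz filter's own config at all: it goes into `typed_per_filter_config` on a route, keyed by the filter name `envoy.filters.http.ext_authz`. In the post's config, `route_config` sits inside `filterConfig`, where the ext_authz filter ignores it, which is why the exemption never took effect. Assumptions in this example: an Istio version that supports `configPatches` and `INSERT_BEFORE` on `HTTP_ROUTE`; an Envoy with v3 APIs; the service listens on port 80; Istio's inbound route on that port is named `default` and its inbound cluster is named `inbound|80||` (older Istio releases used a different inbound cluster naming scheme); and the same authz hostnames as in the post. Verify the route and cluster names on your mesh with `istioctl proxy-config routes <pod> -o json` and `istioctl proxy-config cluster <pod>` before applying.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: hsbc-shpe-authz-sct
spec:
  workloadSelector:
    labels:
      app.kubernetes.io/instance: sct-protected-service
  configPatches:
  # 1. Add the ext_authz HTTP filter to the inbound listener, just in front of
  #    the router, so every inbound request is checked unless a route opts out.
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          http_service:
            server_uri:
              uri: http://authz-app.namestace.svc.cluster.local
              cluster: outbound|80||authz-app.namestace.svc.cluster.local
              timeout: 1s
            path_prefix: "/auth"
          # Fail closed: if the authz service is down or times out, deny.
          failure_mode_allow: false
          status_on_error:
            code: ServiceUnavailable
          include_peer_certificate: true
  # 2. Insert a route for GET /health ahead of Istio's default inbound route
  #    (assumed to be named "default" on port 80) and disable ext_authz only there.
  #    Exact "path" rather than "prefix" is used on purpose: a prefix of /health
  #    would also exempt /health-admin, /healthz/anything and so on.
  - applyTo: HTTP_ROUTE
    match:
      context: SIDECAR_INBOUND
      routeConfiguration:
        portNumber: 80
        vhost:
          route:
            name: default
    patch:
      operation: INSERT_BEFORE
      value:
        name: health-unauthenticated
        match:
          path: "/health"
          headers:
          - name: ":method"
            string_match:
              exact: "GET"
        route:
          # Assumed inbound cluster name; confirm with istioctl proxy-config cluster.
          cluster: inbound|80||
        typed_per_filter_config:
          envoy.filters.http.ext_authz:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
            disabled: true
```

After applying it, `istioctl proxy-config routes <pod> -o json` should show the `health-unauthenticated` route before `default`, and from another pod in the mesh `curl -i http://<service>/health` should return the app's response without a call to authz-app, while `curl -i -X POST http://<service>/health` and any other path should still be sent through the authz check. The per-route block only carries `disabled`; `check_settings` with `context_extensions` is for passing extra key/value metadata to the authz service on routes that are checked, so it is not needed for an exemption. Because route order decides which entry wins, keep the exemption as the first matching route and make it as narrow as possible: every extra path you exempt here is a path the authz service never sees.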