Envoy Filter to increase max header size does not work



Istio 1.6.8

there are two services A and B in default namespace. All of them are with injected sidecard istio-proxy and etc. When A sends request to B, request URL can be up to 80KiB. Which leads to 431 response.

I’m trying to increase max header size by applying following envoy filter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
  name: max-request-headers
  namespace: istio-system
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
            name: "envoy.filters.network.http_connection_manager"
      operation: MERGE
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          max_request_headers_kb: 81

but to no availability.

Filter was tested within default, istio-config and as in example istio-system namespaces.

As of that have following questions:

  1. How to verify that envoy filter was applied?
  2. Does istio apply Filter configuration on the fly if not, which services needs to be restarted? only sidecarts? istiod?
  3. What is wrong with envoy filter provided in example?

Istio applies filter dynamically - no need to restart any services. My guess is that the filter names are not compatible “type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager” - as 1.6.8 might not be using v3. Try with v2 filters and “envoy.filters.network.http_connection_manager” name (use old name). BTW, 1.6.8 is Eoled, please consider moving to latest version to get better support.

1 Like

Thank you for help. It seems that indeed that was a problem. While we are still looking to ensure that filter was applied, at least it seems that 431 is gone.

We are planning to migrate to 1.7 istio asap.