Envoy Lua filter, contact local container for external authorization

Hi all,
We’ve deployed a sidecar for authorization purposes that will contact our authorization service. Basically, our pod will have three containers:

  • Microservice
  • Authorization sidecar
  • Istio proxy

We were planning to deploy an Envoy Lua filter in front of our pod to intercept each HTTP request and forward it to our authorization service, which in turn will perform the authorization checks. How can I reach that container? I mean: inside the Lua authorization filter we have to use the following function to perform an HTTP call: request_handle:httpCall. How can I reach, with this function, an internal container belonging to the same pod? I’ve tried with localhost (due to the fact that containers inside the same pod share the same network stack), but it doesn’t work. Any ideas on that?

Thank you very much,
Matteo

httpCall takes an Envoy “cluster” name as its argument, not a hostname like localhost.

What you need to do is create a ServiceEntry that represents your authz service, then find out the cluster name that Istio assigns to it, and use that name.

Just curious, if you need external authorization, why not just use ext_authz filter?

Yeah, yesterday we found a PR on GitHub that talked about service entries + Envoy config, and in the end we created a specific service entry and it works :wink:

@YangminZhu we used the Lua filter because we needed to pass specific custom headers to the underlying authorization sidecar (like the specific path and method of the incoming request that needs to be authorized against our authorization server), and the Lua filter gives us more flexibility. Given how our authorization sidecar is implemented, this was the easiest and fastest solution. We’re going to do some performance tests on that and we’ll see whether we need to change our implementation to the ext_authz filter.
Anyway, the problem of how to contact an internal container was still present with the ext_authz filter :wink:

Thank you!
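The two points above, that httpCall takes an Istio-generated cluster name rather than a hostname, and that the Lua filter can forward the original path and method of the request as custom headers, put together as an added example. This is not the configuration from the original thread or from the Istio project; it assumes the authorization sidecar listens on 127.0.0.1:9000 and answers POST /authorize with 200 for allow and any other status for deny, and the host name authz.local, the namespace default, the pod label app: microservice and the x-original-* header names are all made up for the example.

```yaml
# Added example, not from the original thread. Assumptions: the authz
# sidecar listens on 127.0.0.1:9000 and answers POST /authorize with 200
# for allow and anything else for deny; "authz.local", the namespace
# "default", the label app=microservice and the x-original-* header
# names are invented for this example.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: authz-sidecar
  namespace: default
spec:
  hosts:
  - authz.local              # assumed name; must be unique within the mesh
  location: MESH_INTERNAL
  resolution: STATIC
  ports:
  - number: 9000
    name: http
    protocol: HTTP
  endpoints:
  - address: 127.0.0.1       # the sidecar shares the pod network namespace with Envoy
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: lua-authz
  namespace: default
spec:
  workloadSelector:
    labels:
      app: microservice      # assumed label of the pod being protected
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_request(request_handle)
              local req = request_handle:headers()
              -- httpCall takes the Envoy cluster name, which Istio derives from
              -- the ServiceEntry as outbound|<port>||<host>, not a hostname.
              -- Confirm the exact name with: istioctl proxy-config cluster <pod>
              local resp_headers, resp_body = request_handle:httpCall(
                "outbound|9000||authz.local",
                {
                  [":method"] = "POST",
                  [":path"] = "/authorize",
                  [":authority"] = "authz.local",
                  -- custom headers carrying what the sidecar needs to decide
                  ["x-original-method"] = req:get(":method"),
                  ["x-original-path"] = req:get(":path"),
                  ["authorization"] = req:get("authorization")
                },
                "",     -- empty request body
                1000)   -- timeout in ms
              -- Fail closed: anything but 200 denies the request. A timeout or
              -- connection failure is reported by Envoy as a 5xx status, so it
              -- also ends up here rather than letting the request through.
              if resp_headers[":status"] ~= "200" then
                request_handle:respond(
                  {[":status"] = "403", ["content-type"] = "text/plain"},
                  "forbidden by authorization sidecar")
              end
            end
```

The cluster name in the httpCall string is exactly what needs to be looked up after applying the ServiceEntry, and the same outbound|9000||authz.local cluster is what an ext_authz filter would reference for its http_service, which is why the "how do I reach the container" problem is the same for both filters. The filter names under match (envoy.filters.network.http_connection_manager, envoy.filters.http.router) and the typed_config type URL follow current Envoy naming; older Istio releases used envoy.http_connection_manager and envoy.router, so check istioctl proxy-config listener <pod> if the patch does not apply. Because the Lua filter runs in the inbound sidecar, the check happens before the request reaches the microservice container, and fail-closed handling matters: a Lua error or an unreachable sidecar must not be allowed to degrade into an allow.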

Thanks for the information.

I’m very interested in the performance test results; would you mind sharing them when you have the data?

I have done a micro benchmark between the Lua filter and the RBAC filter by enforcing the same sample access control policy. The result is that the Lua filter is around 5x slower than the RBAC filter. When comparing with external authorization, I guess the latency will mainly be dominated by the external request.

Can you share the absolute numbers (e.g. number of microseconds) in addition to the relative?

Was the Lua filter in your test implementing the policy, or was it sending a request to an external service that was implementing the policy?