Envoy LUA filter, contact local container for external authorization

Hi all,
we’ve deployed a sidecar for authorization purposes, that will contact our authorization service. Basically we’ll have our pod with 3 containers:

  • Microservice
  • Authorization sidecar
  • Istio proxy

We were planning to deploy an Envoy LUA filter in front of our pod to intercept each HTTP request and forward it to our authorization service, which in turn will perform the authorization checks. How can i reach that container? I mean: inside the LUA authorization filter we’ve to use the following function to perform http call: request_handle:httpCall. How can i reach, with this function, an internal container belonging to the same pod? I’ve tried with localhost (due to the fact that containers inside the same pod share the same network stack) but it doesn’t work. Any ideas on that?

Thank you very much,

httpCall takes an Envoy “cluster” name as its argument, not a hostname like localhost.

What you need to do is create a ServiceEntry that represents your authz service, then find out the cluster name that Istio assigns to it, and use that name.

Just curious, if you need external authorization, why not just use ext_authz filter?

Yeah, yesterday we found a pr on github which was telling about service entries + envoy config and at the end we created a specific service entry and it works :wink:

@YangminZhu we’ve used LUA filter because we needed to pass specific custom headers to the underlying authorization sidecar (like specific path and method of the incoming request that needed to be authorized against our authorization server) and the LUA filter gives us more flexibility. Due how it’s implemented our authorization sidecar this was the easiest and fastest solution. We’re going to do some performance tests on that and we’ll see if we’ll need to change our implementation to ext_authz filter.
Anyway, the problem about how to contact an internal container was still present with the ext_authz filter :wink:

Thank you!

Thanks for the information.

I’m very interested in the performance test result, would you mind to share the result when you got the data?

I have done micro benchmark between Lua filter and RBAC filter by enforcing the same sample access control policy. The result is Lua filter is around 5x slower than the RBAC filter. When comparing with external authorization, I guess the latency will mainly be dominated by the external request.

Can you share the absolute numbers (e.g. number of microseconds) in addition to the relative?

Was the Lua filter in your test implementing the policy, or was it sending an request to an external service that was implementing the policy?

Hi Spike, sorry for the late reply I forget to follow on this, I tested the Lua implementing the policy directly. I didn’t test any external requests. The following table shows the raw benchmark data, together with some other implementations (CEL and C++):

2019-08-06 21:25:05
Running ./bazel-bin/test/cel/benchmark_test
Run on (12 X 4000 MHz CPU s)
CPU Caches:
  L1 Data 32K (x6)
  L1 Instruction 32K (x6)
  L2 Unified 256K (x6)
  L3 Unified 15360K (x1)
Load Average: 1.08, 1.47, 1.79
***WARNING*** CPU scaling is enabled, the benchmark real time measurements may be noisy and will incur extra overhead.
Benchmark                 Time             CPU   Iterations
Native                 108 ns          108 ns     5957712
RBAC                   292 ns          292 ns     2339761
CEL                   3535 ns         3535 ns      194319
CEL_FlattenedMap      1164 ns         1164 ns      653968
LuaJIT                1573 ns         1573 ns      453999

The code for the benchmark is https://github.com/yangminzhu/envoy/blob/69c2d33ef46129b16028e0b2f8452c7d4caf1562/test/cel/benchmark_test.cc, the RBAC is about 5x faster than the LuaJIT in Envoy.