I’m having trouble configuring an external authorization filter with Istio. I’ve written a filter that should be applied to my gRPC service requests:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
spec:
  filters:
  - insertPosition:
      index: FIRST
    listenerMatch:
      listenerType: SIDECAR_INBOUND
      listenerProtocol: HTTP
    filterType: HTTP
    filterName: "envoy.ext_authz"
    filterConfig:
      grpc_service:
        envoy_grpc:
          cluster_name: auth
      failure_mode_allow: false
  - insertPosition:
      index: FIRST
    listenerMatch:
      listenerType: SIDECAR_INBOUND
      listenerProtocol: TCP
    filterType: NETWORK
    filterName: "envoy.ext_authz"
    filterConfig:
      grpc_service:
        envoy_grpc:
          cluster_name: auth
      failure_mode_allow: false
```
The filter seems to be intercepting my requests because I’m getting permission denied responses. However, in my gRPC service I’m not actually receiving or vetting the auth request (I’ve added a log in my service to output an incoming unary request).

I’m wondering if my cluster_name is incorrect. The documentation in Istio and Envoy isn’t clear as to what “cluster_name” should actually be. In the above example I’m feeding it the Service name I’ve set up. I’ve seen some examples where the cluster_name is referred to as:

```yaml
cluster_name: "outbound|8448||auth.default.svc.cluster.local"
```
I’m not sure which one is accurate. Also how can I review logs for this call to help troubleshoot the request once I determine the correct cluster_name?
Thanks.
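
The following is an added example, not part of the original post. It checks an `ext_authz` `cluster_name` against the cluster names a sidecar actually holds, relying on two facts: Envoy looks the name up verbatim in its own cluster list, and Istio names the clusters it generates as `direction|port|subset|host`. The `KNOWN` list is constructed sample data standing in for what `istioctl proxy-config cluster <pod>` would list; the `backend` service and the function names are hypothetical.

```python
from typing import List, NamedTuple, Optional, Tuple

class IstioCluster(NamedTuple):
    direction: str
    port: int
    subset: str
    host: str

def parse_cluster_name(name: str) -> Optional[IstioCluster]:
    """Parse Istio's 'direction|port|subset|host' form; None for any other name."""
    parts = name.split("|")
    if len(parts) != 4 or parts[0] not in ("inbound", "outbound"):
        return None
    direction, port, subset, host = parts
    if not port.isdecimal():
        return None
    return IstioCluster(direction, int(port), subset, host)

def resolve(cluster_name: str, known: List[str]) -> Tuple[bool, List[str]]:
    """Return (exact_match, candidates).
    Only an exact match is usable by Envoy. Candidates are outbound clusters
    whose host equals the given name or starts with '<name>.'."""
    if cluster_name in known:
        return True, [cluster_name]
    candidates = []
    for name in known:
        parsed = parse_cluster_name(name)
        if parsed and parsed.direction == "outbound" and (
                parsed.host == cluster_name
                or parsed.host.startswith(cluster_name + ".")):
            candidates.append(name)
    return False, candidates

# Constructed sample of sidecar cluster names (not taken from a real proxy).
KNOWN = [
    "BlackHoleCluster",
    "PassthroughCluster",
    "inbound|8080||backend.default.svc.cluster.local",
    "outbound|8448||auth.default.svc.cluster.local",
    "outbound|443||kubernetes.default.svc.cluster.local",
]

if __name__ == "__main__":
    for wanted in ("auth", "outbound|8448||auth.default.svc.cluster.local"):
        print(wanted, "->", resolve(wanted, KNOWN))
```

With `failure_mode_allow: false`, a `cluster_name` that has no exact match means the authorization call cannot be made and requests are denied without the auth service seeing them.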