I’m having trouble configuring an external authorization filter with Istio. I’ve written a filter that should be applied to my gRPC service requests:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
spec:
  filters:
  # HTTP-level ext_authz filter on the sidecar's inbound HTTP listeners
  - insertPosition:
      index: FIRST
    listenerMatch:
      listenerType: SIDECAR_INBOUND
      listenerProtocol: HTTP
    filterType: HTTP
    filterName: "envoy.ext_authz"
    filterConfig:
      grpc_service:
        envoy_grpc:
          cluster_name: auth
      failure_mode_allow: false
  # Network-level ext_authz filter on the sidecar's inbound TCP listeners
  - insertPosition:
      index: FIRST
    listenerMatch:
      listenerType: SIDECAR_INBOUND
      listenerProtocol: TCP
    filterType: NETWORK
    filterName: "envoy.ext_authz"
    filterConfig:
      grpc_service:
        envoy_grpc:
          cluster_name: auth
      failure_mode_allow: false
```
The filter seems to be intercepting my requests because I’m getting permission denied responses. However, in my gRPC service I’m not actually receiving or vetting the auth request (I’ve added a log in my service to output an incoming unary request).
I’m wondering if my cluster_name is incorrect. The documentation in Istio and Envoy isn’t clear as to what “cluster_name” should actually be. In the above example I’m feeding it the Service name I’ve set up. I’ve seen some examples where the cluster_name is referred to as:
I’m not sure which one is accurate. Also, how can I review logs for this call to help troubleshoot the request once I determine the correct cluster_name?