EnvoyFilter implementation debugging

Hello! I’m trying to implement EnvoyFilter (envoy.ext_authz) into my projects. EnvoyFilter CRD has successfully created and I culd see it in Pilot’s debug/configz but It doesn’t applied to neither my sidecars or gateways.
Pilot’s log doesn’t contain any errors or failures that could be linked with EnvoyFilter, istio-proxy containers also shows none of errors.
Istioctl ps shows no difference and SYNCED state for all my pods.

Has anyone got understanding how to debug EnvoyFilter application? Which istio components are responsible for that functionality?

example of filter below:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ext-authz-grpc
spec:
filters:
- filterConfig:
grpc_service:
google_grpc:
stat_prefix: ext_authz
target_uri: localhost:8080
filterName: envoy.ext_authz
filterType: HTTP
insertPosition:
index: FIRST
listenerMatch:
listenerType: SIDECAR_OUTBOUND
portNumber: 8002
workloadLabels:
app: sleep

Environment:
openshift v3.11.98
kubernetes v1.11.0+d4cacc0

Istio version: Maistra:“0.10.0-1”, DockerHub:“brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift-istio-tech-preview