Envoyfilter outlier no effect

Config
1

I use EnvoyFilter to controller outlier, but has no effect. Any suggestions?

This is my deploy config:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: restdemo
---
apiVersion: v1
kind: Service
metadata:
  name: restdemo
  labels:
    app: restdemo
    service: restdemo
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  selector:
    app: restdemo
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: restdemo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: restdemo
      version: v2
  template:
    metadata:
      labels:
        app: restdemo
        version: v2
      annotations:
        proxy.istio.io/config: |-
          proxyStatsMatcher:
            inclusionRegexps:
            - ".*http_local_rate_limit.*"
            - "cluster.*.outlier_detection.*"
    spec:
      serviceAccountName: restdemo
      containers:
      - image: myimg/demo:v2
        imagePullPolicy: IfNotPresent
        name: restdemo
        ports:
        - containerPort: 8080

This is my virtual service:

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: restdemo
spec:
  hosts:
  - "*"
  gateways:
  - istio-system/istio-gateway
  http:
  - route:
    - destination:
        host: restdemo
        port:
          number: 8080

This is my outlier config:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: rest-outlier-cluster
  namespace: default
spec:
  configPatches:
    - applyTo: CLUSTER
      match:
        context: SIDECAR_OUTBOUND
        cluster:
          name: "outbound|8080||restdemo.default.svc.cluster.local"
      patch:
        operation: MERGE
        value:
          "outlier_detection": {
            "consecutive_5xx": 5,
            "interval": "15s",
            "base_ejection_time": "60s",
            "max_ejection_percent": 100,
            "enforcing_consecutive_5xx": 100,
            "max_ejection_time": "300s",
          }

I made consecutive requests which will return error code 500. But outlier doesn’t take effects, I always get result from upstream pods.

2

I tried by DestinationRule outlier config, and it worked.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: restdemo
spec:
  host: restdemo
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 1
      interval: 5s
      baseEjectionTime: 30s

I compared the proxy config between this right and my wrong, the only suspicious part is the healthy_panic_threshold. By using DR(which outlier takes effect), there was an empty healthy_panic_threshold config, and with envoy filter the was not.

But I don’t know how to config this by envoy filter, and I also don’t consider this to be the problem.

3

Turn out that it IS the healthy_panic_threshold config that takes effect.
I add a config of an empty healthy_panic_threshold config, the outlier works.
It’s kind of wierd…

In addition, the envoyfilter should be added in istio-system namespace, because I found the outlier should also be injected into ingress-gateway.

This is my final outlier config

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: rest-outlier-cluster
  namespace: istio-system
spec:
  configPatches:
    - applyTo: CLUSTER
      match:
        context: ANY
        cluster:
          name: "outbound|8080||restdemo.default.svc.cluster.local"
      patch:
        operation: MERGE
        value:
          "common_lb_config": {
            "healthy_panic_threshold": {},
          }
    - applyTo: CLUSTER
      match:
        context: ANY
        cluster:
          name: "outbound|8080||restdemo.default.svc.cluster.local"
      patch:
        operation: MERGE
        value:
          "outlier_detection": {
            "consecutive_5xx": 1,
            "interval": "5s",
            "base_ejection_time": "60s",
            "enforcing_consecutive_5xx": 100,
            "max_ejection_time": "120s",
            "enforcing_success_rate": 0,
          }