Istio Authorization with Internal Service

Hello,
I am working on a similar thing as per this discussion. I modified my yml of EnvoyFilter as above, but I am getting the below error:
Error from server: error when creating "filter.yaml": admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: envoy filter: missing filters
Istio version: 1.1.17
Do you have any suggestion to overcome this error?

Regards,
Esha Ingle

Can you share your file? Apparently a configuration is not allowed in the EnvoyFilter.

Can you send it ordered please, type code.

Hi everyone.
Finally I could solve my problem.
I have generated a filter through Envoy Lua, which accesses the validation service based on the path it receives.
I hope that if someone wants to do the same, this can help them.

Here I present my solution:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: envoy-filter
  namespace: istio-system
spec:
  filters:
  - filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)

          local path= request_handle:headers():get(":path");
          local host= request_handle:headers():get(":authority");
          
          request_handle:logWarn("Path Obtenido en la url " .. path);

          local metodo= request_handle:headers():get(":method");

          request_handle:logWarn("Metodo Utilizado " .. metodo);

          if string.match(metodo, "GET") or string.match(metodo, "POST") then
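            -- plain-text search: "-" is a quantifier in Lua patterns, so
            -- string.match(path, "path-service") never matches the literal text
            if string.find(path, "path-service", 1, true) then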
              request_handle:logWarn("Dentro de la funcion llamada al servicio");
              request_handle:logWarn("Obteniendo el Host");
              request_handle:logWarn(host);
              request_handle:logWarn("Obteniendo el path");
              request_handle:logWarn(path);
              
              local auth_host = "validate-service.namespace.svc.cluster.local"
              local cluster = "outbound|80||validate-service.namespace.svc.cluster.local"              
              local auth = request_handle:headers():get("authorization") -- get token
              
              local request_headers = {
              [":method"] = "GET",
              [":path"] = "/path-for-validate",
              [":authority"] = auth_host,
              ["authorization"] = auth
              }

              local request_body = ""
              local timeout = 5000 --ms
              
              local response_headers, response_body = request_handle:httpCall(
                cluster,
                request_headers,
                request_body,
                timeout
                )

              if tonumber(response_headers[":status"]) ~= 200 then
                request_handle:logWarn("Se produjo un error en la llamada");
                request_handle:respond({[":status"] = response_headers[":status"]}, response_body)
              else
                request_handle:logWarn("Respuesta 200");
              end
            else
              request_handle:logWarn("no encontró el path definido  " .. path);
            end
          end
        end
    filterName: envoy.lua
    filterType: HTTP
    insertPosition:
      index: FIRST
    listenerMatch:
      listenerType: GATEWAY
      portNumber: 443
  workloadLabels:
    app: istio-ingressgateway
2 Likes
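
A stricter variant of the Lua body for `inlineCode`, as an added example that is not part of the original post: it checks every HTTP method, compares the path as a plain prefix rather than a Lua pattern, and denies unless the validation service answers 200. The prefix policy and the 401/403 status codes are assumptions, and `is_protected` and `deny` are hypothetical helpers; host, cluster and paths are the placeholders used in the post.

```lua
-- Added example, not the poster's code. Host, cluster and paths are the
-- placeholders from the post; is_protected and deny are hypothetical helpers.
local PROTECTED_PREFIX = "/path-service"
local AUTH_HOST = "validate-service.namespace.svc.cluster.local"
local AUTH_CLUSTER = "outbound|80||" .. AUTH_HOST

-- True when the path (query string ignored) is the protected prefix itself
-- or lies below it. Plain string comparison, no Lua patterns involved.
local function is_protected(path)
  if path == nil then return true end          -- no path header: fail closed
  local bare = path:match("^[^?#]*")           -- drop ?query and #fragment
  if bare == PROTECTED_PREFIX then return true end
  return bare:sub(1, #PROTECTED_PREFIX + 1) == PROTECTED_PREFIX .. "/"
end

local function deny(handle, status, body)
  handle:respond({[":status"] = status}, body)
end

function envoy_on_request(request_handle)
  local headers = request_handle:headers()
  if not is_protected(headers:get(":path")) then
    return                                     -- outside the protected API
  end

  -- Every method is validated, not only GET and POST.
  local token = headers:get("authorization")
  if token == nil or token == "" then
    return deny(request_handle, "401", "missing authorization header")
  end

  local response_headers, response_body = request_handle:httpCall(
    AUTH_CLUSTER,
    {
      [":method"] = "GET",
      [":path"] = "/path-for-validate",
      [":authority"] = AUTH_HOST,
      ["authorization"] = token
    },
    "",
    5000)                                      -- timeout in ms

  -- Anything other than an explicit 200 from the validator is a denial.
  local status = response_headers and response_headers[":status"]
  if tonumber(status) ~= 200 then
    request_handle:logWarn("validation failed, status " .. tostring(status))
    return deny(request_handle, "403", response_body or "forbidden")
  end
end
```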

Hi [Bastian_Ubilla1] - Any idea of how EnvoyFilter can cache certain information? For example, public-keys for a bunch of users for signature validation (asymmetric crypto validation).

I don’t know if this is possible. You could try to program what you need with Envoy Lua.

This link shows how to modify headers: https://istiobyexample.dev/response-headers/
I don’t know if this comes close to what you need.

This link can also guide you: https://istio.io/docs/concepts/security/