Need help wrapping my head around EnvoyFilter.RouteConfigurationMatch for ExtAuthz based on route

Hi all,

I have a service which is currently being authenticated via an external service. The EnvoyFilter configured is similar to this:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: auth
  namespace: default
spec:
  workloadSelector:
    labels:
      app.kubernetes.io/name: promos
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          portNumber: 8080
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"

      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.ext_authz
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
            grpc_service:
              envoy_grpc:
                cluster_name: auth.default.svc.cluster.local
              timeout: 0.5s

This works great so far. However, now I need to direct traffic to this same auth service, but only for a specific URL. I have a VS akin to this:

...
- match:
    - uri:
        prefix: /store
    - uri:
        prefix: /debug
  route:
    - destination:
        host: store.default.svc.cluster.local
        port:
          number: 8080
...

I want to add auth to the /debug endpoint as it is a more sensitive one. I obviously can’t use the same EnvoyFilter I’ve used before with ListenerMatch as I don’t need auth for /store, so I need to match based on route. However, this is where I’m having a hard time sussing out the correct config, as there are few examples for this and I haven’t quite grasped the mechanics yet.

I’m experimenting with this, but so far no luck and it’s likely I’m doing something super wrong:

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: debug-auth
  namespace: default
spec:
  workloadSelector:
    labels:
      app.kubernetes.io/name: store
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        routeConfiguration:
          vhost:
            route:
              name: "debug"

      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.ext_authz
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
            grpc_service:
              envoy_grpc:
                cluster_name: auth.default.svc.cluster.local
              timeout: 0.5s

This is failing with admission webhook "validation.istio.io" denied the request: configuration is invalid: Envoy filter: applyTo for listener class objects cannot have non listener match

I’m out of my depth here, so, any kind soul care to help me out? Anything is welcome. A pointer in the right direction would be awesome.

TIA
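The validation error above is Istio saying exactly what it means: `HTTP_FILTER` is a listener-class object, so its `match` may only contain `listener`; a `routeConfiguration` match is only accepted with `applyTo: HTTP_ROUTE`, `VIRTUAL_HOST` or `ROUTE_CONFIGURATION`. Two other details in the attempt would bite next: `ExtAuzPerRoute` has no `grpc_service` field (it can only disable or tune a filter that already exists in the chain, and it lives in a route's `typed_per_filter_config`, not in an `HTTP_FILTER` patch), and `context: GATEWAY` only applies to gateway workloads, so pairing it with a `workloadSelector` for the `store` sidecar matches nothing. The following is an added example of the EnvoyFilter route, not config from the original post. It assumes the VirtualService is bound to the default ingress gateway (label `istio: ingressgateway` in `istio-system`), that the hostname is `store.example.com`, and that the auth service speaks the ext_authz gRPC API on port 9000, giving the Istio cluster name `outbound|9000||auth.default.svc.cluster.local`; all of those are assumptions.

```yaml
# Added example, not the poster's config. Assumptions: default ingress gateway
# (istio: ingressgateway, namespace istio-system), host store.example.com,
# auth service on gRPC port 9000 with Istio cluster name
# outbound|9000||auth.default.svc.cluster.local.
#
# Step 1: give the two paths separate, named routes. Istio copies the HTTP
# route's `name` into the generated Envoy route, and that name is what
# routeConfiguration.vhost.route.name matches on. With both URI matches in
# one route (as in the original VS) Envoy sees a single route and cannot
# tell /store from /debug.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: store
  namespace: default
spec:
  hosts:
    - store.example.com              # assumed
  gateways:
    - istio-system/ingressgateway    # assumed gateway name
  http:
    - name: debug
      match:
        - uri:
            prefix: /debug
      route:
        - destination:
            host: store.default.svc.cluster.local
            port:
              number: 8080
    - name: store
      match:
        - uri:
            prefix: /store
      route:
        - destination:
            host: store.default.svc.cluster.local
            port:
              number: 8080
---
# Step 2: install ext_authz once at the listener level (a listener match is
# the only kind HTTP_FILTER accepts), then switch it off per route with
# HTTP_ROUTE patches. ExtAuthzPerRoute carries no grpc_service; it only
# toggles the filter configured in the first patch.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: debug-auth
  namespace: istio-system            # must be the gateway's namespace
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
              subFilter:
                name: envoy.filters.http.router
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.ext_authz
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
            transport_api_version: V3
            failure_mode_allow: false   # auth service down => deny, not allow
            grpc_service:
              envoy_grpc:
                cluster_name: outbound|9000||auth.default.svc.cluster.local
              timeout: 0.5s
    # Every route on this gateway is now checked. Opt /store back out by name;
    # /debug and anything unnamed stays protected, the fail-closed default.
    - applyTo: HTTP_ROUTE
      match:
        context: GATEWAY
        routeConfiguration:
          vhost:
            route:
              name: store
      patch:
        operation: MERGE
        value:
          typed_per_filter_config:
            envoy.filters.http.ext_authz:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
              disabled: true
```

Two things to check after applying it. `istioctl proxy-config listener <gateway-pod> -n istio-system -o json` should show `envoy.filters.http.ext_authz` ahead of the router in the HTTP connection manager, and `istioctl proxy-config route <gateway-pod> -n istio-system -o json` should show `typedPerFilterConfig` with `disabled: true` only on the route named `store`. Note the direction of the opt-out: the filter is enabled for every route the gateway serves, including routes from other VirtualServices on the same gateway, and only the routes you explicitly disable skip the check; adding `vhost.name` (for a gateway that is `<host>:<port>`) to the match narrows the opt-out to one host. Disabling per route is deliberate, since a route you forget to list is then checked rather than silently exposed.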

Hi @pslobo, did you ever get this working? I’m facing a similar situation and also had trouble finding examples.

Thanks!

Hi @scribs, in the end, I managed to get this working with a simple authorization policy and didn’t need to go down this route.
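For anyone landing here with the same question: the reply above does not show the policy it used, so the following is an added example, not the author's config, of how a path-scoped external authorizer is expressed without an EnvoyFilter. It uses an AuthorizationPolicy with `action: CUSTOM` backed by an `extensionProviders` entry in mesh config, which Istio supports from 1.9 onward. It assumes the auth service implements Envoy's ext_authz gRPC Check API on port 9000; the provider name `auth-grpc` is arbitrary.

```yaml
# Added example, not the reply author's config. Assumptions: the auth service
# implements Envoy's ext_authz gRPC Check API on port 9000; the provider name
# auth-grpc is arbitrary.
#
# Step 1: register the authorizer as an extension provider in mesh config.
# This is the relevant fragment of the `istio` ConfigMap in istio-system (or
# the meshConfig block of an IstioOperator); merge it into the existing
# mesh config rather than replacing the ConfigMap with this file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    extensionProviders:
      - name: auth-grpc
        envoyExtAuthzGrpc:
          service: auth.default.svc.cluster.local
          port: "9000"
          timeout: 0.5s
          failOpen: false    # authorizer unreachable => request denied
---
# Step 2: attach the provider to the store workload's sidecar, but only for
# /debug. Requests that match no rule in a CUSTOM policy never reach the
# external authorizer, so /store is not checked. Because the policy sits on
# the workload's inbound side it covers traffic from the ingress gateway and
# from other mesh workloads alike, without any route naming in the VS.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: debug-ext-authz
  namespace: default
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: store
  action: CUSTOM
  provider:
    name: auth-grpc
  rules:
    - to:
        - operation:
            paths: ["/debug", "/debug/*"]
```

Evaluation order matters here: Istio evaluates CUSTOM policies first, then DENY, then ALLOW, so a deny returned by the external authorizer for `/debug` cannot be undone by an ALLOW policy on the same workload, while a request the authorizer allows still has to pass any DENY/ALLOW policies you already have. `failOpen: false` is the default and is what you want for a sensitive endpoint; with `failOpen: true` an outage of the auth service would let `/debug` through unauthenticated. After applying, `istioctl proxy-config listener <store-pod> -n default -o json` shows the generated ext_authz filter and the per-route match on the inbound listener.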