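I am trying to apply the ext authz filter per route for my application, but it is failing. Below is the filter configuration.
Step 1. I applied the following configuration for the application and all requests go through the filter, but I want to disable the filter for a specific route path, so I am also using step 2.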
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: myFiltername
  namespace: myNamespace
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          failure_mode_allow: false
          http_service:
            authorization_request:
              allowed_headers:
                patterns:
                - exact: Authorization
            path_prefix: /mypath
            server_uri:
              cluster: outbound|8080||myClusterName
              timeout: 6s
              uri: myClusterName:8080
          with_request_body:
            allow_partial_message: true
            max_request_bytes: 8192
  workloadSelector:
    labels:
      app: myApp
```
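Step 2. Disable the ext authz filter based on the route or the virtual service path. When passing the route name, I don't see any difference after applying step 2, but when using the MERGE operation with a header match, calls made with the header go through the filter while other calls fail with a 404 error.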
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: myFiltername-bypass
  namespace: myNamespace
spec:
  workloadSelector:
    labels:
      app: myApp
  configPatches:
  - applyTo: HTTP_ROUTE
    match:
      context: SIDECAR_INBOUND
      routeConfiguration:
        portNumber: 8080
        vhost:
          name: inbound|http|8080
          # I tried with route name from virtual service but not working as expected
    patch:
      operation: MERGE
      value:
        match:
          headers:
          - name: some-header
            present_match: true
          prefix: /
        typed_per_filter_config:
          envoy.filters.http.ext_authz:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
            disabled: true
```
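
An added example, not part of the original post and not Istio or Envoy code: a small static check over the two patches above, reduced to Python dicts (constructed input), that flags three things worth reviewing in an ext_authz per-route bypass. `lint_bypass` is a hypothetical helper name, and the check assumes Envoy's documented rule that a `typed_per_filter_config` key matches the HTTP filter's configured name.

```python
# Constructed input: the two patches from the post, reduced to the fields checked.
INSERT_PATCH = {
    "applyTo": "HTTP_FILTER",
    "patch": {"operation": "INSERT_BEFORE",
              "value": {"name": "envoy.ext_authz"}},
}
ROUTE_PATCH = {
    "applyTo": "HTTP_ROUTE",
    "patch": {"operation": "MERGE", "value": {
        "match": {"headers": [{"name": "some-header", "present_match": True}],
                  "prefix": "/"},
        "typed_per_filter_config": {
            "envoy.filters.http.ext_authz": {"disabled": True}},
    }},
}

def lint_bypass(filter_patch, route_patch):
    """Return findings for an ext_authz per-route bypass patch (hypothetical helper)."""
    findings = []
    filter_name = filter_patch["patch"]["value"]["name"]
    value = route_patch["patch"]["value"]
    overrides = value.get("typed_per_filter_config", {})
    # Assumption: the per-route key must equal the HTTP filter's configured name.
    for key in overrides:
        if key != filter_name:
            findings.append(
                f"override key {key!r} differs from filter name {filter_name!r}")
    match = value.get("match", {})
    headers = match.get("headers", [])
    if route_patch["patch"]["operation"] == "MERGE" and match:
        # MERGE edits the existing route in place, so its match criteria change too.
        for h in headers:
            findings.append(
                f"merged match requires header {h['name']!r} on the patched route; "
                "requests without it no longer match that route")
    disabled = any(o.get("disabled") for o in overrides.values())
    if disabled and any(h.get("present_match") for h in headers):
        # Only the header's presence is tested, never its value.
        findings.append(
            "authorization is skipped for any request that merely carries the header")
    return findings

if __name__ == "__main__":
    for finding in lint_bypass(INSERT_PATCH, ROUTE_PATCH):
        print("-", finding)
```
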