Tags: amazon-web-services, kubernetes, amazon-eks, envoyproxy

Envoy Filter is only getting applied on calls to External Load Balancer but not on Traffic to inbound ingress for Specific Service


I have a K8s cluster and exposed its address using the command kubectl get svc istio-ingressgateway -n istio-system. Let's assume the address was a467.kongz.com.

There's an EnvoyFilter in my cluster that uses ExtAuth and attaches an extra header, Is-Kong-Verified, to the response headers. Consider something similar to this: https://stackoverflow.com/a/67350456/10858217

Now when I make an API call with curl -v a467.kongz.com/stream/1, the request reaches the external auth system, the response headers have Is-Kong-Verified attached, and the request finally reaches the upstream service, the Kong Stream Service pod (/stream/1).

Now when I make calls to the Kong Stream Service, which is exposed to the public via Ingress as https://stream.kongz.com/stream/1, the request is not picked up by the EnvoyFilter but reaches the end service.

End Goal

I need the EnvoyFilter to be applied to all incoming requests inside the cluster, even if the service is requested directly.

NOTE: The target service/deployment has the Istio sidecar injected.

I have checked a few documents and realized that there should be a gateway service like Ambassador or Nginx that acts as a proxy to the services. So when the client/user makes calls to the Nginx proxy, it routes the traffic to the ALB or cluster address, then the request goes through the EnvoyFilter and then reaches the upstream service.

Is it possible to achieve the end goal without any proxy system (Nginx, Ambassador), or am I missing something?

Thanks in advance for the answer.


Solution

  • Finally, I have found a solution to my query.

    Compared to the spec.configPatches.context=GATEWAY configuration in the following doc, "envoy filter to intercept upstream response",

    it should be changed to spec.configPatches.context=SIDECAR_INBOUND, and the workload selector needs to be changed to labels that match the target pods in any namespace.

    Use the following doc for more context: https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-PatchContext

    Now this will allow API calls to the specific service via Ingress to be intercepted by the EnvoyFilter.

    Make sure the pods have a label that matches the workload selector (spec.workloadSelector.labels). For instance, it should be similar to the following:

    spec:
      workloadSelector:
        labels:
          externalAuth: enabled
    

    And your pod(s) have the label externalAuth: enabled.
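The complete EnvoyFilter that the answer above describes, written out as an added example (this is not the asker's manifest and not the one in the linked Stack Overflow answer). It patches the sidecar's inbound HTTP filter chain with an ext_authz filter, so the check runs inside the Kong Stream Service pod no matter which path the request took to get there. Assumptions, not taken from the page: the external auth service is reachable in the mesh as ext-authz.auth.svc.cluster.local on port 8000, the Istio root namespace is istio-system (the default), and the auth service returns the Is-Kong-Verified header in its 200 response. The Deployment fragment at the end only shows where the selector label has to sit.

```yaml
# Added example: EnvoyFilter applied at the sidecar, not the gateway.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz-sidecar-inbound
  # Assumption: istio-system is the mesh root namespace. An EnvoyFilter placed
  # there is matched against workloads in every namespace; in any other
  # namespace the workloadSelector only matches pods of that namespace.
  namespace: istio-system
spec:
  # Only pods carrying this label get the patch. The ingress gateway pod does
  # not carry it, so the GATEWAY-context filter from before no longer applies.
  workloadSelector:
    labels:
      externalAuth: enabled
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      # SIDECAR_INBOUND: traffic arriving at the pod, regardless of whether it
      # came through the Istio ingress gateway, a separate Ingress, or another pod.
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      # Run ext_authz before the router so an unauthorized request never
      # reaches the application container.
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          transport_api_version: V3
          # Fail closed: if the auth service is down, deny rather than allow.
          failure_mode_allow: false
          http_service:
            server_uri:
              # Assumption: hypothetical auth service name and port.
              uri: http://ext-authz.auth.svc.cluster.local:8000
              # Istio cluster name format: outbound|<port>||<fqdn>
              cluster: outbound|8000||ext-authz.auth.svc.cluster.local
              timeout: 0.5s
            authorization_request:
              # Only forward the headers the auth service needs.
              allowed_headers:
                patterns:
                - exact: authorization
                - exact: cookie
            authorization_response:
              # Headers from the auth service's 200 response that are copied
              # onto the request before it reaches the Kong Stream Service.
              allowed_upstream_headers:
                patterns:
                - exact: is-kong-verified
---
# Added example: the selector label must be on the pod template, not only on
# the Deployment object itself.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong-stream   # hypothetical name
  namespace: kong     # hypothetical namespace
spec:
  selector:
    matchLabels:
      app: kong-stream
  template:
    metadata:
      labels:
        app: kong-stream
        externalAuth: enabled   # matched by spec.workloadSelector.labels
    spec:
      containers:
      - name: kong-stream
        image: example.invalid/kong-stream:latest   # placeholder image
        ports:
        - containerPort: 8080
```

To confirm the patch landed, dump the sidecar's listeners and look for the filter: istioctl proxy-config listener <kong-stream-pod> -n kong -o json | grep -c ext_authz should be non-zero. If the gateway path (a467.kongz.com) still needs the check as well, keep the original GATEWAY-context EnvoyFilter in place or add a second configPatches entry with context: GATEWAY; otherwise requests that enter through the ingress gateway are now authorized only once, at the sidecar, which is the intended behaviour here.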