
I need to exclude a specific host from the EnvoyFilter that looks like this:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
spec:
  workloadLabels:
    istio: ingressgateway
  filters:
  - filterConfig:
      httpService:
        serverUri:
          uri: http://authservice.$(namespace).svc.cluster.local
          cluster: outbound|8080||authservice.$(namespace).svc.cluster.local
          failureModeAllow: false
          timeout: 10s
        authorizationRequest:
          allowedHeaders:
            patterns:
            - exact: "cookie"
            - exact: "X-Auth-Token"
        authorizationResponse:
          allowedUpstreamHeaders:
            patterns:
            - exact: "kubeflow-userid"
      statusOnError:
        code: GatewayTimeout
    filterName: envoy.ext_authz
    filterType: HTTP
    insertPosition:
      index: FIRST
    listenerMatch:
      listenerType: GATEWAY

The problem is that the filter applies to the default Istio ingress gateway, which affects all traffic that is coming through that gateway. I would like to have some hosts that could be excluded / whitelisted from the filter.

Alex Pryiomka
  • The only thing I found about that is [here](https://discuss.istio.io/t/ip-whitelisting-with-authorizationpolicy-in-eks/5618), but I'm not sure it works. Maybe you could think about changing it from the Istio ingress gateway to specific pod labels, namespaces as mentioned in the [Istio documentation](https://istio.io/docs/reference/config/networking/envoy-filter/)? – Jakub May 22 '20 at 10:16
  • Did you find a solution to this? – reza Jun 14 '20 at 23:53

1 Answer

I found my answer here. The question asks to exclude some paths, but I was successful with hosts as well. This is what I used:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-authn
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_ROUTE
    match:
      routeConfiguration:
        vhost:
          name: subdomain.example.org:80 # <== your host goes here
    patch:
      operation: MERGE
      value:
        name: envoy.ext_authz_disabled
        typed_per_filter_config:
          envoy.ext_authz:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
            disabled: true

More information is in the Istio documentation. Specifically, the documentation says that you should also put the port into the name: field, but I think it should work without it as well.

vladimirror
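As an added example (this is not the answer author's code, nor Istio's), the following stdlib-only Python script generates the per-host bypass EnvoyFilter shown in the answer for a whole list of hosts, and also does the reverse for review: given any EnvoyFilter, it lists every virtual host whose routes have `envoy.ext_authz` disabled, flagging a patch that has no vhost match at all (which would exempt every host on the gateway). It assumes the gateway label `istio=ingressgateway`, the filter name `envoy.ext_authz`, port 80 in the vhost name as the Istio docs describe, and the hostnames are constructed placeholders.

```python
"""Generate and audit Istio EnvoyFilters that bypass ext_authz for chosen hosts.

Added example, stdlib only; not the answer author's code or Istio's own tooling.
Assumptions: gateway label istio=ingressgateway, filter name "envoy.ext_authz",
EnvoyFilter placed in istio-system, vhost names of the form "<host>:<port>".
"""
import json

EXT_AUTHZ_PER_ROUTE = (
    "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"
)


def vhost_name(host, port=80):
    """Envoy names a gateway virtual host '<host>:<port>'; the port is included."""
    host = host.strip().lower()
    if not host or "/" in host or " " in host or ":" in host:
        raise ValueError(f"not a bare hostname: {host!r}")
    return f"{host}:{port}"


def build_bypass_filter(hosts, port=80, namespace="istio-system", name="bypass-authn"):
    """One HTTP_ROUTE MERGE patch per exempted host, each disabling envoy.ext_authz.

    Keeping one patch per explicit host means the exemption list is visible in
    the manifest itself; nothing is exempted by wildcard.
    """
    patches = []
    for host in hosts:
        patches.append({
            "applyTo": "HTTP_ROUTE",
            "match": {"routeConfiguration": {"vhost": {"name": vhost_name(host, port)}}},
            "patch": {
                "operation": "MERGE",
                "value": {
                    "name": "envoy.ext_authz_disabled",
                    "typed_per_filter_config": {
                        "envoy.ext_authz": {"@type": EXT_AUTHZ_PER_ROUTE, "disabled": True}
                    },
                },
            },
        })
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "EnvoyFilter",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "workloadSelector": {"labels": {"istio": "ingressgateway"}},
            "configPatches": patches,
        },
    }


def audit_bypasses(envoyfilter):
    """Return the vhost names for which this EnvoyFilter disables ext_authz.

    Every name returned is a host whose requests skip the external auth service.
    A patch without a vhost match is reported as "<any vhost>", because a MERGE
    with no match applies to every route on the gateway.
    """
    found = []
    for cp in envoyfilter.get("spec", {}).get("configPatches", []):
        if cp.get("applyTo") != "HTTP_ROUTE":
            continue
        per_filter = cp.get("patch", {}).get("value", {}).get("typed_per_filter_config", {})
        authz = per_filter.get("envoy.ext_authz", {})
        if authz.get("disabled") is True:
            vhost = cp.get("match", {}).get("routeConfiguration", {}).get("vhost", {})
            found.append(vhost.get("name", "<any vhost>"))
    return found


def to_manifest(envoyfilter):
    """kubectl apply accepts JSON, so no YAML library is needed."""
    return json.dumps(envoyfilter, indent=2)


if __name__ == "__main__":
    # Constructed sample hosts, not from the original page.
    ef = build_bypass_filter(["public.example.org", "Healthz.example.org"])
    print(to_manifest(ef))
    print("ext_authz disabled for:", audit_bypasses(ef))
```

Running `audit_bypasses` over the EnvoyFilters in `istio-system` (for example after `kubectl get envoyfilter -n istio-system -o json` and loading each item) gives a quick inventory of which hosts currently bypass the auth service, which is the list a reviewer wants to compare against the intended allowlist.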