I am trying to set TCP idleTimeout via an Envoy Filter, so that outbound connections to the external domain some.app.com will be terminated if they are idle for 5s:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: listener-timeout-tcp
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_OUTBOUND
      listener:
        filterChain:
          sni: some.app.com
          filter:
            name: envoy.filters.network.tcp_proxy
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.tcp_proxy
        typed_config:
          '@type': type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy
          idle_timeout: 5s
```

However, when I try to apply this filter I get the following error:

```
Error from server: error when creating "filter.yaml": admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: envoy filter: missing filters
```

So, I realised that the EnvoyFilter configuration above is not supported by Istio 1.2.5, so I modified the configuration to work with the old version:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: tcp-idle-timeout
spec:
  workloadSelector:
    labels:
      app: mecha-dev
  filters:
    - listenerMatch:
        listenerType: SIDECAR_OUTBOUND
        listenerProtocol: TCP
      filterName: envoy.tcp_proxy
      filterType: NETWORK
      filterConfig:
        idle_timeout: 5s
```

After modifying it, the EnvoyFilter was created, but it does not seem to have any effect on the outbound requests. Also, I couldn't find a way to restrict this filter to only outbound requests going to the external service some.app.com.

Is there something missing in my EnvoyFilter configuration? Also, can we restrict this filter to just some.app.com? There's an address option under listenerMatch, but what if the IP address of the external service keeps on changing?

Istio and EnvoyProxy version used:

```
ISTIO_VERSION=1.2.5
ENVOY_VERSION=1.11.0-dev
```
bakadevops
  • Hello @bakadevops. Could you please tell us which version of Istio you are using? – Wytrzymały Wiktor Apr 28 '21 at 09:22
  • @WytrzymałyWiktor the Istio version is `1.2.5` and the Envoy version it uses is `1.11.0-dev`. – bakadevops Apr 28 '21 at 16:39
  • You should upgrade to the latest version, support for 1.2 ended in Dec 2019 – Chris Apr 29 '21 at 07:29
  • @ChristophRaab I realised that this EnvoyFilter configuration does not work because it is not supported by version `1.2.5`. Yes, upgrading Istio will help, but it is an old production cluster, so I cannot do that now. Is there any other workaround to make it work? – bakadevops Apr 29 '21 at 07:34
  • You can use the old docs and modify your filter to work with the old API: https://istio.io/v1.2/docs/reference/config/networking/v1alpha3/envoy-filter/ – Chris Apr 29 '21 at 07:40
  • @ChristophRaab I modified the filter and it was created successfully but seems to have no effect. I have updated the question with my modified filter configuration. Is there something missing in it? Thanks. – bakadevops Apr 29 '21 at 09:15
  • I guess the EnvoyFilter config is wrong. Run `istioctl dashboard envoy mecha-dev` and get the Envoy dump. There you can see if the config is used. – Chris Apr 29 '21 at 13:05
  • Any update? I also replied to you on [serverfault](https://serverfault.com/questions/1062044/why-is-my-istio-envoyfilter-with-tcp-idle-timeout-setting-isnt-working#comment1383839_1062044) – Vit Apr 30 '21 at 13:59
  • @Vitalii I couldn't make the filter work. I checked the envoy dump and it is not being used. – bakadevops Apr 30 '21 at 14:53

1 Answer

This is a community wiki answer. Feel free to expand it.

As already discussed in the comments, the EnvoyFilter was not yet supported in Istio version 1.2, and that version has actually been out of support since Dec 2019.

I strongly recommend upgrading to the latest Istio and Envoy versions. Also, after you upgrade, please note that the filter name you want to use was deprecated and replaced. You should now use envoy.filters.network.tcp_proxy instead of envoy.tcp_proxy.

Please remember that things are getting deprecated for a reason and keeping the old versions will sooner or later bring you more trouble. Try to keep things more up-to-date.

More details can be found in the latest docs.

Wytrzymały Wiktor
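
The comments above suggest pulling the Envoy config dump to see whether the filter was actually applied. The following is an added example, not code from the question, the answer or the Istio project: it walks a config dump and reports the `idle_timeout` of every tcp_proxy filter, per SNI. The sample dump is constructed, its listener and cluster names are made up, and the two dump layouts it handles are assumptions about the proxy version.

```python
# Added example: audit tcp_proxy idle_timeout values in an Envoy config dump.
import json
import sys

TCP_PROXY_NAMES = {"envoy.tcp_proxy", "envoy.filters.network.tcp_proxy"}

# Constructed sample, not output from a real proxy; names are made up.
SAMPLE_DUMP = {"configs": [{"dynamic_active_listeners": [
    {"listener": {"name": "0.0.0.0_443", "filter_chains": [
        {"filter_chain_match": {"server_names": ["some.app.com"]},
         "filters": [{"name": "envoy.tcp_proxy",
                      "config": {"cluster": "outbound|443||some.app.com"}}]},
        {"filters": [{"name": "envoy.tcp_proxy",
                      "config": {"cluster": "PassthroughCluster",
                                 "idle_timeout": "5s"}}]}]}}]}]}


def iter_listeners(dump):
    """Yield listener dicts; both layouts below are assumptions."""
    for section in dump.get("configs", []):
        for entry in section.get("dynamic_active_listeners", []):  # older layout
            yield entry.get("listener", {})
        for entry in section.get("dynamic_listeners", []):         # newer layout
            yield entry.get("active_state", {}).get("listener", {})


def tcp_proxy_timeouts(dump):
    """Return (listener, server_names, cluster, idle_timeout) per tcp_proxy filter."""
    rows = []
    for listener in iter_listeners(dump):
        for chain in listener.get("filter_chains", []):
            sni = tuple(chain.get("filter_chain_match", {}).get("server_names", []))
            for flt in chain.get("filters", []):
                if flt.get("name") in TCP_PROXY_NAMES:
                    cfg = flt.get("typed_config") or flt.get("config") or {}
                    rows.append((listener.get("name"), sni,
                                 cfg.get("cluster"), cfg.get("idle_timeout")))
    return rows


def not_patched(dump, sni, expected="5s"):
    """Filters serving `sni` whose idle_timeout is not the expected value."""
    return [r for r in tcp_proxy_timeouts(dump) if sni in r[1] and r[3] != expected]


if __name__ == "__main__":
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    for row in tcp_proxy_timeouts(dump):
        print(row)
```

Run it with the path to a saved dump as the first argument; a row whose last field is `None` means the proxy is still using its default idle timeout for that filter chain.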