Istio: EnvoyFilter not being applied to the workload sidecar "virtual" listener

Created on 15 Jul 2019  路  3Comments  路  Source: istio/istio

(NOTE: This is used to report product bugs:
To report a security vulnerability, please visit https://istio.io/about/security-vulnerabilities/
To ask questions about how to use Istio, please visit https://discuss.istio.io
)

Bug description
EnvoyFilter CR object is not being applied to the "virtual" listener of a workload sidecar.
No logs are visible neither in the pilot > discovery container nor the workload proxy.

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Expected behavior
The configured Filter get inserted into the matching "virtual" listeners FilterChain and shows up in the dynamic_listener_config block.

Steps to reproduce the bug
Deploy sleep app in sidecar-injection=enabled labeled namespace (default)

Create EnvoyFilter CR object with the following spec

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: sleep-filter
  namespace: default
spec:
  workloadLabels:
    app: sleep
  filters:
  - listenerMatch:
      portNumber: 15001
      listenerType: SIDECAR_OUTBOUND
      listenerProtocol: TCP
      address: 
      - 0.0.0.0
    filterName: envoy.tcp_proxy
    filterType: NETWORK
    filterConfig:
      cluster: "BlackHoleCluster"
      stat_prefix: "BlackHoleCluster"

Version (include the output of istioctl version --remote and kubectl version)
Istio 1.2.2

How was Istio installed?
Using install/kubernetes/helm/istio/values.yaml

Environment where bug was observed (cloud vendor, OS, etc)
Minikube

Additionally, please consider attaching a cluster state archive by attaching
the dump file to this issue.

Additional Concern:
Investigating the code for listener.go and the LDS Listener config generation, it seems like the listener generator is hard coded to skip EnvoyFilter CRDs. I might be looking at the wrong section perhaps, but if that is not the case, then this means it would never apply to the generated Config.
See https://github.com/istio/istio/blob/master/pilot/pkg/networking/core/v1alpha3/listener.go#L300-L318

arenetworking
Source
picture nitishm

Most helpful comment

fixed in new envoy filter impl in master

picture rshriram on 31 Jul 2019
👍3

All 3 comments

More details - https://discuss.istio.io/t/applying-envoyfilter-to-the-virtual-listener/3087

nitishm picture nitishm on 15 Jul 2019

as stated, it doesn't apply to virtual listeners. Its not much of a change to get this to work with old envoy filter spec, but you would then need a patch release (1.2.3 or something).

rshriram picture rshriram on 21 Jul 2019

fixed in new envoy filter impl in master

rshriram picture rshriram on 31 Jul 2019
👍3
Was this page helpful?
0 / 5 - 0 ratings

Related issues

kovalyukm picture kovalyukm  路  63Comments
ldemailly picture ldemailly  路  87Comments
Stono picture Stono  路  93Comments
oaktowner picture oaktowner  路  73Comments
yacut picture yacut  路  73Comments