EnvoyFilterUsesRelativeOperationWithProxyVersion

消息名称EnvoyFilterUsesRelativeOperationWithProxyVersion
消息代码IST0155
描述This EnvoyFilter does not have a priority and has a relative patch operation (NSTERT_BEFORE/AFTER, REPLACE, MERGE, DELETE) and proxyVersion set which can cause the EnvoyFilter not to be applied during an upgrade. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.
等级Warning

EnvoyFilter 没有设置优先级并没有使用相关补丁操作 (INSERT_BEFORE/AFTERREPLACEMERGEDELETE) 和 proxyVersion 时会出现此消息,这可能会导致 EnvoyFilter 升级期间没有被应用。使用 INSERT_FIRSTADD 选项或设置优先级可能有助于确保 EnvoyFilter 被正确应用。 关注 proxyVersion 的原因是,在升级后,proxyVersion 可能会发生变化, 升级后它的使用顺序可能不同于升级前的顺序。

示例

考虑一个 EnvoyFilter 的补丁操作 REPLACE,并使用 proxyVersion

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: EnvoyFilter
  3. metadata:
  4. name: test-replace-3
  5. namespace: bookinfo
  6. spec:
  7. workloadSelector:
  8. labels:
  9. app: reviews4
  10. configPatches:
  11. # 第一个补丁将 Lua 过滤器添加到 listener/http 连接管理器
  12. - applyTo: HTTP_FILTER
  13. match:
  14. context: SIDECAR_OUTBOUND
  15. proxy:
  16. proxyVersion: '^1\.11.*'
  17. listener:
  18. portNumber: 8080
  19. filterChain:
  20. filter:
  21. name: "envoy.filters.network.http_connection_manager"
  22. subFilter:
  23. name: "envoy.filters.http.router"
  24. patch:
  25. operation: REPLACE
  26. value: # Lua 过滤器规范
  27. name: envoy.lua
  28. typed_config:
  29. "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
  30. inlineCode: |
  31. function envoy_on_request(request_handle)
  32. -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
  33. local headers, body = request_handle:httpCall(
  34. "lua_cluster",
  35. {
  36. [":method"] = "POST",
  37. [":path"] = "/acl",
  38. [":authority"] = "internal.org.net"
  39. },
  40. "authorize call",
  41. 1000)
  42. end
  43. apiVersion: networking.istio.io/v1alpha3
  44. kind: EnvoyFilter
  45. metadata:
  46. name: test-replace-4
  47. namespace: bookinfo
  48. spec:
  49. workloadSelector:
  50. labels:
  51. app: reviews4
  52. configPatches:
  53. - applyTo: HTTP_FILTER
  54. match:
  55. context: SIDECAR_OUTBOUND
  56. patch:
  57. operation: REPLACE
  58. value: # Lua 过滤器规范
  59. name: envoy.lua
  60. typed_config:
  61. "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
  62. inlineCode: |
  63. function envoy_on_request(request_handle)
  64. -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
  65. local headers, body = request_handle:httpCall(
  66. "lua_cluster",
  67. {
  68. [":method"] = "POST",
  69. [":path"] = "/acl",
  70. [":authority"] = "internal.org.net"
  71. },
  72. "authorize call",
  73. 5000)
  74. end

如何修复

因为 REPLACE 的相关操作是与 proxyVersion 一起使用, 所以添加 priority 可以解决这个问题:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: EnvoyFilter
  3. metadata:
  4. name: test-replace-3
  5. namespace: bookinfo
  6. spec:
  7. workloadSelector:
  8. labels:
  9. app: reviews4
  10. priority: 10
  11. configPatches:
  12. # 第一个补丁将 Lua 过滤器添加到 listener/http 连接管理器
  13. - applyTo: HTTP_FILTER
  14. match:
  15. context: SIDECAR_OUTBOUND
  16. proxy:
  17. proxyVersion: '^1\.11.*'
  18. listener:
  19. portNumber: 8080
  20. filterChain:
  21. filter:
  22. name: "envoy.filters.network.http_connection_manager"
  23. subFilter:
  24. name: "envoy.filters.http.router"
  25. patch:
  26. operation: REPLACE
  27. value: # Lua 过滤器规范
  28. name: envoy.lua
  29. typed_config:
  30. "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
  31. inlineCode: |
  32. function envoy_on_request(request_handle)
  33. -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
  34. local headers, body = request_handle:httpCall(
  35. "lua_cluster",
  36. {
  37. [":method"] = "POST",
  38. [":path"] = "/acl",
  39. [":authority"] = "internal.org.net"
  40. },
  41. "authorize call",
  42. 1000)
  43. end
  44. apiVersion: networking.istio.io/v1alpha3
  45. kind: EnvoyFilter
  46. metadata:
  47. name: test-replace-4
  48. namespace: bookinfo
  49. spec:
  50. workloadSelector:
  51. labels:
  52. app: reviews4
  53. priority: 20
  54. configPatches:
  55. - applyTo: HTTP_FILTER
  56. match:
  57. context: SIDECAR_OUTBOUND
  58. patch:
  59. operation: REPLACE
  60. value: #Lua filter specification
  61. name: envoy.lua
  62. typed_config:
  63. "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
  64. inlineCode: |
  65. function envoy_on_request(request_handle)
  66. -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
  67. local headers, body = request_handle:httpCall(
  68. "lua_cluster",
  69. {
  70. [":method"] = "POST",
  71. [":path"] = "/acl",
  72. [":authority"] = "internal.org.net"
  73. },
  74. "authorize call",
  75. 5000)
  76. end