Envoy Filter

EnvoyFilter provides a mechanism to customize the Envoyconfiguration generated by Istio Pilot. Use EnvoyFilter to modifyvalues for certain fields, add specific filters, or even addentirely new listeners, clusters, etc. This feature must be usedwith care, as incorrect configurations could potentiallydestabilize the entire mesh. Unlike other Istio networking objects,EnvoyFilters are additively applied. Any number of EnvoyFilters canexist for a given workload in a specific namespace. The order ofapplication of these EnvoyFilters is as follows: all EnvoyFiltersin the config rootnamespace,followed by all matching EnvoyFilters in the workload’s namespace.

NOTE 1: Since this is break glass configuration, there will notbe any backward compatibility across different Istio releases. Inother words, this configuration is subject to change based oninternal implementation of Istio networking subsystem.

NOTE 2: The envoy configuration provided through this mechanismshould be carefully monitored across Istio proxy version upgrades,to ensure that deprecated fields are removed and replacedappropriately.

NOTE 3: When multiple EnvoyFilters are bound to the sameworkload in a given namespace, all patches will be processedsequentially in order of creation time. The behavior is undefinedif multiple EnvoyFilter configurations conflict with each other.

NOTE 4: *_To apply an EnvoyFilter resource to all workloads(sidecars and gateways) in the system, define the resource in theconfig rootnamespace,without a workloadSelector.

The example below declares a global default EnvoyFilter resource inthe root namespace called istio-config, that adds a customprotocol filter on all sidecars in the system, for outbound port9307. The filter should be added before the terminating tcp_proxyfilter to take effect. In addition, it sets a 30s idle timeout forall HTTP connections in both gateays and sidecars.

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: EnvoyFilter
  3. metadata:
  4.   name: custom-protocol
  5.   namespace: istio-config # as defined in meshConfig resource.
  6. spec:
  7.   configPatches:
  8.   - applyTo: NETWORK_FILTER
  9.     match:
  10.       context: SIDECAR_OUTBOUND # will match outbound listeners in all sidecars
  11.       listener:
  12.         portNumber: 9307
  13.         filterChain:
  14.           filter:
  15.             name: "envoy.tcp_proxy"
  16.     patch:
  17.       operation: INSERT_BEFORE
  18.       value:
  19.         name: "envoy.config.filter.network.custom_protocol"
  20.         config:
  21.          ...
  22.   - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
  23.     match:
  24.       # context omitted so that this applies to both sidecars and gateways
  25.       listener:
  26.         filterChain:
  27.           filter:
  28.             name: "envoy.http_connection_manager"
  29.     patch:
  30.       operation: MERGE
  31.       value:
  32.         typed_config:
  33.           "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
  34.           idle_timeout: 30s

The following example enables Envoy’s Lua filter for all inboundHTTP calls arriving at service port 8080 of the reviews service podwith labels “app: reviews”, in the bookinfo namespace. The luafilter calls out to an external service internal.org.net:8888 thatrequires a special cluster definition in envoy. The cluster is alsoadded to the sidecar as part of this configuration.

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: EnvoyFilter
  3. metadata:
  4.   name: reviews-lua
  5.   namespace: bookinfo
  6. spec:
  7.   workloadSelector:
  8.     labels:
  9.       app: reviews
  10.   configPatches:
  11.     # The first patch adds the lua filter to the listener/http connection manager
  12.   - applyTo: HTTP_FILTER
  13.     match:
  14.       context: SIDECAR_INBOUND
  15.       listener:
  16.         portNumber: 8080
  17.         filterChain:
  18.           filter:
  19.             name: "envoy.http_connection_manager"
  20.             subFilter:
  21.               name: "envoy.router"
  22.     patch:
  23.       operation: INSERT_BEFORE
  24.       value: # lua filter specification
  25.        name: envoy.lua
  26.        config:
  27.          inlineCode: |
  28.            function envoy_on_request(request_handle)
  29.              -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
  30.              local headers, body = request_handle:httpCall(
  31.               "lua_cluster",
  32.               {
  33.                [":method"] = "POST",
  34.                [":path"] = "/acl",
  35.                [":authority"] = "internal.org.net"
  36.               },
  37.              "authorize call",
  38.              5000)
  39.            end
  40.   # The second patch adds the cluster that is referenced by the lua code
  41.   # cds match is omitted as a new cluster is being added
  42.   - applyTo: CLUSTER
  43.     match:
  44.       context: SIDECAR_OUTBOUND
  45.     patch:
  46.       operation: ADD
  47.       value: # cluster specification
  48.         name: "lua_cluster"
  49.         type: STRICT_DNS
  50.         connect_timeout: 0.5s
  51.         lb_policy: ROUND_ROBIN
  52.         hosts:
  53.         - socket_address:
  54.             protocol: TCP
  55.             address: "internal.org.net"
  56.             port_value: 8888

The following example overwrites certain fields (HTTP idle timeoutand X-Forward-For trusted hops) in the HTTP connection manager in alistener on the ingress gateway in istio-system namespace for theSNI host app.example.com:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: EnvoyFilter
  3. metadata:
  4.   name: hcm-tweaks
  5.   namespace: istio-system
  6. spec:
  7.   workloadSelector:
  8.     labels:
  9.       istio: ingress-gateway
  10.   configPatches:
  11.   - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
  12.     match:
  13.       context: GATEWAY
  14.       listener:
  15.         filterChain:
  16.           sni: app.example.com
  17.           filter:
  18.             name: "envoy.http_connection_manager"
  19.     patch:
  20.       operation: MERGE
  21.       value:
  22.         idle_timeout: 30s
  23.         xff_num_trusted_hops: 5

EnvoyFilter

EnvoyFilter provides a mechanism to customize the Envoy configurationgenerated by Istio Pilot.

FieldTypeDescriptionRequired
workloadSelectorWorkloadSelectorCriteria used to select the specific set of pods/VMs on whichthis patch configuration should be applied. If omitted, the setof patches in this configuration will be applied to all workloadinstances in the same namespace. If omitted, the EnvoyFilterpatches will be applied to all workloads in the samenamespace. If the EnvoyFilter is present in the config rootnamespace, it will be applied to all applicable workloads in anynamespace.No
configPatchesEnvoyConfigObjectPatch[]One or more patches with match conditions.Yes

EnvoyFilter.ApplyTo

ApplyTo specifies where in the Envoy configuration, the given patch should be applied.

NameDescription
INVALID
LISTENERApplies the patch to the listener.
FILTER_CHAINApplies the patch to the filter chain.
NETWORK_FILTERApplies the patch to the network filter chain, to modify anexisting filter or add a new filter.
HTTP_FILTERApplies the patch to the HTTP filter chain in the httpconnection manager, to modify an existing filter or add a newfilter.
ROUTE_CONFIGURATIONApplies the patch to the Route configuration (rds output)inside a HTTP connection manager. This does not apply to thevirtual host. Currently, only MERGE operation is allowed on theroute configuration objects.
VIRTUAL_HOSTApplies the patch to a virtual host inside a route configuration.
HTTP_ROUTEApplies the patch to a route object inside the matched virtualhost in a route configuration. Currently, only MERGE operationis allowed on the route objects.
CLUSTERApplies the patch to a cluster in a CDS output. Also used to add new clusters.

EnvoyFilter.ClusterMatch

Conditions specified in ClusterMatch must be met for the patchto be applied to a cluster.

FieldTypeDescriptionRequired
portNumberuint32The service port for which this cluster was generated. Ifomitted, applies to clusters for any port.No
servicestringThe fully qualified service name for this cluster. If omitted,applies to clusters for any service. For services definedthrough service entries, the service name is same as the hostsdefined in the service entry.No
subsetstringThe subset associated with the service. If omitted, applies toclusters for any subset of a service.No
namestringThe exact name of the cluster to match. To match a specificcluster by name, such as the internally generated “Passthrough”cluster, leave all fields in clusterMatch empty, except thename.No

EnvoyFilter.DeprecatedListenerMatch.ListenerProtocol

NameDescription
ALLAll protocols
HTTPHTTP or HTTPS (with termination) / HTTP2/gRPC
TCPAny non-HTTP listener

EnvoyFilter.DeprecatedListenerMatch.ListenerType

NameDescription
ANYAll listeners
SIDECAR_INBOUNDInbound listener in sidecar
SIDECAR_OUTBOUNDOutbound listener in sidecar
GATEWAYGateway listener

EnvoyFilter.EnvoyConfigObjectMatch

One or more match conditions to be met before a patch is appliedto the generated configuration for a given proxy.

FieldTypeDescriptionRequired
contextPatchContextThe specific config generation context to match on. Istio Pilotgenerates envoy configuration in the context of a gateway,inbound traffic to sidecar and outbound traffic from sidecar.No
proxyProxyMatchMatch on properties associated with a proxy.No
listenerListenerMatch (oneof)Match on envoy listener attributes.Yes
routeConfigurationRouteConfigurationMatch (oneof)Match on envoy HTTP route configuration attributes.Yes
clusterClusterMatch (oneof)Match on envoy cluster attributes.Yes

EnvoyFilter.EnvoyConfigObjectPatch

Changes to be made to various envoy config objects.

FieldTypeDescriptionRequired
applyToApplyToSpecifies where in the Envoy configuration, the patch should beapplied. The match is expected to select the appropriateobject based on applyTo. For example, an applyTo withHTTP_FILTER is expected to have a match condition on thelisteners, with a network filter selection onenvoy.http_connection_manager and a sub filter selection on theHTTP filter relative to which the insertion should beperformed. Similarly, an applyTo on CLUSTER should have a match(if provided) on the cluster and not on a listener.No
matchEnvoyConfigObjectMatchMatch on listener/route configuration/cluster.No
patchPatchThe patch to apply along with the operation.No

EnvoyFilter.Filter.FilterType

NameDescription
INVALIDplaceholder
HTTPHttp filter
NETWORKNetwork filter

EnvoyFilter.InsertPosition.Index

Index/position in the filter chain.

NameDescription
FIRSTInsert first
LASTInsert last
BEFOREInsert before the named filter.
AFTERInsert after the named filter.

EnvoyFilter.ListenerMatch

Conditions specified in a listener match must be met for thepatch to be applied to a specific listener across all filterchains, or a specific filter chain inside the listener.

FieldTypeDescriptionRequired
portNumberuint32The service port/gateway port to which traffic is beingsent/received. If not specified, matches all listeners. Even thoughinbound listeners are generated for the instance/pod ports, onlyservice ports should be used to match listeners.No
filterChainFilterChainMatchMatch a specific filter chain in a listener. If specified, thepatch will be applied to the filter chain (and a specificfilter if specified) and not to other filter chains in thelistener.No
namestringMatch a specific listener by its name. The listeners generatedby Pilot are typically named as IP:Port.No

EnvoyFilter.ListenerMatch.FilterChainMatch

For listeners with multiple filter chains (e.g., inboundlisteners on sidecars with permissive mTLS, gateway listenerswith multiple SNI matches), the filter chain match can be usedto select a specific filter chain to patch.

FieldTypeDescriptionRequired
namestringThe name assigned to the filter chain.No
snistringThe SNI value used by a filter chain’s match condition. Thiscondition will evaluate to false if the filter chain has nosni match.No
transportProtocolstringApplies only to SIDECAR_INBOUND context. If non-empty, atransport protocol to consider when determining a filterchain match. This value will be compared against thetransport protocol of a new connection, when it’s detected bythe tls_inspector listener filter.Accepted values include:- raw_buffer - default, used when no transport protocol is detected.- tls - set when TLS protocol is detected by the TLS inspector.No
applicationProtocolsstringApplies only to sidecars. If non-empty, a comma separated setof application protocols to consider when determining afilter chain match. This value will be compared against theapplication protocols of a new connection, when it’s detectedby one of the listener filters such as the http_inspector.Accepted values include: h2,http/1.1,http/1.0No
filterFilterMatchThe name of a specific filter to apply the patch to. Set thisto envoy.http_connection_manager to add a filter or apply apatch to the HTTP connection manager.No

EnvoyFilter.ListenerMatch.FilterMatch

Conditions to match a specific filter within a filter chain.

FieldTypeDescriptionRequired
namestringThe filter name to match on.No
subFilterSubFilterMatchThe next level filter within this filter to matchupon. Typically used for HTTP Connection Manager filters andThrift filters.No

EnvoyFilter.ListenerMatch.SubFilterMatch

Conditions to match a specific filter within anotherfilter. This field is typically useful to match a HTTP filterinside the envoy.http_connection_manager network filter. Thiscould also be applicable for thrift filters.

FieldTypeDescriptionRequired
namestringThe filter name to match on.No

EnvoyFilter.Patch

Patch specifies how the selected object should be modified.

FieldTypeDescriptionRequired
operationOperationDetermines how the patch should be applied.No
valueStructThe JSON config of the object being patched. This will be merged usingjson merge semantics with the existing proto in the path.No

EnvoyFilter.Patch.Operation

Operation denotes how the patch should be applied to the selectedconfiguration.

NameDescription
INVALID
MERGEMerge the provided config with the generated config usingjson merge semantics.
ADDAdd the provided config to an existing list (of listeners,clusters, virtual hosts, network filters, or httpfilters). This operation will be ignored when applyTo is setto ROUTE_CONFIGURATION, or HTTP_ROUTE.
REMOVERemove the selected object from the list (of listeners,clusters, virtual hosts, network filters, or httpfilters). Does not require a value to be specified. Thisoperation will be ignored when applyTo is set toROUTE_CONFIGURATION, or HTTP_ROUTE.
INSERT_BEFOREInsert operation on an array of named objects. This operationis typically useful only in the context of filters, where theorder of filters matter. For clusters and virtual hosts,order of the element in the array does not matter. Insertbefore the selected filter or sub filter. If no filter isselected, the specified filter will be inserted at the frontof the list.
INSERT_AFTERInsert operation on an array of named objects. This operationis typically useful only in the context of filters, where theorder of filters matter. For clusters and virtual hosts,order of the element in the array does not matter. Insertafter the selected filter or sub filter. If no filter isselected, the specified filter will be inserted at the endof the list.

EnvoyFilter.PatchContext

PatchContext selects a class of configurations based on thetraffic flow direction and workload type.

NameDescription
ANYAll listeners/routes/clusters in both sidecars and gateways.
SIDECAR_INBOUNDInbound listener/route/cluster in sidecar.
SIDECAR_OUTBOUNDOutbound listener/route/cluster in sidecar.
GATEWAYGateway listener/route/cluster.

EnvoyFilter.ProxyMatch

One or more properties of the proxy to match on.

FieldTypeDescriptionRequired
proxyVersionstringA regular expression in golang regex format (RE2) that can beused to select proxies using a specific version of istioproxy. The Istio version for a given proxy is obtained from thenode metadata field ISTIO_VERSION supplied by the proxy whenconnecting to Pilot. This value is embedded as an environmentvariable (ISTIO_META_ISTIO_VERSION) in the Istio proxy dockerimage. Custom proxy implementations should provide this metadatavariable to take advantage of the Istio version check option.No
metadatamap<string, string>Match on the node metadata supplied by a proxy when connectingto Istio Pilot. Note that while Envoy’s node metadata is oftype Struct, only string key-value pairs are processed byPilot. All keys specified in the metadata must match with exactvalues. The match will fail if any of the specified keys areabsent or the values fail to match.No

EnvoyFilter.RouteConfigurationMatch

Conditions specified in RouteConfigurationMatch must be met forthe patch to be applied to a route configuration object or aspecific virtual host within the route configuration.

FieldTypeDescriptionRequired
portNumberuint32The service port number or gateway server port number for whichthis route configuration was generated. If omitted, applies toroute configurations for all ports.No
portNamestringApplicable only for GATEWAY context. The gateway server portname for which this route configuration was generated.No
gatewaystringThe Istio gateway config’s namespace/name for which this routeconfiguration was generated. Applies only if the context isGATEWAY. Should be in the namespace/name format. Use this fieldin conjunction with the portNumber and portName to accuratelyselect the Envoy route configuration for a specific HTTPSserver within a gateway config object.No
vhostVirtualHostMatchMatch a specific virtual host in a route configuration andapply the patch to the virtual host.No
namestringRoute configuration name to match on. Can be used to match aspecific route configuration by name, such as the internallygenerated “http_proxy” route configuration for all sidecars.No

EnvoyFilter.RouteConfigurationMatch.RouteMatch

Match a specific route inside a virtual host in a route configuration.

FieldTypeDescriptionRequired
namestringThe Route objects generated by default are named as“default”. Route objects generated using a virtual servicewill carry the name used in the virtual service’s HTTProutes.No
actionActionMatch a route with specific action type.No

EnvoyFilter.RouteConfigurationMatch.RouteMatch.Action

Action refers to the route action taken by Envoy when a http route matches.

NameDescription
ANYAll three route actions
ROUTERoute traffic to a cluster / weighted clusters.
REDIRECTRedirect request.
DIRECT_RESPONSEdirectly respond to a request with specific payload.

EnvoyFilter.RouteConfigurationMatch.VirtualHostMatch

Match a specific virtual host inside a route configuration.

FieldTypeDescriptionRequired
namestringThe VirtualHosts objects generated by Istio are named ashost:port, where the host typically corresponds to theVirtualService’s host field or the hostname of a service in theregistry.No
routeRouteMatchMatch a specific route within the virtual host.No