-
Notifications
You must be signed in to change notification settings - Fork 7.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EnvoyFilter not matching on other EnvoyFilter with lower priority #41536
Comments
I think this is expected, because when istio applies the second patch, it couldn't match the filterchain as the low priority patch is not applied yet |
@hzxuzhonghu thanks for the reply, I'm working with @breuerfelix on this. We read in the docs:
So our assumption was that a lower priority EnvoyFilter is applied first, and then our second, higher priority EnvoyFilter is applied after. Funny enough, we also tried it the other way around, too (because we didn't have any other ideas). That also didn't work. So the problem remains, unfortunately. |
Thanks, IC. Different type of patches do not respect the priority value here. https://github.com/istio/istio/blob/master/pilot/pkg/networking/core/v1alpha3/envoyfilter/listener_patch.go#L132-L168 |
@hzxuzhonghu thanks for investigating on how the patches apply. Now it is clear why our patch won't apply. I would assume that ALL filters are first sorted by priority and than all patches on the same priority are sorted by the algorithm you explained (patchFilterChains -> patchFilterChain(-->patchNetworkFilters) -> filterChain add). That way, the user has the ability to fine tune when which filter gets merged :) /edit |
I do have the same kind of feeling for the last point |
I think it makes sense to add filter chains first before we process patches that apply to filter chains. I think that should solve this case? |
That should solve issue, but i would suggest solving it on a different basis. The priority doesn't really makes sense to me, if you have a "hidden" priority which beats the priority from the customer. |
/not stale |
/not stale |
Not stale. This is still needed. |
hello @ramaraochavali , do you have any fix ideas? Apply strictly according to the priority specified by |
IMO, should first should by priority. Then for each set of patches of same priority, patch like what we do currently |
I agree. This is what I am thinking. Honour priority fully/ |
Appreciate anyone willing to take it |
Behavior-breaking changes seem to be difficult to be backwards compatible. Do we need to consider backwards compatibility? |
Yes, but we can have a feature env |
We cannot just add a feature env if there is no path off if it; It adds to
the problem, not lessens it. So if we do please propose a path to removing
it. (I will also follow up to make this an official policy)
…On Sat, Oct 7, 2023, 10:50 PM Zhonghu Xu ***@***.***> wrote:
Yes, but we can have a feature env
—
Reply to this email directly, view it on GitHub
<#41536 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXKS2P7HKBW7KY6LN3TX6IPH3AVCNFSM6AAAAAARJ4NPFWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONJRHEYTAOJQG4>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
/not stale |
Since Envoy filters is a break glass API, if we decide to make this change, we can introduce a feature flag that can be removed in couple of releases to give time for people to adjust their filters? My guess is not many customers should be impacted |
Bug Description
We have a TCP Listener
0.0.0.0_8443
with a simple TCP Proxy as the default filter_chain.The following EnvoyFilter creates a new filter_chain on the Listener that matches a certain address_prefix and proxies to a different location:
We add another EnvoyFilter that has a higher priority and should add an rbac rule into the filter_chain created by the first EnvoyFilter.
However, the second EnvoyFilter is never applied in the resulting Envoy config.
We tried matching by destinationPort, filterchain name and also by specifying the networkfilter name (envoy.filters.network.tcp_proxy) without success.
See the resulting envoy config in the additional informations.
Version
Additional Information
This is the resulting filter_chain from the envoy config_dump:
This setup is inside the gardener/gardener environment.
The first EnvoyFilter is created by another part of the system which we do not have control over.
Our current workaround is to write a mutating Webhook which mutates the first Envoyfilter in order to add the rbac rules. The ability to just add the second EnvoyFilter which mutates the filter_chain would simplify our setup a lot.
The text was updated successfully, but these errors were encountered: