Does the Envoy plugin support policies for non-HTTP protocols such as TCP? #3091
https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/network/ext_authz/v2/ext_authz.proto I have yet to try it, but this makes me think it should be using the same ext_authz API. What do you see if configuring envoy to call the plugin for network filters...?
I'm getting the following error message with quick_start.yaml.txt
I think it might be a version/URL error, but I'm not sure if my envoy config is correct.
✔️ Yes. Concretely, I've changed the ext auth service to be used as a network filter, instead of as an HTTP filter, in the gRPC example we've got in
diff --git a/examples/grpc/envoy.yaml b/examples/grpc/envoy.yaml
index f9a65289..f776a767 100644
--- a/examples/grpc/envoy.yaml
+++ b/examples/grpc/envoy.yaml
@@ -10,6 +10,14 @@ static_resources:
socket_address: { address: 0.0.0.0, port_value: 51051 }
filter_chains:
- filters:
+ - name: envoy.network_ext_authz
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
+ stat_prefix: network_ext_authz
+ transport_api_version: V3
+ grpc_service:
+ envoy_grpc:
+ cluster_name: opa-envoy
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
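Review bot: the added network filter block (`+ - name: envoy.network_ext_authz` through `cluster_name: opa-envoy`) carries no setting for what happens when the OPA gRPC service is unreachable, whereas the HTTP filter removed in the next hunk set `failure_mode_allow: false` explicitly. If the network `ExtAuthz` type accepts the same field, set `failure_mode_allow: false` here as well so the fail-closed intent stays visible in the config rather than relying on the default.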
@@ -24,18 +32,6 @@ static_resources:
- match: { prefix: "/" }
route: { cluster: testsrv, timeout: { seconds: 60 } }
http_filters:
- - name: envoy.ext_authz
- typed_config:
- '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
- transport_api_version: V3
- failure_mode_allow: false
- grpc_service:
- envoy_grpc:
- cluster_name: opa-envoy
- with_request_body:
- allow_partial_message: true
- max_request_bytes: 1024
- pack_as_bytes: true
- name: envoy.filters.http.router
clusters:
Running
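Review bot: deleting the whole `envoy.ext_authz` block under `http_filters` (including `with_request_body`, `allow_partial_message`, `max_request_bytes` and `pack_as_bytes`) means OPA no longer receives HTTP-level attributes or the request body for this listener; the network filter added in the first hunk only supplies connection-level data. If the goal is to add TCP authorization rather than replace HTTP authorization, keep both filters, and call out in the example that any policy reading HTTP attributes must remain behind the HTTP filter.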
☝️ This makes sense because I haven't adjusted the
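With the ext_authz service wired in as a network filter, the check request OPA evaluates carries only connection-level attributes (peer and local socket addresses), not HTTP paths, headers or a body. The policy below is an added example, not code from the opa-envoy project or from anyone in this thread; it assumes the plugin exposes the network filter's CheckRequest as `input.attributes.source` / `input.attributes.destination` with `socketAddress.address` and `socketAddress.portValue` fields, and uses the listener port 51051 from the diff above. The CIDR allow-list is a constructed placeholder.

```rego
package envoy.authz

import future.keywords.if
import future.keywords.in

# Added example, not part of the issue thread or the opa-envoy project.
# Assumption: a TCP-level check request arrives with connection
# attributes only; input.attributes.request.http is absent, so a rule
# that reads it would simply be undefined for network-filter checks.

default allow := false

# Constructed allow-list of client networks (placeholder values).
trusted_client_cidrs := {"10.0.0.0/8", "192.168.0.0/16"}

# Destination port of the example listener in the thread (51051).
protected_port := 51051

allow if {
	dst := input.attributes.destination.address.socketAddress
	dst.portValue == protected_port
	src := input.attributes.source.address.socketAddress
	some cidr in trusted_client_cidrs
	net.cidr_contains(cidr, src.address)
}

# Unit tests with constructed check-request inputs (run with `opa test`).
test_allows_trusted_source if {
	allow with input as {"attributes": {
		"source": {"address": {"socketAddress": {"address": "10.1.2.3", "portValue": 40000}}},
		"destination": {"address": {"socketAddress": {"address": "0.0.0.0", "portValue": 51051}}},
	}}
}

test_denies_untrusted_source if {
	not allow with input as {"attributes": {
		"source": {"address": {"socketAddress": {"address": "203.0.113.9", "portValue": 40000}}},
		"destination": {"address": {"socketAddress": {"address": "0.0.0.0", "portValue": 51051}}},
	}}
}

test_denies_other_port if {
	not allow with input as {"attributes": {
		"source": {"address": {"socketAddress": {"address": "10.1.2.3", "portValue": 40000}}},
		"destination": {"address": {"socketAddress": {"address": "0.0.0.0", "portValue": 8080}}},
	}}
}
```

Because `default allow := false` is set and the rule only matches on source network and destination port, an OPA outage or a malformed check request falls through to deny; the tests pin both the allow path and the two deny paths so a later edit to the CIDR list or port is caught before deployment.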
Thank you! I'm trying to adapt the Quick Start example with this, but I haven't quite managed. I'm trying to do it on Kubernetes (instead of docker-compose), so I will try again later maybe with the Istio example. My issue was the following in the envoy proxy logs:
I tried using the ENVOY_UID environment variable for the envoy container, but that broke the opa-envoy container.
Please refer to envoy's support with this... they've got an active Slack channel, too.
@DR0ZZA Are you following the envoy tutorial from the docs page? I'm updating that as I write this, for #3101, and I'm facing the same problem. I'll let you know how it's resolved when I get there.
@DR0ZZA I'm still on it, but I think this might be promising: https://gist.github.com/srenatus/fe899c6b12f36c3e04df92fe394184e2#file-deployment-yaml-L37-L49 Note that securityContext.runAsUser is removed, and the env var is added. Opening a shell inside the running container reveals that the uid of the envoy user (running envoy) ends up as 1111 that way ✔️
I'll close this one. Please re-open, or add a new issue, if this hasn't been resolved for you.
If this is possible, I was wondering how I'm able to configure this for the Quick Start example?
Many thanks in advance