EnvoyFilterUsesRelativeOperationWithProxyVersion

Message NameEnvoyFilterUsesRelativeOperationWithProxyVersion
Message CodeIST0155
DescriptionThis EnvoyFilter does not have a priority and has a relative patch operation (NSTERT_BEFORE/AFTER, REPLACE, MERGE, DELETE) and proxyVersion set which can cause the EnvoyFilter not to be applied during an upgrade. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.
LevelWarning

This message occurs when an EnvoyFilter does not have a priority and uses a relative patch operation (INSERT_BEFORE/AFTER, REPLACE, MERGE, DELETE) and proxyVersion set which can cause the EnvoyFilter not to be applied during an upgrade. Using the INSERT_FIRST or ADD option or setting the priority may help in ensuring the EnvoyFilter is applied correctly.” The reason for concern with the proxyVersion is that after an upgrade the proxyVersion would likely have changed and the order it is applied would now be different than before.

An example

Consider an EnvoyFilter with the patch operation of REPLACE with the use of proxyVersion:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: EnvoyFilter
  3. metadata:
  4. name: test-replace-3
  5. namespace: bookinfo
  6. spec:
  7. workloadSelector:
  8. labels:
  9. app: reviews4
  10. configPatches:
  11. # The first patch adds the Lua filter to the listener/http connection manager
  12. - applyTo: HTTP_FILTER
  13. match:
  14. context: SIDECAR_OUTBOUND
  15. proxy:
  16. proxyVersion: '^1\.11.*'
  17. listener:
  18. portNumber: 8080
  19. filterChain:
  20. filter:
  21. name: "envoy.filters.network.http_connection_manager"
  22. subFilter:
  23. name: "envoy.filters.http.router"
  24. patch:
  25. operation: REPLACE
  26. value: # Lua filter specification
  27. name: envoy.lua
  28. typed_config:
  29. "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
  30. inlineCode: |
  31. function envoy_on_request(request_handle)
  32. -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
  33. local headers, body = request_handle:httpCall(
  34. "lua_cluster",
  35. {
  36. [":method"] = "POST",
  37. [":path"] = "/acl",
  38. [":authority"] = "internal.org.net"
  39. },
  40. "authorize call",
  41. 1000)
  42. end
  43. apiVersion: networking.istio.io/v1alpha3
  44. kind: EnvoyFilter
  45. metadata:
  46. name: test-replace-4
  47. namespace: bookinfo
  48. spec:
  49. workloadSelector:
  50. labels:
  51. app: reviews4
  52. configPatches:
  53. - applyTo: HTTP_FILTER
  54. match:
  55. context: SIDECAR_OUTBOUND
  56. patch:
  57. operation: REPLACE
  58. value: #Lua filter specification
  59. name: envoy.lua
  60. typed_config:
  61. "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
  62. inlineCode: |
  63. function envoy_on_request(request_handle)
  64. -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
  65. local headers, body = request_handle:httpCall(
  66. "lua_cluster",
  67. {
  68. [":method"] = "POST",
  69. [":path"] = "/acl",
  70. [":authority"] = "internal.org.net"
  71. },
  72. "authorize call",
  73. 5000)
  74. end

How to resolve

Because the relative operation of REPLACE was used along with the proxyVersion, adding a priority would resolve the issue:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: EnvoyFilter
  3. metadata:
  4. name: test-replace-3
  5. namespace: bookinfo
  6. spec:
  7. workloadSelector:
  8. labels:
  9. app: reviews4
  10. priority: 10
  11. configPatches:
  12. # The first patch adds the Lua filter to the listener/http connection manager
  13. - applyTo: HTTP_FILTER
  14. match:
  15. context: SIDECAR_OUTBOUND
  16. proxy:
  17. proxyVersion: '^1\.11.*'
  18. listener:
  19. portNumber: 8080
  20. filterChain:
  21. filter:
  22. name: "envoy.filters.network.http_connection_manager"
  23. subFilter:
  24. name: "envoy.filters.http.router"
  25. patch:
  26. operation: REPLACE
  27. value: # Lua filter specification
  28. name: envoy.lua
  29. typed_config:
  30. "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
  31. inlineCode: |
  32. function envoy_on_request(request_handle)
  33. -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
  34. local headers, body = request_handle:httpCall(
  35. "lua_cluster",
  36. {
  37. [":method"] = "POST",
  38. [":path"] = "/acl",
  39. [":authority"] = "internal.org.net"
  40. },
  41. "authorize call",
  42. 1000)
  43. end
  44. apiVersion: networking.istio.io/v1alpha3
  45. kind: EnvoyFilter
  46. metadata:
  47. name: test-replace-4
  48. namespace: bookinfo
  49. spec:
  50. workloadSelector:
  51. labels:
  52. app: reviews4
  53. priority: 20
  54. configPatches:
  55. - applyTo: HTTP_FILTER
  56. match:
  57. context: SIDECAR_OUTBOUND
  58. patch:
  59. operation: REPLACE
  60. value: #Lua filter specification
  61. name: envoy.lua
  62. typed_config:
  63. "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
  64. inlineCode: |
  65. function envoy_on_request(request_handle)
  66. -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
  67. local headers, body = request_handle:httpCall(
  68. "lua_cluster",
  69. {
  70. [":method"] = "POST",
  71. [":path"] = "/acl",
  72. [":authority"] = "internal.org.net"
  73. },
  74. "authorize call",
  75. 5000)
  76. end