Istio Service Mesh Integration
Configure Istio to authorize inbound requests via PlainID Authorizer.
The following example (found in filter.yaml) enables traffic and external authorization on the appropriate ports in the default namespace:
```yaml
kind: List
apiVersion: v1
items:
  - apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      name: demo-filter
      namespace: default
    spec:
      configPatches:
        - applyTo: HTTP_FILTER
          match:
            context: SIDECAR_INBOUND
            listener:
              filterChain:
                filter:
                  name: envoy.filters.network.http_connection_manager
                  subFilter:
                    name: envoy.filters.http.router
              portNumber: 7000
          patch:
            operation: INSERT_BEFORE
            value:
              name: envoy.ext_authz
              typed_config:
                '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                failure_mode_allow: false
                grpc_service:
                  google_grpc:
                    stat_prefix: ext_authz
                    target_uri: 127.0.0.1:50051
                  timeout: 2s
                transport_api_version: V3
                with_request_body:
                  allow_partial_message: true
                  max_request_bytes: 1024
                  pack_as_bytes: true
```
Parameter | Details |
---|---|
spec.configPatches.match.listener.portNumber | The port number of the microservice that handles the requests the Istio VirtualService points to |
spec.configPatches.patch.value.typed_config.grpc_service.google_grpc.target_uri | The address of the PlainID Authorizer (refers to the PlainidSidecar's spec.sidecarConfig.grpc.listener address) |