Istio Integrations

Updated on 04 Dec 2024
1 Minute to read

Print
Dark
Light
PDF

Article summary

Did you find this summary helpful?

Thank you for your feedback

Istio Service Mesh Integration

Configure Istio to authorize inbound requests via PlainID Authorizer.

The following example (found in filter.yaml) enables traffic and external authorization on appropriate ports
in the default namespace:

kind: List
apiVersion: v1
items:
  - apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      name: demo-filter
      namespace: default
    spec:
      configPatches:
        - applyTo: HTTP_FILTER
          match:
            context: SIDECAR_INBOUND
            listener:
              filterChain:
                filter:
                  name: envoy.filters.network.http_connection_manager
                  subFilter:
                    name: envoy.filters.http.router
              portNumber: 7000
          patch:
            operation: INSERT_BEFORE
            value:
              name: envoy.ext_authz
              typed_config:
                '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                failure_mode_allow: false
                grpc_service:
                  google_grpc:
                    stat_prefix: ext_authz
                    target_uri: 127.0.0.1:50051
                  timeout: 2s
                transport_api_version: V3
                with_request_body:
                  allow_partial_message: true
                  max_request_bytes: 1024
                  pack_as_bytes: true

Parameter	Details
`spec.configPatches.match.listener.portNumber`	The port number of the Microservice which handles requests where the Istio `VirtualService` is pointed to
`spec.configPatches.patch.value.typed_config.grpc_service.google_grpc.target_uri`	The address of the PlainID Authorizer (refers to `PlainidSidecar`'s `spec.sidecarConfig.grpc.listener` address)

Was this article helpful?

What's Next

Upgrade Instructions

Table of contents