Envoy Filter

EnvoyFilter

EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot.

FieldTypeDescriptionRequired
workloadSelectorWorkloadSelector

Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. If omitted, the set of patches in this configuration will be applied to all workload instances in the same namespace. If omitted, the EnvoyFilter patches will be applied to all workloads in the same namespace. If the EnvoyFilter is present in the config root namespace, it will be applied to all applicable workloads in any namespace.

No
configPatchesEnvoyConfigObjectPatch[]

One or more patches with match conditions.

Yes

EnvoyFilter.ProxyMatch

One or more properties of the proxy to match on.

FieldTypeDescriptionRequired
proxyVersionstring

A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. The Istio version for a given proxy is obtained from the node metadata field ISTIOVERSION supplied by the proxy when connecting to Pilot. This value is embedded as an environment variable (ISTIOMETAISTIOVERSION) in the Istio proxy docker image. Custom proxy implementations should provide this metadata variable to take advantage of the Istio version check option.

No
metadatamap<string, string>

Match on the node metadata supplied by a proxy when connecting to Istio Pilot. Note that while Envoy’s node metadata is of type Struct, only string key-value pairs are processed by Pilot. All keys specified in the metadata must match with exact values. The match will fail if any of the specified keys are absent or the values fail to match.

No

EnvoyFilter.ClusterMatch

Conditions specified in ClusterMatch must be met for the patch to be applied to a cluster.

FieldTypeDescriptionRequired
portNumberuint32

The service port for which this cluster was generated. If omitted, applies to clusters for any port.

No
servicestring

The fully qualified service name for this cluster. If omitted, applies to clusters for any service. For services defined through service entries, the service name is same as the hosts defined in the service entry.

No
subsetstring

The subset associated with the service. If omitted, applies to clusters for any subset of a service.

No
namestring

The exact name of the cluster to match. To match a specific cluster by name, such as the internally generated “Passthrough” cluster, leave all fields in clusterMatch empty, except the name.

No

EnvoyFilter.RouteConfigurationMatch

Conditions specified in RouteConfigurationMatch must be met for the patch to be applied to a route configuration object or a specific virtual host within the route configuration.

FieldTypeDescriptionRequired
portNumberuint32

The service port number or gateway server port number for which this route configuration was generated. If omitted, applies to route configurations for all ports.

No
portNamestring

Applicable only for GATEWAY context. The gateway server port name for which this route configuration was generated.

No
gatewaystring

The Istio gateway config’s namespace/name for which this route configuration was generated. Applies only if the context is GATEWAY. Should be in the namespace/name format. Use this field in conjunction with the portNumber and portName to accurately select the Envoy route configuration for a specific HTTPS server within a gateway config object.

No
vhostVirtualHostMatch

Match a specific virtual host in a route configuration and apply the patch to the virtual host.

No
namestring

Route configuration name to match on. Can be used to match a specific route configuration by name, such as the internally generated “http_proxy” route configuration for all sidecars.

No

EnvoyFilter.ListenerMatch

Conditions specified in a listener match must be met for the patch to be applied to a specific listener across all filter chains, or a specific filter chain inside the listener.

FieldTypeDescriptionRequired
portNumberuint32

The service port/gateway port to which traffic is being sent/received. If not specified, matches all listeners. Even though inbound listeners are generated for the instance/pod ports, only service ports should be used to match listeners.

No
filterChainFilterChainMatch

Match a specific filter chain in a listener. If specified, the patch will be applied to the filter chain (and a specific filter if specified) and not to other filter chains in the listener.

No
namestring

Match a specific listener by its name. The listeners generated by Pilot are typically named as IP:Port.

No

EnvoyFilter.Patch

Patch specifies how the selected object should be modified.

FieldTypeDescriptionRequired
operationOperation

Determines how the patch should be applied.

No
valueStruct

The JSON config of the object being patched. This will be merged using proto merge semantics with the existing proto in the path.

No
filterClassFilterClass

Determines the filter insertion order.

No

EnvoyFilter.EnvoyConfigObjectMatch

One or more match conditions to be met before a patch is applied to the generated configuration for a given proxy.

FieldTypeDescriptionRequired
contextPatchContext

The specific config generation context to match on. Istio Pilot generates envoy configuration in the context of a gateway, inbound traffic to sidecar and outbound traffic from sidecar.

No
proxyProxyMatch

Match on properties associated with a proxy.

No
listenerListenerMatch (oneof)

Match on envoy listener attributes.

No
routeConfigurationRouteConfigurationMatch (oneof)

Match on envoy HTTP route configuration attributes.

No
clusterClusterMatch (oneof)

Match on envoy cluster attributes.

No

EnvoyFilter.EnvoyConfigObjectPatch

Changes to be made to various envoy config objects.

FieldTypeDescriptionRequired
applyToApplyTo

Specifies where in the Envoy configuration, the patch should be applied. The match is expected to select the appropriate object based on applyTo. For example, an applyTo with HTTPFILTER is expected to have a match condition on the listeners, with a network filter selection on envoy.filters.network.httpconnection_manager and a sub filter selection on the HTTP filter relative to which the insertion should be performed. Similarly, an applyTo on CLUSTER should have a match (if provided) on the cluster and not on a listener.

No
matchEnvoyConfigObjectMatch

Match on listener/route configuration/cluster.

No
patchPatch

The patch to apply along with the operation.

No

EnvoyFilter.RouteConfigurationMatch.RouteMatch

Match a specific route inside a virtual host in a route configuration.

FieldTypeDescriptionRequired
namestring

The Route objects generated by default are named as “default”. Route objects generated using a virtual service will carry the name used in the virtual service’s HTTP routes.

No
actionAction

Match a route with specific action type.

No

EnvoyFilter.RouteConfigurationMatch.VirtualHostMatch

Match a specific virtual host inside a route configuration.

FieldTypeDescriptionRequired
namestring

The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService’s host field or the hostname of a service in the registry.

No
routeRouteMatch

Match a specific route within the virtual host.

No

EnvoyFilter.ListenerMatch.FilterChainMatch

For listeners with multiple filter chains (e.g., inbound listeners on sidecars with permissive mTLS, gateway listeners with multiple SNI matches), the filter chain match can be used to select a specific filter chain to patch.

FieldTypeDescriptionRequired
namestring

The name assigned to the filter chain.

No
snistring

The SNI value used by a filter chain’s match condition. This condition will evaluate to false if the filter chain has no sni match.

No
transportProtocolstring

Applies only to SIDECARINBOUND context. If non-empty, a transport protocol to consider when determining a filter chain match. This value will be compared against the transport protocol of a new connection, when it’s detected by the tlsinspector listener filter.

Accepted values include:

  • raw_buffer - default, used when no transport protocol is detected.
  • tls - set when TLS protocol is detected by the TLS inspector.
No
applicationProtocolsstring

Applies only to sidecars. If non-empty, a comma separated set of application protocols to consider when determining a filter chain match. This value will be compared against the application protocols of a new connection, when it’s detected by one of the listener filters such as the http_inspector.

Accepted values include: h2,http/1.1,http/1.0

No
filterFilterMatch

The name of a specific filter to apply the patch to. Set this to envoy.filters.network.httpconnectionmanager to add a filter or apply a patch to the HTTP connection manager.

No

EnvoyFilter.ListenerMatch.FilterMatch

Conditions to match a specific filter within a filter chain.

FieldTypeDescriptionRequired
namestring

The filter name to match on. For standard Envoy filters, canonical filter names should be used. Refer to https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.14.0#deprecated for canonical names.

No
subFilterSubFilterMatch

The next level filter within this filter to match upon. Typically used for HTTP Connection Manager filters and Thrift filters.

No

EnvoyFilter.ListenerMatch.SubFilterMatch

Conditions to match a specific filter within another filter. This field is typically useful to match a HTTP filter inside the envoy.filters.network.httpconnectionmanager network filter. This could also be applicable for thrift filters.

FieldTypeDescriptionRequired
namestring

The filter name to match on.

No

EnvoyFilter.RouteConfigurationMatch.RouteMatch.Action

Action refers to the route action taken by Envoy when a http route matches.

NameDescription
ANY

All three route actions

ROUTE

Route traffic to a cluster / weighted clusters.

REDIRECT

Redirect request.

DIRECT_RESPONSE

directly respond to a request with specific payload.

EnvoyFilter.Patch.Operation

Operation denotes how the patch should be applied to the selected configuration.

NameDescription
INVALID
MERGE

Merge the provided config with the generated config using proto merge semantics. If you are specifying config in its entirity, use REPLACE instead.

ADD

Add the provided config to an existing list (of listeners, clusters, virtual hosts, network filters, or http filters). This operation will be ignored when applyTo is set to ROUTECONFIGURATION, or HTTPROUTE.

REMOVE

Remove the selected object from the list (of listeners, clusters, virtual hosts, network filters, or http filters). Does not require a value to be specified. This operation will be ignored when applyTo is set to ROUTECONFIGURATION, or HTTPROUTE.

INSERT_BEFORE

Insert operation on an array of named objects. This operation is typically useful only in the context of filters, where the order of filters matter. For clusters and virtual hosts, order of the element in the array does not matter. Insert before the selected filter or sub filter. If no filter is selected, the specified filter will be inserted at the front of the list.

INSERT_AFTER

Insert operation on an array of named objects. This operation is typically useful only in the context of filters, where the order of filters matter. For clusters and virtual hosts, order of the element in the array does not matter. Insert after the selected filter or sub filter. If no filter is selected, the specified filter will be inserted at the end of the list.

INSERT_FIRST

Insert operation on an array of named objects. This operation is typically useful only in the context of filters, where the order of filters matter. For clusters and virtual hosts, order of the element in the array does not matter. Insert first in the list based on the presence of selected filter or not. This is specifically useful when you want your filter first in the list based on a match condition specified in Match clause.

REPLACE

Replace contents of a named filter with new contents. REPLACE operation is only valid for HTTPFILTER and NETWORKFILTER. If the named filter is not found, this operation has no effect.

EnvoyFilter.Patch.FilterClass

FilterClass determines the filter insertion point in the filter chain relative to the filters implicitly inserted by the control plane. It is used in conjuction with the ADD operation. This is the preferred insertion mechanism for adding filters over the INSERT_* operations since those operations rely on potentially unstable filter names. Filter ordering is important if your filter depends on or affects the functioning of a another filter in the filter chain. Within a filter class, filters are inserted in the order of processing.

NameDescription
UNSPECIFIED

Control plane decides where to insert the filter. Do not specify FilterClass if the filter is independent of others.

AUTHN

Insert filter after Istio authentication filters.

AUTHZ

Insert filter after Istio authorization filters.

STATS

Insert filter before Istio stats filters.

EnvoyFilter.ApplyTo

ApplyTo specifies where in the Envoy configuration, the given patch should be applied.

NameDescription
INVALID
LISTENER

Applies the patch to the listener.

FILTER_CHAIN

Applies the patch to the filter chain.

NETWORK_FILTER

Applies the patch to the network filter chain, to modify an existing filter or add a new filter.

HTTP_FILTER

Applies the patch to the HTTP filter chain in the http connection manager, to modify an existing filter or add a new filter.

ROUTE_CONFIGURATION

Applies the patch to the Route configuration (rds output) inside a HTTP connection manager. This does not apply to the virtual host. Currently, only MERGE operation is allowed on the route configuration objects.

VIRTUAL_HOST

Applies the patch to a virtual host inside a route configuration.

HTTP_ROUTE

Applies the patch to a route object inside the matched virtual host in a route configuration. Currently, only MERGE operation is allowed on the route objects.

CLUSTER

Applies the patch to a cluster in a CDS output. Also used to add new clusters.

EnvoyFilter.PatchContext

PatchContext selects a class of configurations based on the traffic flow direction and workload type.

NameDescription
ANY

All listeners/routes/clusters in both sidecars and gateways.

SIDECAR_INBOUND

Inbound listener/route/cluster in sidecar.

SIDECAR_OUTBOUND

Outbound listener/route/cluster in sidecar.

GATEWAY

Gateway listener/route/cluster.

Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!