Wasm Plugin

WasmPlugin

WasmPlugins provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters.

FieldTypeDescriptionRequired
selectorWorkloadSelector

Criteria used to select the specific set of pods/VMs on which this plugin configuration should be applied. If omitted, this configuration will be applied to all workload instances in the same namespace. If the WasmPlugin is present in the config root namespace, it will be applied to all applicable workloads in any namespace.

No
urlstring

URL of a Wasm module or OCI container. If no scheme is present, defaults to oci://, referencing an OCI image. Other valid schemes are file:// for referencing .wasm module files present locally within the proxy container, and http[s]:// for .wasm module files hosted remotely.

No
sha256string

SHA256 checksum that will be used to verify Wasm module or OCI container. If the url field already references a SHA256 (using the @sha256: notation), it must match the value of this field. If an OCI image is referenced by tag and this field is set, its checksum will be verified against the contents of this field after pulling.

No
imagePullPolicyPullPolicy

The pull behaviour to be applied when fetching an OCI image. Only relevant when images are referenced by tag instead of SHA. Defaults to IfNotPresent, except when an OCI image is referenced in the url and the latest tag is used, in which case Always is the default, mirroring K8s behaviour. Setting is ignored if url field is referencing a Wasm module directly using file:// or http[s]://

No
imagePullSecretstring

Credentials to use for OCI image pulling. Name of a K8s Secret in the same namespace as the WasmPlugin that contains a docker pull secret which is to be used to authenticate against the registry when pulling the image.

No
verificationKeystring

Public key that will be used to verify signatures of signed OCI images or Wasm modules. Must be supplied in PEM format.

No
pluginConfigStruct

The configuration that will be passed on to the plugin.

No
pluginNamestring

The plugin name to be used in the Envoy configuration (used to be called rootID). Some .wasm modules might require this value to select the Wasm plugin to execute.

No
phasePluginPhase

Determines where in the filter chain this WasmPlugin is to be injected.

No
priorityInt64Value

Determines ordering of WasmPlugins in the same phase. When multiple WasmPlugins are applied to the same workload in the same phase, they will be applied by priority, in descending order. If priority is not set, or two WasmPlugins exist with the same value, the ordering will be deterministically derived from name and namespace of the WasmPlugins. Defaults to 0.

No

PluginPhase

The phase in the filter chain where the plugin will be injected.

NameDescription
UNSPECIFIED_PHASE

Control plane decides where to insert the plugin. This will generally be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others.

AUTHN

Insert plugin before Istio authentication filters.

AUTHZ

Insert plugin before Istio authorization filters and after Istio authentication filters.

STATS

Insert plugin before Istio stats filters and after Istio authorization filters.

PullPolicy

The pull behaviour to be applied when fetching an OCI image, mirroring K8s behaviour.

buf:lint:ignore ENUMVALUEUPPERSNAKECASE

NameDescription
UNSPECIFIED_POLICY

Defaults to IfNotPresent, except for OCI images with tag latest, for which the default will be Always.

IfNotPresent

If an existing version of the image has been pulled before, that will be used. If no version of the image is present locally, we will pull the latest version.

Always

We will always pull the latest version of an image when applying this plugin.

Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!