EnvoyFilterUsesRelativeOperationWithProxyVersion
當 EnvoyFilter 沒有設定優先權,且使用了相對的修補操作 (INSERT_BEFORE/AFTER、REPLACE、MERGE、DELETE) 以及設定了 proxyVersion 時,會出現此訊息,這可能會導致 EnvoyFilter 在升級期間無法被套用。使用 INSERT_FIRST 或 ADD 選項,或是設定優先權可能會有助於確保 EnvoyFilter 被正確套用。 proxyVersion 令人擔憂的原因在於,升級後 proxyVersion 很可能會改變,而其套用的順序也會和之前不同。
範例
考慮一個使用 REPLACE 修補操作,並同時使用了 proxyVersion 的 EnvoyFilter。
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: test-replace-3
namespace: bookinfo
spec:
workloadSelector:
labels:
app: reviews4
configPatches:
# The first patch adds the Lua filter to the listener/http connection manager
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: REPLACE
value: # Lua filter specification
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
"lua_cluster",
{
[":method"] = "POST",
[":path"] = "/acl",
[":authority"] = "internal.org.net"
},
"authorize call",
1000)
end
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: test-replace-4
namespace: bookinfo
spec:
workloadSelector:
labels:
app: reviews4
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
patch:
operation: REPLACE
value: #Lua filter specification
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
"lua_cluster",
{
[":method"] = "POST",
[":path"] = "/acl",
[":authority"] = "internal.org.net"
},
"authorize call",
5000)
end
如何解決
因為使用了 REPLACE 的相對操作,並同時使用了 proxyVersion,加入 priority 屬性將能解決這個問題。
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: test-replace-3
namespace: bookinfo
spec:
workloadSelector:
labels:
app: reviews4
priority: 10
configPatches:
# The first patch adds the Lua filter to the listener/http connection manager
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: REPLACE
value: # Lua filter specification
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
"lua_cluster",
{
[":method"] = "POST",
[":path"] = "/acl",
[":authority"] = "internal.org.net"
},
"authorize call",
1000)
end
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: test-replace-4
namespace: bookinfo
spec:
workloadSelector:
labels:
app: reviews4
priority: 20
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
patch:
operation: REPLACE
value: #Lua filter specification
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
"lua_cluster",
{
[":method"] = "POST",
[":path"] = "/acl",
[":authority"] = "internal.org.net"
},
"authorize call",
5000)
end