Closed mabukhovsky closed 4 years ago
cc @zuercher I think you are using a newer build with the older docs, but I'm not sure.
If I start Envoy without a filter I can clearly see that's I'm using 1.13.0:
{
"configs": [
{
"@type": "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump",
"bootstrap": {
"node": {
"id": "9dc0633771a0",
"cluster": "s-envoy",
"metadata": {
"host": "9dc0633771a0",
"instance": "9dc0633771a0s-envoy",
"port": 10324,
"admin_port": 10327
},
"hidden_envoy_deprecated_build_version": "bb7ceff4c3c5bd4555dff28b6e56d27f2f8be0a7/1.13.0/Clean/RELEASE/BoringSSL",
"user_agent_name": "envoy",
"user_agent_build_version": {
"version": {
"major_number": 1,
"minor_number": 13
},
"metadata": {
"ssl.version": "BoringSSL",
"revision.status": "Clean",
"revision.sha": "bb7ceff4c3c5bd4555dff28b6e56d27f2f8be0a7",
"build.type": "RELEASE"
}
},
- name: dynamic_forward_proxy_cluster
...
filters:
- name: envoy.ext_authz
...
Hum, seems like that filters:
field only accepts a list of NamedUpstreamNetworkFilter
s? cc. @htuch
@zuercher @dio @htuch Thanks for looking into my issue, guys. Truly appreciate your help as this is a blocker for a team. We are trying to build dynamic forward proxy with ext_authz requests authorization. Please let us know if this is possible, or there are constraints that do not allow doing it.
To clarify some more: There is no support for http filters on upstream clusters. As @dio mentioned only upstream network filters are supported and there aren't actually any shipped with Envoy (there's one defined for tests only). Issue #10455 tracks adding support for upstream http filters, at which point use the ext_authz filter becomes theoretically possible (depending on what limitations, if any, are placed on upstream http filters).
One example of network filters that can be attached to that is istio.metadata_exchange
wasm filter. https://github.com/istio/proxy/blob/1d997c17e2321d43565c80eb828f7bdcb78de7e2/src/envoy/tcp/metadata_exchange/config.h#L49-L71
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.
Hi,
I'm having a similar issue. Except i try to configure RBAC filter envoy.filters.network.rbac
for a cluster and get Didn't find a registered implementation for name: 'envoy.filters.network.rbac'
.
"version": "bb7ceff4c3c5bd4555dff28b6e56d27f2f8be0a7/1.13.0/Clean/RELEASE/BoringSSL",
As @dio mentioned only upstream network filters are supported and there aren't actually any shipped with Envoy (there's one defined for tests only)
@zuercher please, correct me if i'm wrong - does this mean that there needs to be a separate upstream filter with similar functionality to network.rbac
but exclusively for upstream?
Edit: based on #11015 the answer seems to be - yes.
It looks UpstreamNetworkFilters implement the same interface as a regular network filter, but have a separate registration. Someone would have to evaluate whether the RBAC filter operates correctly in the upstream context and, if so, add a registration for it.
@kyessenov could you confirm that?
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.
Title: Envoy 1.13.0: Didn't find a registered implementation for name: 'envoy.ext_authz'
Description: I'm following envoy Envoy 1.13.0 documentation to build dynamic forward proxy that is using ExtAuthz cluster to verify requests (see relevant links). It is saying that: This filter should be configured with the name envoy.ext_authz However I'm hitting: Didn't find a registered implementation for name: 'envoy.ext_authz' error and Envoy exits with code 1.
If I remove filter block from my cluster, it starts and works fine.
[optional Relevant Links:] https://www.envoyproxy.io/docs/envoy/v1.13.0/configuration/http/http_filters/ext_authz_filter
Config:
Call Stack: