From 32714b39cdb85d6076ded8af6fa266d567df4992 Mon Sep 17 00:00:00 2001 From: JingLu5 Date: Tue, 28 Aug 2018 16:34:07 +0800 Subject: Add envoy.ext_authz filter JIRA: CLOVER-86 This external authorization HTTP filter calls an external HTTP service (ModSecuruty service) to check if the incoming HTTP request is authorized or not. If the request is deemed unauthorized then the request will be denied normally with 403 (Forbidden) response. Change-Id: I0fe14c73defec027c54f42713cbdf69b0b83e102 Signed-off-by: JingLu5 --- .../istio_ingressgateway_envoyfilter.yaml | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 samples/scenarios/istio_ingressgateway_envoyfilter.yaml (limited to 'samples') diff --git a/samples/scenarios/istio_ingressgateway_envoyfilter.yaml b/samples/scenarios/istio_ingressgateway_envoyfilter.yaml new file mode 100644 index 0000000..46f730c --- /dev/null +++ b/samples/scenarios/istio_ingressgateway_envoyfilter.yaml @@ -0,0 +1,24 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: ext-authz + namespace: istio-system +spec: + workloadLabels: + app: istio-ingressgateway + filters: + - insertPosition: + index: FIRST + listenerMatch: + portNumber: 80 + listenerType: GATEWAY + listenerProtocol: HTTP + filterType: HTTP + filterName: "envoy.ext_authz" + filterConfig: + http_service: + server_uri: + uri: "http://modsecurity-crs.istio-system.svc.cluster.local" + cluster: "outbound|80||modsecurity-crs.istio-system.svc.cluster.local" + timeout: 0.5s + failure_mode_allow: false -- cgit 1.2.3-korg