I enabled ext_authz now in the default pipeline, but it also affects the connection to the database, it seems. When I add ext_authz filters to the default override it applies them to all services, no surprise really, as I guess that's what it's meant to do. But I need to be able to apply this to the services that need it. How can this be achieved in Consul?
Hey, @dagtveit, is there something you require beyond service-level intentions to define service-to-service authorization policy?
Service Mesh Intentions | Consul by HashiCorp
If you could explain a little what you would like to achieve by manually using ext_authz, I might be able to help you find a better solution than using the Envoy escape hatches and having to write Envoy config by hand.
I want to use OPA sidecars to check different policy-level stuff, a very common use case. Though, enabling it the way I did, it tries to do it on an all-or-nothing basis.
Kuma, as an example, has a selector:
```yaml
---
apiVersion: kuma.io/v1alpha1
kind: ProxyTemplate
mesh: default
metadata:
  name: opa-ext-authz-filter
spec:
  selectors:
    - match:
        kuma.io/service: '*'
  conf:
    imports:
      - default-proxy
    modifications:
      - httpFilter:
          operation: addBefore
          match:
            name: envoy.filters.http.router
            origin: inbound
          value: |
            name: envoy.filters.http.header_to_metadata
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config
              request_rules:
                - header: x-opa-authz
                  on_header_missing:
                    key: 'policy_type'
                    value: 'ingress'
      - httpFilter:
          operation: addBefore
          match:
            name: envoy.filters.http.router
            origin: inbound
          value: |
            name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              metadata_context_namespaces:
                - envoy.filters.http.header_to_metadata
              transport_api_version: V3
              with_request_body:
                max_request_bytes: 8192
                allow_partial_message: true
              failure_mode_allow: false
              grpc_service:
                google_grpc:
                  target_uri: 127.0.0.1:9191
                  stat_prefix: ext_authz
                timeout: 0.5s
      - httpFilter:
          operation: addBefore
          match:
            name: envoy.filters.http.router
            origin: outbound
          value: |
            name: envoy.filters.http.header_to_metadata
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config
              request_rules:
                - header: x-opa-authz
                  on_header_missing:
                    key: 'policy_type'
                    value: 'egress'
      - httpFilter:
          operation: addBefore
          match:
            name: envoy.filters.http.router
            origin: outbound
          value: |
            name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              metadata_context_namespaces:
                - envoy.filters.http.header_to_metadata
              transport_api_version: V3
              with_request_body:
                max_request_bytes: 8192
                allow_partial_message: true
              failure_mode_allow: false
              grpc_service:
                google_grpc:
                  target_uri: 127.0.0.1:9191
                  stat_prefix: ext_authz
                timeout: 0.5s
```
Not sure if I replied correctly, but read under/over.