[BUG] Customization of "Envoy Filter" to make an external call inside a Lua code

[vraghani]

We have implemented a “custom side car injection” (in Istio-addon deployed in AKS Cluster) by using EnvoyFilter.
As per Istio documentation (Istio / Envoy Filter) , we have implemented example 2 , to intercept all HTTP calls and inject with Lua code to call an external service.

We extended custom LUA script to call an external service . As per documentation, for calling ext services requires a cluster definition in envoy. We implemented this and get an error
While deploying this yaml file we get an error as below:

Admission webhook has denied the request for envoy filter to create a cluster definition
Can you pls help on this issue ?

Version
Kubernetes version 1.29
Istio add-on 1.23

[nshankar13]

Hi @vraghani can you share the EnvoyFilter that you are using? Lua EnvoyFilter should be allowed: https://learn.microsoft.com/en-us/azure/aks/istio-about#limitations

[Winbobob]

In our current validation, we require each Lua EnvoyFilter patch has the typed_config and @type fields.
This validation works well when the patch is applied to HTTP_FILTER, but will block the request when the patch is applied to CLUSTER, which is the cluster definition . I think if we want to support cluster definition, we need to update our validation logic.

I believe this is the example you are using: https://istio.io/latest/docs/reference/config/networking/envoy-filter/#:~:text=idle_timeout%3A%2030s-,The%20following%20example,-enables%20Envoy%E2%80%99s%20Lua

[Winbobob]

We've merged the fix, and it will be rolled out in the next release, thank you!