Envoy External Authorization Filter

The Envoy External Authorization Filter (often referred to as ext_authz) is an Envoy filter used to integrate custom authorization systems into a service mesh.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]

Functionality

The filter operates by calling out to an external authorization service to determine if an incoming request should be allowed or denied.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md] It supports communication with this external service via either HTTP (commonly on port 8000) or gRPC v2/v3 (commonly on port 9000) APIs.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]

Authorization Logic

The decision to allow or deny a request is determined by the logic implemented in the external service.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]

For example, a sample authorization server might implement logic to:

  • Allow the request if it contains a specific header (e.g., x-ext-authz: allow).^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]
  • Allow the request based on the source workload's service account (e.g., if the service account is named a).^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]

If the criteria are not met, the external service typically returns a 403 Forbidden status to the client.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]

Request Processing

When a request is checked by the external service, the service can manipulate the request headers before the proxy forwards it to the upstream service.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]

  • Request Dumping: The authorization service may add a header (e.g., x-ext-authz-check-received) containing a dump of the check request received from the filter.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]
  • Header Overrides: The service can add or override existing headers in the user request.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md] For instance, an HTTP-based authorization server might reflect a header from the check request back to the original request, while a gRPC server might apply a constant value.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]

Related

  • [[Envoy]]
  • Istio
  • [[gRPC]]
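As an added example (not the Istio sample's own code), here is a minimal Go implementation of the HTTP variant of such an authorization service: the allow/deny logic from the Authorization Logic section, the check-request dump header, and the reflected override header. The override header name, and recovering the caller's SPIFFE identity from Envoy's x-forwarded-client-cert header, are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Header names follow the Istio extauthz sample README; overrideHeader's name is assumed.
const (
	checkHeader    = "x-ext-authz"
	receivedHeader = "x-ext-authz-check-received"
	overrideHeader = "x-ext-authz-additional-header-override"
)

// check applies the sample policy: allow if the request carries "x-ext-authz: allow" or the
// source service account is "a". It returns the ext_authz reply status (200 allows, 403 denies)
// and the headers the proxy adds to, or overrides on, the upstream request. The header is client
// controlled (demo only); the principal comes from the mTLS cert: spiffe://<td>/ns/<ns>/sa/<sa>.
func check(method, path string, h http.Header, principal string) (int, map[string]string) {
	if h.Get(checkHeader) != "allow" && !strings.HasSuffix(principal, "/sa/a") {
		return http.StatusForbidden, nil
	}
	return http.StatusOK, map[string]string{
		// Dump of the check request, so the upstream can see what the filter sent.
		receivedHeader: fmt.Sprintf("%s %s principal=%q", method, path, principal),
		// Reflect the override header from the check request (a gRPC variant might set a constant).
		overrideHeader: h.Get(overrideHeader),
	}
}

// principalFromXFCC extracts the URI SAN from Envoy's x-forwarded-client-cert
// header, whose elements are ';'-separated, e.g. "By=...;Hash=...;URI=spiffe://...".
func principalFromXFCC(xfcc string) string {
	for _, el := range strings.Split(xfcc, ";") {
		if strings.HasPrefix(el, "URI=") {
			return strings.TrimPrefix(el, "URI=")
		}
	}
	return ""
}

// serveHTTP exposes check() on the HTTP ext_authz API (conventionally port 8000).
func serveHTTP(w http.ResponseWriter, r *http.Request) {
	status, hdrs := check(r.Method, r.URL.Path, r.Header, principalFromXFCC(r.Header.Get("x-forwarded-client-cert")))
	for k, v := range hdrs {
		w.Header().Set(k, v)
	}
	w.WriteHeader(status)
}
```

To run it as a server, call http.ListenAndServe(":8000", http.HandlerFunc(serveHTTP)) from a main function and point the filter's HTTP service at that port.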

Sources

^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]