Tags: istio, open-telemetry, envoyproxy, istio-gateway, istio-sidecar

Modify AccessLog for custom requests in Istio


We are following the standard AccessLog format:

[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
%RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION%
%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%"
"%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n

I would like to modify this format for a custom request (.../exit) to not log sensitive data. Is it possible to filter the route this way?

Init code:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ***
  namespace: ***
spec:
  workloadSelector:
    labels:
      service.istio.io/canonical-name: ***
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        routeConfiguration:
          vhost:
            name: "*"
            route:
              name: "/exit"
              action: ANY
      patch:
        operation: MERGE
        value:
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
            access_log:
            - name: envoy.access_loggers.file
              typed_config:
                "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog"
                path: /dev/stdout
                format: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \n"

Does anyone have an idea how I can fix this to filter out the /exit requests?


Solution

  • You should be able to do that with the Telemetry resource - I think you can match the specific path with a CEL expression in the filter field.

    You can find the list of attributes you can use in the CEL expressions here: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes

    Example Telemetry resource with filter:

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: mesh-default
      namespace: istio-system
    spec:
      accessLogging:
        - providers:
          - name: privateLoggingProvider
          filter:
            expression: "request.url_path.contains('/ip')"
    

    The privateLoggingProvider is set in the mesh config:

    meshConfig:
      extensionProviders:
      - name: privateLoggingProvider
        envoyFileAccessLog:
          path: /dev/stdout
          logFormat:
            text: "your custom format here"


    Note that if you know the workloads you want to restrict or change the formats for, you can use the selectors in the Telemetry resource to target the workloads specifically (instead of applying it to all workloads/mesh).
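Putting the two pieces of the answer together for the asker's case, as an added example that is not from the original question or answer: one provider keeps the standard format, a second provider uses a reduced format, and two complementary CEL filters on a Telemetry resource route /exit to the reduced one. Assumed: the gateway runs in istio-system with the label istio=ingressgateway, the sensitive path is exactly /exit, and the provider and resource names are made up here.

```yaml
# Added example, not code from the original question or answer.
# Assumed names: the gateway workload is labelled istio=ingressgateway and runs
# in istio-system; the sensitive route is exactly /exit; provider names are made up.
#
# Part 1: mesh config (IstioOperator spec.meshConfig or the "istio" ConfigMap).
# Two file access-log providers: "fullAccessLog" keeps the standard format from
# the question, "redactedAccessLog" drops the header-derived fields and writes a
# fixed path, so a query string sent to /exit never reaches the log either.
meshConfig:
  extensionProviders:
  - name: fullAccessLog
    envoyFileAccessLog:
      path: /dev/stdout
      logFormat:
        text: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\"
          %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION%
          %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\"
          \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\"\n"
  - name: redactedAccessLog
    envoyFileAccessLog:
      path: /dev/stdout
      logFormat:
        text: "[%START_TIME%] \"%REQ(:METHOD)% /exit %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %DURATION% \"%REQ(X-REQUEST-ID)%\"\n"
---
# Part 2: Telemetry resource scoped to the gateway workload. The two CEL filters
# are complementary, so each request is logged exactly once: /exit through the
# redacted provider, everything else through the full one. An exact comparison
# is used instead of contains(), which would also match paths like /exit-status.
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: gateway-access-logs
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  accessLogging:
  - providers:
    - name: fullAccessLog
    filter:
      expression: "request.url_path != '/exit'"
  - providers:
    - name: redactedAccessLog
    filter:
      expression: "request.url_path == '/exit'"
```

The double-quoted format strings are folded by YAML into single lines with spaces, matching the original format; request.url_path excludes the query string, so the filter still matches /exit?... while the redacted format never prints it.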