- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- FAQs
- Overview
- Permissions
- Pod Startup Fails Because the Envoy Sidecar Is Unready
- Envoy Status Code 431 "Request Header Fields Too Large" Is Returned
- Envoy Converts Headers to Lowercase
- Headless Service-related FAQs
- Istio-init Crashes
- VirtualService Does Not Take Effect
- Inappropriate VirtualService Route Matching Order
- Failed to Access an Ingress Gateway from the Public Network
- Parsing Fails After Smart DNS Is Enabled
- Locality Load Balancing Does Not Take Effect
- Client Status Code 426 "Upgrade Required" Is Returned
- Sidecars Are Not Automatically Injected
- Circuit Breaking Does Not Take Effect
- 404 Is Returned During Access to a StatefulSet's Pod IP Address
- Service Is Abnormal Due to a Retry Policy
- Incomplete Call Tracing Information
- TCM Policy
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- FAQs
- Overview
- Permissions
- Pod Startup Fails Because the Envoy Sidecar Is Unready
- Envoy Status Code 431 "Request Header Fields Too Large" Is Returned
- Envoy Converts Headers to Lowercase
- Headless Service-related FAQs
- Istio-init Crashes
- VirtualService Does Not Take Effect
- Inappropriate VirtualService Route Matching Order
- Failed to Access an Ingress Gateway from the Public Network
- Parsing Fails After Smart DNS Is Enabled
- Locality Load Balancing Does Not Take Effect
- Client Status Code 426 "Upgrade Required" Is Returned
- Sidecars Are Not Automatically Injected
- Circuit Breaking Does Not Take Effect
- 404 Is Returned During Access to a StatefulSet's Pod IP Address
- Service Is Abnormal Due to a Retry Policy
- Incomplete Call Tracing Information
- TCM Policy
- Glossary
Using a Wasm Filter o Extend the Data Plane
Last updated: 2023-12-26 14:21:21
Wasm is short for WebAssembly, which can compile binary instructions and load them into the Envoy's filter chain to extend mesh data plane capabilities. In this way, Envoy and extension components are decoupled, and users no longer need to extend capabilities by modifying Envoy code and compiling special Envoy versions. In addition, wasm delivers advantages of dynamic loading and secure isolation.
Since Istio 1.6, the Proxy-Wasm sandbox API has replaced Mixer as a main extension implementation of Istio to implement the interaction between Envoy and wasm virtual machines. Therefore, to extend Envoy through a wasm filter, you need to use Proxy-WASM SDK.
Usually, steps of compiling a wasm file to extend mesh data plane capabilities include the following:
1. Compile a wasm filter by following Examples.
2. Inject the wasm filter into a ConfigMap to mount the wasm filter to any workload through the ConfigMap, thereby preventing the wasm filter from being copied to multiple nodes.
kubectl create cm -n foo example-filter --from-file=example-filter.wasm
3. Mount the wasm filter to a service workload. You can use Istio Annotations to enable a corresponding file to be automatically mounted when creating a workload.
sidecar.istio.io/userVolume: '[{"name":"wasmfilters-dir","configMap": {"name": "example-filter"}}]'sidecar.istio.io/userVolumeMount: '[{"mountPath":"/var/local/lib/wasm-filters","name":"wasmfilters-dir"}]'
Apply the annotation to the corresponding workload.
kubectl patch deployment -n foo frontpage-v1 -p '{"spec":{"template":{"metadata":{"annotations":{"sidecar.istio.io/userVolume":"[{\\"name\\":\\"wasmfilters-dir\\",\\"configMap\\": {\\"name\\": \\"example-filter\\"}}]","sidecar.istio.io/userVolumeMount":"[{\\"mountPath\\":\\"/var/local/lib/wasm-filters\\",\\"name\\":\\"wasmfilters-dir\\"}]"}}}}}'
4. Create an Envoy filter, and add the wasm filter to the Envoy filter chain of the corresponding workload to have it to take effect.
apiVersion: networking.istio.io/v1alpha3kind: EnvoyFiltermetadata:name: frontpage-v1-examplefilternamespace: foospec:configPatches:- applyTo: HTTP_FILTERmatch:listener:filterChain:filter:name: envoy.http_connection_managersubFilter:name: envoy.routerpatch:operation: INSERT_BEFOREvalue:name: envoy.filters.http.wasmtyped_config:'@type': type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasmconfig:name: example-filterroot_id: my_root_idvm_config:code:local:filename: /var/local/lib/wasm-filters/example-filter.wasmruntime: envoy.wasm.runtime.v8vm_id: example-filterallow_precompiled: trueworkloadSelector:labels:app: frontpageversion: v1
Till now, the wasm filter has been deployed. The wasm filter can also be used as an image. For details, see Build a wasm filter image. For details about how to use the wasme tool to deploy the wasm filter, see Deploying Wasm Filters with Wasme.
It can be seen that the deployment of a wasm filter is cumbersome, especially when large-scale deployment is required. It is difficult to deploy and manage a batch of wasm filters without a tool. Tencent Cloud Mesh provides convenient deployment tools, which can be used to deploy a batch of wasm filters in the binary or image format to services. For details, see Using Tencent Cloud Mesh Tools to Deploy Wasm Filters in Batches.
Yes
No
Was this page helpful?