Istio · Schema
Istio WasmPlugin
A WasmPlugin provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters. It enables custom authentication, authorization, metrics, logging, and traffic transformation at the proxy level.
CNCF, Kubernetes, Microservices, Open Source, Service Mesh
Properties
| Name | Type | Description |
|---|---|---|
| selector | object | Workload selector to apply the plugin to specific workloads. |
| targetRefs | array | Target references to apply the plugin to specific resources. |
| url | string | URL of a Wasm module or OCI container image. Supports oci://, http://, https://, and file:// schemes. |
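| sha256 | string | SHA256 checksum used to verify the Wasm module or OCI container after it is fetched. Optional in this schema; when it is omitted and the url does not itself pin a digest, the fetched content is not checked against a known value, which matters most for the http:// scheme. |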
| imagePullPolicy | string | The pull behavior to be applied when fetching Wasm module images. |
| imagePullSecret | string | Credentials to use for OCI image pulling. Name of a Kubernetes Secret. |
| pluginConfig | object | The configuration that will be passed on to the plugin. Encoded as JSON and passed to the Wasm module. |
| pluginName | string | The plugin name to be used in the Envoy configuration. Allows distinguishing between multiple uses of the same Wasm module. |
| phase | string | Determines where in the filter chain this WasmPlugin is to be injected. |
| priority | integer | Determines ordering of WasmPlugins in the same phase. Higher priority is evaluated first. |
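| failStrategy | string | Specifies the failure behavior for the plugin. FAIL_CLOSE rejects traffic; FAIL_OPEN skips the plugin, so requests continue without whatever checks the plugin enforces, including authentication or authorization. |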
| vmConfig | object | Configuration for the Wasm VM. |
| match | array | Specifies the criteria to determine which traffic is passed to WasmPlugin. |
| type | string | Specifies the type of Wasm Extension to be used. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://github.com/api-evangelist/istio/blob/main/json-schema/wasm-plugin.json",
"title": "Istio WasmPlugin",
"description": "A WasmPlugin provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters. It enables custom authentication, authorization, metrics, logging, and traffic transformation at the proxy level.",
"type": "object",
"properties": {
"selector": {
"type": "object",
"properties": {
"matchLabels": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "One or more labels that indicate a specific set of pods/VMs on which the plugin should be applied."
}
},
"description": "Workload selector to apply the plugin to specific workloads."
},
"targetRefs": {
"type": "array",
"items": {
"type": "object",
"properties": {
"group": {
"type": "string"
},
"kind": {
"type": "string"
},
"name": {
"type": "string"
}
}
},
"description": "Target references to apply the plugin to specific resources."
},
"url": {
"type": "string",
"description": "URL of a Wasm module or OCI container image. Supports oci://, http://, https://, and file:// schemes."
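},
"sha256": {
"type": "string",
"description": "SHA256 checksum used to verify the Wasm module or OCI container after it is fetched. Optional in this schema; when it is omitted and the url does not itself pin a digest, the fetched content is not checked against a known value, which matters most for the http:// scheme."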
},
"imagePullPolicy": {
"type": "string",
"enum": ["UNSPECIFIED_POLICY", "IfNotPresent", "Always"],
"description": "The pull behavior to be applied when fetching Wasm module images."
},
"imagePullSecret": {
"type": "string",
"description": "Credentials to use for OCI image pulling. Name of a Kubernetes Secret."
},
"pluginConfig": {
"type": "object",
"description": "The configuration that will be passed on to the plugin. Encoded as JSON and passed to the Wasm module."
},
"pluginName": {
"type": "string",
"description": "The plugin name to be used in the Envoy configuration. Allows distinguishing between multiple uses of the same Wasm module."
},
"phase": {
"type": "string",
"enum": ["UNSPECIFIED_PHASE", "AUTHN", "AUTHZ", "STATS"],
"description": "Determines where in the filter chain this WasmPlugin is to be injected."
},
"priority": {
"type": "integer",
"description": "Determines ordering of WasmPlugins in the same phase. Higher priority is evaluated first."
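},
"failStrategy": {
"type": "string",
"enum": ["FAIL_CLOSE", "FAIL_OPEN"],
"description": "Specifies the failure behavior for the plugin. FAIL_CLOSE rejects traffic; FAIL_OPEN skips the plugin, so requests continue without whatever checks the plugin enforces, including authentication or authorization."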
},
"vmConfig": {
"type": "object",
"description": "Configuration for the Wasm VM.",
"properties": {
"env": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the environment variable."
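},
"valueFrom": {
"type": "string",
"enum": ["INLINE", "HOST"],
"description": "Source for the environment variable's value. INLINE uses the value field; HOST exposes the proxy's own environment variable of that name to the Wasm VM, so use it only for values the plugin is meant to read."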
},
"value": {
"type": "string",
"description": "Value for the environment variable when valueFrom is INLINE."
}
},
"required": ["name"]
},
"description": "Environment variables to pass to the VM."
}
}
},
"match": {
"type": "array",
"items": {
"type": "object",
"properties": {
"mode": {
"type": "string",
"enum": ["UNDEFINED", "CLIENT", "SERVER", "CLIENT_AND_SERVER"],
"description": "Criteria for selecting traffic by their direction."
},
"ports": {
"type": "array",
"items": {
"type": "object",
"properties": {
"number": {
"type": "integer"
}
}
},
"description": "Criteria for selecting traffic by port."
}
}
},
"description": "Specifies the criteria to determine which traffic is passed to WasmPlugin."
},
"type": {
"type": "string",
"enum": ["UNSPECIFIED_PLUGIN_TYPE", "HTTP", "NETWORK"],
"description": "Specifies the type of Wasm Extension to be used."
}
},
"required": ["url"]
}