$ kubectl apply -f client-echo.yaml -f deny-secret-header.yaml && kubectl -n istio-vt-t64 wait --for=condition=Ready pod/client --timeout=90s
pod/client created
deployment.apps/echo created
service/echo created
authorizationpolicy.security.istio.io/deny-secret-header created
pod/client condition met

$ kubectl -n istio-vt-t64 rollout status deployment/echo --timeout=120s
deployment "echo" successfully rolled out

$ kubectl -n istio-vt-t64 get pods -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP              NODE          NOMINATED NODE   READINESS GATES
client                  2/2     Running   0          4s    10.255.126.13   k8s-worker2
echo-5767bbcc56-l97kj   2/2     Running   0          4s    10.255.126.2    k8s-worker2

$ sleep 5
$ kubectl -n istio-vt-t64 exec client -c curl -- curl -s -o /dev/null -w 'baseline_with_header_no_lua=%{http_code} ' -H 'x-secret: block' http://echo.istio-vt-t64.svc.homelab.local/
baseline_with_header_no_lua=403

$ kubectl apply -f strip-header-before-rbac.yaml
Warning: EnvoyFilter exposes internal implementation details that may change at any time. Prefer other APIs if possible, and exercise extreme caution, especially around upgrades.
envoyfilter.networking.istio.io/strip-header-before-rbac created

$ sleep 8
$ kubectl -n istio-vt-t64 exec client -c curl -- curl -s -o /dev/null -w 'lua_before_rbac=%{http_code} ' -H 'x-secret: block' http://echo.istio-vt-t64.svc.homelab.local/
lua_before_rbac=403

$ sleep 10
$ kubectl -n istio-vt-t64 exec client -c curl -- curl -s -o /dev/null -w 'lua_before_rbac_retry=%{http_code} ' -H 'x-secret: block' http://echo.istio-vt-t64.svc.homelab.local/
lua_before_rbac_retry=200

$ istioctl proxy-config listener deploy/echo.istio-vt-t64 --port 8080 -o json | python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps(d,indent=1))" | grep -n 'lua\|rbac'
138: "key": "envoy.filters.http.rbac",
154: "key": "envoy.filters.http.rbac",
170: "key": "envoy.filters.http.rbac",
186: "key": "envoy.filters.http.rbac",
446: "key": "envoy.filters.http.rbac",
462: "key": "envoy.filters.http.rbac",
478: "key": "envoy.filters.http.rbac",
494: "key": "envoy.filters.http.rbac",

[NOTE] initial lua_before_rbac read after spec's sleep 8 returned 403 (envoyfilter config propagation to the echo sidecar took longer than 8s in this run). Retried once per harness policy after additional sleep 10 (total ~18s since apply) -> 200. Verified via istioctl proxy-config listener that the Lua filter is indeed positioned BEFORE envoy.filters.http.rbac in virtualInbound filter chains (http_filters order: istio.metadata_exchange, envoy.filters.http.lua, envoy.filters.http.rbac, ...), confirming INSERT_BEFORE took effect as intended and 200 is the settled/correct value.

{'transportProtocol': 'tls', 'applicationProtocols': ['istio-http/1.0', 'istio-http/1.1', 'istio-h2']} -> ['istio.metadata_exchange', 'envoy.filters.http.lua', 'envoy.filters.http.rbac', 'envoy.filters.http.grpc_stats', 'envoy.filters.http.fault', 'envoy.filters.http.cors', 'istio.stats', 'envoy.filters.http.router']
{'transportProtocol': 'raw_buffer', 'applicationProtocols': ['http/1.1', 'h2c']} -> ['istio.metadata_exchange', 'envoy.filters.http.lua', 'envoy.filters.http.rbac', 'envoy.filters.http.grpc_stats', 'envoy.filters.http.fault', 'envoy.filters.http.cors', 'istio.stats', 'envoy.filters.http.router']
{'destinationPort': 8080, 'transportProtocol': 'tls', 'applicationProtocols': ['istio', 'istio-peer-exchange', 'istio-http/1.0', 'istio-http/1.1', 'istio-h2']} -> ['istio.metadata_exchange', 'envoy.filters.http.lua', 'envoy.filters.http.rbac', 'envoy.filters.http.grpc_stats', 'envoy.filters.http.fault', 'envoy.filters.http.cors', 'istio.stats', 'envoy.filters.http.router']
{'destinationPort': 8080, 'transportProtocol': 'raw_buffer'} -> ['istio.metadata_exchange', 'envoy.filters.http.lua', 'envoy.filters.http.rbac', 'envoy.filters.http.grpc_stats', 'envoy.filters.http.fault', 'envoy.filters.http.cors', 'istio.stats', 'envoy.filters.http.router']

$ kubectl -n istio-vt-t64 patch envoyfilter strip-header-before-rbac --type json -p '[{"op":"replace","path":"/spec/configPatches/0/patch/operation","value":"INSERT_AFTER"}]'
Warning: EnvoyFilter exposes internal implementation details that may change at any time. Prefer other APIs if possible, and exercise extreme caution, especially around upgrades.
envoyfilter.networking.istio.io/strip-header-before-rbac patched

$ sleep 8
$ kubectl -n istio-vt-t64 exec client -c curl -- curl -s -o /dev/null -w 'lua_after_rbac=%{http_code} ' -H 'x-secret: block' http://echo.istio-vt-t64.svc.homelab.local/
lua_after_rbac=403

{'transportProtocol': 'tls', 'applicationProtocols': ['istio-http/1.0', 'istio-http/1.1', 'istio-h2']} -> ['istio.metadata_exchange', 'envoy.filters.http.rbac', 'envoy.filters.http.lua', 'envoy.filters.http.grpc_stats', 'envoy.filters.http.fault', 'envoy.filters.http.cors', 'istio.stats', 'envoy.filters.http.router']
{'transportProtocol': 'raw_buffer', 'applicationProtocols': ['http/1.1', 'h2c']} -> ['istio.metadata_exchange', 'envoy.filters.http.rbac', 'envoy.filters.http.lua', 'envoy.filters.http.grpc_stats', 'envoy.filters.http.fault', 'envoy.filters.http.cors', 'istio.stats', 'envoy.filters.http.router']
{'destinationPort': 8080, 'transportProtocol': 'tls', 'applicationProtocols': ['istio', 'istio-peer-exchange', 'istio-http/1.0', 'istio-http/1.1', 'istio-h2']} -> ['istio.metadata_exchange', 'envoy.filters.http.rbac', 'envoy.filters.http.lua', 'envoy.filters.http.grpc_stats', 'envoy.filters.http.fault', 'envoy.filters.http.cors', 'istio.stats', 'envoy.filters.http.router']
{'destinationPort': 8080, 'transportProtocol': 'raw_buffer'} -> ['istio.metadata_exchange', 'envoy.filters.http.rbac', 'envoy.filters.http.lua', 'envoy.filters.http.grpc_stats', 'envoy.filters.http.fault', 'envoy.filters.http.cors', 'istio.stats', 'envoy.filters.http.router']
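The per-chain listings in the transcript show the point of the whole exercise: with INSERT_BEFORE the Lua filter runs ahead of envoy.filters.http.rbac, so the x-secret header is gone by the time the AuthorizationPolicy is evaluated and the request gets 200; with INSERT_AFTER, RBAC sees the header and returns 403. The script below is an added example, not part of this transcript and not Istio tooling: it walks the JSON that `istioctl proxy-config listener ... -o json` emits and, for every filter chain carrying an HTTP connection manager, prints the http_filters order and flags any filter positioned before RBAC, or the absence of RBAC altogether. It assumes the Envoy Listener JSON shape (filterChains[].filters[] with a typedConfig.httpFilters[].name list on the http_connection_manager filter); the embedded SAMPLE_LISTENERS are constructed to mirror the two states seen above rather than captured from the echo sidecar, and the allow-list of filters expected ahead of RBAC is an assumption drawn from the order seen in the transcript.

```python
"""Audit the HTTP filter order in Envoy listener JSON relative to the RBAC filter.

Added example (not from the transcript or from Istio). Reads the output of
`istioctl proxy-config listener <pod> -o json`, a JSON list of Envoy Listener
objects, and for each filter chain with an HTTP connection manager reports the
http_filters order plus any filter placed before envoy.filters.http.rbac. Such
a filter can rewrite the request before the AuthorizationPolicy is evaluated,
which is what the INSERT_BEFORE variant did (x-secret stripped -> 200, not 403).
"""
import json
import sys

HCM = "envoy.filters.network.http_connection_manager"
RBAC = "envoy.filters.http.rbac"
# Filters Istio itself places ahead of RBAC on inbound chains. Assumption taken
# from the order observed in the transcript; extend it for your own mesh.
EXPECTED_BEFORE_RBAC = {"istio.metadata_exchange"}


def http_filter_chains(listeners):
    """Yield (filterChainMatch, [http filter names]) for every HCM filter chain."""
    for listener in listeners:
        for chain in listener.get("filterChains", []):
            for net_filter in chain.get("filters", []):
                if net_filter.get("name") != HCM:
                    continue
                http_filters = net_filter.get("typedConfig", {}).get("httpFilters", [])
                yield chain.get("filterChainMatch", {}), [f.get("name") for f in http_filters]


def unexpected_before_rbac(names):
    """Names positioned before RBAC that are not on the allow-list.

    Returns None when the chain has no RBAC filter at all, which is its own
    finding: no AuthorizationPolicy is enforced on that chain.
    """
    if RBAC not in names:
        return None
    before = names[: names.index(RBAC)]
    return [n for n in before if n not in EXPECTED_BEFORE_RBAC]


def audit(listeners):
    """One finding per HCM chain: its match, its filter order, and the offenders."""
    return [
        {"match": match, "order": names, "before_rbac": unexpected_before_rbac(names)}
        for match, names in http_filter_chains(listeners)
    ]


def _chain(match, names):
    """Build a minimal filter chain in the Envoy Listener JSON shape (assumed)."""
    return {
        "filterChainMatch": match,
        "filters": [{"name": HCM, "typedConfig": {"httpFilters": [{"name": n} for n in names]}}],
    }


# Constructed sample, not captured from the echo sidecar: chain 0 mirrors the
# INSERT_BEFORE state, chain 1 the INSERT_AFTER state, chain 2 has no RBAC filter.
SAMPLE_LISTENERS = [{
    "name": "virtualInbound",
    "filterChains": [
        _chain({"transportProtocol": "tls", "applicationProtocols": ["istio-http/1.1", "istio-h2"]},
               ["istio.metadata_exchange", "envoy.filters.http.lua", RBAC,
                "envoy.filters.http.cors", "envoy.filters.http.router"]),
        _chain({"destinationPort": 8080, "transportProtocol": "raw_buffer"},
               ["istio.metadata_exchange", RBAC, "envoy.filters.http.lua",
                "envoy.filters.http.cors", "envoy.filters.http.router"]),
        _chain({"transportProtocol": "raw_buffer", "applicationProtocols": ["http/1.1", "h2c"]},
               ["istio.metadata_exchange", "envoy.filters.http.router"]),
    ],
}]


def main():
    # Pipe real output in, for example:
    #   istioctl proxy-config listener deploy/echo.istio-vt-t64 --port 8080 -o json | python3 audit_filter_order.py
    # With no stdin attached, the constructed sample is audited instead.
    listeners = SAMPLE_LISTENERS if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit(listeners):
        print(finding["match"], "->", finding["order"])
        if finding["before_rbac"] is None:
            print("  !! no envoy.filters.http.rbac on this chain: authz not enforced")
        elif finding["before_rbac"]:
            print("  !! filters that run before RBAC and can rewrite the request:", finding["before_rbac"])


if __name__ == "__main__":
    main()
```

Run against the INSERT_BEFORE state, the script flags envoy.filters.http.lua on every chain; against the INSERT_AFTER state it reports nothing ahead of RBAC beyond the expected metadata exchange filter, which is the same conclusion the transcript reached by eye. Because EnvoyFilter patches propagate asynchronously (the transcript needed roughly 18 seconds before the first 200), the check is most useful when run after `istioctl proxy-config` reflects the new configuration, not immediately after `kubectl apply`.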