Istio Extensions API

The Istio Extensions API (extensions.istio.io) provides configuration resources for extending the Istio service mesh with custom functionality. The WasmPlugin resource enables deploying WebAssembly (Wasm) modules as plugins to the Envoy sidecar proxies, allowing custom processing of network traffic at various phases of the request lifecycle including authentication, authorization, metrics collection, and traffic transformation.

OpenAPI Specification

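# OpenAPI description of the Kubernetes API endpoints that serve Istio
# WasmPlugin resources (group extensions.istio.io, version v1alpha1).
openapi: 3.1.0
info:
  title: Istio Extensions API
  description: >-
    The Istio Extensions API (extensions.istio.io) provides configuration
    resources for extending the Istio service mesh with custom functionality.
    The WasmPlugin resource enables deploying WebAssembly (Wasm) modules as
    plugins to the Envoy sidecar proxies, allowing custom processing of network
    traffic at various phases of the request lifecycle. These resources are
    defined as Kubernetes Custom Resource Definitions (CRDs) and are accessed
    via the Kubernetes API server.
  version: v1alpha1
  contact:
    name: Istio
    url: https://istio.io/
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
externalDocs:
  description: Istio Extensions Configuration Reference
  url: https://istio.io/latest/docs/reference/config/
servers:
  # All paths in this document are relative to the API group/version prefix.
  - url: https://{cluster}/apis/extensions.istio.io/v1alpha1
    description: Kubernetes API server endpoint for Istio Extensions v1alpha1
    variables:
      cluster:
        # The default is the in-cluster service name of the API server; callers
        # outside the cluster must substitute their own API server hostname.
        default: kubernetes.default.svc
        description: Kubernetes API server hostname
# Require the BearerAuth scheme (components.securitySchemes) on every
# operation. Without a security requirement, generated clients and rendered
# documentation treat the operations as unauthenticated even though each one
# documents a 401 response.
security:
  - BearerAuth: []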
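paths:
  # Collection endpoint: list the WasmPlugins of one namespace or create one.
  /namespaces/{namespace}/wasmplugins:
    get:
      operationId: listWasmPlugins
      summary: Istio List WasmPlugins
      description: >-
        List all WasmPlugin resources in the specified namespace. A WasmPlugin
        provides a mechanism to extend the functionality provided by the Istio
        proxy through WebAssembly filters, enabling custom authentication,
        authorization, metrics, logging, and traffic transformation at the proxy
        level.
      tags:
        - WasmPlugin
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/labelSelector'
        - $ref: '#/components/parameters/limit'
        - $ref: '#/components/parameters/continue'
      responses:
        '200':
          description: Successful response containing list of WasmPlugins
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WasmPluginList'
        '401':
          description: Unauthorized
        # An authenticated caller that lacks permission is answered with 403
        # rather than 401; clients should handle the two cases separately.
        '403':
          description: Forbidden - caller is not authorized for this request
    post:
      operationId: createWasmPlugin
      summary: Istio Create a WasmPlugin
      description: Create a new WasmPlugin resource in the specified namespace.
      tags:
        - WasmPlugin
      parameters:
        - $ref: '#/components/parameters/namespace'
      # Creating a WasmPlugin makes the selected proxies load and run the
      # referenced Wasm module, so this is the operation whose access most
      # needs restricting.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WasmPlugin'
      responses:
        '201':
          description: WasmPlugin created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WasmPlugin'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - caller is not authorized for this request
        '409':
          description: Conflict - resource already exists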
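  # Item endpoint: read, replace or delete one named WasmPlugin.
  /namespaces/{namespace}/wasmplugins/{name}:
    get:
      operationId: getWasmPlugin
      summary: Istio Get a WasmPlugin
      description: Read the specified WasmPlugin resource.
      tags:
        - WasmPlugin
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WasmPlugin'
        '401':
          description: Unauthorized
        # An authenticated caller that lacks permission is answered with 403
        # rather than 401; clients should handle the two cases separately.
        '403':
          description: Forbidden - caller is not authorized for this request
        '404':
          description: Not found
    put:
      operationId: replaceWasmPlugin
      summary: Istio Replace a WasmPlugin
      description: Replace the specified WasmPlugin resource.
      tags:
        - WasmPlugin
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      # A replace can change the module URL, checksum, phase and fail strategy
      # of a plugin that is already running, so it deserves the same access
      # restrictions as create.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WasmPlugin'
      responses:
        '200':
          description: WasmPlugin replaced
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WasmPlugin'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - caller is not authorized for this request
        '404':
          description: Not found
    delete:
      operationId: deleteWasmPlugin
      summary: Istio Delete a WasmPlugin
      description: Delete the specified WasmPlugin resource.
      tags:
        - WasmPlugin
      parameters:
        - $ref: '#/components/parameters/namespace'
        - $ref: '#/components/parameters/name'
      # Deleting a plugin that performs authentication or authorization
      # removes that check from the selected proxies.
      responses:
        '200':
          description: WasmPlugin deleted
        '401':
          description: Unauthorized
        '403':
          description: Forbidden - caller is not authorized for this request
        '404':
          description: Not found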
# Reusable definitions referenced from `paths` through $ref.
components:
  parameters:
    # Path segment that scopes the request to one namespace.
    # NOTE(review): only `type: string` is declared, so this schema does not
    # restrict what a generated client will place into the URL path. Confirm
    # whether a pattern/maxLength matching Kubernetes naming rules belongs here.
    namespace:
      name: namespace
      in: path
      required: true
      description: The Kubernetes namespace
      schema:
        type: string
    # Path segment that selects one WasmPlugin by name.
    # NOTE(review): unconstrained string, same caveat as `namespace`.
    name:
      name: name
      in: path
      required: true
      description: The resource name
      schema:
        type: string
    # Optional filter for list requests; not marked required.
    labelSelector:
      name: labelSelector
      in: query
      description: A selector to restrict the list of returned objects by their labels
      schema:
        type: string
    # Optional page size for list requests.
    # NOTE(review): no minimum is declared, so zero and negative values pass
    # schema validation.
    limit:
      name: limit
      in: query
      description: Maximum number of resources to return
      schema:
        type: integer
    # Pagination cursor; ListMeta carries a `continue` field of the same name.
    continue:
      name: continue
      in: query
      description: Continue token for paginated list requests
      schema:
        type: string
  schemas:
    # Metadata carried by a single resource (referenced by WasmPlugin).
    ObjectMeta:
      type: object
      properties:
        name:
          type: string
          description: Name of the resource
        namespace:
          type: string
          description: Namespace of the resource
        # Free-form string-to-string maps; any key is accepted by this schema.
        labels:
          type: object
          additionalProperties:
            type: string
        annotations:
          type: object
          additionalProperties:
            type: string
        creationTimestamp:
          type: string
          format: date-time
        # Declared as a string, not a number.
        resourceVersion:
          type: string
    # Metadata carried by a list response (referenced by WasmPluginList).
    ListMeta:
      type: object
      properties:
        resourceVersion:
          type: string
        # Same name as the `continue` query parameter used for pagination.
        continue:
          type: string
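    # A WasmPlugin tells the selected proxies to fetch a Wasm module and run
    # it inside their filter chain. Whoever can write this resource decides
    # what code processes the selected workloads' traffic.
    WasmPlugin:
      type: object
      properties:
        apiVersion:
          type: string
          enum:
            - extensions.istio.io/v1alpha1
        kind:
          type: string
          enum:
            - WasmPlugin
        metadata:
          $ref: '#/components/schemas/ObjectMeta'
        spec:
          type: object
          # A plugin without a module location cannot be loaded, so the schema
          # should reject a spec that omits it.
          required:
            - url
          properties:
            # With no selector, Istio applies the plugin to every workload in
            # the resource's namespace, and to every namespace when the
            # resource lives in the mesh's config root namespace. Write access
            # to WasmPlugins there should be tightly held.
            selector:
              type: object
              properties:
                matchLabels:
                  type: object
                  additionalProperties:
                    type: string
              description: Workload selector to determine which proxies receive the plugin.
            # The proxy executes whatever this location serves. A plain http://
            # URL or a mutable OCI tag gives no integrity guarantee on its own;
            # pair it with `sha256` or reference the image by digest.
            url:
              type: string
              description: >-
                URL of a Wasm module or OCI container. Supported schemes include
                oci://, file://, and http(s)://.
            # Pins the module content. The pattern accepts an empty string or
            # 64 lowercase hex characters, the length of a hex-encoded SHA-256
            # digest, so truncated or malformed checksums fail validation
            # instead of being stored.
            sha256:
              type: string
              pattern: '(^$|^[a-f0-9]{64}$)'
              description: SHA256 checksum for verification of the Wasm module.
            # `Always` re-pulls the image, so a tag that is re-pointed at new
            # content takes effect unless the checksum or digest is pinned.
            imagePullPolicy:
              type: string
              enum:
                - UNSPECIFIED_POLICY
                - IfNotPresent
                - Always
              description: The pull behavior to be applied to the Wasm image.
            # Holds only the secret's name; the registry credential itself
            # stays in the Kubernetes secret.
            imagePullSecret:
              type: string
              description: >-
                Name of the Kubernetes secret for pulling OCI images from
                private registries.
            # Stored in the resource and returned by get/list, so anyone who
            # can read WasmPlugins can read it. Keep credentials out of it.
            pluginConfig:
              type: object
              description: >-
                The configuration passed to the Wasm plugin as a JSON object.
                Specific contents depend on the plugin implementation.
            pluginName:
              type: string
              description: >-
                The plugin name to be used in the Envoy configuration (used for
                logging and debugging).
            # AUTHN, AUTHZ and STATS place the plugin ahead of Istio's own
            # authentication, authorization and stats filters respectively, so
            # the phase decides whether the plugin sees traffic before or
            # after those built-in checks have run.
            phase:
              type: string
              enum:
                - UNSPECIFIED_PHASE
                - AUTHN
                - AUTHZ
                - STATS
              description: >-
                Determines where in the filter chain this WasmPlugin is to be
                injected.
            priority:
              type: integer
              description: >-
                Determines ordering of WasmPlugins in the same phase. Higher
                priority is processed first.
            # For a plugin that enforces authentication or authorization,
            # FAIL_OPEN means traffic proceeds without that check whenever the
            # module cannot be fetched or crashes. Choose it only for plugins
            # whose absence is acceptable.
            failStrategy:
              type: string
              enum:
                - FAIL_CLOSE
                - FAIL_OPEN
              description: >-
                Specifies the failure behavior for the proxy when the remote
                Wasm module is unavailable or has errors.
            vmConfig:
              type: object
              properties:
                env:
                  type: array
                  items:
                    type: object
                    properties:
                      name:
                        type: string
                      # HOST takes the value from the proxy's own environment,
                      # which exposes that variable to the Wasm module; INLINE
                      # uses the `value` given here.
                      valueFrom:
                        type: string
                        enum:
                          - INLINE
                          - HOST
                      value:
                        type: string
              description: Configuration for the Wasm Virtual Machine.
            # Traffic that matches no entry is not passed to the plugin, so an
            # over-narrow match on an enforcement plugin leaves the remaining
            # ports unchecked.
            match:
              type: array
              items:
                type: object
                properties:
                  mode:
                    type: string
                    enum:
                      - UNDEFINED
                      - CLIENT
                      - SERVER
                      - CLIENT_AND_SERVER
                  ports:
                    type: array
                    items:
                      type: object
                      properties:
                        # Restrict to the valid TCP port range so out-of-range
                        # values are rejected at validation time.
                        number:
                          type: integer
                          minimum: 1
                          maximum: 65535
              description: >-
                Specifies the criteria to determine which traffic is passed to
                the WasmPlugin.
            targetRefs:
              type: array
              items:
                type: object
                properties:
                  kind:
                    type: string
                  group:
                    type: string
                  name:
                    type: string
              description: References to the target resources.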
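    # Response body of the list operation: list metadata plus the WasmPlugin
    # items of the requested namespace.
    WasmPluginList:
      type: object
      properties:
        # Constrained to the same group/version as the WasmPlugin schema so
        # both schemas agree on what a valid apiVersion is.
        apiVersion:
          type: string
          enum:
            - extensions.istio.io/v1alpha1
        kind:
          type: string
          enum:
            - WasmPluginList
        metadata:
          $ref: '#/components/schemas/ListMeta'
        items:
          type: array
          items:
            $ref: '#/components/schemas/WasmPlugin'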
  # Authentication schemes this document makes available. A scheme declared
  # here applies only to operations covered by a `security` requirement that
  # names it.
  securitySchemes:
    # HTTP bearer authentication: the token travels in the Authorization
    # header, so it must only be sent over the https server URL.
    BearerAuth:
      type: http
      scheme: bearer
      description: Kubernetes API server bearer token authentication
# Tag metadata; every operation in `paths` is grouped under WasmPlugin.
tags:
  - name: WasmPlugin
    description: WebAssembly plugin configuration for Envoy proxy extensions
    externalDocs:
      url: https://istio.io/latest/docs/reference/config/