Reputation: 491
When the user has many roles associated with it, the Authorization bearer token will exceed the max header size provided by Istio, which blocks all the requests.
The authorization bearer token has more than 35,000 characters with 34K size.
How can I increase the max header size provided by Istio?
Upvotes: 3
Views: 6841
Reputation: 8830
As far as I know, since Istio 1.5 you would use Control Headers and Routing.
But as mentioned in the above link:
The mixer policy is deprecated in Istio 1.5 and not recommended for production usage.
Consider using Envoy ext_authz filter, lua filter, or write a filter using the Envoy-wasm sandbox.
As mentioned in the Envoy documentation, you can use max_request_headers to increase your header size.
max_request_headers_kb
The maximum request headers size for incoming connections. If unconfigured, the default max request headers allowed is 60 KiB. Requests that exceed this limit will receive a 431 response. The max configurable limit is 96 KiB, based on current implementation constraints.
As mentioned above, you could use an Envoy filter to change it.
EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot. Use EnvoyFilter to modify values for certain fields, add specific filters, or even add entirely new listeners, clusters, etc. This feature must be used with care, as incorrect configurations could potentially destabilize the entire mesh. Unlike other Istio networking objects, EnvoyFilters are additively applied. Any number of EnvoyFilters can exist for a given workload in a specific namespace. The order of application of these EnvoyFilters is as follows: all EnvoyFilters in the config root namespace, followed by all matching EnvoyFilters in the workload’s namespace.
Take a look at the example with max_request_headers here.
And you can find more examples with Envoy filters here and here.
Upvotes: 5
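An EnvoyFilter that raises the limit quoted above, as an added example that is not part of the original answer or its linked examples. It shows the patch scoped to a single workload so the larger header allowance does not apply to every sidecar in the mesh. Assumptions: the resource name, the `istio-system` namespace, the `istio: ingressgateway` pod label, the value 96, and an Istio release that uses Envoy's v3 API (older releases use a different filter name and type URL).

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: gateway-max-request-headers   # hypothetical name
  namespace: istio-system             # assumed namespace of the gateway
spec:
  # Limit the patch to the ingress gateway pods. Without a workloadSelector,
  # an EnvoyFilter in the config root namespace applies to all workloads.
  workloadSelector:
    labels:
      istio: ingressgateway           # assumed label on the gateway pods
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filter:
          name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          # Default is 60 KiB and the configurable maximum is 96 KiB (see the
          # Envoy documentation quoted above). Requests over the limit get a
          # 431 response. Use the smallest value that fits the largest
          # legitimate token, since every connection may buffer up to this much.
          max_request_headers_kb: 96
```

If the token also has to pass through sidecars on the way to the backend, those listeners need the same setting, with `context: SIDECAR_INBOUND` and a selector for the target workload.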