Description
When an EnvoyExtensionPolicy contains both extProc and wasm filters, and the WASM OCI image fails to be fetched (e.g., the image doesn't exist), the entire policy is marked as Invalid with Accepted: False. This causes the extProc filter not to be applied, even though:
- ExtProc has no dependency on WASM
- WASM is configured with failOpen: true
Expected Behavior:
- WASM filter should be skipped gracefully (since failOpen: true)
- ExtProc filter should still be applied to the route
- Policy status should reflect partial application or warning, not complete rejection
Actual Behavior:
- Entire policy marked Invalid / Accepted: False
- Neither ExtProc nor WASM filters are applied
- Requests bypass all processing and go directly to backend
- This is a security issue as authentication/authorization in ExtProc is bypassed
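The expected behaviour described above, as an added example in Go that is not Envoy Gateway's own code: a hypothetical translate step that emits the extProc filter regardless of the Wasm fetch outcome, skips a failOpen: true Wasm filter with a warning, and rejects the policy only when failOpen is false (that last rule is an assumption; the report does not specify it). The types, the stubFetch registry and the filter names are constructed for the example.

```go
package main

import "fmt"

// Hypothetical model of the policy translation step; not Envoy Gateway's own code.
type WasmFilter struct {
	Name, Image string
	FailOpen    bool
}
// Status holds the Accepted condition plus the filter chain that would reach Envoy.
type Status struct {
	Accepted          bool
	Filters, Warnings []string
}

// translate emits the extProc filters unconditionally. A Wasm filter whose image cannot
// be fetched is skipped with a warning when failOpen is true; with failOpen false the whole
// policy is rejected (assumed). Per the report, today every fetch error takes that branch.
func translate(extProc []string, wasm []WasmFilter, fetch func(string) error) Status {
	st := Status{Accepted: true}
	for _, backend := range extProc {
		st.Filters = append(st.Filters, "extproc/"+backend)
	}
	for _, w := range wasm {
		err := fetch(w.Image)
		switch {
		case err == nil:
			st.Filters = append(st.Filters, "wasm/"+w.Name)
		case w.FailOpen:
			st.Warnings = append(st.Warnings, fmt.Sprintf("wasm %s skipped: %v", w.Name, err))
		default:
			return Status{Warnings: []string{"Invalid: " + err.Error()}} // nothing reaches Envoy
		}
	}
	return st
}

// stubFetch is constructed for the example: only one image tag exists in the fake registry.
func stubFetch(image string) error {
	if image != "my-registry.example.com/wasm:v1" {
		return fmt.Errorf("failed to get Wasm module oci://%s after 10 attempts", image)
	}
	return nil
}

func main() {
	wasm := []WasmFilter{{Name: "response-logger", Image: "my-registry.example.com/wasm:nonexistent-tag", FailOpen: true}}
	fmt.Printf("%+v\n", translate([]string{"my-extproc-service"}, wasm, stubFetch))
}
```

With the constructed input, the extProc filter survives and the missing Wasm module is reported as a warning rather than turning the policy into a silent bypass.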
Repro Steps
- Deploy an EnvoyExtensionPolicy with both extProc and wasm:

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
  name: test-policy
  namespace: inference
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: my-route
  extProc:
  - backendRefs:
    - name: my-extproc-service
      port: 9001
    failOpen: false
    messageTimeout: 5s
    processingMode:
      request:
        body: Buffered
      response: {}
  wasm:
  - name: response-logger
    rootID: response_logger_root
    failOpen: true # <-- This should allow graceful degradation
    code:
      type: Image
      image:
        pullSecretRef:
          name: docker-registry
        url: my-registry.example.com/wasm:nonexistent-tag # <-- Image doesn't exist
    config:
      sink_cluster: sink
```

- Check policy status:

```shell
kubectl get envoyextensionpolicy test-policy -o yaml
```

- Observe status shows Invalid / Accepted: False:

```yaml
status:
  ancestors:
  - ancestorRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: envoy
      namespace: envoyproxy-gateway-system
    conditions:
    - lastTransitionTime: '2026-01-08T01:15:00Z'
      message: >-
        Wasm: failed to get Wasm module
        oci://my-registry.example.com/wasm:nonexistent-tag
        after 10 attempts.
      reason: Invalid
      status: 'False'
      type: Accepted
```

- Check Envoy config - no extProc filters present for this route
- Send a request to the route - the request goes directly to the backend without ExtProc processing
Environment
- Envoy Gateway Version: v1.6.0
- Envoy Version: v1.36.4 (distroless)
- Kubernetes Version: 1.31
- WASM Code Type: OCI Image
Logs
Envoy Gateway Controller Logs:

```
2026-01-08T01:15:02.256Z ERROR wasm-cache wasm/httpserver.go:175 {"error": "failed to get Wasm module oci://my-registry.example.com/wasm:nonexistent-tag after 10 attempts"}
2026-01-08T01:15:02.256Z ERROR wasm-cache wasm/httpserver.go:175 {"error": "failed to get Wasm module oci://my-registry.example.com/wasm:nonexistent-tag after 10 attempts"}
```

Envoy Proxy Logs:

```
[warning][wasm] [source/extensions/common/wasm/wasm.cc:318] Wasm remote code fetch is unstable and may cause a crash
```
Impact
Security: Authentication and authorization logic in ExtProc is completely bypassed when WASM has any image availability issue. This could lead to unauthorized access to backend services.