---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
source_repo: https://github.com/istio/api
title: Wasm Plugin
description: Extend the functionality provided by the Istio proxy through WebAssembly filters.
location: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.extensions.v1alpha1.WasmPlugin
aliases: [/docs/reference/config/extensions/v1alpha1/wasm-plugin]
number_of_entries: 3
---
<h2 id="WasmPlugin">WasmPlugin</h2>
<section>
<p>WasmPlugins provides a mechanism to extend the functionality provided by
the Istio proxy through WebAssembly filters.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WasmPlugin-selector">
<td><code>selector</code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td>
<p>Criteria used to select the specific set of pods/VMs on which
this plugin configuration should be applied. If omitted, this
configuration will be applied to all workload instances in the same
namespace. If the <code>WasmPlugin</code> is present in the config root
namespace, it will be applied to all applicable workloads in any
namespace.</p>

</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-url">
<td><code>url</code></td>
<td><code>string</code></td>
<td>
<p>URL of a Wasm module or OCI container. If no scheme is present,
defaults to <code>oci://</code>, referencing an OCI image. Other valid schemes
are <code>file://</code> for referencing .wasm module files present locally
within the proxy container, and <code>http[s]://</code> for .wasm module files
hosted remotely.</p>

</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-sha256">
<td><code>sha256</code></td>
<td><code>string</code></td>
<td>
<p>SHA256 checksum that will be used to verify Wasm module or OCI container.
If the <code>url</code> field already references a SHA256 (using the <code>@sha256:</code>
notation), it must match the value of this field. If an OCI image is
referenced by tag and this field is set, its checksum will be verified
against the contents of this field after pulling.</p>

</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-image_pull_policy">
<td><code>imagePullPolicy</code></td>
<td><code><a href="#PullPolicy">PullPolicy</a></code></td>
<td>
<p>The pull behaviour to be applied when fetching an OCI image. Only
relevant when images are referenced by tag instead of SHA. Defaults
to IfNotPresent, except when an OCI image is referenced in the <code>url</code>
and the <code>latest</code> tag is used, in which case <code>Always</code> is the default,
mirroring K8s behaviour.
Setting is ignored if <code>url</code> field is referencing a Wasm module directly
using <code>file://</code> or <code>http[s]://</code></p>

</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-image_pull_secret">
<td><code>imagePullSecret</code></td>
<td><code>string</code></td>
<td>
<p>Credentials to use for OCI image pulling.
Name of a K8s Secret in the same namespace as the <code>WasmPlugin</code> that
contains a docker pull secret which is to be used to authenticate
against the registry when pulling the image.</p>

</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-verification_key">
<td><code>verificationKey</code></td>
<td><code>string</code></td>
<td>
<p>Public key that will be used to verify signatures of signed OCI images
or Wasm modules. Must be supplied in PEM format.</p>

</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-plugin_config">
<td><code>pluginConfig</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
<td>
<p>The configuration that will be passed on to the plugin.</p>

</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-plugin_name">
<td><code>pluginName</code></td>
<td><code>string</code></td>
<td>
<p>The plugin name to be used in the Envoy configuration (used to be called
<code>rootID</code>). Some .wasm modules might require this value to select the Wasm
plugin to execute.</p>

</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-phase">
<td><code>phase</code></td>
<td><code><a href="#PluginPhase">PluginPhase</a></code></td>
<td>
<p>Determines where in the filter chain this <code>WasmPlugin</code> is to be injected.</p>

</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-priority">
<td><code>priority</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int64value">Int64Value</a></code></td>
<td>
<p>Determines ordering of <code>WasmPlugins</code> in the same <code>phase</code>.
When multiple <code>WasmPlugins</code> are applied to the same workload in the
same <code>phase</code>, they will be applied by priority, in descending order.
If <code>priority</code> is not set, or two <code>WasmPlugins</code> exist with the same
value, the ordering will be deterministically derived from name and
namespace of the <code>WasmPlugins</code>. Defaults to <code>0</code>.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PluginPhase">PluginPhase</h2>
<section>
<p>The phase in the filter chain where the plugin will be injected.</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="PluginPhase-UNSPECIFIED_PHASE">
<td><code>UNSPECIFIED_PHASE</code></td>
<td>
<p>Control plane decides where to insert the plugin. This will generally
be at the end of the filter chain, right before the Router.
Do not specify <code>PluginPhase</code> if the plugin is independent of others.</p>

</td>
</tr>
<tr id="PluginPhase-AUTHN">
<td><code>AUTHN</code></td>
<td>
<p>Insert plugin before Istio authentication filters.</p>

</td>
</tr>
<tr id="PluginPhase-AUTHZ">
<td><code>AUTHZ</code></td>
<td>
<p>Insert plugin before Istio authorization filters and after Istio authentication filters.</p>

</td>
</tr>
<tr id="PluginPhase-STATS">
<td><code>STATS</code></td>
<td>
<p>Insert plugin before Istio stats filters and after Istio authorization filters.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PullPolicy">PullPolicy</h2>
<section>
<p>The pull behaviour to be applied when fetching an OCI image,
mirroring K8s behaviour.</p>

<p>buf:lint:ignore ENUM<em>VALUE</em>UPPER<em>SNAKE</em>CASE</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="PullPolicy-UNSPECIFIED_POLICY">
<td><code>UNSPECIFIED_POLICY</code></td>
<td>
<p>Defaults to IfNotPresent, except for OCI images with tag <code>latest</code>, for which
the default will be Always.</p>

</td>
</tr>
<tr id="PullPolicy-IfNotPresent">
<td><code>IfNotPresent</code></td>
<td>
<p>If an existing version of the image has been pulled before, that
will be used. If no version of the image is present locally, we
will pull the latest version.</p>

</td>
</tr>
<tr id="PullPolicy-Always">
<td><code>Always</code></td>
<td>
<p>We will always pull the latest version of an image when applying
this plugin.</p>

</td>
</tr>
</tbody>
</table>
</section>