Enable the classification banner
What you’ll accomplish
Section titled “What you’ll accomplish”After completing this guide, web applications exposed through the Istio service mesh will display a security classification banner at the top (and optionally the bottom) of the page. The banner color automatically corresponds to the standard classification markings.
Prerequisites
Section titled “Prerequisites”- UDS CLI installed
- Access to a Kubernetes cluster with UDS Core deployed
Before you begin
Section titled “Before you begin”The classification banner is injected into HTTP responses by an Istio EnvoyFilter on the gateway. Because it modifies the HTML response body, it works best with standard server-rendered web applications. Single-page applications or apps with non-standard content delivery may not render the banner correctly — validate in a staging environment before adopting.
For custom-built applications, implementing the banner natively within the application is often a more reliable approach.
-
Configure the banner text and footer
Set the classification level via bundle overrides. The footer banner is enabled by default (
addFooter: true) — include it in your overrides only if you need to disable it.uds-bundle.yaml packages:- name: corerepository: registry.defenseunicorns.com/public/coreref: x.x.x-upstreamoverrides:istio-controlplane:uds-global-istio-config:values:- path: classificationBanner.textvalue: "UNCLASSIFIED"Supported classification levels:
Value Banner color UNCLASSIFIEDGreen CUIPurple CONFIDENTIALBlue SECRETRed TOP SECRETOrange TOP SECRET//SCIYellow UNKNOWNBlack (default) -
Specify which hosts display the banner
The banner is opt-in per host. Add each hostname to the
enabledHostsarray:uds-bundle.yaml packages:- name: corerepository: registry.defenseunicorns.com/public/coreref: x.x.x-upstreamoverrides:istio-controlplane:uds-global-istio-config:values:- path: classificationBanner.textvalue: "UNCLASSIFIED"- path: classificationBanner.addFootervalue: true- path: classificationBanner.enabledHostsvalue:- keycloak.{{ .Values.adminDomain }}- sso.{{ .Values.domain }}- grafana.{{ .Values.adminDomain }} -
Create and deploy your bundle
Terminal window uds create <path-to-bundle-dir>uds deploy uds-bundle-<name>-<arch>-<version>.tar.zst
Verification
Section titled “Verification”Open one of the configured hosts in a browser. You should see a colored banner at the top of the page displaying the classification text. If addFooter is enabled, the same banner appears at the bottom.
Troubleshooting
Section titled “Troubleshooting”Problem: Banner not appearing on a host
Section titled “Problem: Banner not appearing on a host”Symptom: A configured host loads normally but no classification banner is displayed.
Solution: Verify the hostname is included in the enabledHosts array. The host must match exactly, including any subdomain prefixes. Check the deployed EnvoyFilter:
uds zarf tools kubectl get envoyfilter classification-banner -n istio-system -o yamlProblem: Banner breaks page layout or doesn’t render correctly
Section titled “Problem: Banner breaks page layout or doesn’t render correctly”Symptom: The banner HTML is injected but the page layout is disrupted or the banner is invisible.
Solution: This can happen with single-page applications or apps that manipulate the DOM after initial load. For these applications, consider implementing the classification banner natively within the application instead of relying on EnvoyFilter injection.
Related Documentation
Section titled “Related Documentation”- Astro UXDS Classification Markings — standard color and formatting reference
- Istio EnvoyFilter — how Istio modifies HTTP responses at the gateway