mirror of https://github.com/istio/istio.io.git
update release notes and authz task for a critical bug (#8543)
This commit is contained in:
parent
d470f572b7
commit
4c02c73112
|
@ -66,6 +66,14 @@ If a packet goes through an external proxy load balancer and/or kube-proxy, then
{{< tab name="TCP/UDP Proxy Load Balancer" category-value="proxy" >}}
|
||||
|
||||
{{< warning >}}
|
||||
A critical [bug](https://groups.google.com/g/envoy-security-announce/c/aqtBt5VUor0) has been identified in Envoy that the proxy protocol downstream address is restored incorrectly for non-HTTP connections.
|
||||
|
||||
Please DO NOT USE the `remoteIpBlocks` field and `remote_ip` attribute with proxy protocol on non-HTTP connections until a newer version of Istio is released with a proper fix.
|
||||
|
||||
Note that Istio doesn't support the proxy protocol and it can be enabled only with the `EnvoyFilter` API and should be used at your own risk.
|
||||
{{< /warning >}}
|
||||
|
||||
If you are using a TCP/UDP Proxy external load balancer (AWS Classic ELB), it can use the [Proxy Protocol](https://www.haproxy.com/blog/haproxy/proxy-protocol/) to embed the original client IP address in the packet data. Both the external load balancer and the Istio ingress gateway must support the proxy protocol for it to work. In Istio, you can enable it with an `EnvoyFilter` like below:
|
||||
|
||||
{{< text yaml >}}
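Review bot: the warning placed at the top of the "TCP/UDP Proxy Load Balancer" tab names the attribute `remote_ip`, while the release-notes text for the same feature calls it `remote.ip`; pick one spelling (the API name) so readers searching their policies find it. The same block says "Istio doesn't support the proxy protocol" and then the tab goes on to show how to enable it with an `EnvoyFilter`; "does not officially support" would state the intended caveat without contradicting the instructions that follow. Finally, "until a newer version of Istio is released with a proper fix" gives no version or tracking link; once a fixed release exists this warning will be stale with no way for readers to tell, so add the fixed version (or a link to where it will be announced) before merging.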
@ -82,6 +82,14 @@ default, can be disabled by `REQUIRE_3P_TOKEN` environment variable in Istiod, w
- **Added** `AuthorizationPolicy` now supports a `Source` of type `remoteIpBlocks`/`notRemoteIpBlocks` that map to a new `Condition` attribute called `remote.ip` that can also be used in the "when" clause. If using an http/https load balancer in front of the ingress gateway, the `remote.ip` attribute is set to the original client IP address determined by the `X-Forwarded-For` http header from the trusted proxy configured through the `numTrustedProxies` field of the `gatewayTopology` under the `meshConfig` when you install Istio or set it via an annotation on the ingress gateway. See the documentation here: [Configuring Gateway Network Topology](/docs/ops/configuration/traffic-management/network-topologies/). If using a TCP load balancer with the Proxy Protocol in front of the ingress gateway, the `remote.ip` is set to the original client IP address as given by the Proxy Protocol.
|
||||
([reference](/docs/reference/config/security/authorization-policy/))([usage](/docs/ops/configuration/traffic-management/network-topologies/))([usage](/docs/tasks/security/authorization/authz-ingress/)) ([Issue #22341](https://github.com/istio/istio/issues/22341))
|
||||
|
||||
{{< warning >}}
|
||||
A critical [bug](https://groups.google.com/g/envoy-security-announce/c/aqtBt5VUor0) has been identified in Envoy that the proxy protocol downstream address is restored incorrectly for non-HTTP connections.
|
||||
|
||||
Please DO NOT USE the `remoteIpBlocks` field and `remote_ip` attribute with proxy protocol on non-HTTP connections until a newer version of Istio is released with a proper fix.
|
||||
|
||||
Note that Istio doesn't support the proxy protocol and it can be enabled only with the `EnvoyFilter` API and should be used at your own risk.
|
||||
{{< /warning >}}
|
||||
|
||||
## Telemetry
|
||||
|
||||
- **Updated** the "Control Plane Dashboard" and the "Performance Dashboard" to use the `container_memory_working_set_bytes` metric
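Review bot: the bullet directly above documents the attribute as `remote.ip`, but the warning inserted under it refers to `remote_ip`; the two names should match. The warning should also spell out what the bug means for this feature: the bullet says `remote.ip` is set to the client address given by the Proxy Protocol, so if that address is restored incorrectly on non-HTTP connections, an `AuthorizationPolicy` using `remoteIpBlocks`/`notRemoteIpBlocks` evaluates against the wrong address, which is why the "DO NOT USE" instruction is needed; one sentence to that effect would make the severity clear. Sentence-level grammar: "A critical bug has been identified in Envoy that the proxy protocol downstream address is restored incorrectly" reads better as "in which the proxy protocol downstream address is restored incorrectly".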
@ -90,6 +90,14 @@ This timeout has been disabled by default. This has the following impacts:
## Update AuthorizationPolicy resources to use `remoteIpBlocks`/`notRemoteIpBlocks` instead of `ipBlocks`/`notIpBlocks` if using the Proxy Protocol
|
||||
|
||||
{{< warning >}}
|
||||
A critical [bug](https://groups.google.com/g/envoy-security-announce/c/aqtBt5VUor0) has been identified in Envoy that the proxy protocol downstream address is restored incorrectly for non-HTTP connections.
|
||||
|
||||
Please DO NOT USE the `remoteIpBlocks` field and `remote_ip` attribute with proxy protocol on non-HTTP connections until a newer version of Istio is released with a proper fix.
|
||||
|
||||
Note that Istio doesn't support the proxy protocol and it can be enabled only with the `EnvoyFilter` API and should be used at your own risk.
|
||||
{{< /warning >}}
|
||||
|
||||
If using the Proxy Protocol on a load balancer in front an ingress gateway in conjunction with `ipBlocks`/`notIpBlocks` on an AuthorizationPolicy to perform IP-based access control, then please update the AuthorizationPolicy to use `remoteIpBlocks`/`notRemoteIpBlocks` instead after upgrading. The `ipBlocks`/`notIpBlocks` fields now strictly refer to the source IP address of the packet that arrives at the sidecar.
|
||||
|
||||
## `AUTO_PASSTHROUGH` Gateway mode
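Review bot: this upgrade note now gives contradictory instructions to the very users it targets: the heading and the paragraph tell anyone using the Proxy Protocol in front of an ingress gateway to switch to `remoteIpBlocks`/`notRemoteIpBlocks` after upgrading, while the warning inserted between them tells them not to use `remoteIpBlocks` with the proxy protocol on non-HTTP connections until a fix ships. The paragraph should say explicitly what the non-HTTP (TCP) case is expected to do in the interim, or at least that the migration applies only once the fixed Istio version is available, and the warning should carry the same `remote.ip` spelling used elsewhere rather than `remote_ip`.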