Add content to the security doc around hardening based on a previousl… (#9095)

* Add content to the security doc around hardening based on a previously disclosed cve

* Fix indentation to what command prints out

* Run make gen
jacob-delgado 2021-05-15 04:09:23 -06:00 committed by GitHub
parent 62a65e3d23
commit 7ead79afb5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 101 additions and 38 deletions

View File

@ -0,0 +1,37 @@
---
---
1. Create a config map by downloading [custom-bootstrap-runtime.yaml](/news/security/istio-security-2020-007/custom-bootstrap-runtime.yaml). Update `global_downstream_max_connections` in the config map according to the number of concurrent connections needed by individual gateway instances in your deployment. Once the limit is reached, Envoy will start rejecting tcp connections.
{{< text bash >}}
$ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml
{{< /text >}}
1. Patch the ingress gateway deployment to use the above configuration. Download [gateway-patch.yaml](/news/security/istio-security-2020-007/gateway-patch.yaml) and apply it using the following command.
{{< text bash >}}
$ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)"
{{< /text >}}
1. Confirm that the new limits are in place.
{{< text bash >}}
$ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}")
$ kubectl --namespace istio-system exec -i -t "${ISTIO_INGRESS_PODNAME}" -c istio-proxy -- curl -sS http://localhost:15000/runtime
{
"entries": {
"overload.global_downstream_max_connections": {
"layer_values": [
"",
"250000",
""
],
"final_value": "250000"
}
},
"layers": [
"static_layer_0",
"admin"
]
}
{{< /text >}}
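Review bot: step 3 only inspects `.items[0]` of the `app=istio-ingressgateway` pods, so with more than one gateway replica the check verifies a single pod while the patch from step 2 rolls out to all of them; consider iterating over every pod name returned by the selector, or at least saying that the output shown is for one replica. Two smaller points in the same hunk: the sample output hard-codes `"final_value": "250000"`, which is only what a reader sees if `custom-bootstrap-runtime.yaml` is applied unchanged, so step 1 should state that the value they set for `global_downstream_max_connections` is what must appear in `final_value`; and `tcp` in step 1 should be written `TCP`.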

View File

@ -0,0 +1,54 @@
#!/bin/bash
# shellcheck disable=SC2034,SC2153,SC2155,SC2164
# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
####################################################################################################
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# boilerplates/cve-2020-007-configmap.md
####################################################################################################
bpsnip_cve_2020_007_configmap__1() {
kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml
}
bpsnip_cve_2020_007_configmap__2() {
kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)"
}
bpsnip_cve_2020_007_configmap__3() {
ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}")
kubectl --namespace istio-system exec -i -t "${ISTIO_INGRESS_PODNAME}" -c istio-proxy -- curl -sS http://localhost:15000/runtime
}
! read -r -d '' bpsnip_cve_2020_007_configmap__3_out <<\ENDSNIP
{
"entries": {
"overload.global_downstream_max_connections": {
"layer_values": [
"",
"250000",
""
],
"final_value": "250000"
}
},
"layers": [
"static_layer_0",
"admin"
]
}
ENDSNIP
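Review bot: `bpsnip_cve_2020_007_configmap__1` and `bpsnip_cve_2020_007_configmap__2` read `custom-bootstrap-runtime.yaml` and `gateway-patch.yaml` from the working directory, but the source markdown only links to those files rather than fetching them in a `{{< text bash >}}` block, so nothing generated here downloads them; if these snippets are executed by the doc test harness they will fail unless the test fetches the files first. Likewise `bpsnip_cve_2020_007_configmap__3_out` pins `"250000"`, so a comparison against live output only holds for an unmodified config map. Since the header marks this file as generated by `make gen`, the fix belongs in `boilerplates/cve-2020-007-configmap.md` (either a download command in a text block, or marking the snippets as not runnable), not in this file.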

View File

@ -443,4 +443,10 @@ To determine if your cluster supports third party tokens, look for the `TokenReq
}
{{< /text >}}
While most cloud providers support this feature now, many local development tools and custom installations may not prior to Kubernetes 1.20. To enable this feature, please refer to the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection).
While most cloud providers support this feature now, many local development tools and custom installations may not prior to Kubernetes 1.20. To enable this feature, please refer to the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection).
## Configure a limit on downstream connections
By default, Istio (and Envoy) have no limit on the number of downstream connections. This can be exploited by a malicious actor (see [security bulletin 2020-007](/news/security/istio-security-2020-007/)). To work around you this, you must configure an appropriate connection limit for your environment.
{{< boilerplate cve-2020-007-configmap >}}
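Review bot: typo in the new paragraph: `To work around you this` should read `To work around this`. `Istio (and Envoy) have no limit` also pairs a singular subject with a plural verb; `Istio and Envoy have no limit` reads better. More substantively, the included boilerplate patches only the `istio-ingressgateway` deployment, while the paragraph tells the reader to configure a limit `for your environment`; it would help to say explicitly that any other gateway deployments are not covered by these steps and remain at the unlimited default unless the same patch is applied to them.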

View File

@ -11,6 +11,8 @@ keywords: [CVE]
skip_seealso: true
---
CVE-2020-8663 is addressed in Envoy by adding a configurable limit on [downstream connections](https://www.envoyproxy.io/docs/envoy/v1.14.3/configuration/operations/overload_manager/overload_manager#limiting-active-connections). The limit must be configured to mitigate this vulnerability. Perform the following steps to configure limits at the ingress gateway.
{{< security_bulletin >}}
Envoy, and subsequently Istio, are vulnerable to four newly discovered vulnerabilities:
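Review bot: the paragraph beginning `CVE-2020-8663 is addressed in Envoy` now sits directly after the front matter and before `{{< security_bulletin >}}`, while the identical sentence is among the lines removed from the body in the next hunk; if this is a move, the mitigation text ends up above the bulletin header instead of next to the warning that the extra steps are required. Consider keeping that sentence (with its link to the Envoy overload manager documentation) in the boilerplate, ahead of the numbered steps, so it renders in both the bulletin and the security doc.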
@ -40,42 +42,6 @@ An attacker could cause increased memory usage when processing specially crafted
You must take the following additional steps to mitigate CVE-2020-8663.
{{< /warning >}}
CVE-2020-8663 is addressed in Envoy by adding a configurable limit on [downstream connections](https://www.envoyproxy.io/docs/envoy/v1.14.3/configuration/operations/overload_manager/overload_manager#limiting-active-connections). The limit must be configured to mitigate this vulnerability. Perform the following steps to configure limits at the ingress gateway.
1. Create a config map by downloading [custom-bootstrap-runtime.yaml](/news/security/istio-security-2020-007/custom-bootstrap-runtime.yaml). Update `global_downstream_max_connections` in the config map according to the number of concurrent connections needed by individual gateway instances in your deployment. Once the limit is reached, Envoy will start rejecting tcp connections.
{{< text bash >}}
$ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml
{{< /text >}}
1. Patch the ingress gateway deployment to use the above configuration. Download [gateway-patch.yaml](/news/security/istio-security-2020-007/gateway-patch.yaml) and apply it using the following command.
{{< text bash >}}
$ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)"
{{< /text >}}
1. Confirm that the new limits are in place.
{{< text bash >}}
$ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}")
$ kubectl --namespace istio-system exec -i -t ${ISTIO_INGRESS_PODNAME} -c istio-proxy -- curl -sS http://localhost:15000/runtime
{
"entries": {
"overload.global_downstream_max_connections": {
"layer_values": [
"",
"250000",
""
],
"final_value": "250000"
}
},
"layers": [
"static_layer_0",
"admin"
]
}
{{< /text >}}
{{< boilerplate cve-2020-007-configmap >}}
{{< boilerplate "security-vulnerability" >}}
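Review bot: the removed block included the introductory sentence `CVE-2020-8663 is addressed in Envoy by adding a configurable limit ... Perform the following steps to configure limits at the ingress gateway.`, but the boilerplate that replaces it starts directly with `1. Create a config map`; unless that sentence survives elsewhere, readers of the security doc that now includes the same boilerplate get the steps without the explanation of what the limit is or the link to Envoy's overload manager docs. Suggest putting that sentence at the top of `boilerplates/cve-2020-007-configmap.md`. One positive in this hunk: the removed command used an unquoted `${ISTIO_INGRESS_PODNAME}` while the boilerplate quotes it, which is the right direction.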