From 7ead79afb5084f803548c941c7da9019a96f5454 Mon Sep 17 00:00:00 2001 From: jacob-delgado Date: Sat, 15 May 2021 04:09:23 -0600 Subject: [PATCH] =?UTF-8?q?Add=20content=20to=20the=20security=20doc=20aro?= =?UTF-8?q?und=20hardening=20based=20on=20a=20previousl=E2=80=A6=20(#9095)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add content to the security doc around hardening based on a previously disclosed cve * Fix indentation to what command prints out * Run make gen --- .../en/boilerplates/cve-2020-007-configmap.md | 37 +++++++++++++ .../snips/cve-2020-007-configmap.sh | 54 +++++++++++++++++++ .../docs/ops/best-practices/security/index.md | 8 ++- .../security/istio-security-2020-007/index.md | 40 ++------------ 4 files changed, 101 insertions(+), 38 deletions(-) create mode 100644 content/en/boilerplates/cve-2020-007-configmap.md create mode 100644 content/en/boilerplates/snips/cve-2020-007-configmap.sh diff --git a/content/en/boilerplates/cve-2020-007-configmap.md b/content/en/boilerplates/cve-2020-007-configmap.md new file mode 100644 index 0000000000..47e2ba3989 --- /dev/null +++ b/content/en/boilerplates/cve-2020-007-configmap.md 
@@ -0,0 +1,37 @@ +--- +--- +1. Create a config map by downloading [custom-bootstrap-runtime.yaml](/news/security/istio-security-2020-007/custom-bootstrap-runtime.yaml). Update `global_downstream_max_connections` in the config map according to the number of concurrent connections needed by individual gateway instances in your deployment. Once the limit is reached, Envoy will start rejecting tcp connections. + + {{< text bash >}} + $ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml + {{< /text >}} + +1. Patch the ingress gateway deployment to use the above configuration. Download [gateway-patch.yaml](/news/security/istio-security-2020-007/gateway-patch.yaml) and apply it using the following command. + + {{< text bash >}} + $ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)" + {{< /text >}} + +1. Confirm that the new limits are in place. + + {{< text bash >}} + $ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}") + $ kubectl --namespace istio-system exec -i -t "${ISTIO_INGRESS_PODNAME}" -c istio-proxy -- curl -sS http://localhost:15000/runtime + + { + "entries": { + "overload.global_downstream_max_connections": { + "layer_values": [ + "", + "250000", + "" + ], + "final_value": "250000" + } + }, + "layers": [ + "static_layer_0", + "admin" + ] + } + {{< /text >}} diff --git a/content/en/boilerplates/snips/cve-2020-007-configmap.sh b/content/en/boilerplates/snips/cve-2020-007-configmap.sh new file mode 100644 index 0000000000..072faa4ab5 --- /dev/null +++ b/content/en/boilerplates/snips/cve-2020-007-configmap.sh 
@@ -0,0 +1,54 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# boilerplates/cve-2020-007-configmap.md +#################################################################################################### + +bpsnip_cve_2020_007_configmap__1() { +kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml +} + +bpsnip_cve_2020_007_configmap__2() { +kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)" +} + +bpsnip_cve_2020_007_configmap__3() { +ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}") +kubectl --namespace istio-system exec -i -t "${ISTIO_INGRESS_PODNAME}" -c istio-proxy -- curl -sS http://localhost:15000/runtime +} + +! read -r -d '' bpsnip_cve_2020_007_configmap__3_out <<\ENDSNIP + +{ + "entries": { + "overload.global_downstream_max_connections": { + "layer_values": [ + "", + "250000", + "" + ], + "final_value": "250000" + } + }, + "layers": [ + "static_layer_0", + "admin" + ] +} +ENDSNIP 
diff --git a/content/en/docs/ops/best-practices/security/index.md b/content/en/docs/ops/best-practices/security/index.md index b5d2ff6185..f4e7bb3599 100644 --- a/content/en/docs/ops/best-practices/security/index.md +++ b/content/en/docs/ops/best-practices/security/index.md @@ -443,4 +443,10 @@ To determine if your cluster supports third party tokens, look for the `TokenReq } {{< /text >}} -While most cloud providers support this feature now, many local development tools and custom installations may not prior to Kubernetes 1.20. To enable this feature, please refer to the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection). \ No newline at end of file +While most cloud providers support this feature now, many local development tools and custom installations may not prior to Kubernetes 1.20. To enable this feature, please refer to the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection). + +## Configure a limit on downstream connections + +By default, Istio (and Envoy) have no limit on the number of downstream connections. This can be exploited by a malicious actor (see [security bulletin 2020-007](/news/security/istio-security-2020-007/)). To work around you this, you must configure an appropriate connection limit for your environment. + +{{< boilerplate cve-2020-007-configmap >}} diff --git a/content/en/news/security/istio-security-2020-007/index.md b/content/en/news/security/istio-security-2020-007/index.md index a7a8070bf6..8ef13065da 100644 --- a/content/en/news/security/istio-security-2020-007/index.md +++ b/content/en/news/security/istio-security-2020-007/index.md 
@@ -11,6 +11,8 @@ keywords: [CVE] skip_seealso: true --- +CVE-2020-8663 is addressed in Envoy by adding a configurable limit on [downstream connections](https://www.envoyproxy.io/docs/envoy/v1.14.3/configuration/operations/overload_manager/overload_manager#limiting-active-connections). The limit must be configured to mitigate this vulnerability. Perform the following steps to configure limits at the ingress gateway. + {{< security_bulletin >}} Envoy, and subsequently Istio, are vulnerable to four newly discovered vulnerabilities: 
@@ -40,42 +42,6 @@ An attacker could cause increased memory usage when processing specially crafted You must take the following additional steps to mitigate CVE-2020-8663. {{< /warning >}} -CVE-2020-8663 is addressed in Envoy by adding a configurable limit on [downstream connections](https://www.envoyproxy.io/docs/envoy/v1.14.3/configuration/operations/overload_manager/overload_manager#limiting-active-connections). The limit must be configured to mitigate this vulnerability. Perform the following steps to configure limits at the ingress gateway. - -1. Create a config map by downloading [custom-bootstrap-runtime.yaml](/news/security/istio-security-2020-007/custom-bootstrap-runtime.yaml). Update `global_downstream_max_connections` in the config map according to the number of concurrent connections needed by individual gateway instances in your deployment. Once the limit is reached, Envoy will start rejecting tcp connections. - - {{< text bash >}} - $ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml - {{< /text >}} - -1. Patch the ingress gateway deployment to use the above configuration. Download [gateway-patch.yaml](/news/security/istio-security-2020-007/gateway-patch.yaml) and apply it using the following command. - - {{< text bash >}} - $ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)" - {{< /text >}} - -1. Confirm that the new limits are in place. 
- - {{< text bash >}} - $ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}") - $ kubectl --namespace istio-system exec -i -t ${ISTIO_INGRESS_PODNAME} -c istio-proxy -- curl -sS http://localhost:15000/runtime - - { - "entries": { - "overload.global_downstream_max_connections": { - "layer_values": [ - "", - "250000", - "" - ], - "final_value": "250000" - } - }, - "layers": [ - "static_layer_0", - "admin" - ] - } - {{< /text >}} +{{< boilerplate cve-2020-007-configmap >}} {{< boilerplate "security-vulnerability" >}}
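Review bot: In the new boilerplate `content/en/boilerplates/cve-2020-007-configmap.md`, the first list item writes "rejecting tcp connections"; the protocol name should be "TCP". The same item is now rendered on the best-practices page as well as in the bulletin, so the reference to "individual gateway instances" and the 250000 sample value in the verification output should stay consistent with whatever value `custom-bootstrap-runtime.yaml` ships with, since readers of the hardening page will compare the two.

Review bot: `content/en/boilerplates/snips/cve-2020-007-configmap.sh` is generated from the markdown (the header says so, and the commit message records `make gen`), and its quoting of `"${ISTIO_INGRESS_PODNAME}"` matches the boilerplate, so nothing to change here; any wording fix to the markdown above needs a re-run of `make gen` so this file does not drift.

Review bot: In `content/en/docs/ops/best-practices/security/index.md`, the added paragraph has a typo: "To work around you this" should read "To work around this" (or "To mitigate this"). The new section also loses the context that stayed in the bulletin ("Perform the following steps to configure limits at the ingress gateway"): a reader of the hardening page is told to create a config map and patch `istio-ingressgateway` without being told that these steps cover the ingress gateway deployment only, so add a sentence to that effect before `{{< boilerplate cve-2020-007-configmap >}}`. Minor: "Istio (and Envoy) have no limit" reads better as "has no limit" with the parenthetical.

Review bot: In the first hunk of `content/en/news/security/istio-security-2020-007/index.md`, the moved paragraph now sits above `{{< security_bulletin >}}` and the vulnerability summary, and its last sentence, "Perform the following steps to configure limits at the ingress gateway.", no longer has the steps next to it; they are included about thirty lines later, after the warning block. Suggest keeping this paragraph where the removed `-CVE-2020-8663 is addressed in Envoy ...` line was, directly above the `{{< boilerplate cve-2020-007-configmap >}}` include in the second hunk, so the intro and the steps stay together.

Review bot: The second hunk of the bulletin is a straight replacement of the inline steps with the boilerplate include; the one behavioural difference is that the old verification command used an unquoted `${ISTIO_INGRESS_PODNAME}` while the boilerplate quotes it, which is the safer form and worth keeping.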