Automator: update istio.io@ reference docs (#16258)

Istio Automation 2025-02-19 21:13:50 -05:00 committed by GitHub
parent 01b9b546ee
commit 9997707482
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 38 additions and 0 deletions


@ -3819,6 +3819,11 @@ The default output is serialized YAML, which can be piped into 'kubectl appl
<td>The labels to apply to the workload instances; e.g. -l env=prod,vers=2 (default `[]`)</td>
</tr>
<tr>
<td><code>--locality &lt;string&gt;</code></td>
<td></td>
<td>The locality associated with the endpoint. (default ``)</td>
</tr>
<tr>
<td><code>--name &lt;string&gt;</code></td>
<td></td>
<td>The name of the workload group (default ``)</td>
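Review bot: The new --locality row, "The locality associated with the endpoint.", gives no hint of the expected value format, while the labels row directly above it shows one ("e.g. -l env=prod,vers=2"). Suggest adding an example value to the description in the same way, and saying what happens when the flag is left at its empty default.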


@ -4423,6 +4423,20 @@ inside a mesh and how to route to endpoints in each network. For example</p>
port: 15443
locality: us-east-1a
</code></pre>
<p>If <code>ENABLE_HCM_INTERNAL_NETWORKS</code> is set to true, MeshNetworks can be used to
to explicitly define the networks in Envoy&rsquo;s internal address configuration.
Envoy uses the IPs in the <code>internalAddressConfig</code> to decide whether or not to sanitize
Envoy headers. If the IP address is listed an internal, the Envoy headers are not
sanitized. As of Envoy 1.33, the default value for <code>internalAddressConfig</code> is set to
an empty set. Previously, the default value was the set of all private IPs. Setting
the <code>internalAddressConfig</code> to all private IPs (via Envoy&rsquo;s previous default behavior
or via the MeshNetworks) will leave users with an Istio Ingress Gateway potentially
vulnerable to <code>x-envoy</code> header manipulation by external sources. More information about
this vulnerability can be found here:
<a href="https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf">https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf</a>
To preserve headers, you must explicitly configure MeshNetworks and set
<code>ENABLE_HCM_INTERNAL_NETWORKS</code> to true. Envoy&rsquo;s <code>internalAddressConfig</code> will be set to
the endpointed specified by <code>fromCidr</code>.</p>
<table class="message-fields">
<thead>
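Review bot: The closing sentence "To preserve headers, you must explicitly configure MeshNetworks and set ENABLE_HCM_INTERNAL_NETWORKS to true" explains how to get header preservation back but not which ranges are safe to list. The same paragraph says that treating all private IPs as internal leaves an Istio Ingress Gateway potentially vulnerable to x-envoy header manipulation by external sources, so the text should state that fromCidr is meant to cover only ranges whose senders are trusted to set x-envoy headers. The advisory link also runs straight into "To preserve headers" with no sentence break; end the sentence after the link.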


@ -3819,6 +3819,11 @@ The default output is serialized YAML, which can be piped into &#39;kubectl appl
<td>The labels to apply to the workload instances; e.g. -l env=prod,vers=2 (default `[]`)</td>
</tr>
<tr>
<td><code>--locality &lt;string&gt;</code></td>
<td></td>
<td>The locality associated with the endpoint. (default ``)</td>
</tr>
<tr>
<td><code>--name &lt;string&gt;</code></td>
<td></td>
<td>The name of the workload group (default ``)</td>


@ -4423,6 +4423,20 @@ inside a mesh and how to route to endpoints in each network. For example</p>
port: 15443
locality: us-east-1a
</code></pre>
<p>If <code>ENABLE_HCM_INTERNAL_NETWORKS</code> is set to true, MeshNetworks can be used to
to explicitly define the networks in Envoy&rsquo;s internal address configuration.
Envoy uses the IPs in the <code>internalAddressConfig</code> to decide whether or not to sanitize
Envoy headers. If the IP address is listed an internal, the Envoy headers are not
sanitized. As of Envoy 1.33, the default value for <code>internalAddressConfig</code> is set to
an empty set. Previously, the default value was the set of all private IPs. Setting
the <code>internalAddressConfig</code> to all private IPs (via Envoy&rsquo;s previous default behavior
or via the MeshNetworks) will leave users with an Istio Ingress Gateway potentially
vulnerable to <code>x-envoy</code> header manipulation by external sources. More information about
this vulnerability can be found here:
<a href="https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf">https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf</a>
To preserve headers, you must explicitly configure MeshNetworks and set
<code>ENABLE_HCM_INTERNAL_NETWORKS</code> to true. Envoy&rsquo;s <code>internalAddressConfig</code> will be set to
the endpointed specified by <code>fromCidr</code>.</p>
<table class="message-fields">
<thead>
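Review bot: Three wording errors in the added paragraph: "can be used to" followed by "to explicitly define" repeats "to" across the line break, "listed an internal" should read "listed as internal", and "the endpointed specified by fromCidr" looks like it should be "the endpoints specified by fromCidr". The identical paragraph appears in more than one of the changed files in this automator commit, so the correction belongs in the source these reference docs are generated from rather than in the generated HTML.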