Clarify relationship btw MeshNetworks and ENABLE_HCM_INTERNAL_NET (#3433

) * Clarify relationship btw MeshNetworks and ENABLE_HCM_INTERNAL_NET Add comments explaining the ability to use MeshNetworks to configure Envoy's internal_address_config via ENABLE_HCM_INTERNAL_NETWORK Signed-off-by: Jackie Elliott <[email protected]> * Add release note Signed-off-by: Jackie Elliott <[email protected]> * Clarify security implications of enabling HCM internal networks and configuring MeshNetworks. Signed-off-by: Jackie Elliott <[email protected]> --------- Signed-off-by: Jackie Elliott <[email protected]>
istio · Feb 19, 2025 · f4ae20b · f4ae20b
1 parent 391fae2
commit f4ae20b
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 0 deletions.
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
diff --git a/mesh/v1alpha1/network.pb.go b/mesh/v1alpha1/network.pb.go
diff --git a/mesh/v1alpha1/network.proto b/mesh/v1alpha1/network.proto
@@ -114,6 +114,21 @@ message Network {
 //       locality: us-east-1a
 // ```
 //
+// If `ENABLE_HCM_INTERNAL_NETWORKS` is set to true, MeshNetworks can be used to
+// to explicitly define the networks in Envoy's internal address configuration.
+// Envoy uses the IPs in the `internalAddressConfig` to decide whether or not to sanitize
+// Envoy headers. If the IP address is listed an internal, the Envoy headers are not
+// sanitized. As of Envoy 1.33, the default value for `internalAddressConfig` is set to
+// an empty set. Previously, the default value was the set of all private IPs. Setting
+// the `internalAddressConfig` to all private IPs (via Envoy's previous default behavior
+// or via the MeshNetworks) will leave users with an Istio Ingress Gateway potentially
+// vulnerable to `x-envoy` header manipulation by external sources. More information about
+// this vulnerability can be found here:
+// https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf
+// To preserve headers, you must explicitly configure MeshNetworks and set
+// `ENABLE_HCM_INTERNAL_NETWORKS` to true. Envoy's `internalAddressConfig` will be set to
+// the endpointed specified by `fromCidr`.
+//
 message MeshNetworks {
   // The set of networks inside this mesh. Each network should
   // have a unique name and information about how to infer the endpoints in

diff --git a/releasenotes/notes/mesh-network-internal-addr-config.yaml b/releasenotes/notes/mesh-network-internal-addr-config.yaml
@@ -0,0 +1,16 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: documentation
+issue:
+  - https://github.com/istio/istio/issues/53402
+
+releaseNotes:
+  - |
+    **Fixed** documentation for using MeshNetworks to configure envoy internal address configuration
+    when ENABLE_HCM_INTERNAL_NETWORKS is set to true. As of Envoy 1.33, the default value for
+    internalAddressConfig is set to an empty set. Previously, the default value was the set of all
+    private IPs. To preserve Envoy headers, you must explicitly configure MeshNetworks
+    or revert to Envoy's prior behavior by setting envoy.reloadable_features.explicit_internal_address_config
+    to false. Setting MeshNetworks to all private IPs or reverting to Envoy's previous behavior will leave
+    users with an Istio Ingress Gateway potentially vulnerable to x-envoy header manipulation by external
+    sources. More information about this vulnerability can be found here: https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf