From 2ba239e68d0db1b8a0274d778d9bfd99bb34d4df Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Thu, 6 Feb 2025 16:04:49 +0000
Subject: [PATCH 1/3] Clarify relationship btw MeshNetworks and ENABLE_HCM_INTERNAL_NET
Add comments explaining the ability to use MeshNetworks to configure Envoy's internal_address_config via ENABLE_HCM_INTERNAL_NETWORK
Signed-off-by: Jackie Elliott
---
 mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 2 ++
 mesh/v1alpha1/network.pb.go | 3 +++
 mesh/v1alpha1/network.proto | 3 +++
 3 files changed, 8 insertions(+)
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
index 968b40a2fb..6776bbdf85 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
@@ -3746,6 +3746,8 @@

ProxyConfig

metadataExchangeHeaders: mode: IN_MESH +

If ENABLE_HCM_INTERNAL_NETWORKS is set to true, MeshNetworks can be used to +to explicitly define the networks in Envoy’s internal address configuration.

diff --git a/mesh/v1alpha1/network.pb.go b/mesh/v1alpha1/network.pb.go
index da259a63b0..fb31fcf238 100644
--- a/mesh/v1alpha1/network.pb.go
+++ b/mesh/v1alpha1/network.pb.go
@@ -117,6 +117,9 @@ func (x *Network) GetGateways() []*Network_IstioNetworkGateway {
 // locality: us-east-1a
 //
 // ```
+//
+// If `ENABLE_HCM_INTERNAL_NETWORKS` is set to true, MeshNetworks can be used to
+// to explicitly define the networks in Envoy's internal address configuration.
 type MeshNetworks struct {
 state protoimpl.MessageState `protogen:"open.v1"`
 // The set of networks inside this mesh. Each network should
diff --git a/mesh/v1alpha1/network.proto b/mesh/v1alpha1/network.proto
index 26083d5ed4..1bdc915f79 100644
--- a/mesh/v1alpha1/network.proto
+++ b/mesh/v1alpha1/network.proto
@@ -114,6 +114,9 @@ message Network {
 // locality: us-east-1a
 // ```
 //
+// If `ENABLE_HCM_INTERNAL_NETWORKS` is set to true, MeshNetworks can be used to
+// to explicitly define the networks in Envoy's internal address configuration.
+//
 message MeshNetworks {
 // The set of networks inside this mesh. Each network should
 // have a unique name and information about how to infer the endpoints in
From 4768139bb2b0143b406fe3b55e1c079c330be15e Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Thu, 6 Feb 2025 18:08:35 +0000
Subject: [PATCH 2/3] Add release note
Signed-off-by: Jackie Elliott
---
 mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 4 ++--
 .../notes/mesh-network-internal-addr-config.yaml | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/mesh-network-internal-addr-config.yaml
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
index 6776bbdf85..a6c7cfef6b 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
@@ -3746,8 +3746,6 @@
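Review bot: The comment added above `message MeshNetworks` carries a duplicated word across its line break, `can be used to` followed by `to explicitly define`; the second added line should start `explicitly define the networks in Envoy's internal address configuration.` The same sentence is copied into network.pb.go and istio.mesh.v1alpha1.pb.html in this commit, which are presumably generated from this proto, so the fix belongs here and the other two follow on regeneration. `message MeshNetworks` itself begins at the end of the hunk and its body continues outside it.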

ProxyConfig

metadataExchangeHeaders: mode: IN_MESH -

If ENABLE_HCM_INTERNAL_NETWORKS is set to true, MeshNetworks can be used to -to explicitly define the networks in Envoy’s internal address configuration.

@@ -4423,6 +4421,8 @@

MeshNetworks

port: 15443 locality: us-east-1a +

If ENABLE_HCM_INTERNAL_NETWORKS is set to true, MeshNetworks can be used to +to explicitly define the networks in Envoy’s internal address configuration.

diff --git a/releasenotes/notes/mesh-network-internal-addr-config.yaml b/releasenotes/notes/mesh-network-internal-addr-config.yaml
new file mode 100644
index 0000000000..71d0e4900c
--- /dev/null
+++ b/releasenotes/notes/mesh-network-internal-addr-config.yaml
@@ -0,0 +1,10 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: documentation
+issue:
+ - https://github.com/istio/istio/issues/53402
+
+releaseNotes:
+ - |
+ **Fixed** documentation for using MeshNetworks to configure envoy internal address configuration
+ when ENABLE_HCM_INTERNAL_NETWORKS is set to true.
From 3a5c67fe4ac717e6d0f1a412ad25c79b592cb899 Mon Sep 17 00:00:00 2001
From: Jackie Elliott
Date: Thu, 6 Feb 2025 19:46:01 +0000
Subject: [PATCH 3/3] Clarify security implications of enabling HCM internal networks and configuring MeshNetworks.
Signed-off-by: Jackie Elliott
---
 mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 14 +++++++++++++-
 mesh/v1alpha1/network.pb.go | 12 ++++++++++++
 mesh/v1alpha1/network.proto | 12 ++++++++++++
 .../notes/mesh-network-internal-addr-config.yaml | 8 +++++++-
 4 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
index a6c7cfef6b..0c442fe3cf 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
@@ -4422,7 +4422,19 @@

MeshNetworks

locality: us-east-1a

If ENABLE_HCM_INTERNAL_NETWORKS is set to true, MeshNetworks can be used to -to explicitly define the networks in Envoy’s internal address configuration.

+to explicitly define the networks in Envoy’s internal address configuration. +Envoy uses the IPs in the internalAddressConfig to decide whether or not to sanitize +Envoy headers. If the IP address is listed an internal, the Envoy headers are not +sanitized. As of Envoy 1.33, the default value for internalAddressConfig is set to +an empty set. Previously, the default value was the set of all private IPs. Setting +the internalAddressConfig to all private IPs (via Envoy’s previous default behavior +or via the MeshNetworks) will leave users with an Istio Ingress Gateway potentially +vulnerable to x-envoy header manipulation by external sources. More information about +this vulnerability can be found here: +https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf +To preserve headers, you must explicitly configure MeshNetworks and set +ENABLE_HCM_INTERNAL_NETWORKS to true. Envoy’s internalAddressConfig will be set to +the endpointed specified by fromCidr.

diff --git a/mesh/v1alpha1/network.pb.go b/mesh/v1alpha1/network.pb.go
index fb31fcf238..5c65c44234 100644
--- a/mesh/v1alpha1/network.pb.go
+++ b/mesh/v1alpha1/network.pb.go
@@ -120,6 +120,18 @@ func (x *Network) GetGateways() []*Network_IstioNetworkGateway {
 //
 // If `ENABLE_HCM_INTERNAL_NETWORKS` is set to true, MeshNetworks can be used to
 // to explicitly define the networks in Envoy's internal address configuration.
+// Envoy uses the IPs in the `internalAddressConfig` to decide whether or not to sanitize
+// Envoy headers. If the IP address is listed an internal, the Envoy headers are not
+// sanitized. As of Envoy 1.33, the default value for `internalAddressConfig` is set to
+// an empty set. Previously, the default value was the set of all private IPs. Setting
+// the `internalAddressConfig` to all private IPs (via Envoy's previous default behavior
+// or via the MeshNetworks) will leave users with an Istio Ingress Gateway potentially
+// vulnerable to `x-envoy` header manipulation by external sources. More information about
+// this vulnerability can be found here:
+// https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf
+// To preserve headers, you must explicitly configure MeshNetworks and set
+// `ENABLE_HCM_INTERNAL_NETWORKS` to true. Envoy's `internalAddressConfig` will be set to
+// the endpointed specified by `fromCidr`.
 type MeshNetworks struct {
 state protoimpl.MessageState `protogen:"open.v1"`
 // The set of networks inside this mesh. Each network should
diff --git a/mesh/v1alpha1/network.proto b/mesh/v1alpha1/network.proto
index 1bdc915f79..1dfafa7e49 100644
--- a/mesh/v1alpha1/network.proto
+++ b/mesh/v1alpha1/network.proto
@@ -116,6 +116,18 @@ message Network {
 //
 // If `ENABLE_HCM_INTERNAL_NETWORKS` is set to true, MeshNetworks can be used to
 // to explicitly define the networks in Envoy's internal address configuration.
+// Envoy uses the IPs in the `internalAddressConfig` to decide whether or not to sanitize
+// Envoy headers. If the IP address is listed an internal, the Envoy headers are not
+// sanitized. As of Envoy 1.33, the default value for `internalAddressConfig` is set to
+// an empty set. Previously, the default value was the set of all private IPs. Setting
+// the `internalAddressConfig` to all private IPs (via Envoy's previous default behavior
+// or via the MeshNetworks) will leave users with an Istio Ingress Gateway potentially
+// vulnerable to `x-envoy` header manipulation by external sources. More information about
+// this vulnerability can be found here:
+// https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf
+// To preserve headers, you must explicitly configure MeshNetworks and set
+// `ENABLE_HCM_INTERNAL_NETWORKS` to true. Envoy's `internalAddressConfig` will be set to
+// the endpointed specified by `fromCidr`.
 //
 message MeshNetworks {
 // The set of networks inside this mesh. Each network should
diff --git a/releasenotes/notes/mesh-network-internal-addr-config.yaml b/releasenotes/notes/mesh-network-internal-addr-config.yaml
index 71d0e4900c..eb24cad69b 100644
--- a/releasenotes/notes/mesh-network-internal-addr-config.yaml
+++ b/releasenotes/notes/mesh-network-internal-addr-config.yaml
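Review bot: Two wording defects in the added lines: `If the IP address is listed an internal` should read `listed as internal`, and `will be set to the endpointed specified by fromCidr` should read `will be set to the CIDR ranges specified by fromCidr`. The guidance would be more actionable if it spelled out the consequence the operator must act on, e.g. append `Only include ranges in fromCidr whose senders you trust: addresses inside these ranges keep their x-envoy headers unsanitized, so a range that external traffic can appear to originate from (for instance behind an upstream load balancer or NAT that rewrites the source address) reintroduces the issue described in the advisory.` The release note in this same commit additionally documents reverting via `envoy.reloadable_features.explicit_internal_address_config`, which this comment omits; the two texts should agree on the available options and on which one is recommended. The same paragraph is duplicated into network.pb.go and istio.mesh.v1alpha1.pb.html, presumably generated from this proto, so the fix belongs here. `message MeshNetworks` begins at the end of the hunk and its body continues outside it.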
@@ -7,4 +7,10 @@ issue:
 releaseNotes:
 - |
 **Fixed** documentation for using MeshNetworks to configure envoy internal address configuration
- when ENABLE_HCM_INTERNAL_NETWORKS is set to true.
+ when ENABLE_HCM_INTERNAL_NETWORKS is set to true. As of Envoy 1.33, the default value for
+ internalAddressConfig is set to an empty set. Previously, the default value was the set of all
+ private IPs. To preserve Envoy headers, you must explicitly configure MeshNetworks
+ or revert to Envoy's prior behavior by setting envoy.reloadable_features.explicit_internal_address_config
+ to false. Setting MeshNetworks to all private IPs or reverting to Envoy's previous behavior will leave
+ users with an Istio Ingress Gateway potentially vulnerable to x-envoy header manipulation by external
+ sources. More information about this vulnerability can be found here: https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf