From 247397dcd2534bdf108278fb577075f150c7f550 Mon Sep 17 00:00:00 2001 From: Blake Covarrubias Date: Fri, 13 Aug 2021 10:05:29 -0700 Subject: [PATCH] Document possible risk w.r.t exposing the admin API in Envoy (#10817) Add a section to the Connect Security page which highlights the risks of exposing Envoy's administration interface outside of localhost. Resolves #5692 Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> Co-authored-by: Kent 'picat' Gruber --- website/content/docs/connect/security.mdx | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/website/content/docs/connect/security.mdx b/website/content/docs/connect/security.mdx index 685160c0d..1c9385811 100644 --- a/website/content/docs/connect/security.mdx +++ b/website/content/docs/connect/security.mdx @@ -97,3 +97,22 @@ using a local Connect proxy. This is documented in the **If non-proxy traffic can communicate with the service**, this traffic will not be encrypted or authorized via Connect. + +### Restrict Access to Envoy's Administration Interface + +Envoy exposes an **unauthenticated** +[administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin) +that can be used to query and modify the proxy. This interface +allows potentially sensitive information to be retrieved, such as: + +* Envoy configuration +* TLS certificates +* List of upstream services and endpoints + +We **strongly advise** only exposing the administration interface on a loopback +address (default configuration) and restricting access to a subset of users. + +**If the administration interface is exposed externally**, for +example by specifying a routable [`-admin-bind`](/commands/connect/envoy#admin-bind) +address, it may be possible for a malicious actor to gain access to Envoy's +configuration, or impact the service's availability within the cluster.
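Review bot: the sentence "restricting access to a subset of users" in the new section does not say how that restriction is to be achieved, and because the paragraph just above states the interface is **unauthenticated**, a reader may assume Envoy itself offers an access-control setting to turn on. Consider rewording it to make explicit that the restriction must come from outside Envoy (for example, limiting which users and processes on the host can reach the loopback address the interface is bound to), so the two paragraphs do not read as contradicting each other. It would also help the closing paragraph to state what `-admin-bind` defaults to, since "(default configuration)" in the preceding sentence is the only reference to that value and the reader currently has to follow the command link to confirm it is a loopback address.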