Document possible risk w.r.t exposing the admin API in Envoy (#10817)

Add a section to the Connect Security page which highlights the risks
of exposing Envoy's administration interface outside of localhost.

Resolves #5692

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Kent 'picat' Gruber <kent@hashicorp.com>
Blake Covarrubias 2021-08-13 10:05:29 -07:00 committed by GitHub
parent 24166d9631
commit 247397dcd2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 0 deletions


@ -97,3 +97,22 @@ using a local Connect proxy. This is documented in the
**If non-proxy traffic can communicate with the service**, this traffic **If non-proxy traffic can communicate with the service**, this traffic
will not be encrypted or authorized via Connect. will not be encrypted or authorized via Connect.
### Restrict Access to Envoy's Administration Interface
Envoy exposes an **unauthenticated**
[administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin)
that can be used to query and modify the proxy. This interface
allows potentially sensitive information to be retrieved, such as:
* Envoy configuration
* TLS certificates
* List of upstream services and endpoints
We **strongly advise** only exposing the administration interface on a loopback
address (default configuration) and restricting access to a subset of users.
**If the administration interface is exposed externally**, for
example by specifying a routable [`-admin-bind`](/commands/connect/envoy#admin-bind)
address, it may be possible for a malicious actor to gain access to Envoy's
configuration, or impact the service's availability within the cluster.
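Review bot: "restricting access to a subset of users" (the sentence starting "We **strongly advise**") names no mechanism; because the interface is unauthenticated, the only real controls sit outside Envoy, so say so explicitly: when bound to loopback, whoever can run processes on that host (or is in that network namespace / pod) can reach it, and when `-admin-bind` is routable the reader needs a firewall or network policy in front of it. Two smaller points in the same hunk: the availability sentence would be more convincing if it named the state-changing endpoints the interface offers (e.g. `/quitquitquit`, `/healthcheck/fail`, `/drain_listeners`), and "TLS certificates" in the bullet list reads as if private keys were retrievable, whereas the admin `/certs` endpoint returns certificate details (subject, serial, expiry), so "TLS certificate details" would be more accurate.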