-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[v1.14] Author backport of #32200 #32265
[v1.14] Author backport of #32200 #32265
Conversation
[ upstream commit 1bc2c75 ] Currently, when L7 policies (egress or ingress) are enforced for traffic between Pods, Envoy might change x-forwarded-for related headers because the corresponding Envoy listeners don't trust the downstream headers because `XffNumTrustedHops` is set to `0`. e.g. `x-forwarded-proto` header: > Downstream x-forwarded-proto headers will only be trusted if xff_num_trusted_hops is non-zero. If xff_num_trusted_hops is zero, downstream x-forwarded-proto headers and :scheme headers will be set to http or https based on if the downstream connection is TLS or not. https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-proto This might be problematic if L7 policies are used for egress traffic for Pods from a non-Cilium ingress controller (e.g. nginx). If the Ingress Controller is terminating TLS traffic and forwards the protocol via `x-forwarded-proto=https`, Cilium Envoy Proxy changes this header to `x-forwarded-proto=http` (if no tls termination itself is used in the policy configuration). This breaks applications that depend on the forwarded protocol. Therefore, this commit introduces two new config flags `proxy-xff-num-trusted-hops-ingress` and `proxy-xff-num-trusted-hops-egresss` that configures the property `XffNumTrustedHops` on the respective L7 policy Envoy listeners. For backwards compabitility and security reasons, the values still default to `0`. Note: It's also possible to configure these values via Helm (`envoy.xffNumTrustedHopsL7PolicyIngress` & `envoy.xffNumTrustedHopsL7PolicyEgress`). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
/test-backport-1.14 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Heads up @mhofstetter if you have a section with |
👍 Good to know - thanks Joe. |
Currently, when L7 policies (egress or ingress) are enforced for traffic between Pods, Envoy might change x-forwarded-for related headers because the corresponding Envoy listeners don't trust the downstream headers because
XffNumTrustedHops
is set to0
.e.g.
x-forwarded-proto
header:https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-proto
This might be problematic if L7 policies are used for egress traffic for Pods from a non-Cilium ingress controller (e.g. nginx). If the Ingress Controller is terminating TLS traffic and forwards the protocol via
x-forwarded-proto=https
, Cilium Envoy Proxy changes this header tox-forwarded-proto=http
(if no tls termination itself is used in the policy configuration).This breaks applications that depend on the forwarded protocol.
Therefore, this commit introduces two new config flags
proxy-xff-num-trusted-hops-ingress
andproxy-xff-num-trusted-hops-egresss
that configures the propertyXffNumTrustedHops
on the respective L7 policy Envoy listeners.For backwards compabitility and security reasons, the values still default to
0
.Note: It's also possible to configure these values via Helm (
envoy.xffNumTrustedHopsL7PolicyIngress
&envoy.xffNumTrustedHopsL7PolicyEgress
).Author Backport of #32200 (Config properties not yet in Hive Cell on v1.14)
Once this PR is merged, a GitHub action will update the labels of these PRs: