
@davecheney davecheney released this Apr 9, 2019 · 454 commits to master since this release

VMware is proud to present version 0.11 of Contour, our Envoy powered Kubernetes Ingress Controller. As always, thank you to the many community contributors -- we literally couldn't do it without you!

Contour 0.11 addresses a path traversal security issue in Envoy 1.9.0. It is recommended that all users upgrade to Contour 0.11 and the corresponding Envoy 1.9.1 release.

New and improved

Contour 0.11 includes several new features and one important security patch.

Envoy 1.9.1 and CVE-2019-9901 mitigations

Envoy 1.9.0 and earlier are vulnerable to a path normalisation attack. For example, a remote attacker may craft a request path containing a relative segment, e.g. /public/../admin, to bypass access control such as a block on /admin. When Contour is deployed as an ingress controller, this means traffic intended to be directed via one route may be sent to another via a denormalised request path.

The fix for this attack is available in Envoy 1.9.1; however, it is not sufficient to simply upgrade Envoy, as path normalisation is currently opt-in. Contour 0.11.0 generates the correct configuration to secure Envoy 1.9.1 by requesting path normalisation for all routes.
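To make the normalisation point concrete, here is an added example in Go (Contour's own language); it is illustrative code written for these notes, not code from Contour or Envoy. A toy prefix router matches a route table once against the path exactly as received and once against the normalised path, so the difference the normalize_path setting makes is visible on a single request. Route, normalizePath, routeRaw and routeNormalized are hypothetical names; Go's path.Clean stands in for Envoy's dot-segment removal and, as a simplification, also merges repeated slashes, which Envoy's normalize_path does not.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Route is a minimal stand-in (hypothetical, for this example only) for a
// prefix route in the configuration Contour hands to Envoy: requests whose
// path starts with Prefix are sent to Cluster.
type Route struct {
	Prefix  string
	Cluster string
}

// normalizePath removes "." and ".." segments from the path portion of a
// request target, which is the behaviour Contour 0.11 asks Envoy 1.9.1 for via
// normalize_path. The query string is left untouched and a trailing slash is
// preserved, since prefix routes may depend on it. ".." can never climb above
// "/". Simplification: path.Clean also merges repeated slashes, which Envoy's
// normalize_path option does not do.
func normalizePath(p string) string {
	query := ""
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p, query = p[:i], p[i:]
	}
	if p == "" {
		return "/" + query
	}
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	cleaned := path.Clean(p)
	if strings.HasSuffix(p, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned + query
}

// match returns the cluster of the first route whose prefix matches p, or ""
// when nothing matches. Routes are evaluated in order, so a block on /admin
// must be listed before a broader route such as /public.
func match(routes []Route, p string) string {
	for _, r := range routes {
		if strings.HasPrefix(p, r.Prefix) {
			return r.Cluster
		}
	}
	return ""
}

// routeRaw matches on the path exactly as received, which is what Envoy does
// when path normalisation is not enabled.
func routeRaw(routes []Route, p string) string { return match(routes, p) }

// routeNormalized normalises the path before matching, which is what Envoy
// 1.9.1 does when normalize_path is true.
func routeNormalized(routes []Route, p string) string {
	return match(routes, normalizePath(p))
}

func main() {
	// Constructed route table: /admin is blocked (sent to a deny cluster),
	// everything under /public goes to the public backend.
	routes := []Route{
		{Prefix: "/admin", Cluster: "deny"},
		{Prefix: "/public", Cluster: "public-backend"},
	}
	for _, p := range []string{"/public/index.html", "/admin", "/public/../admin"} {
		fmt.Printf("%-22s raw=%-15s normalized=%s\n", p, routeRaw(routes, p), routeNormalized(routes, p))
	}
}
```

With the raw matcher the request for /public/../admin is classified as /public traffic and forwarded to the public backend, which may itself resolve the dot segments and serve /admin; with normalisation applied first the same request hits the /admin block. This is why upgrading Envoy alone is not enough: the router only sees the normalised path when the option is set.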

Details of the vulnerability

Fixes #983. Thanks @stevesloka

Support of TLS enabled backends

Contour 0.11 adds the ability to connect to backend Services that require TLS. This is enabled by a new annotation on the Service object:

contour.heptio.com/upstream-protocol.tls: {port,portName}

The question of what L7 protocol a Service's port speaks is a property of the Service, not the Ingress/IngressRoute, hence the annotation is placed on the Service object.

See the Annotation documentation for more information.

Note: Envoy does not perform any validation of the certificate presented by the backend Service.
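As an added example (written for these notes, not Contour's own implementation), the following Go program shows how the annotation can be read off a Service and used to pick which of its ports Envoy should reach over TLS. The {port,portName} notation is taken here to mean a comma-separated list whose entries are either port numbers or port names; that reading, and the names UpstreamTLSAnnotation, Service, ServicePort, parseUpstreamTLS and tlsPorts, are assumptions of this example, and the Service and ServicePort types are cut-down stand-ins for the corev1 types.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// UpstreamTLSAnnotation is the Service annotation introduced in Contour 0.11.
const UpstreamTLSAnnotation = "contour.heptio.com/upstream-protocol.tls"

// ServicePort and Service are cut-down, hypothetical stand-ins for the
// corev1 types; only the fields this example needs are present.
type ServicePort struct {
	Name string
	Port int32
}

type Service struct {
	Annotations map[string]string
	Ports       []ServicePort
}

// parseUpstreamTLS reads the annotation as a comma-separated list whose
// entries are port numbers or port names (our reading of {port,portName};
// an assumption, not a documented grammar). Entries are trimmed and empty
// entries dropped, so a nil or missing annotation yields an empty set.
func parseUpstreamTLS(annotations map[string]string) map[string]bool {
	want := map[string]bool{}
	for _, f := range strings.Split(annotations[UpstreamTLSAnnotation], ",") {
		if f = strings.TrimSpace(f); f != "" {
			want[f] = true
		}
	}
	return want
}

// tlsPorts returns the Service ports that should be reached over TLS: a port
// qualifies when its number or its name is listed in the annotation. Because
// the annotation lives on the Service, the decision is made once per Service
// and applies to every Ingress or IngressRoute that targets it.
func tlsPorts(svc Service) []ServicePort {
	want := parseUpstreamTLS(svc.Annotations)
	var out []ServicePort
	for _, p := range svc.Ports {
		if want[strconv.Itoa(int(p.Port))] || (p.Name != "" && want[p.Name]) {
			out = append(out, p)
		}
	}
	return out
}

// tlsPortNumbers is a convenience wrapper returning just the port numbers.
func tlsPortNumbers(svc Service) []int32 {
	var nums []int32
	for _, p := range tlsPorts(svc) {
		nums = append(nums, p.Port)
	}
	return nums
}

func main() {
	// Constructed Service: port 443 is selected by number and port 8443 by
	// its name "secure"; port 80 stays plaintext. Remember that Envoy does not
	// validate the certificate the backend presents, so this protects the hop
	// from Envoy to the backend against observation, not against a backend
	// presenting the wrong certificate.
	svc := Service{
		Annotations: map[string]string{UpstreamTLSAnnotation: "443, secure"},
		Ports: []ServicePort{
			{Name: "http", Port: 80},
			{Name: "https", Port: 443},
			{Name: "secure", Port: 8443},
		},
	}
	fmt.Println("ports reached over TLS:", tlsPortNumbers(svc))
}
```

Running the program prints [443 8443]. A Service with no annotation, or an annotation whose entries match none of its ports, selects nothing, and Contour keeps talking plaintext to it.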

Fixes #406, #569, and #963.

Thanks again to @stevesloka

Other improvements

  • A design document for adding retry and timeout behaviour to IngressRoute has been merged. Big thank you to @prasoontelang. Updates #815.
  • Contour is now built with Go 1.12.1 (1.12.2 was not available at the time of this release). Thanks @avni. Fixes #848.
  • Upgrade to envoyproxy/go-control-plane v0.6.9. Fixes #933.
  • Upgrade to k8s.io/client-go v1.12.6. Thanks @vaamarnath. Fixes #934.
  • Improve PR contribution templates. Thanks @andrewsykim.
  • Contour now uses the shared informer client-go infrastructure. Thanks @andrewsykim.
  • Contour has migrated from dep to Go modules for dependency management. Thanks @vaamarnath. Fixes #598.
  • Envoy's deprecated --v2-config-only flag has been removed from our sample deployments/. Thanks @rata. Fixes #971.
  • Prometheus integration documentation has been updated. Thanks @indradhanush.

Bug fixes

Several bugs in CRD validation have been fixed during the 0.11 development cycle.

  • The documentation and validation for TLS Certificate validation (introduced in Contour 0.10) incorrectly suggested that spec.delegations took only a single item. This is incorrect: spec.delegations takes a list. The documentation has been corrected and additional CRD validation introduced to reject the previously incorrect YAML. Thanks to @joshrosso for spotting the issue. Fixes #977.
  • A bug in the validation for the IngressRoute spec.tls.secretName prevented names with a forward slash, /, from being used. This has been corrected. Thanks @arminbuerkle. Fixes #965.
  • The deployment/ds-hostnet-split example YAML failed to pass validation under newer versions of Kubernetes. This has been fixed. Thanks @stevesloka. Fixes #940.
  • A typo in the contour serve documentation has been fixed. Thanks @shivanshu21. Fixes #966.

Upgrading

  • Several issues with CRD validation have been fixed in Contour 0.11. Please redeploy Contour using the supplied deployment/ artifacts.
  • Envoy's --v2-config-only flag has been deprecated in Envoy 1.9.x, and will be removed entirely in Envoy 1.10. Please remove it from your deployments to prevent Envoy failing to start.
  • Contour 0.11 requires Envoy 1.9.1.
    docker.io/envoyproxy/envoy:v1.9.1
    
    Previous versions of Envoy are not compatible with the configuration generated by Contour 0.11. If Envoy fails to start after upgrading Contour to 0.11 with an error similar to this, you have not upgraded Envoy to 1.9.1.
    [2019-04-08 01:54:58.396][000001][critical][main] [source/server/server.cc:86] error initializing configuration '/config/contour.json': Unable to parse JSON as proto (INVALID_ARGUMENT:normalize_path: Cannot find field.): {"codec_type":"AUTO","http_filters":[{"name":"envoy.health_check","config":{"headers":[{"name":":path","exact_match":"/healthz"}],"pass_through_mode":"false"}},{"name":"envoy.router"}],"stat_prefix":"stats","normalize_path":true,"route_config":{"virtual_hosts":{"routes":[{"match":{"prefix":"/stats"},"route":{"cluster":"service_stats"}}],"domains":["*"],"name":"backend"}}}
    [2019-04-08 01:54:58.397][000001][info][main] [source/server/server.cc:507] exiting
    
    Versions of Envoy later than 1.9.1 are not tested and not guaranteed to work with Contour 0.11.