envoy: add support for bind_config bootstrap options #2772
Code Climate has analyzed commit 309a6b5 and detected 0 issues on this pull request.
👍 that behavior sounds correct for that configuration. For reference/searchability - Beyond just offering more precise control over source address, it is also used to alter the outbound routing table when a system has multiple VRFs.
attributes: | | ||
- Environment Variable: `ENVOY_ADMIN_ADDRESS`, `ENVOY_ADMIN_ACCESS_LOG_PATH`, `ENVOY_ADMIN_PROFILE_PATH` | ||
- Config File Keys: `envoy_admin_address`, `envoy_admin_access_log_path`, `envoy_admin_profile_path` | ||
- Config File Keys: `envoy_admin_address`, `envoy_admin_access_log_path`, `envoy_admin_profile_path`, `envoy_bind_config_freebind`, `envoy_bind_config_source_address` | ||
- Type: `string` | ||
- Optional | ||
doc: | |
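Review bot: The Config File Keys line gains `envoy_bind_config_freebind` and `envoy_bind_config_source_address`, but the Environment Variable line above it is unchanged and the shared `Type: string` entry now also covers a key whose name (freebind) suggests a boolean. If the bind options have matching environment variables, list them here; otherwise consider giving the bind options their own settings entry with their own type and doc text, so readers are not left to assume they behave like the admin keys.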
The `doc` section should probably work in a link to the cluster manager proto for these options.
/cc @alexfornuto
@travisgroth: Updated, should be reviewed by an SME.
Looks like there's more to this. Our control plane and communication to authorize and databroker are also subject to this setting since they're represented by clusters internally. I think we at least need an exception for control plane to always be
I updated the config so that the
I updated the docs. For review: 309a6b5
👍, pending a 👍 from an SME on my docs additions.
Summary
Add support for Envoy `upstream_bind_config` options in the bootstrap: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto.html?highlight=bindconfig#config-bootstrap-v3-clustermanager

I'm not sure what these options are supposed to be used for, but I tried setting `127.0.0.1` and it allowed access to local services, but not to services on the internet. I believe this is the intended functionality.

Related issues
Fixes https://github.com/pomerium/internal/issues/628
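What a source-address bind does at the socket level, as an added example that is not part of the pull request and is neither Pomerium nor Envoy code. It uses Go's `net.Dialer` as a stand-in for Envoy's upstream connections; `startLocalService` and `dialFrom` are hypothetical helper names, and `192.0.2.10` (TEST-NET-1) is assumed not to be assigned to the host.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// startLocalService opens a loopback listener, a constructed stand-in for a "local service".
func startLocalService() (string, func(), error) {
	ln, err := net.Listen("tcp4", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			c.Close()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// dialFrom connects to target with the local end bound to sourceIP (port 0, so
// the kernel picks the port) and returns the source IP the connection used.
func dialFrom(sourceIP, target string) (string, error) {
	d := net.Dialer{LocalAddr: &net.TCPAddr{IP: net.ParseIP(sourceIP)}, Timeout: 2 * time.Second}
	conn, err := d.Dial("tcp4", target)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.LocalAddr().(*net.TCPAddr).IP.String(), nil
}

func main() {
	addr, stop, err := startLocalService()
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println(dialFrom("127.0.0.1", addr))  // loopback source reaches the local service
	fmt.Println(dialFrom("192.0.2.10", addr)) // address not on this host: bind is refused
}
```

The second call fails at bind time because the address is not configured locally; Envoy's `freebind` option sets `IP_FREEBIND` on the socket, which is the Linux mechanism for lifting that restriction.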