feat: introduce ingress proxy recommended hardening/tuning settings

Stefan Reimer 2021-04-20 16:33:45 +02:00
parent 64dd6160cb
commit 401f024be6
7 changed files with 95 additions and 80 deletions


@ -1,6 +1,6 @@
# https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
# https://github.com/istio/istio/issues/24715
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
apiVersion: v1
kind: ConfigMap
metadata:
@ -39,10 +39,21 @@ data:
{
"name": "envoy.resource_monitors.fixed_heap",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig",
"@type": "type.googleapis.com/envoy.config.resource_monitor.fixed_heap.v2alpha.FixedHeapConfig",
"max_heap_size_bytes": 536870912
}
}
]
},
"layeredRuntime": {
"layers": [
{
"name": "static_layer_0",
"staticLayer": {
"overload.global_downstream_max_connections": 50000
}
}
]
}
}
{{- end }}
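Review bot: The `overload.global_downstream_max_connections` cap of 50000 in the new `layeredRuntime` layer is hard-coded next to a fixed heap of 536870912 bytes (512 MiB), and nothing in the template says how the two relate. With the 32 KiB per-connection buffer limit set in the hardening EnvoyFilter of this commit, buffers for that many connections could exceed the heap budget, so the overload actions (defined above this hunk, not visible here) would do the limiting rather than the cap. I would either expose both numbers as chart values or add a header comment such as `# max_heap_size_bytes must stay below the gateway container memory limit; size global_downstream_max_connections against it`. The section also shows both a v3 and a v2alpha `FixedHeapConfig` type URL; which one is the new side is not recoverable from this view, so confirm that the one kept matches the Envoy version the gateways run.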


@ -0,0 +1,36 @@
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-hardening
namespace: {{ .Release.Namespace }}
spec:
configPatches:
- applyTo: CLUSTER
patch:
operation: MERGE
value:
connect_timeout: 15s
per_connection_buffer_limit_bytes: 32768 # 32 KiB
- applyTo: NETWORK_FILTER
match:
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: "envoy.filters.network.http_connection_manager"
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
common_http_protocol_options:
idle_timeout: 3600s # 1 hour
# headers_with_underscores_action: REJECT_REQUEST
http2_protocol_options:
max_concurrent_streams: 500
initial_stream_window_size: 65536 # 64 KiB
initial_connection_window_size: 1048576 # 1 MiB
#stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
#request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
{{- end }}
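Review bot: Neither configPatch in `ingressgateway-hardening` is restricted to gateways, since the resource has no `workloadSelector` and no `match.context`. An EnvoyFilter without a selector applies to every workload in its namespace, and to the whole mesh if `.Release.Namespace` is the Istio root namespace, so the CLUSTER and HTTP connection manager settings would also be merged into sidecars. Adding `match:` / `context: GATEWAY` to the CLUSTER patch and `context: GATEWAY` under the existing `match:` of the NETWORK_FILTER patch keeps the scope to the ingress proxies. The new `ingressgateway-listener-tcp-keepalive` filter in the next file has the same gap, whereas the deleted version selected `istio: ingressgateway` and `istio: private-ingressgateway` explicitly. Separately, `headers_with_underscores_action: REJECT_REQUEST` is left commented out without a reason; a short comment on why it is disabled would help the next reader.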


@ -0,0 +1,31 @@
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-listener-tcp-keepalive
namespace: {{ .Release.Namespace }}
spec:
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
socket_options:
# SOL_SOCKET = 1
# SO_KEEPALIVE = 9
- level: 1
name: 9
int_value: 1
state: STATE_LISTENING
# IPPROTO_TCP = 6
# TCP_KEEPIDLE = 4
- level: 6
name: 4
int_value: 60
state: STATE_LISTENING
# TCP_KEEPINTVL = 5
- level: 6
name: 5
int_value: 60
state: STATE_LISTENING
{{- end }}


@ -1,70 +0,0 @@
{{- if index .Values "istio-ingress" "enabled" }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-listener-tcp-keepalive
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
socket_options:
# SOL_SOCKET = 1
# SO_KEEPALIVE = 9
- level: 1
name: 9
int_value: 1
state: STATE_LISTENING
# IPPROTO_TCP = 6
# TCP_KEEPIDLE = 4
- level: 6
name: 4
int_value: 60
state: STATE_LISTENING
# TCP_KEEPINTVL = 5
- level: 6
name: 5
int_value: 60
state: STATE_LISTENING
{{- end }}
{{- if index .Values "istio-private-ingress" "enabled" }}
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: private-ingressgateway-listener-tcp-keepalive
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
istio: private-ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
socket_options:
# SOL_SOCKET = 1
# SO_KEEPALIVE = 9
- level: 1
name: 9
int_value: 1
state: STATE_LISTENING
# IPPROTO_TCP = 6
# TCP_KEEPIDLE = 4
- level: 6
name: 4
int_value: 60
state: STATE_LISTENING
# TCP_KEEPINTVL = 5
- level: 6
name: 5
int_value: 60
state: STATE_LISTENING
{{- end }}


@ -37,8 +37,17 @@ istio-ingress:
topologyKey: kubernetes.io/hostname
values: istio-ingressgateway
type: NodePort
#podAnnotations:
# sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config
podAnnotations:
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
# custom hardened bootstrap config
env:
ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
configVolumes:
- name: custom-bootstrap-volume
mountPath: /etc/istio/custom-bootstrap
configMapName: istio-gateway-bootstrap-config
# The node selector is normally the list of nodeports, see CloudBender
nodeSelector:
node.kubernetes.io/ingress.public: "30080_30443"
@ -107,6 +116,9 @@ istio-private-ingress:
topologyKey: kubernetes.io/hostname
values: istio-private-ingressgateway
type: NodePort
podAnnotations:
# sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
nodeSelector:
node.kubernetes.io/ingress.private: "31080_31443"
#nodeSelector: "31080_31443_31671_31672_31224"
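Review bot: The hardened bootstrap is wired up only for `istio-ingress`: the second hunk gives `istio-private-ingress` the `terminationDrainDuration` annotation but no `ISTIO_BOOTSTRAP_OVERRIDE` env and no `custom-bootstrap-volume`. The bootstrap ConfigMap template renders when either gateway is enabled, so as far as these hunks show the private gateway would run without the overload manager and the downstream connection cap. If that is intentional it deserves a comment; otherwise the same `env` and `configVolumes` entries should be repeated under the private gateway, as sketched below. The leftover `# sidecar.istio.io/bootstrapOverride` comment under the private `podAnnotations` could then be dropped.

```yaml
# … unchanged: istio-private-ingress affinity and service type …
podAnnotations:
  proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
# same bootstrap override as istio-ingress; indent to match podAnnotations
env:
  ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
configVolumes:
  - name: custom-bootstrap-volume
    mountPath: /etc/istio/custom-bootstrap
    configMapName: istio-gateway-bootstrap-config
# … unchanged: nodeSelector …
```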


@ -1,2 +1,3 @@
istioctl
istio
istio.zdt


@ -35,11 +35,5 @@ istio-discovery:
enabled: false
meshConfig:
defaultConfig:
terminationDrainDuration: 20s
accessLogFile: /dev/stdout
accessLogEncoding: 'JSON'
h2UpgradePolicy: 'DO_NOT_UPGRADE'
tcpKeepalive:
interval: 30s
time: 60s