feat: introduce ingress proxy recommended hardening/uning settings

2021-04-20 16:33:45 +02:00 · 2021-04-20 16:33:45 +02:00 · 401f024be6
commit 401f024be6
parent 64dd6160cb
7 changed files with 95 additions and 80 deletions
--- a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
+++ b/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
@ -1,6 +1,6 @@
 # https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
 # https://github.com/istio/istio/issues/24715
-
+{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@ -39,10 +39,21 @@ data:
          {
            "name": "envoy.resource_monitors.fixed_heap",
            "typed_config": {
-              "@type": "type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig",
+              "@type": "type.googleapis.com/envoy.config.resource_monitor.fixed_heap.v2alpha.FixedHeapConfig",
              "max_heap_size_bytes": 536870912
            }
          }
        ]
+      },
+      "layeredRuntime": {
+        "layers": [
+          {
+            "name": "static_layer_0",
+            "staticLayer": {
+              "overload.global_downstream_max_connections": 50000
+            }
+          }
+        ]
      }
    }
+{{- end }}
--- a/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml
@ -0,0 +1,36 @@
+{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: ingressgateway-hardening
+  namespace: {{ .Release.Namespace }}
+spec:
+  configPatches:
+  - applyTo: CLUSTER
+    patch:
+      operation: MERGE
+      value:
+        connect_timeout: 15s
+        per_connection_buffer_limit_bytes: 32768 # 32 KiB
+  - applyTo: NETWORK_FILTER
+    match:
+      listener:
+        filterChain:
+          filter:
+            name: "envoy.filters.network.http_connection_manager"
+    patch:
+      operation: MERGE
+      value:
+        name: "envoy.filters.network.http_connection_manager"
+        typed_config:
+          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+          common_http_protocol_options:
+            idle_timeout: 3600s # 1 hour
+            # headers_with_underscores_action: REJECT_REQUEST
+          http2_protocol_options:
+            max_concurrent_streams: 500
+            initial_stream_window_size: 65536 # 64 KiB
+            initial_connection_window_size: 1048576 # 1 MiB
+          #stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
+          #request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
+{{- end }}
--- a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
@ -0,0 +1,31 @@
+{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: ingressgateway-listener-tcp-keepalive
+  namespace: {{ .Release.Namespace }}
+spec:
+  configPatches:
+  - applyTo: LISTENER
+    patch:
+      operation: MERGE
+      value:
+        socket_options:
+          # SOL_SOCKET = 1
+          # SO_KEEPALIVE = 9
+          - level: 1
+            name: 9
+            int_value: 1
+            state: STATE_LISTENING
+          # IPPROTO_TCP = 6
+          # TCP_KEEPIDLE = 4
+          - level: 6
+            name: 4
+            int_value: 60
+            state: STATE_LISTENING
+          # TCP_KEEPINTVL = 5
+          - level: 6
+            name: 5
+            int_value: 60
+            state: STATE_LISTENING
+{{- end }}
--- a/charts/kubezero-istio-ingress/templates/envoyfilter.yaml
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter.yaml
@ -1,70 +0,0 @@
-{{- if index .Values "istio-ingress" "enabled" }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
-  name: ingressgateway-listener-tcp-keepalive
-  namespace: {{ .Release.Namespace }}
-spec:
-  workloadSelector:
-    labels:
-      istio: ingressgateway
-  configPatches:
-  - applyTo: LISTENER
-    patch:
-      operation: MERGE
-      value:
-        socket_options:
-          # SOL_SOCKET = 1
-          # SO_KEEPALIVE = 9
-          - level: 1
-            name: 9
-            int_value: 1
-            state: STATE_LISTENING
-          # IPPROTO_TCP = 6
-          # TCP_KEEPIDLE = 4
-          - level: 6
-            name: 4
-            int_value: 60
-            state: STATE_LISTENING
-          # TCP_KEEPINTVL = 5
-          - level: 6
-            name: 5
-            int_value: 60
-            state: STATE_LISTENING
-{{- end }}
-
-{{- if index .Values "istio-private-ingress" "enabled" }}
---
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
-  name: private-ingressgateway-listener-tcp-keepalive
-  namespace: {{ .Release.Namespace }}
-spec:
-  workloadSelector:
-    labels:
-      istio: private-ingressgateway
-  configPatches:
-  - applyTo: LISTENER
-    patch:
-      operation: MERGE
-      value:
-        socket_options:
-          # SOL_SOCKET = 1
-          # SO_KEEPALIVE = 9
-          - level: 1
-            name: 9
-            int_value: 1
-            state: STATE_LISTENING
-          # IPPROTO_TCP = 6
-          # TCP_KEEPIDLE = 4
-          - level: 6
-            name: 4
-            int_value: 60
-            state: STATE_LISTENING
-          # TCP_KEEPINTVL = 5
-          - level: 6
-            name: 5
-            int_value: 60
-            state: STATE_LISTENING
-{{- end }}
--- a/charts/kubezero-istio-ingress/values.yaml
+++ b/charts/kubezero-istio-ingress/values.yaml
@ -37,8 +37,17 @@ istio-ingress:
        topologyKey: kubernetes.io/hostname
        values: istio-ingressgateway
      type: NodePort
-      #podAnnotations:
-      #  sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config
+      podAnnotations:
+        proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
+
+      # custom hardened bootstrap config
+      env:
+        ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
+      configVolumes:
+      - name: custom-bootstrap-volume
+        mountPath: /etc/istio/custom-bootstrap
+        configMapName: istio-gateway-bootstrap-config
+
      # The node selector is normally the list of nodeports, see CloudBender
      nodeSelector:
        node.kubernetes.io/ingress.public: "30080_30443"
@ -107,6 +116,9 @@ istio-private-ingress:
        topologyKey: kubernetes.io/hostname
        values: istio-private-ingressgateway
      type: NodePort
+      podAnnotations:
+      #  sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config
+        proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
      nodeSelector:
        node.kubernetes.io/ingress.private: "31080_31443"
        #nodeSelector: "31080_31443_31671_31672_31224"
--- a/charts/kubezero-istio/.gitignore
+++ b/charts/kubezero-istio/.gitignore
@ -1,2 +1,3 @@
 istioctl
 istio
+istio.zdt
--- a/charts/kubezero-istio/values.yaml
+++ b/charts/kubezero-istio/values.yaml
@ -35,11 +35,5 @@ istio-discovery:
    enabled: false

  meshConfig:
-    defaultConfig:
-      terminationDrainDuration: 20s
    accessLogFile: /dev/stdout
    accessLogEncoding: 'JSON'
-    h2UpgradePolicy: 'DO_NOT_UPGRADE'
-    tcpKeepalive:
-      interval: 30s
-      time: 60s