Document possible risk w.r.t exposing the admin API in Envoy (#10817)

Add a section to the Connect Security page which highlights the risks
of exposing Envoy's administration interface outside of localhost.

Resolves #5692

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Kent 'picat' Gruber <kent@hashicorp.com>
pull/10854/head
Blake Covarrubias 3 years ago committed by GitHub
parent 8a396ae73f
commit 97b4fdff0d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -97,3 +97,22 @@ using a local Connect proxy. This is documented in the
**If non-proxy traffic can communicate with the service**, this traffic
will not be encrypted or authorized via Connect.
### Restrict Access to Envoy's Administration Interface
Envoy exposes an **unauthenticated**
[administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin)
that can be used to query and modify the proxy. This interface
allows potentially sensitive information to be retrieved, such as:
* Envoy configuration
* TLS certificates
* List of upstream services and endpoints
We **strongly advise** only exposing the administration interface on a loopback
address (default configuration) and restricting access to a subset of users.
**If the administration interface is exposed externally**, for
example by specifying a routable [`-admin-bind`](/commands/connect/envoy#admin-bind)
address, it may be possible for a malicious actor to gain access to Envoy's
configuration, or impact the service's availability within the cluster.

Loading…
Cancel
Save