envoyproxy/envoy

Admin endpoint security

Open

#2,763 opened on Mar 8, 2018

View on GitHub
 (38 comments) (39 reactions) (0 assignees)C++ (5,373 forks)batch import
area/adminarea/securityhelp wantedtech debt

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (Avg merge 8d) (378 merged PRs in 30d)

Description

The admin endpoint today is unsecured (no authentication or TLS), with the assumption that it is only available to localhost or accessible on a trusted network. Ideally:

  • We want to be able to restrict access to only trusted IPs, client certificates and ensure we have transport security.
  • We want to have some ability to distinguish roles and access to the admin console, i.e. distinct identities might be allowed to operate /quitquitquit vs. stats monitoring.

Beyond just security, there's also the question of what the admin console is. Is it just a curlable utility, an interactive web console or is it a first-class API intended for programatic use? Should it offer gRPC endpoints (in particular as we are moving towards a proto definition of its contents in places such as https://github.com/envoyproxy/envoy/issues/2172). Answers to this affect the framing of security considerations.

Opening this issue to start the design discussion here.

Contributor guide