area/adminarea/securityhelp wantedtech debt
仓库指标
- Star
- (27,997 star)
- PR 合并指标
- (平均合并 8天) (30 天内合并 378 个 PR)
描述
The admin endpoint today is unsecured (no authentication or TLS), with the assumption that it is only available to localhost or accessible on a trusted network. Ideally:
- We want to be able to restrict access to only trusted IPs, client certificates and ensure we have transport security.
- We want to have some ability to distinguish roles and access to the admin console, i.e. distinct identities might be allowed to operate
/quitquitquitvs. stats monitoring.
Beyond just security, there's also the question of what the admin console is. Is it just a curlable utility, an interactive web console or is it a first-class API intended for programatic use? Should it offer gRPC endpoints (in particular as we are moving towards a proto definition of its contents in places such as https://github.com/envoyproxy/envoy/issues/2172). Answers to this affect the framing of security considerations.
Opening this issue to start the design discussion here.