Commit

Automator: update istio.io@ reference docs (istio#16258)
istio-testing authored Feb 20, 2025
1 parent 01b9b54 commit 9997707
Showing 4 changed files with 38 additions and 0 deletions.
5 changes: 5 additions & 0 deletions content/en/docs/reference/commands/istioctl/index.html
Expand Up @@ -3819,6 +3819,11 @@ <h3 id="istioctl-experimental-workload-group-create">istioctl experimental workl
<td>The labels to apply to the workload instances; e.g. -l env=prod,vers=2 (default `[]`)</td>
</tr>
<tr>
<td><code>--locality &lt;string&gt;</code></td>
<td></td>
<td>The locality associated with the endpoint. (default ``)</td>
</tr>
<tr>
<td><code>--name &lt;string&gt;</code></td>
<td></td>
<td>The name of the workload group (default ``)</td>
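Review bot: the new --locality row describes the flag as "The locality associated with the endpoint.", while the neighbouring rows of this table speak of "the workload instances" and "the workload group", so "endpoint" is left undefined for this command. Suggest wording it in the same terms, for example "The locality to apply to the workload instances", and making the change in the flag's help text, since this page is generated.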
14 changes: 14 additions & 0 deletions content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
Expand Up @@ -4423,6 +4423,20 @@ <h2 id="MeshNetworks">MeshNetworks</h2>
port: 15443
locality: us-east-1a
</code></pre>
<p>If <code>ENABLE_HCM_INTERNAL_NETWORKS</code> is set to true, MeshNetworks can be used to
to explicitly define the networks in Envoy&rsquo;s internal address configuration.
Envoy uses the IPs in the <code>internalAddressConfig</code> to decide whether or not to sanitize
Envoy headers. If the IP address is listed an internal, the Envoy headers are not
sanitized. As of Envoy 1.33, the default value for <code>internalAddressConfig</code> is set to
an empty set. Previously, the default value was the set of all private IPs. Setting
the <code>internalAddressConfig</code> to all private IPs (via Envoy&rsquo;s previous default behavior
or via the MeshNetworks) will leave users with an Istio Ingress Gateway potentially
vulnerable to <code>x-envoy</code> header manipulation by external sources. More information about
this vulnerability can be found here:
<a href="https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf">https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf</a>
To preserve headers, you must explicitly configure MeshNetworks and set
<code>ENABLE_HCM_INTERNAL_NETWORKS</code> to true. Envoy&rsquo;s <code>internalAddressConfig</code> will be set to
the endpointed specified by <code>fromCidr</code>.</p>

<table class="message-fields">
<thead>
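Review bot: the added paragraph warns that an internalAddressConfig covering all private IPs leaves an ingress gateway open to x-envoy header manipulation, but then tells the reader to "explicitly configure MeshNetworks" without saying how narrow fromCidr should be, and it never says where ENABLE_HCM_INTERNAL_NETWORKS is set. Suggest adding one sentence stating that fromCidr should list only the ranges whose x-envoy headers are trusted, and naming the component that reads the setting. The advisory link also runs straight into "To preserve headers" with no sentence break.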
5 changes: 5 additions & 0 deletions content/zh/docs/reference/commands/istioctl/index.html
Expand Up @@ -3819,6 +3819,11 @@ <h3 id="istioctl-experimental-workload-group-create">istioctl experimental workl
<td>The labels to apply to the workload instances; e.g. -l env=prod,vers=2 (default `[]`)</td>
</tr>
<tr>
<td><code>--locality &lt;string&gt;</code></td>
<td></td>
<td>The locality associated with the endpoint. (default ``)</td>
</tr>
<tr>
<td><code>--name &lt;string&gt;</code></td>
<td></td>
<td>The name of the workload group (default ``)</td>
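Review bot: the --locality description gives no hint of the expected value format, while the --labels row just above it shows one ("e.g. -l env=prod,vers=2"). Suggest adding an example value to the description so a user does not have to guess what string is accepted.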
14 changes: 14 additions & 0 deletions content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html
Expand Up @@ -4423,6 +4423,20 @@ <h2 id="MeshNetworks">MeshNetworks</h2>
port: 15443
locality: us-east-1a
</code></pre>
<p>If <code>ENABLE_HCM_INTERNAL_NETWORKS</code> is set to true, MeshNetworks can be used to
to explicitly define the networks in Envoy&rsquo;s internal address configuration.
Envoy uses the IPs in the <code>internalAddressConfig</code> to decide whether or not to sanitize
Envoy headers. If the IP address is listed an internal, the Envoy headers are not
sanitized. As of Envoy 1.33, the default value for <code>internalAddressConfig</code> is set to
an empty set. Previously, the default value was the set of all private IPs. Setting
the <code>internalAddressConfig</code> to all private IPs (via Envoy&rsquo;s previous default behavior
or via the MeshNetworks) will leave users with an Istio Ingress Gateway potentially
vulnerable to <code>x-envoy</code> header manipulation by external sources. More information about
this vulnerability can be found here:
<a href="https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf">https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf</a>
To preserve headers, you must explicitly configure MeshNetworks and set
<code>ENABLE_HCM_INTERNAL_NETWORKS</code> to true. Envoy&rsquo;s <code>internalAddressConfig</code> will be set to
the endpointed specified by <code>fromCidr</code>.</p>

<table class="message-fields">
<thead>
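Review bot: three wording slips in the added paragraph: "can be used to" followed by "to explicitly define" doubles the "to" across the line break, "listed an internal" should read "listed as internal", and "the endpointed specified by fromCidr" should read "the endpoints specified by fromCidr". This page is generated, so the corrections belong in the source the reference docs are built from.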