injector: restrict envoy admin access to localhost

The Envoy admin interface allows to perform destructive operations as well as exposes sensitive information. Access to the portal should be restricted to within the localhost. More info can be found at https://www.envoyproxy.io/docs/envoy/latest/operations/admin Port forwarding to the proxy pod to access the admin portal over localhost will work as expected. Signed-off-by: Shashank Ram <shashr2204@gmail.com>
openservicemesh · Mar 12, 2021 · b956469 · b956469
1 parent 2d13cfe
commit b956469
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/pkg/injector/envoy_config.go b/pkg/injector/envoy_config.go
@@ -21,7 +21,7 @@ func getEnvoyConfigYAML(config envoyBootstrapConfigMeta, cfg configurator.Config
 			"access_log_path": "/dev/stdout",
 			"address": map[string]interface{}{
 				"socket_address": map[string]string{
-					"address":    "0.0.0.0",
+					"address":    constants.LocalhostIPAddress,
 					"port_value": strconv.Itoa(config.EnvoyAdminPort),
 				},
 			},

diff --git a/pkg/injector/test_fixtures/expected_envoy_bootstrap_config.yaml b/pkg/injector/test_fixtures/expected_envoy_bootstrap_config.yaml
@@ -2,7 +2,7 @@ admin:
   access_log_path: /dev/stdout
   address:
     socket_address:
-      address: 0.0.0.0
+      address: 127.0.0.1
       port_value: "15000"
 dynamic_resources:
   ads_config: