Add policy restricting usage of Istio annotations #1017
Comments
|
cc @bburky would be helpful to get your take on which annotations are particular important to block |
|
There's so many it's hard to say. Conservatively I'd say all, and exempt things one by one if we know they're safe. I know it's a bit of hassle to create more Exceptions, but I'd also suggest all the per-port mTLS exemptions should be flagged and allowed by Exception. Similarly permissive TLS (but that's a whole separate CR, not an annotation.) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Istio provides a number of resource annotations that can be used to adjust the sidecar's configuration. In particular there are a number of
traffic.sidecar.istio.io/annotations that can be used to modify how traffic is captured by the sidecar.These annotations should be evaluated for security impact and where necessary we should block annotations with a policy. This policy should allow an exemption, likely named something like
RestrictIstioAnnotations.The text was updated successfully, but these errors were encountered: