Open mjnagel opened 4 days ago
cc @bburky would be helpful to get your take on which annotations are particularly important to block
There's so many it's hard to say. Conservatively I'd say all, and exempt things one by one if we know they're safe.
I know it's a bit of a hassle to create more Exceptions, but I'd also suggest all the per-port mTLS exemptions should be flagged and allowed by Exception. Similarly, permissive TLS (but that's a whole separate CR, not an annotation).
Istio provides a number of resource annotations that can be used to adjust the sidecar's configuration. In particular there are a number of `traffic.sidecar.istio.io/` annotations that can be used to modify how traffic is captured by the sidecar. These annotations should be evaluated for security impact and where necessary we should block annotations with a policy. This policy should allow an exemption, likely named something like `RestrictIstioAnnotations`.
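As an added illustration of both the policy proposed in the issue (deny `traffic.sidecar.istio.io/` annotations unless an exemption covers them) and the per-port / permissive mTLS point raised in the comment above, here is a small admission-style checker. This is example code written for this page, not code from Istio or from the project's own policy engine; the `Exemption` shape, the `allow_weak_mtls` flag and the sample Pod and PeerAuthentication manifests are constructed assumptions. The PeerAuthentication field names (`spec.mtls.mode`, `spec.portLevelMtls.<port>.mode`) follow the Istio `security.istio.io` API.

```python
# Added example: policy checks for restricted Istio sidecar annotations and
# weakened mTLS. Not Istio or project code; the Exemption model is assumed.
from dataclasses import dataclass
from typing import Iterable, Optional

# Annotation prefixes denied by default. traffic.sidecar.istio.io/* changes which
# ports and IP ranges the sidecar intercepts, so a workload can use them to send
# or receive traffic that bypasses mTLS and mesh policy.
RESTRICTED_PREFIXES = ("traffic.sidecar.istio.io/",)


@dataclass(frozen=True)
class Exemption:
    """One approved carve-out, keyed on namespace/name (assumed shape)."""
    namespace: str
    name: str
    # Exact annotation keys this workload may set; empty means any restricted key.
    annotations: frozenset = frozenset()
    # Whether a PeerAuthentication of this name may be weaker than STRICT,
    # either at the top level or for individual ports.
    allow_weak_mtls: bool = False


def _find(exemptions: Iterable[Exemption], namespace: str, name: str) -> Optional[Exemption]:
    return next((e for e in exemptions if e.namespace == namespace and e.name == name), None)


def pod_violations(pod: dict, exemptions: Iterable[Exemption] = ()) -> list[str]:
    """Return restricted annotation keys on `pod` that no Exemption covers."""
    meta = pod.get("metadata", {}) or {}
    ex = _find(exemptions, meta.get("namespace", "default"), meta.get("name", ""))
    hits = []
    for key in (meta.get("annotations") or {}):
        if not key.startswith(RESTRICTED_PREFIXES):
            continue
        if ex is not None and (not ex.annotations or key in ex.annotations):
            continue  # explicitly allowed for this workload
        hits.append(key)
    return sorted(hits)


def peer_auth_violations(pa: dict, exemptions: Iterable[Exemption] = ()) -> list[str]:
    """Flag explicit non-STRICT modes in a PeerAuthentication, top-level or per port.

    An unset top-level mode inherits from the namespace/mesh policy and is not
    flagged here; that inheritance would be checked against the parent policy.
    """
    meta = pa.get("metadata", {}) or {}
    ex = _find(exemptions, meta.get("namespace", "default"), meta.get("name", ""))
    if ex is not None and ex.allow_weak_mtls:
        return []
    spec = pa.get("spec", {}) or {}
    hits = []
    mode = (spec.get("mtls") or {}).get("mode")
    if mode and mode != "STRICT":
        hits.append(f"mtls.mode={mode}")
    for port, cfg in (spec.get("portLevelMtls") or {}).items():
        pmode = (cfg or {}).get("mode")
        if pmode and pmode != "STRICT":
            hits.append(f"portLevelMtls.{port}.mode={pmode}")
    return hits


# Constructed sample manifests (not taken from any real cluster).
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {
        "namespace": "payments", "name": "ledger-0",
        "annotations": {
            "traffic.sidecar.istio.io/excludeOutboundPorts": "5432",
            "traffic.sidecar.istio.io/includeInboundPorts": "8080",
            "prometheus.io/scrape": "true",
        },
    },
}
SAMPLE_PEER_AUTH = {
    "apiVersion": "security.istio.io/v1", "kind": "PeerAuthentication",
    "metadata": {"namespace": "payments", "name": "ledger"},
    "spec": {
        "selector": {"matchLabels": {"app": "ledger"}},
        "mtls": {"mode": "STRICT"},
        "portLevelMtls": {"9090": {"mode": "PERMISSIVE"}},
    },
}

if __name__ == "__main__":
    print("pod:", pod_violations(SAMPLE_POD))
    only_db = Exemption("payments", "ledger-0",
                        frozenset({"traffic.sidecar.istio.io/excludeOutboundPorts"}))
    print("pod with exemption:", pod_violations(SAMPLE_POD, [only_db]))
    print("peer auth:", peer_auth_violations(SAMPLE_PEER_AUTH))
```

Scoping an exemption to exact annotation keys rather than to the whole prefix is the point of the per-key `annotations` field: a workload that legitimately needs to exclude one database port from capture does not thereby get to exclude inbound ports too.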