Istio

EnvoyFilter

With removal of sensitive HTTP headers

The following EnvoyFilter resource removes these HTTP headers, each of which leaks information about the deployment (the resource also strips x-powered-by, which reveals the application framework):

  1. x-envoy-decorator-operation: reveals the internal hostname to external networks

  2. x-envoy-upstream-service-time: reveals that Envoy is being used

  3. server: reveals the server technology being used

Create and apply the following EnvoyFilter using kubectl apply -f ./path/to/envoyfilter.yaml:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  # name: {{ include "istio.fullname" . }}-header-removal
  # labels:
  #   {{- include "istio.labels" . | nindent 4 }}
  name: x-envoy-header-removal
  namespace: web-app
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          server_header_transformation: PASS_THROUGH
  - applyTo: HTTP_ROUTE
    match:
      context: SIDECAR_INBOUND
    patch:
      operation: MERGE
      value:
        decorator:
          propagate: false
        response_headers_to_remove:
          - "server"
          - "x-envoy-decorator-operation"
          - "x-envoy-upstream-service-time"
          - "x-powered-by"
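Once the filter is applied, the way to confirm it works is to capture the response headers of the service and check that none of the listed headers survive. The following POSIX shell check is an added example, not part of the original notes or of Istio: the header list mirrors the response_headers_to_remove entries above, the two sample responses are constructed (not real captures), and the hostname in the usage comment is a placeholder. Note that the match context in the filter is SIDECAR_INBOUND, so the headers are cleaned at the workload's sidecar; the ingress gateway's own listener is not patched by this resource, so run the check against the path traffic actually takes.

```shell
#!/bin/sh
# Added check (not part of the original notes): audit a captured HTTP response
# for the headers the EnvoyFilter above is meant to strip. The list mirrors the
# filter's response_headers_to_remove entries.

LEAKY_HEADERS="server x-envoy-decorator-operation x-envoy-upstream-service-time x-powered-by"

# audit_headers RAW_HEADERS
#   Prints every leaky header line found (header names compared
#   case-insensitively, CRLF tolerated) and returns 1 if any was found,
#   0 if the response is clean.
audit_headers() {
  found=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    # header name is everything before the first colon; the status line
    # and blank lines have no colon and never match
    name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
    for h in $LEAKY_HEADERS; do
      if [ "$name" = "$h" ]; then
        printf '%s\n' "$line"
        found=1
      fi
    done
  done <<EOF
$1
EOF
  return $found
}

# count_leaks RAW_HEADERS: number of leaky headers found, as a plain integer.
count_leaks() {
  audit_headers "$1" | wc -l | tr -d ' '
}

# Constructed sample responses (not real captures): what a sidecar answers
# before the filter is applied, and what it should answer afterwards.
BEFORE_SAMPLE='HTTP/1.1 200 OK
Server: istio-envoy
x-envoy-upstream-service-time: 3
x-envoy-decorator-operation: web-app.web-app.svc.cluster.local:80/*
content-type: text/html'

AFTER_SAMPLE='HTTP/1.1 200 OK
content-type: text/html'

# Usage against a live endpoint (placeholder hostname):
#   audit_headers "$(curl -sI https://app.example.com/)" && echo clean
```

The function reads the response from a here-document rather than a pipe so that the leak counter survives the loop in a plain POSIX sh (a `cmd | while read` loop would run in a subshell and lose it).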

VirtualService

Basic example

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{ include "template.name" . }}
  annotations:
    external-dns.alpha.kubernetes.io/target: {{ .Values.loadBalancer.hostname }}
  labels:
    {{- include "template.labels" . | nindent 4 }}
spec:
  hosts:
  {{ range .Values.config.istio.ingress.urls -}}
    - {{ . | quote }}
  {{ end }}
  gateways:
    - {{ .Values.istio.gateway.namespace }}/{{ .Values.istio.gateway.name }}
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: {{ .Values.istio.ingress.hostname }}
        port:
          number: {{ .Values.service.port }}
