September 29, 2020 — The Envoy Product Security Team (PST) announced the availability of a security fix and a series of patches for Envoy versions 1.12,1.13, 1.14 and 1.15 to address two high-risk vulnerabilities related to header values and HTTP URL paths. In response to CVE-2020-25017. Additionally the Istio community recommends users to upgrade to 1.6.11+ for 1.6.x deployments or 1.7.3 or later for 1.7.x deployments.
Istio founders and contributors Zack Butcher, Sven Mawson, and Liam White discussed all things Istio– covering the latest Istio 1.7 release, what’s to come in 1.8, and practical advice for end users of Istio and the Envoy proxy in Tetrate’s September Istio AMA session.
The release of Istio 1.7 was highly anticipated by the service mesh community and end-users because it addresses a problem that Tetrate was founded to solve: Bringing VMs into the mesh.
As an Open Source project, Envoy has a huge following, and the user numbers are continuing to grow because of how it can be used to solve networking problems that occur in any large, distributed system. But what is it? How do you get started?
How do Virtual Machines and containers talk to each other? How does an Istio mesh make that process easier? Since Istio’s 1.6 release, which has helped bring VMs under control of the mesh, it becomes significantly easier. Istio’s aim as a project is to make life easier, and give organizations a single point of control.
It’s been a common problem that we’ve been asked to address, and something that pops up frequently. Can I use Istio with other ingress proxies? In a word? Yes.
Users of Istio and Envoy are strongly encouraged to upgrade to Istio 1.4.6 and Envoy 1.13.1 or 1.12.3 to address four newly discovered security vulnerabilities. The Envoy update is also available via GetEnvoy.io.
CVE-2020-8659 (CVSS score 7.5, High): Excessive CPU and/or memory usage when proxying HTTP/1.1 Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (e.g., 1 byte) chunks.
The Identity Management & Access Control for Multi-Cloud Conference co-hosted this January by Tetrate and NIST drew 300 attendees to Maryland and and some 600 more participants online. A major takeaway: a Zero Trust Architecture needs service mesh technologies (Istio and Envoy) and Next Generation Access Control (NGAC).
TC Currie sat down with Autotrader UK’s Karl Stoney– a DevOps thought leader– to discuss what led them to Istio.
Karl explains that the main reason for the move had been their wish for transparent, mutual TLS, which they wanted to implement without modification to existing apps. He explains that they understood the best way to do this was using a sidecar model, and began their transformation with the use of Google’s managed Kubernetes offering ‘GKE’ when the conversations then pointed to Istio.
