CVE Fixes, Envoy Proxy & GetEnvoy, Security

Envoy and Istio security releases – June 2020

Istio and the Envoy proxy security team have announced releases that address HIGH severity CVE-2020-11080, with a CVSS score of 7.5.

The vulnerability is excessive CPU usage when processing HTTP/2 SETTINGS frames, which can cause denial of service. A malicious attacker might repeatedly construct a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries), causing the CPU to spike at 100%.

To address the vulnerability, we encourage Envoy users to upgrade to Envoy proxy 1.12.4, 1.13.2 or 1.14.2. You can get the latest release from GetEnvoy.

Istio users should update to 1.5.5 or later for 1.5.x deployments and 1.6.2 or later for 1.6.x deployments.

CVE Fixes, Envoy Proxy & GetEnvoy, Istio, Open Source, Security

Upgrade: Istio and Envoy CVE security fixes

Users of Istio and Envoy are strongly encouraged to upgrade to Istio 1.4.6 and Envoy 1.13.1 or 1.12.3 to address four newly discovered security vulnerabilities. The Envoy update is also available via

CVE-2020-8659 (CVSS score 7.5, High): Excessive CPU and/or memory usage when proxying HTTP/1.1. Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (e.g., 1 byte) chunks.

Envoy Proxy & GetEnvoy, Istio, Open Source

Podcast: How complex is Istio? Learn from its co-founders

The co-creators of Istio, Louis Ryan of Google and Tetrate’s Varun Talwar, talk with TC Currie on the history of Istio, how it came to exist in its current form and the collaboration between Google, IBM and Lyft that got the project off the ground. They address how the project was designed to allow businesses to solve observability issues, routing problems, security, and policy concerns all in one place.

Case Studies, Envoy Proxy & GetEnvoy, Events, Istio, Open Source, Tetrate

Tetrate highlights from KubeCon San Diego: Istio, Envoy, and a brownfield to greenfield use case

Going to KubeCon San Diego? Visit us at Booth SE65.

KubeCon is just 2 weeks away, and Tetrate is excited to be sending our engineers, including top Istio and Envoy contributors. Look for the newly released Istio roadmap, Istio Up and Running, by Lee Calcote and our own Zack Butcher. And stop by and ask us anything about bridging legacy with cloud native.

Envoy Proxy & GetEnvoy, Tetrate

gRPC Transcoding With Istio


There are a lot of advantages to using gRPC instead of HTTP/JSON when building new APIs, like HTTP/2, streaming, cross-language support, server push, etc. The hardest part tends to be legacy services that expect HTTP/JSON. This is why gRPC-JSON transcoding is so attractive: we can implement gRPC servers but expose them to legacy services with an HTTP/JSON interface. Typically, we would use the gRPC Gateway or a product like Google Cloud Endpoints to handle gRPC-JSON transcoding for us, but Envoy implements transcoding too!

Envoy Proxy & GetEnvoy, Open Source

Announcing GetEnvoy, making Envoy adoption easier

Why Envoy Proxy

If you’re running a large, distributed architecture, you’ve probably heard of Envoy, if not pored over its features for controlling, securing and monitoring a system with unwieldy, heterogeneous components. A quick walkthrough, if you haven’t: Originally built at Lyft, Envoy is an open source, edge and service proxy that abstracts the networking functionality away from applications, providing common, platform-agnostic features. Envoy proxies can be deployed beside your applications as a sidecar or run as an edge proxy. (For details, we recommend this CNCF primer).

Envoy Proxy & GetEnvoy, Events, Security

The basics of Envoy and Envoy extensibility

In his 2019 talks at KubeCon Barcelona, Tetrate Engineer and Envoy Senior Maintainer Lizan Zhou presented an overview of Envoy and a deep dive into its extensibility. The service proxy solves a host of operational problems related to observability and networking in large distributed systems, and its extensibility allows it to be adapted to a large variety of end use cases. Tetrate’s GetEnvoy, which provides enterprises with certified and tested Envoy proxy builds, launches next week.

Envoy Proxy & GetEnvoy, Events, Istio, Service Mesh, Tetrate

Envoy extensibility and service mesh; Video highlights from KubeCon Barcelona 2019

At KubeCon Barcelona this May 20-23, 2019, 7,700 attendees gathered to discuss emerging trends in cloud native computing, microservices architectures and container orchestration. Tetrate, which offers enterprise-ready service mesh solutions for networking and observability, was proud to send four of its engineers to participate in five of the scheduled sessions.

Lizan Zhou, who is both a founding engineer at Tetrate and a senior maintainer of Envoy, led both an “Intro to Envoy” session…

Lizan Zhou, “Intro to Envoy”

…and a “Deep Dive into Envoy” focused on extensibility.

Envoy Proxy & GetEnvoy, Events, Open Source, Tetrate

Envoy Proxy: Matt Klein on the standard data plane and where it’s going

Matt Klein, the creator of Envoy, says he had greatly underestimated the market demand for a proxy that could be used in a generic way. The Lyft software engineer wrote Envoy as a “communication bus” to handle issues like rate limiting, circuit breaking, and load balancing. It facilitates network-transparent applications and allows developers to focus on business logic rather than debugging and network management.

The keynote at Tetrate’s Service Mesh Day 2019 covered the rise of Envoy, its ecosystem, and its growth from a proxy into more of a platform.
