Resolve "Implement HSTS / Envoy Default Security Headers Filter"
General MR
Summary
Adds a default EnvoyFilter to increase the security of the Istio cluster by adding the following headers to all gateway-enabled VirtualServices:
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin
Relevant logs/screenshots
✅ alertmanager.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ anchore-api.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ anchore.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ argocd.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ chat.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ containers.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ fortify.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ gitlab.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ grafana.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ harbor.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ holocron.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubdomains;
✅ kiali.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ kibana.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ loki.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ minio-api.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ minio.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ neuvector.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ nexus.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ prometheus.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ registry.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ sonarqube.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains;
✅ tempo.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ thanos.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ thanos-minio.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ tracing.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ twistlock.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ vault.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
Big Bang test runs here: big-bang/bigbang!5293 (closed). The upgrade fails with all-packages, but that seems to be a CI issue. I successfully upgraded a cluster from release 2.38.0 to this branch.
Linked Issue
For #239 (closed)
Upgrade Notices
This release adds a default EnvoyFilter to increase the security of the Istio cluster. The filter, which defaults to enabled, can be disabled with e.g. `istio.Values.defaultSecurityHeaders.enabled: false`. The filter adds the following HTTP headers only when the back-end service does not already provide the header:
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin
In the event these additional headers cause issues with any deployment, you can disable the filter and reach out to the Big Bang team.
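As an added illustration (hypothetical helper code, not the EnvoyFilter shipped by this MR), the Python below models the "add a default only when the back-end did not already send the header" rule and the per-host check behind the results listed above; the sample response headers are constructed, and the HSTS check accepts the `includeSubdomains;` spelling seen for holocron because HSTS directive names are case-insensitive and a trailing `;` is harmless.

```python
"""Model of the default-security-headers behaviour described in the MR,
plus a header audit like the one used for the per-host results.
Hypothetical helper code; the real filter runs inside Envoy."""
import re
from typing import Dict, List

# The four defaults the filter injects (values from the MR description).
DEFAULT_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin",
}


def apply_default_headers(backend: Dict[str, str]) -> Dict[str, str]:
    """Return the headers as the gateway would emit them: a default is added
    only when the back-end did not already send that header. HTTP header
    names compare case-insensitively, so 'x-frame-options' counts."""
    present = {name.lower() for name in backend}
    merged = dict(backend)
    for name, value in DEFAULT_HEADERS.items():
        if name.lower() not in present:
            merged[name] = value
    return merged


def hsts_ok(value: str, min_age: int = 31536000) -> bool:
    """True when max-age is at least `min_age` and includeSubDomains is set.
    Directive names are case-insensitive; empty directives (trailing ';')
    are ignored, which is why 'includeSubdomains;' still passes."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    ages = []
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            ages.append(int(m.group(1)))
    return bool(ages) and ages[0] >= min_age and "includesubdomains" in directives


def audit(response: Dict[str, str]) -> List[str]:
    """Names of expected headers that are missing (or, for HSTS, too weak)."""
    lower = {k.lower(): v for k, v in response.items()}
    failures = []
    for name in DEFAULT_HEADERS:
        got = lower.get(name.lower())
        if got is None or (name == "Strict-Transport-Security" and not hsts_ok(got)):
            failures.append(name)
    return failures


if __name__ == "__main__":
    # Constructed sample: the back-end already sets a stricter X-Frame-Options.
    sample = {"content-type": "text/html", "x-frame-options": "DENY"}
    print(audit(apply_default_headers(sample)))  # prints []
```

To audit a live host, pass the response headers from your HTTP client into `audit`; an empty list corresponds to a ✅ line above.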