UNCLASSIFIED - NO CUI

Skip to content

Resolve "Implement HSTS / Envoy Default Security Headers Filter"

General MR

Summary

Adds a default EnvoyFilter to increase the security of the Istio cluster adding the following headers to all gateway-enabled Virtual Services.

  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • X-Frame-Options: SAMEORIGIN
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin

Relevant logs/screenshots

✅ alertmanager.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ anchore-api.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ anchore.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ argocd.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ chat.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ containers.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ fortify.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ gitlab.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ grafana.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ harbor.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ holocron.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubdomains;
✅ kiali.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ kibana.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ loki.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ minio-api.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ minio.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ neuvector.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ nexus.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ prometheus.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ registry.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ sonarqube.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains;
✅ tempo.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ thanos.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ thanos-minio.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ tracing.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ twistlock.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains
✅ vault.dev.bigbang.mil -->  strict-transport-security: max-age=31536000; includeSubDomains

Big Bang test runs here: big-bang/bigbang!5293 (closed) . The upgrade fails with all-packages, but that seems to be a CI issue. I successfully upgraded a cluster from release 2.38.0 to this branch.

Linked Issue

For #239 (closed)

Upgrade Notices

This release adds a default EnvoyFilter to increase the security of the Istio cluster. This filter -- which defaults to enabled -- can be disabled using e.g. istio.Values.defaultSecurityHeaders.enabled: false. The filter will add the following HTTP headers when the back-end service does not already provide the header.

  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • X-Frame-Options: SAMEORIGIN
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin

In the event these additional headers cause issues with any deployment, you can disable the filter and reach out to the Big Bang team.

Edited by Michael Martin

Merge request reports

Loading