Envoy proxy, the open source edge and service proxy designed for cloud-native applications, today announced the general availability of 1.15.0. The update includes some exciting extensions, including a Postgres filter for network observability. Tetrate’s Chris Pakulski has written a useful walk-through on how to use the Postgres filter.
Starting with release 1.15.0, Envoy proxy supports decoding of Postgres messages for statistics purposes. This feature allows for an aggregated view of the types of Postgres transactions happening in the network. That aggregated view instantly provides a breakdown of the types of Postgres operations and the number and severity of errors. Presenting it in a time series format gives a clear overview of how the error rate or the composition of queries changed over time.
Istio and the Envoy proxy security team have announced releases that address HIGH severity CVE-2020-11080, with a CVSS score of 7.5.
The identified vulnerability relates to excessive CPU usage when processing HTTP/2 SETTINGS frames, which can cause denial of service. A malicious attacker might repeatedly construct a SETTINGS frame with a length of 14,400 bytes (2,400 individual settings entries), causing the CPU to spike to 100%.
To address the vulnerability, we encourage Envoy users to upgrade to Envoy proxy 1.12.4, 1.13.2 or 1.14.2. You can get the latest release from GetEnvoy.
Istio users should update to 1.5.5 or later for 1.5.x deployments and 1.6.2 or later for 1.6.x deployments.
Users of Istio and Envoy are strongly encouraged to upgrade to Istio 1.4.6 and Envoy 1.13.1 or 1.12.3 to address four newly discovered security vulnerabilities. The Envoy update is also available via GetEnvoy.io.
CVE-2020-8659 (CVSS score 7.5, High): Excessive CPU and/or memory usage when proxying HTTP/1.1. Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (e.g., 1 byte) chunks.
The co-creators of Istio, Louis Ryan of Google and Tetrate’s Varun Talwar, talk with TC Currie about the history of Istio, how it came to exist in its current form, and the collaboration between Google, IBM and Lyft that got the project off the ground. They address how the project was designed to allow businesses to solve observability issues, routing problems, security, and policy concerns all in one place.
Going to KubeCon San Diego? Visit us at Booth SE65.
KubeCon is just 2 weeks away, and Tetrate is excited to be sending our engineers, including top Istio and Envoy contributors. Look for the newly released Istio roadmap, Istio Up and Running, by Lee Calcote and our own Zack Butcher. And stop by and ask us anything about bridging legacy with cloud native.
By SAI SITHARAMAN
There are a lot of advantages to using gRPC instead of HTTP/JSON when building new APIs, like HTTP/2, streaming, cross-language support, server push, etc. The hardest part tends to be legacy services that expect HTTP/JSON. This is why gRPC-JSON transcoding is so attractive: we can implement gRPC servers but expose them to legacy services with an HTTP/JSON interface. Typically, we would use the gRPC Gateway or a product like Google Cloud Endpoints to handle gRPC-JSON transcoding for us, but Envoy implements transcoding too!
Why Envoy Proxy
If you’re running a large, distributed architecture, you’ve probably heard of Envoy, if not pored over its features for controlling, securing and monitoring a system with unwieldy, heterogeneous components. A quick walkthrough, if you haven’t: Originally built at Lyft, Envoy is an open source, edge and service proxy that abstracts the networking functionality away from applications, providing common, platform-agnostic features. Envoy proxies can be deployed beside your applications as a sidecar or run as an edge proxy. (For details, we recommend this CNCF primer).
In his 2019 talks at KubeCon Barcelona, Tetrate Engineer and Envoy Senior Maintainer Lizan Zhou presented an overview of Envoy and a deep dive into its extensibility. The service proxy solves a host of operational problems related to observability and networking in large distributed systems, and its extensibility allows it to be adapted to a large variety of end use cases. Tetrate’s GetEnvoy, which provides enterprises with certified and tested Envoy proxy builds, launches next week.
At KubeCon Barcelona this May 20-23, 2019, 7,700 attendees gathered to discuss emerging trends in cloud native computing, microservices architectures and container orchestration. Tetrate, which offers enterprise-ready service mesh solutions for networking and observability, was proud to send four of its engineers to participate in five of the scheduled sessions.
Lizan Zhou, who is both a founding engineer at Tetrate and a senior maintainer of Envoy, led both an “Intro to Envoy” session…
…and a “Deep Dive into Envoy” focused on extensibility.