fix(*): localhost exposed application shouldn't be reachable (#4750)

Signed-off-by: Łukasz Dziedziak <lukidzi@gmail.com>

UPGRADE.md

@@ -24,6 +24,7 @@ changed to agree with the other `image` values.
 * The `/versions` endpoint was removed. This is not something that was reliable enough and version compatibility
 is checked inside the DP
 * We are deprecating `kuma.io/builtindns` and `kuma.io/builtindnsport` annotations in favour of the clearer `kuma.io/builtin-dns` and `kuma.io/builtin-dns-port`. The behavior of the new annotations is unchanged but you should migrate (a warning is present on the log if you are using the deprecated version).
+* Applications that are binding to `localhost` won't be reachable anymore. We are changing the default inbound cluster that was always pointing to `localhost` to `DataplaneIP`. Before upgrade check if your applications are listening on `localhost` and should be exposed. In this case change address on which application listen to `0.0.0.0`. Other option is to define `dataplane.networking.inbound[].serviceAddress` to the address which service is binding. Another way is to disable the new behavior by setting `kuma-cp` configuration `KUMA_DEFAULTS_ENABLE_LOCALHOST_INBOUND_CLUSTERS` to `true` or `defaults.enableLocalhostInboundClusters` to `true`. The last option is going to be removed in further versions.
 
 ## Upgrade to `1.7.x`
 

api/mesh/v1alpha1/dataplane_helpers.go

@@ -12,6 +12,10 @@ import (
 	"github.com/pkg/errors"
 )
 
+// To remove in the future.
+// TODO: https://github.com/kumahq/kuma/issues/4772
+var EnableLocalhostInboundClusters bool
+
 const (
 	// Mandatory tag that has a reserved meaning in Kuma.
 	ServiceTag     = "kuma.io/service"
@@ -158,7 +162,12 @@ func (n *Dataplane_Networking) ToInboundInterface(inbound *Dataplane_Networking_
 	if inbound.ServiceAddress != "" {
 		iface.WorkloadIP = inbound.ServiceAddress
 	} else {
-		iface.WorkloadIP = "127.0.0.1"
+		switch EnableLocalhostInboundClusters {
+		case true:
+			iface.WorkloadIP = "127.0.0.1"
+		default:
+			iface.WorkloadIP = iface.DataplaneIP
+		}
 	}
 	if inbound.ServicePort != 0 {
 		iface.WorkloadPort = inbound.ServicePort

api/mesh/v1alpha1/dataplane_helpers_test.go

@@ -133,7 +133,7 @@ var _ = Describe("Dataplane_Networking", func() {
 						},
 					},
 					expected: []InboundInterface{
-						{DataplaneAdvertisedIP: "192.168.0.1", DataplaneIP: "192.168.0.1", DataplanePort: 80, WorkloadIP: "127.0.0.1", WorkloadPort: 80},
+						{DataplaneAdvertisedIP: "192.168.0.1", DataplaneIP: "192.168.0.1", DataplanePort: 80, WorkloadIP: "192.168.0.1", WorkloadPort: 80},
 						{DataplaneAdvertisedIP: "192.168.0.2", DataplaneIP: "192.168.0.2", DataplanePort: 443, WorkloadIP: "192.168.0.3", WorkloadPort: 8443},
 					},
 				}),

app/kuma-dp/cmd/run.go

@@ -22,6 +22,7 @@ import (
 	"github.com/kumahq/kuma/pkg/core/resources/model/rest"
 	"github.com/kumahq/kuma/pkg/core/runtime/component"
 	core_xds "github.com/kumahq/kuma/pkg/core/xds"
+	"github.com/kumahq/kuma/pkg/util/net"
 	"github.com/kumahq/kuma/pkg/util/proto"
 	kuma_version "github.com/kumahq/kuma/pkg/version"
 	"github.com/kumahq/kuma/pkg/xds/bootstrap/types"
@@ -295,9 +296,11 @@ func getApplicationsToScrape(kumaSidecarConfiguration *types.KumaSidecarConfigur
 	if kumaSidecarConfiguration != nil {
 		for _, item := range kumaSidecarConfiguration.Metrics.Aggregate {
 			applicationsToScrape = append(applicationsToScrape, metrics.ApplicationToScrape{
+				Address:       item.Address,
 				Name:          item.Name,
 				Path:          item.Path,
 				Port:          item.Port,
+				IsIPv6:        net.IsAddressIPv6(item.Address),
 				QueryModifier: metrics.RemoveQueryParameters,
 			})
 		}
@@ -306,7 +309,9 @@ func getApplicationsToScrape(kumaSidecarConfiguration *types.KumaSidecarConfigur
 	applicationsToScrape = append(applicationsToScrape, metrics.ApplicationToScrape{
 		Name:          "envoy",
 		Path:          "/stats",
+		Address:       "127.0.0.1",
 		Port:          envoyAdminPort,
+		IsIPv6:        false,
 		QueryModifier: metrics.AddPrometheusFormat,
 		Mutator:       metrics.MergeClusters,
 	})

app/kuma-dp/pkg/dataplane/envoy/remote_bootstrap_test.go

@@ -300,14 +300,16 @@ var _ = Describe("Remote Bootstrap", func() {
 					Metrics: types.MetricsConfiguration{
 						Aggregate: []types.Aggregate{
 							{
-								Name: "my-app",
-								Port: 123,
-								Path: "/stats",
+								Address: "127.0.0.1",
+								Name:    "my-app",
+								Port:    123,
+								Path:    "/stats",
 							},
 							{
-								Name: "my-app-2",
-								Port: 12345,
-								Path: "/stats/2",
+								Address: "1.2.3.4",
+								Name:    "my-app-2",
+								Port:    12345,
+								Path:    "/stats/2",
 							},
 						},
 					},
@@ -343,13 +345,15 @@ var _ = Describe("Remote Bootstrap", func() {
 		Expect(bootstrap).ToNot(BeNil())
 		Expect(len(kumaSidecarConfiguration.Metrics.Aggregate)).To(Equal(2))
 		Expect(kumaSidecarConfiguration.Metrics.Aggregate).To(ContainElements(types.Aggregate{
-			Name: "my-app",
-			Port: 123,
-			Path: "/stats",
+			Address: "127.0.0.1",
+			Name:    "my-app",
+			Port:    123,
+			Path:    "/stats",
 		}, types.Aggregate{
-			Name: "my-app-2",
-			Port: 12345,
-			Path: "/stats/2",
+			Address: "1.2.3.4",
+			Name:    "my-app-2",
+			Port:    12345,
+			Path:    "/stats/2",
 		}))
 
 	})

app/kuma-dp/pkg/dataplane/metrics/server.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"strconv"
 	"sync"
 
 	"github.com/pkg/errors"
@@ -20,6 +21,9 @@ import (
 	"github.com/kumahq/kuma/pkg/xds/envoy"
 )
 
+var inPassThroughIPv4 = &net.TCPAddr{IP: net.ParseIP("127.0.0.6")}
+var inPassThroughIPv6 = &net.TCPAddr{IP: net.ParseIP("::6")}
+
 var prometheusRequestHeaders = []string{"accept", "accept-encoding", "user-agent", "x-prometheus-scrape-timeout-seconds"}
 var logger = core.Log.WithName("metrics-hijacker")
 
@@ -40,22 +44,41 @@ func AddPrometheusFormat(queryParameters url.Values) string {
 
 type ApplicationToScrape struct {
 	Name          string
+	Address       string
 	Path          string
 	Port          uint32
+	IsIPv6        bool
 	QueryModifier QueryParametersModifier
 	Mutator       MetricsMutator
 }
 
 type Hijacker struct {
-	socketPath           string
-	httpClient           http.Client
-	applicationsToScrape []ApplicationToScrape
+	socketPath                     string
+	upstreamOverrideHttpClientIPv4 http.Client
+	upstreamOverrideHttpClientIPv6 http.Client
+	applicationsToScrape           []ApplicationToScrape
 }
 
 func New(dataplane kumadp.Dataplane, applicationsToScrape []ApplicationToScrape) *Hijacker {
+	// we need this in case of not localhost requests, it returns fast in iptabels
+	dialerV4 := &net.Dialer{
+		LocalAddr: inPassThroughIPv4,
+	}
+	dialerV6 := &net.Dialer{
+		LocalAddr: inPassThroughIPv6,
+	}
 	return &Hijacker{
-		socketPath:           envoy.MetricsHijackerSocketName(dataplane.Name, dataplane.Mesh),
-		httpClient:           http.Client{},
+		socketPath: envoy.MetricsHijackerSocketName(dataplane.Name, dataplane.Mesh),
+		upstreamOverrideHttpClientIPv4: http.Client{
+			Transport: &http.Transport{
+				DialContext: dialerV4.DialContext,
+			},
+		},
+		upstreamOverrideHttpClientIPv6: http.Client{
+			Transport: &http.Transport{
+				DialContext: dialerV6.DialContext,
+			},
+		},
 		applicationsToScrape: applicationsToScrape,
 	}
 }
@@ -110,10 +133,10 @@ func (s *Hijacker) Start(stop <-chan struct{}) error {
 
 // We pass QueryParameters only for the specific application.
 // Currently, we only support QueryParameters for Envoy metrics.
-func rewriteMetricsURL(path string, port uint32, queryModifier QueryParametersModifier, in *url.URL) string {
+func rewriteMetricsURL(address string, port uint32, path string, queryModifier QueryParametersModifier, in *url.URL) string {
 	u := url.URL{
 		Scheme:   "http",
-		Host:     fmt.Sprintf("127.0.0.1:%d", port),
+		Host:     net.JoinHostPort(address, strconv.FormatUint(uint64(port), 10)),
 		Path:     path,
 		RawQuery: queryModifier(in.Query()),
 	}
@@ -157,14 +180,19 @@ func (s *Hijacker) ServeHTTP(writer http.ResponseWriter, req *http.Request) {
 }
 
 func (s *Hijacker) getStats(ctx context.Context, initReq *http.Request, app ApplicationToScrape) []byte {
-	req, err := http.NewRequest("GET", rewriteMetricsURL(app.Path, app.Port, app.QueryModifier, initReq.URL), nil)
+	req, err := http.NewRequest("GET", rewriteMetricsURL(app.Address, app.Port, app.Path, app.QueryModifier, initReq.URL), nil)
 	if err != nil {
 		logger.Error(err, "failed to create request")
 		return nil
 	}
 	s.passRequestHeaders(req.Header, initReq.Header)
 	req = req.WithContext(ctx)
-	resp, err := s.httpClient.Do(req)
+	var resp *http.Response
+	if app.IsIPv6 {
+		resp, err = s.upstreamOverrideHttpClientIPv6.Do(req)
+	} else {
+		resp, err = s.upstreamOverrideHttpClientIPv4.Do(req)
+	}
 	if err != nil {
 		logger.Error(err, "failed call", "name", app.Name, "path", app.Path, "port", app.Port)
 		return nil

app/kuma-dp/pkg/dataplane/metrics/server_test.go

@@ -10,6 +10,7 @@ import (
 var _ = Describe("Rewriting the metrics URL", func() {
 	type testCase struct {
 		input         string
+		address       string
 		adminPort     uint32
 		expected      string
 		queryModifier QueryParametersModifier
@@ -18,21 +19,24 @@ var _ = Describe("Rewriting the metrics URL", func() {
 		func(given testCase) {
 			u, err := url.Parse(given.input)
 			Expect(err).ToNot(HaveOccurred())
-			Expect(rewriteMetricsURL("/stats", given.adminPort, given.queryModifier, u)).Should(Equal(given.expected))
+			Expect(rewriteMetricsURL(given.address, given.adminPort, "/stats", given.queryModifier, u)).Should(Equal(given.expected))
 		},
 		Entry("use the admin port", testCase{
+			address:       "1.2.3.4",
 			input:         "http://foo/bar",
 			adminPort:     99,
-			expected:      "http://127.0.0.1:99/stats?format=prometheus",
+			expected:      "http://1.2.3.4:99/stats?format=prometheus",
 			queryModifier: AddPrometheusFormat,
 		}),
 		Entry("preserve query parameters", testCase{
+			address:       "1.2.3.4",
 			input:         "http://foo/bar?one=two&three=four&filter=test_.*&usedonly",
 			adminPort:     80,
-			expected:      "http://127.0.0.1:80/stats?filter=test_.%2A&format=prometheus&one=two&three=four&usedonly=",
+			expected:      "http://1.2.3.4:80/stats?filter=test_.%2A&format=prometheus&one=two&three=four&usedonly=",
 			queryModifier: AddPrometheusFormat,
 		}),
 		Entry("remove query parameters", testCase{
+			address:       "127.0.0.1",
 			input:         "http://foo/bar?one=two&three=four",
 			adminPort:     80,
 			expected:      "http://127.0.0.1:80/stats",

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/gruntwork-io/terratest v0.40.19
 	github.com/hoisie/mustache v0.0.0-20160804235033-6375acf62c69
 	github.com/kelseyhightower/envconfig v1.4.0
-	github.com/kumahq/kuma-net v0.4.2
+	github.com/kumahq/kuma-net v0.4.3
 	github.com/kumahq/protoc-gen-kumadoc v0.3.1
 	github.com/lib/pq v1.10.6
 	github.com/miekg/dns v1.1.50
@@ -111,7 +111,7 @@ require (
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
-	github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-kit/kit v0.11.0 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
@@ -175,6 +175,8 @@ require (
 	github.com/stretchr/testify v1.7.1 // indirect
 	github.com/subosito/gotenv v1.3.0 // indirect
 	github.com/urfave/cli v1.22.2 // indirect
+	github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
+	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect

go.sum

@@ -549,8 +549,8 @@ github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2H
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
-github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU=
-github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
+github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
+github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g=
 github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks=
 github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
@@ -1018,8 +1018,8 @@ github.com/kumahq/gateway-api v0.0.0-20220714082056-fbb05ce01577 h1:YPnAD+6Sier4
 github.com/kumahq/gateway-api v0.0.0-20220714082056-fbb05ce01577/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA=
 github.com/kumahq/go-control-plane v0.9.10-0.20211022075049-d35edcf0813a h1:RtOjGzZDv0JDtpWthWmxDHXhZRnJBaeIoIHcQrigWdE=
 github.com/kumahq/go-control-plane v0.9.10-0.20211022075049-d35edcf0813a/go.mod h1:utjuSZ1DPHuYf0cTZ8WEsaQf5bwmT1TZiWaQjpJtBF0=
-github.com/kumahq/kuma-net v0.4.2 h1:eNiExbfcs1Oc9veE39MXif5YrXK+TbYX6GULVoo7Oxo=
-github.com/kumahq/kuma-net v0.4.2/go.mod h1:f6FAs2ULvGoJ4NeOoOD5F58oERXQpxZiKUww+iRQPZc=
+github.com/kumahq/kuma-net v0.4.3 h1:Dx9c3DcMWZ0D92pLImxGfKC0FD5yG5739HkrqZKKSzg=
+github.com/kumahq/kuma-net v0.4.3/go.mod h1:Od2oGVTSoOc9teLwPsC81+Qse0FYoHXOB/bxS4BuAsA=
 github.com/kumahq/protoc-gen-kumadoc v0.3.1 h1:tY2dGQJTYVGkhxAHN154fddcWDRy55Pl4+oLT+FhsHo=
 github.com/kumahq/protoc-gen-kumadoc v0.3.1/go.mod h1:F+c9RjgKlv1Q3UEoPJCtMJw8Fd+X5PfG5jlkTSfZOMA=
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=
@@ -1492,10 +1492,14 @@ github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netlink v1.1.1-0.20210330154013-f5de75959ad5/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
+github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
+github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
+github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
 github.com/xanzy/go-gitlab v0.15.0/go.mod h1:8zdQa/ri1dfn8eS3Ir1SyfvOKlw7WBJ8DVThkpGiXrs=

pkg/config/app/kuma-cp/config.go

@@ -27,6 +27,11 @@ var _ config.Config = &Defaults{}
 
 type Defaults struct {
 	SkipMeshCreation bool `yaml:"skipMeshCreation" envconfig:"kuma_defaults_skip_mesh_creation"`
+	// If true, instead of providing inbound clusters with address of dataplane, generates cluster with localhost.
+	// Enabled can cause security threat by exposing application listing on localhost. This configuration is going to
+	// removed.
+	// TODO: https://github.com/kumahq/kuma/issues/4772
+	EnableLocalhostInboundClusters bool `yaml:"enableLocalhostInboundClusters" envconfig:"kuma_defaults_enable_localhost_inbound_clusters"`
 }
 
 func (d *Defaults) Sanitize() {
@@ -174,7 +179,8 @@ var DefaultConfig = func() Config {
 		BootstrapServer:            bootstrap.DefaultBootstrapServerConfig(),
 		Runtime:                    runtime.DefaultRuntimeConfig(),
 		Defaults: &Defaults{
-			SkipMeshCreation: false,
+			SkipMeshCreation:               false,
+			EnableLocalhostInboundClusters: false,
 		},
 		Metrics: &Metrics{
 			Dataplane: &DataplaneMetrics{

pkg/config/app/kuma-cp/kuma-cp.defaults.yaml

@@ -288,6 +288,7 @@ runtime:
 # Default Kuma entities configuration
 defaults:
   skipMeshCreation: false # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION
+  enableLocalhostInboundClusters: false #ENV: KUMA_DEFAULTS_ENABLE_LOCALHOST_INBOUND_CLUSTERS
 
 # Metrics configuration
 metrics:

pkg/config/loader_test.go

@@ -211,6 +211,7 @@ var _ = Describe("Config loader", func() {
 			Expect(cfg.Multizone.Zone.KDS.MaxMsgSize).To(Equal(uint32(2)))
 
 			Expect(cfg.Defaults.SkipMeshCreation).To(BeTrue())
+			Expect(cfg.Defaults.EnableLocalhostInboundClusters).To(BeTrue())
 
 			Expect(cfg.Diagnostics.ServerPort).To(Equal(uint32(5003)))
 			Expect(cfg.Diagnostics.DebugEndpoints).To(BeTrue())
@@ -434,6 +435,7 @@ dnsServer:
   serviceVipEnabled: false
 defaults:
   skipMeshCreation: true
+  enableLocalhostInboundClusters: true
 diagnostics:
   serverPort: 5003
   debugEndpoints: true
@@ -617,6 +619,7 @@ proxy:
 				"KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE":                                                     "2",
 				"KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL":                                    "5s",
 				"KUMA_DEFAULTS_SKIP_MESH_CREATION":                                                         "true",
+				"KUMA_DEFAULTS_ENABLE_LOCALHOST_INBOUND_CLUSTERS":                                          "true",
 				"KUMA_DIAGNOSTICS_SERVER_PORT":                                                             "5003",
 				"KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS":                                                         "true",
 				"KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL":                                          "7s",

pkg/core/bootstrap/bootstrap.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/pkg/errors"
 
+	mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1"
 	"github.com/kumahq/kuma/pkg/api-server/customization"
 	kuma_cp "github.com/kumahq/kuma/pkg/config/app/kuma-cp"
 	config_core "github.com/kumahq/kuma/pkg/config/core"
@@ -125,6 +126,9 @@ func buildRuntime(appCtx context.Context, cfg kuma_cp.Config) (core_runtime.Runt
 		))
 	}
 
+	// The setting should be removed, and there is no easy way to set it without breaking most of the code
+	mesh_proto.EnableLocalhostInboundClusters = builder.Config().Defaults.EnableLocalhostInboundClusters
+
 	builder.WithAccess(core_runtime.Access{
 		ResourceAccess:       resources_access.NewAdminResourceAccess(builder.Config().Access.Static.AdminResources),
 		DataplaneTokenAccess: tokens_access.NewStaticGenerateDataplaneTokenAccess(builder.Config().Access.Static.GenerateDPToken),