fix(*): localhost exposed application shouldn't be reachable

[lukidzi]

Summary

When a user deploys Kuma the behavior of communication with services changes.
When there is no Kuma and the application running within the pod is binding to PodIP or Wildcard(0.0.0.0) other pods are able to reach the application. After Kuma is deployed it's not possible anymore. Instead, applications that bind to localhost or wildcard are exposed outside. That's a big security threat. In this PR we are introducing a different way how the inbound listener is configured by default.

Previously we had an inbound listener that had a static cluster that pointed to the address localhost:PORT. Now it's going to work a bit differently and might be breaking change for applications that were listening on localhost.

1. if dataplane.networking.inbound[].serviceAddress is not defined and transparent proxy is enabled:

• We are creating an inbound cluster that is ORIGINAL_DST so depends on the real Envoy is going to route traffic to the application:
  Flow:
  POD1(curl 10.2.0.5:8080) -> kuma-dp(POD1)/or no kuma-dp -> kuma-dp (POD2) -> listener (inbound:8080) -> cluster (inbound:8080) which is original dst and is going to request 10.2.0.5:8080 but with source IP 127.0.0.6 -> iptables (MESH_OUTPUT) 1 rules -> application listening on 0.0.0.0 or 10.2.0.5.

2. if dataplane.networking.inbound[].serviceAddress is not defined and transparent proxy is disabled:

• We are creating a static cluster with dataplaneIP because we are not able to get the IP address and we don't want to expose localhost. In this case, cluster is using upstream_bind_config to make a faster jump to the application in the first rule of iptables (MESH_OUTPUT) rule 1. This case is tricky and without this we could break health checking on universal.

3. if dataplane.networking.inbound[].serviceAddress is set, we are just using it and creating a static cluster, with the same flow as above to return fast from IPTABLES

What can I do to make the smooth upgrade?

• check if your applications are listening on localhost and should be exposed outside - if no change to 0.0.0.0
• if you want to expose application binding to localhost set dataplane.networking.inbound[].serviceAddress to 127.0.0.1
• you can disable this behavior with kuma-cp configuration or env to kuma-cp KUMA_DEFAULTS_ENABLE_INBOUND_PASSTHROUGH - not recommended, we are going to remove this flag in the future

Full changelog

• [Changed the default inbound cluster from STATIC to ORIGINAL_DST]
• [Setting upstream_bind_address for inbound clusters that don't set have localhost address]
• [Added e2e tests that check behavior with different application bindings]
• [On universal we are using dataplane Ip as fallback when address is not defined and there is no transparent proxy]
• [Changed inbound clusters naming: localhost -> inbound]
• [Made changes to applications metrics scraper to use different address and allows to configure it]

Issues resolved

Fix #4630

Documentation

• Link to the website documentation PR

Testing

• Unit tests
• E2E tests
• Manual testing on Universal
• Manual testing on Kubernetes

Backwards compatibility

• Update UPGRADE.md with any steps users will need to take when upgrading.
• [ ] Add backport-to-stable label if the code follows our backporting policy

[codecov-commenter]

Codecov Report

Merging #4654 (ca96fab) into master (fd3c678) will increase coverage by 0.00%.
The diff coverage is 55.28%.

@@           Coverage Diff            @@
##           master    #4654    +/-   ##
========================================
  Coverage   46.43%   46.44%            
========================================
  Files         687      688     +1     
  Lines       46710    46847   +137     
========================================
+ Hits        21692    21758    +66     
- Misses      23097    23161    +64     
- Partials     1921     1928     +7     

Impacted Files	Coverage Δ
api/mesh/v1alpha1/metrics.pb.go	12.24% <0.00%> (-0.21%)	⬇️
pkg/api-server/server.go	74.38% <0.00%> (-0.31%)	⬇️
pkg/core/bootstrap/bootstrap.go	0.00% <0.00%> (ø)
pkg/hds/tracker/callbacks.go	0.00% <0.00%> (ø)
pkg/plugins/runtime/k8s/metadata/annotations.go	68.88% <ø> (ø)
pkg/xds/bootstrap/components.go	0.00% <0.00%> (ø)
pkg/xds/bootstrap/handler.go	35.89% <0.00%> (-0.47%)	⬇️
...s/envoy/clusters/v3/cleanup_interval_configurer.go	0.00% <0.00%> (ø)
pkg/xds/envoy/names/resource_names.go	21.73% <0.00%> (-0.99%)	⬇️
pkg/xds/sync/dataplane_proxy_builder.go	0.00% <0.00%> (ø)
... and 23 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fd3c678...ca96fab. Read the comment docs.

[lukidzi]

I need to add some tests but the basic logic should be ready.

[michaelbeaumont]

@lukidzi would it be possible to break this into logical commits? IMO it's hard to review a PR this big otherwise

[michaelbeaumont]

Does this change need to be here?

[jakubdyszkiewicz]

revert?

[jakubdyszkiewicz]

also add a security threat if you disable it, and the fact that this will be removed.

[jakubdyszkiewicz]

why would anyone need to set this to anything other than Pod IP?

[jakubdyszkiewicz]

shouldn't it just be added to PassThroughClusterConfigurer?

[jakubdyszkiewicz]

I could use some explanation what is going on here. Why are we setting upstream bind config on this condition?

[jakubdyszkiewicz]

how did it work... we should only be able to delete mesh from global cp

[jakubdyszkiewicz]

global does not have mesh apps

[jakubdyszkiewicz]

same here

[jakubdyszkiewicz]

I'd consider splitting this to Describe("k8s to universal communication") and many Its

Same for other its and second file with e2e tests

[jakubdyszkiewicz]

I'd rather see this in BeforeSuit / BeforeAll / It section. Right now, the scope of this change is not really clear to me.

[lobkovilya]

Great job! I think I covered just half of the changes, I'll need another round

[lobkovilya]

maybe it should be formatted as todo?

[lobkovilya]

and a linked issue to get rid of this

[lobkovilya]

can we use IsUsingInboundTransparentProxy here?

[lobkovilya]

probably just

return d.GetNetworking().GetTransparentProxying().GetRedirectPortInbound() != 0

is enough

[lobkovilya]

Suggested change

	// Address on which a service listen for incoming requests.
	// Address on which a service listens for incoming requests.

[lobkovilya]

I can imagine users just deleting enableInboundPassthrough if they want to disable this behavior. So I'd rather call it DisableInboundPassthrough and in that case deleting it in the future won't be a breaking change if you don't have this field in the config. Also DisableInboundPassthrough gives the user a hint that this is a less desired behavior. WDYT?

[lobkovilya]

can we be sure there are no concurrent reads/writes to this variable?

[lobkovilya]

should this be:

localClusterName = envoy_names.GetInboundClusterName(endpoint. DataplanePort)

because otherwise localClusterName is the same regardless EnableInboundPassthrough

[lobkovilya]

why timeouts are different depending on EnableInboundPassthrough?

[lobkovilya]

I'd call it inboundsByPort to be more obvious what's the key

[lukidzi]

I've redesigned the solution and I will create a new PR which is going to be easier to review. This solution might break the current matching of rules that's why I've implemented this a bit differently. Didn't want to push them here because a number of commits would make it unreadable. Here is the new PR #4750