Repository for dip
tenant-catalog/kubeflow/common/istio-cni-1-24/istio-install/base/patches/disable-debugging.yaml

# Penetration test enhancement: check ports 15010 and 8080 in istiod.
# According to https://istio.io/latest/docs/ops/best-practices/security/#control-plane port 15010
# is not that problematic (only resource discovery). Other parts of the documentation also say:
# | 15010 | GRPC | XDS and CA services (Plaintext, only for secure networks) |
# We have a secure network layer and only XDS is served.
# Port 8080 is not listed in the service, and even if it were somehow reachable by IP it only "offers read access".
# Nevertheless we set ENABLE_DEBUG_ON_HTTP=false to disable it entirely.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istiod
  namespace: istio-system
spec:
  template:
    spec:
      containers:
      - name: discovery
        env:
        - name: ENABLE_DEBUG_ON_HTTP
          value: 'false'