Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hubble: port-forward only to localhost #1317

Merged
merged 1 commit into from
Jan 10, 2023
Merged

hubble: port-forward only to localhost #1317

merged 1 commit into from
Jan 10, 2023

Conversation

kaworu
Copy link
Member

@kaworu kaworu commented Jan 6, 2023
edited
Loading

Avoid exposing Hubble Relay and UI to the network, restrict to localhost. After the patch:

% ./cilium hubble port-forward
% ss -l -t 'sport = :4245'
State           Recv-Q          Send-Q                    Local Address:Port                     Peer Address:Port          Process
LISTEN          0               4096                          127.0.0.1:4245                          0.0.0.0:*
LISTEN          0               4096                              [::1]:4245                             [::]:*

and

% ./cilium hubble ui
% ss -l -t 'sport = :12000'
State           Recv-Q          Send-Q                   Local Address:Port                        Peer Address:Port         Process
LISTEN          0               4096                         127.0.0.1:entextxid                        0.0.0.0:*
LISTEN          0               4096                             [::1]:entextxid                           [::]:*

@kaworu kaworu added the kind/enhancement This would improve or streamline existing functionality. label Jan 6, 2023
@kaworu kaworu requested a review from a team as a code owner January 6, 2023 15:32
@kaworu kaworu temporarily deployed to ci January 6, 2023 15:32 — with GitHub Actions Inactive
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 6, 2023
rolinh
rolinh reviewed Jan 9, 2023
View reviewed changes
hubble/relay.go
"--address", "0.0.0.0",
"--address", "::",
"--address", "127.0.0.1",
"--address", "::1",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The patch LGTM but with issue #1093 in mind, do we actually want to bind to the v6 address?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest to address that in a follow-up PR for #1093 specifically.

@tklauser tklauser merged commit 61d0611 into master Jan 10, 2023
@tklauser tklauser deleted the pr/kaworu/localhost-portfwd branch January 10, 2023 08:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rolinh rolinh rolinh approved these changes

@tklauser tklauser tklauser left review comments

@glibsm glibsm glibsm approved these changes

Assignees
No one assigned
Labels
kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kaworu @glibsm @tklauser @rolinh