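---
# Schema for Envoy extension metadata: the vocabularies (builtin extension
# names, security postures, categories, status values) that per-extension
# metadata is validated against.
# NOTE(review): "builtin" presumably lists extensions compiled into every build
# and therefore exempt from per-extension metadata — confirm against the tooling
# that consumes this file.
builtin:
  - envoy.request_id.uuid
  - envoy.upstreams.tcp.generic
  - envoy.transport_sockets.tls
  - envoy.upstreams.http.http_protocol_options
  - envoy.upstreams.http.generic
  - envoy.route.early_data_policy.default
  - envoy.matching.inputs.request_headers
  - envoy.matching.inputs.request_trailers
  - envoy.matching.inputs.response_headers
  - envoy.matching.inputs.response_trailers
  - envoy.matching.inputs.destination_ip
  - envoy.matching.inputs.destination_port
  - envoy.matching.inputs.source_ip
  - envoy.matching.inputs.source_port
  - envoy.matching.inputs.direct_source_ip
  - envoy.matching.inputs.source_type
  - envoy.matching.inputs.server_name
  - envoy.matching.inputs.transport_protocol
  - envoy.matching.inputs.application_protocol
  - envoy.matching.inputs.uri_san
  - envoy.matching.inputs.dns_san
  - envoy.matching.inputs.subject
  - envoy.regex_engines.google_re2

# All Envoy extensions must be tagged with their security hardening stance with
# respect to downstream and upstream data plane threats. These are verbose
# labels intended to make clear the trust that operators may place in
# extensions. Each entry pairs an allowed posture name with its human-readable
# description (kept as a literal block so the wording is preserved verbatim).
security_postures:
  - name: robust_to_untrusted_downstream
    description: |
      This extension is intended to be robust against untrusted downstream traffic. It
      assumes that the upstream is trusted.
  - name: robust_to_untrusted_downstream_and_upstream
    description: |
      This extension is intended to be robust against both untrusted downstream and
      upstream traffic.
  - name: requires_trusted_downstream_and_upstream
    description: |
      This extension is not hardened and should only be used in deployments
      where both the downstream and upstream are trusted.
  - name: unknown
    # This is functionally equivalent to
    # requires_trusted_downstream_and_upstream, but acts as a placeholder to
    # allow us to identify extensions that need classifying. Treat it as a
    # classification TODO, never as a grant of trust.
    description: |
      This extension has an unknown security posture and should only be
      used in deployments where both the downstream and upstream are
      trusted.
  - name: data_plane_agnostic
    # Not relevant to data plane threats, e.g. stats sinks.
    description: |
      This extension does not operate on the data plane and hence is intended to be robust against untrusted traffic.

# Extension categories as defined by factories
categories:
  - envoy.access_loggers
  - envoy.bootstrap
  - envoy.clusters
  - envoy.compression.compressor
  - envoy.compression.decompressor
  - envoy.config.validators
  - envoy.filters.http
  - envoy.filters.listener
  - envoy.filters.network
  - envoy.filters.udp_listener
  - envoy.formatter
  - envoy.grpc_credentials
  - envoy.guarddog_actions
  - envoy.health_checkers
  - envoy.http.cache
  - envoy.http.header_validators
  - envoy.http.stateful_header_formatters
  - envoy.internal_redirect_predicates
  - envoy.io_socket
  - envoy.http.original_ip_detection
  - envoy.matching.common_inputs
  - envoy.matching.input_matchers
  - envoy.tls.key_providers
  - envoy.quic.proof_source
  - envoy.quic.server.crypto_stream
  - envoy.rate_limit_descriptors
  - envoy.regex_engines
  - envoy.request_id
  - envoy.resource_monitors
  - envoy.retry_host_predicates
  - envoy.retry_priorities
  - envoy.route.early_data_policy
  - envoy.stats_sinks
  - envoy.thrift_proxy.filters
  - envoy.tracers
  - envoy.sip_proxy.filters
  - envoy.transport_sockets.downstream
  - envoy.transport_sockets.upstream
  - envoy.tls.cert_validator
  - envoy.upstreams
  - envoy.udp_packet_writer
  - envoy.wasm.runtime
  - envoy.common.key_value
  - envoy.network.dns_resolver
  - envoy.network.connection_balance
  - envoy.rbac.matchers
  - envoy.access_loggers.extension_filters
  - envoy.http.stateful_session
  - envoy.matching.http.input
  - envoy.matching.network.input
  - envoy.matching.network.custom_matchers

# Allowed maturity statuses, each with a human-readable description.
status_values:
  - name: stable
    # This extension is stable and is expected to be production usable.
    # Explicit null rather than a bare `description:` so the missing value is
    # unambiguous to readers and linters; the parsed value is unchanged.
    description: null
  - name: alpha
    description: |
      This extension is functional but has not had substantial production burn time,
      use only with this caveat.
  - name: wip
    description: |
      This extension is work-in-progress. Functionality is incomplete and it is not intended for production use.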