TYPE envoy_cluster_bind_errors counter
envoy_cluster_bind_errors{cluster_name="xds-grpc"} 0
TYPE envoy_cluster_default_total_match_count counter
envoy_cluster_default_total_match_count{cluster_name="xds-grpc"} 1
TYPE envoy_cluster_http2_dropped_headers_with_underscores counter
envoy_cluster_http2_dropped_headers_with_underscores{cluster_name="xds-grpc"} 0
TYPE envoy_cluster_http2_header_overflow counter
envoy_cluster_http2_header_overflow{cluster_name="xds-grpc"} 0
…
The Health Check service responds as follows:
curl http://127.0.0.1:15021/healthz/ready -v
* Trying 127.0.0.1:15021...
* Connected to 127.0.0.1 (127.0.0.1) port 15021 (#0)
> GET /healthz/ready HTTP/1.1
> Host: 127.0.0.1:15021
> User-Agent: curl/7.69.1
> Accept: */*
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Tue, 16 Mar 2021 05:31:43 GMT
< content-length: 0
< x-envoy-upstream-service-time: 0
< server: envoy
<
* Connection #0 to host 127.0.0.1 left intact
Debug Service
=============
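Port 15000 serves the Envoy admin API. The port is bound to the local loopback address and can only be reached from inside the Pod. Once an attacker controls a container, they can query this service to obtain sensitive information.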
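To confirm from inside a Pod that the admin port really is loopback-only, the kernel's socket table can be checked directly; the sketch below is an added example, not part of the original post, and it parses `/proc/net/tcp` to classify the bind address of port 15000. The sample table is constructed, the function names are hypothetical, and the decoder assumes IPv4 on a little-endian host. A "loopback-only" result still leaves the API reachable by every container in the same Pod, since they share one network namespace.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real Pod):
# 127.0.0.1:15000 LISTEN, 0.0.0.0:15021 LISTEN, one ESTABLISHED connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3A98 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1337        0 1001 1 0 100 0 0 10 0
   1: 00000000:3AAD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1337        0 1002 1 0 100 0 0 10 0
   2: 0100007F:3A98 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1337        0 1003 1 0 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' (IPv4 only, little-endian host assumed)."""
    addr_hex, port_hex = field.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return ipaddress.ip_address(socket.inet_ntoa(packed)), int(port_hex, 16)


def listeners(proc_net_tcp_text):
    """Return (ip, port) for every listening IPv4 TCP socket in the table."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 4 and cols[3] == TCP_LISTEN:
            found.append(decode_endpoint(cols[1]))
    return found


def audit_admin_port(proc_net_tcp_text, admin_port=15000):
    """Classify how the admin port is bound in the given socket table."""
    binds = [ip for ip, port in listeners(proc_net_tcp_text) if port == admin_port]
    if not binds:
        return "not-listening"
    return "loopback-only" if all(ip.is_loopback for ip in binds) else "exposed"


if __name__ == "__main__":
    for ip, port in listeners(SAMPLE_PROC_NET_TCP):
        print(f"LISTEN {ip}:{port}")
    print("admin port 15000:", audit_admin_port(SAMPLE_PROC_NET_TCP))
```
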
curl http://127.0.0.1:15000/help
admin commands are:
/: Admin home page
/certs: print certs on machine
/clusters: upstream cluster status
/config_dump: dump current Envoy configs (experimental)
/contenti