Wasm capability restrictions #45118
Labels
lifecycle/staleproof
Indicates a PR or issue has been deemed to be immune from becoming stale and/or automatically closed
Comments
CC @mathetake
Currently, Istio places no restrictions on Wasm modules running in Envoy. Wasm modules receive all the data, can write any data, make HTTP calls, or modify the internal filter state. This is not consistent with the principle of least privilege when dealing with untrusted third-party code. This is a proposal to add restrictions to Wasm execution by default:
The default capabilities in Wasm can be grouped as follows:
DEFAULT:
BASIC:
ADVANCED:
The logic for grouping is that:
cc @ramaraochavali @ingwonsong