The Envoy Gateway End User Threat Model, in collaboration with the Linux Foundation

By ControlPlane

Envoy, a Graduated Cloud Native Computing Foundation (CNCF) project, is an acclaimed cloud native proxy solution commonly used in microservice architectures. Within the Envoy project, Envoy Gateway provides a way of managing Envoy Proxy as a Kubernetes application gateway following the Gateway API specification. Envoy Gateway allows developers and cluster administrators to manage ingress to their applications by leveraging existing Envoy Proxy capabilities.

As part of their commitment to cloud native security, The Linux Foundation tasked ControlPlane with threat modelling Envoy Gateway to identify key threats and risks affecting the project. Rather than performing a formal security audit of the Envoy Gateway project, the goal was instead to focus on different possible deployment topologies for Envoy Gateway with the goal of deriving recommendations and best practice guidance for end users.

During the exercise, ControlPlane carried out a comprehensive analysis of an Envoy Gateway deployment in a multi-tenant scenario, in order to explore different possible deployment configurations. Additionally, the Gateway API security model and container security best practices where considered to extend the assessment and produce a complete list of recommendations for end users.

As a result, a report containing risks, threats and associated recommendations was delivered. Moreover, a set of attack trees was generated to show the most important attack paths regarding an Envoy Gateway deployment.

This report can be leveraged by any end user to:

• Secure Envoy Gateway deployments and evaluate their associated risks
• Assess attack paths on Envoy Gateway deployments by using the attack trees
• Understand secure by default features provided by Envoy Gateway and the risks associated to misconfigurations

The full report can be found in the Envoy Documentation.