Skip to content

envoy: remove world access to admin socket#44512

Merged
joestringer merged 1 commit intocilium:mainfrom
0xch4z:pr/ck/envoy-admin-socket-perm
Feb 26, 2026
Merged

envoy: remove world access to admin socket#44512
joestringer merged 1 commit intocilium:mainfrom
0xch4z:pr/ck/envoy-admin-socket-perm

Conversation

@0xch4z
Copy link
Copy Markdown
Contributor

@0xch4z 0xch4z commented Feb 24, 2026

Explicitly sets mode 0660 on admin.sock for both embedded and standalone envoy. Without this the socket is created world-accessible.

Fix envoy admin socket being created as world-accessible

@0xch4z 0xch4z requested review from a team as code owners February 24, 2026 16:26
@0xch4z 0xch4z requested a review from jrajahalme February 24, 2026 16:26
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 24, 2026
@0xch4z 0xch4z requested review from nebril and youngnick February 24, 2026 16:26
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Feb 24, 2026
@0xch4z
envoy: remove world access to admin socket
2c388a6 
Explicitly sets mode 0660 on admin.sock for both embedded and standalone
envoy. Without this the socket is created world-accessible.

Signed-off-by: Charlie Kenney <charles.kenney@isovalent.com>
@0xch4z 0xch4z force-pushed the pr/ck/envoy-admin-socket-perm branch from 0979c70 to 2c388a6 Compare February 24, 2026 16:32
@joestringer joestringer added release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Feb 24, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 24, 2026
@joestringer
Copy link
Copy Markdown
Member

joestringer commented Feb 24, 2026

/test

nebril
nebril approved these changes Feb 25, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@nebril nebril left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch!

@joestringer joestringer disabled auto-merge February 26, 2026 01:29
@joestringer joestringer merged commit 7bfbdd5 into cilium:main Feb 26, 2026
78 of 79 checks passed
@nebril nebril mentioned this pull request Mar 2, 2026
Merged
3 tasks
@nebril nebril added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Mar 2, 2026
@nebril nebril mentioned this pull request Mar 2, 2026
Merged
2 tasks
@nebril nebril added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Mar 2, 2026
@nebril nebril mentioned this pull request Mar 2, 2026
Merged
5 tasks
@nebril nebril added the backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. label Mar 2, 2026
@nebril nebril removed the needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch label Mar 2, 2026
@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. labels Mar 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joestringer joestringer joestringer approved these changes

@nebril nebril nebril approved these changes

@youngnick youngnick youngnick approved these changes

@jrajahalme jrajahalme Awaiting requested review from jrajahalme jrajahalme is a code owner automatically assigned from cilium/envoy

Assignees

No one assigned

Labels

backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. kind/community-contribution This was a contribution made by a community member. release-note/bug This PR fixes an issue in a previous release of Cilium.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@0xch4z @joestringer @nebril @youngnick @msune