We are delighted to present version 1.15.1 of Contour Operator, which provides a method for packaging, deploying, and managing Contour.
Fixes
Upgrade to Contour 1.15.1 and Envoy 1.18.3
Upgrades the default Contour version to v1.15.1 and the default Envoy version to 1.18.3 for security and bug fixes. See the Envoy 1.18.3 changelogs for more details.
- CVE-2021-29492 (CVSS score 8.3, High): Envoy versions 1.18.2 and earlier do not decode the escaped slash sequences %2F and %5C in HTTP URL paths. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A backend server could then decode the slash sequences and normalize the path, which would give the attacker access beyond the scope intended by the access control policy.
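The bypass described above comes down to the proxy and the backend disagreeing about what the path is. The following Go program is an added illustration, not code from Contour, Envoy or the Envoy advisory: it models a proxy that collapses dot segments but leaves %2F and %5C undecoded (the pre-1.18.3 behaviour the advisory describes) next to a backend that decodes first, and a hardened proxy that decodes before matching. The /admin rule, the request paths and all function names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Access-control rule for this example: deny /admin and everything under it.
// The rule and the request paths below are constructed for illustration;
// they are not Contour or Envoy configuration.
const blockedPrefix = "/admin"

// blocked applies the prefix rule to a path the caller has already normalized.
func blocked(p string) bool {
	return p == blockedPrefix || strings.HasPrefix(p, blockedPrefix+"/")
}

// proxyNormalize models a proxy that collapses dot segments but leaves
// %2F and %5C undecoded, so "something%2F..%2Fadmin" stays one segment and
// the ".." never takes effect. This is the behaviour the advisory describes
// for Envoy 1.18.2 and earlier.
func proxyNormalize(raw string) string {
	return path.Clean(raw)
}

// backendNormalize models a backend that percent-decodes the path, treats a
// backslash as a separator and then collapses dot segments before routing.
func backendNormalize(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	decoded = strings.ReplaceAll(decoded, `\`, "/")
	if !strings.HasPrefix(decoded, "/") {
		decoded = "/" + decoded
	}
	return path.Clean(decoded), nil
}

// VulnerableProxyAllows reports whether the undecoding proxy would forward
// the request, i.e. whether its view of the path slips past the /admin rule.
func VulnerableProxyAllows(raw string) bool {
	return !blocked(proxyNormalize(raw))
}

// BackendSees returns the path the backend acts on once it has decoded and
// normalized what the proxy forwarded.
func BackendSees(raw string) (string, error) {
	return backendNormalize(raw)
}

// HardenedProxyAllows decodes escaped slashes before matching, so the proxy
// and the backend agree on which path the rule applies to. Rejecting any
// request that carries %2F or %5C is the other sound choice; a malformed
// escape is rejected here rather than forwarded.
func HardenedProxyAllows(raw string) bool {
	n, err := backendNormalize(raw)
	if err != nil {
		return false
	}
	return !blocked(n)
}

func main() {
	for _, raw := range []string{
		"/admin",
		"/something%2F..%2Fadmin",       // the advisory's example
		"/something%5C..%5Cadmin/users", // same trick with an escaped backslash
		"/public/index.html",
	} {
		seen, _ := BackendSees(raw)
		fmt.Printf("%-32s vulnerable_proxy_forwards=%-5v hardened_proxy_forwards=%-5v backend_path=%s\n",
			raw, VulnerableProxyAllows(raw), HardenedProxyAllows(raw), seen)
	}
}
```

Run it and the second line shows the whole problem: the undecoding proxy forwards /something%2F..%2Fadmin because, to it, that is a single harmless segment, while the backend resolves the same bytes to /admin. The hardened variant blocks it because both sides now normalize the same way.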
GatewayClass spec.parametersRef is now a required field
gatewayclasses.spec.parametersRef is now a required field when using the operator to manage the GatewayClass, i.e. controller: projectcontour.io/contour-operator. The referent should be namespace-scoped and refer to an instance of the Contour CRD. For example:

kind: GatewayClass
apiVersion: networking.x-k8s.io/v1alpha1
metadata:
  name: example
spec:
  controller: projectcontour.io/contour-operator
  parametersRef:
    group: operator.projectcontour.io
    kind: Contour
    scope: Namespace
    name: contour-gateway-sample
    namespace: contour-operator

This resolves a panic in the Operator when gatewayclasses.spec.parametersRef was not provided.
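Before upgrading, it is worth listing the operator-managed GatewayClasses that do not yet satisfy this requirement. The Go program below is an added pre-upgrade check, not part of Contour Operator: it parses the JSON that kubectl get gatewayclass -o json produces and reports each class with controller projectcontour.io/contour-operator whose parametersRef is missing or does not point at a namespace-scoped Contour. The function names and the embedded SampleList are constructed for the example; the expected field values are the ones shown in the manifest above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Controller name used by the operator, as shown in the release note.
const operatorController = "projectcontour.io/contour-operator"

// Only the fields the check needs are declared; encoding/json ignores the rest.
type parametersRef struct {
	Group     string `json:"group"`
	Kind      string `json:"kind"`
	Scope     string `json:"scope"`
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

type gatewayClass struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		Controller    string         `json:"controller"`
		ParametersRef *parametersRef `json:"parametersRef"`
	} `json:"spec"`
}

type gatewayClassList struct {
	Items []gatewayClass `json:"items"`
}

// FindInvalid takes the JSON list printed by `kubectl get gatewayclass -o json`
// and returns, keyed by GatewayClass name, why each operator-managed class
// would not satisfy the 1.15.1 requirement. Classes owned by other
// controllers are not the operator's concern and are skipped.
func FindInvalid(listJSON []byte) (map[string]string, error) {
	var list gatewayClassList
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, fmt.Errorf("parsing GatewayClass list: %w", err)
	}
	problems := map[string]string{}
	for _, gc := range list.Items {
		if gc.Spec.Controller != operatorController {
			continue
		}
		ref := gc.Spec.ParametersRef
		switch {
		case ref == nil:
			problems[gc.Metadata.Name] = "spec.parametersRef is missing"
		case ref.Group != "operator.projectcontour.io" || ref.Kind != "Contour":
			problems[gc.Metadata.Name] = fmt.Sprintf(
				"parametersRef points at %s/%s, not operator.projectcontour.io/Contour", ref.Group, ref.Kind)
		case ref.Scope != "Namespace" || ref.Namespace == "":
			problems[gc.Metadata.Name] = "parametersRef must be namespace-scoped (scope: Namespace with a namespace set)"
		case ref.Name == "":
			problems[gc.Metadata.Name] = "parametersRef.name is empty"
		}
	}
	return problems, nil
}

// SampleList is a constructed kubectl-style list, not output from a real
// cluster: one valid class, one with no parametersRef, one with a
// cluster-scoped reference, and one owned by a different controller.
const SampleList = `{
  "apiVersion": "v1", "kind": "List",
  "items": [
    {"apiVersion": "networking.x-k8s.io/v1alpha1", "kind": "GatewayClass",
     "metadata": {"name": "example"},
     "spec": {"controller": "projectcontour.io/contour-operator",
              "parametersRef": {"group": "operator.projectcontour.io", "kind": "Contour",
                                "scope": "Namespace", "name": "contour-gateway-sample",
                                "namespace": "contour-operator"}}},
    {"apiVersion": "networking.x-k8s.io/v1alpha1", "kind": "GatewayClass",
     "metadata": {"name": "legacy"},
     "spec": {"controller": "projectcontour.io/contour-operator"}},
    {"apiVersion": "networking.x-k8s.io/v1alpha1", "kind": "GatewayClass",
     "metadata": {"name": "cluster-ref"},
     "spec": {"controller": "projectcontour.io/contour-operator",
              "parametersRef": {"group": "operator.projectcontour.io", "kind": "Contour",
                                "scope": "Cluster", "name": "contour-gateway-sample"}}},
    {"apiVersion": "networking.x-k8s.io/v1alpha1", "kind": "GatewayClass",
     "metadata": {"name": "other-controller"},
     "spec": {"controller": "example.net/some-other-gateway"}}
  ]
}`

func main() {
	problems, err := FindInvalid([]byte(SampleList))
	if err != nil {
		panic(err)
	}
	for name, why := range problems {
		fmt.Printf("%s: %s\n", name, why)
	}
}
```

To run it against a cluster, replace SampleList with the bytes read from standard input and pipe kubectl get gatewayclass -o json into the program; any class it prints needs a parametersRef like the one in the manifest above before the operator will manage it.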