FEATURE RELEASE
The Ambassador Edge Stack & Ambassador API Gateway 1.6 Now Available
Security updates, Schema validation with kubectl, Performance Improvements, Rate-Limiting RPS Dashboards, and more

We’re excited to announce the release of the Ambassador API Gateway and the Ambassador Edge Stack 1.6. This release continues significant enhancements to security and performance.
Real-time Schema Validation
In 1.6, we’ve added schemas to our Custom Resource Definitions. This enables Kubernetes to validate input resources synchronously and is supported on Kubernetes 1.14 or later.
This means that kubectl apply will immediately report any structural errors in your Ambassador resources, instead of requiring you to wait for an error to show up in the web interface. Here’s an example where the host value is invalid (a list is given where the schema requires a string):

kubectl apply -f - <<EOF
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: mapping
spec:
  prefix: /foo/
  service: foo-service
  host:
  - example.com
EOF

The Mapping "mapping" is invalid: spec.host: Invalid value: "array": spec.host in body must be of type string: "array"
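To show what the schema check is doing when kubectl reports an error like the one above, here is a small structural validator written as an added example (it is not Ambassador's code, and kubectl's own validator is the Kubernetes API server's). MAPPING_SCHEMA is a hand-written approximation that covers only the fields used in the example; the real Ambassador CRD schema is larger. The bad document is the decoded form of the YAML above, and the error string is produced in the same wording kubectl prints.

```python
"""Added example (not Ambassador's code): a minimal structural validator in the
style of the CRD schema check kubectl now performs. MAPPING_SCHEMA is a
hand-written approximation covering only the fields in the example above."""
from typing import Any, Dict, List

# Constructed schema fragment for a Mapping (OpenAPI v3 style, as CRDs use).
MAPPING_SCHEMA: Dict[str, Any] = {
    "type": "object",
    "required": ["apiVersion", "kind", "metadata", "spec"],
    "properties": {
        "apiVersion": {"type": "string"},
        "kind": {"type": "string"},
        "metadata": {
            "type": "object",
            "required": ["name"],
            "properties": {"name": {"type": "string"}},
        },
        "spec": {
            "type": "object",
            "required": ["prefix", "service"],
            "properties": {
                "prefix": {"type": "string"},
                "service": {"type": "string"},
                "host": {"type": "string"},
                "timeout_ms": {"type": "integer"},
            },
        },
    },
}


def json_type(value: Any) -> str:
    """Name the JSON Schema type of a decoded value (bool before int: bool subclasses int)."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "integer"
    if isinstance(value, float):
        return "number"
    if isinstance(value, str):
        return "string"
    if isinstance(value, dict):
        return "object"
    if isinstance(value, list):
        return "array"
    return "null"


def validate(value: Any, schema: Dict[str, Any], path: str = "") -> List[str]:
    """Return a list of error strings; an empty list means the value conforms."""
    where = path or "body"
    errors: List[str] = []
    expected = schema.get("type")
    actual = json_type(value)
    if expected and actual != expected:
        # Same wording kubectl prints for a type mismatch.
        errors.append(
            f'{where}: Invalid value: "{actual}": {where} in body must be of type {expected}: "{actual}"'
        )
        return errors  # a value of the wrong shape is not descended into
    if expected == "object":
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path + '.' if path else ''}{name}: Required value")
        for name, sub in schema.get("properties", {}).items():
            if name in value:
                errors.extend(validate(value[name], sub, f"{path}.{name}" if path else name))
    elif expected == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


# Constructed input: the decoded form of the kubectl example above (host is a list).
BAD_MAPPING: Dict[str, Any] = {
    "apiVersion": "getambassador.io/v2",
    "kind": "Mapping",
    "metadata": {"name": "mapping"},
    "spec": {"prefix": "/foo/", "service": "foo-service", "host": ["example.com"]},
}
GOOD_MAPPING: Dict[str, Any] = {**BAD_MAPPING, "spec": {**BAD_MAPPING["spec"], "host": "example.com"}}


def check_mapping(doc: Dict[str, Any]) -> List[str]:
    return validate(doc, MAPPING_SCHEMA)


if __name__ == "__main__":
    for label, doc in (("good", GOOD_MAPPING), ("bad", BAD_MAPPING)):
        errs = check_mapping(doc)
        print(label, "->", "valid" if not errs else "; ".join(errs))
```

The point of the early return on a type mismatch is the one kubectl makes too: once spec.host is not a string there is nothing meaningful to say about its contents, so the error stops at the field whose shape is wrong rather than cascading.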
Security
Security Audit and Penetration Tests
Penetration testing is part of our strategy around our risk-based approach to security. With this release, we’ve mitigated all medium severity issues identified as part of the penetration test (we had no critical issues in the penetration test, and our high severity issues were addressed immediately).
Envoy 1.14.4 Security Update
The 1.6 release updates Envoy to 1.14.4, addressing CVE-2020-15104. CVE-2020-15104 has a CVSS score of 6.6 (Medium) and concerns a defect in how Envoy validates TLS certificates for subdomains. This vulnerability only applies to situations where you intend to trust a subdomain such as api.subdomain.example.com. In that situation, an untrusted actor who can obtain a signed TLS certificate for *.example.com would also be accepted for the deeper subdomain.
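The rule a validator is supposed to apply is that a wildcard covers exactly one DNS label, so *.example.com covers api.example.com but not api.subdomain.example.com. The following added example (not Envoy's code) puts the single-label rule of RFC 6125 section 6.4.3 beside an over-permissive suffix check that exhibits the kind of over-matching described above; hostname_allowed, matches_strict and matches_lax are names chosen here, and the SAN list is constructed.

```python
"""Added example, not Envoy's code: matching a server hostname against a
wildcard DNS SAN. matches_strict follows RFC 6125 section 6.4.3 (a '*' stands
in for exactly one label, and only in the left-most position); matches_lax is
a bare suffix check that lets '*.example.com' cover api.subdomain.example.com."""
from typing import Callable, Iterable


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; strip a trailing root dot.
    return name.rstrip(".").lower()


def matches_strict(san: str, hostname: str) -> bool:
    """True if hostname is covered by san under single-label wildcard rules."""
    san, hostname = _normalize(san), _normalize(hostname)
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if san_labels[0] != "*":            # wildcard must be the whole left-most label
        return False
    if any("*" in label for label in san_labels[1:]):
        return False                    # no wildcards deeper in the name
    if len(san_labels) < 3:             # refuse '*.com' style names
        return False
    # Same number of labels, and every label after the wildcard identical.
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def matches_lax(san: str, hostname: str) -> bool:
    """Over-permissive variant: a suffix check, so the wildcard absorbs any
    number of labels. Shown only to make the difference visible."""
    san, hostname = _normalize(san), _normalize(hostname)
    if san.startswith("*."):
        return hostname.endswith(san[1:])
    return san == hostname


def hostname_allowed(hostname: str, sans: Iterable[str],
                     matcher: Callable[[str, str], bool] = matches_strict) -> bool:
    """Does any SAN on the presented certificate cover the hostname we intend to trust?"""
    return any(matcher(san, hostname) for san in sans)


if __name__ == "__main__":
    cert_sans = ["*.example.com"]  # constructed: SANs on a certificate being validated
    for host in ("api.example.com", "api.subdomain.example.com"):
        print(host, "strict:", hostname_allowed(host, cert_sans),
              "lax:", hostname_allowed(host, cert_sans, matches_lax))
```

A useful check after upgrading is to confirm the strict behaviour end to end: an upstream that presents a certificate for *.example.com should fail validation when Ambassador is configured to trust api.subdomain.example.com, and only a certificate covering *.subdomain.example.com or the exact name should pass.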
Performance
In this release, we’ve also tuned Ambassador for significantly better performance when large numbers of Mapping resources are in use. We now generate diagnostics on demand instead of on every reconfiguration. We’ve also added a fast validation path for Ambassador resources. Because this change is invasive, the fast validation path is not enabled by default: set the AMBASSADOR_FAST_VALIDATION environment variable to true to enable it. We expect to change the default in the next release of Ambassador.
Tracing
Distributed tracing is a popular observability technique, and Ambassador supports integrations with DataDog, Jaeger, LightStep, and Zipkin. In 1.6, we’ve added support for sampling, which allows target percentages of requests to be traced. For more information, see the tracing service configuration documentation.
Rate-Limiting Dashboards
People ask us all the time: what’s my RPS?
With 1.6, the Ambassador Edge Stack will now give you visibility into your requests per second workload. There are two speedometers. On the left, the speedometer indicates the current and peak requests per second of traffic that is flowing through the AES rate limiter. On the right, the speedometer indicates the current and peak requests per second of traffic flowing through the AES authentication systems. In the AES, traffic that needs to be rate limited or authenticated is free for up to 5 requests per second. Traffic that is not rate limited or authenticated is free for unlimited use.
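The two numbers each speedometer shows, current and peak requests per second, come from a simple gauge over request timestamps. The following is an added example (not Edge Stack code) of such a gauge, fed by constructed events tagged with the subsystem they passed through; "current" counts requests in the trailing one-second window, "peak" is the highest current value observed, and the 5 RPS threshold is the free-tier figure quoted above. The event list, the subsystem names and the function names are all assumptions made for the example.

```python
"""Added example, not Edge Stack code: the current/peak requests-per-second
gauge behind a dashboard speedometer, fed by events from the rate limiter and
the authentication path."""
from collections import deque
from typing import Deque, Dict, Iterable, Tuple

FREE_TIER_RPS = 5  # free-tier threshold quoted in the release notes


class RpsGauge:
    def __init__(self) -> None:
        self._recent: Deque[float] = deque()  # timestamps within the last second
        self.peak = 0

    def _evict(self, now: float) -> None:
        # Drop everything at or before now - 1s, keeping the window (now-1, now].
        while self._recent and self._recent[0] <= now - 1.0:
            self._recent.popleft()

    def record(self, ts: float) -> int:
        """Register one request at time ts (seconds); returns the current RPS."""
        self._recent.append(ts)
        self._evict(ts)
        current = len(self._recent)
        self.peak = max(self.peak, current)
        return current

    def current(self, now: float) -> int:
        self._evict(now)
        return len(self._recent)


# Constructed sample: (timestamp, subsystem). Seven rate-limited requests land
# inside one second, which is above the 5 RPS free tier.
SAMPLE_EVENTS: Tuple[Tuple[float, str], ...] = (
    (100.00, "ratelimit"), (100.05, "auth"), (100.10, "ratelimit"),
    (100.20, "ratelimit"), (100.30, "ratelimit"), (100.40, "ratelimit"),
    (100.50, "ratelimit"), (100.60, "ratelimit"), (100.95, "auth"),
    (101.50, "auth"), (102.10, "ratelimit"), (102.40, "ratelimit"),
)


def summarize(events: Iterable[Tuple[float, str]], now: float) -> Dict[str, Dict[str, object]]:
    """Replay events in time order and report what each speedometer would show at `now`."""
    gauges: Dict[str, RpsGauge] = {"ratelimit": RpsGauge(), "auth": RpsGauge()}
    for ts, subsystem in sorted(events):
        gauges[subsystem].record(ts)
    return {
        name: {
            "current": g.current(now),
            "peak": g.peak,
            "exceeds_free_tier": g.peak > FREE_TIER_RPS,
        }
        for name, g in gauges.items()
    }


if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_EVENTS, now=102.5).items():
        print(f"{name:9s} current={stats['current']} peak={stats['peak']} "
              f"over free tier={stats['exceeds_free_tier']}")
```

Peak is updated at record time rather than at read time, so a burst that finishes between two dashboard refreshes is still reported; a gauge that only sampled "current" on each refresh would miss it.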
Additional Bug Fixes and Enhancements
The following other fixes and enhancements apply to both the Ambassador API Gateway and the Ambassador Edge Stack 1.6:
- Incorporate the Envoy 1.14.4 security update.
- API CHANGE: Turning off the Diagnostics UI via the Ambassador Module disables access to it from outside the Ambassador Pod.
- API CHANGE: Default to not updating Mapping status; see below.
- Feature: Add support for circuit breakers in TCP mapping (thanks, Pierre Fersing (https://github.com/PierreF)!)
- Feature: Ambassador CRDs now include schema. This enables validation by kubectl apply.
- Feature: Advanced TLS configuration can be specified in Host resource via tlsContext and tls fields.
- Feature: Implement sampling percentage in tracing service.
- Internal: Configuration endpoints used internally by Ambassador are no longer accessible from outside the Ambassador Pod.
- Bugfix: envoy_log_format can now be set with envoy_log_type: text.
- Docs: Fixed OAuth2 documentation spelling errors (thanks, Travis Byrum (https://github.com/travisbyrum)!)
- As previously announced, the default value of AMBASSADOR_UPDATE_MAPPING_STATUS has now changed from true to false; Ambassador will no longer attempt to update the Status of a Mapping unless you explicitly set AMBASSADOR_UPDATE_MAPPING_STATUS=true in the environment. If you do not have tooling that relies on Mapping status updates, we do not recommend setting AMBASSADOR_UPDATE_MAPPING_STATUS.
- *In Ambassador 1.7*, TLS secrets in Ingress resources will not be able to use .namespace suffixes to cross namespaces.
The following other fixes and enhancements apply to the Ambassador Edge Stack 1.6:
- Feature: The Edge Policy Console’s Debugging page now has a “Log Out” button to terminate all EPC sessions.
- Feature: The X-Content-Type-Options: nosniff response header is now set for the Edge Policy Console, to prevent MIME confusion attacks.
- Feature: The OAuth2 Filter now has an allowMalformedAccessToken setting to enable use with IDPs that generate access tokens that are not compliant with RFC 6750.
- Bugfix: All JWT Filter errors are now formatted per the specified errorResponse.
- Feature: Options for making Redis connection pooling configurable.
- Bugfix: User is now directed to the correct URL after clicking in Microsoft Office.
- Feature: The Console’s Dashboard page has speedometer gauges to visualize Rate Limited and Authenticated traffic.
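For the allowMalformedAccessToken item above, it helps to see what "compliant with RFC 6750" means concretely. RFC 6750 section 2.1 defines the bearer token as b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=", so tokens containing colons, braces or spaces are outside the grammar even though some identity providers issue them. The following is an added example (not Edge Stack code) of that syntax check applied to an Authorization header; the allow_malformed parameter is a hypothetical stand-in for the filter setting, and the sample headers are constructed.

```python
"""Added example, not Edge Stack code: the syntax test an OAuth2 filter can
apply to a bearer access token, per RFC 6750 section 2.1. allow_malformed is
a hypothetical parameter standing in for a filter-level setting."""
import re
from typing import Optional, Tuple

# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def is_rfc6750_token(token: str) -> bool:
    return _B64TOKEN.match(token) is not None


def parse_bearer(header_value: str, allow_malformed: bool = False) -> Tuple[Optional[str], str]:
    """Split an Authorization header value into (token, reason).
    token is None when the header is rejected; reason explains the decision."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":  # scheme names are case-insensitive
        return None, "not a Bearer credential"
    token = parts[1].strip()
    if is_rfc6750_token(token):
        return token, "ok"
    if allow_malformed:
        return token, "accepted: not RFC 6750 syntax, allowed by configuration"
    return None, "rejected: not RFC 6750 syntax"


# Constructed headers: a JWT (compliant), a padded base64 value (compliant),
# two opaque formats outside the grammar, and a non-Bearer scheme.
SAMPLE_HEADERS = {
    "jwt": "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl",
    "padded": "Bearer dGVzdA==",
    "colons": "Bearer v1:acct:abcdef",
    "braces": "Bearer {opaque-token}",
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        _, strict_reason = parse_bearer(value)
        _, lenient_reason = parse_bearer(value, allow_malformed=True)
        print(f"{name:7s} strict: {strict_reason:38s} lenient: {lenient_reason}")
```

Note that passing the syntax check says nothing about whether the token is valid; it only decides whether the filter will hand the value on to the verification step at all, which is why a lenient mode is a configuration choice rather than a default.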
Get Started Today
The Ambassador Edge Stack is a complete superset of the open-source Ambassador API Gateway, with integrated support for rate limiting, authentication, filter management, and more. You can install the Ambassador Edge Stack in three simple steps. To get started, follow the quick start.
Installing and Upgrading to 1.6
The latest versions of Ambassador are now available here:
- Ambassador API Gateway: https://hub.docker.com/r/datawire/ambassador
- Ambassador Edge Stack: https://hub.docker.com/r/datawire/aes
You can also install it with Helm.
# Add repository and create namespace
helm repo add datawire https://www.getambassador.io

# Helm 3
kubectl create namespace ambassador && helm install ambassador --namespace ambassador datawire/ambassador

# Helm 2
kubectl create namespace ambassador && helm install --name ambassador --namespace ambassador datawire/ambassador
To install the Ambassador Edge Stack, follow the quick start.
Upgrading
If you are upgrading your existing Ambassador API Gateway or Ambassador Edge Stack installation, you should apply our updated CRD configuration. This is true whether you use YAML or Helm installation — Helm will not upgrade existing CRDs. Type:
kubectl apply -f https://www.getambassador.io/yaml/aes-crds.yaml
Then, upgrade normally by changing the version in your image to 1.6.