[Bug 2098393] [NEW] [needs-packaging] azure-proxy-agent
Launchpad Bug Tracker
2098393 at bugs.launchpad.net
Wed Feb 19 15:03:13 UTC 2025
You have been subscribed to a public bug by Gauthier Jolly (gjolly):
URL: https://github.com/Azure/GuestProxyAgent/
License: MIT
Notes:
The GuestProxyAgent (GPA) enhances the security of Azure Instance Metadata Service (IMDS) and Azure Wireserver endpoints (e.g., 169.254.169.254 and 168.63.129.16) on Azure IaaS virtual machines. It introduces strong authentication and authorization measures to mitigate common attacks such as confused deputy (e.g., SSRF) and sandbox escapes that target metadata services.
GPA intercepts HTTP requests to these endpoints using eBPF, allowing it
to verify the identity of in-guest processes. By transitioning from a
default-open to a default-closed access model, GPA ensures that only
authorized processes (as defined by a trusted delegate established at
provisioning) can retrieve sensitive metadata. Requests must include an
HMAC-based signature generated with a long-lived secret negotiated
during setup, reinforcing the point-to-point trust relationship.
Test builds are available from ppa:gjolly/azure-proxy-agent
(https://launchpad.net/~gjolly/+archive/ubuntu/azure-proxy-agent2)
** Affects: ubuntu
Importance: Wishlist
Status: New
** Tags: needs-packaging
--
[needs-packaging] azure-proxy-agent
https://bugs.launchpad.net/bugs/2098393
You received this bug notification because you are a member of Ubuntu Sponsors, which is subscribed to the bug report.