by rcconf
445 days ago
I am a little confused about the comment section about this being overblown, it really isn't. Ignore all the comments in this post and fix this ASAP.

Here's a simple test: `kubectl exec -it` a pod: `curl -k --fail https://ingress-nginx-controller-admission.ingress-nginx.svc...` If you see 400 Bad Request, that means this pod has access to the admission controller.

How easy would it be to find an avenue to make a request to the admission controller for anything running on your k8s cluster? (Maybe your service takes any kind of URL and makes a request on your server... there are infinite possibilities of exploiting this.)

I am rethinking my choice in using ingress-nginx entirely, perhaps it's time to find a simpler solution that has more secure defaults.