bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity

fc-distribution: restrict public IngressRoute to GET+HEAD only

Browse Source 
Live verification 2026-04-24 caught POST /blobs on dist.flowercore.io
returning 201 Created with the blob persisted — admin write operations
reachable on the public surface. Controller-level strict entitlement
was on, but that gates reads; writes weren't blocked at all.

Fix: add Method(GET) || Method(HEAD) to the Host match on the public
IngressRoute. POST/PUT/PATCH/DELETE now miss every route for
dist.flowercore.io and Traefik returns 404 before the pod sees the
request. Edge-level defense-in-depth on top of the controller's
strict-mode entitlement check.

The internal IngressRoute for dist.iamworkin.lan stays unrestricted —
admin POST /blobs + POST /manifests flows keep working from the lab.
This commit is contained in:
Andrew Stoltz
2026-04-23 20:12:25 -05:00
parent c3cc404beb
commit 436185818d
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
apps/fc-distribution/fc-distribution.yaml
View File

@@ -331,7 +331,12 @@ spec:
entryPoints: entryPoints:
- websecure - websecure
routes: routes:
- match: Host(`dist.flowercore.io`) # Method allowlist: Host + (GET || HEAD). Anything else misses every
# route and Traefik returns 404 before reaching the pod — edge-level
# defense-in-depth over the controller's strict-mode entitlement check.
# Together these block admin ops (POST /blobs, POST /manifests*) from
# ever being processed on the public surface.
- match: Host(`dist.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
kind: Rule kind: Rule
middlewares: middlewares:
- name: dist-public-profile-header - name: dist-public-profile-header