Live verification 2026-04-24 caught POST /blobs on dist.flowercore.io returning 201 Created with the blob persisted — admin write operations reachable on the public surface. Controller-level strict entitlement was on, but that gates reads; writes weren't blocked at all. Fix: add Method(GET) || Method(HEAD) to the Host match on the public IngressRoute. POST/PUT/PATCH/DELETE now miss every route for dist.flowercore.io and Traefik returns 404 before the pod sees the request. Edge-level defense-in-depth on top of the controller's strict-mode entitlement check. The internal IngressRoute for dist.iamworkin.lan stays unrestricted — admin POST /blobs + POST /manifests flows keep working from the lab.
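The two IngressRoute objects described in the commit, written out as an added example (not the project's own manifests): the public route restricted to GET/HEAD beside the internal one left unrestricted. Entry point names, namespace, service name, port and TLS secret name are assumptions.

```yaml
# Added example, not the project's manifests. Entry point names ("websecure",
# "web-internal"), namespace, service name, port and TLS secret are assumed.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dist-public
  namespace: registry                  # assumed
spec:
  entryPoints:
    - websecure                        # assumed public entry point
  routes:
    # Before the fix the match was just Host(`dist.flowercore.io`), so every
    # method, POST /blobs included, reached the pod and relied solely on the
    # controller's entitlement check, which only gates reads.
    # With the Method restriction, POST/PUT/PATCH/DELETE match no route on
    # this host and Traefik answers 404 before the request reaches the pod.
    - kind: Rule
      match: "Host(`dist.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))"
      services:
        - name: dist-controller        # assumed
          port: 8080                   # assumed
  tls:
    secretName: dist-flowercore-io-tls # assumed
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dist-internal
  namespace: registry                  # assumed
spec:
  entryPoints:
    - web-internal                     # assumed lab-only entry point
  routes:
    # Unrestricted on purpose: admin POST /blobs and POST /manifests
    # keep working from the lab network.
    - kind: Rule
      match: "Host(`dist.iamworkin.lan`)"
      services:
        - name: dist-controller        # assumed
          port: 8080                   # assumed
```

Note that the restriction also drops OPTIONS on the public host, so any browser-facing client that sends CORS preflights to dist.flowercore.io would need OPTIONS added to the match. A quick check after applying is `curl -s -o /dev/null -w '%{http_code}' -X POST https://dist.flowercore.io/blobs`, which should print 404 while the same request with `-X GET` still reaches the controller.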