block some unauthenticated routes in kurl-proxy (#4108)

* block some unauthenticated routes in kurl-proxy * do not block troubleshoot routes
replicatedhq · Nov 3, 2023 · 5c2bb44 · 5c2bb44
1 parent e048c7b
commit 5c2bb44
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/kurl_proxy/cmd/main.go b/kurl_proxy/cmd/main.go
@@ -449,6 +449,14 @@ func getHttpsServer(upstream, dexUpstream *url.URL, tlsSecretName string, secret
 		}()
 	})
 
+	// these paths should not be exposed outside the cluster
+	r.GET("/license/v1/license", func(c *gin.Context) {
+		c.AbortWithStatus(http.StatusForbidden)
+	})
+	r.POST("/api/v1/app/custom-metrics", func(c *gin.Context) {
+		c.AbortWithStatus(http.StatusForbidden)
+	})
+
 	if dexUpstream != nil {
 		r.Any("/dex/*path", gin.WrapH(httputil.NewSingleHostReverseProxy(dexUpstream)))
 	}

diff --git a/pkg/handlers/handlers.go b/pkg/handlers/handlers.go
@@ -339,6 +339,9 @@ func RegisterTokenAuthRoutes(handler *Handler, debugRouter *mux.Router, loggingR
 }
 
 func RegisterUnauthenticatedRoutes(handler *Handler, kotsStore store.Store, debugRouter *mux.Router, loggingRouter *mux.Router) {
+	// These routes are not authenticated
+	// if the route does not need to be accessed from outside the cluster, it should be blocked in kurl-proxy
+
 	debugRouter.HandleFunc("/healthz", handler.Healthz)
 	loggingRouter.HandleFunc("/api/v1/login", handler.Login)
 	loggingRouter.HandleFunc("/api/v1/login/info", handler.GetLoginInfo)