diff --git a/kurl_proxy/cmd/main.go b/kurl_proxy/cmd/main.go
index bf408803be..b0a69d0f59 100644
--- a/kurl_proxy/cmd/main.go
+++ b/kurl_proxy/cmd/main.go
@@ -449,6 +449,14 @@ func getHttpsServer(upstream, dexUpstream *url.URL, tlsSecretName string, secret
 		}()
 	})
 
+	// these paths should not be exposed outside the cluster
+	r.GET("/license/v1/license", func(c *gin.Context) {
+		c.AbortWithStatus(http.StatusForbidden)
+	})
+	r.POST("/api/v1/app/custom-metrics", func(c *gin.Context) {
+		c.AbortWithStatus(http.StatusForbidden)
+	})
+
 	if dexUpstream != nil {
 		r.Any("/dex/*path", gin.WrapH(httputil.NewSingleHostReverseProxy(dexUpstream)))
 	}
diff --git a/pkg/handlers/handlers.go b/pkg/handlers/handlers.go
index f8853fc4b1..7af485a2d1 100644
--- a/pkg/handlers/handlers.go
+++ b/pkg/handlers/handlers.go
@@ -339,6 +339,9 @@ func RegisterTokenAuthRoutes(handler *Handler, debugRouter *mux.Router, loggingR
 }
 
 func RegisterUnauthenticatedRoutes(handler *Handler, kotsStore store.Store, debugRouter *mux.Router, loggingRouter *mux.Router) {
+	// These routes are not authenticated
+	// if the route does not need to be accessed from outside the cluster, it should be blocked in kurl-proxy
+
 	debugRouter.HandleFunc("/healthz", handler.Healthz)
 	loggingRouter.HandleFunc("/api/v1/login", handler.Login)
 	loggingRouter.HandleFunc("/api/v1/login/info", handler.GetLoginInfo)
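Review bot: The block is scoped to a single HTTP method per path (`r.GET` for `/license/v1/license`, `r.POST` for `/api/v1/app/custom-metrics`), so any other method on the same path — HEAD, POST, PUT, OPTIONS for the license route; GET for the metrics route — misses these handlers and falls through to whatever catch-all forwards traffic to the upstream (that fallback is outside this hunk, but the comment says these paths must not be reachable from outside the cluster, so a method-scoped deny defeats the intent). gin does not route HEAD to GET handlers and by default has `HandleMethodNotAllowed` off, so the fall-through is silent; the upstream side registers its unauthenticated routes with plain `HandleFunc` (second hunk), which presumably accepts every method, though the handlers for these two paths are not visible here. Register the denies for all methods: `r.Any("/license/v1/license", func(c *gin.Context) { c.AbortWithStatus(http.StatusForbidden) })` and `r.Any("/api/v1/app/custom-metrics", func(c *gin.Context) { c.AbortWithStatus(http.StatusForbidden) })`, ideally via one small helper so future entries cannot get the method wrong. getHttpsServer starts before this hunk and continues after it.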
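Review bot: The new comment describes a cross-file invariant (internal-only routes registered here must also be denied in kurl-proxy) but does not say where the deny list lives or why it is needed, so the two lists will drift unnoticed; RegisterUnauthenticatedRoutes itself enforces nothing. Name the other side explicitly: `// These routes are not authenticated. Nothing here restricts where they can be reached from: any route registered in this function that must not be reachable from outside the cluster has to be denied explicitly in kurl_proxy/cmd/main.go (getHttpsServer) — keep the two lists in sync.` The function body continues past the end of this hunk, so routes registered further down are covered by the same caveat.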