SECURITY: The /health endpoint should be on a different port than the webhook #73

NickLarsenNZ · 2025-01-21T10:12:09Z

Problem

Currently, the /health endpoint runs on the same port as the webhook.

The webhook doesn't implement any authentication mechanism, which means you must expose the webhook to the rest of the cluster (and possibly outside the cluster, depending on the CNI) just to enable readiness/liveness probes.

It would be ideal to limit it to local connections from external-dns to external-dns-ionos-webhook when running as a side-car (ie: listen on 127.0.0.1). But this currently breaks the readiness/liveness probes.

Proposal:

Run a separate server (in a go routine) specifically for /health which can safely be exposed.

Similar to what is done (opt-in) for metrics: #70

The text was updated successfully, but these errors were encountered:

NickLarsenNZ changed the title ~~security: health endpoint should be on a different port than the webhook~~ SECURITY: health endpoint should be on a different port than the webhook Jan 21, 2025

NickLarsenNZ changed the title ~~SECURITY: health endpoint should be on a different port than the webhook~~ SECURITY: The /health endpoint should be on a different port than the webhook Jan 21, 2025

NickLarsenNZ mentioned this issue Jan 21, 2025

SECURITY: Support basic authentication for webhook endpoints #74

Open

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SECURITY: The /health endpoint should be on a different port than the webhook #73

SECURITY: The /health endpoint should be on a different port than the webhook #73

NickLarsenNZ commented Jan 21, 2025 •

edited

Loading

SECURITY: The /health endpoint should be on a different port than the webhook #73

SECURITY: The /health endpoint should be on a different port than the webhook #73

Comments

NickLarsenNZ commented Jan 21, 2025 • edited Loading

Problem

Proposal:

NickLarsenNZ commented Jan 21, 2025 •

edited

Loading