@icy
Created December 10, 2019 16:35
security-nginx-ingress-controller.yaml
### A flawed setup of the nginx ingress controller
Assume you have two sites, `publicA` and `privateB`, both running on the
same `k8s` cluster and exposed through the nginx ingress controller.
The site `publicA` requires authentication and the site `privateB`
doesn't. Consider the following setup:
```
public ELB/ALB  --> publicA  (with authentication)
private ELB/ALB --> privateB
```
If `privateB` has no password protection, it can be reached from the public
side. The ingress controller routes on the `Host` header, not on which load
balancer the request arrived through, so sending `privateB`'s host name to
`publicA`'s public address lands on `privateB`:
```
curl -L <publicA> -H "Host: <privateB>"
```
Mitigation:
* Restrict `privateB` with a source-IP whitelist of trusted ranges
* Use a different ingress class for private services, so they are served by a separate controller that is not behind the public load balancer
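As an added defender's check (not part of the gist): a Python audit over the output of `kubectl get ingress -A -o json` that flags private hosts served by the public controller's ingress class without a source-IP whitelist, i.e. the exposure described above. The sample data, host names and the `find_exposed_private_hosts` function are constructed here; the two annotation names are real nginx ingress controller annotations.

```python
"""Audit Ingress objects for the flaw above: a private host routed by the same
nginx ingress controller (same ingress class) as a public site and carrying no
source-IP whitelist is reachable via the public load balancer by Host header."""
import json

CLASS_ANNOTATION = "kubernetes.io/ingress.class"  # legacy way to set the class
ALLOWLIST_ANNOTATION = "nginx.ingress.kubernetes.io/whitelist-source-range"

def ingress_class(ing):
    """Class from spec.ingressClassName, falling back to the legacy annotation."""
    spec_class = ing.get("spec", {}).get("ingressClassName")
    if spec_class:
        return spec_class
    return ing.get("metadata", {}).get("annotations", {}).get(CLASS_ANNOTATION)

def hosts(ing):
    """All host names the Ingress routes on."""
    return [r["host"] for r in ing.get("spec", {}).get("rules", []) if r.get("host")]

def find_exposed_private_hosts(ingress_list, private_hosts, public_class):
    """Return (namespace/name, host) for private hosts that share the public
    controller's class and have no whitelist-source-range annotation."""
    findings = []
    for ing in ingress_list.get("items", []):
        meta = ing.get("metadata", {})
        annotations = meta.get("annotations", {})
        if ingress_class(ing) != public_class or ALLOWLIST_ANNOTATION in annotations:
            continue  # served by another controller, or IP-restricted: fine
        for host in hosts(ing):
            if host in private_hosts:
                findings.append((f"{meta.get('namespace')}/{meta.get('name')}", host))
    return findings

# Constructed sample, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "public-a", "namespace": "web",
               "annotations": {"kubernetes.io/ingress.class": "nginx"}},
  "spec": {"rules": [{"host": "publica.example.com"}]}},
 {"metadata": {"name": "private-b", "namespace": "internal", "annotations": {}},
  "spec": {"ingressClassName": "nginx", "rules": [{"host": "privateb.example.com"}]}},
 {"metadata": {"name": "private-c", "namespace": "internal", "annotations": {}},
  "spec": {"ingressClassName": "nginx-internal", "rules": [{"host": "privatec.example.com"}]}}
]}""")
PRIVATE_HOSTS = {"privateb.example.com", "privatec.example.com"}

if __name__ == "__main__":
    for ref, host in find_exposed_private_hosts(SAMPLE, PRIVATE_HOSTS, "nginx"):
        print(f"{ref}: {host} is reachable through the public controller")
```

Only `private-b` is reported: `private-c` uses a separate ingress class, which is the second mitigation above.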