Yes, this is something we need to fully consider. I was exposed to this type of vulnerability in Kubernetes ingress-nginx last year.
Chao Zhang <zchao1...@gmail.com> wrote on Tuesday, March 22, 2022 at 11:41:

> Hi Community,
>
> What I care about is if this will cause some security vulnerabilities such
> as:
>
> I just write 127.0.0.1:9090 (APISIX Control API Address) in the
> ExternalName service, and the privacy data of APISIX will be exposed.
>
> If we really want to implement this feature, security is the most important
> step.
>
> Chao Zhang
> https://github.com/tokers
>
> On March 21, 2022 at 09:34:21, Jintao Zhang (zhangjin...@apache.org)
> wrote:
>
> I have seen some voices in the community, hoping that APISIX Ingress can
> proxy external services, e.g.: [1], [2]
>
> For these two types of requirements, it is a relatively simple requirement
> for [1], we only need to add the corresponding External name type service
> to complete.
>
> But for [2], I found a very interesting situation. No other Ingress
> controller implements similar functionality yet, and I think this would be
> a huge feature.
>
> APISIX actually supports setting the domain name to nodes in the upstream.
> But APISIX Ingress is not yet supported.
>
> To achieve the above function, we can set a special resolveGranularity to
> directly convert the record of external name to Node.
>
> WDYT?
>
> [1]: https://github.com/apache/apisix-ingress-controller/issues/813
> [2]: https://github.com/apache/apisix-ingress-controller/issues/645
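The concern in the quoted message, an ExternalName that points at 127.0.0.1:9090, can be checked before the name is converted into an upstream node. The sketch below is an added example, not part of the thread and not code from apisix-ingress-controller; `CheckExternalName`, `Resolver`, `lookup` and the DNS records are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Resolver is injected so the check runs offline (an assumption of this example).
type Resolver func(host string) []net.IP

// CheckExternalName (hypothetical helper) rejects a target that is, or resolves
// to, an address local to the proxy, such as the 127.0.0.1:9090 case above.
func CheckExternalName(target string, resolve Resolver) error {
	host := target
	if h, _, err := net.SplitHostPort(target); err == nil {
		host = h // drop an optional :port
	}
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("externalName %q refers to the local host", target)
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal, so look the name up
		if ips = resolve(host); len(ips) == 0 {
			return fmt.Errorf("externalName %q does not resolve", target)
		}
	}
	for _, ip := range ips { // one bad record is enough to reject
		if ip.IsLoopback() || ip.IsUnspecified() || ip.IsLinkLocalUnicast() {
			return fmt.Errorf("externalName %q maps to local address %s", target, ip)
		}
	}
	return nil
}

// constructedDNS is sample data made up for this example, not real records.
var constructedDNS = map[string][]net.IP{
	"api.example.com":   {net.ParseIP("203.0.113.10")},
	"mixed.example.com": {net.ParseIP("203.0.113.11"), net.ParseIP("127.0.0.1")},
}

func lookup(host string) []net.IP { return constructedDNS[host] }

func main() {
	for _, t := range []string{"127.0.0.1:9090", "api.example.com", "mixed.example.com"} {
		fmt.Println(t, "->", CheckExternalName(t, lookup))
	}
}
```

A name can resolve to a different address later, so the same check belongs wherever the name is re-resolved, not only where the resource is first accepted.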