index-worker & reindex-worker are exposed
When a record-changed event is triggered by Storage, it results in a Service Bus message from Storage that is handled by the indexer-queue service. That service calls standard HTTP endpoints of the indexer service via its Kubernetes-internal name; these calls never transit the App Gateway or leave the cluster.
The indexer service exposes those same endpoints outside the cluster. Most service endpoints are protected by an Istio AuthorizationPolicy that requires a valid token (the service then uses that token to extract user information for its own authorization checks), but indexer-queue sends no token with these requests, and the indexer service's AuthorizationPolicy excludes these endpoints from the token requirement.
Any outside caller can therefore send requests to these endpoints with no authentication and no restriction. This could be exploited to mount denial-of-service attacks, send forged event messages, or use vulnerabilities in the indexer service to compromise the entire OSDU system. Because no token is required, anyone can do this; and because the OSDU Community software is open-source, the endpoint paths are public knowledge, so "security through obscurity" offers no protection either.
Recommended approaches to solve this:
- Use the indexer VirtualService to reject external requests to these endpoints, so they are reachable only from within the Kubernetes cluster.
- Add a token to the requests indexer-queue sends to the **indexer** service's index-worker and reindex-worker endpoints.
- Additionally, consider using Istio mTLS and/or a Kubernetes NetworkPolicy to restrict traffic to the indexer service's index-worker and reindex-worker endpoints to traffic originating from indexer-queue.
There may be other acceptable solutions.
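The following is an added illustration of the third option, not a manifest from the OSDU project: the first AuthorizationPolicy models the weak shape described above (a catch-all token rule plus a rule that exempts the worker paths from any source), and the second replaces the blanket exemption with a rule that admits the worker paths only from the indexer-queue workload identity over mTLS. The namespace `osdu`, the labels `app: indexer`, the service account `indexer-queue`, and the paths under `/api/indexer/v2/_dps/task-handlers/` are assumptions for illustration; substitute the deployment's real values.

```yaml
# ASSUMED weak policy (illustrative, not the project's actual manifest).
# Rule 1: any request carrying a validated JWT is allowed.
# Rule 2: the worker paths are allowed with no "from" clause at all,
#         i.e. from any source, with or without a token.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: indexer            # assumed name
  namespace: osdu          # assumed namespace
spec:
  selector:
    matchLabels:
      app: indexer         # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths:             # assumed paths
        - /api/indexer/v2/_dps/task-handlers/index-worker
        - /api/indexer/v2/_dps/task-handlers/reindex-worker
---
# Hardened replacement (added example).
# Rule 1: token still required for everything except the worker paths.
# Rule 2: worker paths are accepted only from the indexer-queue service
#         account, identified by its SPIFFE principal; a request arriving
#         via the ingress gateway has a different principal and no rule
#         matches, so the sidecar returns 403.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: indexer
  namespace: osdu
spec:
  selector:
    matchLabels:
      app: indexer
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        notPaths:
        - /api/indexer/v2/_dps/task-handlers/*
  - from:
    - source:
        # assumed: <trust domain>/ns/<namespace>/sa/<service account>
        principals: ["cluster.local/ns/osdu/sa/indexer-queue"]
    to:
    - operation:
        methods: ["POST"]
        paths:
        - /api/indexer/v2/_dps/task-handlers/index-worker
        - /api/indexer/v2/_dps/task-handlers/reindex-worker
---
# Peer identity in "principals" is only meaningful when the connection is
# mutually authenticated, so enforce STRICT mTLS on the indexer workload.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: indexer-mtls
  namespace: osdu
spec:
  selector:
    matchLabels:
      app: indexer
  mtls:
    mode: STRICT
```

Two caveats. With an ALLOW policy attached, Istio denies any request that matches no rule, so a plaintext or gateway-originated POST to a worker path is rejected even before STRICT mTLS is applied; the PeerAuthentication closes the remaining gap where a caller could present a forged identity over plaintext. And a Kubernetes NetworkPolicy operates at L3/L4 and cannot distinguish paths, so it can restrict which pods may reach the indexer pod at all but cannot by itself carve out only the worker endpoints; it complements rather than replaces the path-level policy above. To verify, a POST to one of the worker paths through the App Gateway without a token should now return 403 from the sidecar, while the same call from the indexer-queue pod should still succeed.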