Workload can bypass ACL through ingress controller service

[zip-chanko]

Hello,

Is there a way to prevent a workload trying to access another workload which it isn't supposed to be via the ingress controller service? May I request any example if there is way to prevent?

In the below diagram, app-b is not allowed to talk to app-a by preventing using the ServerAuthorization ACL. ingress-controller can talk to both apps to forward the traffic from external. So ingress-controller identity is allowed in both apps' Server objects.

But somehow there is a way app-b can bypass the app-a ACL and talk to ingress-controller service instead by manipulating the host header.

[olix0r]

So, essentially, your ingress controller is an open relay: anything that can access it can access app-a. Your best option is probably to restrict access to your ingress controller to originate from outside the cluster network. This can probably be accomplished with an AuthorizationPolicy that, ideally, only allows traffic from the ALB network.

[zip-chanko]

I guess you are mentioning about using kind: NetworkAuthentication. The problem is normally the cidr range is same for both ALB network and pods network when using a EKS with vpc-cni on AWS. Also the IPs of the ALB are not static. It will still allow the pods to ingress nginx if the ALB network is allowed.