Summary
The agentgateway component's inference-gateway Gateway is materialized by the controller into a type: LoadBalancer Service with no source-range restriction. On every cloud this provisions an internet-facing load balancer open to 0.0.0.0/0, exposing the (plaintext HTTP, unauthenticated) inference endpoint to the public internet.
Impact
A security scan flagged this on an AICR-provisioned EKS cluster. Any inference recipe deployment got a publicly reachable gateway by default, with no first-class way to restrict it from a recipe.
Resolution
Fixed by #1138 — adds agentgateway.allowedSourceRanges, rendered into the generated Service's spec.loadBalancerSourceRanges (honored by the AWS, GCP, Azure, and OCI cloud load balancers), so operators scope the gateway via a recipe overlay / componentRef override.
Live remediation already applied to the affected clusters:
- EKS
aicr2 (H100) and b40 — scoped to the NV HQ range (216.228.127.128/30); ELB security groups confirmed admitting only that CIDR.
- GB200 EKS — pre-scoped to the same range (its gateway LoadBalancer had not provisioned, so no live public surface).
Notes / follow-ups
allowedSourceRanges filters by source IP only; it does not add TLS or authentication to the gateway listener (separate hardening follow-up).
- Default remains empty (non-breaking); operators opt into scoping. A secure-by-default
ClusterIP alternative is documented in the PR for future consideration.
Summary
The
agentgatewaycomponent'sinference-gatewayGateway is materialized by the controller into atype: LoadBalancerService with no source-range restriction. On every cloud this provisions an internet-facing load balancer open to0.0.0.0/0, exposing the (plaintext HTTP, unauthenticated) inference endpoint to the public internet.Impact
A security scan flagged this on an AICR-provisioned EKS cluster. Any inference recipe deployment got a publicly reachable gateway by default, with no first-class way to restrict it from a recipe.
Resolution
Fixed by #1138 — adds
agentgateway.allowedSourceRanges, rendered into the generated Service'sspec.loadBalancerSourceRanges(honored by the AWS, GCP, Azure, and OCI cloud load balancers), so operators scope the gateway via a recipe overlay /componentRefoverride.Live remediation already applied to the affected clusters:
aicr2(H100) andb40— scoped to the NV HQ range (216.228.127.128/30); ELB security groups confirmed admitting only that CIDR.Notes / follow-ups
allowedSourceRangesfilters by source IP only; it does not add TLS or authentication to the gateway listener (separate hardening follow-up).ClusterIPalternative is documented in the PR for future consideration.