Skip to content

agentgateway inference-gateway provisions a public LoadBalancer open to 0.0.0.0/0 #1139

Description

@yuanchen8911

Summary

The agentgateway component's inference-gateway Gateway is materialized by the controller into a type: LoadBalancer Service with no source-range restriction. On every cloud this provisions an internet-facing load balancer open to 0.0.0.0/0, exposing the (plaintext HTTP, unauthenticated) inference endpoint to the public internet.

Impact

A security scan flagged this on an AICR-provisioned EKS cluster. Any inference recipe deployment got a publicly reachable gateway by default, with no first-class way to restrict it from a recipe.

Resolution

Fixed by #1138 — adds agentgateway.allowedSourceRanges, rendered into the generated Service's spec.loadBalancerSourceRanges (honored by the AWS, GCP, Azure, and OCI cloud load balancers), so operators scope the gateway via a recipe overlay / componentRef override.

Live remediation already applied to the affected clusters:

  • EKS aicr2 (H100) and b40 — scoped to the NV HQ range (216.228.127.128/30); ELB security groups confirmed admitting only that CIDR.
  • GB200 EKS — pre-scoped to the same range (its gateway LoadBalancer had not provisioned, so no live public surface).

Notes / follow-ups

  • allowedSourceRanges filters by source IP only; it does not add TLS or authentication to the gateway listener (separate hardening follow-up).
  • Default remains empty (non-breaking); operators opt into scoping. A secure-by-default ClusterIP alternative is documented in the PR for future consideration.

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions