feat(agentgateway): scope inference-gateway LB to allowed source ranges #1138
Actionable comments posted: 2
Inline comments:
In `@docs/user/component-catalog.md`:
- Line 70: Update the sentence that first uses "CIDRs" to define the acronym on
first use by expanding it to "Classless Inter-Domain Routing (CIDR)" before
using the short form; specifically modify the line mentioning
agentgateway.allowedSourceRanges and spec.loadBalancerSourceRanges so it reads
something like "set agentgateway.allowedSourceRanges to a list of Classless
Inter-Domain Routing (CIDR) blocks (CIDRs)" and then continue using "CIDRs"
afterward.
In `@recipes/components/agentgateway/values.yaml`:
- Around line 49-51: Update the comment that currently states "list values
cannot be passed via `--set` (scalar only)" to avoid being incorrect: reword it
to acknowledge that Helm 3 supports setting lists via `--set` (e.g., `{a,b}` or
indexed form `servers[0]=...`) and `--set-json`, but recommend using a recipe
overlay override for better maintainability and clarity; edit the comment block
in values.yaml where the current guidance about `--set` and recipe overlays
appears so it suggests overlays as the preferred approach rather than the only
option.
0c24cc5 to 9e2e31e
Actionable comments posted: 1
Inline comments:
In `@recipes/components/agentgateway/values.yaml`:
- Line 59: The template condition in manifests/inference-gateway.yaml uses if
$agw.allowedSourceRanges so an empty list (allowedSourceRanges: []) is treated
the same as unset; update the test or the values to make the presence
detectable: either change the template to test for the key’s existence (e.g.,
check if hasKey .Values "agentgateway" and index existence or use default nil
distinction) or update recipes/components/agentgateway/values.yaml to set a
non-empty default for allowedSourceRanges when you want the “present” assertion
(replace [] with a sentinel like ["0.0.0.0/0"] or another non-empty override
used in tests); refer to the $agw variable,
.Values.agentgateway.allowedSourceRanges, and
service.spec.loadBalancerSourceRanges when making the fix.
50ee459 to 825162a
The agentgateway controller materializes the inference-gateway Gateway into a type=LoadBalancer Service, which every cloud provisions as an internet-facing load balancer open to 0.0.0.0/0 — exposing the plaintext, unauthenticated inference endpoint to the public internet.

Add an `agentgateway.allowedSourceRanges` value rendered into the generated Service's spec.loadBalancerSourceRanges via the AgentgatewayParameters CR. This field is honored by the AWS, GCP, Azure, and OCI cloud load balancers, so one setting locks the gateway down on every platform.

The default is intentionally empty (unrestricted) so deployments work out of the box regardless of network; a baked-in CIDR would firewall every downstream deployment to one network. Operators scope it via a recipe/componentRef override (lists cannot be passed through scalar-only --set).

Extends the agentgateway bundle-template chainsaw test to cover both the open-by-default and configured-source-range paths, and documents the exposure and the knob in the component catalog.
825162a to d9adba3
…exposure

The agentgateway inference-gateway is provisioned as a public LoadBalancer open to 0.0.0.0/0 by default (NVIDIA#1138). The default is defensible, but the exposure was silent — nothing in bundle output or validation flagged that the inference endpoint is internet-facing. Add two guardrails that keep open-by-default while removing the silence.

1. Bundle-time warning (pkg/bundler): when a bundle includes agentgateway with an empty allowedSourceRanges, emit a non-blocking warning that the inference-gateway will be open to 0.0.0.0/0, with remediation. Mirrors the existing storageClassName PVC warning and inspects the merged component values, so it catches the empty state regardless of override mechanism.

2. Conformance finding (validators/conformance): extend the existing inference-gateway check (already wired into every inference overlay) to assess the gateway's LoadBalancer Service and record its exposure as evidence — scoped source ranges, or an explicit open-to-0.0.0.0/0 finding. Open-by-default stays a non-fatal warning; AICR_REQUIRE_SCOPED_INFERENCE_GATEWAY=true escalates it to a check failure (fail-closed policy).

Docs: component-catalog gains an "Exposure guardrails" subsection; cli-reference documents the bundle warning; validation.md and the validator env table cover the conformance finding and the enforcement env var.

Closes NVIDIA#1160
…exposure

The agentgateway inference-gateway is provisioned as a public LoadBalancer open to 0.0.0.0/0 by default (NVIDIA#1138). The default is defensible, but the exposure was silent — nothing in bundle output or validation flagged that the inference endpoint is internet-facing. Add two guardrails that keep open-by-default while removing the silence.

1. Bundle-time warning (pkg/bundler): when a bundle includes agentgateway with an unscoped allowedSourceRanges, emit a non-blocking warning that the inference-gateway will be open to 0.0.0.0/0, with remediation. Mirrors the existing storageClassName PVC warning and inspects the merged component values, so it catches the open state regardless of override mechanism.

2. Conformance finding (validators/conformance): extend the existing inference-gateway check (already wired into every inference overlay) to assess the gateway's LoadBalancer Service and record its exposure as evidence — scoped source ranges, or an explicit open-to-0.0.0.0/0 finding. Open-by-default stays a non-fatal warning; AICR_REQUIRE_SCOPED_INFERENCE_GATEWAY=true escalates it to a check failure (fail-closed policy).

An "unscoped" source-range list is empty OR contains an any-source CIDR (0.0.0.0/0 or ::/0) — a length-only check would let an explicit ["0.0.0.0/0"] pass enforcement. The exposure assessment filters to the inference-gateway Service by name (mirroring the EndpointSlice readiness filter) so a co-located LoadBalancer is neither mislabeled nor able to fail enforce mode. The InferenceGatewayCheckName constant is exported and locked by TestEmbeddedCatalog_InferenceGatewayEntryExists so a catalog rename can't silently no-op enforcement forwarding.

Docs: component-catalog gains an "Exposure guardrails" subsection; cli-reference documents the bundle warning; validation.md and the validator env table cover the conformance finding and the enforcement env var.

Closes NVIDIA#1160
Summary

Adds an `agentgateway.allowedSourceRanges` option that scopes the `inference-gateway` LoadBalancer to operator-supplied source CIDRs (rendered into the generated Service's `spec.loadBalancerSourceRanges`). One portable setting locks the gateway down on AWS, GCP, Azure, and OCI.

Motivation / Context

The agentgateway controller materializes the `inference-gateway` Gateway into a `type: LoadBalancer` Service, which every cloud provisions as an internet-facing load balancer open to `0.0.0.0/0` — exposing the plaintext, unauthenticated inference endpoint to the public internet. A security scan flagged exactly this on an AICR-provisioned cluster. There was previously no first-class way to restrict that exposure from a recipe.

Fixes: N/A
Related: AICR inference-gateway public-exposure finding (internal security review)

Type of Change

Component(s) Affected

- `recipes/components/agentgateway`)
- `docs/`)
- `tests/chainsaw` (bundle-template test)

Implementation Notes

- `AgentgatewayParameters` CR (`spec.service.spec.loadBalancerSourceRanges`), which the controller merges onto the generated Service — so no new mechanism is introduced.
- `--set`, the knob is set through a recipe overlay / `componentRef` override (documented in the component catalog).

Alternative considered: ClusterIP-by-default

A stronger, secure-by-default alternative was prototyped: default the gateway Service to `ClusterIP` (no public load balancer at all — reach it in-cluster or via `kubectl port-forward`), with `LoadBalancer` + source ranges / internal-scheme annotations as an explicit opt-in. It removes the public surface entirely rather than narrowing it, and verified end-to-end (default ClusterIP, opt-in LoadBalancer+ranges, internal-LB-via-annotations all render correctly).

This PR takes the less disruptive path — keep the existing LoadBalancer behavior and add scoping — because ClusterIP-by-default changes out-of-the-box behavior (no external ingress unless explicitly enabled) and is a broader product decision. The ClusterIP-default variant can be adopted as a follow-up if the team prefers secure-by-default; the `allowedSourceRanges` knob composes with it.

Testing

Recipes-YAML / docs / chainsaw-test only — no Go changes — so per the repo's infra-only verification guidance, scoped checks were run in place of full `make qualify` (Go unit tests, `-race`, e2e, and golangci-lint cannot regress from non-code changes):

Also verified on a live EKS cluster: with `allowedSourceRanges` set, the generated ELB security group admitted only the configured CIDR (no `0.0.0.0/0`); requests from out-of-range sources were dropped at the ELB.

CRD field-path validity (resolves the cross-review open question)

`AgentgatewayParameters.spec.service.spec.loadBalancerSourceRanges` is accepted by the installed CRD and is merged onto the generated Service:

Review follow-up: `--set` wording hardened

CodeRabbit correctly flagged that the docs understated the `--set` risk. Confirmed empirically: `--set agentgateway:allowedSourceRanges=1.2.3.4/32` exits 0 but renders `loadBalancerSourceRanges: 1.2.3.4/32` (a bare string, not a list) — a type-invalid Service. The values.yaml comment and the component-catalog doc now warn against `--set` for this key and point to the overlay/`componentRef` override (which renders a correct list). Also hardened the chainsaw assertions with `set -e` so each check fails closed (without it, only the last command's status counted).

Risk Assessment

Rollout notes: No migration needed. The default (empty) renders no source-range restriction, identical to prior behavior. Operators opt into scoping via an overlay/`componentRef` override.

Checklist

- `make test` / `-race` N/A: no Go changes)
- `yamllint` clean (golangci-lint N/A: no Go changes)
- `git commit -S`)
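
The "unscoped" rule from the follow-up commit message (empty list, or a list containing an any-source CIDR) and the bare-string `--set` render described under the review follow-up, combined in one added Go example; this is not the project's code. Only `agentgateway.allowedSourceRanges` and `AICR_REQUIRE_SCOPED_INFERENCE_GATEWAY` come from the page: the type and function names, the decoded-map layout of the values, treating a malformed value as an error, and generalizing "any-source" to every zero-length prefix are assumptions of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"os"
)

// Exposure is a hypothetical classification of agentgateway.allowedSourceRanges.
type Exposure string

const (
	Scoped    Exposure = "scoped"    // every entry is a CIDR narrower than /0
	Open      Exposure = "open"      // unset, empty, or contains an any-source CIDR
	Malformed Exposure = "malformed" // not a list of CIDR strings
)

// AssessSourceRanges classifies the merged component values (assumed here to
// be a decoded YAML map). It checks type and content, not just length.
func AssessSourceRanges(values map[string]any) (Exposure, string) {
	agw, _ := values["agentgateway"].(map[string]any)
	raw, ok := agw["allowedSourceRanges"]
	if !ok || raw == nil {
		return Open, "allowedSourceRanges is unset"
	}
	list, ok := raw.([]any)
	if !ok {
		// A scalar such as "1.2.3.4/32" is the bare-string render, not a list.
		return Malformed, fmt.Sprintf("allowedSourceRanges must be a list, got %T", raw)
	}
	if len(list) == 0 {
		return Open, "allowedSourceRanges is empty"
	}
	anySource := ""
	for _, item := range list {
		s, ok := item.(string)
		if !ok {
			return Malformed, fmt.Sprintf("entry %v is not a string", item)
		}
		prefix, err := netip.ParsePrefix(s)
		if err != nil {
			return Malformed, fmt.Sprintf("entry %q is not a CIDR: %v", s, err)
		}
		// A zero-length prefix matches every address: 0.0.0.0/0, ::/0, and
		// unmasked spellings such as 10.0.0.0/0.
		if prefix.Bits() == 0 && anySource == "" {
			anySource = s
		}
	}
	if anySource != "" {
		return Open, fmt.Sprintf("%s admits any source", anySource)
	}
	return Scoped, fmt.Sprintf("%d source range(s) configured", len(list))
}

// Evaluate turns the assessment into a warning or an error. Open is a
// non-fatal warning unless enforce is true; failing on Malformed is an
// assumption of this example.
func Evaluate(values map[string]any, enforce bool) (warning string, err error) {
	exposure, detail := AssessSourceRanges(values)
	switch exposure {
	case Scoped:
		return "", nil
	case Malformed:
		return "", errors.New("agentgateway: " + detail)
	}
	msg := "agentgateway: inference-gateway will be open to 0.0.0.0/0 (" + detail + ")"
	if enforce {
		return "", errors.New(msg)
	}
	return msg, nil
}

// withRanges builds constructed sample values for the demo below.
func withRanges(v any) map[string]any {
	return map[string]any{"agentgateway": map[string]any{"allowedSourceRanges": v}}
}

func main() {
	enforce := os.Getenv("AICR_REQUIRE_SCOPED_INFERENCE_GATEWAY") == "true"
	samples := []any{ // constructed inputs, not taken from the PR
		[]any{},
		[]any{"0.0.0.0/0"},
		[]any{"203.0.113.0/24", "::/0"},
		"1.2.3.4/32",
		[]any{"203.0.113.0/24"},
	}
	for _, s := range samples {
		warning, err := Evaluate(withRanges(s), enforce)
		fmt.Printf("%v -> warning=%q err=%v\n", s, warning, err)
	}
}
```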