Ingress Audit

I've done a simple audit of all our Ingresses (the old way of exposing our services; the current practice is to use the Istio Ingress Gateway) in the staging and production clusters, listed here: https://docs.google.com/spreadsheets/d/1kLpQCi07RnXfcYKkbhcGr_DbbLeUKT2y0bClsK_8vx8/edit?usp=sharing.

Findings

I found that some of those services are directly accessible (they return a 2xx status code) via https://<public-ip>, i.e. they do not validate the hostname and are not routed by the Host header.
By our standard, a service that is not intended for the public (e.g. an internal dashboard tool) must be protected by at least a login mechanism. You can also use our SSO proxy layer (guarded by Auth0 login) by following these instructions: https://github.com/tvlk-data/data-devops/wiki/Istio-How-To-Expose-Dashboard-To-Public.
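The check behind the finding above, as an added example (not part of this audit page nor of the data-devops repository): it reads the JSON that `kubectl get ingress -A -o json` prints, flags every Ingress whose routing does not depend on the Host header (a rule with no `host`, or a `spec.defaultBackend`), and can then probe the load-balancer IP the way the audit did, treating a 2xx on the bare IP as "answers without hostname validation". The Ingress names, namespaces and 203.0.113.x addresses in the embedded sample are constructed; whether the service behind an exposed route is login-protected is a separate manual check.

```python
"""Audit helper: find Ingresses reachable via https://<public-ip> (no hostname validation).

Added example, not part of the original audit page. Input is the JSON printed by
`kubectl get ingress --all-namespaces -o json`; the sample below is constructed.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request
from typing import List, Optional

# Constructed sample of `kubectl get ingress -A -o json` output (names and IPs are made up).
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {   # catch-all rule: no `host`, so it matches any Host header, including a bare IP
            "metadata": {"name": "internal-dashboard", "namespace": "tools"},
            "spec": {"rules": [{"http": {"paths": [{"path": "/"}]}}]},
            "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
        },
        {   # bound to a hostname: a request for https://203.0.113.11/ does not match this rule
            "metadata": {"name": "public-api", "namespace": "prod"},
            "spec": {"rules": [{"host": "api.example.com", "http": {"paths": [{"path": "/"}]}}]},
            "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.11"}]}},
        },
        {   # defaultBackend: receives every request that matches no rule
            "metadata": {"name": "legacy-ui", "namespace": "tools"},
            "spec": {"defaultBackend": {"service": {"name": "legacy-ui", "port": {"number": 80}}}},
            "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.12"}]}},
        },
    ]
})


def find_catch_all_ingresses(kubectl_json: str) -> List[dict]:
    """Return the Ingresses whose routing ignores the Host header.

    A rule without `host` applies to all traffic reaching the load-balancer IP,
    and `spec.defaultBackend` catches everything no rule matched; either makes the
    service reachable via https://<public-ip> regardless of hostname.
    """
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        spec = item.get("spec", {})
        reasons = []
        if "defaultBackend" in spec:
            reasons.append("spec.defaultBackend routes unmatched traffic")
        for i, rule in enumerate(spec.get("rules", [])):
            if not rule.get("host"):
                reasons.append(f"rules[{i}] has no host")
        if reasons:
            lb = item.get("status", {}).get("loadBalancer", {}).get("ingress", [])
            findings.append({
                "namespace": item["metadata"]["namespace"],
                "name": item["metadata"]["name"],
                "ips": [e["ip"] for e in lb if e.get("ip")],
                "reasons": reasons,
            })
    return findings


def probe_by_ip(ip: str, timeout: float = 5.0) -> Optional[int]:
    """GET https://<ip>/ with no matching Host header; return the status code, or None
    if the connection fails. Certificate checks are off because a cert issued for a
    hostname never matches a bare IP; point this only at load balancers you own."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(f"https://{ip}/", timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 3xx/4xx/5xx: a route is bound, but not the 2xx the audit flags
    except (urllib.error.URLError, OSError):
        return None


def is_exposed(status: Optional[int]) -> bool:
    """The audit's criterion: a 2xx on the bare IP means the service answers
    without hostname validation."""
    return status is not None and 200 <= status < 300


if __name__ == "__main__":
    # Pipe real output in (`kubectl get ingress -A -o json | python audit.py`);
    # with no stdin the constructed sample is analysed and nothing is probed.
    live = not sys.stdin.isatty()
    data = sys.stdin.read() if live else SAMPLE_KUBECTL_JSON
    for f in find_catch_all_ingresses(data):
        print(f"{f['namespace']}/{f['name']}: {'; '.join(f['reasons'])}")
        for ip in f["ips"]:
            status = probe_by_ip(ip) if live else None
            print(f"  {ip}: status={status} exposed={is_exposed(status)}")
```

The static pass is the cheap part and is worth running on every cluster first; only the IPs it lists need the live probe, and any that come back 2xx go on the spreadsheet with the owner to fix.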

What you need to do