HostAuthorization blocks internal k8s cluster traffic #238

Closed
opened 2026-06-16 12:32:36 +00:00 by ldraney · 0 comments
Owner

Type

Bug

Lineage

Regression from PR #232 which fixed health probe blocking but left other internal traffic exposed.

Repo

ldraney/landscaping-assistant

What Broke

Production logs are wall-to-wall `Blocked hosts: 10.42.0.127:3000`. HostAuthorization returns 403 for every internal k8s request where the Host header is the pod IP instead of the hostname. AlertManager firing.

Expected Behavior

Internal k8s traffic (service mesh, ingress, probes) should pass through HostAuthorization without being blocked.

Repro Steps

  1. Deploy current main to k8s
  2. `kubectl logs -n landscaping-assistant <pod> --tail=50`
  3. Observe continuous `Blocked hosts: 10.42.0.127:3000`

Environment

  • Production k8s (landscaping-assistant namespace)
  • Pod IP: 10.42.0.127
  • Image: 2147dfecb8f612ee1a722339975f91796cedf33c

Acceptance Criteria

  • `Blocked hosts` log spam stops
  • Health probes still pass (pod 1/1)
  • External access via `landscaping-assistant.tail5b443a.ts.net` unaffected
  • DNS rebinding protection still active for named hosts

Related

  • PR #232 — previous partial fix
  • PR #230 — added config.hosts entries
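
Added example, not code from this repository or from Rails: a stand-alone Ruby model of the Host-header allowlist check, showing how one entry for the pod network admits IP-literal Host headers while unknown names (the DNS rebinding case) are still rejected. The `10.42.0.0/16` pod CIDR is an assumption (the issue only gives the single pod IP), and `split_host` / `host_allowed?` are hypothetical names.

```ruby
require "ipaddr"

# Assumption: pod network is 10.42.0.0/16. In a Rails app the matching
# entries would be added to config.hosts, which accepts strings and IPAddr:
#   config.hosts << "landscaping-assistant.tail5b443a.ts.net"
#   config.hosts << IPAddr.new("10.42.0.0/16")
ALLOWED_HOSTS = [
  "landscaping-assistant.tail5b443a.ts.net",
  IPAddr.new("10.42.0.0/16"),
].freeze

# Return the lower-cased hostname from a Host header, dropping an optional
# port and IPv6 brackets. Returns nil for anything malformed.
def split_host(header)
  m = header.to_s.strip.match(/\A(\[[0-9a-fA-F:.]+\]|[^:\/\s\[\]]+)(?::(\d+))?\z/)
  m && m[1].delete("[]").downcase
end

# True when the Host header matches a named entry exactly or is an IP
# literal inside an allowed network.
def host_allowed?(header, allowed = ALLOWED_HOSTS)
  hostname = split_host(header)
  return false if hostname.nil?

  allowed.any? do |entry|
    if entry.is_a?(IPAddr)
      begin
        entry.include?(IPAddr.new(hostname))
      rescue IPAddr::Error
        false # a DNS name is never an IP literal, so it cannot match a CIDR
      end
    else
      entry.downcase == hostname
    end
  end
end

# Constructed sample Host headers (only the first two values appear in the issue).
if __FILE__ == $PROGRAM_NAME
  ["10.42.0.127:3000", "landscaping-assistant.tail5b443a.ts.net",
   "rebind.attacker.example", "10.42.0.127.attacker.example",
   "10.43.0.5:3000"].each do |h|
    puts format("%-42s %s", h, host_allowed?(h) ? "allow" : "block (403)")
  end
end
```

The CIDR entry only matches IP literals, so a name that merely resolves to a pod IP, or that embeds one as a prefix, still fails the check.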