Scenario #298
Security
Kubernetes v1.24, NGINX Ingress

Ingress Controller Exposed /metrics Without Auth

Prometheus scraping endpoint /metrics was exposed without authentication and revealed sensitive internal details.

What Happened

A misconfigured ingress rule allowed external users to access /metrics, which included upstream paths, response codes, and error logs.

Diagnosis Steps
  1. Scanned public URLs.
  2. Found /metrics exposed to unauthenticated traffic.
  3. Inspected NGINX ingress annotations.

Root Cause

The Ingress annotations lacked authentication and source-IP whitelist rules, so the /metrics path was served to any client.

Fix/Workaround
  • Applied IP whitelist and basic auth for /metrics.
  • Added network policies to restrict access.

Lessons Learned

Even observability endpoints need protection.

How to Avoid
  1. Enforce auth for all public endpoints.
  2. Separate internal vs. external monitoring targets.
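The three controls named under Fix/Workaround and How to Avoid (source-IP whitelist, basic auth on /metrics, and a NetworkPolicy that keeps the scrape port internal to the monitoring namespace) expressed as manifests. This is an added example, not the scenario's own configuration; the object names, namespaces, the `10.0.0.0/8` scrape range, the `app.kubernetes.io/name: ingress-nginx` pod label and the metrics port 10254 are assumptions for illustration, and the bcrypt hash is a placeholder.

```yaml
# Added example, not from the scenario. All names, ranges and labels are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: metrics-basic-auth
  namespace: ingress-nginx
type: Opaque
stringData:
  # One htpasswd-format line "user:hash". Generate it with `htpasswd -nB prometheus`
  # and paste the real output here; the value below is a placeholder, not a real hash.
  auth: "prometheus:$2y$05$PLACEHOLDER_BCRYPT_HASH"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: metrics-ingress
  namespace: ingress-nginx
  annotations:
    # Only clients from these source ranges may reach this rule; others get 403.
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8"
    # HTTP basic auth backed by the Secret above (assumed to be in the same namespace).
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: metrics-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication required for /metrics"
spec:
  ingressClassName: nginx
  rules:
    - host: ingress.example.com          # assumed hostname
      http:
        paths:
          - path: /metrics
            pathType: Prefix
            backend:
              service:
                name: ingress-nginx-controller-metrics   # assumed Service name
                port:
                  number: 10254
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-scrape-only-from-monitoring
  namespace: ingress-nginx
spec:
  # Applies to the ingress controller pods (label is an assumption).
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  policyTypes:
    - Ingress
  ingress:
    # Ordinary HTTP/HTTPS traffic is still allowed from any source.
    - ports:
        - port: 80
        - port: 443
    # The metrics port is reachable only from pods in the monitoring namespace,
    # which is what "separate internal vs. external monitoring targets" means in practice.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - port: 10254
```

Two checks before trusting this: the whitelist annotation compares the client address the controller sees, so behind a cloud load balancer the controller must receive the real client IP (PROXY protocol or forwarded headers configured on the controller), otherwise every request appears to come from the balancer and the whitelist is either useless or blocks everything. And the NetworkPolicy only takes effect if the cluster's CNI enforces policies; apply it and confirm with a scrape attempt from a pod outside the monitoring namespace that the port is actually refused.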