Sheogorath authored
The usage of the trusted-ip config resulted in a security incident that allowed access to any oauth2-proxy-protected endpoint without requiring authentication. Thankfully, all significant endpoints had been protected by additional measures such as network restrictions and are therefore not affected. Only the prometheus and alertmanager endpoints have been exposed to the public internet, but are not exposing sensitive data beyond metrics. A check of the relevant logs didn't provide any indication of compromise.