custom-error-pages: Add an ability to disable "/metrics", "/healthz" and "/debug/vars" endpoints

[ucinskij]

The custom-error-pages backend does it job pretty well, however during a security scan it was detected that it exposes three endpoints:
/metrics
/healthz
/debug/vars

/metrics and /healthz are implemented by

ingress-nginx/images/custom-error-pages/rootfs/main.go

Line 78 in 499dbf5

func main() {

/debug/vars at a first sight seems to be coming with github.com/prometheus/client_golang which includes expvar: https://pkg.go.dev/expvar

Especially the first and last ones expose information that might be considered as 'sensitive' by some organizations. Hence why I would like to ask for a feature toggle that would allow to disable those endpoints. It is to be considered if those should be exposed by default or not.

[longwuyuan]

@rikatz seems like one reason to focus on this, like you had suggested. Will do as per your advise

[strongjz]

/triage accepted
/priority backlog
/kind feature
/assign @strongjz

[Routhinator]

FYI I've just had this bug raised from a OpenBugBounty. None of the things exposed are overly sensitive here, but this does leave an operator unexpectedly exposed to any CVE related to these endpoints. They are exposed publicly and reachable from the internet as soon as someone uses the custom-error-pages container.

[Routhinator]

Defaults should definitely prevent these from being reachable by the internet. Scrapeable by internal services by default, sure - but never exposed to the internet by default.

[ucinskij]

Hi @strongjz,
I don't intend to put any pressure here but perhaps you know when we could expect this to be done? Unfortunately internal security scans within the company reqiure an action on this from our side, the security team simply complains too much about this.