Fedora Account System
Red Hat Associate
Red Hat Customer
controllers/utils/auth.go:22-25 implements RequiresAuth() as return ok && strings.ToLower(val) == "true". The annotation key security.opendatahub.io/enable-auth has no CRD default or mutating webhook. Out-of-the-box deployments serve plain HTTP with no authn/authz for gorch and NemoGuardrails. Attack vector: 1. Deploy gorch or NemoGuardrails without setting enable-auth annotation 2. Service exposes plain HTTP endpoints to cluster network 3. Any pod can access AI guardrails/orchestrator API without authentication RequiresAuth() (auth.go:22-25) returns false when the annotation is absent, with no CRD default or webhook to set it.