Fedora Account System
Red Hat Associate
Red Hat Customer
The gorch service template (gorch/templates/service.tmpl.yaml:27-32) publishes https-tls: 8032->8032 (unproxied orchestrator) and built-in-detector-metrics: 8080->8080 alongside the proxied ports, even when auth is enabled. The root cause is gorch/auth.go:30 which configures kube-rbac-proxy upstream as %s-service.%s.svc:8032 (Service DNS), architecturally requiring port 8032 to remain on the Service. Any pod on the cluster network can bypass kube-rbac-proxy by hitting port 8032 directly. By contrast, NemoGuardrails properly switches to proxied-only ports when auth is enabled. EvalHub always deploys with kube-rbac-proxy and API_HOST=127.0.0.1 loopback binding, proving auth-by-default is architecturally achievable. No NetworkPolicy exists anywhere in the codebase (grep returns zero results). Gorch port bypass (even with auth enabled): 1. Enable auth on gorch via annotation 2. kube-rbac-proxy is deployed on port 8443 3. Port 8032 (orchestrator) and 8080 (detector metrics) remain exposed on the Service 4. Any pod hits port 8032 directly, bypassing kube-rbac-proxy