Service Does Not Target Pod
- Query id: 3ca03a61-3249-4c16-8427-6f8e47dda729
- Query name: Service Does Not Target Pod
- Platform: Kubernetes
- Severity: Low
- Category: Insecure Configurations
- CWE: Ongoing
- URL: Github
Description¶
Service should Target a Pod
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: v1
kind: Service
metadata:
name: helloworld2
spec:
type: NodePort
selector:
app: helloworld2
ports:
- name: http
nodePort: 30475
port: 9377
protocol: TCP
targetPort: 9377
---
apiVersion: v1
kind: Pod
metadata:
name: nginx2
labels:
app: hellowwwworld
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 9377
Positive test num. 2 - yaml file
apiVersion: v1
kind: Service
metadata:
name: helloworld3
spec:
type: NodePort
selector:
app: helloworld3
ports:
- name: http
nodePort: 30475
port: 9377
protocol: TCP
targetPort: 9377
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: helloworld3
spec:
replicas: 3
selector:
matchLabels:
app: helloworld3
template:
metadata:
labels:
app: helloworld3
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: v1
kind: Service
metadata:
name: helloworld
spec:
type: NodePort
selector:
app: helloworld
ports:
- name: http
nodePort: 30475
port: 8089
protocol: TCP
targetPort: 8089
---
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
app: helloworld
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 8089
Negative test num. 2 - yaml file
apiVersion: v1
kind: Service
metadata:
name: negative2
spec:
type: ClusterIP
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
- name: health
port: 8081
protocol: TCP
targetPort: 8082
selector:
app: negative2
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: negative2
labels:
app: negative2
spec:
selector:
matchLabels:
app: negative2
template:
metadata:
labels:
app: negative2
spec:
containers:
- name: webserver
image: nginx:latest
ports:
- containerPort: 8080
- containerPort: 8082
Negative test num. 3 - yaml file
apiVersion: v1
kind: Service
metadata:
name: negative3
spec:
type: NodePort
selector:
app: negative3
ports:
- name: http
nodePort: 30475
port: 9377
protocol: TCP
targetPort: web
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: negative3
spec:
replicas: 3
selector:
matchLabels:
app: negative3
template:
metadata:
labels:
app: negative3
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- name: web
containerPort: 80
Negative test num. 4 - yaml file
apiVersion: v1
kind: Service
metadata:
name: negative4
spec:
selector:
app: negative4
tier: backend
ports:
- protocol: TCP
port: 80
targetPort: http
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
spec:
selector:
matchLabels:
app: negative4
tier: backend
track: stable
replicas: 3
template:
metadata:
labels:
app: negative4
tier: backend
track: stable
spec:
containers:
- name: negative4
image: "gcr.io/google-samples/hello-go-gke:1.0"
ports:
- name: http
containerPort: 80
Negative test num. 5 - yaml file
apiVersion: v1
kind: Service
metadata:
name: negative5
spec:
selector:
app: negative5
tier: backend
ports:
- protocol: TCP
port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
spec:
selector:
matchLabels:
app: negative5
tier: backend
track: stable
replicas: 3
template:
metadata:
labels:
app: negative5
tier: backend
track: stable
spec:
containers:
- name: negative5
image: "gcr.io/google-samples/hello-go-gke:1.0"
ports:
- name: http
containerPort: 80
Negative test num. 6 - yaml file
apiVersion: v1
kind: Service
metadata:
name: helloworld
spec:
type: NodePort
selector:
app: helloworld
ports:
- name: http
nodePort: 30475
port: 8089
protocol: TCP
targetPort: 8089
---
apiVersion: v1
kind: Pod
metadata:
name: nginx3
labels:
app: helloworld
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 808
---
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
app: helloworld
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 8089