Service With External Load Balancer

  • Query id: 26763a1c-5dda-4772-b507-5fca7fb5f165
  • Query name: Service With External Load Balancer
  • Platform: Kubernetes
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 552
  • URL: Github

Description

Service has an external load balancer, which may cause accessibility from other networks and the Internet
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: v1
kind: Service
metadata:
  name: sample-service 05
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 05334443
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: 'false'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 07
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: 'false'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 08
  annotations:
    networking.gke.io/load-balancer-type: 'External'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 09
  annotations:
    cloud.google.com/load-balancer-type: 'External'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: v1
kind: Service
metadata:
  name: sample-service 01
  annotations:
    cloud.google.com/load-balancer-type: 'Internal'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 02
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: 'true'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 03
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: 'true'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 04
  annotations:
    networking.gke.io/load-balancer-type: 'Internal'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx