HPA Targets Invalid Object

• Query id: 2f652c42-619d-4361-b361-9f599688f8ca
• Query name: HPA Targets Invalid Object
• Platform: Kubernetes
• Severity: Low
• Category: Availability
• CWE: 400
• URL: Github

Description

The Horizontal Pod Autoscaler must target a valid object
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: php-apache
  minReplicas: 1
  maxReplicas: 10
  metrics:
  - type: Object
    object:
      metric:
        name: requests-per-second
      target:
        type: Value
        value: 10k
      describedObject:
        apiVersion: networking.k8s.io/v1beta1
        kind: Ingress

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: php-apache
  minReplicas: 1
  maxReplicas: 10
  metrics:
  - type: Object
    object:
      metric:
        name: requests-per-second
      describedObject:
        apiVersion: networking.k8s.io/v1beta1
        kind: Ingress
        name: main-route
      target:
        type: Value
        value: 10k

Negative test num. 2 - yaml file

apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
  name: matching-svc
  namespace: default
spec:
  metrics:
    - resource:
        name: cpu
        target:
          averageUtilization: 50
          type: Utilization
      type: Resource
  minReplicas: 1
  maxReplicas: 5
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: matching-svc