Ingress Controller Exposes Workload
- Query id: 69bbc5e3-0818-4150-89cc-1e989b48f23b
- Query name: Ingress Controller Exposes Workload
- Platform: Kubernetes
- Severity: Medium
- Category: Insecure Configurations
- CWE: 779
- URL: Github
Description¶
Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: v1
kind: Service
metadata:
name: app
labels:
app: app
spec:
type: ClusterIP
ports:
- port: 3000
targetPort: 3000
selector:
app: app
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: app-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
labels:
app: app
spec:
rules:
- host: app.acme.org
http:
paths:
- backend:
serviceName: app
servicePort: 3000
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: v1
kind: Service
metadata:
name: app
labels:
app: app
spec:
type: ClusterIP
ports:
- port: 3000
targetPort: 3000
selector:
app: app
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: app-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
labels:
app: app
spec:
rules:
- host: app.acme.org
http:
paths:
- backend:
serviceName: app2
servicePort: 3000