Ingress controller exposes workload
Id: 69bbc5e3-0818-4150-89cc-1e989b48f23b
Cloud Provider: Kubernetes
Platform: Kubernetes
Severity: Medium
Category: Insecure Configurations
Description
Ingress controllers should not expose workloads, as this can create vulnerabilities and enable denial-of-service (DoS) attacks. This rule detects Ingress entries that route traffic to Services whose ports map directly to pod targetPorts, indicating direct exposure of workload ports. When such mappings are found, the rule flags the Ingress resource with an IncorrectValue issue identifying the resource and offending backend path.
Compliant Code Examples
apiVersion: v1
kind: Service
metadata:
  name: app
  labels:
    app: app
spec:
  type: ClusterIP
  ports:
    - port: 3000
      targetPort: 3000
  selector:
    app: app
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
  labels:
    app: app
spec:
  rules:
    - host: app.acme.org
      http:
        paths:
          - backend:
              serviceName: app2
              servicePort: 3000
Non-Compliant Code Examples
apiVersion: v1
kind: Service
metadata:
  name: app
  labels:
    app: app
spec:
  type: ClusterIP
  ports:
    - port: 3000
      targetPort: 3000
  selector:
    app: app
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
  labels:
    app: app
spec:
  rules:
    - host: app.acme.org
      http:
        paths:
          - backend:
              serviceName: app
              servicePort: 3000
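
The detection described above, sketched as an added example (not the rule's own source): it resolves each Ingress backend to a Service in the same namespace and reports it when the matched Service port declares a targetPort. It goes beyond the page's manifests by also reading the networking.k8s.io/v1 backend shape; the function names and the reading of "map directly" are assumptions.

```python
# Added example: approximates the check described on this page; not the rule's source.
# Input: parsed manifest documents (dicts), e.g. as yielded by yaml.safe_load_all.

def backend_ref(backend):
    """Return (service name, port) for legacy and networking.k8s.io/v1 backends."""
    if "serviceName" in backend:              # extensions/v1beta1, as on this page
        return backend["serviceName"], backend.get("servicePort")
    svc = backend.get("service") or {}        # networking.k8s.io/v1 shape
    port = svc.get("port") or {}
    return svc.get("name"), port.get("number", port.get("name"))

def exposed_backends(docs):
    """List (ingress, host, service, port) for backends that reach a pod targetPort."""
    services = {}
    for d in docs:
        if d.get("kind") == "Service":
            ns = d["metadata"].get("namespace", "default")
            services[(ns, d["metadata"]["name"])] = (d.get("spec") or {}).get("ports") or []
    findings = []
    for d in docs:
        if d.get("kind") != "Ingress":
            continue
        ns = d["metadata"].get("namespace", "default")
        for rule in (d.get("spec") or {}).get("rules") or []:
            for path in (rule.get("http") or {}).get("paths") or []:
                name, port = backend_ref(path.get("backend") or {})
                for p in services.get((ns, name), []):
                    # Assumption: "map directly" means the matched Service port
                    # entry declares a targetPort.
                    if port is not None and port in (p.get("port"), p.get("name")) \
                            and "targetPort" in p:
                        findings.append((d["metadata"]["name"], rule.get("host"), name, port))
    return findings

def sample(backend_service):
    """Constructed manifests mirroring the page's Service and Ingress."""
    service = {"kind": "Service", "metadata": {"name": "app"},
               "spec": {"type": "ClusterIP", "selector": {"app": "app"},
                        "ports": [{"port": 3000, "targetPort": 3000}]}}
    ingress = {"kind": "Ingress", "metadata": {"name": "app-ingress"},
               "spec": {"rules": [{"host": "app.acme.org", "http": {"paths": [
                   {"backend": {"serviceName": backend_service, "servicePort": 3000}}]}}]}}
    return [service, ingress]

if __name__ == "__main__":
    print(exposed_backends(sample("app")))    # non-compliant pairing from the page
    print(exposed_backends(sample("app2")))   # compliant pairing: no matching Service
```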