Service with external load balancer

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Service with external load balancer

Metadata

Id: 26763a1c-5dda-4772-b507-5fca7fb5f165

Cloud Provider: k8s

Framework: Kubernetes

Severity: Medium

Category: Networking and Firewall

Learn More

Provider Reference

Description

The Service has an external load balancer, which may allow access from other networks and the internet.

Compliant Code Examples

apiVersion: v1
kind: Service
metadata:
  name: sample-service 01
  annotations:
    cloud.google.com/load-balancer-type: 'Internal'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 02
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: 'true'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 03
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: 'true'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 04
  annotations:
    networking.gke.io/load-balancer-type: 'Internal'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx

Non-Compliant Code Examples

apiVersion: v1
kind: Service
metadata:
  name: sample-service 05
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 05334443
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: 'false'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 07
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: 'false'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 08
  annotations:
    networking.gke.io/load-balancer-type: 'External'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: sample-service 09
  annotations:
    cloud.google.com/load-balancer-type: 'External'
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx