Metadata

Id: kubernetes-service-does-not-target-pod

Platform: Kubernetes

Severity: Low

Category: Insecure Configurations

Description

The Service must target at least one Pod. Its .spec.selector must match labels on Pod-bearing resources (Pod, ReplicationController, ReplicaSet, Deployment, DaemonSet, StatefulSet, Job, or CronJob job template). Each Service port must reference a container port on at least one matched Pod — either by numeric targetPort, by named targetPort, or by falling back to the Service port when targetPort is unspecified.
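The check the description spells out, written out as an added Python example (not Datadog's rule implementation): manifests are handed in as the dicts `yaml.safe_load_all` would produce, and `SAMPLE` re-types the two Non-Compliant examples further down in that form so the checker can be run against them offline.

```python
# Added checker (not Datadog's implementation); docs are dicts as yaml.safe_load_all would return them.
POD_BEARING = {"Pod", "ReplicationController", "ReplicaSet", "Deployment",
               "DaemonSet", "StatefulSet", "Job", "CronJob"}

def pod_templates(doc):
    """Yield (labels, pod_spec) for a Pod, or for the Pod template a workload carries."""
    kind, spec = doc.get("kind"), doc.get("spec", {})
    if kind == "Pod":
        yield doc.get("metadata", {}).get("labels", {}), spec
    elif kind in POD_BEARING:
        if kind == "CronJob":  # the Pod template sits inside the Job template
            spec = spec.get("jobTemplate", {}).get("spec", {})
        tpl = spec.get("template", {})
        yield tpl.get("metadata", {}).get("labels", {}), tpl.get("spec", {})

def service_findings(docs):
    """Return (service name, reason) for every Service that targets no Pod port."""
    pods = [t for d in docs for t in pod_templates(d)]
    findings = []
    for d in (d for d in docs if d.get("kind") == "Service"):
        name, spec = d.get("metadata", {}).get("name"), d.get("spec", {})
        selector = spec.get("selector") or {}
        # A Pod matches only if it carries every selector label with the same value.
        matched = [ps for labels, ps in pods
                   if selector and all(labels.get(k) == v for k, v in selector.items())]
        if not matched:
            findings.append((name, "selector matches no Pod-bearing resource"))
            continue
        # (name, number) of every container port declared on the matched Pods
        ports = {(p.get("name"), p.get("containerPort")) for ps in matched
                 for c in ps.get("containers", []) for p in c.get("ports", [])}
        for sp in spec.get("ports", []):
            target = sp.get("targetPort", sp.get("port"))  # unset targetPort falls back to port
            field = 0 if isinstance(target, str) else 1   # named vs numeric targetPort
            if not any(p[field] == target for p in ports):
                findings.append((name, f"port {sp.get('port')} targets {target!r} on no matched Pod"))
    return findings

# The page's two Non-Compliant examples, reduced to the fields the checker reads.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "helloworld2"},
     "spec": {"selector": {"app": "helloworld2"}, "ports": [{"port": 9377, "targetPort": 9377}]}},
    {"kind": "Pod", "metadata": {"name": "nginx2", "labels": {"app": "hellowwwworld"}},
     "spec": {"containers": [{"name": "nginx", "ports": [{"containerPort": 9377}]}]}},
    {"kind": "Service", "metadata": {"name": "helloworld3"},
     "spec": {"selector": {"app": "helloworld3"}, "ports": [{"port": 9377, "targetPort": 9377}]}},
    {"kind": "Deployment", "metadata": {"name": "nginx-deployment"},
     "spec": {"selector": {"matchLabels": {"app": "helloworld3"}},
              "template": {"metadata": {"labels": {"app": "helloworld3"}},
                           "spec": {"containers": [{"name": "nginx", "ports": [{"containerPort": 80}]}]}}}}]
```

Running `service_findings(SAMPLE)` reports the label mismatch for `helloworld2` and the port mismatch for `helloworld3`; the three compliant examples below produce no findings.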

Compliant Code Examples

apiVersion: v1
kind: Service
metadata:
  name: helloworld
spec:
  type: NodePort
  selector:
    app: helloworld
  ports:
    - name: http
      nodePort: 30475
      port: 8089
      protocol: TCP
      targetPort: 8089
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: helloworld
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
      - containerPort: 8089

apiVersion: v1
kind: Service
metadata:
  name: negative2
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: health
      port: 8081
      protocol: TCP
      targetPort: 8082
  selector:
    app: negative2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: negative2
  labels:
    app: negative2
spec:
  selector:
    matchLabels:
      app: negative2
  template:
    metadata:
      labels:
        app: negative2
    spec:
      containers:
        - name: webserver
          image: nginx:latest
          ports:
            - containerPort: 8080
            - containerPort: 8082

apiVersion: v1
kind: Service
metadata:
  name: negative3
spec:
  type: NodePort
  selector:
    app: negative3
  ports:
    - name: http
      nodePort: 30475
      port: 9377
      protocol: TCP
      targetPort: web
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: negative3
spec:
  replicas: 3
  selector:
    matchLabels:
      app: negative3
  template:
    metadata:
      labels:
        app: negative3
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - name: web
              containerPort: 80

Non-Compliant Code Examples

apiVersion: v1
kind: Service
metadata:
  name: helloworld2
spec:
  type: NodePort
  selector:
    app: helloworld2
  ports:
    - name: http
      nodePort: 30475
      port: 9377
      protocol: TCP
      targetPort: 9377
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx2
  labels:
    app: hellowwwworld
spec:
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 9377

apiVersion: v1
kind: Service
metadata:
  name: helloworld3
spec:
  type: NodePort
  selector:
    app: helloworld3
  ports:
    - name: http
      nodePort: 30475
      port: 9377
      protocol: TCP
      targetPort: 9377
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: helloworld3
spec:
  replicas: 3
  selector:
    matchLabels:
      app: helloworld3
  template:
    metadata:
      labels:
        app: helloworld3
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80