--- title: Service does not target a Pod description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Service does not target a Pod --- # Service does not target a Pod {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `kubernetes-service-does-not-target-pod` **Platform:** Kubernetes **Severity:** Low **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://kubernetes.io/docs/concepts/services-networking/service/) ### Description{% #description %} The Service must target at least one Pod. Its `.spec.selector` must match labels on Pod-bearing resources (Pod, ReplicationController, ReplicaSet, Deployment, DaemonSet, StatefulSet, Job, or CronJob job template). Each Service port must reference a container port on at least one matched Pod — either by numeric `targetPort`, by named `targetPort`, or by falling back to the Service `port` when `targetPort` is unspecified. ## Compliant Code Examples{% #compliant-code-examples %} ```yaml apiVersion: v1 kind: Service metadata: name: helloworld spec: type: NodePort selector: app: helloworld ports: - name: http nodePort: 30475 port: 8089 protocol: TCP targetPort: 8089 --- apiVersion: v1 kind: Pod metadata: name: nginx labels: app: helloworld spec: containers: - name: nginx image: nginx ports: - containerPort: 8089 ``` ```yaml apiVersion: v1 kind: Service metadata: name: negative2 spec: type: ClusterIP ports: - name: http port: 80 protocol: TCP targetPort: 8080 - name: health port: 8081 protocol: TCP targetPort: 8082 selector: app: negative2 --- apiVersion: apps/v1 kind: Deployment metadata: name: negative2 labels: app: negative2 spec: selector: matchLabels: app: negative2 template: metadata: labels: app: negative2 spec: containers: - name: webserver image: nginx:latest ports: - containerPort: 8080 - containerPort: 8082 ``` ```yaml apiVersion: v1 kind: Service metadata: name: negative3 spec: type: NodePort selector: app: negative3 ports: - name: http nodePort: 30475 port: 9377 protocol: TCP targetPort: web --- apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment labels: app: negative3 spec: replicas: 3 selector: matchLabels: app: negative3 template: metadata: labels: app: negative3 spec: containers: - name: nginx image: nginx:1.14.2 ports: - name: web containerPort: 80 ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml apiVersion: v1 kind: Service metadata: name: helloworld2 spec: type: NodePort selector: app: helloworld2 ports: - name: http nodePort: 30475 port: 9377 protocol: TCP targetPort: 9377 --- apiVersion: v1 kind: Pod metadata: name: nginx2 labels: app: hellowwwworld spec: containers: - name: nginx image: nginx ports: - containerPort: 9377 ``` ```yaml apiVersion: v1 kind: Service metadata: name: helloworld3 spec: type: NodePort selector: app: helloworld3 ports: - name: http nodePort: 30475 port: 9377 protocol: TCP targetPort: 9377 --- apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment labels: app: helloworld3 spec: replicas: 3 selector: matchLabels: app: helloworld3 template: metadata: labels: app: helloworld3 spec: containers: - name: nginx image: nginx:1.14.2 ports: - containerPort: 80 ```