kube-scan icon indicating copy to clipboard operation
kube-scan copied to clipboard

Published 20 hours ago verified publisher icon octarinesec

Workload is exposed through an ingress policy (medium risk)

Open avik-so opened this issue 4 years ago • 4 comments

Is there a way to tell kube-scan that this is intentional? Also, what is the suggested fix here if you want your service to be accessible from the internet?

avik-so avatar Jun 09 '20 06:06 avik-so

There isn't a way to mark external exposure as intentional. While it may not be a misconfiguration, it adds risk of compromise of that workload. Possible mitigation include:

  • Reducing the container capabilities of the exposed workload.
  • Creating network policies which limit outbound traffic from that workload only to other services it needs to access
  • Avoiding mount of a service account token in that workload.

thehh1974 avatar Jun 10 '20 19:06 thehh1974

The result of this is developers ignoring the warning in other cases when it is not intentional. Sounds like those mitigations would still cause the warning to be reported?

avik-so avatar Jun 14 '20 12:06 avik-so

We are working on taking into account mitigations when calculating the risk score. It will not cause exposure not to be reported though. The way to express intent is via policy, which at this time, is only supported in our (Octarine) enterprise product.

thehh1974 avatar Jul 02 '20 00:07 thehh1974

Thanks for your response. A lower score would be very helpful. You can close this issue, in the chance that you want to use this issue for that feature you are working on, I'm not closing it myself.

avik-so avatar Jul 02 '20 06:07 avik-so