
UNSECURED_PUBLIC_ENDPOINT violations: Hard to track offending application on K8s

Open alexkops opened this issue 7 years ago • 3 comments

Expected behavior

When I see an UNSECURED_PUBLIC_ENDPOINT violation I want to see the offending applications. In terms of a Kubernetes deployment I only see the ELB with an autogenerated ID, but I would like to see the offending application ID.

Step needed

From there you need to know how to resolve the application, e.g. with zkubectl get svc -o wide or by looking up the security group in the AWS console. It would be nice if this could be done in fullstop already.

Dependencies

K8s apis?

alexkops, Sep 13 '17 11:09

@alexkops you can see all the calls zkubectl (kubectl) makes if you pass --v=9.

API to query to get the information from the default namespace: https:///api/v1/namespaces/default/services

szuecs, Sep 13 '17 12:09
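An added example, not part of the thread and not Fullstop code: mapping the ELB DNS name from a violation back to the owning Kubernetes Service, using the JSON returned by the services endpoint mentioned above. The sample ServiceList, the `application` label and all function names are constructed; the name-based fallback assumes the in-tree AWS cloud provider's naming scheme ("a" plus the Service UID without dashes, cut to 32 characters).

```python
import json

# Constructed sample ServiceList (trimmed), shaped like the response of
# GET /api/v1/namespaces/default/services. All names and UIDs are made up.
SAMPLE = json.loads("""
{"kind": "ServiceList", "items": [
  {"metadata": {"name": "shop-frontend", "namespace": "default",
                "uid": "3f2a9c1e-7b44-11e7-9d2a-0a1b2c3d4e5f",
                "labels": {"application": "shop-frontend"}},
   "spec": {"type": "LoadBalancer"},
   "status": {"loadBalancer": {"ingress": [{"hostname":
     "a3f2a9c1e7b4411e79d2a0a1b2c3d4e5-1234567890.eu-central-1.elb.amazonaws.com"}]}}},
  {"metadata": {"name": "internal-api", "namespace": "default",
                "uid": "9e8d7c6b-7b44-11e7-9d2a-0a1b2c3d4e5f", "labels": {}},
   "spec": {"type": "ClusterIP"}, "status": {"loadBalancer": {}}}
]}
""")

def elb_name_for_uid(uid):
    # Assumption: in-tree AWS provider naming, "a" + UID without dashes, max 32 chars.
    return ("a" + uid.replace("-", ""))[:32]

def index_services(service_list):
    """Index LoadBalancer Services by published ELB hostname and by derived ELB name."""
    by_host, by_name = {}, {}
    for svc in service_list.get("items", []):
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue  # ClusterIP/NodePort Services never own an ELB
        meta = svc["metadata"]
        ref = {"namespace": meta["namespace"], "name": meta["name"],
               "labels": meta.get("labels") or {}}
        by_name[elb_name_for_uid(meta["uid"])] = ref
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        for entry in ingress:
            if entry.get("hostname"):
                by_host[entry["hostname"].lower()] = ref
    return by_host, by_name

def resolve_elb(elb_dns_name, service_list):
    """Return the owning Service for an ELB DNS name, or None if it is not a K8s ELB."""
    by_host, by_name = index_services(service_list)
    host = elb_dns_name.lower().rstrip(".")
    if host in by_host:  # exact match on status.loadBalancer.ingress
        return by_host[host]
    # Fallback for Services whose status is not yet populated: derive the ELB
    # name from the first DNS label ("[internal-]<name>-<suffix>").
    label = host.split(".", 1)[0]
    if label.startswith("internal-"):
        label = label[len("internal-"):]
    return by_name.get(label.rsplit("-", 1)[0])
```

A `None` result means the load balancer was not created by a Service in the queried namespace, so it still needs the manual security-group lookup described in the issue.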

Thanks for raising the issue. Currently Fullstop has no dedicated K8S support, but just applies its normal rule set to the AWS accounts where the clusters are hosted. We need to improve here.

harti2006, Sep 13 '17 13:09

PR #520 ignores the Kubernetes ELBs for now. We need to rework a good part of that check anyway, since it does not cover ELBv2 at the moment :-/

harti2006, Nov 23 '17 16:11