brunojensen / chainsaw-kube

minikube with spring-boot, quarkus, keycloak and helm.

Default port usage #28

Open akondasif opened 4 years ago

akondasif commented 4 years ago

Description

Greetings,

We are security researchers and we are looking for insecure coding patterns and configurations in the microservice architecture repositories. In your repository, we have found instances of default port usage. According to a recent report default port usages must be avoided: https://www.bleepingcomputer.com/news/security/most-cyber-attacks-focus-on-just-three-tcp-ports/#:~:text=According%20to%20the%20report%2C%20the,(Hypertext%20Transfer%20Protocol%20Secure)

What should happen?

Default ports and HTTP without TLS should be avoided

What happens instead?

Default ports are used

Source: https://github.com/brunojensen/chainsaw-kube/blob/master/charts/chainsaw-app-service/values.yaml

Fix: https://github.com/brunojensen/chainsaw-kube/pull/27

I am interested to know if you agree with the findings. Any feedback is appreciated.

brunojensen commented 4 years ago

Hi,

Actually, values.yaml is kind of a template. What should be used to install the services with helm is the files under: https://github.com/brunojensen/chainsaw-kube/tree/master/charts/chainsaw-app-service/development

As it is basically a service running internally on k8s, it will not be exposed at those ports. It means that internally the service will be accessed via port 80, so its clients only have to know the service name (DNS); also, the application is targeted at port 8080.

But for sure I can consider the use of TLS, it should be done with the introduction of a service mesh like Istio.

If it was running as an on-premise service, I'd definitely agree that it is not a good approach.

Thanks for your comment.
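A triage check that encodes the reasoning of the reply above, added here as an example and not code from the chainsaw-kube repository: it assumes manifests already rendered (for instance by `helm template`) and loaded as Python dicts, and the Service, Ingress, policy and namespace names in the sample are constructed.

```python
# Added example (not chainsaw-kube code). Input: manifests rendered by
# `helm template`, here constructed as dicts. A ClusterIP Service on port 80 ->
# targetPort 8080 is only reachable in-cluster, so flag it only when it is
# exposed externally or its namespace has no STRICT Istio mTLS policy.

def ingress_backends(manifests):
    # Service names referenced as a backend by any Ingress rule.
    return {
        path["backend"]["service"]["name"]
        for m in manifests if m.get("kind") == "Ingress"
        for rule in m["spec"].get("rules", [])
        for path in rule.get("http", {}).get("paths", [])
    }

def strict_mtls_namespaces(manifests):
    # Namespaces with a workload-agnostic PeerAuthentication in STRICT mode.
    return {
        m["metadata"].get("namespace", "default")
        for m in manifests if m.get("kind") == "PeerAuthentication"
        if "selector" not in m["spec"] and m["spec"].get("mtls", {}).get("mode") == "STRICT"
    }

def review_services(manifests):
    # Returns {service name: finding}; Services with nothing to report are omitted.
    via_ingress, strict = ingress_backends(manifests), strict_mtls_namespaces(manifests)
    findings = {}
    for m in manifests:
        if m.get("kind") != "Service":
            continue
        name, ns = m["metadata"]["name"], m["metadata"].get("namespace", "default")
        if m["spec"].get("type") in ("NodePort", "LoadBalancer") or name in via_ingress:
            findings[name] = "reachable from outside the cluster over plain HTTP"
        elif ns not in strict:
            findings[name] = "cluster-internal, but no STRICT mTLS policy in namespace"
    return findings

# Constructed sample: the internal Service from the reply, one Service behind an
# Ingress, and a STRICT PeerAuthentication in 'prod' but not in 'dev'.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "chainsaw-app", "namespace": "prod"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80, "targetPort": 8080}]}},
    {"kind": "Service", "metadata": {"name": "public-api", "namespace": "prod"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80, "targetPort": 8080}]}},
    {"kind": "Ingress", "metadata": {"name": "edge", "namespace": "prod"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "backend": {"service": {"name": "public-api"}}}]}}]}},
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "prod"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "Service", "metadata": {"name": "dev-app", "namespace": "dev"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80, "targetPort": 8080}]}},
]
```

Running `review_services(SAMPLE)` leaves `chainsaw-app` unflagged (internal, mTLS enforced) while reporting `public-api` (exposed via Ingress) and `dev-app` (no STRICT policy).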