Workload is exposed through an ingress policy (medium risk)

octarinesec / kube-scan

kube-scan: Octarine k8s cluster risk assessment tool

https://www.octarinesec.com/

MIT License

795 stars 101 forks source link

Workload is exposed through an ingress policy (medium risk) #25

Open avik-so opened 4 years ago

avik-so commented 4 years ago

Is there a way to tell kube-scan that this is intentional? Also, what is the suggested fix here if you want your service to be accessible from the internet?

thehh1974 commented 4 years ago

There isn't a way to mark external exposure as intentional. While it may not be a misconfiguration, it adds risk of compromise of that workload. Possible mitigation include:

Reducing the container capabilities of the exposed workload.
Creating network policies which limit outbound traffic from that workload only to other services it needs to access
Avoiding mount of a service account token in that workload.

avik-so commented 4 years ago

The result of this is developers ignoring the warning in other cases when it is not intentional. Sounds like those mitigations would still cause the warning to be reported?

thehh1974 commented 4 years ago

We are working on taking into account mitigations when calculating the risk score. It will not cause exposure not to be reported though. The way to express intent is via policy, which at this time, is only supported in our (Octarine) enterprise product.

avik-so commented 4 years ago

Thanks for your response. A lower score would be very helpful. You can close this issue, in the chance that you want to use this issue for that feature you are working on, I'm not closing it myself.