Service does not restrict ingress sources Affecting Service service in Kubernetes
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00648
- creditSnyk Research Team
Description
Defining a Load balancer Service without setting the loadBalancerSourceRanges property will use the default value of 0.0.0.0/0.
How to fix?
Set loadBalancerSourceRanges attribute value to specific IP addresses".
Example configuration: ```yaml
apiVersion: v1 kind: Service metadata: name: valid spec: type: LoadBalancer ports: - port: 8080 targetPort: http protocol: TCP name: http selector: app.kubernetes.io/name: demo-app app.kubernetes.io/instance: demo-app-instance loadBalancerSourceRanges:
- "143.231.0.0/16"
Set load_balancer_source_ranges attribute value to specific IP addresses.
Example configuration:
variable "k8s_15_var" {
default = ""
}
resource "kubernetes_service" "allowed" {
metadata {
name = "terraform-example648-1"
}
spec {
selector = {
app = var.k8s_15_var
}
session_affinity = "ClientIP"
port {
port = 8080
target_port = 80
}
load_balancer_source_ranges = ["127.1.1.1/24"]
type = "LoadBalancer"
}
}