Kubernetes Actions: Port Forward to Pod
No violationsstackroxmediumruntimeAlerts when Kubernetes API receives port forward request
- Rationale
- 'pods/portforward' is non-standard way to access applications running on Kubernetes. Attackers with permissions could gain access to application and compromise it
- Remediation
- Restrict RBAC access to the 'pods/portforward' resource according to the Principle of Least Privilege. Limit exposing application through port forwarding only development, testing or debugging (non-production) activities. For external traffic, expose application through a LoadBalancer/NodePort service or Ingress Controller
CategoriesKubernetes Events
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 10.1
- ISO/IEC 27001 2022
- A.8.16
- NIST SP 800-53 rev. 5
- AU-2
- PCI DSS 4.0
- 10.2.1
- SOC 2 2017 TSC
- CC7.2
Generated artifacts
1 of 5 targets supportedkubernetes-actions-port-forward-to-pod.yaml
- rule: kubernetes-actions-port-forward-to-pod
desc: Alerts when Kubernetes API receives port forward request
condition: ka.target.resource in ("pods_portforward")
output: "Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Kubernetes Actions: Port Forward to Pod)"
priority: WARNING
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "742e0361-bddd-4a2d-8758-f2af6197f61d",
"name": "Kubernetes Actions: Port Forward to Pod",
"description": "Alerts when Kubernetes API receives port forward request",
"rationale": "'pods/portforward' is non-standard way to access applications running on Kubernetes. Attackers with permissions could gain access to application and compromise it",
"remediation": "Restrict RBAC access to the 'pods/portforward' resource according to the Principle of Least Privilege. Limit exposing application through port forwarding only development, testing or debugging (non-production) activities. For external traffic, expose application through a LoadBalancer/NodePort service or Ingress Controller",
"severity": "medium",
"categories": [
"Kubernetes Events"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [
{
"name": "alertmanager-main",
"namespace": "openshift-monitoring"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "kubernetes-resource",
"values": [
"PODS_PORTFORWARD"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "742e0361-bddd-4a2d-8758-f2af6197f61d",
"name": "Kubernetes Actions: Port Forward to Pod",
"description": "Alerts when Kubernetes API receives port forward request",
"rationale": "'pods/portforward' is non-standard way to access applications running on Kubernetes. Attackers with permissions could gain access to application and compromise it",
"remediation": "Restrict RBAC access to the 'pods/portforward' resource according to the Principle of Least Privilege. Limit exposing application through port forwarding only development, testing or debugging (non-production) activities. For external traffic, expose application through a LoadBalancer/NodePort service or Ingress Controller",
"disabled": false,
"categories": [
"Kubernetes Events"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [
{
"name": "Don't alert on deployment alertmanager-main in openshift-monitoring namespace",
"deployment": {
"name": "alertmanager-main",
"scope": {
"cluster": "",
"namespace": "openshift-monitoring",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Kubernetes Resource",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "PODS_PORTFORWARD"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0002",
"techniques": [
"T1609"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}