Deployments with externally exposed endpoints
No violationsstackroxmediumdeployDeployments with externally exposed endpoints represent a higher risk
- Rationale
- Deployments with services exposed outside the cluster are at a higher risk of attempted intrusions because they are reachable outside of the cluster.
- Remediation
- Verify that service exposure outside of the cluster is required. If the service is only needed for intra-cluster communication, use service type ClusterIP.
CategoriesDevOps Best PracticesSecurity Best Practices
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.25A.8.9
- NIST SP 800-53 rev. 5
- CM-2SC-7
- PCI DSS 4.0
- 1.2.52.2.1
- SOC 2 2017 TSC
- CC8.1
Generated artifacts
3 of 5 targets supporteddeployments-with-externally-exposed-endpoints.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: deployments-with-externally-exposed-endpoints
annotations:
policies.kyverno.io/title: Deployments with externally exposed endpoints
policies.kyverno.io/category: DevOps Best Practices, Security Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/description: Deployments with externally exposed endpoints represent a higher risk
policies.kyverno.io/remediation: Verify that service exposure outside of the cluster is required. If the service is only needed for intra-cluster communication, use service type ClusterIP.
policies.kyverno.io/rationale: Deployments with services exposed outside the cluster are at a higher risk of attempted intrusions because they are reachable outside of the cluster.
policies.io/source: stackrox
policies.io/source-id: 78cd366c-4e06-4d9a-9b78-e547f18e7f0b
spec:
validationFailureAction: Audit
background: true
rules:
- name: deployments-with-externally-exposed-endpoints
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Deployments with externally exposed endpoints" violated: Deployments with externally exposed endpoints represent a higher risk'
deny:
conditions:
all:
- key: "{{ request.object.spec.type || 'ClusterIP' }}"
operator: AnyIn
value:
- ROUTE
- EXTERNAL
- NODE
- HOST
IR (canonical)
{
"id": "78cd366c-4e06-4d9a-9b78-e547f18e7f0b",
"name": "Deployments with externally exposed endpoints",
"description": "Deployments with externally exposed endpoints represent a higher risk",
"rationale": "Deployments with services exposed outside the cluster are at a higher risk of attempted intrusions because they are reachable outside of the cluster.",
"remediation": "Verify that service exposure outside of the cluster is required. If the service is only needed for intra-cluster communication, use service type ClusterIP.",
"severity": "medium",
"categories": [
"DevOps Best Practices",
"Security Best Practices"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "port-exposure-method",
"values": [
"ROUTE",
"EXTERNAL",
"NODE",
"HOST"
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "78cd366c-4e06-4d9a-9b78-e547f18e7f0b",
"name": "Deployments with externally exposed endpoints",
"description": "Deployments with externally exposed endpoints represent a higher risk",
"rationale": "Deployments with services exposed outside the cluster are at a higher risk of attempted intrusions because they are reachable outside of the cluster.",
"remediation": "Verify that service exposure outside of the cluster is required. If the service is only needed for intra-cluster communication, use service type ClusterIP.",
"disabled": true,
"categories": [
"DevOps Best Practices",
"Security Best Practices"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "Policy Section 1",
"policyGroups": [
{
"fieldName": "Port Exposure Method",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "ROUTE"
},
{
"value": "EXTERNAL"
},
{
"value": "NODE"
},
{
"value": "HOST"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}