Back to catalog

Deployments with externally exposed endpoints

No violationsstackroxmediumdeploy

Deployments with externally exposed endpoints represent a higher risk

Rationale
Deployments with services exposed outside the cluster are at a higher risk of attempted intrusions because they are reachable outside of the cluster.
Remediation
Verify that service exposure outside of the cluster is required. If the service is only needed for intra-cluster communication, use service type ClusterIP.
CategoriesDevOps Best PracticesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.25A.8.9
NIST SP 800-53 rev. 5
CM-2SC-7
PCI DSS 4.0
1.2.52.2.1
SOC 2 2017 TSC
CC8.1

Generated artifacts

3 of 5 targets supported
deployments-with-externally-exposed-endpoints.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deployments-with-externally-exposed-endpoints
  annotations:
    policies.kyverno.io/title: Deployments with externally exposed endpoints
    policies.kyverno.io/category: DevOps Best Practices, Security Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/description: Deployments with externally exposed endpoints represent a higher risk
    policies.kyverno.io/remediation: Verify that service exposure outside of the cluster is required. If the service is only needed for intra-cluster communication, use service type ClusterIP.
    policies.kyverno.io/rationale: Deployments with services exposed outside the cluster are at a higher risk of attempted intrusions because they are reachable outside of the cluster.
    policies.io/source: stackrox
    policies.io/source-id: 78cd366c-4e06-4d9a-9b78-e547f18e7f0b
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: deployments-with-externally-exposed-endpoints
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Deployments with externally exposed endpoints" violated: Deployments with externally exposed endpoints represent a higher risk'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.type || 'ClusterIP' }}"
                operator: AnyIn
                value:
                  - ROUTE
                  - EXTERNAL
                  - NODE
                  - HOST
IR (canonical)
{
  "id": "78cd366c-4e06-4d9a-9b78-e547f18e7f0b",
  "name": "Deployments with externally exposed endpoints",
  "description": "Deployments with externally exposed endpoints represent a higher risk",
  "rationale": "Deployments with services exposed outside the cluster are at a higher risk of attempted intrusions because they are reachable outside of the cluster.",
  "remediation": "Verify that service exposure outside of the cluster is required. If the service is only needed for intra-cluster communication, use service type ClusterIP.",
  "severity": "medium",
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "port-exposure-method",
    "values": [
      "ROUTE",
      "EXTERNAL",
      "NODE",
      "HOST"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "78cd366c-4e06-4d9a-9b78-e547f18e7f0b",
  "name": "Deployments with externally exposed endpoints",
  "description": "Deployments with externally exposed endpoints represent a higher risk",
  "rationale": "Deployments with services exposed outside the cluster are at a higher risk of attempted intrusions because they are reachable outside of the cluster.",
  "remediation": "Verify that service exposure outside of the cluster is required. If the service is only needed for intra-cluster communication, use service type ClusterIP.",
  "disabled": true,
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "Policy Section 1",
      "policyGroups": [
        {
          "fieldName": "Port Exposure Method",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "ROUTE"
            },
            {
              "value": "EXTERNAL"
            },
            {
              "value": "NODE"
            },
            {
              "value": "HOST"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}