Services of type LoadBalancer are exposed externally. This may be unintentional and could expose internal services to the internet.
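---
# SpotterRule spotter-network-002
# Flags Services of type LoadBalancer that are not marked as cloud-internal
# via a provider annotation. A LoadBalancer Service allocates an externally
# reachable endpoint, so an unintended one widens the cluster's exposed surface.
apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-network-002
  labels:
    severity: "critical"
    category: "network"
  annotations:
    rules.spotter.dev/title: "Service With External Load Balancer"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-501"
    rules.spotter.dev/description: "Services of type LoadBalancer are exposed externally. This may be unintentional and could expose internal services to the internet."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
        versions:
          - "v1"
        kinds:
          - Service
        namespaces:
          include: ["*"]
          # Platform namespaces are skipped: LoadBalancer Services there are
          # usually provisioned deliberately by the distribution.
          exclude: ["kube-system", "kube-public"]
  # Match when spec.type is LoadBalancer AND none of the recognised
  # "internal load balancer" annotations is present with its internal value.
  # Comparisons are exact and case-sensitive, so a differently cased value
  # (e.g. "True") is not treated as internal and the Service is still reported.
  # NOTE(review): only the annotations listed here are recognised. Providers
  # that express internal scope another way (e.g. spec.loadBalancerClass or a
  # provider-specific CRD) will still produce a finding — confirm against the
  # cloud providers in use and extend the list rather than disabling the rule.
  cel: |
    has(object.spec.type) && object.spec.type == "LoadBalancer" &&
    !(
      has(object.metadata.annotations) &&
      (
        ("cloud.google.com/load-balancer-type" in object.metadata.annotations &&
          object.metadata.annotations["cloud.google.com/load-balancer-type"] == "Internal") ||
        ("networking.gke.io/load-balancer-type" in object.metadata.annotations &&
          object.metadata.annotations["networking.gke.io/load-balancer-type"] == "Internal") ||
        ("service.beta.kubernetes.io/aws-load-balancer-internal" in object.metadata.annotations &&
          object.metadata.annotations["service.beta.kubernetes.io/aws-load-balancer-internal"] == "true") ||
        ("service.beta.kubernetes.io/aws-load-balancer-scheme" in object.metadata.annotations &&
          object.metadata.annotations["service.beta.kubernetes.io/aws-load-balancer-scheme"] == "internal") ||
        ("service.beta.kubernetes.io/azure-load-balancer-internal" in object.metadata.annotations &&
          object.metadata.annotations["service.beta.kubernetes.io/azure-load-balancer-internal"] == "true")
      )
    )
  remediation:
    manual: "If the service is not intended to be public, change the service type to ClusterIP and expose it using an Ingress resource."
  references:
    - title: "Kubernetes Service Types"
      url: "https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types"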