As it is basically a service running internally on k8s, it will not be exposed at those ports. It means that internally the service will be accessed via port 80, so its clients only have to know the service name (DNS); also, the application is targeted at port 8080.
But for sure I can consider the use of TLS; it should be done with the introduction of a service mesh like Istio.
If it was running as an on-premise service, I'd definitely agree that it is not a good approach.
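The reply above draws a distinction the original finding does not: a ClusterIP Service on port 80 that forwards to the application's 8080 is only reachable inside the cluster, while the same port mapping on a NodePort or LoadBalancer Service is reachable from outside, and a mesh with mTLS changes the wire-level picture again. The following is an added example, not code from the chainsaw-kube project or from either participant, that triages Kubernetes Service manifests along exactly those lines. The two manifests are constructed samples (the name `example-app` is a placeholder); the `mesh_mtls_enabled` flag is an assumption standing in for a mesh that enforces STRICT mTLS, which the script does not verify itself.

```python
"""Triage Kubernetes Service manifests for plaintext HTTP on default ports.

Added example, not code from the chainsaw-kube project. The two manifests at
the bottom are constructed samples; the Service field names (spec.type,
spec.ports[].port, spec.ports[].targetPort) are the real Kubernetes ones.
"""
from __future__ import annotations

from dataclasses import dataclass

# Service types that hand out an address reachable from outside the cluster.
# (An Ingress in front of a ClusterIP Service also exposes it; that is out of
# scope for this check, which only looks at the Service object itself.)
EXPOSED_TYPES = {"NodePort", "LoadBalancer"}
PLAINTEXT_DEFAULT_PORTS = {80, 8080}   # conventional HTTP without TLS
TLS_DEFAULT_PORTS = {443, 8443}        # conventional HTTPS


@dataclass
class Finding:
    service: str
    port: int
    target_port: int | str
    exposure: str   # "cluster-internal" or "external"
    severity: str   # "info", "medium" or "high"
    message: str


def triage_service(manifest: dict, mesh_mtls_enabled: bool = False) -> list[Finding]:
    """Return one Finding per default-port entry in spec.ports.

    Severity reflects who can reach the plaintext listener:
      external + plaintext default port  -> high
      cluster-internal + plaintext port  -> medium, or info when a service
                                            mesh (assumed: STRICT mTLS) wraps it
      TLS default port                   -> info (still a default port, but
                                            the transport is encrypted)
    """
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec", {})
    svc_type = spec.get("type", "ClusterIP")  # ClusterIP is the API default
    exposure = "external" if svc_type in EXPOSED_TYPES else "cluster-internal"

    findings: list[Finding] = []
    for entry in spec.get("ports", []):
        port = entry["port"]
        target = entry.get("targetPort", port)  # targetPort defaults to port
        if port in PLAINTEXT_DEFAULT_PORTS:
            if exposure == "external":
                severity = "high"
                msg = f"plaintext HTTP on default port {port} is reachable from outside the cluster"
            elif mesh_mtls_enabled:
                severity = "info"
                msg = f"plaintext default port {port} is cluster-internal and wrapped by mesh mTLS"
            else:
                severity = "medium"
                msg = f"plaintext HTTP on default port {port} is cluster-internal only; no TLS on the wire"
        elif port in TLS_DEFAULT_PORTS:
            severity = "info"
            msg = f"default TLS port {port}; transport is encrypted"
        else:
            continue  # non-default port: nothing to report here
        findings.append(Finding(name, port, target, exposure, severity, msg))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Collapse a list of findings into the single highest severity."""
    order = {"none": 0, "info": 1, "medium": 2, "high": 3}
    return max((f.severity for f in findings), key=order.__getitem__, default="none")


# Constructed sample: the shape described in the thread, a ClusterIP Service
# on port 80 forwarding to the application's 8080.
INTERNAL_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "example-app"},
    "spec": {
        "type": "ClusterIP",
        "ports": [{"name": "http", "port": 80, "targetPort": 8080}],
    },
}

# Constructed sample: same ports, but published through a LoadBalancer.
EXTERNAL_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "example-app-public"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [
            {"name": "http", "port": 80, "targetPort": 8080},
            {"name": "https", "port": 443, "targetPort": 8443},
        ],
    },
}

if __name__ == "__main__":
    for svc in (INTERNAL_SERVICE, EXTERNAL_SERVICE):
        for f in triage_service(svc):
            print(f"[{f.severity}] {f.service} {f.port}->{f.target_port} ({f.exposure}): {f.message}")
```

Run against the internal sample it reports a single medium finding (plaintext on the cluster network), which drops to info once the mesh flag is set; the LoadBalancer sample yields a high finding for port 80 and an info entry for 443. The point is that "default port used" on its own is not a severity, and a reviewer triaging a Helm `values.yaml` needs the Service type and the transport security to rate it.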
Description
Greetings,
We are security researchers and we are looking for insecure coding patterns and configurations in microservice architecture repositories. In your repository, we have found instances of default port usage. According to a recent report, default port usages must be avoided: https://www.bleepingcomputer.com/news/security/most-cyber-attacks-focus-on-just-three-tcp-ports/#:~:text=According%20to%20the%20report%2C%20the,(Hypertext%20Transfer%20Protocol%20Secure)
What should happen?
Default ports and HTTP without TLS should be avoided
What happens instead?
Default ports are used
Source: https://github.com/brunojensen/chainsaw-kube/blob/master/charts/chainsaw-app-service/values.yaml
Fix: #27
I am interested to know if you agree with the findings. Any feedback is appreciated.