https://docs.kics.io/latest/queries/kubernetes-queries/2b1836f1-dcce-416e-8e16-da8c71920633/ says that specifying a host port is bad for security, which makes sense as it increases the attack surface through the exposed port on the nodes interface.
The query for terraform is exactly the other way around: https://github.com/Checkmarx/kics/blob/master/assets/queries/terraform/kubernetes/workload_host_port_not_specified/query.rego#L20 (and I think it just checks port and not port.host_port)
Example:
resource "kubernetes_deployment" "example" {
  metadata {
    name = "example"
  }
  spec {
    ...
    template {
      spec {
        container {
          name  = "example"
          image = "docker.io/rellyson/http-echo:0.3.0"
          port {
            container_port = 3000
          }
        }
      }
    }
  }
}
Expected Behavior
no error
Actual Behavior
Workload Host Port Not Specified, Severity: LOW, Results: 1
Description: Verifies if Kubernetes workload's host port is specified
Platform: Terraform
CWE: 665
Risk Score: 2.3
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/4e74cf4f-ff65-4c1a-885c-67ab608206ce
[1]: ../../data/echo-server.tf:30
029: image = "docker.io/rellyson/http-echo:0.3.0"
030: port {
031: container_port = 3000
Steps to Reproduce the Problem
just scan the example
Specifications
N/A
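To make the intended semantics concrete, the following added example (not KICS code and not from the issue author) walks a workload written in Terraform's JSON syntax (`.tf.json`) and reports a finding only when a container port block actually sets `host_port`, never merely because a `port` block exists. The sample documents, the resource-type list and the finding format are constructed for this illustration; the first sample mirrors the HCL example above and should produce no finding, while a variant that binds node port 8080 should produce exactly one.

```python
import json

# Constructed sample in Terraform JSON syntax, mirroring the issue's HCL:
# only container_port is set, so no host port is exposed on the node.
SAFE_TF_JSON = json.dumps({
    "resource": {"kubernetes_deployment": {"example": {
        "metadata": {"name": "example"},
        "spec": {"template": {"spec": {"container": [{
            "name": "example",
            "image": "docker.io/rellyson/http-echo:0.3.0",
            "port": [{"container_port": 3000}],
        }]}}},
    }}}
})

# Constructed variant that additionally binds port 8080 on the node interface.
HOST_PORT_TF_JSON = json.dumps({
    "resource": {"kubernetes_deployment": {"example": {
        "metadata": {"name": "example"},
        "spec": {"template": {"spec": {"container": [{
            "name": "example",
            "image": "docker.io/rellyson/http-echo:0.3.0",
            "port": [{"container_port": 3000, "host_port": 8080}],
        }]}}},
    }}}
})

# Workload resource types of the Terraform Kubernetes provider that carry a
# pod template under spec.template.spec (assumed list for this example).
WORKLOAD_TYPES = ("kubernetes_deployment", "kubernetes_daemonset",
                  "kubernetes_stateful_set")


def _as_list(block):
    """Terraform JSON encodes a nested block as one object or a list of objects."""
    if block is None:
        return []
    return block if isinstance(block, list) else [block]


def find_host_ports(tf_json_text):
    """Return one finding per container port block that sets host_port.

    A port block with only container_port is the normal, safe case and is
    deliberately not reported: the risk is the node-level binding that
    host_port creates, not the existence of a port declaration.
    """
    doc = json.loads(tf_json_text)
    findings = []
    resources = doc.get("resource", {})
    for rtype in WORKLOAD_TYPES:
        for rname, body in resources.get(rtype, {}).items():
            for spec in _as_list(body.get("spec")):
                for template in _as_list(spec.get("template")):
                    for pod_spec in _as_list(template.get("spec")):
                        # Both regular and init containers can declare ports.
                        containers = (_as_list(pod_spec.get("container")) +
                                      _as_list(pod_spec.get("init_container")))
                        for ci, container in enumerate(containers):
                            for pi, port in enumerate(_as_list(container.get("port"))):
                                if "host_port" in port:
                                    findings.append({
                                        "resource": f"{rtype}.{rname}",
                                        "container": container.get("name", f"container[{ci}]"),
                                        "port_index": pi,
                                        "host_port": port["host_port"],
                                        "container_port": port.get("container_port"),
                                    })
    return findings


if __name__ == "__main__":
    for label, text in (("safe", SAFE_TF_JSON), ("host_port", HOST_PORT_TF_JSON)):
        print(label, find_host_ports(text))
```

Running the module prints an empty list for the safe sample and a single finding for the variant; in a real policy the finding's `resource` and `container` fields are what a reviewer needs to locate the offending block.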