From e435c78b5a83980541833f2754b368709106fa1a Mon Sep 17 00:00:00 2001
From: Mateus Caruccio
Date: Tue, 3 Oct 2023 13:06:14 -0300
Subject: [PATCH] Restricts service check for type=LoadBalancer only

Service of type=LoadBalancer are the only where TLS/SSL annotations make sense. This patch avoids false-negatives for services of other ttypes.
---
 hardeneks/namespace_based/security/network_security.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hardeneks/namespace_based/security/network_security.py b/hardeneks/namespace_based/security/network_security.py
index 5607d4f..fba609d 100644
--- a/hardeneks/namespace_based/security/network_security.py
+++ b/hardeneks/namespace_based/security/network_security.py
@@ -13,7 +13,7 @@ def check(self, namespaced_resources: NamespacedResources):
         offenders = []
         for service in namespaced_resources.services:
             annotations = service.metadata.annotations
-            if annotations:
+            if service.spec.type == 'LoadBalancer' and annotations:
                 ssl_cert = (
                     "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
                     in annotations
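Review bot: The new condition still skips a `type=LoadBalancer` service whose `metadata.annotations` is `None`, which is exactly the case a TLS check should catch — such a service carries no `aws-load-balancer-ssl-cert` annotation at all, yet it never reaches the `ssl_cert` membership test. Splitting the guard, `annotations = service.metadata.annotations or {}` followed by `if service.spec.type == 'LoadBalancer':`, keeps the LoadBalancer filter while letting the existing `in annotations` test see the missing key. Whether a skipped service is ever appended to `offenders` depends on the rest of `check`, which continues outside the hunk, so this may already be handled there. The subject's "false-negatives" reads as the opposite of what the change fixes — non-LoadBalancer services being flagged for a missing annotation are false positives. The new literal uses single quotes while the neighbouring strings in the hunk use double quotes; `"LoadBalancer"` would match the file's style.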