
Workload is exposed through an ingress policy (medium risk) #25

Open
avik-so opened this issue Jun 9, 2020 · 4 comments

Comments


avik-so commented Jun 9, 2020

Is there a way to tell kube-scan that this is intentional?
Also, what is the suggested fix here if you want your service to be accessible from the internet?

@thehh1974
Contributor

There isn't a way to mark external exposure as intentional. While it may not be a misconfiguration, it adds risk of compromise of that workload.
Possible mitigations include:

  • Reducing the container capabilities of the exposed workload.
  • Creating network policies which limit outbound traffic from that workload only to the other services it needs to access.
  • Avoiding mounting a service account token in that workload.

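The three mitigations listed above, as an added example that is not part of this thread and not kube-scan's or Octarine's own code. It assumes a workload named `web` in namespace `demo` that is deliberately reachable through an ingress and that only needs to talk to a `web-backend` pod on TCP 9090 plus cluster DNS; all names, labels, ports and the image reference are constructed for illustration. Enforcing the NetworkPolicy requires a CNI that implements network policies, and the `kubernetes.io/metadata.name` namespace label used below is set automatically only on Kubernetes 1.21 and later (older clusters need an equivalent label applied to `kube-system` by hand).

```yaml
# Added example (not from kube-scan or this thread). Names are constructed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      # Mitigation 3: do not mount a service account token into the pod, so a
      # compromised container holds no credential for the Kubernetes API.
      automountServiceAccountToken: false
      containers:
        - name: web
          image: example.com/web:1.0   # placeholder image reference
          ports:
            - containerPort: 8080
          securityContext:
            # Mitigation 1: drop every Linux capability; add back individual
            # ones only if the process provably needs them (none here).
            capabilities:
              drop: ["ALL"]
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            readOnlyRootFilesystem: true
---
# Mitigation 2: egress from the exposed workload may reach only the backend
# it depends on and cluster DNS; any other outbound connection is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-egress
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Egress
  egress:
    # Backend pods in the same namespace (constructed label/port)
    - to:
        - podSelector:
            matchLabels:
              app: web-backend
      ports:
        - protocol: TCP
          port: 9090
    # Cluster DNS: namespaceSelector and podSelector in one entry are ANDed,
    # so only kube-dns pods in kube-system match.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply with `kubectl apply -f` and confirm the policy is honoured by running a connection attempt from the `web` pod to an address outside the allowed set; it should time out or be refused. As the reply above states, kube-scan will still report the ingress exposure itself, since these settings reduce the blast radius of a compromise rather than remove the exposure.
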

avik-so commented Jun 14, 2020

The result of this is developers ignoring the warning in other cases when it is not intentional.
Sounds like those mitigations would still cause the warning to be reported?

@thehh1974
Copy link
Contributor

We are working on taking into account mitigations when calculating the risk score.
It will not cause exposure not to be reported though.
The way to express intent is via policy, which, at this time, is only supported in our (Octarine) enterprise product.


avik-so commented Jul 2, 2020

Thanks for your response. A lower score would be very helpful. You can close this issue; in case you want to use this issue for that feature you are working on, I'm not closing it myself.
