Block use of NodePort services [MTB-PL1-BC-HI-1]
Profile Applicability:
1
Type:
Behavioral Check
Category:
Host Isolation
Description:
Tenants should not be able to create services of type NodePort.
Rationale:
NodePorts configure host ports that cannot be secured using Kubernetes network policies and require upstream firewalls. Also, multiple tenants cannot use the same host port numbers.
Audit:
Create a deployment and an associated service exposing a NodePort. The service creation must fail.
Remediation:
Use a policy engine such as OPA/Gatekeeper or Kyverno to block NodePort Services. You can use the policies present here.
namespaceRequired:
1
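A Kyverno ClusterPolicy that enforces this check, added here as an illustration rather than taken from the benchmark's linked policy set; the policy name `disallow-nodeport` and the rule name are assumed, and the `=(type)` anchor is Kyverno's conditional-anchor syntax (validate the field only when it is present, since an omitted `type` defaults to ClusterIP):

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-nodeport          # assumed name for this example
  annotations:
    policies.kyverno.io/title: Disallow NodePort
    policies.kyverno.io/category: Host Isolation
    policies.kyverno.io/description: >-
      NodePort Services expose host ports that Kubernetes network policies
      cannot restrict and that tenants cannot share. This policy rejects any
      Service whose spec.type is NodePort.
spec:
  # Enforce = the API server rejects the request; use Audit to report only.
  validationFailureAction: Enforce
  # Also flag pre-existing Services that already violate the rule.
  background: true
  rules:
    - name: validate-nodeport
      match:
        any:
          - resources:
              kinds:
                - Service
      validate:
        message: "Services of type NodePort are not allowed in tenant namespaces."
        pattern:
          spec:
            # Only evaluated when spec.type exists; it must then not be NodePort.
            =(type): "!NodePort"
```

Running the benchmark's audit step against a cluster with this policy applied, a `kubectl create service nodeport` (or a manifest with `spec.type: NodePort`) is rejected at admission with the message above, while ClusterIP and headless Services are unaffected.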