Terraform Insecure Http Port
Description
Detects Kubernetes services configured with insecure HTTP ports in Terraform manifests. This represents a security risk as unencrypted HTTP traffic could expose sensitive data or allow traffic interception in a Kubernetes cluster.
Detection Strategy
• Identifies Terraform resources of type 'kubernetes_service' or 'kubernetes_service_v1'
• Examines the 'spec' block within the service definition
• Checks if ports are configured to use insecure HTTP communication
• Reports a vulnerability when a service is exposed using non-encrypted HTTP ports without TLS/HTTPS
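The detection strategy above, sketched as a small Python checker. This is an added example, not Fluid Attacks' implementation: the criteria for "insecure HTTP" (port 80/8080 or a port named http), the function names and the sample Terraform are assumptions, and the brace matcher is not a full HCL parser.

```python
import re

# Assumed criteria (the page gives none): port 80/8080 or a port named "http".
HTTP_PORTS = {"80", "8080"}
RESOURCE_RE = re.compile(r'resource\s+"kubernetes_service(?:_v1)?"\s+"([^"]+)"\s*\{')
# Constructed sample input, not taken from the page or any real repository.
SAMPLE_TF = '''
resource "kubernetes_service" "web" {
  spec {
    selector = { app = "web" }
    port {
      name = "http"
      port = 80
    }
  }
}
resource "kubernetes_service_v1" "api" {
  spec {
    port { port = 443 }
  }
}
'''

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def child_blocks(body, name):
    """Yield the bodies of nested blocks called `name` (here: spec, port)."""
    for m in re.finditer(r"(?m)^\s*%s\s*\{" % name, body):
        yield block_body(body, m.end() - 1)

def attr(body, key):
    """Return the value of `key = value` in a block body, or None."""
    m = re.search(r'(?m)^\s*%s\s*=\s*"?([^"\s#]+)' % key, body)
    return m.group(1) if m else None

def find_insecure_http_services(tf_source):
    """Return (resource name, port) for each service port matching the criteria."""
    findings = []
    for res in RESOURCE_RE.finditer(tf_source):
        for spec in child_blocks(block_body(tf_source, res.end() - 1), "spec"):
            for port in child_blocks(spec, "port"):
                if attr(port, "port") in HTTP_PORTS or attr(port, "name") == "http":
                    findings.append((res.group(1), attr(port, "port")))
    return findings
```

Braces inside string literals or comments would confuse the matcher; a real scanner would work on a parsed HCL tree instead.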
Vulnerable code example
resource "kubernetes_service" "example" {
  metadata {
    name = "vulnerable-service"
  }
  spec {
    selector = {
      app = "example"
    }
    ...
Secure code example
resource "kubernetes_service" "example" {
  metadata {
    name = "secure-service"
    labels = {
      "app.kubernetes.io/name" = "example" # Standard K8s label format for better security classification
    }
  }
  spec {
    ...