Scenario #257
Security
K8s v1.21, Google Cloud
Exposing Cluster Services via LoadBalancer with Public IP
A Service of type LoadBalancer was exposed to the public internet with no access control in front of it, leaving the workload open to direct attack.
What Happened
A service was inadvertently exposed to the internet through an external LoadBalancer that had no access restrictions. On GKE a Service of type LoadBalancer is given a public IP by default, so attackers were able to send requests straight to the workload and probe it for exploitable vulnerabilities.
Diagnosis Steps
1. Inspected the Service object and found that it used type: LoadBalancer with no loadBalancerSourceRanges, no internal-load-balancer annotation and no authentication in front of the workload; the EXTERNAL-IP column of kubectl get svc showed a public address.
2. Found requests from unknown external IPs in the service's logs, which confirmed that the public address was being probed.
Root Cause
A misconfigured Service type exposed the workload to the public internet: the cloud provider allocated a public IP for the LoadBalancer, and nothing restricted who could reach it.
Fix/Workaround
• Changed the Service to type: ClusterIP (or, where an external entry point is genuinely needed, placed it behind an ingress controller with restricted access). On GKE, a Service that only needs to be reachable from inside the VPC can keep type: LoadBalancer with the annotation networking.gke.io/load-balancer-type: "Internal", which allocates a private address instead of a public one.
• Restricted the remaining public exposure with loadBalancerSourceRanges (enforced on GKE as VPC firewall rules) and added authentication to the exposed services. An allowlist of 0.0.0.0/0 is not a restriction, and an IP allowlist is not a substitute for authenticating requests.
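The following audit script is an added example that is not part of the original scenario; it implements the check from the Diagnosis Steps and shows the three fixes above side by side. It walks a Service list in the shape that kubectl get svc -A -o json returns and flags every type: LoadBalancer Service that is neither internal nor restricted by loadBalancerSourceRanges. loadBalancerSourceRanges and the two GKE internal-load-balancer annotations are real Kubernetes and GKE settings; the namespace, Service names, ports and IP ranges in the constructed samples are invented, and other cloud providers mark internal load balancers with their own annotations, which would have to be added to the table.

```python
"""Audit Kubernetes Service objects for unrestricted public LoadBalancer exposure.

Added example, not code from the original scenario. Input has the shape of
`kubectl get svc -A -o json`; the Service objects at the bottom are constructed
for illustration (namespace, names, ports and IP ranges are invented).
"""
from __future__ import annotations

from typing import Any

# GKE annotations that provision an internal (private-address) load balancer
# instead of a public one. The cloud.google.com key is the older spelling.
INTERNAL_LB_ANNOTATIONS = (
    ("networking.gke.io/load-balancer-type", "Internal"),
    ("cloud.google.com/load-balancer-type", "Internal"),
)

# Source ranges that match every address, i.e. an allowlist that restricts nothing.
WORLD_RANGES = {"0.0.0.0/0", "::/0"}


def is_internal_lb(svc: dict[str, Any]) -> bool:
    annotations = svc.get("metadata", {}).get("annotations") or {}
    return any(annotations.get(key) == value for key, value in INTERNAL_LB_ANNOTATIONS)


def audit_service(svc: dict[str, Any]) -> list[str]:
    """Return findings for one Service. An empty list means no public exposure was found."""
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return []  # ClusterIP / NodePort / ExternalName do not provision a cloud LB
    meta = svc.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    if is_internal_lb(svc):
        return []  # internal LB: no public IP is allocated
    ranges = spec.get("loadBalancerSourceRanges") or []
    if not ranges:
        return [f"{name}: public LoadBalancer with no loadBalancerSourceRanges "
                f"(reachable from any source IP)"]
    open_ranges = sorted(r for r in ranges if r in WORLD_RANGES)
    if open_ranges:
        return [f"{name}: loadBalancerSourceRanges includes {', '.join(open_ranges)}, "
                f"which allows every address"]
    return []


def audit(service_list: dict[str, Any]) -> list[str]:
    """Run audit_service over a Service list and collect all findings."""
    return [finding for item in service_list.get("items", []) for finding in audit_service(item)]


def make_service(name: str, svc_type: str, *, source_ranges: list[str] | None = None,
                 annotations: dict[str, str] | None = None) -> dict[str, Any]:
    """Build a minimal Service object with the same field layout the API returns."""
    spec: dict[str, Any] = {"type": svc_type, "selector": {"app": name},
                            "ports": [{"port": 80, "targetPort": 8080}]}
    if source_ranges is not None:
        spec["loadBalancerSourceRanges"] = source_ranges
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": name, "namespace": "payments", "annotations": annotations or {}},
            "spec": spec}


# Constructed samples: the misconfiguration from the scenario, the three ways of
# closing it, and an allowlist that only looks like a restriction.
WEAK = make_service("api", "LoadBalancer")
ALLOWLISTED = make_service("api", "LoadBalancer", source_ranges=["198.51.100.0/24"])
INTERNAL_ONLY = make_service("api", "LoadBalancer",
                             annotations={"networking.gke.io/load-balancer-type": "Internal"})
CLUSTER_ONLY = make_service("api", "ClusterIP")
FAKE_ALLOWLIST = make_service("api", "LoadBalancer", source_ranges=["0.0.0.0/0"])

if __name__ == "__main__":
    for line in audit({"items": [WEAK, ALLOWLISTED, INTERNAL_ONLY, CLUSTER_ONLY, FAKE_ALLOWLIST]}):
        print(line)
```

Run against a live cluster by replacing the constructed list with the parsed output of kubectl get svc -A -o json. Only WEAK and FAKE_ALLOWLIST produce findings; the ClusterIP, internal and properly allowlisted variants are silent, which is the state the fix above leaves the cluster in.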
Lessons Learned
Always secure services exposed via LoadBalancer: keep them internal or restrict the source IP ranges that can reach them, and put authentication in front of them. Restricting source IPs limits who can connect; it does not authenticate the requests that get through.
How to Avoid
1. Use an ingress controller with proper access control lists (ACLs) and authentication to control inbound traffic, rather than exposing each workload with its own LoadBalancer.
2. Avoid exposing services unnecessarily; default to type: ClusterIP, and where a LoadBalancer is required make it internal or restrict access to trusted IP ranges with loadBalancerSourceRanges.