I have a NodeJS app running in Kubernetes, which I’m trying to secure. My pod consists of three containers: the NodeJS app, an Oauth2_proxy container and an Envoy proxy container (the latter two are sidecar containers). They handle the authentication part and forward the request to the NodeJS app.
    kind: Deployment
    [...]
    containers:
      - name: envoy
        ports:
          - containerPort: 10000
        [...]
      - name: oauth2-proxy
        [...]
      - name: nodejs-app
        [...]
    kind: Service
    spec:
      type: NodePort
      ports:
        - port: 90
          targetPort: 10000  # envoy proxy
          nodePort: 30000
      [...]
I can access the pod using hostIP:30000. Doing it this way, I am redirected through the authentication flow, and afterwards to port 3030, which is the port of the NodeJS app.
The problem is, I can completely bypass the authentication part and access the node app directly from outside the cluster using ServiceEndpointIP:3030. How can I make any ports other than the targetPort inaccessible from outside the cluster?
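The standard Kubernetes mechanism for this is a NetworkPolicy on the pod that whitelists only the Envoy listener port. The manifest below is an added example and not part of the original question; it assumes the Deployment's pods carry the label app: nodejs-app and live in the default namespace (both hypothetical, substitute your own), and it only has an effect if the cluster's CNI plugin enforces NetworkPolicy (Calico, Cilium, Weave Net and similar do; plain kubenet or flannel silently ignore the object).

```yaml
# Added example (not from the original question). Assumes pods labelled
# app: nodejs-app in namespace default, and a CNI that enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nodejs-app-envoy-only
  namespace: default
spec:
  # Select the pods of the Deployment above (label is an assumption).
  podSelector:
    matchLabels:
      app: nodejs-app
  # Only ingress is restricted; egress stays open so the OAuth2 flow can
  # still reach the identity provider.
  policyTypes:
    - Ingress
  ingress:
    # No "from" clause, so any source may connect, which the NodePort
    # Service needs (traffic arrives from the node via kube-proxy).
    # Only TCP/10000 (Envoy) is listed; because 3030 appears in no rule,
    # direct connections to the pod IP on that port are dropped.
    - ports:
        - protocol: TCP
          port: 10000
```

Two points worth knowing before relying on this. First, the policy does not interfere with the sidecars: Envoy and oauth2-proxy reach the NodeJS app over the pod's own loopback interface, and NetworkPolicy applies only to traffic entering the pod's network namespace from outside it. Second, as defense in depth independent of the CNI, have the NodeJS app listen on 127.0.0.1:3030 rather than 0.0.0.0:3030; the sidecars still reach it over loopback, and a missing or unenforced NetworkPolicy then no longer exposes the unauthenticated port on the pod IP.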