How to properly secure a container (NodeJS app)

I have a NodeJS app running in Kubernetes, which I'm trying to secure. My pod consists of three containers: the NodeJS app, an Oauth2_proxy container and an Envoy Proxy container (sidecar containers). The latter two handle the authentication part and forward the request to the NodeJS app.

kind: Deployment
[...]
  containers:
    - name: envoy
      ports:
        - containerPort: 10000
      [...]

    - name: oauth2-proxy
      [...]

    - name: nodejs-app
      [...]
---
kind: Service
spec:
  type: NodePort
  ports:
    - port: 90
      targetPort: 10000 # envoy proxy
      nodePort: 30000
  [...]

I can access the pod using hostIP:30000. Doing it this way, I am redirected through the authentication flow, and afterwards to port 3030, which is the port of the NodeJS app.
The problem is, I can completely bypass the authentication part and access the Node app directly from outside the cluster using ServiceEndpointIP:3030. How can I make any ports other than the targetPort inaccessible from outside the cluster?

Any ideas? :confused:

Where is it getting port 3030 from? Is it exposed in one of the containers?

All the containers within a pod share a network namespace, so you should also be able to bind the oauth2-proxy and app to listen on localhost only, with envoy being the only thing listening on 0.0.0.0.

Yes, port 3030 is exposed in the container of the Node app. I tried to make the Node app listen on localhost only, but now I can't access it (envoy gives upstream error) after doing the login process. Thanks anyway :slight_smile: