I have a NodeJS app running in Kubernetes, which I'm trying to secure. My pod consists of three containers: the NodeJS app, an Oauth2_proxy container and an Envoy Proxy container (the latter two are sidecar containers). The sidecars handle the authentication part and forward the request to the NodeJS app.
```yaml
kind: Deployment
[...]
      containers:
        - name: envoy
          ports:
            - containerPort: 10000
          [...]
        - name: oauth2-proxy
          [...]
        - name: nodejs-app
          [...]
---
kind: Service
spec:
  type: NodePort
  ports:
    - port: 90
      targetPort: 10000 # envoy proxy
      nodePort: 30000
[...]
```
I can access the pod using hostIP:30000. Doing it this way, I am redirected through the authentication flow and afterwards to port 3030, which is the port of the NodeJS app.
The problem is that I can completely bypass the authentication part and access the node app directly from outside the cluster using ServiceEndpointIP:3030. How can I make any ports other than the targetPort inaccessible from outside the cluster?
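One way to close the direct path to port 3030 is a NetworkPolicy that only admits ingress to the Envoy port; the example below is added here and is not part of the question. It assumes the pod is labelled `app: nodejs-app`, lives in the `default` namespace, and that the cluster's CNI plugin enforces NetworkPolicy (if it does not, the object is accepted but has no effect). Because the three containers share one network namespace, the sidecars still reach the app over localhost, so binding the NodeJS server to `127.0.0.1` (e.g. `app.listen(3030, '127.0.0.1')`) is a complementary fix that does not depend on the CNI.

```yaml
# Added example, not from the original question: allow traffic into the pod
# only on Envoy's port (10000); every other pod port, including the NodeJS
# app on 3030, is denied to any client outside the pod.
# Assumptions: pod label app: nodejs-app, namespace "default", and a CNI
# plugin that enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nodejs-app-ingress-via-envoy-only
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nodejs-app      # assumed label; must match the Deployment's pod template
  policyTypes:
    - Ingress              # only ingress is restricted; egress is left untouched
  ingress:
    - ports:               # no "from" clause: any source may reach this port,
        - protocol: TCP    # which keeps the NodePort (SNAT'd from the node) working
          port: 10000      # Envoy's containerPort
```

Verify the policy is enforced by curling `podIP:3030` from another pod or from a node: the request should time out, while `hostIP:30000` still goes through the authentication flow.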