Kubernetes Exposed Service Created With Type NodePort

Last updated 2 months ago on 2025-06-18

Created 3 years ago on 2022-07-05

About

This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.

Tags

Data Source: KubernetesTactic: ExecutionTactic: PersistenceLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ External Remote Services (T1133)(opens in a new tab or window)

False Positive Examples

Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting <NodeIP>:<NodePort>. NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-kubernetes.audit_logs-*
Related Integrations: kubernetes(opens in a new tab or window)
Query

event.dataset : "kubernetes.audit_logs"
  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
  and kubernetes.audit.objectRef.resource:"services"
  and kubernetes.audit.verb:("create" or "update" or "patch")
  and kubernetes.audit.requestObject.spec.type:"NodePort"

Install detection rules in Elastic Security

Detect Kubernetes Exposed Service Created With Type NodePort in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).