From 0a3f0cef1556d3352ab0c14f7b58fde2d540e19e Mon Sep 17 00:00:00 2001
From: PDTeamX <8293321+ehsandeep@users.noreply.github.com>
Date: Fri, 1 Aug 2025 00:33:16 +0530
Subject: [PATCH 1/5] Add Discovery Target Exclusions documentation
- Add comprehensive documentation for asset exclusion functionality
- Create cloud/assets/exclusions.mdx with detailed usage guide
- Include pattern examples, best practices, and management instructions
- Add exclusions section to Assets navigation in mint.json
- Update overview.mdx to include Target Exclusions card
- Document global nature of exclusions across all discovery operations
- Clarify navigation path through Settings rather than Assets sidebar
---
cloud/assets/exclusions.mdx | 184 ++++++++++++++++++++++++++++++++++++
cloud/assets/overview.mdx | 7 ++
mint.json | 1 +
3 files changed, 192 insertions(+)
create mode 100644 cloud/assets/exclusions.mdx
diff --git a/cloud/assets/exclusions.mdx b/cloud/assets/exclusions.mdx
new file mode 100644
index 0000000..ed2d42d
--- /dev/null
+++ b/cloud/assets/exclusions.mdx
@@ -0,0 +1,184 @@
+---
+title: "Discovery Target Exclusions"
+description: "Configure patterns to exclude specific targets from asset discovery"
+sidebarTitle: "Target Exclusions"
+---
+
+## Overview
+
+Discovery Target Exclusions allow you to proactively prevent specific assets or patterns from being discovered during asset enumeration. When exclusions are configured, these targets are actively filtered out of the discovery process, helping you focus on relevant assets and reduce noise in your asset inventory.
+
+This feature is particularly useful for excluding internal staging environments, test domains, government domains, or any other assets that should not be included in your attack surface monitoring.
+
+
+ **Quick Access**: Discovery Target Exclusions are managed in [Settings → Discovery Target Exclusions](https://cloud.projectdiscovery.io/settings/exclusions).
+
+
+## How It Works
+
+The exclusion system operates at the discovery layer, filtering out targets before they are added to your asset inventory. This ensures that excluded patterns are never discovered, scanned, or monitored by the platform.
+
+
+ **Global Exclusions**: Target exclusions are applied globally across all discovery operations. Once configured, exclusions affect all current and future asset discoveries, not just individual discovery sessions.
+
+
+### Supported Exclusion Types
+
+
+
+ Exclude specific subdomains from discovery
+
+
+ Exclude individual IP addresses or ranges
+
+
+ Use wildcard patterns to exclude multiple targets
+
+
+
+## Configuration
+
+### Adding Exclusions
+
+1. Navigate to **Settings → Discovery Target Exclusions** or visit [cloud.projectdiscovery.io/settings/exclusions](https://cloud.projectdiscovery.io/settings/exclusions)
+2. Click **+ Add Exclusion** to open the exclusion configuration panel
+3. Enter your exclusion patterns in the text area (one pattern per line)
+4. Click **Add** to save your exclusions
+
+### Exclusion Pattern Examples
+
+#### Basic Subdomain Exclusions
+```
+staging.company.com
+dev.company.com
+test.company.com
+internal-tools.company.com
+```
+
+#### Wildcard Patterns
+```
+*.staging.company.com
+test.*.company.com
+dev-*.internal.company.com
+```
+
+#### IP Address Exclusions
+```
+192.168.1.100
+10.0.0.0/8
+172.16.0.0/12
+```
+
+#### Government and Restricted Domains
+```
+*.gov
+*.mil
+*.edu
+```
+
+## Pattern Syntax
+
+### Wildcard Support
+
+The exclusion system supports wildcard patterns using the asterisk (`*`) character:
+
+- **Prefix wildcards**: `*.staging.company.com` - Excludes any subdomain ending with `.staging.company.com`
+- **Suffix wildcards**: `test.*.company.com` - Excludes any subdomain starting with `test.` and ending with `.company.com`
+- **Multiple wildcards**: `*.staging.*.company.com` - Supports multiple wildcards in a single pattern
+
+### Pattern Matching Rules
+
+- Patterns are **case-insensitive**
+- Each line represents a separate exclusion pattern
+- Patterns are matched during the discovery phase
+- Once excluded, targets will not appear in any subsequent discovery results
+
+## Best Practices
+
+
+
+ Use wildcard patterns to exclude entire environment categories:
+ ```
+ *.staging.company.com
+ *.dev.company.com
+ *.test.company.com
+ ```
+
+
+
+ Exclude internal-only domains and IP ranges:
+ ```
+ *.internal.company.com
+ 10.0.0.0/8
+ 192.168.0.0/16
+ 172.16.0.0/12
+ ```
+
+
+
+ Respect organizational policies by excluding restricted domains:
+ ```
+ *.gov
+ *.mil
+ *.edu
+ client-*.company.com
+ ```
+
+
+
+ Use broader patterns when possible to reduce configuration complexity:
+ - Instead of listing individual staging subdomains, use `*.staging.company.com`
+ - Group similar patterns together for better organization
+ - Regularly review and update exclusion patterns as your infrastructure evolves
+
+
+
+## Important Considerations
+
+
+ **Exclusions are Permanent**: Once a target is excluded, it will not be discovered in future enumerations. Make sure your exclusion patterns are accurate to avoid missing important assets.
+
+
+
+ **Discovery Impact**: Exclusions only affect the discovery process. If an asset was already discovered before adding an exclusion, it will remain in your inventory until manually removed.
+
+
+
+ **Testing Patterns**: Start with specific exclusions and gradually expand to broader patterns. This helps ensure you don't accidentally exclude important assets.
+
+
+## Managing Exclusions
+
+### Viewing Current Exclusions
+
+All active exclusions are displayed in the [Discovery Target Exclusions](https://cloud.projectdiscovery.io/settings/exclusions) interface as individual items in a list format. Each exclusion shows:
+- The exact pattern configured
+- A remove button (X icon) for easy deletion
+
+### Removing Exclusions
+
+To remove individual exclusions:
+1. Navigate to **Settings → Discovery Target Exclusions** or visit [cloud.projectdiscovery.io/settings/exclusions](https://cloud.projectdiscovery.io/settings/exclusions)
+2. Locate the exclusion you want to remove in the list
+3. Click the **X** icon next to the exclusion pattern
+4. The exclusion will be immediately removed from your configuration
+
+
+ Removing exclusions will allow those targets to be discovered in future enumerations.
+
+
+## Integration with Discovery Workflows
+
+Target exclusions integrate seamlessly with all discovery methods and are applied globally across the platform:
+
+- **Automatic Discovery**: Exclusions apply to all automated asset discovery processes
+- **Manual Enumeration**: Manually triggered discoveries respect exclusion patterns
+- **Cloud Integration**: Cloud-discovered assets are filtered against exclusion patterns
+
+
+ **Global Application**: All exclusion patterns apply to every discovery operation across your organization, ensuring consistent filtering regardless of the discovery method or who initiates it.
+
+
+---
+
+By implementing target exclusions, you can ensure that your asset discovery process focuses on the assets that matter most to your security posture while automatically filtering out noise and irrelevant targets.
\ No newline at end of file
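Review bot: The "Exclusions are Permanent" callout under Important Considerations contradicts the Removing Exclusions section in the same file, which says a removed pattern lets targets be discovered again in future enumerations; reword it to say the exclusion holds for as long as the pattern stays configured. Under Wildcard Support, `test.*.company.com` is labelled a suffix wildcard although the `*` sits in the middle of the name, and the section never says whether `*` spans more than one DNS label or whether `*.staging.company.com` also covers `staging.company.com` itself. Because these exclusions are global, that ambiguity decides which assets silently drop out of the inventory, so the matching semantics should be stated explicitly.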
diff --git a/cloud/assets/overview.mdx b/cloud/assets/overview.mdx
index 90e73a5..bd35df6 100644
--- a/cloud/assets/overview.mdx
+++ b/cloud/assets/overview.mdx
@@ -45,6 +45,13 @@ Our next‑generation asset discovery platform is built on a revolutionary three
>
Automatically discover and track all external-facing and internal assets using integrated tools like Subfinder, Naabu, Httpx, and more
+
+ Configure patterns to exclude specific targets from discovery using subdomains, IPs, or wildcard patterns
+
Date: Fri, 1 Aug 2025 01:57:07 +0530
Subject: [PATCH 2/5] Add Scan Exclusions documentation for vulnerability
scanning
- Create cloud/scanning/exclusions.mdx with comprehensive scan exclusions guide
- Document both Scan Target Exclusions and Scan Template Exclusions
- Include pattern examples for targets (domains, IPs, wildcards) and templates (CVEs, template IDs)
- Add best practices and use cases for both exclusion types
- Update cloud/scanning/overview.mdx to include Scan Exclusions card
- Add exclusions section to Vulnerability Scanning navigation in mint.json
- Document global application across all scanning operations
- Clarify management through Settings rather than scanning interface
- Provide examples matching the interface (CVE-2021-26855, CVE-2016-7981, etc.)
---
cloud/scanning/exclusions.mdx | 301 ++++++++++++++++++++++++++++++++++
cloud/scanning/overview.mdx | 9 +
mint.json | 1 +
3 files changed, 311 insertions(+)
create mode 100644 cloud/scanning/exclusions.mdx
diff --git a/cloud/scanning/exclusions.mdx b/cloud/scanning/exclusions.mdx
new file mode 100644
index 0000000..545a30e
--- /dev/null
+++ b/cloud/scanning/exclusions.mdx
@@ -0,0 +1,301 @@
+---
+title: "Scan Exclusions"
+description: "Configure target and template exclusions for vulnerability scanning"
+sidebarTitle: "Scan Exclusions"
+---
+
+## Overview
+
+Scan Exclusions provide granular control over your vulnerability scanning operations by allowing you to exclude specific targets or templates from scans. This feature helps optimize scan performance, reduce noise, and focus scanning efforts on relevant assets and vulnerabilities.
+
+The exclusion system operates at two levels:
+- **Scan Target Exclusions**: Prevent specific targets from being scanned
+- **Scan Template Exclusions**: Prevent specific vulnerability templates from being executed
+
+
+ **Quick Access**: Scan Exclusions are managed in [Settings → Scan Exclusions](https://cloud.projectdiscovery.io/settings/exclusions), available on the same page as Discovery Target Exclusions.
+
+
+## How It Works
+
+Scan exclusions are applied during the vulnerability scanning process, filtering targets and templates before scan execution. This ensures excluded patterns are never scanned or tested, optimizing scan performance and reducing irrelevant results.
+
+
+ **Global Exclusions**: Scan exclusions are applied globally across all vulnerability scanning operations. Once configured, exclusions affect all current and future scans across your organization.
+
+
+## Scan Target Exclusions
+
+### Overview
+
+Scan Target Exclusions allow you to exclude specific targets or patterns from vulnerability scanning. These targets will be skipped during all scan operations, including automated scans, manual scans, and scheduled scans.
+
+
+
+ Exclude specific subdomains from vulnerability scanning
+
+
+ Exclude individual IP addresses or ranges from scans
+
+
+ Use wildcard patterns to exclude multiple targets
+
+
+
+### Configuration
+
+#### Adding Target Exclusions
+
+1. Navigate to **Settings → Scan Exclusions** or visit [cloud.projectdiscovery.io/settings/exclusions](https://cloud.projectdiscovery.io/settings/exclusions)
+2. In the **Scan Target Exclusions** section, click **+ Add Exclusion**
+3. Enter your exclusion patterns in the text area (one pattern per line)
+4. Click **Add** to save your exclusions
+
+#### Target Exclusion Examples
+
+##### Basic Target Exclusions
+```
+staging.company.com
+dev.company.com
+test.company.com
+```
+
+##### Wildcard Patterns
+```
+*.staging.company.com
+dev-*.company.com
+test.*.internal.company.com
+```
+
+##### IP Address Exclusions
+```
+192.168.1.100
+10.0.0.0/8
+172.16.0.0/12
+```
+
+##### Production Systems
+```
+prod.company.com
+api.company.com
+*.production.company.com
+```
+
+### Target Exclusion Use Cases
+
+
+
+ Exclude development and testing environments to focus scans on production systems:
+ ```
+ *.dev.company.com
+ *.staging.company.com
+ *.test.company.com
+ ```
+
+
+
+ Exclude internal-only systems that don't require external vulnerability assessment:
+ ```
+ *.internal.company.com
+ 192.168.0.0/16
+ 10.0.0.0/8
+ ```
+
+
+
+ Exclude third-party managed services or customer environments:
+ ```
+ *.amazonaws.com
+ *.azure.com
+ customer-*.company.com
+ ```
+
+
+
+## Scan Template Exclusions
+
+### Overview
+
+Scan Template Exclusions allow you to exclude specific vulnerability templates, CVEs, or template patterns from being executed during scans. This is useful for avoiding false positives, excluding low-priority vulnerabilities, or skipping checks that are not relevant to your environment.
+
+
+
+ Exclude specific CVE vulnerability checks
+
+
+ Exclude specific Nuclei template identifiers
+
+
+ Use patterns to exclude groups of related templates
+
+
+
+### Configuration
+
+#### Adding Template Exclusions
+
+1. Navigate to **Settings → Scan Exclusions** or visit [cloud.projectdiscovery.io/settings/exclusions](https://cloud.projectdiscovery.io/settings/exclusions)
+2. In the **Scan Template Exclusions** section, click **+ Add Exclusion**
+3. Enter your template exclusion patterns (one pattern per line)
+4. Click **Add** to save your exclusions
+
+#### Template Exclusion Examples
+
+##### CVE Exclusions
+```
+CVE-2021-26855
+CVE-2016-7981
+CVE-2021-1491
+```
+
+##### Template ID Exclusions
+```
+apache-detect
+nginx-version
+wordpress-detect
+```
+
+##### Pattern-Based Exclusions
+```
+*-detect
+CVE-2020-*
+wordpress-*
+apache-*
+```
+
+### Template Exclusion Use Cases
+
+
+
+ Exclude templates that consistently produce false positives in your environment:
+ ```
+ CVE-2021-26855
+ exchange-server-*
+ specific-template-id
+ ```
+
+
+
+ Exclude low-severity or informational checks to focus on critical issues:
+ ```
+ *-detect
+ *-version
+ *-disclosure
+ ```
+
+
+
+ Exclude templates for technologies not present in your environment:
+ ```
+ wordpress-*
+ drupal-*
+ joomla-*
+ sharepoint-*
+ ```
+
+
+
+ Exclude older CVEs that are not applicable to your modern infrastructure:
+ ```
+ CVE-2010-*
+ CVE-2011-*
+ CVE-2012-*
+ ```
+
+
+
+## Pattern Syntax
+
+### Wildcard Support
+
+Both target and template exclusions support wildcard patterns using the asterisk (`*`) character:
+
+- **Prefix wildcards**: `*.staging.company.com` or `CVE-2021-*`
+- **Suffix wildcards**: `wordpress-*` or `test-*.company.com`
+- **Multiple wildcards**: `*.staging.*.company.com` or `*-detect-*`
+
+### Pattern Matching Rules
+
+- Patterns are **case-insensitive**
+- Each line represents a separate exclusion pattern
+- Patterns are matched during the scan planning phase
+- Once excluded, targets/templates will not be included in any scan operations
+
+## Managing Exclusions
+
+### Viewing Current Exclusions
+
+All active exclusions are displayed in the respective sections of the [Scan Exclusions](https://cloud.projectdiscovery.io/settings/exclusions) interface as individual items in a list format. Each exclusion shows:
+- The exact pattern configured
+- A remove button (X icon) for easy deletion
+
+### Removing Exclusions
+
+To remove individual exclusions:
+1. Navigate to **Settings → Scan Exclusions** or visit [cloud.projectdiscovery.io/settings/exclusions](https://cloud.projectdiscovery.io/settings/exclusions)
+2. Locate the exclusion you want to remove in the appropriate section
+3. Click the **X** icon next to the exclusion pattern
+4. The exclusion will be immediately removed from your configuration
+
+
+ Removing target exclusions will allow those targets to be scanned in future operations. Removing template exclusions will re-enable those vulnerability checks in upcoming scans.
+
+
+## Best Practices
+
+
+
+ Focus exclusions on systems that shouldn't be scanned:
+ - Development and staging environments
+ - Internal management interfaces
+ - Third-party managed services
+ - Customer-owned infrastructure
+
+
+
+ Exclude templates that add noise without value:
+ - Known false positives for your environment
+ - Informational checks for technologies you don't use
+ - Low-priority vulnerabilities that distract from critical issues
+ - Legacy CVEs not applicable to your infrastructure
+
+
+
+ Periodically review and update exclusions:
+ - Remove exclusions for systems that now need scanning
+ - Add exclusions for new development environments
+ - Re-evaluate template exclusions as your infrastructure evolves
+ - Monitor scan results to identify new false positive patterns
+
+
+
+## Important Considerations
+
+
+ **Security Impact**: Target exclusions prevent vulnerability scanning of specified assets. Ensure excluded targets are secured through other means or don't require scanning.
+
+
+
+ **Template Coverage**: Template exclusions disable specific vulnerability checks. Make sure excluded templates aren't critical for your security posture.
+
+
+
+ **Performance Optimization**: Use exclusions strategically to improve scan performance by focusing on relevant assets and vulnerabilities while reducing noise.
+
+
+## Integration with Scanning Workflows
+
+Scan exclusions integrate seamlessly with all scanning operations and are applied globally across the platform:
+
+- **Automated Scans**: Exclusions apply to all automated vulnerability scanning processes
+- **Manual Scans**: User-initiated scans respect both target and template exclusions
+- **Scheduled Scans**: All scheduled scan operations honor exclusion patterns
+- **Retesting**: Vulnerability retesting operations also respect exclusion configurations
+
+
+ **Global Application**: All exclusion patterns apply to every scanning operation across your organization, ensuring consistent filtering regardless of the scan method or who initiates it.
+
+
+---
+
+By implementing scan exclusions, you can optimize your vulnerability scanning operations to focus on relevant targets and vulnerabilities while reducing noise and improving scan performance. This targeted approach ensures your security team can concentrate on the most important security issues affecting your infrastructure.
\ No newline at end of file
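Review bot: The "Production Systems" block under Target Exclusion Examples lists `prod.company.com`, `api.company.com` and `*.production.company.com`, which conflicts with the first use case ("focus scans on production systems") and, since the page says exclusions are global, would take production out of every automated, scheduled and retest scan. Drop that block or replace it with a non-production example. The template sections in this hunk also document wildcards (`*-detect`, `CVE-2020-*`) that 3/5 then states are unsupported; folding that correction into this patch avoids committing docs that are known to be wrong.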
diff --git a/cloud/scanning/overview.mdx b/cloud/scanning/overview.mdx
index 34f7428..cbf7927 100644
--- a/cloud/scanning/overview.mdx
+++ b/cloud/scanning/overview.mdx
@@ -17,6 +17,15 @@ ProjectDiscovery's vulnerability scanning platform combines an attacker's mindse
+
+
+ Configure target and template exclusions to optimize scanning performance and reduce noise
+
+
+ Verify vulnerability fixes through automated retesting workflows
+
+
+
## Attacker's Mindset vs Traditional Scanners
Traditional vulnerability scanners tend to focus on known vulnerabilities by matching software versions to CVE entries or using simple signature checks. ProjectDiscovery's platform takes an attacker's perspective from the start:
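Review bot: The second added card ("Verify vulnerability fixes through automated retesting workflows") is not mentioned in the commit message, which lists only a Scan Exclusions card for this file. Either note the retesting card in the message or move it to its own patch so the change is traceable.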
diff --git a/mint.json b/mint.json
index 4bc3e75..52bf0e7 100644
--- a/mint.json
+++ b/mint.json
@@ -404,6 +404,7 @@
"cloud/scanning/overview",
"cloud/scanning/external-scan",
"cloud/scanning/internal-scan",
+ "cloud/scanning/exclusions",
"cloud/scanning/retesting",
"cloud/scanning/parameters",
"cloud/scanning/real-time-scans"
From 86210d0e20ebb17d8bac8a3085a6babdcaedc639 Mon Sep 17 00:00:00 2001
From: PDTeamX <8293321+ehsandeep@users.noreply.github.com>
Date: Fri, 1 Aug 2025 02:00:31 +0530
Subject: [PATCH 3/5] Fix: Clarify that Scan Template Exclusions don't support
wildcards
- Remove wildcard pattern examples from template exclusions section
- Update Pattern Syntax to distinguish between target and template exclusions
- Clarify that template exclusions require exact CVE IDs and template IDs only
- Remove Pattern Matching card and update to 2-column layout for template cards
- Add explicit note about exact match requirement for template exclusions
- Update all use case examples to show only exact template identifiers
---
cloud/scanning/exclusions.mdx | 75 +++++++++++++++++++----------------
1 file changed, 41 insertions(+), 34 deletions(-)
diff --git a/cloud/scanning/exclusions.mdx b/cloud/scanning/exclusions.mdx
index 545a30e..8e68951 100644
--- a/cloud/scanning/exclusions.mdx
+++ b/cloud/scanning/exclusions.mdx
@@ -116,20 +116,21 @@ api.company.com
### Overview
-Scan Template Exclusions allow you to exclude specific vulnerability templates, CVEs, or template patterns from being executed during scans. This is useful for avoiding false positives, excluding low-priority vulnerabilities, or skipping checks that are not relevant to your environment.
+Scan Template Exclusions allow you to exclude specific vulnerability templates or CVEs from being executed during scans. This is useful for avoiding false positives, excluding low-priority vulnerabilities, or skipping checks that are not relevant to your environment.
-
+
Exclude specific CVE vulnerability checks
Exclude specific Nuclei template identifiers
-
- Use patterns to exclude groups of related templates
-
+
+ **Exact Match Only**: Template exclusions require exact template IDs or CVE identifiers. Wildcard patterns are not supported for template exclusions.
+
+
### Configuration
#### Adding Template Exclusions
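Review bot: The new "Exact Match Only" callout says wildcards are not supported but not what happens when one is entered, which matters because the previous revision of this page showed entries such as `CVE-2020-*` and `wordpress-*`. State whether such a pattern is rejected on save or stored and never matched, so users who already added them know to check their configuration.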
@@ -153,70 +154,76 @@ CVE-2021-1491
apache-detect
nginx-version
wordpress-detect
-```
-
-##### Pattern-Based Exclusions
-```
-*-detect
-CVE-2020-*
-wordpress-*
-apache-*
+exchange-server-rce
+drupal-sqli
```
### Template Exclusion Use Cases
- Exclude templates that consistently produce false positives in your environment:
+ Exclude specific templates that consistently produce false positives in your environment:
```
CVE-2021-26855
- exchange-server-*
+ exchange-server-rce
specific-template-id
+ apache-default-page
```
- Exclude low-severity or informational checks to focus on critical issues:
+ Exclude specific low-severity or informational checks to focus on critical issues:
```
- *-detect
- *-version
- *-disclosure
+ apache-detect
+ nginx-version
+ server-disclosure
+ http-title
```
- Exclude templates for technologies not present in your environment:
+ Exclude specific templates for technologies not present in your environment:
```
- wordpress-*
- drupal-*
- joomla-*
- sharepoint-*
+ wordpress-detect
+ drupal-version
+ joomla-core
+ sharepoint-detect
```
- Exclude older CVEs that are not applicable to your modern infrastructure:
+ Exclude specific older CVEs that are not applicable to your modern infrastructure:
```
- CVE-2010-*
- CVE-2011-*
- CVE-2012-*
+ CVE-2010-3972
+ CVE-2011-3192
+ CVE-2012-1823
+ CVE-2013-2251
```
## Pattern Syntax
-### Wildcard Support
+### Target Exclusions - Wildcard Support
+
+Target exclusions support wildcard patterns using the asterisk (`*`) character:
+
+- **Prefix wildcards**: `*.staging.company.com`
+- **Suffix wildcards**: `test-*.company.com`
+- **Multiple wildcards**: `*.staging.*.company.com`
+
+### Template Exclusions - Exact Match Only
-Both target and template exclusions support wildcard patterns using the asterisk (`*`) character:
+Template exclusions require exact identifiers:
-- **Prefix wildcards**: `*.staging.company.com` or `CVE-2021-*`
-- **Suffix wildcards**: `wordpress-*` or `test-*.company.com`
-- **Multiple wildcards**: `*.staging.*.company.com` or `*-detect-*`
+- **CVE IDs**: Must match exactly (e.g., `CVE-2021-26855`)
+- **Template IDs**: Must match the exact template identifier (e.g., `apache-detect`)
+- **No wildcards**: Patterns like `CVE-2021-*` or `*-detect` are not supported
### Pattern Matching Rules
-- Patterns are **case-insensitive**
+- **Target patterns** are case-insensitive and support wildcards
+- **Template patterns** are case-sensitive and require exact matches
- Each line represents a separate exclusion pattern
- Patterns are matched during the scan planning phase
- Once excluded, targets/templates will not be included in any scan operations
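Review bot: Pattern Matching Rules now makes template entries exact and case-sensitive, so every example identifier in this hunk needs to be a real template ID, yet the false-positive use case keeps the placeholder `specific-template-id` next to real-looking ones. Mark it as a placeholder or drop it, and confirm the newly added IDs (`exchange-server-rce`, `drupal-sqli`, `server-disclosure`, `joomla-core`) exist as written, since the page describes no feedback for an entry that matches nothing. Under Target Exclusions, `test-*.company.com` is still labelled a suffix wildcard although the `*` is mid-pattern.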
From ccb8dacd9a0c2c4659664a5f4141d4c50eb349da Mon Sep 17 00:00:00 2001
From: PDTeamX <8293321+ehsandeep@users.noreply.github.com>
Date: Fri, 1 Aug 2025 02:08:44 +0530
Subject: [PATCH 4/5] Update mint.json
---
mint.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mint.json b/mint.json
index 52bf0e7..d1f0cca 100644
--- a/mint.json
+++ b/mint.json
@@ -402,12 +402,12 @@
"iconType": "regular",
"pages": [
"cloud/scanning/overview",
+ "cloud/scanning/real-time-scans",
"cloud/scanning/external-scan",
"cloud/scanning/internal-scan",
- "cloud/scanning/exclusions",
"cloud/scanning/retesting",
"cloud/scanning/parameters",
- "cloud/scanning/real-time-scans"
+ "cloud/scanning/exclusions"
]
},
{
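Review bot: The commit message is only "Update mint.json" and does not say that this hunk reorders the navigation, moving `cloud/scanning/real-time-scans` up to second place and `cloud/scanning/exclusions` to the end. Add a one-line rationale, or fold the ordering into 2/5 where the exclusions entry is first added.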
From 1ab24867f12c84b157e3121fcb304af634f7566a Mon Sep 17 00:00:00 2001
From: PDTeamX <8293321+ehsandeep@users.noreply.github.com>
Date: Mon, 4 Aug 2025 15:29:54 -0700
Subject: [PATCH 5/5] Clarify Kubernetes integration requires public/external
access
- Add warning that Kubernetes integration only works with publicly accessible clusters
- Clarify that internal-only clusters will fail to integrate
- Add troubleshooting section for common integration failures
- Provide alternative solutions for internal clusters (cloud provider integrations)
- Fix formatting issue with Verify button text
- Add detailed accessibility requirements and examples
---
cloud/integrations.mdx | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/cloud/integrations.mdx b/cloud/integrations.mdx
index ab6ad23..8c1ddaf 100644
--- a/cloud/integrations.mdx
+++ b/cloud/integrations.mdx
@@ -630,8 +630,20 @@ Supported Kubernetes Services:
- Ingresses
- Cross-cloud cluster discovery
+
+ **Public/External Access Required**: Kubernetes integration only works with clusters that are publicly accessible or have external endpoints. Internal-only clusters (accessible only within private networks) will fail to integrate as ProjectDiscovery cannot reach them from the cloud platform.
+
+
**Kubernetes Integration Method**
+
+ **Cluster Accessibility**: Before attempting integration, ensure your Kubernetes cluster has public/external endpoints that ProjectDiscovery can access. This includes:
+ - Publicly accessible API servers
+ - External load balancers exposing services
+ - Internet-facing ingress controllers
+ - Clusters with public IP addresses
+
+
1. **Prepare Base64-Encoded Kubeconfig**
- Your kubeconfig file is typically located at:
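Review bot: The "Cluster Accessibility" list mixes four kinds of exposure without saying which one the kubeconfig-based connection actually needs; if only the API server endpoint named in the kubeconfig must be reachable, say so, rather than implying that services and ingress controllers have to be internet-facing too. Since step 1 has the user supply a base64-encoded kubeconfig, this is also the place to recommend a dedicated read-only credential instead of an admin context.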
@@ -660,7 +672,20 @@ Supported Kubernetes Services:
- Use the relevant context name if required.
3. **Define Integration Name & Verify**
- Choose a unique, descriptive name for this integration and click \*\*Verify \*\*to complete the integration.
+ Choose a unique, descriptive name for this integration and click **Verify** to complete the integration.
+
+**Troubleshooting Integration Failures**
+
+If your Kubernetes integration fails, the most common cause is cluster accessibility:
+
+- **Internal Clusters**: Clusters only accessible within private networks (VPN, internal VPCs) cannot be reached by ProjectDiscovery
+- **Firewall Restrictions**: Ensure your cluster's API server and services are accessible from the internet
+- **Network Policies**: Check that network policies allow external access to required endpoints
+- **Load Balancer Configuration**: Verify that external load balancers are properly configured and accessible
+
+
+ **Alternative for Internal Clusters**: For internal-only Kubernetes clusters, consider using the cloud provider integration (AWS EKS, GCP GKE, Azure AKS) which can discover cluster endpoints through the cloud provider's APIs, or manually add the cluster's external endpoints as assets.
+
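Review bot: The "Firewall Restrictions" bullet tells readers to make the API server and services "accessible from the internet" as a troubleshooting step, with no mention of limiting that access to the platform's source addresses. If ProjectDiscovery connects from a fixed set of addresses, document them here so the fix is an allowlist entry rather than an open API server. The "Network Policies" bullet should also say which policies it means, since Kubernetes NetworkPolicy objects govern pod traffic rather than API server reachability.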