turbot/ibm_compliance

Control: 7.1.2 Ensure TLS 1.2 for all inbound traffic at IBM Cloud Kubernetes Service Ingress

Description

Ensure that all insecure (HTTP) client requests to applications and services hosted on IBM Cloud Kubernetes Service are redirected to secure TLS connections (HTTPS), and ensure that only TLS versions 1.2+ are supported. You set up your Ingress ALB to secure your domain with the IBM-provided TLS certificate or your custom TLS certificate. Some users might try to access your apps by using an insecure http request to your ALB domain, for example http://www.myingress.com, instead of using https. You can use the redirect annotation to always convert insecure HTTP requests to HTTPS.

Remediation

  1. Edit the configuration file for the ibm-cloud-provider-ingress-cm configmap resource by running the following command:
kubectl edit cm ibm-cloud-provider-ingress-cm -n kube-system
  1. In the data section, remove the ssl-protocols key, or remove TLSv1 and TLSv1.1 from the value.

  2. Edit the configuration for your Ingress resource by running the following command:

kubectl edit ingress <my_ingress> -n <my_namespace>
  1. In the annotations section, add ingress.bluemix.net/redirect-to-https:"True".
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: myingress
annotations:
ingress.bluemix.net/redirect-to-https: "True"
spec:
tls:
- hosts:
- mydomain
secretName: mytlssecret
rules:
- host: mydomain
http:
paths:
- path: /
backend:
serviceName: myservice
servicePort: 8080

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_7_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_7_1_2 --share

SQL

This control uses a named query:

manual_control

Tags