Control: 7.1.2 Ensure TLS 1.2 for all inbound traffic at IBM Cloud Kubernetes Service Ingress
Description
Ensure that all insecure (HTTP) client requests to applications and services hosted on IBM Cloud Kubernetes Service are redirected to secure TLS connections (HTTPS), and ensure that only TLS versions 1.2+ are supported. You set up your Ingress ALB to secure your domain with the IBM-provided TLS certificate or your custom TLS certificate. Some users might try to access your apps by using an insecure http request to your ALB domain, for example http://www.myingress.com, instead of using https. You can use the redirect annotation to always convert insecure HTTP requests to HTTPS.
Remediation
- Edit the configuration file for the ibm-cloud-provider-ingress-cm configmap resource by running the following command:
kubectl edit cm ibm-cloud-provider-ingress-cm -n kube-system
In the data section, remove the ssl-protocols key, or remove TLSv1 and TLSv1.1 from the value.
Edit the configuration for your Ingress resource by running the following command:
kubectl edit ingress <my_ingress> -n <my_namespace>
- In the annotations section, add ingress.bluemix.net/redirect-to-https:"True".
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: myingress annotations: ingress.bluemix.net/redirect-to-https: "True" spec: tls: - hosts: - mydomain secretName: mytlssecret rules: - host: mydomain http: paths: - path: / backend: serviceName: myservice servicePort: 8080
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_7_1_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run ibm_compliance.control.cis_v100_7_1_2 --shareSQL
This control uses a named query:
manual_control