TLS 1.2 or higher enforced at ingress for all external traffic
Why it matters
Plaintext HTTP exposes session tokens, API keys, and user credentials to passive network interception — any attacker on the same network segment can harvest credentials in seconds (CWE-319, OWASP A02). NIST 800-53 SC-8 requires transmission confidentiality for all authenticated sessions. CIS Kubernetes 5.4.1 mandates TLS at ingress. Beyond credential theft, transport without TLS enables active MITM attacks where responses are modified in transit — undermining the integrity of every API response the client trusts.
Severity rationale
High because cleartext transmission of authentication tokens enables passive credential harvesting with no active exploit required — any network observer captures sessions.
Remediation
Configure TLS on every Kubernetes Ingress resource and redirect all HTTP to HTTPS. In your Ingress manifest (k8s/ingress.yaml):
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
```
Enforce TLS 1.2 minimum by setting the TLS policy in your ingress controller config. Disable TLS 1.0 and 1.1 explicitly.
Detection
- ID: tls-enforced
- Severity: high
- What to look for: Enumerate every external-facing Ingress, Service of type LoadBalancer, and API gateway configuration. For each, check whether TLS is configured with a minimum version of at least 1.2. Count the total external endpoints and how many enforce TLS 1.2+. Verify plaintext HTTP is not accepted for authenticated endpoints.
- Pass criteria: All external traffic across every Ingress and load balancer is encrypted with TLS 1.2 or higher. Each Ingress specifies `tls.hosts` and certificate references. No authenticated endpoint accepts plaintext HTTP — all HTTP traffic is redirected to HTTPS. Report: "X of Y external endpoints enforce TLS 1.2+."
- Fail criteria: Any Ingress does not specify TLS, any authenticated endpoint accepts plaintext HTTP, or TLS is configured but the minimum version is below 1.2 (e.g., TLS 1.0 or 1.1 still allowed).
- Skip (N/A) when: The project has no external-facing endpoints or is internal-only with no authentication.
- Detail on fail: Quote the Ingress name and its TLS config. Example: "Kubernetes Ingress 'app-ingress' does not specify TLS configuration. Endpoints served over plaintext HTTP." or "Ingress TLS is configured but supports TLS 1.0 — minimum should be 1.2"
- Remediation: Enforce TLS 1.2+ at the ingress layer. In Kubernetes, add TLS to Ingress:

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: app-ingress
  spec:
    tls:
    - hosts:
      - example.com
      secretName: tls-secret
    rules:
    - host: example.com
      http:
        paths:
        - path: /
          pathType: Prefix   # required by networking.k8s.io/v1
          backend:
            service:
              name: app-service
              port:
                number: 80
  ```

  Or redirect HTTP to HTTPS at the load balancer or ingress controller level. Disable TLS 1.0 and 1.1 in your TLS policy.
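As an added example (not part of this control's own tooling), the pass/fail criteria above applied to Ingress objects in the JSON shape `kubectl get ingress -A -o json` returns, plus the controller's protocol list. The sample Ingress objects and ConfigMap data are constructed; the `ssl-protocols` key is assumed to be the ingress-nginx ConfigMap setting that controls offered TLS versions.

```python
import json

# Constructed sample input, shaped like `kubectl get ingress -A -o json` output.
INGRESS_LIST = json.loads("""{"items": [
 {"metadata": {"name": "app-ingress",
   "annotations": {"nginx.ingress.kubernetes.io/ssl-redirect": "true"}},
  "spec": {"tls": [{"hosts": ["example.com"], "secretName": "tls-secret"}],
           "rules": [{"host": "example.com"}]}},
 {"metadata": {"name": "legacy-ingress"},
  "spec": {"rules": [{"host": "legacy.example.com"}]}}
]}""")
# Constructed controller ConfigMap data (assumed ingress-nginx `ssl-protocols` key).
CONTROLLER_CONFIG = {"ssl-protocols": "TLSv1.2 TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def ingress_findings(ingress, ssl_protocols):
    """Apply the fail criteria to one Ingress; an empty list means pass."""
    meta = ingress["metadata"]
    name, ann = meta["name"], meta.get("annotations", {})
    spec = ingress.get("spec", {})
    findings = []
    tls = spec.get("tls") or []
    if not tls:
        findings.append(f"Kubernetes Ingress '{name}' does not specify TLS configuration. "
                        "Endpoints served over plaintext HTTP.")
    else:
        # Every host in the rules must be covered by a tls entry with a certificate secret.
        rule_hosts = {r["host"] for r in spec.get("rules", []) if r.get("host")}
        tls_hosts = {h for entry in tls for h in entry.get("hosts", [])}
        for host in sorted(rule_hosts - tls_hosts):
            findings.append(f"Ingress '{name}': host {host} has no tls.hosts entry.")
        if any(not entry.get("secretName") for entry in tls):
            findings.append(f"Ingress '{name}': tls entry lacks a secretName reference.")
    # Explicitly disabling the redirect leaves plaintext HTTP accepted.
    if ann.get("nginx.ingress.kubernetes.io/ssl-redirect") == "false":
        findings.append(f"Ingress '{name}': ssl-redirect disabled; plaintext HTTP accepted.")
    weak = sorted(WEAK_PROTOCOLS & set(ssl_protocols.split()))
    if weak:
        findings.append(f"Ingress TLS is configured but supports {', '.join(weak)}; "
                        "minimum should be 1.2")
    return findings


def report(items, ssl_protocols):
    """Return the summary line required by the pass criteria plus per-Ingress findings."""
    results = {i["metadata"]["name"]: ingress_findings(i, ssl_protocols) for i in items}
    passing = sum(1 for f in results.values() if not f)
    return f"{passing} of {len(results)} external endpoints enforce TLS 1.2+.", results
```

Run `report(INGRESS_LIST["items"], CONTROLLER_CONFIG["ssl-protocols"])` to get the summary string and the findings to quote on fail.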
External references
- cwe · CWE-319 — Cleartext Transmission of Sensitive Information
- owasp:2021 · A02 — Cryptographic Failures
- nist:rev5 · SC-8 — Transmission Confidentiality and Integrity
- external · CIS-Kubernetes-5.4.1 — CIS Kubernetes Benchmark §5.4.1 — Prefer using secrets over environment variables
Taxons
History
- 2026-04-18·v1.0.0·Initial import from infrastructure-hardening·automated