Plaintext HTTP exposes session tokens, API keys, and user credentials to passive network interception — any attacker on the same network segment can harvest credentials in seconds (CWE-319, OWASP A02). NIST 800-53 SC-8 requires transmission confidentiality for all authenticated sessions. CIS Kubernetes 5.4.1 mandates TLS at ingress. Beyond credential theft, transport without TLS enables active MITM attacks where responses are modified in transit — undermining the integrity of every API response the client trusts.
High because cleartext transmission of authentication tokens enables passive credential harvesting with no active exploit required — any network observer captures sessions.
Configure TLS on every Kubernetes Ingress resource and redirect all HTTP to HTTPS. In your Ingress manifest (k8s/ingress.yaml):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - example.com
      secretName: tls-secret
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 80
Enforce TLS 1.2 minimum by setting the TLS policy in your ingress controller config. Disable TLS 1.0 and 1.1 explicitly.
ID: infrastructure-hardening.network-tls.tls-enforced
Severity: high
What to look for: Enumerate every external-facing Ingress, Service of type LoadBalancer, and API gateway configuration. For each, check whether TLS is configured with a minimum version of at least 1.2. Count the total external endpoints and how many enforce TLS 1.2+. Verify plaintext HTTP is not accepted for authenticated endpoints.
Pass criteria: All external traffic across every Ingress and load balancer is encrypted with TLS 1.2 or higher. Each Ingress specifies tls.hosts and certificate references. No authenticated endpoint accepts plaintext HTTP — all HTTP traffic is redirected to HTTPS. Report: "X of Y external endpoints enforce TLS 1.2+."
Fail criteria: Any Ingress does not specify TLS, any authenticated endpoint accepts plaintext HTTP, or TLS is configured but the minimum version is below 1.2 (e.g., TLS 1.0 or 1.1 still allowed).
Skip (N/A) when: The project has no external-facing endpoints or is internal-only with no authentication.
Detail on fail: Quote the Ingress name and its TLS config. Example: "Kubernetes Ingress 'app-ingress' does not specify TLS configuration. Endpoints served over plaintext HTTP." or "Ingress TLS is configured but supports TLS 1.0 — minimum should be 1.2"
Remediation: Enforce TLS 1.2+ at the ingress layer. In Kubernetes, add TLS to Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
spec:
  tls:
    - hosts:
        - example.com
      secretName: tls-secret
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix   # required in networking.k8s.io/v1
            backend:
              service:
                name: app-service
                port:
                  number: 80
Or redirect HTTP to HTTPS at the load balancer or ingress controller level. Disable TLS 1.0 and 1.1 in your TLS policy.
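An added example (not part of this check's own tooling) of how the "What to look for" and pass/fail criteria above can be automated against the JSON that `kubectl get ingress -A -o json` returns: it flags Ingresses with no TLS, rule hosts not covered by tls.hosts, missing secretName, a missing HTTP-to-HTTPS redirect annotation, and pre-1.2 protocols in the ingress-nginx `ssl-protocols` ConfigMap key, and produces the "X of Y" count the report requires. The sample Ingress objects and ConfigMap data are constructed for illustration; the check treats the redirect as passing only when an ingress-nginx redirect annotation is explicitly "true", which is an assumption of this example (controllers may also enforce the redirect globally).

```python
import json
# Constructed sample in the shape of `kubectl get ingress -A -o json` items (not a real cluster).
SAMPLE_INGRESSES = json.loads("""[
 {"metadata": {"name": "app-ingress", "namespace": "prod",
   "annotations": {"nginx.ingress.kubernetes.io/force-ssl-redirect": "true"}},
  "spec": {"tls": [{"hosts": ["example.com"], "secretName": "tls-secret"}],
           "rules": [{"host": "example.com"}]}},
 {"metadata": {"name": "legacy-ingress", "namespace": "prod"},
  "spec": {"rules": [{"host": "legacy.example.com"}]}},
 {"metadata": {"name": "partial-ingress", "namespace": "staging"},
  "spec": {"tls": [{"hosts": ["api.example.com"], "secretName": "api-tls"}],
           "rules": [{"host": "api.example.com"}, {"host": "admin.example.com"}]}}
]""")
# Constructed ingress-nginx ConfigMap data; `ssl-protocols` is the controller's protocol list.
SAMPLE_CONTROLLER_CONFIG = {"ssl-protocols": "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"}
REDIRECT_ANNOTATIONS = ("nginx.ingress.kubernetes.io/force-ssl-redirect",
                        "nginx.ingress.kubernetes.io/ssl-redirect")
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def check_ingress(ing):
    """Return the list of findings for one Ingress; an empty list means it passes."""
    meta = ing["metadata"]
    name = f"{meta.get('namespace', 'default')}/{meta['name']}"
    spec = ing.get("spec") or {}
    tls_hosts = {h for e in spec.get("tls") or [] for h in e.get("hosts") or []}
    findings = [f"{name}: tls entry without secretName" for e in spec.get("tls") or [] if not e.get("secretName")]
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and host not in tls_hosts:
            findings.append(f"{name}: no TLS configuration; served over plaintext HTTP" if not tls_hosts
                            else f"{name}: host {host} is not covered by tls.hosts")
    ann = meta.get("annotations") or {}
    if not any(ann.get(k) == "true" for k in REDIRECT_ANNOTATIONS):
        findings.append(f"{name}: HTTP-to-HTTPS redirect not explicitly enabled")
    return findings

def weak_protocols(controller_config):
    """Return protocols below TLS 1.2 enabled in the controller's ssl-protocols setting."""
    enabled = (controller_config.get("ssl-protocols") or "").split()
    return sorted(p for p in enabled if p in WEAK_PROTOCOLS)

def audit(ingresses, controller_config):
    """Return (compliant, total, findings) for the 'X of Y endpoints enforce TLS 1.2+' report."""
    findings, compliant = [], 0
    for ing in ingresses:
        f = check_ingress(ing)
        compliant += not f          # counts as compliant only with zero findings
        findings.extend(f)
    findings.extend(f"ingress controller: {p} still allowed; minimum should be TLS 1.2"
                    for p in weak_protocols(controller_config))
    return compliant, len(ingresses), findings
```

Running `audit(SAMPLE_INGRESSES, SAMPLE_CONTROLLER_CONFIG)` on the constructed data reports 1 of 3 Ingresses compliant, with the individual findings worded to match the "Detail on fail" format.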