Enforces that every ingress uses TLS encryption. This prevents accidentally creating insecure, unencrypted entry points to your cluster.
Note that this policy is part of the following security standards:
- bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A21

Example of an ingress that violates the policy; the lines marked with + are the tls section that has to be added to fix it:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: missing-tls
spec:
  rules:
  - host: missing-tls.example.syncier.cloud
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: backend-server
            port:
              number: 8080
+ tls:
+ - hosts:
+   - missing-tls.example.syncier.cloud
+   secretName: lets-encrypt-wildcard
To exclude an ingress from this policy, add the annotation securitytower.io/policy.exclusion.enforceingresstls with a justification, as in the example below.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: your-ingress
  annotations:
    securitytower.io/policy.exclusion.enforceingresstls: |-
      Describe why the ingress does not have a tls section.
...
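The following is an added example, not Security Tower's own implementation: a minimal re-implementation of the check this policy performs, applied to the manifests above (built as Python dicts so it runs without a YAML parser). An ingress passes when spec.tls is present and non-empty, or when it carries the exclusion annotation with a non-empty justification. It goes one step beyond the page by also flagging rule hosts that no tls entry covers; the wildcard handling (one label, *.domain) and the sample justification text are assumptions made here.

```python
EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.enforceingresstls"

def make_ingress(name, host, tls=None, annotations=None):
    """Build a minimal Ingress manifest as a dict (constructed sample data)."""
    manifest = {
        "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
        "metadata": {"name": name, "annotations": annotations or {}},
        "spec": {"rules": [{"host": host, "http": {"paths": [{
            "path": "/", "pathType": "Prefix",
            "backend": {"service": {"name": "backend-server", "port": {"number": 8080}}}}]}}]},
    }
    if tls:
        manifest["spec"]["tls"] = tls
    return manifest

def host_covered(host, tls_entries):
    """True if a tls entry names the host exactly or via a one-label wildcard (*.domain)."""
    for entry in tls_entries:
        for pattern in entry.get("hosts") or []:
            if pattern == host:
                return True
            if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def check_ingress(ingress):
    """Return a list of findings; an empty list means the policy is satisfied."""
    meta = ingress.get("metadata") or {}
    name = meta.get("name", "<unnamed>")
    # The exclusion is honoured only when the annotation carries a non-empty justification.
    if (meta.get("annotations") or {}).get(EXCLUSION_ANNOTATION, "").strip():
        return []
    spec = ingress.get("spec") or {}
    tls = spec.get("tls") or []
    if not tls:
        return [f"{name}: no spec.tls section, ingress would be served unencrypted"]
    findings = []
    for rule in spec.get("rules") or []:  # stricter variant: every rule host must be covered
        host = rule.get("host")
        if host and not host_covered(host, tls):
            findings.append(f"{name}: host {host} is not listed in any spec.tls entry")
    return findings

HOST = "missing-tls.example.syncier.cloud"
MISSING_TLS = make_ingress("missing-tls", HOST)
FIXED = make_ingress("missing-tls", HOST, tls=[{"hosts": [HOST], "secretName": "lets-encrypt-wildcard"}])
WILDCARD = make_ingress("wildcard", HOST, tls=[{"hosts": ["*.example.syncier.cloud"], "secretName": "lets-encrypt-wildcard"}])
WRONG_HOST = make_ingress("wrong-host", HOST, tls=[{"hosts": ["other.example.syncier.cloud"], "secretName": "other-cert"}])
EXCLUDED = make_ingress("plain-http", HOST, annotations={EXCLUSION_ANNOTATION: "TLS is terminated by the service mesh sidecar"})
```

Running check_ingress over the five constructed manifests reports only MISSING_TLS (no tls section) and WRONG_HOST (host not covered); FIXED, WILDCARD and EXCLUDED pass.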