Security Misconfiguration: HTTP Without TLS
akondasif opened this issue · comments
Dear Colleague,
We are looking to find ways to help developers find security misconfigurations, i.e., Kubernetes manifest configurations that violate security best practices for Kubernetes manifests.
We have noticed an instance of HTTP without TLS/SSL in one of your Kubernetes manifests. The recommended practice is use of secure HTTP for each team's development and production environment. Enabling TLS ensures secure communication between cluster components. Otherwise, the communication could susceptible to man in the middle attacks.
Location of security misconfiguration:
Please use SSL/TLS to fix this misconfiguration. We would like to hear if you agree to fix this misconfiguration or have fixed the misconfiguration.
Enabling TLS ensures secure communication between cluster components
You do realise that podinfo is not a cluster component right? TLS is fully supported in podinfo when using a service mesh or cert-manager.
Thanks for the feedback.