rspec/rules/S5332/kubernetes/rule.adoc

include::../description.adoc[]

== Ask Yourself Whether

* Application data needs to be protected against tampering or leaks when transiting over the network.
* Application data transits over an untrusted network.
* Compliance rules require the service to encrypt data in transit.
* OS-level protections against clear-text traffic are deactivated.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

* Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most common clear-text protocols:
** Use ``++sftp++``, ``++scp++``, or ``++ftps++`` instead of ``++ftp++``.
** Use ``++https++`` instead of ``++http++``.

It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire application or system.

== Sensitive Code Example

[source,yaml]
----
apiVersion: batch/v1
kind: Job
metadata:
  name: curl
spec:
  template:
    spec:
      containers:
      - name: curl
        image: curlimages/curl
        command: ["curl"]
        args: ["http://example.com/"] # Sensitive
----

== Compliant Solution

[source,yaml]
----
apiVersion: batch/v1
kind: Job
metadata:
  name: curl
spec:
  template:
    spec:
      containers:
      - name: curl
        image: curlimages/curl
        command: ["curl"]
        args: ["https://example.com/"]
----


== See

include::../common/resources/documentation.adoc[]

include::../common/resources/articles.adoc[]

include::../common/resources/standards-iac.adoc[]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

== Message

* Make sure that using clear-text protocols is safe here.

== Highlighting

Highlight the URL.

'''

endif::env-github,rspecator-view[]
Create rule S5332 (#3526) 2024-01-29 15:16:07 +01:00			`include::../description.adoc[]`

			`== Ask Yourself Whether`

			`* Application data needs to be protected against tampering or leaks when transiting over the network.`
			`* Application data transits over an untrusted network.`
			`* Compliance rules require the service to encrypt data in transit.`
			`* OS-level protections against clear-text traffic are deactivated.`

			`There is a risk if you answered yes to any of those questions.`

			`== Recommended Secure Coding Practices`

			`* Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most common clear-text protocols:`
			** Use ``++sftp++``, ``++scp++``, or ``++ftps++`` instead of ``++ftp++``.
			** Use ``++https++`` instead of ``++http++``.

			`It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire application or system.`

			`== Sensitive Code Example`

			`[source,yaml]`
			`----`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: curl`
			`spec:`
			`template:`
			`spec:`
			`containers:`
			`- name: curl`
			`image: curlimages/curl`
			`command: ["curl"]`
			`args: ["http://example.com/"] # Sensitive`
			`----`

			`== Compliant Solution`

			`[source,yaml]`
			`----`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: curl`
			`spec:`
			`template:`
			`spec:`
			`containers:`
			`- name: curl`
			`image: curlimages/curl`
			`command: ["curl"]`
			`args: ["https://example.com/"]`
			`----`

Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914) * Update JSON schema to include STIG ASD 2023-06-08 mapping * Update rules to add STIG metadata mappings --------- Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> 2024-05-06 07:56:31 +01:00
Create rule S5332 (#3526) 2024-01-29 15:16:07 +01:00			`== See`

Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914) * Update JSON schema to include STIG ASD 2023-06-08 mapping * Update rules to add STIG metadata mappings --------- Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> 2024-05-06 07:56:31 +01:00			`include::../common/resources/documentation.adoc[]`

			`include::../common/resources/articles.adoc[]`

			`include::../common/resources/standards-iac.adoc[]`

Create rule S5332 (#3526) 2024-01-29 15:16:07 +01:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`== Message`

			`* Make sure that using clear-text protocols is safe here.`

			`== Highlighting`

			`Highlight the URL.`

			`'''`

			`endif::env-github,rspecator-view[]`