rspec/rules/S5332/kubernetes/rule.adoc

include::../description.adoc[]

== Ask Yourself Whether

* Application data needs to be protected against tampering or leaks when transiting over the network.
* Application data transits over an untrusted network.
* Compliance rules require the service to encrypt data in transit.
* OS-level protections against clear-text traffic are deactivated.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

* Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most common clear-text protocols:
** Use ``++sftp++``, ``++scp++``, or ``++ftps++`` instead of ``++ftp++``.
** Use ``++https++`` instead of ``++http++``.

It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire application or system.

== Sensitive Code Example

[source,yaml]
----
apiVersion: batch/v1
kind: Job
metadata:
  name: curl
spec:
  template:
    spec:
      containers:
      - name: curl
        image: curlimages/curl
        command: ["curl"]
        args: ["http://example.com/"] # Sensitive
----

== Compliant Solution

[source,yaml]
----
apiVersion: batch/v1
kind: Job
metadata:
  name: curl
spec:
  template:
    spec:
      containers:
      - name: curl
        image: curlimages/curl
        command: ["curl"]
        args: ["https://example.com/"]
----

== See

* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information
* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

== Message

* Make sure that using clear-text protocols is safe here.

== Highlighting

Highlight the URL.

'''

endif::env-github,rspecator-view[]
Create rule S5332 (#3526) 2024-01-29 15:16:07 +01:00			`include::../description.adoc[]`

			`== Ask Yourself Whether`

			`* Application data needs to be protected against tampering or leaks when transiting over the network.`
			`* Application data transits over an untrusted network.`
			`* Compliance rules require the service to encrypt data in transit.`
			`* OS-level protections against clear-text traffic are deactivated.`

			`There is a risk if you answered yes to any of those questions.`

			`== Recommended Secure Coding Practices`

			`* Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most common clear-text protocols:`
			** Use ``++sftp++``, ``++scp++``, or ``++ftps++`` instead of ``++ftp++``.
			** Use ``++https++`` instead of ``++http++``.

			`It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire application or system.`

			`== Sensitive Code Example`

			`[source,yaml]`
			`----`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: curl`
			`spec:`
			`template:`
			`spec:`
			`containers:`
			`- name: curl`
			`image: curlimages/curl`
			`command: ["curl"]`
			`args: ["http://example.com/"] # Sensitive`
			`----`

			`== Compliant Solution`

			`[source,yaml]`
			`----`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: curl`
			`spec:`
			`template:`
			`spec:`
			`containers:`
			`- name: curl`
			`image: curlimages/curl`
			`command: ["curl"]`
			`args: ["https://example.com/"]`
			`----`

			`== See`

			`* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor`
			`* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information`
			`* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]`
			`* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]`

			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`== Message`

			`* Make sure that using clear-text protocols is safe here.`

			`== Highlighting`

			`Highlight the URL.`

			`'''`

			`endif::env-github,rspecator-view[]`