OpenShift must protect the confidentiality and integrity of transmitted information.

STIG ID: CNTR-OS-000820  |  SRG: SRG-APP-000439-CTR-001080 |  Severity: medium |  CCI: CCI-002418 |  Vulnerability Id: V-257567 | 

Vulnerability Discussion

OpenShift provides for two types of application level ingress types, Routes, and Ingresses. Routes have been a part of OpenShift since version 3. Ingresses were promoted out of beta in Aug 2020 (kubernetes v1.19). Routes provides for three type of TLS configuration options; Edge, Passthrough, and Re-encrypt. Each of those options provide TLS encryption over HTTP for inbound transmissions originating outside the cluster. Ingresses will have an IngressController associated that manages the routing and proxying of inbound transmissions.

Check

Verify that routes and ingress are using secured transmission ports and protocols by executing the following:

oc get routes --all-namespaces

Review the ingress ports, if the Ingress is not using a secure TLS transport, this is a finding.

Fix

Delete any Route or Ingress that does not use a secure transport.

oc delete route -n

or

oc delete ingress -n
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.