Json Yaml Gateway Server Uses Http
Description
Detects when Kubernetes API server configurations use the insecure HTTP protocol instead of HTTPS. Using HTTP for Kubernetes API server traffic transmits sensitive cluster-management data in plaintext, potentially exposing credentials and other confidential information to network eavesdropping.
Detection Strategy
• Inspects Kubernetes gateway configuration templates and files
• Identifies URL configurations and endpoints in the gateway settings
• Reports a vulnerability when the 'http://' scheme is specified instead of 'https://'
• Specifically focuses on server/gateway configurations rather than client connections
Vulnerable code example
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: vulnerable-gateway
spec:
  selector:
    app: gateway-controller
  servers: ...

✅ Secure code example
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: secure-gateway
  namespace: prod-gateway # Explicitly define namespace for better isolation
spec:
  selector:
    app: gateway-controller
  ...
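As an added example (not code from this page or from the vendor's scanner), the following Python script applies the detection strategy above to manifests shaped like the two examples: it reports every 'http://' URL literal and every entry under servers: that listens on plaintext HTTP without tls.httpsRedirect: true. The two embedded manifests are constructed for illustration; the field names it inspects (port.protocol, tls.httpsRedirect, tls.mode, tls.credentialName) are the Istio Gateway API's own. The parser handles only the block-style YAML subset these manifests use, which is an assumption of the example rather than a property of the rule.

```python
import re

# Plaintext URL literal anywhere in a configuration line.
HTTP_URL = re.compile(r"\bhttp://[^\s'\"]+")
# YAML comment: '#' at line start or preceded by whitespace.
COMMENT = re.compile(r"(^|\s)#.*$")


def find_insecure_http(yaml_text: str) -> list[str]:
    """Return findings for one Gateway manifest.

    1. any 'http://' URL literal (plaintext endpoint);
    2. any 'servers:' item with port.protocol HTTP that lacks
       tls.httpsRedirect: true (plaintext listener).
    Illustrative checker for block-style YAML only, not a general parser.
    """
    findings: list[str] = []
    servers: list[dict] = []  # one entry per '- ' item under servers:
    in_servers = False
    servers_indent = item_indent = None

    for lineno, raw in enumerate(yaml_text.splitlines(), 1):
        line = COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        text = line.strip()

        for m in HTTP_URL.finditer(text):
            findings.append(f"line {lineno}: plaintext URL {m.group(0)}")

        if text == "servers:":
            in_servers, servers_indent, item_indent = True, indent, None
            continue
        if not in_servers:
            continue
        # A sibling key at the same or shallower indent ends the block;
        # '- ' items may sit at the same indent as the 'servers:' key.
        if indent < servers_indent or (indent == servers_indent and not text.startswith("- ")):
            in_servers = False
            continue
        if text.startswith("- ") and item_indent in (None, indent):
            item_indent = indent
            servers.append({"line": lineno, "protocol": None, "redirect": False})
            text = text[2:].strip()  # '- port:' carries a key inline
        if not servers:
            continue
        key, _, value = text.partition(":")
        value = value.strip().strip("'\"")
        if key == "protocol":
            servers[-1]["protocol"] = value.upper()
        elif key == "httpsRedirect":
            servers[-1]["redirect"] = value.lower() == "true"

    for s in servers:
        if s["protocol"] == "HTTP" and not s["redirect"]:
            findings.append(f"line {s['line']}: server listens on plaintext HTTP "
                            "without tls.httpsRedirect")
    return findings


# Constructed sample: plaintext health URL plus an HTTP listener with no redirect.
VULNERABLE_GATEWAY = """\
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: vulnerable-gateway
  annotations:
    example.com/health-endpoint: http://gateway.internal/healthz
spec:
  selector:
    app: gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
"""

# Constructed sample: port 80 only redirects to HTTPS, traffic terminates on 443.
SECURE_GATEWAY = """\
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: secure-gateway
  namespace: prod-gateway
spec:
  selector:
    app: gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      credentialName: gateway-cert
"""

if __name__ == "__main__":
    for name, manifest in (("vulnerable", VULNERABLE_GATEWAY), ("secure", SECURE_GATEWAY)):
        print(name, find_insecure_http(manifest) or ["no findings"])
```

Run against the vulnerable manifest it reports two findings (the annotation URL on line 6 and the unredirected HTTP server starting on line 11); the secure manifest produces none, because its port-80 server exists only to redirect and the real listener is HTTPS with a certificate secret.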