yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster

Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecure-skip-tls-verify: true' key to secure communication.
Definition
rules:
- id: skip-tls-verify-cluster
  pattern: |
    cluster:
      ...
      insecure-skip-tls-verify: true
  message: "Cluster is disabling TLS certificate verification when communicating
    with the server. This makes your HTTPS connections insecure. Remove the
    'insecure-skip-tls-verify: true' key to secure communication."
  metadata:
    cwe:
    - "CWE-319: Cleartext Transmission of Sensitive Information"
    references:
    - https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster
    category: security
    technology:
    - kubernetes
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
    subcategory:
    - vuln
    likelihood: MEDIUM
    impact: MEDIUM
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  languages:
  - yaml
  severity: WARNING
Examples
skip-tls-verify-cluster.test.yaml
apiVersion: v1
clusters:
# ruleid: skip-tls-verify-cluster
- cluster:
    server: https://192.168.0.100:8443
    insecure-skip-tls-verify: true
  name: minikube1
# ok: skip-tls-verify-cluster
- cluster:
    server: https://192.168.0.101:8443
  name: minikube2
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: client.crt
    client-key: client.key
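Remediation for the flagged `minikube1` entry, added here as an example that is not part of the Semgrep rule or its test file: the first document repeats the flagged cluster, the second removes the key and trusts the cluster's CA instead. The CA file path is a placeholder assumption; `certificate-authority` and `certificate-authority-data` are the kubeconfig fields for supplying the CA.

```yaml
# Flagged: the client accepts whatever certificate the server presents,
# so the identity of the API server at this address is never checked.
clusters:
- cluster:
    server: https://192.168.0.100:8443
    insecure-skip-tls-verify: true
  name: minikube1
---
# Corrected: the key is removed and the server certificate is validated
# against the cluster CA. Without a CA entry the client falls back to the
# system trust store, which fails for a cluster with a private CA.
clusters:
- cluster:
    server: https://192.168.0.100:8443
    # Placeholder path (assumption): point this at the cluster's CA certificate.
    certificate-authority: /path/to/cluster-ca.crt
    # Alternative: embed the CA in the file instead of referencing a path.
    # certificate-authority-data: <base64-encoded PEM CA certificate>
  name: minikube1
```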
Short Link: https://sg.run/okyn