Security issues with multiple services behind Kubernetes ingress

I’m having trouble with my Kubernetes setup. I’ve got several backend services behind one ingress controller. The main portal loads fine and shows as secure. But when I open certain apps from the portal menu, they show up as insecure. What’s weird is this makes the portal page insecure too, even without refreshing it.

This only happens with some apps. I’ve got multiple apps on some containers, and only certain ones cause this issue. It’s like if I open four secure apps, then a fifth insecure one, all of them become insecure.

I’ve tried a few things:

  1. Switched from port 8080 to 8443 with HTTPS
  2. Enabled crossContext in Tomcat

My ingress YAML looks something like this:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: 'myapp'
  namespace: 'testenv'
  annotations:
    myapp.ingress.kubernetes.io/backend-path-prefix: '/'
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  ingressClassName: nginx
  rules:
    - host: example.mycompany.net
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: main-portal
                port:
                  number: 8443
          # More paths here...
  tls:
    - hosts:
        - example.mycompany.net
```

Any ideas what could be causing this? Is it a browser issue or something in my setup?

I'm curious if you are seeing this issue because some apps load non-secure content from external sources?

Try ensuring all endpoints use the same SSL cert and check network logs for mixed content. What changes did you notice with different apps?

Hey there! Sounds like you might be dealing with mixed content. Have you checked if those problematic apps are loading any resources over HTTP? That could trigger the browser to flag everything as insecure. Maybe try using Content Security Policy headers to enforce HTTPS across the board?

Based on your description, this issue likely stems from mixed content loading. Some of your applications may be fetching resources over insecure HTTP connections, triggering browser security warnings. To resolve this, conduct a thorough audit of all your applications, especially those causing the problem. Inspect their code and configurations to ensure they’re exclusively using HTTPS for all resource requests. Additionally, implement strict Content Security Policies (CSP) at the ingress level to enforce HTTPS usage across your entire cluster. This approach should prevent any app from inadvertently loading insecure content and compromising the overall security posture of your setup.
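
One way to start the mixed-content audit suggested in the replies above, as an added example that is not part of any post in this thread: a small Python scanner that lists subresources an app's HTML requests over plain `http://`. The function name `audit`, the sample page and its hostnames are constructed for illustration, and it checks static markup only, not URLs assembled by scripts or CSS at runtime.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# "active" (scripts, frames, stylesheets) is blocked on an HTTPS page;
# "passive" (images, media) has historically loaded while the browser
# dropped the secure indicator.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # stylesheets only, filtered below
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for (t, attr), kind in SUBRESOURCES.items():
            if tag != t or attr not in a:
                continue
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                continue
            url = a[attr].strip()
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))

def audit(html):
    """Return every http:// subresource referenced by an HTML document."""
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one insecure script, one insecure image, plus an
# http:// hyperlink, which is navigation and not mixed content.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://example.mycompany.net/app5/site.css">
<script src="http://cdn.example.invalid/lib.js"></script>
</head><body>
<img src="http://example.mycompany.net/app5/logo.png">
<a href="http://example.mycompany.net/help">help</a>
<img src="/app5/icon.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Running it over the HTML saved from each app that turns the portal insecure shows which tags need their URLs changed to HTTPS or to relative paths.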