Ingress TLS

BeaverDeck uses this check to identify Ingress TLS entries whose Secret reference is missing or unusable, a networking condition that may need operator review.

Permissions: viewing checks requires insights: view. Opening a linked object or logs requires the corresponding resource permission, and the BeaverDeck ServiceAccount must be allowed to read the Kubernetes resources used by the check. Suppressing a finding requires insights: edit and affects all users.
Check type: ingress-tls
Insights section: Networking Insights
Alert severity: Critical

When It Reports A Finding

An Ingress TLS entry has no secretName, references a missing Secret, references a Secret that is not type kubernetes.io/tls, or the Secret lacks tls.crt or tls.key.
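
The four conditions above can be reproduced offline against exported manifests. The following is an added example, not BeaverDeck's own code: the function names, the finding tuple layout, and the sample objects are assumptions made for illustration, and it treats an empty tls.crt or tls.key value as lacking the key.

```python
TLS_TYPE = "kubernetes.io/tls"

def check_entry(secrets, ns, entry):
    """Return a finding reason for one spec.tls entry, or None if it passes."""
    name = entry.get("secretName")
    if not name:
        return "no secretName"
    secret = secrets.get((ns, name))  # lookup is scoped to the Ingress namespace
    if secret is None:
        return f"Secret {name} not found in namespace {ns}"
    if secret.get("type") != TLS_TYPE:
        return f"Secret {name} has type {secret.get('type')}, not {TLS_TYPE}"
    data = secret.get("data") or {}
    # Assumption for this example: an empty value counts as lacking the key.
    missing = [k for k in ("tls.crt", "tls.key") if not data.get(k)]
    return f"Secret {name} lacks {', '.join(missing)}" if missing else None

def audit_ingress_tls(items):
    """Return (namespace, ingress, tls_index, reason) for each failing TLS entry."""
    secrets = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
               for o in items if o.get("kind") == "Secret"}
    findings = []
    for ing in (o for o in items if o.get("kind") == "Ingress"):
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        for idx, entry in enumerate(ing.get("spec", {}).get("tls") or []):
            reason = check_entry(secrets, ns, entry)
            if reason:
                findings.append((ns, name, idx, reason))
    return findings

def _obj(kind, ns, name, **rest):
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, **rest}

# Constructed sample objects (hypothetical names, placeholder base64 values).
PAIR = {"tls.crt": "Q0VSVA==", "tls.key": "S0VZ"}
SAMPLE = [
    _obj("Secret", "shop", "web-tls", type=TLS_TYPE, data=PAIR),
    _obj("Secret", "other", "edge-tls", type=TLS_TYPE, data=PAIR),
    _obj("Secret", "shop", "api-creds", type="Opaque", data={"tls.crt": "Q0VSVA=="}),
    _obj("Secret", "shop", "half-tls", type=TLS_TYPE, data={**PAIR, "tls.key": ""}),
    _obj("Ingress", "shop", "web", spec={"tls": [
        {"hosts": ["shop.example.test"], "secretName": "web-tls"},  # passes
        {"hosts": ["a.example.test"]},   # no secretName
        {"secretName": "edge-tls"},      # Secret exists only in namespace "other"
        {"secretName": "api-creds"},     # wrong Secret type
        {"secretName": "half-tls"},      # empty tls.key
    ]}),
]
```

The input is the items list from `kubectl get ingress,secret -A -o json`; that export contains private keys, so handle it as secret material.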

Why This Is A Problem

The ingress controller may fail to configure HTTPS or serve the wrong/default certificate, causing client errors and insecure fallback behavior.

Recommended Response

  1. Correct every Ingress TLS secretName and keep the Secret in the same namespace as the Ingress.
  2. Create a kubernetes.io/tls Secret containing non-empty tls.crt and tls.key, preferably through the cluster's certificate process.
  3. Check the ingress controller and certificate controller after updating the Secret.

Scope And Limitations

The check validates references, Secret type, and key presence. It does not validate certificate expiry, hostname coverage, trust chain, or whether the private key matches the certificate.

After remediation: refresh Networking Insights and verify the underlying resource or metric. Suppress the finding only when the condition is intentional and its risk is accepted.