Kubernetes Nginx Ingress to pod communication over https

2
votes

I am doing some research on how to implement https secure connection between Nginx Ingress -> backend services. So far I have SSL setup in Nginx Ingress controller that uses Lets Encrypt cert manager to rotate certificate using http-01 challenge.

Here is my scenario:

  1. Client from internet -> 2. Load balancer -> 3. Ingress Controller (that terminates TLS traffic) -> 4. Service (port 80) -> 5. Pod (port 80).

So my question is how can I secure communication between ingress controller and pod so that traffic is encrypted end to end? Do I need my own certificate authority to do that? If so, are there any open source solution that can handle certificate management just like Cert manager?

2
nginxsslkubernetescert-manager
The Ingress controller should be a part of your cluster only and the cluster shall reside in a VPN itself, aren' you talking about something like "doing SSL based communication inside the cluster", how is it beneficial even ?Tushar Mahajan

2 Answers

0
votes

Replace let`s encrypt with aws certificates because they are free. Validate your domains you use inside you cluster and then edit the main service of your ingress controller.Use this annotations if you like if you use aws.

annotations: service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:XXXXXXXX" service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy:"ELBSecurityPolicy-TLS-1-2-2017-01"

0
votes

1. Nginx ingress controller + DAPR

I am not sure I can post here youtube urls(at least I have never seen anyone doing that) but.. I think this is 100% exactly what you want. Your scenario is discussed in 1st topic, you need watch only it. Plus as a benefit - you will see step-by-step installation there. Personally I found that video very helpful

Secure Ingress pods communication

2. You can achieve that with Istio itself. Istio By Example!:Secure Ingress

3. Istio + Calico network policy for Istio

Enforce network policy for Istio

The Calico support for Istio service mesh has the following benefits:

-Pod traffic controls

Lets you restrict ingress traffic inside and outside pods and mitigate common threats to Istio-enabled apps.

-Supports security goals

Enables adoption of a zero trust network model for security, including traffic encryption, multiple enforcement points, and multiple identity criteria for authentication.