End-to-end encryption for services deployed in Kubernetes.

Neeraj Agrawal
Apr 11, 2020

These are the options that were explored for enabling end-to-end encryption for services deployed on Kubernetes.

AWS Application Load Balancer (ALB) Ingress Controller

  1. Does not support TLS passthrough: the ALB terminates the client's TLS session and opens a new one to the backend, so traffic is decrypted and then re-encrypted at the load balancer.
  2. Does not validate the backend certificate, so the hop from the load balancer to the pod is encrypted but the target is not authenticated. See Kevin Burke's article: https://kevin.burke.dev/kevin/aws-alb-validation-tls-reply/
  3. Each Ingress resource provisions its own load balancer, so the cost benefit is limited.

Follow this pattern for TLS between the load balancer and the service:

  • Install the certificate on the application container, OR
  • Install the certificate on a sidecar container such as nginx and use proxy_pass from nginx to forward to the application port. (To dump the request body on nginx use client_body_in_file_only on; for the response, see body_filter_by_lua.)

Use the following annotations on the Ingress resource. backend-protocol makes the ALB speak HTTPS to the targets; certificate-arn is the ACM certificate the ALB presents on its own HTTPS listener:

alb.ingress.kubernetes.io/backend-protocol: HTTPS
alb.ingress.kubernetes.io/certificate-arn: <certificate-arn>
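The sidecar pattern and the Ingress annotations above, put together as one set of manifests. This is an added example written for this page, not the post's own code: the names (myapp, the namespace, the image, the myapp-backend-tls Secret), the application port 8080, and the assumption that the application binds only to 127.0.0.1 so the plaintext hop never leaves the pod are all hypothetical. The Ingress uses the networking.k8s.io/v1beta1 API and the v1 ALB ingress controller annotations current in 2020, and the Service is NodePort because that controller's default instance target mode requires it. Replace <certificate-arn> with your ACM certificate ARN.

```yaml
# nginx sidecar: terminates TLS inside the pod and forwards to the app over loopback
apiVersion: v1
kind: ConfigMap
metadata:
  name: myapp-nginx-tls            # hypothetical name
  namespace: myapp                 # hypothetical namespace
data:
  nginx.conf: |
    events {}
    http {
      server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/tls/tls.crt;   # from the kubernetes.io/tls Secret mounted below
        ssl_certificate_key /etc/nginx/tls/tls.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        location / {
          proxy_pass http://127.0.0.1:8080;           # app is assumed to listen on loopback only
          proxy_set_header Host              $host;
          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto https;
        }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: myapp
spec:
  replicas: 2
  selector:
    matchLabels: {app: myapp}
  template:
    metadata:
      labels: {app: myapp}
    spec:
      containers:
        - name: app
          image: example.com/myapp:1.0   # hypothetical image; binds 127.0.0.1:8080, no containerPort exposed
        - name: tls-sidecar
          image: nginx:1.17
          ports:
            - {name: https, containerPort: 443}
          volumeMounts:
            - {name: nginx-conf, mountPath: /etc/nginx/nginx.conf, subPath: nginx.conf, readOnly: true}
            - {name: tls, mountPath: /etc/nginx/tls, readOnly: true}
      volumes:
        - name: nginx-conf
          configMap: {name: myapp-nginx-tls}
        - name: tls
          secret: {secretName: myapp-backend-tls}   # hypothetical kubernetes.io/tls Secret (tls.crt, tls.key)
---
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: myapp
spec:
  type: NodePort                   # required by the ALB ingress controller's default instance target mode
  selector: {app: myapp}
  ports:
    - {name: https, port: 443, targetPort: https}   # only the sidecar's TLS port is exposed
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: myapp
  namespace: myapp
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: <certificate-arn>   # ACM certificate for the ALB's listener
    alb.ingress.kubernetes.io/backend-protocol: HTTPS              # ALB -> pod hop over TLS
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: myapp
              servicePort: 443
```

Because the ALB does not validate the backend certificate, the certificate in the Secret can be self-signed and the setup will still work, but that also means the ALB-to-pod hop is not authenticated: restrict the node security group so only the ALB can reach the NodePort, and keep the application bound to loopback so the plaintext port is never reachable from outside the pod. The request and response dumping directives mentioned above (client_body_in_file_only, body_filter_by_lua) are debugging aids and are deliberately left out of this config; body_filter_by_lua also needs an nginx build with the Lua module.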


Software Engineer & Architect who knows Java, SQL, Docker, microservice, Kubernetes and AWS. https://www.linkedin.com/in/neeraj-agrawal-39b0105/