End to end encryption to the services deployed in Kubernetes.
1 min read · Apr 11, 2020
These are the options that were explored for enabling end-to-end encryption for services deployed on Kubernetes.
AWS Application Load Balancer (ALB) Ingress Controller
- Does not support TLS passthrough, which means traffic is decrypted at the load balancer and then encrypted again towards the backend.
- Does not validate the backend certificate; see Kevin Burke's article: https://kevin.burke.dev/kevin/aws-alb-validation-tls-reply/
- Each namespace provisions a new load balancer, so the cost benefit is limited.
Follow this pattern for TLS between the load balancer and the service:
- Install the certificate on the application container, OR
- Install the certificate on a sidecar container such as nginx and use proxy_pass from nginx to forward requests to the application port. (To dump the request body on nginx, use client_body_in_file_only on; for the response, see body_filter_by_lua.)
Use the following annotations on the Ingress resource:
alb.ingress.kubernetes.io/backend-protocol: https
alb.ingress.kubernetes.io/certificate-arn: <certificate-arn>
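A worked manifest for the sidecar pattern above, added here as an example and not part of the original post. It assumes an application container that listens on plain HTTP port 8080, a kubernetes.io/tls Secret named app-tls holding the certificate and key, and the image name example/app:1.0; <certificate-arn> is the placeholder from the post.

```yaml
apiVersion: v1
kind: ConfigMap
metadata: {name: nginx-tls-sidecar}
data:
  nginx.conf: |
    events {}
    http {
      server {
        listen 8443 ssl;
        ssl_certificate     /etc/nginx/tls/tls.crt;
        ssl_certificate_key /etc/nginx/tls/tls.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        location / { proxy_pass http://127.0.0.1:8080; }  # app container, pod loopback
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: app}
spec:
  selector: {matchLabels: {app: app}}
  template:
    metadata: {labels: {app: app}}
    spec:
      containers:
      - {name: app, image: example/app:1.0}   # assumed image; listens on 8080 (plain HTTP)
      - name: nginx-tls
        image: nginx:1.25
        ports: [{containerPort: 8443}]
        volumeMounts:
        - {name: conf, mountPath: /etc/nginx/nginx.conf, subPath: nginx.conf}
        - {name: tls, mountPath: /etc/nginx/tls, readOnly: true}
      volumes:
      - {name: conf, configMap: {name: nginx-tls-sidecar}}
      - {name: tls, secret: {secretName: app-tls}}   # assumed kubernetes.io/tls Secret
---
apiVersion: v1
kind: Service
metadata: {name: app}
spec: {type: NodePort, selector: {app: app}, ports: [{port: 443, targetPort: 8443}]}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/certificate-arn: <certificate-arn>   # placeholder from the post
spec: {rules: [{http: {paths: [{path: /, pathType: Prefix, backend: {service: {name: app, port: {number: 443}}}}]}}]}
```

The ALB terminates the client's TLS with the ACM certificate and opens a second TLS connection to port 8443 on the pod, so only the loopback hop between nginx and the app stays plaintext. Because the ALB does not validate the backend certificate, the sidecar certificate may be self-signed, but that hop is then encrypted, not authenticated.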