# TLS for Ingress/Gateway
TLS (Transport Layer Security) encrypts traffic between clients and your Kubernetes services. It’s essential for protecting sensitive data in transit.
## Why TLS?
TLS provides:
- Encryption - Data is encrypted in transit
- Authentication - Verifies server identity
- Integrity - Detects tampering
- Compliance - Required by many regulations
## TLS for Ingress

### Basic TLS Configuration

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
```
### Create TLS Secret

```bash
kubectl create secret tls tls-secret \
  --cert=tls.crt \
  --key=tls.key
```
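The `tls` block only protects the hosts it lists, and the `secretName` is what lets the controller find a certificate at all, so a host added to `rules` later without a matching `tls.hosts` entry is silently served over plain HTTP. The following check, an added example that is not part of the page or of any Kubernetes project, walks an Ingress manifest (as a dict, e.g. from `kubectl get ingress -o json`) and reports rule hosts with no TLS coverage, `tls` entries without a `secretName`, and stale `tls` hosts. The wildcard rule it applies (a leading `*.` covers exactly one DNS label) is an assumption mirroring the Ingress API, and `SAMPLE_INGRESS` is a constructed manifest.

```python
# Added example (not from the page): a pre-apply check that every host an Ingress
# routes for is also covered by a spec.tls entry with a secretName.

def host_matches(tls_host, rule_host):
    """Return True if a spec.tls.hosts entry covers an Ingress rule host.

    Assumption (mirrors the Ingress API wildcard rule, stated here, not on the page):
    a leading "*." covers exactly one DNS label; anything else must match exactly.
    """
    if tls_host.startswith("*."):
        suffix = tls_host[1:]                       # "*.example.com" -> ".example.com"
        if not rule_host.endswith(suffix):
            return False
        label = rule_host[:-len(suffix)]
        return bool(label) and "." not in label     # one label only, not "a.b.example.com"
    return tls_host == rule_host


def ingress_tls_findings(ingress):
    """Inspect an Ingress (as a dict) and return [(severity, message), ...] for TLS gaps."""
    spec = ingress.get("spec") or {}
    tls_entries = spec.get("tls") or []
    rule_hosts = [r["host"] for r in spec.get("rules") or [] if r.get("host")]
    findings = []

    if not tls_entries:
        return [("HIGH", "no spec.tls block: every rule host is served over plain HTTP")]

    covered = []
    for i, entry in enumerate(tls_entries):
        if not entry.get("secretName"):
            findings.append(("HIGH", f"tls[{i}] has no secretName, so no certificate can be served"))
        for h in entry.get("hosts") or []:
            covered.append(h)
            if not any(host_matches(h, rh) for rh in rule_hosts):
                findings.append(("LOW", f"tls host {h!r} matches no rule host (stale entry?)"))

    for rh in rule_hosts:
        if not any(host_matches(c, rh) for c in covered):
            findings.append(("HIGH", f"rule host {rh!r} is not covered by any tls.hosts entry"))
    return findings


def _rule(host):
    """Constructed sample rule using the page's backend (web-service:80)."""
    return {"host": host, "http": {"paths": [{"path": "/", "pathType": "Prefix",
            "backend": {"service": {"name": "web-service", "port": {"number": 80}}}}]}}


# Constructed sample: the page's Ingress after two hosts were added; one of them
# (legacy.example.org) is outside the wildcard and therefore has no TLS.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "tls-ingress"},
    "spec": {
        "tls": [{"hosts": ["example.com", "*.example.com"], "secretName": "tls-secret"}],
        "rules": [_rule("example.com"), _rule("api.example.com"), _rule("legacy.example.org")],
    },
}

if __name__ == "__main__":
    for severity, message in ingress_tls_findings(SAMPLE_INGRESS):
        print(f"{severity}: {message}")
```

Running it on the sample prints one HIGH finding for `legacy.example.org`; the same function can be pointed at every Ingress in a cluster as an admission-time or CI check.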
## cert-manager

cert-manager automates certificate issuance and renewal:

### Install

```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml
```
### Create ClusterIssuer

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com   # placeholder: use a mailbox you monitor for expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
```
### Use in Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
```
## Gateway API TLS

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tls-gateway
spec:
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - name: tls-secret
    allowedRoutes:
      namespaces:
        from: All
```
## mTLS

Mutual TLS authenticates both client and server:

### Istio mTLS

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
```
## Best Practices
- Use cert-manager - Automate certificate management
- Enable TLS everywhere - Encrypt all external traffic
- Use strong ciphers - Configure secure TLS settings
- Rotate certificates - Keep certificates up to date
- Monitor expiration - Alert before certificates expire
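"Monitor expiration" means looking at the certificate that actually sits in the `kubernetes.io/tls` Secret, not at the date cert-manager was supposed to renew it. The following script, an added example that is not part of the page, cert-manager, or kubectl, validates the shape of such a Secret (the `tls.crt`/`tls.key` keys that `kubectl create secret tls` writes) and reports how many days its certificate has left, using only the standard library. The minimal DER reader assumes the standard X.509 layout (`Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }`) and walks only as far as the `validity` field; `build_sample_pem` and `build_sample_secret` produce a constructed, unsigned certificate-shaped blob for demonstration, and the 30-day threshold is a chosen default.

```python
# Added example (not from the page): read the certificate inside a kubernetes.io/tls
# Secret and report how long it has left, without third-party libraries.
import base64
import datetime as dt


def utc(day):
    """Parse 'YYYY-MM-DD' into an aware UTC datetime (helper for samples and tests)."""
    return dt.datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _asn1_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                                     # RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag {tag:#x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def cert_validity(pem_text):
    """Return (notBefore, notAfter) of the first certificate in a PEM string."""
    body = "".join(line for line in pem_text.splitlines() if line and not line.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(body), 0)        # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                           # tbsCertificate SEQUENCE
    tag, _, after = _tlv(tbs, 0)
    pos = after if tag == 0xA0 else 0                   # skip optional [0] EXPLICIT version
    for _ in range(3):                                  # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    tag, validity, _ = _tlv(tbs, pos)                   # validity SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    t1, v1, nxt = _tlv(validity, 0)
    t2, v2, _ = _tlv(validity, nxt)
    return _asn1_time(t1, v1), _asn1_time(t2, v2)


def check_tls_secret(secret, now, warn_days=30):
    """Validate a kubernetes.io/tls Secret dict (shape of `kubectl get secret -o json`)."""
    issues = []
    if secret.get("type") != "kubernetes.io/tls":
        issues.append(f"type is {secret.get('type')!r}, expected 'kubernetes.io/tls'")
    data = secret.get("data") or {}
    for key in ("tls.crt", "tls.key"):
        if key not in data:
            issues.append(f"data.{key} is missing")
    days_left = None
    if "tls.crt" in data:
        not_before, not_after = cert_validity(base64.b64decode(data["tls.crt"]).decode("ascii"))
        days_left = (not_after - now).days
        if now < not_before:
            issues.append("certificate is not yet valid")
        if days_left < 0:
            issues.append(f"certificate expired {-days_left} days ago")
        elif days_left < warn_days:
            issues.append(f"certificate expires in {days_left} days (threshold {warn_days})")
    return {"issues": issues, "days_left": days_left}


# --- constructed sample input: an unsigned, certificate-shaped DER; not a real certificate ---
def _der(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_pem(not_before, not_after):
    """Constructed PEM whose only meaningful field is the validity window."""
    def utc_time(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))          # [0] version v3
                     + _der(0x02, b"\x01")                    # serialNumber
                     + _der(0x30, b"") + _der(0x30, b"")      # signature, issuer (empty placeholders)
                     + _der(0x30, utc_time(not_before) + utc_time(not_after))
                     + _der(0x30, b"") + _der(0x30, b""))     # subject, subjectPublicKeyInfo placeholders
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_sample_secret(not_before, not_after):
    """Constructed Secret with the same keys `kubectl create secret tls` writes."""
    pem = build_sample_pem(not_before, not_after)
    def enc(s):
        return base64.b64encode(s.encode("ascii")).decode("ascii")
    return {"type": "kubernetes.io/tls", "data": {"tls.crt": enc(pem), "tls.key": enc("<placeholder key>")}}


if __name__ == "__main__":
    sample = build_sample_secret(utc("2024-01-01"), utc("2024-04-01"))
    print(check_tls_secret(sample, now=utc("2024-03-12")))
```

`check_tls_secret` works on any real `kubernetes.io/tls` Secret fetched with `kubectl get secret <name> -o json`; feed its `issues` list to whatever alerting you already run so that a certificate cert-manager failed to renew is caught before clients start seeing TLS errors. The hand-written DER reader is kept deliberately small; in a production check the `cryptography` package or `openssl x509 -enddate` does the same parsing with full validation.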
## See Also
- Network Security - Overview of network security
- Network Policies - Pod-to-pod isolation