 

How to force SSL for Kubernetes Ingress on GKE

Is there a way to force an SSL upgrade for incoming connections on the ingress load-balancer? Or if that is not possible, can I disable port :80? I haven't found a good documentation page that outlines such an option in the YAML file. Thanks a lot in advance!

Simon Heinzle asked May 03 '16 10:05




2 Answers

https://github.com/kubernetes/ingress-gce#frontend-https

You can block HTTP through the annotation kubernetes.io/ingress.allow-http: "false" or redirect HTTP to HTTPS by specifying a custom backend. Unfortunately GCE doesn't handle redirection or rewriting at the L7 layer directly for you, yet. (see https://github.com/kubernetes/ingress-gce#ingress-cannot-redirect-http-to-https)

Update: GCP now handles redirection rules for load balancers, including HTTP to HTTPS. There doesn't appear to be a method to create these through Kubernetes YAML yet.

Prashanth B answered Sep 18 '22 20:09


This was already correctly answered by a comment on the accepted answer. But since the comment is buried I missed it several times.

As of GKE version 1.18.10-gke.600 you can add a k8s frontend config to redirect from http to https.

https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#https_redirect

```yaml
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: ssl-redirect
spec:
  redirectToHttps:
    enabled: true

# add below to ingress
# metadata:
#   annotations:
#     networking.gke.io/v1beta1.FrontendConfig: ssl-redirect
```
George B answered Sep 18 '22 20:09
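
An added example (not part of either answer or of the GKE documentation): a Python check that classifies each Ingress by the two mechanisms named in the answers above, so Ingresses still serving plain HTTP stand out. It assumes JSON in the shape of `kubectl get ingress,frontendconfig -A -o json`, that every Ingress is served by the GKE controller, and that a FrontendConfig is looked up in the Ingress's own namespace; the helper `_obj` and the sample objects are constructed.

```python
import json

ALLOW_HTTP = "kubernetes.io/ingress.allow-http"
FRONTEND_CFG = "networking.gke.io/v1beta1.FrontendConfig"

def audit_http_exposure(list_json):
    """Map 'namespace/name' of each Ingress to http-blocked, https-redirect or http-open."""
    items = json.loads(list_json).get("items", [])
    # FrontendConfigs that really enable the redirect, keyed by (namespace, name).
    redirecting = set()
    for obj in items:
        spec = obj.get("spec") or {}
        if obj.get("kind") == "FrontendConfig" and \
                (spec.get("redirectToHttps") or {}).get("enabled") is True:
            meta = obj["metadata"]
            redirecting.add((meta.get("namespace", "default"), meta["name"]))
    results = {}
    for obj in items:
        if obj.get("kind") != "Ingress":
            continue
        meta = obj["metadata"]
        ns = meta.get("namespace", "default")
        ann = meta.get("annotations") or {}
        if ann.get(ALLOW_HTTP) == "false":
            status = "http-blocked"      # port 80 is not served at all
        elif (ns, ann.get(FRONTEND_CFG)) in redirecting:
            status = "https-redirect"    # port 80 answers with a redirect
        else:
            status = "http-open"         # plain HTTP reaches the backend
        results[f"{ns}/{meta['name']}"] = status
    return results

def _obj(kind, ns, name, annotations=None, spec=None):
    meta = {"namespace": ns, "name": name, "annotations": annotations or {}}
    return {"kind": kind, "metadata": meta, "spec": spec or {}}

# Constructed sample, shaped like a kubectl "List" object (not real cluster output).
SAMPLE = json.dumps({"kind": "List", "items": [
    _obj("FrontendConfig", "web", "ssl-redirect",
         spec={"redirectToHttps": {"enabled": True}}),
    _obj("Ingress", "web", "shop", {FRONTEND_CFG: "ssl-redirect"}),
    _obj("Ingress", "web", "api", {ALLOW_HTTP: "false"}),
    _obj("Ingress", "web", "legacy"),
    # References a FrontendConfig that lives in another namespace: no redirect.
    _obj("Ingress", "staging", "shop", {FRONTEND_CFG: "ssl-redirect"}),
]})

if __name__ == "__main__":
    for name, status in sorted(audit_http_exposure(SAMPLE).items()):
        print(f"{status:15} {name}")
```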