I have an application that is internal and exposed only to other applications on the cluster by a service with a cluster IP. Other services access this application via its DNS name (serviceName-namespace.svc.cluster.local). This application handles sensitive data, so although all the communication is inside the cluster I would like to use TLS to secure the communications to this application.
My question is: how can I enable TLS on a service? Does something already exist for this, or should I handle it in the application code? Also, is there already a CA on the cluster that I can use to sign certificates for .svc.cluster.local?
To clarify, I know I can use an Ingress for this purpose. The only problem is keeping this service internal only, so that only services inside the cluster will be able to access it.
Thanks, Omer
One important aspect of Kubernetes security is using TLS to encrypt traffic inside the cluster, not only at the edge: a ClusterIP Service carries plaintext by default, and anything that can reach the network path between the pods can read it. Mutual TLS (mTLS), in which the client also presents a certificate that the server verifies against a CA it trusts, goes a step further and ensures that only authenticated workloads can talk to the service at all. That addresses the "internal only" requirement in a way that network reachability alone does not: a caller without a valid client certificate is rejected during the handshake, whatever network position it has.
At a minimum, export the YAML of the Secret that holds your key and certificate and keep it in a private repository, encrypted and backed up off-site. A Secret's data is only base64-encoded, not encrypted, so it must never be committed in the clear. If you assemble the manifest by hand, paste each base64 value into the appropriate entry of the data section as one line, and make sure your text editor does not wrap long lines: a value broken across lines will not decode, and the Secret will be rejected or unusable.
How to secure applications running on Kubernetes (SSL/TLS certificates)? You can secure an application running on Kubernetes by creating a Secret of type kubernetes.io/tls that contains a TLS (Transport Layer Security) private key and certificate, and referencing it from the resource that terminates TLS. Currently, Ingress supports a single TLS port, 443, and assumes TLS termination: the ingress controller decrypts the traffic, and the hop from the controller to the backend pod is plaintext unless the backend is itself configured to serve TLS. An Ingress is also an edge component, which is exactly what the question wants to avoid; for a service that must stay in-cluster, the backend pod has to terminate TLS itself (in the application or in a sidecar) using a certificate whose subject alternative name is the service's cluster DNS name.
In general, it is recommended to put a Service in front of a Deployment that manages pods in Kubernetes. The Service provides a stable DNS name and IP address for pods that may be deleted and come back with a different IP address when recreated; that stable DNS name is also the name a serving certificate has to be issued for.
Use Transport Layer Security (TLS) for all API traffic. Kubernetes expects that all API communication in the cluster is encrypted by default with TLS, and the majority of installation methods will allow the necessary certificates to be created and distributed to the cluster components. Note that this is the control plane's own PKI: it exists to secure traffic to the API server and between cluster components, and it is not, by itself, a facility for issuing serving certificates to your workloads.
This means that when you add a TLS certificate to the Ingress resource as a Kubernetes Secret, the ingress controller reads that Secret and makes it part of its own configuration. In the NGINX ingress controller, for example, the certificates are handled dynamically by the corresponding server block in nginx.conf rather than by restarting the proxy. [Diagram: high-level ingress TLS workflow, from Secret to controller to terminated connection.]
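The pieces above (a private CA, a serving certificate whose SAN is the service's cluster DNS name, the kubernetes.io/tls Secret, and an mTLS handshake that refuses unauthenticated callers) are shown together in the following Go program. It is an added example written for this page, not code from the question, the Kubernetes project or any ingress controller. The names payments.finance.svc.cluster.local, orders.finance, cluster-internal-ca and payments-tls are assumed for illustration; on a real cluster the CA step is done by whatever signs your certificates, while the SAN rule, the Secret layout and the server-side ClientAuth setting are unchanged.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ServiceDNS is the in-cluster name callers use. Service "payments" in
// namespace "finance" is an assumed example, not a name from the question.
const ServiceDNS = "payments.finance.svc.cluster.local"

// Identity is a certificate and key, parsed (for signing and for tls.Config)
// and as PEM (for the Secret). CAPEM is the issuing CA's certificate.
type Identity struct {
	Cert                   *x509.Certificate
	Key                    *ecdsa.PrivateKey
	CertPEM, KeyPEM, CAPEM []byte
}

// newCert generates a P-256 key and a certificate with the given SANs and
// extended key usages, signed by issuer, or self-signed as a CA when nil.
func newCert(cn string, serial int64, dns []string, eku []x509.ExtKeyUsage, issuer *Identity) (*Identity, error) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns, // clients match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signer, caPEM := t, key, []byte(nil) // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer, caPEM = issuer.Cert, issuer.Key, issuer.CertPEM
	} else { // root CA: may sign, and carries no EKU so it can issue server and client certs
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	kb, _ := x509.MarshalECPrivateKey(key) // cannot fail for the key generated above
	return &Identity{Cert: cert, Key: key, CAPEM: caPEM,
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kb})}, nil
}

// MakePKI builds a private cluster CA, a serving identity whose SAN is
// ServiceDNS, and a client identity for a calling workload ("orders.finance", assumed).
func MakePKI() (server, client *Identity, err error) {
	root, err := newCert("cluster-internal-ca", 1, nil, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	if server, err = newCert(ServiceDNS, 2, []string{ServiceDNS}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, root); err != nil {
		return nil, nil, err
	}
	client, err = newCert("orders.finance", 3, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, root)
	return server, client, err
}

// TLSSecretYAML renders what `kubectl create secret tls` would produce: type
// kubernetes.io/tls, with tls.crt and tls.key base64-encoded on one line each.
func TLSSecretYAML(name, ns string, id *Identity) string {
	enc := base64.StdEncoding.EncodeToString
	return fmt.Sprintf("apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n"+
		"type: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n", name, ns, enc(id.CertPEM), enc(id.KeyPEM))
}

// Handshake runs an in-process mTLS handshake over loopback TCP. It returns nil
// only when the client accepts the server as dnsName AND the server accepts the
// client's certificate; presentClientCert=false shows the server refusing.
func Handshake(server, client *Identity, dnsName string, presentClientCert bool) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(server.CAPEM)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.Cert.Raw}, PrivateKey: server.Key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // require AND verify the client: this is mTLS
		ClientCAs:    pool,
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: dnsName}
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{client.Cert.Raw}, PrivateKey: client.Key}}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err // client refused the server, e.g. the SAN does not cover dnsName
	}
	defer conn.Close()
	return <-srvErr // the server's verdict on the client certificate
}
```

Three things are worth noticing when running it. A serving certificate issued for payments.finance.svc.cluster.local is rejected by a client that dials payments.default.svc.cluster.local, so the SAN must be the exact name other pods resolve. A client that trusts the CA but presents no certificate completes its own side of a TLS 1.3 handshake, and is then refused by the server; the refusal is only visible on the server side, which is why the function waits for the server's result rather than trusting a successful Dial. The Secret manifest has each PEM blob as a single base64 line, which is the format a hand-edited YAML must preserve.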
I just found that the Kubernetes API can be used to generate a certificate that will be trusted by all the pods running on the cluster. This option might be simpler than the alternatives. You can find the documentation here, including the full flow of generating a certificate and using it.