Kubernetes Ingress TLS

Securing external connections to Kubernetes services

Definitions

An Ingress is a Kubernetes resource that describes how an HTTP(S) reverse proxy should route traffic from outside the cluster (other internal infrastructure or the internet) to Services inside it. The Ingress object itself is only configuration: nothing is proxied until an Ingress Controller (defined below) implements it.

To terminate TLS at that proxy, you reference a Secret of type kubernetes.io/tls (a TLS Secret, holding a PEM certificate chain under tls.crt and the matching private key under tls.key) in the Ingress's spec.tls section. The Secret must live in the same namespace as the Ingress, and the hosts listed in spec.tls should match names in the certificate's Subject Alternative Names, or the controller will not serve it for those hosts (see the official Kubernetes docs for more).
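As an added example (written for this page; it is not from the original text or the Kubernetes docs), here is the wiring the definition above describes: a kubernetes.io/tls Secret and an Ingress whose spec.tls entry points at it. The namespace, hostname, Secret and Service names and the ingressClassName are assumptions; the tls.crt and tls.key values are placeholders standing in for base64-encoded PEM.

```yaml
# Added example: a TLS Secret and the Ingress that uses it.
# Names, the host and the ingress class are assumptions, not values from the page.
apiVersion: v1
kind: Secret
metadata:
  name: app-example-com-tls      # referenced below by spec.tls[].secretName
  namespace: default             # must be the same namespace as the Ingress
type: kubernetes.io/tls          # the Secret type an Ingress expects for TLS
data:
  # base64 of the PEM-encoded leaf certificate (followed by any intermediates)
  # and of the private key. The same object can be produced from files with:
  #   kubectl create secret tls app-example-com-tls --cert=tls.crt --key=tls.key
  tls.crt: LS0tLS1CRUdJTi...     # placeholder, not a real certificate
  tls.key: LS0tLS1CRUdJTi...     # placeholder, not a real key
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: default
spec:
  ingressClassName: nginx        # assumption: an ingress-nginx controller is installed
  tls:
  - hosts:
    - app.example.com            # must appear in the certificate's SANs
    secretName: app-example-com-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app            # assumption: a Service named "app" listening on 8080
            port:
              number: 8080
```

Two quick checks after applying this: `kubectl get secret app-example-com-tls -o jsonpath='{.type}'` should print kubernetes.io/tls, and `openssl s_client -connect <ingress-ip>:443 -servername app.example.com` should show the chain from tls.crt. If ingress-nginx instead presents a certificate named "Kubernetes Ingress Controller Fake Certificate", it could not find or use the Secret (wrong namespace, wrong type, or a host that does not match the certificate).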

An Admission Controller is code that runs inside the Kubernetes API server and intercepts requests after they have been authenticated and authorized but before the object is persisted. Admission controllers can validate or mutate requests that create, update or delete objects or connect to a proxy; they do not apply to reads. For example, the ingress-nginx project ships a validating admission webhook that checks a new or changed Ingress resource (including rendering the resulting NGINX configuration) and rejects it if it would be invalid. It validates; it does not reconfigure the proxy, which is the Ingress Controller's job.

An Ingress Controller is not an admission controller. It is a controller running in the cluster that watches the API server for Ingress resources being created, updated, or deleted and translates them into the configuration of the proxy it manages (NGINX, HAProxy, Envoy, a cloud load balancer, and so on). Without an Ingress Controller, an Ingress resource has no effect.

Our Recommendation

When connecting anything outside Kubernetes to services inside it, we recommend securing your Ingress resources with certificates issued by Smallstep Certificate Manager, using step-issuer together with Kubernetes' cert-manager so that issuance and renewal are automated rather than done by hand-creating TLS Secrets. You can find the detailed instructions here.
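As an added illustration of what that combination looks like (written for this page, not Smallstep's own manifests or the instructions linked above), here is a step-issuer StepIssuer resource pointing at a Certificate Manager authority, and a cert-manager Certificate issued through it that is written into the Secret an Ingress's spec.tls references. The CA URL, provisioner name and key ID, Secret names, hostname and namespace are assumptions; the password and caBundle values are placeholders.

```yaml
# Added example: automated issuance into the Ingress TLS Secret.
# All names, the CA URL and the provisioner details are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: step-issuer-provisioner-password
  namespace: default
stringData:
  password: "<JWK provisioner password>"   # placeholder
---
apiVersion: certmanager.step.sm/v1beta1
kind: StepIssuer
metadata:
  name: step-issuer
  namespace: default
spec:
  url: https://ca.example.com              # assumption: your Certificate Manager authority
  caBundle: LS0tLS1CRUdJTi...              # base64 PEM of the authority's root, placeholder
  provisioner:
    name: admin                            # a JWK provisioner on that authority (assumed name)
    kid: <provisioner key id>              # placeholder; see `step ca provisioner list`
    passwordRef:
      name: step-issuer-provisioner-password
      key: password
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-example-com
  namespace: default
spec:
  secretName: app-example-com-tls          # the kubernetes.io/tls Secret the Ingress points at
  dnsNames:
  - app.example.com
  duration: 24h                            # short lifetime; cert-manager renews it automatically
  renewBefore: 8h
  issuerRef:
    group: certmanager.step.sm
    kind: StepIssuer
    name: step-issuer
```

Once applied, `kubectl get certificate app-example-com` should report READY True and the named Secret should exist with type kubernetes.io/tls; if it stays False, `kubectl describe certificaterequest` in the same namespace shows whether the StepIssuer could reach the CA and authenticate with the provisioner. An Ingress then needs nothing more than spec.tls[].secretName set to app-example-com-tls, and the Secret is replaced on every renewal with no change to the Ingress.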

Extra Credit: I want Mutual TLS

We often talk with users who want to enable mutual TLS authentication (mTLS) for these connections. Server certificates on the Ingress alone do not give you that. To add mutual TLS, you also need to issue certificates to the clients connecting into your Kubernetes cluster, and you need to configure the Ingress Controller to request a client certificate on each connection, verify it against the CA you trust, and reject connections that do not present a valid one. These clients could be humans, applications using an API, external services, or any other workload that needs to interact with the cluster.
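As an added example (written for this page, not the page's or Smallstep's own configuration), here is how the client-verification half is expressed with the ingress-nginx controller: a Secret holding the CA that signs client certificates, and the annotations that make the controller demand a certificate chaining to it. Other controllers expose the same idea through their own configuration. The Secret, Ingress and Service names, the namespace and the hostname are assumptions; the ca.crt value is a placeholder.

```yaml
# Added example: mutual TLS on an ingress-nginx Ingress.
# Names, namespace and host are assumptions, not values from the page.
apiVersion: v1
kind: Secret
metadata:
  name: client-ca
  namespace: default
type: Opaque
data:
  ca.crt: LS0tLS1CRUdJTi...      # base64 PEM of the CA that issues client certificates (placeholder)
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: default
  annotations:
    # Verify client certificates against the CA in this Secret ("namespace/name").
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/client-ca"
    # "on" rejects connections without a valid client certificate;
    # "optional" accepts them and leaves the decision to the backend.
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Maximum number of intermediates between the client certificate and the CA.
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Forward the verified certificate to the backend so it can authorize the caller.
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  ingressClassName: nginx         # assumption: an ingress-nginx controller is installed
  tls:
  - hosts:
    - app.example.com
    secretName: app-example-com-tls   # the server certificate's kubernetes.io/tls Secret (assumed name)
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app               # assumption: a Service named "app" on port 8080
            port:
              number: 8080
```

To exercise it, issue a client certificate from the same CA (with the step CLI, for example `step ca certificate alice alice.crt alice.key`) and compare `curl --cert alice.crt --key alice.key https://app.example.com/` with a plain `curl https://app.example.com/`: the second should be refused by NGINX with a 400 "No required SSL certificate was sent" rather than reaching the backend. Verifying against the CA only proves the caller holds a certificate the CA issued; which identities may call which paths is still an authorization decision for the backend, which is why the certificate is passed upstream.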

The Smallstep toolchain is designed to reach everything in your system. We can automate the issuance and renewal of certificates to secure all your mutual TLS connections, connect users to single sign-on, or unlock the power of internal ACME for automation. Have questions? We are here to help. Just reach out and ask.