Kubernetes Ingress TLS
Securing external connections to Kubernetes services
Definitions
An Ingress is a Kubernetes resource that lets you define a reverse proxy that exposes services in your cluster to anything outside the cluster, including internal infrastructure or the internet.
To enable this type of connection, you can specify a kubernetes.io/tls Secret (aka a TLS Secret) for your Ingress to use for TLS (see the official Kubernetes docs for more).
An Admission Controller intercepts requests to the Kubernetes API server and is used to limit requests that create, delete, or modify objects or connect to a proxy. For example, the Nginx Admission Controller will reconfigure Nginx for you.
An Ingress Controller is a type of Admission Controller that gets called when an Ingress resource is created, updated, or deleted, and manages the proxy.
Our Recommendation
When connecting anything outside Kubernetes to services inside Kubernetes, we recommend securing your Ingress resources by using Smallstep Certificate Manager in combination with step-issuer and Kubernetes’ cert-manager utility. You can find the detailed instructions here.
Extra Credit: I want Mutual TLS
We often talk with users who want to enable mutual TLS authentication (mTLS) for these connections. To add mutual TLS, in addition to issuing server certificates for your Ingress Controllers, you need to issue certificates to the clients connecting into your Kubernetes cluster. These clients could be humans, applications using an API, external services, or any other workload that needs to interact with the cluster.
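As an added example that is not part of this page, one Ingress manifest that covers both the kubernetes.io/tls Secret described under Definitions and the mutual TLS extension above. It assumes cert-manager and step-issuer are installed, a StepIssuer named step-issuer exists in the namespace demo, the Ingress Controller is ingress-nginx, and the client CA bundle is stored under the key ca.crt in a Secret named client-ca; the host and backend service names are placeholders.

```yaml
# Added example, not from the Smallstep page. Assumed names: namespace "demo",
# StepIssuer "step-issuer", client-CA Secret "client-ca", backend Service "api".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  namespace: demo
  annotations:
    # cert-manager's ingress-shim reads these annotations, requests a server
    # certificate from the named issuer (here step-issuer, which gets it from
    # your Smallstep CA) and stores it in spec.tls[].secretName as a
    # kubernetes.io/tls Secret holding tls.crt and tls.key. It also renews it.
    cert-manager.io/issuer: step-issuer
    cert-manager.io/issuer-kind: StepIssuer
    cert-manager.io/issuer-group: certmanager.step.sm
    # Mutual TLS (ingress-nginx specific): require a client certificate and
    # verify it against the CA bundle under key "ca.crt" in Secret demo/client-ca.
    # With verify-client "on", connections without a valid client cert are rejected.
    nginx.ingress.kubernetes.io/auth-tls-secret: demo/client-ca
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - api.example.com
      # Created and kept current by cert-manager; do not hand-manage this Secret.
      secretName: api-example-com-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8080
```

The client certificates presented to this Ingress can be issued by the same Smallstep CA; only the CA bundle used to sign them needs to be in the client-ca Secret.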
The Smallstep toolchain is designed to provide reach to all the things in your system. We can automate the issuance and renewal of certificates to secure all your mutual TLS connections. We make it easy to connect users to single sign-on, or unlock the power of internal ACME for automation. Have Questions? We are here to help. Just reach out and ask.