
Ingress TLS

The document provides a step-by-step guide for implementing TLS termination for a Kubernetes Service called accounts-svc using Ingress. It includes instructions for generating self-signed certificates, creating a Secret to store them, and configuring an Ingress resource to secure communications. The guide emphasizes the importance of securing the Service against potential attacks due to unencrypted HTTP communications.

Uploaded by

akdeniz.erdem
Add TLS to a Kubernetes Service with Ingress

Introduction
Your company, SecuriCorp, is using Kubernetes to run a variety of applications. Recently,
hackers have been trying various techniques to break into the Kubernetes cluster and steal
data.

Your developers have built a Service called accounts-svc that provides user account data,
but the Service itself uses an unencrypted HTTP protocol. This makes communications with
that service vulnerable to various forms of attack.

Use an Ingress to implement TLS termination for the Service.

Note: The cluster does not have any Ingress controllers set up. However, for now, all you
need to do is implement the Ingress configuration.

Solution
Log in to the control plane node server using the credentials provided:

ssh cloud_user@<PUBLIC_IP_ADDRESS>

Generate Self-Signed Certificates for the Service and Store Them in a Secret

1. List the Services in the accounts namespace:

kubectl get service -n accounts

2. Create a self-signed certificate and key for the accounts-svc Service:

openssl req -nodes -new -x509 -keyout accounts.key -out accounts.crt -subj "/CN=accounts.svc"

3. Create a Secret file to store the certificate and key:

vi accounts-tls-certs-secret.yml

4. Paste in the following YAML:

apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: accounts-tls-certs
  namespace: accounts
data:
  tls.crt: |
    <base64-encoded cert data from accounts.crt>
  tls.key: |
    <base64-encoded key data from accounts.key>

5. To save and exit the file, press Escape and enter :wq.
6. Get a Base64-encoded version of the certificate:

base64 accounts.crt

7. Copy the Base64-encoded string output.
8. Edit the manifest file:

vi accounts-tls-certs-secret.yml

9. Enter the command :set paste and i to enter insert mode.
10. Under tls.crt:, replace the placeholder text with the copied Base64-encoded string output.
11. Press Escape and enter :wq.
12. Get a Base64-encoded version of the key:

base64 accounts.key

13. Copy the Base64-encoded string output.
14. Edit the manifest file again:

vi accounts-tls-certs-secret.yml

15. Enter the command :set paste and i to enter insert mode.
16. Under tls.key:, replace the placeholder text with the copied Base64-encoded string output.
17. Press Escape and enter :wq.
18. Create the Secret:

kubectl create -f accounts-tls-certs-secret.yml
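
The manual Base64 copy-and-paste steps above can be scripted and checked before the Secret is created. The following shell functions are an added example, not part of the original guide: the function names are hypothetical, and accounts.crt and accounts.key are assumed to be the files produced by the openssl step.

```shell
# Added example (not from the original guide). Function names are hypothetical;
# accounts.crt / accounts.key are assumed to come from the openssl step above.

# Render the Secret manifest with each base64 value on a single line.
render_tls_secret() (   # usage: render_tls_secret CERT KEY > manifest.yml
  crt=$(base64 < "$1" | tr -d '\n')
  key=$(base64 < "$2" | tr -d '\n')
  [ -n "$crt" ] && [ -n "$key" ] || exit 1   # missing or empty input file
  cat <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: accounts-tls-certs
  namespace: accounts
data:
  tls.crt: $crt
  tls.key: $key
EOF
)

# Decode one data field (tls.crt or tls.key) back out of a rendered manifest.
secret_field() {        # usage: secret_field MANIFEST FIELD
  awk -v f="$2:" '$1 == f { print $2 }' "$1" | base64 -d
}

# Round-trip check: the manifest must decode to exactly the files on disk,
# which catches truncated or mis-pasted base64.
verify_tls_secret() {   # usage: verify_tls_secret MANIFEST CERT KEY
  [ "$(secret_field "$1" tls.crt | cksum)" = "$(cksum < "$2")" ] ||
    { echo "tls.crt does not match $2" >&2; return 1; }
  [ "$(secret_field "$1" tls.key | cksum)" = "$(cksum < "$3")" ] ||
    { echo "tls.key does not match $3" >&2; return 1; }
}

# The certificate and private key must be a pair: compare their public keys.
cert_matches_key() (    # usage: cert_matches_key CERT KEY
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
)
```

Run render_tls_secret accounts.crt accounts.key > accounts-tls-certs-secret.yml, then verify_tls_secret and cert_matches_key, before kubectl create. The command kubectl create secret tls accounts-tls-certs --cert=accounts.crt --key=accounts.key -n accounts produces the same type of Secret directly.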

Create an Ingress on Top of the Service That Configures TLS Termination

1. Create a YAML manifest for the Ingress:

vi accounts-tls-ingress.yml

2. Paste in the following YAML:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: accounts-tls
  namespace: accounts
spec:
  tls:
  - hosts:
    - accounts.svc
    secretName: accounts-tls-certs
  rules:
  - host: accounts.svc
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: accounts-svc
            port:
              number: 80

3. Press Escape and enter :wq.
4. Create the Ingress:

kubectl create -f accounts-tls-ingress.yml

5. Verify that the Ingress is appropriately mapping to the backend:

kubectl describe ingress accounts-tls -n accounts

cloud_user@k8s-control:~$ history
    1  kubectl get service -n accounts
    2  openssl req -nodes -new -x509 -keyout accounts.key -out accounts.crt -subj "/CN=accounts.svc"
    3  base64 accounts.crt
    4  base64 accounts.key
    5  vi secret.yml
    6  kubectl create -f secret.yml
    7  vi secret2.yml
    8  kubectl create -f secret2.yml
    9  vi ingress.yml
   10  kubectl create -f ingress.yml
   11  kubectl get ingress -n accounts
   12  history
