Kubernetes API proxy for HTTPS endpoints

9/23/2017

Kubernetes surfaces an API proxy, which allows querying the internal services via, e.g., https://myhost.com/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/

This is all well and good. However, for security & compliance reasons, all of our services expose an HTTPS endpoint. Attempting to access them by going to https://myhost/api/v1/proxy/namespaces/default/services/myhttpsservice:3000/ results in

 Error: 'read tcp 172.20.122.129:48830->100.96.29.113:3000: read: connection reset by peer' 
Trying to reach: 'http://100.96.29.113:3000/'

Because the endpoint, 100.96.29.113:3000, is in fact HTTPS.

Is there any way to configure the proxy to apply SSL to specific service endpoints?

(Edit: If this is not currently possible, a relevant GitHub issue link for tracking the feature request is also an acceptable answer until it is.)

-- Silver Dragon
kubernetes
kubernetes-security

1 Answer

9/24/2017

As documented at https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#manually-constructing-apiserver-proxy-urls (and pointed out on Slack), you can access services behind HTTPS by prefixing the service name with "https:".

Using the example from above, correctly it would be: https://myhost/api/v1/proxy/namespaces/default/services/https:myhttpsservice:3000/

-- Silver Dragon
Source: StackOverflow
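
The "[https:]service_name[:port]" segment from the answer, as an added Go example that is not part of the original post and is not Kubernetes' own code. It parses the segment and reports which protocol the proxy would use toward the backend; ServiceRef, ParseServiceRef, BackendScheme and ProxyURL are hypothetical names, and the three-way split rule is this example's reading of the documented format.

```go
package main

import (
	"fmt"
	"strings"
)

// ServiceRef is the "[scheme:]name[:port]" path segment after /services/.
type ServiceRef struct{ Scheme, Name, Port string }

// ParseServiceRef: one part is name, two are name:port, three are
// scheme:name:port. So "https:svc" reads as name "https", port "svc";
// the scheme form needs both colons ("https:svc:" or "https:svc:3000").
func ParseServiceRef(seg string) (ServiceRef, error) {
	var r ServiceRef
	switch p := strings.Split(seg, ":"); len(p) {
	case 1:
		r.Name = p[0]
	case 2:
		r.Name, r.Port = p[0], p[1]
	case 3:
		r.Scheme, r.Name, r.Port = p[0], p[1], p[2]
	default:
		return r, fmt.Errorf("too many ':' in %q", seg)
	}
	if r.Name == "" || (r.Scheme != "" && r.Scheme != "http" && r.Scheme != "https") {
		return ServiceRef{}, fmt.Errorf("invalid service segment %q", seg)
	}
	return r, nil
}

// BackendScheme is the protocol used toward the service; no prefix means HTTP.
func (r ServiceRef) BackendScheme() string {
	if r.Scheme == "" {
		return "http"
	}
	return r.Scheme
}

// ProxyURL uses the /api/v1/proxy/namespaces/... layout shown on this page.
func ProxyURL(host, ns, seg string) string {
	return "https://" + host + "/api/v1/proxy/namespaces/" + ns + "/services/" + seg + "/"
}

func main() {
	for _, seg := range []string{"myhttpsservice:3000", "https:myhttpsservice:3000"} {
		r, _ := ParseServiceRef(seg)
		fmt.Println(r.BackendScheme(), ProxyURL("myhost", "default", seg))
	}
}
```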