Encrypt Traffic in EKS

3/29/2019

I'm setting up an EKS cluster on AWS and I want to secure all the data in flight in the Kubernetes cluster (and also between EKS and external systems, but that's out of scope here).

In Kubernetes, different protocols are in use between the different pods, mainly REST/HTTP, but also communication between microservice pods and a Kafka broker, JDBC between microservice pods and database pods (Zalando Postgres), between a filebeat pod and elasticsearch, ...

I see several options but I don't like any of them.

  • Encrypt every communication individually --> too much work. operational nightmare
  • Istio or LinkerD --> Works only for Http and gRPC, not for KafkaCommunication. Heavy ControlPlane.
  • a CNI like WeaveNet --> no support for SecurityGroups, FlowLogs, ACLs

Are there better alternatives? Would you recommend any of these options?

-- christian
amazon-web-services
cni
eks
istio
kubernetes

1 Answer

3/29/2019

One possible solution could be using an nginx sidecar reverse proxy on all your pods to capture all outbound traffic in conjunction with nginx's proxy_protocol directive to operate with ELBs and other load balancers.

You can accomplish this by modifying the iptables (or whatever SDN/pattern you choose to use in your setup) to force all outbound traffic into the reverse proxy instead of sending it out to the internet. You then use directives within proxy_protocol to force all upstream TCP connections to use SSL using a certificate defined by the reverse proxy for encryption.

This should work for the protocols you defined since they're all based on TCP.

-- asdf
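An nginx stream-module sidecar configuration of the kind the answer describes, as an added example that is not part of the answer or the question. It assumes the service names, ports and certificate paths shown; the upstream TLS hop is enabled with nginx's `proxy_ssl` directives, and `proxy_protocol` is used only for the load-balancer upstream.

```nginx
# Added example, not from the answer: an nginx stream-module sidecar that
# TLS-wraps plain TCP leaving the pod. All service names, ports and file
# paths are assumptions.
worker_processes 1;
events { worker_connections 1024; }

stream {
    # Shared upstream-TLS settings: verify the server, present a client cert (mTLS).
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
    proxy_ssl_verify on;                                   # fail closed on an untrusted cert
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/sidecar/ca.crt;     # cluster CA bundle (assumed path)
    proxy_ssl_certificate /etc/sidecar/tls.crt;            # this pod's client certificate
    proxy_ssl_certificate_key /etc/sidecar/tls.key;
    proxy_ssl_server_name on;                              # send SNI so the upstream picks its cert

    # Kafka: the app keeps talking plaintext to 127.0.0.1:9092 (an iptables REDIRECT
    # in the pod's OUTPUT chain sends the broker port here); the sidecar opens TLS to
    # the broker's dedicated SSL listener.
    server {
        listen 127.0.0.1:9092;
        proxy_pass kafka.messaging.svc.cluster.local:9093;
        proxy_ssl on;
        proxy_ssl_name kafka.messaging.svc.cluster.local;  # hostname checked against the cert
    }

    # Elasticsearch (filebeat -> HTTPS listener), same pattern.
    server {
        listen 127.0.0.1:9200;
        proxy_pass elasticsearch.logging.svc.cluster.local:9200;
        proxy_ssl on;
        proxy_ssl_name elasticsearch.logging.svc.cluster.local;
    }

    # Traffic leaving through an ELB/NLB that is configured for the PROXY protocol:
    # proxy_protocol prepends the original client address, so the load balancer's
    # logs and access rules still see the pod rather than the sidecar.
    server {
        listen 127.0.0.1:8443;
        proxy_pass external-api-lb.example.internal:443;   # placeholder upstream
        proxy_ssl on;
        proxy_ssl_name external-api-lb.example.internal;
        proxy_protocol on;   # only when the upstream expects the PROXY header
    }
}
```

This only works where the upstream accepts a TLS handshake directly on the socket (Kafka's SSL listener, Elasticsearch over HTTPS); a stock Postgres listener negotiates TLS in-band with its own SSLRequest startup message, so a raw TLS wrapper in front of it needs a TLS-terminating proxy on the database side as well.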
Source: StackOverflow