How to fulfill AKS advisor recommendation "Kubernetes clusters should be accessible only over HTTPS"

9/30/2021

Given following AKS advisor recommendation "Kubernetes clusters should be accessible only over HTTPS" with following remediation steps:

  1. Disable HTTP by including the kubernetes.io/ingress.allow-http annotation in your ingress manifest. Set the value of the annotation to "false".
  2. Add the Transport Layer Security (TLS) configuration to your ingress manifest. After making your changes, redeploy the updated ingress object.

I added the annotation kubernetes.io/ingress.allow-http: "false" to my ingress resource. TLS configuration is IMHO fulfilled too, this results in following ingress manifest:

kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: nginx
    meta.helm.sh/release-name: my-release-name
    meta.helm.sh/release-namespace: my-namespace
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/rewrite-target: /$1
  creationTimestamp: "2021-09-28T12:37:21Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: my-service
  namespace: my-namespace
  resourceVersion: "xxx"
  uid: xxx
spec:
  rules:
  - host: my-service.my-domain.com
    http:
      paths:
      - backend:
          service:
            name: my-service
            port:
              number: 443
        path: /(.*)
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - my-service.my-domain.com
    secretName: my-ingress-tls
status:
  loadBalancer:
    ingress:
    - ip: 10.xxx.xxx.xxx

... but the resource is still being listed for this recommendation. What do I miss here, what should I change in order to fulfill this recommendation?

-- sl3dg3
azure-advisor
azure-aks
kubernetes
security

1 Answer

3/6/2022

Kindly use below annotations in Ingress resource to resolve this alert

kubernetes.io/ingress.allow-http: "false"    
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"   
-- Sudhanshu Shukla
Source: StackOverflow