Limit SSL protocols to be used by Google HTTP(S) LoadBalancer with Kubernetes Ingress in GKE

10/27/2021

We are using Kubernetes v1.19.13 hosted on Google Kubernetes Engine. We want to configure an Ingress controller so that the Google HTTP(S) LoadBalancer is configured to allow only TLS 1.2 and 1.3 and these features/ciphers:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

We would prefer to do this using annotations but most examples we have found uses a ConfigMap or FrontendConfig.

Is this possible to configure this using annotations? If not, what is the recommended way of achieving this?

Note that we want to configure this using Kubernetes and not using the Google Cloud Console.

-- David Göransson
google-cloud-load-balancer
google-cloud-platform
google-kubernetes-engine
kubernetes
kubernetes-ingress

2 Answers

10/27/2021
  1. To configure an Ingress controller to allow only TLS 1.2 and 1.3, you can use ngnix.ingress.kubernetes.io/proxy-ssl-protocols annotation. nginx.ingress.kubernetes.io/proxy-ssl-protocols: Enables the specified protocols for requests to a proxied HTTPS server.
    **For Example:** 
    annotations"nginx.ingress.kubernetes.io/proxy-ssl-protocols" = "TLSv1.2 TLSv1.3"
  2. To configure an Ingress controller to ciphers, you can use ngnix.ingress.kubernetes.io/proxy-ssl-ciphers annotation. nginx.ingress.kubernetes.io/proxy-ssl-ciphers: Specifies the enabled ciphers for requests to a proxied HTTPS server. The ciphers are specified in the format understood by the OpenSSL library.

Using ssl_ciphers annotation will set the ssl_ciphers directive at the server level. This configuration is active for all the paths in the host.

For Example Cipher :

nginx.ingress.kubernetes.io/ssl-ciphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

Refer SSL-ciphers for more information.

-- Tatikonda vamsikrishna
Source: StackOverflow

10/31/2021

You won't be able to do this using annotations. You cannot currently create an SSL Policy via annotations. SSL Policies need to be created via gcloud CLI or via the GCP API.

You'll then need to create a FrontendConfig resource which references the policy and then attach it to your ingress resource:

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: FRONTENDCONFIG_NAME
spec:
  sslPolicy: allowed-ciphers

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    networking.gke.io/v1beta1.FrontendConfig: "FRONTENDCONFIG_NAME"
...

The good news is that you can (re)use the SSL Policy and/or FrontendConfig.

If you want to do everything via the k8s API, you can try using Config Connector and create ComputeSSLPolicy resource.

-- Gari Singh
Source: StackOverflow