Kubernetes service - Loadbalancer with HTTPS

Question

I am using Kubernetes with service as ClusterIP and placing ingress in front of the service to expose this to outside the Kubernetes cluster.

Running ingress with https and to make it https, I created the secret and using the same in ingress.

kubectl create secret tls test-secret --key key --cert cert

Using netscalar in our Kubernetes cluster and hence, I am able to use X-Forward-For, Session affinity, Load balancing algorithms along with ingress.

Now, trying to make the service type as LoadBalancer so that I don't have to have ingress. I know, service type loadbalancer provides L4-loadbalancer and hence there won't be session affinity feature in the load balancer. Since it is okay for few services, I am trying to use this.

I would like to make the service HTTPS and I came across:

https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#securing-the-service

Here, we create TLS secret and using the reference in the deployment section and not in the service section. I am not sure how it works. Also, when I use https://servicename.namespace.svc.XXXXX.com in the browser getting the cert error.

My application is running as https and it needs keystore and truststore in a property file like,

ssl.trustore=PATH_TO_THE_FILE
ssl.keystore=PATH_TO_THE_FILE

I am confused - how can I make the service type loadbalancer https?

score 16 · Answer 1 · answered Jun 14 '19 at 23:43

If you are using a cloud provider for example AWS you can enable TLS termination in a LoadBalancer Service like this:

apiVersion: v1
kind: Service
metadata:
  name: api
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  type: LoadBalancer
  selector:
    app: myApp
  ports:
    -  protocol: TCP
       port: 443
       targetPort: 8080

score 14 · Accepted Answer · answered Jun 20 '18 at 15:40

14

You answered yourself, but you didn't realize it.

As you well said, LoadBalancer type service creates a L4 load balancer. L4 load balancers are aware about source IP:port and destination IP:port, but they are not aware about anything on the application layer.

HTTP/HTTPS load balancers are on L7, therefor they are application aware.

So, basically you can't get a HTTPS load balancer from a Loadbalancer type service. You want it to be an ingress.

answered Jun 20 '18 at 15:40

suren

7,817
1
30
51

But, the document says we can. https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#securing-the-service – user1578872 Jun 20 '18 at 15:55
5

With that you are securing the traffic, and making the necessary setting (at server level) to serve on port 443, instead of 80. But that doesn't make a LB L7, as it still has no idea about application data, like path. Makes sense? – suren Jun 20 '18 at 16:48

Kubernetes service - Loadbalancer with HTTPS

2 Answers2

Linked