Profile applicability: Level 2
Encrypt traffic to HTTPS load balancers using Google-managed SSL certificates.
Encrypting traffic between users and the Kubernetes workload is fundamental to protecting
data sent over the web.
Google-managed SSL Certificates are provisioned, renewed, and managed for domain names.
This is only available for HTTPS load balancers created using Ingress resources, and
not TCP/UDP load balancers created using services of type:LoadBalancer.

Note: By default, Google-managed SSL Certificates are not created when an Ingress resource
is defined.
Impact
Google-managed SSL Certificates are less flexible than certificates that are self-obtained
and self-managed. Managed certificates support a single, non-wildcard domain.
Self-managed certificates can support wildcards and multiple subject alternative names
(SANs).
Audit
Using Command Line:
Identify whether any workloads are exposed publicly using services of type:LoadBalancer:
kubectl get svc -A -o json | jq '.items[] | select(.spec.type=="LoadBalancer")'
Consider using Ingresses instead of these services in order to use Google-managed
SSL certificates.
For the ingresses within the cluster, run the following command:
kubectl get ingress -A -o json | jq '.items[]' | jq '{name: .metadata.name, annotations: .metadata.annotations, namespace: .metadata.namespace, status: .status}'
The above command should return the name of the ingress, namespace, annotations and
status. Check that the following annotation is present to ensure managed certificates
are referenced.
"annotations": { ... "networking.gke.io/managed-certificates": "<example_certificate>" },
For completeness, run the following command to ensure that the managed certificate
resource exists:
kubectl get managedcertificates -A
The above command returns a list of managed certificates; <example_certificate>
should exist within the same namespace as the ingress.
Remediation
If services of type:LoadBalancer are discovered, consider replacing the service with an
Ingress. To configure the Ingress and use Google-managed SSL certificates, follow these
instructions.
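The three audit steps above combined into one offline check, as an added example that is not part of the benchmark: it takes the parsed JSON output of the kubectl commands and reports type:LoadBalancer services, Ingresses without the managed-certificates annotation, and annotations that reference a ManagedCertificate missing from the Ingress's own namespace. The sample objects are constructed, and the comma-separated annotation value format is an assumption.

```python
import json
import sys

ANNOTATION = "networking.gke.io/managed-certificates"

def audit(services, ingresses, managed_certs):
    """Return (kind, namespace, name, problem) findings from the parsed JSON of
    `kubectl get svc/ingress/managedcertificates -A -o json`."""
    findings = []
    for svc in services.get("items", []):
        if svc["spec"].get("type") == "LoadBalancer":
            meta = svc["metadata"]
            findings.append(("Service", meta["namespace"], meta["name"],
                             "type:LoadBalancer cannot use Google-managed certificates"))
    # ManagedCertificate is namespaced: the Ingress must reference one in its own namespace.
    existing = {(mc["metadata"]["namespace"], mc["metadata"]["name"])
                for mc in managed_certs.get("items", [])}
    for ing in ingresses.get("items", []):
        meta = ing["metadata"]
        ns, name = meta["namespace"], meta["name"]
        # Assumption: the annotation value is a comma-separated list of certificate names.
        value = (meta.get("annotations") or {}).get(ANNOTATION, "")
        certs = [c.strip() for c in value.split(",") if c.strip()]
        if not certs:
            findings.append(("Ingress", ns, name, "no managed-certificates annotation"))
        for cert in certs:
            if (ns, cert) not in existing:
                findings.append(("Ingress", ns, name,
                                 f"ManagedCertificate {cert} not found in namespace {ns}"))
    return findings

# Constructed sample data standing in for real kubectl output.
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "shop", "name": "legacy-lb"}, "spec": {"type": "LoadBalancer"}},
    {"metadata": {"namespace": "shop", "name": "web"}, "spec": {"type": "ClusterIP"}}]}
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "shop", "name": "web-ing", "annotations": {ANNOTATION: "shop-cert"}}},
    {"metadata": {"namespace": "shop", "name": "admin-ing"}},
    {"metadata": {"namespace": "blog", "name": "blog-ing", "annotations": {ANNOTATION: "shop-cert"}}}]}
SAMPLE_CERTS = {"items": [{"metadata": {"namespace": "shop", "name": "shop-cert"}}]}

if __name__ == "__main__":
    # Usage: python audit.py svc.json ingress.json managedcerts.json (sample data otherwise)
    docs = ([json.load(open(p)) for p in sys.argv[1:]] if len(sys.argv) == 4
            else [SAMPLE_SERVICES, SAMPLE_INGRESSES, SAMPLE_CERTS])
    for kind, ns, name, problem in audit(*docs):
        print(f"{kind} {ns}/{name}: {problem}")
```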