Profile applicability: Level 2
Encrypt traffic to HTTPS load balancers using Google-managed SSL certificates.
Encrypting traffic between users and the Kubernetes workload is fundamental to protecting data sent over the web. Google-managed SSL Certificates are provisioned, renewed, and managed for domain names. This is only available for HTTPS load balancers created using Ingress Resources, and not TCP/UDP load balancers created using Service of type:LoadBalancer.
Note
By default, Google-managed SSL Certificates are not created when an Ingress resource is defined.

Impact

Google-managed SSL Certificates are less flexible than certificates that are self-obtained and self-managed. Managed certificates support a single, non-wildcard domain. Self-managed certificates can support wildcards and multiple subject alternative names (SANs).

Audit

Using Command Line:
Identify if there are any workloads exposed publicly using Services of type:LoadBalancer:
kubectl get svc -A -o json | jq '.items[] | select(.spec.type=="LoadBalancer")'
Consider using Ingresses instead of these Services in order to use Google-managed SSL certificates.
For the Ingresses within the cluster, run the following command:
kubectl get ingress -A -o json | jq '.items[] | {name: .metadata.name, annotations: .metadata.annotations, namespace: .metadata.namespace, status: .status}'
The above command returns the name, namespace, annotations, and status of each Ingress. Check that the following annotation is present to ensure managed certificates are referenced:
"annotations": {
  ...
  "networking.gke.io/managed-certificates": "<example_certificate>"
},
For completeness, run the following command to ensure that the managed certificate resource exists:
kubectl get managedcertificates -A
The above command returns a list of managed certificates for which <example_certificate> should exist within the same namespace as the ingress.
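The two audit checks above can be combined into a single pass over the JSON that kubectl emits. The following is an added example, not part of the benchmark text; it runs on constructed sample data shaped like the output of `kubectl get ingress -A -o json` and `kubectl get managedcertificates -A -o json`, and it also handles the case where the annotation lists several certificates, comma-separated, each of which must exist in the Ingress's own namespace.

```python
import json

ANNOTATION = "networking.gke.io/managed-certificates"

# Constructed sample, shaped like `kubectl get ingress -A -o json` (not real cluster data).
INGRESSES = json.loads("""
{"items": [
  {"metadata": {"name": "shop", "namespace": "prod",
                "annotations": {"networking.gke.io/managed-certificates": "shop-cert"}}},
  {"metadata": {"name": "admin", "namespace": "prod",
                "annotations": {"networking.gke.io/managed-certificates": "admin-cert, api-cert"}}},
  {"metadata": {"name": "legacy", "namespace": "staging", "annotations": {}}}
]}
""")

# Constructed sample, shaped like `kubectl get managedcertificates -A -o json`.
MANAGED_CERTS = json.loads("""
{"items": [
  {"metadata": {"name": "shop-cert", "namespace": "prod"}},
  {"metadata": {"name": "admin-cert", "namespace": "prod"}},
  {"metadata": {"name": "api-cert", "namespace": "staging"}}
]}
""")


def audit_ingresses(ingresses, managed_certs):
    """Return one finding per Ingress that fails the check (empty list = all pass).

    An Ingress passes only if it carries the managed-certificates annotation and
    every certificate it names exists as a ManagedCertificate in the same namespace.
    """
    present = {(c["metadata"]["namespace"], c["metadata"]["name"])
               for c in managed_certs["items"]}
    findings = []
    for ing in ingresses["items"]:
        meta = ing["metadata"]
        ns, name = meta["namespace"], meta["name"]
        value = (meta.get("annotations") or {}).get(ANNOTATION, "")
        # The annotation value may reference several certificates, comma-separated.
        certs = [c.strip() for c in value.split(",") if c.strip()]
        if not certs:
            findings.append(f"{ns}/{name}: no {ANNOTATION} annotation")
            continue
        for cert in certs:
            if (ns, cert) not in present:
                findings.append(f"{ns}/{name}: ManagedCertificate {cert!r} not found in namespace {ns!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_ingresses(INGRESSES, MANAGED_CERTS):
        print(finding)
```

Against a live cluster, feed the script the two kubectl JSON outputs instead of the embedded samples; the `prod/admin` case shows why the namespace match matters, since a certificate with the right name in another namespace does not satisfy the Ingress.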

Remediation

If services of type:LoadBalancer are discovered, consider replacing the Service with an Ingress.
To configure the Ingress to use Google-managed SSL certificates, follow the instructions in the GKE documentation.