EKS service SSL endpoint

Aviran

5/11/24, 9:03 PM

When creating a service using EKS, it is exposed using http through a AWS load balancer.

kubectl apply -f service.yaml - Will create a load balancer that's managed by EKS, and can not be modified. any modification, valid or not will be overriden by AWS at some point.

I'm going down the rabbit hole of trying to expose the service as HTTPS.

Modifying the aws load balancer to listen on 443 in https with and acm certificate, will provide a temporary solution, which will be reset when EKS will refresh the load balancer back to 'factory settings'.

Best approach seems to be to create an ingress load balancer that can support HTTPS. following these articles:

https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html

https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html

listen-ports and certificate-arn were added to the ingress yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: game-2048
  name: ingress-2048
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]' # Added by me
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:411686525067:certificate/8adf7812-a1af-4eae-af1b-ea425a238a67

spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: service-2048
              port:
                number: 80

EKS will create an ALB with a host name such as: k8s--------d4ees4dc9b-1296497080.eu-central-1.elb.amazonaws.com which is under the amazonaws.com.

When adding to the yaml config, certificate-arn the ALB will be created with a port 443 listener, and will be attached the ACM certificate that was specified.

But, since the ALB host is under the amazonaws.com domain, the certificate mismatches and I'm back to square one.

How can I make EKS create an https ALB?

On a higher level, I manage DNS on cloudflare and will create a CNAME proxy record for api.mydomain.com to the ALB host k8s--------d4ees4dc9b-1296497080.eu-central-1.elb.amazonaws.com

For the DNS proxy to work well, both 'sides' must support https.

130

1 + 0

amazon-web-services

amazon-eks

aws-eks

Score:0

Server

Aviran

5/13/24, 10:34 AM

The configuration described in the question is all you need to get an SSL endpoint

Once configured with an ALB that listens on https/443 and a proper alb.ingress.kubernetes.io/certificate-arn for your non aws domain.com.

a proxy CNAME record (cloudflare) from domain.com to k8sd4ees4dc9b-1296497080.eu-central-1.elb.amazonaws.com will enable connection to domain.com through the ALB with the valid SSL certification provided by the ALB.

connecting to the aws generating address using SSL will invoke the SSL mismatch warning, which is fine and as it should be.

The alternative is to go with aws PCA, which requires more complex configuration.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: EKS service SSL endpoint

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.