AWS: Proposed set of annotations for ELB "advanced features" #24978
Comments
@justinsb what would the annotation be for deciding whether to proxy SSL (L4, terminate at the pod) vs HTTPS (L7, terminate at the ELB, add X-Forwarded-For header)?
cc @jsravn
@therc good question - I forgot about that axis! I do think HTTP vs TCP should be a separate annotation. Perhaps
I think
Automatic merge from submit-queue

AWS: SSL support for ELB listeners through annotations

In the API, ports have only either TCP or UDP as their protocols, but ELB distinguishes HTTPS->HTTP[S]? from SSL->(SSL|TCP). Per #24978, this is implemented through two separate annotations:

`service.beta.kubernetes.io/aws-load-balancer-ssl-cert=arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012`
`service.beta.kubernetes.io/aws-load-balancer-backend-protocol=(https|http|ssl|tcp)`

Mixing plain-text and encrypted listeners will be in a separate PR, implementing #24978's `aws-load-balancer-ssl-ports=LIST`
+1
Fixes kubernetes#26268

Implements the second SSL ELB annotation, per kubernetes#24978

service.beta.kubernetes.io/aws-load-balancer-ssl-ports=* (or e.g. https)

If not specified, all ports are secure (SSL or HTTPS).
Automatic merge from submit-queue

AWS: support mixed plaintext/encrypted ports in ELBs via service.beta.kubernetes.io/aws-load-balancer-ssl-ports annotation

Fixes #26268

Implements the second SSL ELB annotation, per #24978

`service.beta.kubernetes.io/aws-load-balancer-ssl-ports=*` (comma-separated list of port numbers or e.g. `https`)

If not specified, all ports are secure (SSL or HTTPS).
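The listener selection that the two merged PRs above describe (`aws-load-balancer-ssl-cert` plus `aws-load-balancer-backend-protocol`, then `aws-load-balancer-ssl-ports` for mixed plaintext/TLS ports), worked through as an added Python model. The `backend-protocol` annotation is the L4-vs-L7 axis asked about earlier in the thread: `http`/`https` makes the ELB an HTTP proxy that adds `X-Forwarded-For`, `tcp`/`ssl` makes it a byte forwarder. This is illustrative code written for this page, not the Kubernetes AWS cloud provider's implementation; the defaults it assumes (a missing `ssl-ports` means `*`, `backend-protocol` defaults to `tcp`, ports may be listed by number or by port name, `ssl-ports` without `ssl-cert` is rejected, a non-terminated port falls back to TCP passthrough unless the backend is `http`) and the sample Service are assumptions, labelled in the comments:

```python
"""Added illustration, not the Kubernetes AWS cloud provider's code: how the
annotations merged in this thread select a classic-ELB listener per Service
port. Assumptions (the thread does not pin all of these down):
  - a missing aws-load-balancer-ssl-ports means "*" (every port gets the cert)
  - ssl-ports entries may be port numbers or port names (e.g. "https")
  - aws-load-balancer-backend-protocol defaults to "tcp"
  - ssl-ports set without ssl-cert is rejected as a configuration error
  - a port that is not TLS-terminated is plain HTTP only for backend "http";
    any other backend becomes TCP passthrough (the ELB cannot re-encrypt)
"""

PREFIX = "service.beta.kubernetes.io/"
SSL_CERT = PREFIX + "aws-load-balancer-ssl-cert"
SSL_PORTS = PREFIX + "aws-load-balancer-ssl-ports"
BACKEND_PROTOCOL = PREFIX + "aws-load-balancer-backend-protocol"

# backend-protocol is the L4/L7 axis: http/https makes the ELB an HTTP proxy
# (it adds X-Forwarded-For); tcp/ssl makes it forward bytes untouched.
L7_BACKENDS = {"http", "https"}
L4_BACKENDS = {"tcp", "ssl"}


def parse_ssl_ports(value):
    """Parse the ssl-ports annotation into (wildcard, port_numbers, port_names)."""
    if value is None or value.strip() == "*":
        return True, set(), set()
    numbers, names = set(), set()
    for item in value.split(","):
        item = item.strip()
        if item.isdigit():
            numbers.add(int(item))
        elif item:
            names.add(item.lower())
    return False, numbers, names


def elb_listeners(service):
    """Return one listener description per Service port."""
    annotations = service.get("metadata", {}).get("annotations", {})
    cert = annotations.get(SSL_CERT)
    backend = annotations.get(BACKEND_PROTOCOL, "tcp").strip().lower()
    if backend not in L7_BACKENDS | L4_BACKENDS:
        raise ValueError("unsupported backend protocol %r" % backend)
    if SSL_PORTS in annotations and not cert:
        raise ValueError("%s is set but %s is missing" % (SSL_PORTS, SSL_CERT))
    wildcard, numbers, names = parse_ssl_ports(annotations.get(SSL_PORTS))

    listeners = []
    for port in service["spec"]["ports"]:
        number = port["port"]
        name = port.get("name", "").lower()
        terminate_tls = bool(cert) and (wildcard or number in numbers or name in names)
        if terminate_tls:
            front = "HTTPS" if backend in L7_BACKENDS else "SSL"
            back = backend.upper()
        else:
            front = back = "HTTP" if backend == "http" else "TCP"
        listeners.append({
            "port": number,
            "listener_protocol": front,   # what the ELB terminates on its front side
            "instance_protocol": back,    # what it speaks to the node
            "certificate": cert if terminate_tls else None,
            "adds_x_forwarded_for": front in ("HTTP", "HTTPS"),
        })
    return listeners


# Constructed sample Service: plain HTTP on 80, TLS terminated at the ELB on
# 443, both proxied as HTTP to the pods. The ARN is the thread's placeholder.
SAMPLE_SERVICE = {
    "metadata": {
        "name": "web",
        "annotations": {
            SSL_CERT: "arn:aws:acm:us-east-1:123456789012:certificate/"
                      "12345678-1234-1234-1234-123456789012",
            SSL_PORTS: "https",
            BACKEND_PROTOCOL: "http",
        },
    },
    "spec": {
        "type": "LoadBalancer",
        "ports": [
            {"name": "http", "port": 80, "targetPort": 8080},
            {"name": "https", "port": 443, "targetPort": 8080},
        ],
    },
}

if __name__ == "__main__":
    for listener in elb_listeners(SAMPLE_SERVICE):
        print(listener)
```

Running it against the sample gives an HTTP listener on 80 and an HTTPS listener on 443 carrying the certificate, both with instance protocol HTTP; dropping `ssl-ports` would put the certificate on both ports, and switching `backend-protocol` to `tcp` would turn the terminated ports into SSL listeners that add no HTTP headers.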
@kubernetes/sig-cluster-federation
@justinsb - Just to clarify, has an annotation been accepted for creating L4 vs L7 load balancers as mentioned above? I haven't seen anything explicitly noting that ELBv2 / L7 ALBs have an annotation, and if so, what that annotation may be. Thanks.
Cleaning up old issues. @justinsb, do we still need this one, or can it be closed? |
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Bug 1835042: UPSTREAM: 91066: tweak exec-probe log statement to be more concise Origin-commit: 9b487585358aef05dfbbe042d15cb93f1f563577
There are a few PRs in flight to use annotations to add extra features to the ELBs that k8s sets up (DNS, SSL, Proxy Protocol), and I've written up here what I think a consistent set of those annotations would be. I think the PRs that we have are pretty close to what we have here.
Proxy protocol support:
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol=*
This is required to get the client IP, but the service must be aware of the extra header bytes that are sent. Likely our ingress controllers will turn this on and then set an HTTP X-Forwarded-For header, and also some advanced services might set it also to indicate they "speak proxy protocol".
cc @williamsandrew and cf #24569
SSL support at the ELB:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert=arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
service.beta.kubernetes.io/aws-load-balancer-ssl-ports=* (or e.g. https)

If the user wants the ELB to do SSL decryption, they should set these annotations. ssl-cert specifies the certificate to use; ssl-ports specifies on which ports we should enable SSL. ssl-ports can be optional and default to "*". We need not implement ssl-ports right away, because the primary use for SSL and non-SSL is likely http and https for webservers, and they will likely use ingress, which will likely use SNI instead. (But I do think some people will want direct-to-the-service http & https, so I bet we'll want it eventually..)
cc @therc and cf #23495
DNS support at the service level:
service.beta.kubernetes.io/hostname=myservice.myzone.com
If set, Kubernetes will configure a DNS alias for the ELB. Because this isn't specific to AWS, I don't think it gets an "aws-" prefix.
cc @chbatey and @quinton-hoole and cf #21397
Sharing / reusing an ELB
service.beta.kubernetes.io/load-balancer-secret=some-sort-of-secret-value
This allows an ELB to be (safely?) shared between two k8s clusters. If set, k8s will look for an ELB with a tag derived from the secret. If it finds one, it will use that ELB, otherwise it will create one (and tag it). In this way, two k8s clusters with services with the same tag will share an ELB. If the secret is kept reasonably secret then a user won't be able to "steal" someone else's ELB (this will be more realistic when we have RBAC etc).
cf #23483
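The proxy protocol section of the proposal says the service "must be aware of the extra header bytes that are sent", and the SSL section's L7 alternative has the ELB add `X-Forwarded-For` instead. The following added Python example (written for this page, not code from the issue or from Kubernetes) shows both sides of that: a backend consuming the PROXY header on an L4 listener, and the safe way to read `X-Forwarded-For` behind an L7 listener. It assumes the ELB sends PROXY protocol version 1 (the text form `PROXY TCP4 <client> <elb> <cport> <eport>` terminated by CRLF, at most 107 bytes); the connection bytes and header values are constructed.

```python
"""Added example, not code from this issue or from Kubernetes: the two ways a
backend behind an ELB learns the real client address.

  - aws-load-balancer-proxy-protocol=* on an L4 (TCP/SSL) listener: the ELB
    prefixes every connection with a PROXY protocol header that the service
    must consume before reading application data.
  - An L7 (HTTP/HTTPS) listener: the ELB appends the client address to
    X-Forwarded-For instead.

Assumption: the ELB sends PROXY protocol version 1, the text form
"PROXY TCP4 <client> <elb> <cport> <eport>" + CRLF (107 bytes at most).
All inputs below are constructed."""

import ipaddress

PROXY_V1_MAX_LEN = 107  # longest legal v1 line including CRLF


def parse_proxy_v1(data):
    """Consume a PROXY v1 header from the start of a connection.

    Returns (client_ip, client_port, remaining_bytes). Raises ValueError when
    the header is missing or malformed. Failing closed matters: a backend that
    expects the header must not treat a header-less connection (one that
    reached the pod without going through the ELB) as a trusted client, nor
    hand the header bytes to the application as if they were a request."""
    if not data.startswith(b"PROXY "):
        raise ValueError("connection did not start with a PROXY header")
    end = data.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end == -1:
        raise ValueError("PROXY header not terminated within %d bytes" % PROXY_V1_MAX_LEN)
    fields = data[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        # Allowed by the spec: the proxy could not determine the source.
        return None, None, data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header: %r" % data[:end])
    _, family, src, _dst, sport, _dport = fields
    src_ip = ipaddress.ip_address(src)
    if (family == "TCP4") != (src_ip.version == 4):
        raise ValueError("address family %s does not match %s" % (family, src))
    port = int(sport)
    if not 0 < port <= 65535:
        raise ValueError("bad source port %s" % sport)
    return str(src_ip), port, data[end + 2:]


def client_ip_from_xff(xff, trusted_hops=1):
    """Recover the client address from X-Forwarded-For on an L7 listener.

    Each proxy appends the address that connected to it, so only the
    rightmost `trusted_hops` entries were written by infrastructure we
    control (1 when the ELB is the only proxy). Everything to the left is
    client-supplied and spoofable, so the answer is the entry the outermost
    trusted proxy appended, never the leftmost value."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if trusted_hops < 1 or len(hops) < trusted_hops:
        raise ValueError("X-Forwarded-For has fewer entries than trusted hops")
    return str(ipaddress.ip_address(hops[-trusted_hops]))


# Constructed connection as the ELB would deliver it with proxy protocol on:
# the header line, then the client's actual HTTP request.
SAMPLE_CONNECTION = (b"PROXY TCP4 198.51.100.22 10.0.0.7 35646 8080\r\n"
                     b"GET / HTTP/1.1\r\nHost: web\r\n\r\n")

if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE_CONNECTION))
    # A client that sent its own forged X-Forwarded-For; the ELB appended the
    # address it really connected from.
    print(client_ip_from_xff("10.9.9.9, 198.51.100.22"))
```

The two checks pull in opposite directions and both matter: with proxy protocol enabled the pod must reject connections that carry no header (otherwise anything that can reach the node port directly is treated as a client), and with an L7 listener the pod must take the address the ELB appended, not whatever the client placed at the front of the header.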