
In Kubernetes, I use an nginx ingress controller to do TLS termination and load balancing.

When mutual TLS is used, the ingress controller can be configured to forward the client certificate as an HTTP header field, but this information is obviously not spoof-proof.

What are best practices for downstream web servers to trust the ingress controller?

Notes:

  • Checking the originating IP to be the ingress is not safe, as any other process that succeeds in sending a message from this IP could generate a similar message, regardless of whether that process has done any TLS termination or has any special privileges. Checking IPs is also a brittle design because they can change.
  • CloudFlare adds a signed JWT as a header field with information that can be trusted/verified.
Lemon Sky
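The signed-header approach the question attributes to Cloudflare, worked through as an added example (this is not code from the question and not Cloudflare's implementation): the component that terminated client TLS issues a short-lived signed token carrying the authenticated client's subject, and the downstream service accepts the identity only after checking the signature, issuer, audience and validity window. The shared HMAC key, the issuer name `ingress` and the claim layout are assumptions chosen so the example runs offline with the standard library; Cloudflare's own tokens are signed asymmetrically and verified against keys it publishes, but the checks the verifier performs are the same.

```python
import base64
import hashlib
import hmac
import json

ALG = "HS256"
ISSUER = "ingress"  # assumed issuer name for the TLS-terminating hop


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_identity_token(key: bytes, client_subject: str, audience: str, now: int, ttl: int = 60) -> str:
    """Built by the ingress after it verified the client certificate: binds the
    client's subject to this audience for a short window and signs it."""
    claims = {"iss": ISSUER, "aud": audience, "sub": client_subject, "iat": now, "exp": now + ttl}
    signing_input = _segment({"alg": ALG, "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_identity_token(key: bytes, token: str, audience: str, now: int):
    """Run by the downstream service. Returns the claims when every check
    passes, otherwise None; the caller must then treat the request as
    unauthenticated rather than fall back to any other header."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        if header.get("alg") != ALG:  # refuse alg=none and algorithm confusion
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return None
        claims = json.loads(_unb64url(p))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        return None
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    return claims


def forge_unsigned_token(client_subject: str, audience: str, now: int) -> str:
    """What a process on the same host could inject if the service trusted the
    header shape alone: same claims, alg=none, empty signature. Used below only
    to show that verify_identity_token rejects it."""
    claims = {"iss": ISSUER, "aud": audience, "sub": client_subject, "iat": now, "exp": now + 60}
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def demo():
    key = b"constructed-shared-key"  # constructed sample key
    now = 1_700_000_000
    token = issue_identity_token(key, "CN=client-a", "orders-svc", now)
    return {
        "valid": verify_identity_token(key, token, "orders-svc", now + 30),
        "expired": verify_identity_token(key, token, "orders-svc", now + 100),
        "wrong_audience": verify_identity_token(key, token, "other-svc", now + 30),
        "forged": verify_identity_token(key, forge_unsigned_token("CN=admin", "orders-svc", now), "orders-svc", now + 30),
    }
```

The token is bound to an audience and a short lifetime so that a captured header cannot be replayed against another service or much later; the distinction from a plain forwarded-certificate header is that only the holder of the signing key can produce an acceptable value, so a process that merely shares the ingress's IP gains nothing.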

1 Answer


In terms of solutions, the main one here would likely be re-encrypting the connection from the ingress to the pod running the workload, probably using a service mesh, although you could possibly do it manually as well.

Service mesh solutions like linkerd can be integrated with nginx ingress to implement mTLS between the ingress controller and the workloads. You could use this to authenticate the connection then use the identity information passed by ingress to identify the client workloads.

Rory McCune
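The trust gate the answer describes, as an added example that is not part of the answer and not code from ingress-nginx or Linkerd: once the hop from the ingress to the pod is itself mTLS, the pod's listener sees the ingress's own certificate, and the application accepts the forwarded client-certificate headers only when that peer identity is the expected one. The header names (`ssl-client-verify`, `ssl-client-subject-dn`, `ssl-client-cert` as URL-escaped PEM) are the ones ingress-nginx sets when `auth-tls-pass-certificate-to-upstream` is enabled; the ingress SAN value, the peer-certificate dicts and the "certificate" bytes are constructed placeholders, not a real certificate. The `peercert` argument has the shape `ssl.SSLSocket.getpeercert()` returns after a `CERT_REQUIRED` handshake.

```python
import base64
import hashlib
import ssl
from urllib.parse import quote, unquote

# SAN the ingress controller's certificate carries on the mTLS hop to this pod.
# Assumed value: whatever name the mesh or your own CA issues to the ingress.
INGRESS_SAN = ("DNS", "ingress-nginx-controller.ingress-nginx.svc")


def peer_is_ingress(peercert, expected_san=INGRESS_SAN):
    """True only when the pod's TLS listener verified a client certificate on
    this connection and it carries the ingress's SAN. None or {} means the
    connection was plaintext or the peer presented no (verified) certificate."""
    if not peercert:
        return False
    return expected_san in peercert.get("subjectAltName", ())


def forwarded_client_identity(headers, peercert):
    """Return (subject_dn, sha256 fingerprint) of the end client the ingress
    authenticated, or None when the headers must not be trusted. Anything the
    ingress did not verify (ssl-client-verify != SUCCESS) is also rejected."""
    if not peer_is_ingress(peercert):
        return None
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("ssl-client-verify") != "SUCCESS":
        return None
    pem = unquote(h.get("ssl-client-cert", ""))
    try:
        der = ssl.PEM_cert_to_DER_cert(pem)  # strips PEM framing, base64-decodes
    except ValueError:
        return None
    # The fingerprint is what you would pin or map to an internal identity.
    return h.get("ssl-client-subject-dn", ""), hashlib.sha256(der).hexdigest()


# Constructed sample: not a real certificate, just bytes in PEM framing so the
# header round-trips the way the real escaped PEM does.
FAKE_DER = b"constructed-not-a-real-certificate"
FAKE_FINGERPRINT = hashlib.sha256(FAKE_DER).hexdigest()
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

SAMPLE_HEADERS = {
    "ssl-client-verify": "SUCCESS",
    "ssl-client-subject-dn": "CN=client-a,O=Example",
    "ssl-client-cert": quote(FAKE_PEM, safe=""),  # $ssl_client_escaped_cert form
}

# Constructed peer certificates in getpeercert() dict form.
INGRESS_PEERCERT = {"subject": ((("commonName", "ingress"),),), "subjectAltName": (INGRESS_SAN,)}
ROGUE_PEERCERT = {"subject": ((("commonName", "other"),),), "subjectAltName": (("DNS", "other-pod.default.svc"),)}


def demo():
    return {
        # mTLS from the real ingress: headers are trusted
        "via_ingress": forwarded_client_identity(SAMPLE_HEADERS, INGRESS_PEERCERT),
        # same headers over a plaintext connection: rejected
        "plaintext_hop": forwarded_client_identity(SAMPLE_HEADERS, None),
        # same headers from another workload with a valid mesh cert: rejected
        "rogue_peer": forwarded_client_identity(SAMPLE_HEADERS, ROGUE_PEERCERT),
    }
```

The second and third cases are the ones the question worries about: identical headers arriving without the ingress's verified identity on the connection yield no client identity at all. When a service mesh sidecar terminates the mTLS hop instead of the application, the `peer_is_ingress` check moves into the mesh's authorization policy, and the application keeps only the header-trust part of the gate.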