Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive
Help Center/ Cloud Container Engine/ User Guide/ Network/ Service/ LoadBalancer/ Configuring TLS for a LoadBalancer Service

Configuring TLS for a LoadBalancer Service

Updated on 2024-09-30 GMT+08:00

TLS can be used if ultra-high performance and large-scale TLS offloading are required. You can use TLS to forward encrypted TCP requests from clients for a Service.

NOTE:

Service TLS relies on ELB. Before enabling TLS on a Service, check whether TLS is supported in the current region.

Prerequisites

  • A Kubernetes cluster is available and the cluster version meets the following requirements:
    • v1.23: v1.23.14-r0 or later
    • v1.25: v1.25.9-r0 or later
    • v1.27: v1.27.6-r0 or later
    • v1.28: v1.28.4-r0 or later
    • Other clusters of later versions
  • To create a cluster using commands, ensure kubectl is used. For details, see Connecting to a Cluster Using kubectl.

Notes and Constraints

When TLS is used, sticky session is not allowed.

Using the CCE Console

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.
  3. Configure Service parameters. In this example, only mandatory parameters required for using TLS are listed. For details about how to configure other parameters, see Using the Console.

    • Service Name: Specify a Service name, which can be the same as the workload name.
    • Service Type: Select LoadBalancer.
    • Selector: Add a label and click Confirm. The Service will use this label to select pods. You can also click Reference Workload Label to use the label of an existing workload. In the dialog box that is displayed, select a workload and click OK.
    • Load Balancer: Select a load balancer type and creation mode.
      • In this example, only dedicated load balancers are supported, and the type of the load balancer must be Network (TCP/UDP/TLS) or Network (TCP/UDP/TLS) & Application (HTTP/HTTPS). Otherwise, TLS cannot be enabled on the listener port.
      • This section uses an existing load balancer as an example. For details about the parameters for automatically creating a load balancer, see Table 1.
    • Ports
      • Protocol: Select TCP. If you select UDP, TLS will be unavailable.
      • Service Port: port used by the Service. The port number ranges from 1 to 65535.
      • Container Port: listener port of the workload. For example, Nginx uses port 80 by default.
      • Frontend Protocol: In this example, select TLS for the Service. For a dedicated load balancer, to use TLS, the type of the load balancer must be Network (TCP/UDP/TLS).
    • Listener
      • SSL Authentication: Select this option if HTTPS/TLS is enabled on the listener port. This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.
        • One-way authentication: Only the backend server is authenticated. If you also need to authenticate the identity of the client, select mutual authentication.
        • Mutual authentication: If you want the clients and the load balancer to authenticate each other, select this option. Only authenticated clients will be allowed to access the load balancer.
      • CA Certificate: If SSL Authentication is set to Mutual authentication, add a CA certificate to authenticate the client. A CA certificate is issued by a certificate authority (CA) and used to verify the certificate issuer. If mutual authentication is required, connections can be established only when the client provides a certificate issued by a specific CA.
      • Server Certificate: Select a server certificate. If no certificate is available, create one on the ELB console. For details, see Adding a Certificate.
      • ProxyProtocol: transfers the source IP addresses of clients to backend servers.
        NOTE:

        Ensure the backend servers support ProxyProtocol. Otherwise, services may be interrupted.

      • Security Policy: If TLS is enabled on the listener port, you can select a security policy. This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.
      • Backend Protocol: If TLS is enabled on the listener port, TCP or TLS can be used to access the backend server. The default value is TCP. This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.
    Figure 1 Configuring TLS

  4. Click OK.

Using kubectl

This section uses an existing load balancer as an example. An example YAML file of a TLS-compliant Service is as follows:
apiVersion: v1
kind: Service
metadata:
  name: test-tls
  labels:
    app: nginx
  namespace: default
  annotations:
    kubernetes.io/elb.class: performance                                        # Load balancer type, which can only be performance (dedicated load balancer) supported by a TLS listener
    kubernetes.io/elb.id: 35cb350b-23e6-4551-ac77-10d5298f5204                  # ID of an existing load balancer
    kubernetes.io/elb.protocol-port: tls:443                                    # Port on which TLS is to be enabled
    kubernetes.io/elb.cert-id: 98e91cb03dea418582a438a212b461d5                 # TLS server certificate
    kubernetes.io/elb.tls-certificate-ids: e59934f5bc7044f58693de79f1cb4b6d     # TLS SNI certificate
    kubernetes.io/elb.client-ca-cert-id: 5b5178323a2f4eddbafed065945d9069       # Client CA certificate in TLS mutual authentication
    kubernetes.io/elb.proxy-protocol-enable: 'true'                             # ProxyProtocol for transferring the IP addresses of clients to backend servers
    kubernetes.io/elb.security-pool-protocol: 'on'                              # Backend security protocol. If this function is enabled, the backend protocol is TLS. Otherwise, the backend protocol is TCP.
    kubernetes.io/elb.security-policy-id: 175318e0-b6cb-44c5-80a2-0dc372f20df5  # ID of the custom security policy, whose priority is higher than that of the preset security policy
    kubernetes.io/elb.tls-ciphers-policy: tls-1-2-fs                            # Preset security policy
spec:
  selector:
    app: nginx
  externalTrafficPolicy: Cluster
  ports:
    - name: cce-service-0
      targetPort: 80
      nodePort: 0
      port: 443
      protocol: TCP
  type: LoadBalancer
  loadBalancerIP: **.**.**.**
Table 1 Key parameters

Parameter

Type

Description

kubernetes.io/elb.protocol-port

String

If a Service is TLS/HTTP/HTTPS-compliant, configure the protocol and port number in the format of "protocol:port".

where,

  • protocol: specifies the protocol used by the listener port. The value can be tls, http, or https.
  • port: Service port specified by spec.ports[].port.

For example, to create a TLS listener, the Service protocol must be tls and the Service port must be 443. Therefore, the parameter value is tls:443.

kubernetes.io/elb.cert-id

String

ID of an ELB certificate, which is used as the TLS/HTTPS server certificate.

To obtain the certificate, log in to the CCE console, choose Service List > Networking > Elastic Load Balance, and click Certificates in the navigation pane. In the load balancer list, copy the ID under the target certificate name.

kubernetes.io/elb.tls-certificate-ids

String

In ELB, the IDs of SNI certificates that must contain a domain name are separated by commas (,). To change an ID, remove the SNI certificate by specifying an empty string "".

To obtain the certificate, log in to the CCE console, choose Service List > Networking > Elastic Load Balance, and click Certificates in the navigation pane. In the load balancer list, copy the ID under the target certificate name.

kubernetes.io/elb.client-ca-cert-id

String

ID of an ELB CA certificate. A CA certificate is issued by a certificate authority (CA) and used to verify the certificate issuer. If TLS/HTTPS mutual authentication is required, TLS/HTTPS connections can be established only when the client provides a certificate issued by a specific CA. To change an ID, remove the CA certificate by specifying an empty string "".

To obtain the certificate, log in to the CCE console, choose Service List > Networking > Elastic Load Balance, click Certificates in the navigation pane, and filter CA certificates. In the load balancer list, copy the ID under the target certificate name.

kubernetes.io/elb.security-pool-protocol

String

If the frontend protocol of a listener is TLS or HTTPS, you can enable the backend security protocol TLS or HTTPS. The backend security protocol of an existing listener cannot be changed. The modification takes effect only on new listeners that are created by changing the protocol or port.

  • on/true: enabled
  • off/false: disabled

kubernetes.io/elb.security-policy-id

String

ID of a custom security policy, whose priority is higher than that of a preset security policy. To change an ID, remove the policy by specifying an empty string "".

To obtain a security policy, log in to the CCE console, choose Service List > Networking > Elastic Load Balance > TLS Security Policies, and click the Custom Security Policies tab. In the security policy list, copy the ID under the target policy.

kubernetes.io/elb.tls-ciphers-policy

String

Preset security policy, which is tls-1-0 by default.

To obtain a security policy, log in to the CCE console, choose Service List > Networking > Elastic Load Balance > TLS Security Policies, and click the Default Security Policies tab. In the security policy list, copy the name of the target policy.

kubernetes.io/elb.proxy-protocol-enable

String

ProxyProtocol is enabled, which is available only when the frontend protocol is TLS. ProxyProtocol can be used to transfer the IP addresses of clients to backend servers.

  • on/true: enabled
  • off/false: disabled
NOTE:

Ensure the backend servers support ProxyProtocol. Otherwise, services may be interrupted.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback