GCP: enabling SSL policies on HTTPS LB Ingress

If you are using the GCP HTTPS LB to deliver your public services, be sure to apply an explicit SSL policy that controls how TLS is negotiated with clients. Setting an SSL policy lets you control the minimum TLS version as well as the cipher families offered.

A basic SSL policy that limits clients to TLS 1.2+ and restricts the cipher family to a modern set can be created like this:

gcloud compute ssl-policies create my-ssl-policy --min-tls-version=1.2 --profile=MODERN

This SSL policy is then referenced in a FrontendConfig object.

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: ssl-frontend-policy
spec:
  sslPolicy: my-ssl-policy

The FrontendConfig is then referenced from your Ingress via the annotation shown below.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: gce
    networking.gke.io/v1beta1.FrontendConfig: ssl-frontend-policy

With a proper certificate, the simple configuration above can bring your Qualys SSL score up to an A.

Note that this does not apply to the Internal HTTPS LB (kubernetes.io/ingress.class: gce-internal), which is not compatible with FrontendConfig.
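As an added example (not part of the original post), the following check audits whether an Ingress is actually wired to a strong SSL policy through the FrontendConfig chain described above, and flags the gce-internal case where the annotation has no effect. Inputs are plain dicts of the shape yaml.safe_load yields for the manifests and of the shape `gcloud compute ssl-policies describe --format=json` yields for the policy; all sample data is constructed for this example.

```python
"""Added example: audit GKE Ingress manifests for an explicit SSL policy.
Inputs are plain dicts (what yaml.safe_load returns for the manifests, and what
`gcloud compute ssl-policies describe --format=json` returns for the policy)."""
from typing import Dict, List

INGRESS_CLASS = "kubernetes.io/ingress.class"
FRONTEND_CONFIG = "networking.gke.io/v1beta1.FrontendConfig"
WEAK_TLS = {"TLS_1_0", "TLS_1_1"}          # minTlsVersion values to flag
STRONG_PROFILES = {"MODERN", "RESTRICTED"}  # profiles accepted without review


def audit_ingress(ingress: dict, frontend_configs: Dict[str, dict],
                  ssl_policies: Dict[str, dict]) -> List[str]:
    """Return findings for one Ingress; an empty list means it passes."""
    meta = ingress.get("metadata") or {}
    name = meta.get("name", "<unnamed>")
    ann = meta.get("annotations") or {}
    cls, fc_name = ann.get(INGRESS_CLASS), ann.get(FRONTEND_CONFIG)
    if cls == "gce-internal":
        # Internal HTTPS LB does not support FrontendConfig at all.
        return [f"{name}: FrontendConfig is ignored on gce-internal"] if fc_name else []
    if cls != "gce":
        return []  # not an external GCE HTTPS LB Ingress; nothing to check
    if not fc_name:
        return [f"{name}: no FrontendConfig annotation, default SSL policy applies"]
    fc = frontend_configs.get(fc_name)
    if fc is None:
        return [f"{name}: FrontendConfig {fc_name!r} not found"]
    policy_name = (fc.get("spec") or {}).get("sslPolicy")
    if not policy_name:
        return [f"{name}: FrontendConfig {fc_name!r} sets no sslPolicy"]
    policy = ssl_policies.get(policy_name)
    if policy is None:
        return [f"{name}: SSL policy {policy_name!r} not found"]
    findings = []
    if policy.get("minTlsVersion") in WEAK_TLS:
        findings.append(f"{name}: policy {policy_name!r} allows {policy['minTlsVersion']}")
    if policy.get("profile") not in STRONG_PROFILES:  # COMPATIBLE/CUSTOM need review
        findings.append(f"{name}: policy {policy_name!r} uses profile {policy.get('profile')}")
    return findings


# Constructed sample data mirroring the manifests in the post.
FRONTEND_CONFIGS = {"ssl-frontend-policy": {"spec": {"sslPolicy": "my-ssl-policy"}}}
SSL_POLICIES = {"my-ssl-policy": {"minTlsVersion": "TLS_1_2", "profile": "MODERN"}}
GOOD_INGRESS = {"metadata": {"name": "my-ingress", "annotations": {
    INGRESS_CLASS: "gce", FRONTEND_CONFIG: "ssl-frontend-policy"}}}
BARE_INGRESS = {"metadata": {"name": "bare", "annotations": {INGRESS_CLASS: "gce"}}}
print(audit_ingress(GOOD_INGRESS, FRONTEND_CONFIGS, SSL_POLICIES) or "my-ingress: OK")
```

Feed it the output of `kubectl get ingress,frontendconfig -o yaml` and the describe JSON of each referenced policy to audit a whole cluster.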
