If you are using a GCP HTTPS LB to deliver your public services, be sure to apply an explicit SSL policy that controls how TLS is negotiated with clients. Setting an SSL policy lets you control the minimum version of TLS as well as the available cipher families.
A basic SSL policy that limits clients to TLS 1.2+ and limits the cipher family to a modern set can be created like this:
    gcloud compute ssl-policies create my-ssl-policy --min-tls-version=1.2 --profile=MODERN
This SSL policy is then referenced in a FrontendConfig object.
    apiVersion: networking.gke.io/v1beta1
    kind: FrontendConfig
    metadata:
      name: ssl-frontend-policy
    spec:
      sslPolicy: my-ssl-policy
The FrontendConfig is then referenced in your Ingress annotations, as shown below.
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: my-ingress
      annotations:
        kubernetes.io/ingress.class: gce
        # Name of the FrontendConfig object that carries the sslPolicy
        networking.gke.io/v1beta1.FrontendConfig: ssl-frontend-policy
    # spec (rules and backends) omitted
With the proper certificate, the simple configuration above can bring your Qualys SSL score up to an A.
Note that this does not apply to Internal HTTPS LBs (kubernetes.io/ingress.class: gce-internal), which are not compatible with FrontendConfig.
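An added example, not from the original post: a Python check that follows the Ingress annotation to its FrontendConfig and SSL policy, and flags any external GCE Ingress that is not pinned to a policy with a TLS 1.2 minimum. It assumes input shaped like the items of `kubectl get ingress,frontendconfig -A -o json` and a name-keyed dict built from `gcloud compute ssl-policies list --format=json`; the function names, the `web` namespace and the sample objects are constructed for illustration.

```python
FC_KEY = "networking.gke.io/v1beta1.FrontendConfig"  # annotation used on the Ingress
CLASS_KEY = "kubernetes.io/ingress.class"
WEAK_MIN = {"TLS_1_0", "TLS_1_1"}  # minTlsVersion values below TLS 1.2

def audit(items, policies):
    """Map each Ingress ("namespace/name") to OK, SKIP or FAIL with a reason."""
    fcs = {(o["metadata"]["namespace"], o["metadata"]["name"]): o.get("spec") or {}
           for o in items if o["kind"] == "FrontendConfig"}
    out = {}
    for o in (i for i in items if i["kind"] == "Ingress"):
        ns, name = o["metadata"]["namespace"], o["metadata"]["name"]
        ann = o["metadata"].get("annotations") or {}
        cls = ann.get(CLASS_KEY, "gce")  # assumption: no class annotation means external LB
        fc_name = ann.get(FC_KEY)        # assumption: resolved in the Ingress's own namespace
        if cls != "gce":                 # e.g. gce-internal, which cannot use FrontendConfig
            res = f"SKIP: class {cls} does not take a FrontendConfig"
        elif fc_name is None:
            res = "FAIL: no FrontendConfig annotation"
        elif (ns, fc_name) not in fcs:
            res = f"FAIL: FrontendConfig {fc_name} not found"
        else:
            pol_name = fcs[(ns, fc_name)].get("sslPolicy")
            pol = policies.get(pol_name)
            if pol is None:
                res = f"FAIL: SSL policy {pol_name!r} missing or unset"
            elif pol.get("minTlsVersion") in WEAK_MIN:
                res = f"FAIL: {pol_name} allows {pol['minTlsVersion']}"
            else:
                res = "OK"
        out[f"{ns}/{name}"] = res
    return out

def sample_obj(kind, name, ann=None, spec=None):  # only the fields audit() reads
    return {"kind": kind, "metadata": {"namespace": "web", "name": name,
                                       "annotations": ann or {}}, "spec": spec or {}}

# Constructed sample data, not output from a real cluster or project.
SAMPLE_ITEMS = [
    sample_obj("FrontendConfig", "ssl-frontend-policy", spec={"sslPolicy": "my-ssl-policy"}),
    sample_obj("FrontendConfig", "legacy-fc", spec={"sslPolicy": "old-policy"}),
    sample_obj("Ingress", "my-ingress", {CLASS_KEY: "gce", FC_KEY: "ssl-frontend-policy"}),
    sample_obj("Ingress", "legacy", {CLASS_KEY: "gce", FC_KEY: "legacy-fc"}),
    sample_obj("Ingress", "bare", {CLASS_KEY: "gce"}),
    sample_obj("Ingress", "internal", {CLASS_KEY: "gce-internal"}),
]
SAMPLE_POLICIES = {"my-ssl-policy": {"minTlsVersion": "TLS_1_2", "profile": "MODERN"},
                   "old-policy": {"minTlsVersion": "TLS_1_0", "profile": "COMPATIBLE"}}

if __name__ == "__main__":
    print("\n".join(f"{k}: {v}" for k, v in audit(SAMPLE_ITEMS, SAMPLE_POLICIES).items()))
```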