Nginx Sidecar for TLS/SSL Termination on Kubernetes

The Sidecar

We have a requirement to force encrypted communication between all kubernetes pods running within our Google Container Engine (GKE) cluster. TLS termination can be done a number of ways within GKE using an ingress, but if we're to achieve encrypted pod to pod traffic, we need something within each pod to make this happen.

We decided to use an nginx process to perform our TLS termination, and configured it as a reverse proxy within each of our application pods. A depiction of the traffic flow is below.

Traffic arrives at the edge of the cluster in its encrypted state. Kubernetes routes traffic to the application pod based on a kubernetes service configuration. The nginx container is listening on 443, so it receives the traffic, terminates SSL, and proxies the request to our application container over localhost:8080.

(For more details on how networking works within Google Container Engine, please watch this great video from Google Cloud Next '17)

This nginx sidecar is a similar technique used in more sophisticated sidecars such as Lyft's Envoy and Google's Cloud Endpoints Extensible Service Proxy. We felt it was a good place to start without involving those frameworks (we're not there yet).

You can find a working implementation of this technique here: https://github.com/pbrumblay/tls-sidecar

References

This work was inspired by the following articles, how-to's and tools

• https://github.com/kubernetes/kubernetes/blob/master/examples/https-nginx/default.conf 
• https://www.nginx.com/resources/admin-guide/nginx-tcp-ssl-termination/
• https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
• https://mozilla.github.io/server-side-tls/ssl-config-generator
• https://github.com/cloudendpoints/esp