I am doing some research on how to implement an HTTPS secure connection between Nginx Ingress -> backend services. So far I have SSL set up in the Nginx Ingress controller, which uses the Let's Encrypt cert-manager to rotate the certificate using the http-01 challenge.
Here is my scenario:
So my question is: how can I secure communication between the ingress controller and the pod so that traffic is encrypted end to end? Do I need my own certificate authority to do that? If so, are there any open source solutions that can handle certificate management just like cert-manager?
1. Nginx ingress controller + DAPR
I am not sure I can post YouTube URLs here (at least I have never seen anyone doing that), but I think this is 100% exactly what you want. Your scenario is discussed in the 1st topic; you only need to watch that. As a bonus, you will see a step-by-step installation there. Personally, I found that video very helpful.
Secure Ingress pods communication
2. You can achieve that with Istio itself. Istio By Example!: Secure Ingress
3. Istio + Calico network policy for Istio
Enforce network policy for Istio
The Calico support for Istio service mesh has the following benefits:
- Pod traffic controls
  Lets you restrict ingress traffic inside and outside pods and mitigate common threats to Istio-enabled apps.
- Supports security goals
  Enables adoption of a zero trust network model for security, including traffic encryption, multiple enforcement points, and multiple identity criteria for authentication.