Document how to set up TLS for a workload

[sftim]

This is a Feature Request

What would you like to be added
Add documentation that covers the different ways to protect communications in transit for a workload.

Explain prerequisites to include an understanding of SSL / TLS, maybe SNI and X.509 too. Help readers understand the topic and signpost away anyone looking for other docs (eg how to use TLS with the control plane)

Explain prerequisites to deploying TLS: stable hostname, private key, certificate
Maybe mention ACME if this doesn't make the page too long.

Discuss hosting options:

• deploying Pods with containers that implement TLS themselves, along with a TCP-level Service, and a Secret to protect private key material
• setting up a Service that uses TLS (eg via a cloud provider extension)
• setting up an Ingress that uses TLS
• using Gateway

What's next:
signpost readers to relevant add-ons, eg https://github.com/jetstack/cert-manager
signpost readers to learn about using

• hardware security modules
• hardware acceleration
• whatever the generic term is for AWS Certificate Manager for Nitro Enclaves
  using confidential computing mechanisms to access managed encryption services

for TLS.

Why is this needed
There are several options for using TLS in connection with Kubernetes for application workloads. If you learn N-1 of these, it's not easy to spot that you haven't encountered all of them.

Comments
The aim I have in mind is that there's a single page for the topic. If I meet someone who wants to learn about TLS for workloads on Kubernetes I give them a link to that page and they can find what they need to by reading the page and clicking links (they don't have to rely on the search form or on a 3rd-party search website).

If linking to 3rd party content, bear the content guide in mind.

#14727 is kind of similar; it's more broadly focused on a encryption at rest in general. It feels OK to focus on TLS rather than the bigger picture of encryption in transit. Cluster operators are going to be much, much more likely to pick TLS to protect their application data over (eg) Kerberos or IPSEC.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[sftim]

/kind feature
/priority important-longterm

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[sftim]

/remove-lifecycle rotten

[sftim]

Also see #17848

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[sftim]

/remove-lifecycle rotten

[sftim]

Think this is important enough to merit
/lifecycle frozen

[sftim]

Relevant to PR #23522

[sftim]

/sig security

[sftim]

Also IMO
/sig usability

[sftim]

/language en

[sftim]

Duplicated by #31269

[tomkivlin]

I'd like to work on this. @sftim do you see this as a page in /concepts/security/ with the description of what TLS is and what it's used for in Kubernetes, with some "what's next" content pointing to a new page in /tasks/tls/ with the scenarios you've described etc.?

[tomkivlin]

/assign

[sftim]

do you see this as a page in /concepts/security/ with the description of what TLS is and what it's used for in Kubernetes, with some "what's next" content pointing to a new page in /tasks/tls/ with the scenarios you've described etc.?

I hadn't got that far @tomkivlin. What you suggests sounds good to me.

Have a think about the concept would be “encryption in transit” or specifically “TLS”. If you have the appetite for it, the concept could even be “How Kubernetes Uses Encryption”.

Maybe there will be more than one task page. Also some existing task pages cover TLS in one way or another.

[tomkivlin]

@sftim I like that idea. What I'll do then is a new page e.g. /concepts/security/kubernetes-encryption.md which can cover encryption at rest (etcd, secrets, volumes, etc.), in transit (Pods, Services, Ingress, etc.) and link off to other existing pages. I'll create any task pages as needed.

[sftim]

Encryption is also used for authn in various ways. I don't think we use if for nonrepudiation.

[tomkivlin]

NB I have started work on this, will prepare a PR when I'm back from holiday.

https://github.com/tomkivlin/website/blob/tomkivlin/issue14725/content/en/docs/concepts/security/kubernetes-encryption.md

[sftim]

Great! I look forward to seeing this merged.

[mehabhalodiya]

@tomkivlin I don't see any updates regarding any PR; so unassigning you. Please feel free to assign, if you come back here again and are willing to work on 🙂
/unassign @tomkivlin

[tomkivlin]

/assign

[insaaniManav]

Hi I'd love to make this happen can I be assigned this issue ?

[sftim]

Here's how to work on this:

• open a pull request as a draft
• in the description, mention Document how to set up TLS for a workload #14725
• when you're ready, mark the pull request as ready for review

We've a lengthier guide at https://kubernetes.io/docs/contribute/new-content/

[insaaniManav]

/assign

[insaaniManav]

Hi so continuing this conversation are we still going with what was suggested by @tomkivlin on this ? is it okay if I continue work where they left off on their branch ?

[sftim]

(yes, it's OK - because we have a CLA in place for @tomkivlin)

[tomkivlin]

Hi so continuing this conversation are we still going with what was suggested by @tomkivlin on this ? is it okay if I continue work where they left off on their branch ?

Fine by me! Sorry for not being able to continue this.

[sftim]

Want help? Feel free to reply with questions.