I've set up an F5 BIGIP (CIS) that forwards traffic to some applications in Kubernetes using NodePort, but these applications only support HTTP—no TLS. Right now, I've configured the virtual servers with a client SSL profile using edge termination. While everything is functioning well, I want to ensure that the communication between F5 and the Kubernetes nodes is secure. I'm using Cilium for the CNI, which has transparent encryption enabled. What steps can I take to secure this communication without changing the applications to support TLS?
4 Answers
You could implement a reverse proxy, such as Traefik or NGINX Ingress, inside your Kubernetes cluster. This would allow F5 to terminate TLS at the edge and then re-encrypt the traffic to Traefik using HTTPS. This method ensures end-to-end encryption while keeping your applications running with HTTP.
Why not have the F5 VIP handle TLS termination and send unencrypted traffic to your worker nodes? We use NGINX Ingress with A10 load balancers similar to your setup, terminating TLS at NGINX. This way, client connections remain secure while communication between NGINX and the pods can remain unencrypted.
One solution is to set up a gateway within your cluster, like Traefik. The F5 would forward traffic to Traefik on NodePort, which can effectively route it to the appropriate pod in Kubernetes. This way, you can secure the connections without modifying the applications themselves.
Consider adding a server SSL profile on your F5 to encrypt traffic going to NodePorts. If you want to go full mTLS, implementing a service mesh like Istio or a platform that supports mTLS could be beneficial.
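Putting the reverse-proxy answer and the server SSL profile answer together, the part that Cilium's transparent encryption does not cover is the hop from the F5 to the NodePort on the worker node, so that hop needs its own TLS. The manifests below are an added example, not configuration from the thread or from any of the projects mentioned: they expose ingress-nginx on a fixed NodePort with TLS, and route to the unchanged HTTP application. The namespace names, the `legacy-app` service and port, the `app.example.internal` host, the `proxy-tls` secret and NodePort 30443 are all assumptions for illustration.

```yaml
# Added example, not from the original thread. All names, hosts and ports are assumed.
#
# The certificate the proxy presents to the F5 is created beforehand, in the same
# namespace as the Ingress, from a cert/key issued by an internal CA you control:
#   kubectl -n apps create secret tls proxy-tls --cert=proxy.crt --key=proxy.key
---
# NodePort Service in front of ingress-nginx. The F5 pool members become
# <node-ip>:30443, which is the only hop Cilium's transparent encryption
# does not protect, so it is the hop the server SSL profile must cover.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  selector:
    app.kubernetes.io/name: ingress-nginx   # assumed controller label
  ports:
  - name: https
    port: 443
    targetPort: https
    nodePort: 30443
---
# The Ingress terminates TLS in nginx with proxy-tls; the upstream to the
# legacy application stays plain HTTP on the pod network, which Cilium encrypts.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: legacy-app
  namespace: apps
  annotations:
    # refuse plaintext on the proxy side so a mis-pointed pool cannot downgrade
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.example.internal
    secretName: proxy-tls
  rules:
  - host: app.example.internal
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: legacy-app      # assumed: existing HTTP-only service
            port:
              number: 8080
```

On the F5 side the matching pieces are a pool of node addresses on port 30443 with an https monitor, and a server SSL profile that actually verifies the proxy's certificate rather than just encrypting, for example `tmsh create ltm profile server-ssl k8s-reencrypt defaults-from serverssl peer-cert-mode require ca-file internal-ca.crt` followed by `tmsh modify ltm virtual app_vs profiles add { k8s-reencrypt }` (profile, CA file and virtual server names assumed); with CIS you reference that profile from the CIS resource instead of editing the virtual server by hand. Without `peer-cert-mode require` and a CA file the F5 will happily negotiate TLS with anything answering on the NodePort, which encrypts the hop but does not authenticate it.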
