github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #25574 from Clarifai/elb 

Automatic merge from submit-queue

Update AWS under the hood doc with ELB SSL annotations

Document #23495. No e2e tests or release notes needed (the other PR is already in the release docs).
pull/6/head
k8s-merge-robot 2016-05-20 09:45:09 -07:00
parent f935507235 54c55fdac3
commit 9625926852
1 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
docs/design/aws_under_the_hood.md
View File

@ -139,7 +139,8 @@ pods.
ELB has some restrictions: ELB has some restrictions:
* ELB requires that all nodes listen on a single port, * ELB requires that all nodes listen on a single port,
* ELB acts as a forwarding proxy (i.e. the source IP is not preserved). * ELB acts as a forwarding proxy (i.e. the source IP is not preserved, but see below
on ELB annotations for pods speaking HTTP).
To work with these restrictions, in Kubernetes, [LoadBalancer To work with these restrictions, in Kubernetes, [LoadBalancer
services](../user-guide/services.md#type-loadbalancer) are exposed as services](../user-guide/services.md#type-loadbalancer) are exposed as
@ -162,6 +163,32 @@ services or for LoadBalancer. To consume a NodePort service externally, you
will likely have to open the port in the node security group will likely have to open the port in the node security group
(`kubernetes-minion-<clusterid>`). (`kubernetes-minion-<clusterid>`).
For SSL support, starting with 1.3 two annotations can be added to a service:
```
service.beta.kubernetes.io/aws-load-balancer-ssl-cert=arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
```
The first specifies which certificate to use. It can be either a
certificate from a third party issuer that was uploaded to IAM or one created
within AWS Certificate Manager.
```
service.beta.kubernetes.io/aws-load-balancer-backend-protocol=(https|http|ssl|tcp)
```
The second annotation specificies which protocol a pod speaks. For HTTPS and
SSL, the ELB will expect the pod to authenticate itself over the encrypted
connection.
HTTP and HTTPS will select layer 7 proxying: the ELB will terminate
the connection with the user, parse headers and inject the `X-Forwarded-For`
header with the user's IP address (pods will only see the IP address of the
ELB at the other end of its connection) when forwarding requests.
TCP and SSL will select layer 4 proxying: the ELB will forward traffic without
modifying the headers.
### Identity and Access Management (IAM) ### Identity and Access Management (IAM)
kube-proxy sets up two IAM roles, one for the master called kube-proxy sets up two IAM roles, one for the master called
@ -308,6 +335,7 @@ Salt and Kubernetes from the S3 bucket, and then triggering Salt to actually
install Kubernetes. install Kubernetes.
<!-- BEGIN MUNGE: GENERATED_ANALYTICS --> <!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/aws_under_the_hood.md?pixel)]() [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/aws_under_the_hood.md?pixel)]()
<!-- END MUNGE: GENERATED_ANALYTICS --> <!-- END MUNGE: GENERATED_ANALYTICS -->