Commit 96259268 authored by k8s-merge-robot's avatar k8s-merge-robot

Merge pull request #25574 from Clarifai/elb

Automatic merge from submit-queue Update AWS under the hood doc with ELB SSL annotations Document #23495. No e2e tests or release notes needed (the other PR is already in the release docs).
parents f9355072 54c55fda
...@@ -139,7 +139,8 @@ pods. ...@@ -139,7 +139,8 @@ pods.
ELB has some restrictions: ELB has some restrictions:
* ELB requires that all nodes listen on a single port, * ELB requires that all nodes listen on a single port,
* ELB acts as a forwarding proxy (i.e. the source IP is not preserved). * ELB acts as a forwarding proxy (i.e. the source IP is not preserved, but see below
on ELB annotations for pods speaking HTTP).
To work with these restrictions, in Kubernetes, [LoadBalancer To work with these restrictions, in Kubernetes, [LoadBalancer
services](../user-guide/services.md#type-loadbalancer) are exposed as services](../user-guide/services.md#type-loadbalancer) are exposed as
...@@ -162,6 +163,32 @@ services or for LoadBalancer. To consume a NodePort service externally, you ...@@ -162,6 +163,32 @@ services or for LoadBalancer. To consume a NodePort service externally, you
will likely have to open the port in the node security group will likely have to open the port in the node security group
(`kubernetes-minion-<clusterid>`). (`kubernetes-minion-<clusterid>`).
For SSL support, starting with 1.3 two annotations can be added to a service:
```
service.beta.kubernetes.io/aws-load-balancer-ssl-cert=arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
```
The first specifies which certificate to use. It can be either a
certificate from a third party issuer that was uploaded to IAM or one created
within AWS Certificate Manager.
```
service.beta.kubernetes.io/aws-load-balancer-backend-protocol=(https|http|ssl|tcp)
```
The second annotation specificies which protocol a pod speaks. For HTTPS and
SSL, the ELB will expect the pod to authenticate itself over the encrypted
connection.
HTTP and HTTPS will select layer 7 proxying: the ELB will terminate
the connection with the user, parse headers and inject the `X-Forwarded-For`
header with the user's IP address (pods will only see the IP address of the
ELB at the other end of its connection) when forwarding requests.
TCP and SSL will select layer 4 proxying: the ELB will forward traffic without
modifying the headers.
### Identity and Access Management (IAM) ### Identity and Access Management (IAM)
kube-proxy sets up two IAM roles, one for the master called kube-proxy sets up two IAM roles, one for the master called
...@@ -308,6 +335,7 @@ Salt and Kubernetes from the S3 bucket, and then triggering Salt to actually ...@@ -308,6 +335,7 @@ Salt and Kubernetes from the S3 bucket, and then triggering Salt to actually
install Kubernetes. install Kubernetes.
<!-- BEGIN MUNGE: GENERATED_ANALYTICS --> <!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/aws_under_the_hood.md?pixel)]() [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/aws_under_the_hood.md?pixel)]()
<!-- END MUNGE: GENERATED_ANALYTICS --> <!-- END MUNGE: GENERATED_ANALYTICS -->
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment