Configuring the GCE Ingress Controller to accept only TLS 1.2 connections and up using Terraform

NG Sai Prasanth
Jun 7, 2021

Creating SSL Policy

Create a `policies.tf` file in your Terraform folder and add an SSL policy resource:

```hcl
# policies.tf
resource "google_compute_ssl_policy" "ssl-policy" {
  name            = "ssl-policy"
  project         = google_project.hello_world.project_id
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}
```

Setting `min_tls_version` to `TLS_1_2` makes the HTTPS load balancer that the GCE Ingress controller provisions reject any client that cannot negotiate TLS 1.2 or higher; the `MODERN` profile additionally restricts the cipher suites the load balancer will offer.

Setting up FrontendConfig

A FrontendConfig controls the client-facing side of the load balancer (traffic before it reaches the Ingress, such as the TLS policy), while a BackendConfig controls the backend side (traffic after the Ingress has routed it). Currently the FrontendConfig cannot be created with Terraform, so here is a sample YAML file:

```yaml
# frontend-config.yaml
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: frontend-config
  namespace: default
spec:
  sslPolicy: ssl-policy
```

Configuring Ingress controller to use the Frontend Config

We have to add the following annotation to our Ingress resource to tell the GKE Ingress controller to use the FrontendConfig we defined:

`"networking.gke.io/v1beta1.FrontendConfig" = "frontend-config"`

```hcl
# k8s-ingress.tf
resource "kubernetes_ingress" "example_ingress" {
  metadata {
    name = "example-ingress"
    annotations = {
      # Attach the FrontendConfig (and therefore the SSL policy) to this Ingress
      "networking.gke.io/v1beta1.FrontendConfig" = "frontend-config"
    }
  }

  spec {
    # Default backend for requests that match no rule.
    # Service names must be lowercase DNS labels, so "MyApp1" would be rejected by Kubernetes.
    backend {
      service_name = "myapp1"
      service_port = 8080
    }

    rule {
      http {
        path {
          backend {
            service_name = "myapp1"
            service_port = 8080
          }

          path = "/app1/*"
        }

        path {
          backend {
            service_name = "myapp2"
            service_port = 8080
          }

          path = "/app2/*"
        }
      }
    }

    # Certificate and key served by the load balancer
    tls {
      secret_name = "tls-secret"
    }
  }
}
```

Create the FrontendConfig with `kubectl apply -f frontend-config.yaml`, then apply the Terraform configuration with `terraform apply`. The FrontendConfig refers to the SSL policy by name, so the `google_compute_ssl_policy` must exist in the cluster's project before the Ingress controller can attach it to the load balancer.

Testing

You can use the following commands to check that the load balancer rejects connections below TLS 1.2 (replace `ip:port` with your Ingress address and port, typically 443):

```sh
# Connection using TLS 1.0: this should fail
openssl s_client -connect ip:port -tls1

# Connection using TLS 1.2: this should succeed
openssl s_client -connect ip:port -tls1_2
```

Note that recent OpenSSL builds may refuse to offer TLS 1.0 at all (the client prints `no protocols available`); in that case the first command fails for a reason unrelated to the server and says nothing about whether the policy is in effect.
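The two commands above are easy to misread, because `openssl s_client` can fail on the client side as well as on the server side. The script below is an added example, not part of the original post or of any GKE tooling: it probes each TLS version in turn and classifies the outcome from the `s_client` session summary, distinguishing a server rejection (what the policy should produce) from a local OpenSSL build that would not even offer the version. It assumes the `openssl` CLI is installed; the host and port are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): probe an HTTPS endpoint at each
# TLS version and report whether the server accepted, rejected, or could not be
# tested from this machine. Usage: sh tls-probe.sh <ingress-ip-or-host> <port>

# classify_handshake reads captured openssl s_client output and prints one of:
#   ACCEPTED     - a cipher was negotiated, so the server allowed this version
#   REJECTED     - the handshake ended with no cipher (server refused the version)
#   INCONCLUSIVE - the local OpenSSL refused to offer the version, or does not
#                  know the flag, so the result says nothing about the server
classify_handshake() {
  out="$1"
  if printf '%s' "$out" | grep -q 'no protocols available'; then
    echo INCONCLUSIVE
  elif printf '%s' "$out" | grep -qi 'unknown option'; then
    echo INCONCLUSIVE
  elif printf '%s' "$out" | grep -q 'Cipher is (NONE)'; then
    echo REJECTED
  elif printf '%s' "$out" | grep -q 'Cipher is '; then
    echo ACCEPTED
  else
    # No session summary at all (connection refused, timeout, alert before hello)
    echo REJECTED
  fi
}

# probe_version runs s_client once with a single version flag
# (-tls1, -tls1_1, -tls1_2 or -tls1_3) and classifies the result.
# SNI is not needed here: the SSL policy applies to the whole target proxy.
probe_version() {
  host="$1"; port="$2"; flag="$3"
  out="$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)"
  classify_handshake "$out"
}

# check_min_tls12 probes every version and returns 0 only when no legacy
# version was accepted and TLS 1.2 was not rejected. Prints one line per version.
check_min_tls12() {
  host="$1"; port="$2"; rc=0
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    result="$(probe_version "$host" "$port" "$flag")"
    echo "${flag#-} $result"
    case "$flag:$result" in
      -tls1:ACCEPTED|-tls1_1:ACCEPTED) rc=1 ;;  # legacy version still allowed: policy not effective
      -tls1_2:REJECTED) rc=1 ;;                 # modern clients would be locked out
    esac
  done
  return $rc
}

# Only probe when a host and port were given, so the functions can also be sourced.
if [ "$#" -eq 2 ]; then
  check_min_tls12 "$1" "$2"
fi
```

A run that prints `tls1 INCONCLUSIVE` means this machine cannot verify the legacy-version part of the policy; repeat it from a host whose OpenSSL still offers TLS 1.0, or use the online test mentioned below.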

Alternatively, you can use https://www.cdn77.com/tls-test to check which TLS versions are allowed and which are blocked.
