Merge pull request #25574 from Clarifai/elb

Automatic merge from submit-queue Update AWS under the hood doc with ELB SSL annotations Document #23495. No e2e tests or release notes needed (the other PR is already in the release docs).
kubernetes · May 20, 2016 · 9625926 · 9625926
2 parents f935507 + 54c55fd
commit 9625926
Showing 1 changed file with 29 additions and 1 deletion.
diff --git a/docs/design/aws_under_the_hood.md b/docs/design/aws_under_the_hood.md
@@ -139,7 +139,8 @@ pods.
 
 ELB has some restrictions:
 * ELB requires that all nodes listen on a single port,
-* ELB acts as a forwarding proxy (i.e. the source IP is not preserved).
+* ELB acts as a forwarding proxy (i.e. the source IP is not preserved, but see below
+on ELB annotations for pods speaking HTTP).
 
 To work with these restrictions, in Kubernetes, [LoadBalancer
 services](../user-guide/services.md#type-loadbalancer) are exposed as
@@ -162,6 +163,32 @@ services or for LoadBalancer. To consume a NodePort service externally, you
 will likely have to open the port in the node security group
 (`kubernetes-minion-<clusterid>`).
 
+For SSL support, starting with 1.3 two annotations can be added to a service:
+
+```
+service.beta.kubernetes.io/aws-load-balancer-ssl-cert=arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
+```
+
+The first specifies which certificate to use. It can be either a
+certificate from a third party issuer that was uploaded to IAM or one created
+within AWS Certificate Manager.
+
+```
+service.beta.kubernetes.io/aws-load-balancer-backend-protocol=(https|http|ssl|tcp)
+```
+
+The second annotation specificies which protocol a pod speaks. For HTTPS and
+SSL, the ELB will expect the pod to authenticate itself over the encrypted
+connection.
+
+HTTP and HTTPS will select layer 7 proxying: the ELB will terminate
+the connection with the user, parse headers and inject the `X-Forwarded-For`
+header with the user's IP address (pods will only see the IP address of the
+ELB at the other end of its connection) when forwarding requests.
+
+TCP and SSL will select layer 4 proxying: the ELB will forward traffic without
+modifying the headers.
+
 ### Identity and Access Management (IAM)
 
 kube-proxy sets up two IAM roles, one for the master called
@@ -308,6 +335,7 @@ Salt and Kubernetes from the S3 bucket, and then triggering Salt to actually
 install Kubernetes.
 
 
+
 <!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
 [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/aws_under_the_hood.md?pixel)]()
 <!-- END MUNGE: GENERATED_ANALYTICS -->