
Support annotations for AWS ELB Security Policies #43744

@ostankin

Description


What keywords did you search in Kubernetes issues before filing this one? (If you have found any duplicates, you should instead reply there.):

aws elb security policy


Is this a BUG REPORT or FEATURE REQUEST? (choose one): FEATURE REQUEST

Kubernetes version (use kubectl version):

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.4", GitCommit:"7243c69eb523aa4377bce883e7c0dd76b84709a1", GitTreeState:"clean", BuildDate:"2017-03-07T23:53:09Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.4+coreos.0", GitCommit:"97c11b097b1a2b194f1eddca8ce5468fcc83331c", GitTreeState:"clean", BuildDate:"2017-03-08T23:54:21Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: AWS
  • OS (e.g. from /etc/os-release):
$ cat /etc/os-release
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1298.5.0
VERSION_ID=1298.5.0
BUILD_ID=2017-02-28-0013
PRETTY_NAME="Container Linux by CoreOS 1298.5.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"
  • Kernel (e.g. uname -a):
$ uname -a
Linux ip-10-4-22-250.us-west-2.compute.internal 4.9.9-coreos-r1 #1 SMP Tue Feb 28 00:06:10 UTC 2017 x86_64 Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz GenuineIntel GNU/Linux
  • Install tools: AWS CloudFormation
  • Others:

What happened: Default AWS ELB Security policy at the moment is 2016-08. This policy is not PCI-DSS compliant, as it allows protocols TLS 1.0 and TLS 1.1. Therefore, all Elastic Load Balancers created by Kubernetes are not PCI-DSS compliant. AWS has a predefined policy for ELBs, TLS-1-2-2017-01, which does not allow TLS versions 1.0 and 1.1. However, there is no way to make this policy default.

What you expected to happen: I would like to be able to use annotations for specifying a given security policy, so that new ELBs created by LoadBalancer-type services would have the specified security policy. The annotation could be named service.beta.kubernetes.io/aws-load-balancer-security-policy.

How to reproduce it (as minimally and precisely as possible): Example of a service config with service.beta.kubernetes.io/aws-load-balancer-security-policy annotation:

apiVersion: v1
kind: Service
metadata:
  name: app
  annotations: {
    "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:us-east-1:XXXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX",
    "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http",
    "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "443",
    "service.beta.kubernetes.io/aws-load-balancer-security-policy": "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 3005
  - name: https
    port: 443
    protocol: TCP
    targetPort: 3005
  selector:
    app: app
  type: LoadBalancer

Anything else we need to know:
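The audit helper below is an added example and is not code from the issue author or from the Kubernetes AWS cloud provider. It shows how a cluster operator could check, offline, which TLS protocol versions the policy an ELB ends up with still enables, and which policy a Service manifest would get under the proposed annotation. The function names, the `DEFAULT_POLICY` constant (taken from the issue's statement that 2016-08 is the current default) and the sample data are assumptions; the sample policy descriptions are constructed to mirror the shape of the ELB DescribeLoadBalancerPolicies response (as returned by boto3's `describe_load_balancer_policies`), and the protocol attribute values are illustrative.

```python
"""Audit which TLS versions a classic ELB security policy enables (added example)."""

# Proposed annotation from the issue, and the default the issue reports today.
ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-security-policy"
DEFAULT_POLICY = "ELBSecurityPolicy-2016-08"  # assumption: per the issue text

# Protocol attributes a PCI-DSS-oriented policy must leave disabled.
DISALLOWED_PROTOCOL_ATTRIBUTES = ("Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1")


def _policy(name, enabled_protocols):
    """Build one constructed PolicyDescription entry in DescribeLoadBalancerPolicies shape."""
    protocols = ("Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1", "Protocol-TLSv1.2")
    attrs = [{"AttributeName": "Reference-Security-Policy", "AttributeValue": name}]
    attrs += [{"AttributeName": p, "AttributeValue": str(p in enabled_protocols).lower()}
              for p in protocols]
    return {"PolicyName": name, "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": attrs}


# Constructed sample data (illustrative, not a live API response).
SAMPLE_POLICY_DESCRIPTIONS = [
    _policy("ELBSecurityPolicy-2016-08",
            {"Protocol-TLSv1", "Protocol-TLSv1.1", "Protocol-TLSv1.2"}),
    _policy("ELBSecurityPolicy-TLS-1-2-2017-01", {"Protocol-TLSv1.2"}),
]

# Constructed Service manifests (as dicts, i.e. already parsed from YAML).
SERVICE_WITH_ANNOTATION = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "app", "annotations": {ANNOTATION: "ELBSecurityPolicy-TLS-1-2-2017-01"}},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "targetPort": 3005}]},
}
SERVICE_WITHOUT_ANNOTATION = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "app"},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "targetPort": 3005}]},
}


def enabled_protocols(policy):
    """Set of Protocol-* attributes the policy sets to 'true'."""
    return {a["AttributeName"] for a in policy.get("PolicyAttributeDescriptions", [])
            if a["AttributeName"].startswith("Protocol-")
            and a["AttributeValue"].lower() == "true"}


def legacy_protocols(policy):
    """Sorted list of disallowed protocols the policy still enables; empty means OK."""
    return sorted(enabled_protocols(policy) & set(DISALLOWED_PROTOCOL_ATTRIBUTES))


def audit_policies(policy_descriptions):
    """Map each SSL negotiation policy name to the legacy protocols it enables."""
    return {p["PolicyName"]: legacy_protocols(p) for p in policy_descriptions
            if p.get("PolicyTypeName") == "SSLNegotiationPolicyType"}


def effective_policy_name(service_manifest):
    """Policy a LoadBalancer Service would get: the annotation value, else the default.

    Returns None for Services that do not create an ELB.
    """
    if service_manifest.get("spec", {}).get("type") != "LoadBalancer":
        return None
    annotations = service_manifest.get("metadata", {}).get("annotations") or {}
    return annotations.get(ANNOTATION, DEFAULT_POLICY)


def audit_service(service_manifest, policy_descriptions):
    """Legacy protocols the Service's effective ELB policy enables (None if no ELB)."""
    name = effective_policy_name(service_manifest)
    if name is None:
        return None
    by_name = {p["PolicyName"]: p for p in policy_descriptions}
    if name not in by_name:
        raise KeyError(f"unknown ELB security policy {name!r}")
    return legacy_protocols(by_name[name])


if __name__ == "__main__":
    for name, legacy in audit_policies(SAMPLE_POLICY_DESCRIPTIONS).items():
        print(f"{name}: {'OK' if not legacy else 'enables ' + ', '.join(legacy)}")
    for label, svc in (("annotated", SERVICE_WITH_ANNOTATION),
                       ("unannotated", SERVICE_WITHOUT_ANNOTATION)):
        print(f"{label} service -> {effective_policy_name(svc)}: "
              f"{audit_service(svc, SAMPLE_POLICY_DESCRIPTIONS)}")
```

In a real audit the `SAMPLE_POLICY_DESCRIPTIONS` list would be replaced by the `PolicyDescriptions` returned for each load balancer, and a non-empty result from `audit_service` is the finding to raise; the unannotated manifest above is the case the issue describes, where the default 2016-08 policy keeps TLS 1.0 and 1.1 enabled.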

Metadata

Assignees: No one assigned
Labels: sig/network (Categorizes an issue or PR as relevant to SIG Network.)
Milestone: No milestone
Development: No branches or pull requests