L13. Ingress Security: TLS Termination, WAF and Rate Limiting
The ingress controller is the front door to your cluster. Learn how to configure TLS termination, integrate a Web Application Firewall, and add rate limiting to protect against abuse.
Ingress Controllers
An Ingress controller exposes HTTP/HTTPS routes from outside the cluster to services inside the cluster. Popular options include NGINX Ingress Controller, Traefik, HAProxy, and cloud-native load balancers (AWS ALB, Azure Application Gateway, GCP Cloud Load Balancer).
The Ingress controller is the most exposed component in your cluster because it directly handles external traffic.
TLS Termination
Always terminate TLS at the ingress. Store TLS certificates as Kubernetes Secrets:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - app.example.com
      secretName: app-tls-cert
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 8080
Best practice: Use cert-manager to automate certificate provisioning and renewal with Let's Encrypt or your internal CA.
Security Headers
Add security headers at the ingress level to protect against common web attacks:
annotations:
  nginx.ingress.kubernetes.io/configuration-snippet: |
    more_set_headers "X-Frame-Options: DENY";
    more_set_headers "X-Content-Type-Options: nosniff";
    more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
    more_set_headers "Content-Security-Policy: default-src 'self'";
    more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";
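Setting the headers is only half the job; the response the ingress actually returns should be checked, because a configuration-snippet annotation is silently ignored when the controller runs with snippets disabled (on ingress-nginx 1.9 and later the ConfigMap key allow-snippet-annotations defaults to false). The script below is an added example, not part of this lesson: it evaluates a captured header set against the policy above (HSTS of at least one year with includeSubDomains, X-Frame-Options DENY or SAMEORIGIN, nosniff, a non-leaking Referrer-Policy, and a CSP with a default-src fallback that avoids unsafe-inline/unsafe-eval). The two response header sets are constructed samples.

```python
# Added example (not from the lesson): audit the response headers an ingress
# returns against the security-header policy set via configuration-snippet.
# The header values below are constructed sample responses, not real captures.
from typing import Dict, List

# Minimum HSTS lifetime the lesson uses: one year in seconds.
HSTS_MIN_MAX_AGE = 31536000
ALLOWED_REFERRER_POLICIES = {
    "no-referrer", "strict-origin", "strict-origin-when-cross-origin", "same-origin",
}


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; compare them in lower case."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into a directive map."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return directives


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the policy is met."""
    h = _normalize(headers)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", "-1"))
        except ValueError:
            max_age = -1
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")

    if h.get("referrer-policy", "").lower() not in ALLOWED_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or too permissive")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback")
        if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
            findings.append("CSP permits unsafe-inline/unsafe-eval")

    return findings


# Constructed sample: what the ingress should return once the snippet is active.
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Constructed sample: a backend that sets nothing, as seen before the snippet.
BARE_RESPONSE = {"Content-Type": "text/html", "Server": "app/1.0"}

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED_RESPONSE), ("bare", BARE_RESPONSE)):
        print(label, check_security_headers(resp) or "OK")
```

In practice the header dict comes from an HTTPS request made through the ingress (for example the headers of a `requests` or `curl -sI` response); feeding that into check_security_headers confirms the snippet is being applied rather than assuming it from the manifest.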
Rate Limiting
Protect against brute force, credential stuffing, and DoS with rate limiting:
annotations:
  nginx.ingress.kubernetes.io/limit-rps: "10"
  nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"
  nginx.ingress.kubernetes.io/limit-connections: "5"
This limits each client IP to 10 requests per second with a burst allowance of 50 and a maximum of 5 concurrent connections.
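The two annotations above translate into a per-client leaky bucket (ingress-nginx renders them as an NGINX limit_req zone with burst = limit-rps × limit-burst-multiplier and nodelay), and the numbers are easier to reason about when the bucket is simulated. The model below is an added example, not from the lesson or the ingress-nginx project: a new client's first request carries no excess, each further request adds one unit, excess drains at the configured rate, and a request is rejected (NGINX answers 503) once its excess would exceed the burst. It mirrors the shape of NGINX's algorithm but not its exact millisecond accounting, so treat the counts as illustrative. The request timestamps and client addresses are constructed. One caveat the simulation makes obvious: the bucket is keyed by client IP, so behind a cloud load balancer the controller must see the real client address (PROXY protocol or a trusted X-Forwarded-For), otherwise every user shares one bucket.

```python
# Added example (not from the lesson): a leaky-bucket model of the per-client
# rate limit that the limit-rps / limit-burst-multiplier annotations configure.
# Shaped like nginx limit_req with "burst" and "nodelay"; exact nginx timing is
# not reproduced, so the numbers are illustrative.
from typing import Dict, List, Tuple


class ClientRateLimiter:
    def __init__(self, rps: float, burst_multiplier: int) -> None:
        self.rate = float(rps)
        # ingress-nginx derives burst = limit-rps * limit-burst-multiplier.
        self.burst = rps * burst_multiplier
        # client key (IP) -> [excess requests, timestamp of last accepted request]
        self._state: Dict[str, List[float]] = {}

    def allow(self, client: str, now: float) -> bool:
        """True if the request is served, False if it would be rejected (503)."""
        state = self._state.get(client)
        if state is None:
            self._state[client] = [0.0, now]  # first request: no excess yet
            return True
        excess, last = state
        # drain what leaked out since the last accepted request, then add this one
        excess = max(0.0, excess - self.rate * (now - last)) + 1.0
        if excess > self.burst:
            return False  # rejected; state is not advanced, as in nginx
        state[0], state[1] = excess, now
        return True


def simulate(limiter: ClientRateLimiter, client: str, times: List[float]) -> Tuple[int, int]:
    """Feed request timestamps (seconds) for one client; return (allowed, rejected)."""
    allowed = sum(1 for t in times if limiter.allow(client, t))
    return allowed, len(times) - allowed


if __name__ == "__main__":
    limiter = ClientRateLimiter(rps=10, burst_multiplier=5)  # the lesson's annotations
    # constructed traffic: 60 requests from one IP in the same instant, 15 more a second later
    print(simulate(limiter, "203.0.113.7", [0.0] * 60))   # (51, 9)
    print(simulate(limiter, "203.0.113.7", [1.0] * 15))   # (10, 5)
    print(simulate(limiter, "198.51.100.9", [1.0] * 20))  # (20, 0): separate bucket
```

The first line shows what "burst allowance of 50" means: a client can dump the first request plus 50 excess requests instantly, and only then are requests refused; one second later 10 units have drained, so exactly 10 more are accepted, which is the sustained 10 rps the annotation promises. A credential-stuffing tool therefore gets at most one burst before it is throttled to the steady rate, while a second client is unaffected.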
Web Application Firewall (WAF)
Integrate a WAF at the ingress layer to detect and block OWASP Top 10 attacks.
ModSecurity with NGINX Ingress:
annotations:
  nginx.ingress.kubernetes.io/enable-modsecurity: "true"
  nginx.ingress.kubernetes.io/enable-owasp-modsecurity-crs: "true"
  nginx.ingress.kubernetes.io/modsecurity-snippet: |
    SecRuleEngine On
    SecAuditLog /dev/stdout
Cloud WAF integration: On managed clusters, use the cloud provider's WAF (AWS WAF, Azure WAF, GCP Cloud Armor) in front of the ingress controller for managed rule sets and DDoS protection.
mTLS from Ingress to Backend
For defense in depth, enable mTLS between the ingress controller and backend pods. On NGINX Ingress:
annotations:
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
  # Secret (namespace/name) holding tls.crt and tls.key, the client certificate the
  # ingress presents to the backend, plus ca.crt, the CA used to verify the backend.
  # proxy-ssl-verify has no effect without it; the name below is a placeholder.
  nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/backend-mtls"
This ensures traffic is encrypted both from the client to the ingress and from the ingress to the backend service.
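The controls from the TLS Termination, Rate Limiting, WAF and mTLS sections are all expressed as annotations on the same Ingress object, which makes them easy to audit before a manifest is applied (in CI, or as the logic behind an admission policy). The script below is an added example, not part of this lesson or of ingress-nginx: it takes an Ingress already parsed into Python dicts (in practice from yaml.safe_load of the manifest; the two manifests here are written as dict literals so it runs without PyYAML) and reports which of the lesson's controls are missing. The annotation names are the ones this lesson uses; the Secret names and the weak manifest are constructed samples.

```python
# Added example (not from the lesson): policy check over an Ingress manifest
# parsed into dicts, covering TLS termination with redirect, rate limiting,
# ModSecurity with the OWASP CRS, and verified HTTPS/mTLS to the backend.
# Annotation names follow the lesson; Secret names are constructed samples.
from typing import Any, Dict, List

PREFIX = "nginx.ingress.kubernetes.io/"


def audit_ingress(manifest: Dict[str, Any]) -> List[str]:
    """Return findings for one Ingress; an empty list means all checks passed."""
    findings: List[str] = []
    meta = manifest.get("metadata", {})
    ann = meta.get("annotations") or {}
    spec = manifest.get("spec", {})
    name = meta.get("name", "<unnamed>")

    def flag(key: str, expected: str) -> bool:
        return str(ann.get(PREFIX + key, "")).lower() == expected

    # 1. TLS termination: every routed host must be covered by a tls entry,
    #    and plaintext requests must be redirected.
    tls_hosts = {h for entry in spec.get("tls", []) for h in entry.get("hosts", [])}
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and host not in tls_hosts:
            findings.append(f"{name}: host {host} is served without TLS")
    if not flag("ssl-redirect", "true") and not flag("force-ssl-redirect", "true"):
        findings.append(f"{name}: plaintext HTTP is not redirected to HTTPS")

    # 2. Rate limiting: at least one limit annotation.
    if PREFIX + "limit-rps" not in ann and PREFIX + "limit-connections" not in ann:
        findings.append(f"{name}: no rate limit annotations")

    # 3. WAF: ModSecurity engine plus the OWASP Core Rule Set.
    if not (flag("enable-modsecurity", "true") and flag("enable-owasp-modsecurity-crs", "true")):
        findings.append(f"{name}: ModSecurity with OWASP CRS is not enabled")

    # 4. Ingress-to-backend TLS: HTTPS backend, certificate verified, secret present.
    if not flag("backend-protocol", "https"):
        findings.append(f"{name}: backend traffic is plaintext")
    else:
        if not flag("proxy-ssl-verify", "on"):
            findings.append(f"{name}: backend certificate is not verified")
        if PREFIX + "proxy-ssl-secret" not in ann:
            findings.append(f"{name}: proxy-ssl-secret (client cert + CA) is missing")
    return findings


# Constructed sample: the lesson's Ingress with all of its annotations combined.
HARDENED = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "app-ingress",
        "annotations": {
            PREFIX + "ssl-redirect": "true",
            PREFIX + "force-ssl-redirect": "true",
            PREFIX + "limit-rps": "10",
            PREFIX + "limit-burst-multiplier": "5",
            PREFIX + "limit-connections": "5",
            PREFIX + "enable-modsecurity": "true",
            PREFIX + "enable-owasp-modsecurity-crs": "true",
            PREFIX + "backend-protocol": "HTTPS",
            PREFIX + "proxy-ssl-verify": "on",
            PREFIX + "proxy-ssl-secret": "default/backend-mtls",  # constructed name
        },
    },
    "spec": {
        "tls": [{"hosts": ["app.example.com"], "secretName": "app-tls-cert"}],
        "rules": [{"host": "app.example.com", "http": {"paths": [
            {"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": "app-service", "port": {"number": 8080}}}}]}}],
    },
}

# Constructed sample: the same route with no annotations and no tls block.
WEAK = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "weak-ingress"},
    "spec": {"rules": [{"host": "app.example.com", "http": {"paths": []}}]},
}

if __name__ == "__main__":
    for m in (HARDENED, WEAK):
        print(m["metadata"]["name"], audit_ingress(m) or "OK")
```

The check deliberately treats proxy-ssl-verify without proxy-ssl-secret as a finding: the verify switch only has something to verify against when the Secret supplying the CA (and the ingress's own client certificate for mTLS) is referenced.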
- ✓ The ingress controller is the most exposed cluster component: it directly handles all external traffic
- ✓ Always terminate TLS at the ingress and use cert-manager for automated certificate provisioning and renewal
- ✓ Add security headers (HSTS, X-Frame-Options, CSP, X-Content-Type-Options) at the ingress level
- ✓ Rate limiting at the ingress protects against brute force, credential stuffing, and DoS attacks
- ✓ Enable mTLS between the ingress controller and backend pods for defense in depth
1. Why should TLS be terminated at the ingress controller?
2. Which tool automates TLS certificate provisioning and renewal in Kubernetes?
3. What NGINX Ingress annotation enables ModSecurity with OWASP CRS rules?