How to set AWS ELB TLS Security Policy from K8s Ingress?

Kiran Indukuri
Apr 29, 2021

If you are creating an AWS ELB from a Kubernetes Ingress, you might be using an Ingress YAML like the following.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-policy: 'ELBSecurityPolicy-TLS-1-2-Ext-2018-06'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-1:*********
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/healthcheck-path: /index.htm
    alb.ingress.kubernetes.io/target-type: ip

If you don't specify alb.ingress.kubernetes.io/ssl-policy, the ALB defaults to ELBSecurityPolicy-2016-08. ELBSecurityPolicy-2016-08 still supports TLS 1.0 and 1.1, which are out-of-date protocols that leave the load balancer open to known vulnerabilities.

It is recommended that you use an ELB security policy such as ELBSecurityPolicy-TLS-1-2-Ext-2018-06, which supports TLS 1.2, by setting the annotation alb.ingress.kubernetes.io/ssl-policy: 'ELBSecurityPolicy-TLS-1-2-Ext-2018-06', as shown in the snippet above.
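Because the weak default is silent, it is worth auditing every Ingress in a cluster for a missing or unapproved ssl-policy annotation. The script below is an added example (not from the original post): it walks the JSON that `kubectl get ingress -A -o json` returns and reports ALB ingresses that fall back to ELBSecurityPolicy-2016-08 or name a policy outside an approved set. The approved set and the sample cluster output are assumptions constructed for the example.

```python
import json

SSL_POLICY = "alb.ingress.kubernetes.io/ssl-policy"
LISTEN_PORTS = "alb.ingress.kubernetes.io/listen-ports"
INGRESS_CLASS = "kubernetes.io/ingress.class"
# Policy used when the annotation is absent (per the post); allows TLS 1.0/1.1.
DEFAULT_POLICY = "ELBSecurityPolicy-2016-08"
# Accepted policies: the post's recommendation only; extend as approved (assumption).
APPROVED_POLICIES = {"ELBSecurityPolicy-TLS-1-2-Ext-2018-06"}

def audit_ingress(item):
    """Return a finding for one Ingress object, or None if it passes."""
    meta = item.get("metadata", {})
    ann = meta.get("annotations") or {}
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    if ann.get(INGRESS_CLASS) != "alb":
        return None  # not provisioned by the AWS load balancer controller
    # listen-ports is a JSON list of {"PROTOCOL": port}. When it is set and has
    # no HTTPS entry the ALB serves plain HTTP and ssl-policy never applies.
    if LISTEN_PORTS in ann:
        ports = json.loads(ann[LISTEN_PORTS])
        if not any("HTTPS" in p for p in ports):
            return f"{name}: no HTTPS listener, ALB serves plain HTTP only"
    policy = ann.get(SSL_POLICY)
    if policy is None:
        return f"{name}: ssl-policy missing, ALB defaults to {DEFAULT_POLICY}"
    if policy not in APPROVED_POLICIES:
        return f"{name}: ssl-policy {policy} is not an approved policy"
    return None

def audit(kubectl_json):
    """Audit every item of a `kubectl get ingress -A -o json` document."""
    items = json.loads(kubectl_json).get("items", [])
    return [f for f in map(audit_ingress, items) if f]

# Constructed sample in the shape kubectl emits (not real cluster output).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "good", "namespace": "web", "annotations": {
        INGRESS_CLASS: "alb", LISTEN_PORTS: '[{"HTTPS":443}]',
        SSL_POLICY: "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"}}},
    {"metadata": {"name": "no-policy", "namespace": "web", "annotations": {
        INGRESS_CLASS: "alb", LISTEN_PORTS: '[{"HTTPS":443}]'}}},
    {"metadata": {"name": "legacy", "namespace": "api", "annotations": {
        INGRESS_CLASS: "alb", LISTEN_PORTS: '[{"HTTP":80},{"HTTPS":443}]',
        SSL_POLICY: "ELBSecurityPolicy-2016-08"}}},
    {"metadata": {"name": "nginx", "annotations": {INGRESS_CLASS: "nginx"}}},
]})

print(*audit(SAMPLE), sep="\n")
```

Against a live cluster, feed it `kubectl get ingress -A -o json` on stdin instead of SAMPLE; the same check can be wired into CI against rendered manifests before they are applied.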

Kiran Indukuri is a Principal Software Engineer at Privacy Dynamics Inc. He has about 20 years experience in Software Development. He lives in Austin, Texas.