I am curious what firewall configurations one would recommend for internet-facing network traffic in a Kubernetes cluster?

I am using EKS but would love to hear any and all options and suggestions, regardless of whether they are only available from another cloud vendor's managed solution.

My first instinct was to use the new AWS Load Balancer Controller, which can create an ALB + WAF setup. This guide seems like exactly what I was thinking of: https://aws.amazon.com/premiumsupport/knowledge-center/eks-alb-ingress-aws-waf/.

However, I learned that the only certs the ALB works with are from ACM. So I looked into setting up my hands-free DNS + cert management (external-dns + cert-manager) with an ACM cert-manager Issuer. But it seems like that's not possible?!
https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/1143
https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/1084

Cert-manager only supports an add-on for AWS' Private Cert Manager, not for public certs.

Given I do not want to manually deal with certs or have to create them outside of my ingress defs, the ALB approach seems effectively like a dead-end at the moment.

Thanks for your input. Hopefully this tale & post helps someone else as well.

Edit: Not really looking for a CNI setup, as I am really looking for a "firewall service" I can use at the edge of the cluster. However, I would be interested in hearing about how you used a CNI to suit this need, if possible?
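For reference, this is what the ALB + WAF wiring the question describes looks like as an Ingress manifest for the AWS Load Balancer Controller (an added example, not from the original post or the linked AWS guide). It shows where the constraint bites: the certificate is referenced by its ACM ARN in an annotation, so a cert-manager-issued certificate stored in a Kubernetes Secret has no place to plug in. The ARNs, hostname, namespace and backend service name are placeholders, and an IngressClass named `alb` is assumed to exist.

```yaml
# Added example: internet-facing ALB with an ACM certificate and a WAFv2 web ACL
# attached, managed by the AWS Load Balancer Controller (v2). All ARNs, the
# hostname and the service name are placeholders, not values from the post.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-edge
  namespace: web
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    # Terminate TLS at the edge; plain HTTP is redirected to 443.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    # The ALB only serves certificates that live in ACM, referenced by ARN.
    # A cert-manager / Let's Encrypt certificate in a Secret cannot be used here.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-CERT-ID
    # Attach a regional WAFv2 web ACL (same region as the ALB) so requests are
    # inspected before they ever reach a pod.
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:us-east-1:123456789012:regional/webacl/web-edge-acl/PLACEHOLDER-ACL-ID
    # external-dns can still manage the DNS record pointing at the ALB.
    external-dns.alpha.kubernetes.io/hostname: app.example.com
spec:
  ingressClassName: alb
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```

After the controller has reconciled the Ingress, `aws wafv2 get-web-acl-for-resource --resource-arn <alb-arn>` confirms the ACL is actually attached, which is worth checking since a typo in the ACL ARN leaves the ALB reachable without any inspection.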
I've seen people use Wallarm (https://www.wallarm.com/). They have a controller based on nginx-ingress-controller that you can deploy into your k8s cluster. I'm building a platform on top of k8s and the clusters we provision use the same setup (cert-manager + ALB + nginx-ingress). Worth a try!