cancel
Showing results for 
Search instead for 
Did you mean: 

Can I ssl passthrough with LTM connecting to kubernetes?

yk1
Nimbostratus
Nimbostratus

Hi, I'm working on applying LTM to kubernetes cluster, and I have a question.

I want to setup f5 BIG-IP controller with cluster mode, but if I do so, because of lack of virtual server's type configuration, virtual server will be standard type. I know L4 virtual server can passthrough, and I used to do. But now, on the standard virtual server, I have never been able to passthrough ssl. Are there any way to passthrough ssl with kubernetes cluster? Or can I manage virtual server type?

6 REPLIES 6

Passthrough SSL on a standard virtual server simply means not applying any server or client SSL profile. It simply works.

Thank you for your early reply, Kevin. 

I tried it but my server wouldn't reply to client hello... I use tcpdump in the pod, and the request seems not to reach to the pod. The server send ACK to client hello, but doesn't send server hello. When I send request by curl to service's IP(in one of my cluster node), in other words when the request doesn't through BIG-IP, I can get index page(it worked)...

Even its been a while since this post, I was facing a similar issue and I would like to add to Kevin's reply the following link [1] which states:

Important: HTTP profiles are incompatible with encrypted pass-through traffic, such as SSL and require a Client SSL profile to decrypt the traffic for L7 HTTP inspection. If the virtual server processing the encrypted traffic is configured with an HTTP profile and no Client SSL profile, the connection fails

In my case I was trying to setup a K8S cluster with Kubespray using an external load balancer. Initially I did what Kevin suggested as I read that before and I was sure that was the way, however, I was getting an issue initializing the first master. Checking the virtual servr I found that a HTTP profile was set (it was set by terraform) so I just set it to none and boom, kubespray finished with no issues.

I hope it helps someone because I struggled a lot with this simple thing.

 

 

[1]: https://support.f5.com/csp/article/K40243113#:~:text=Important%3A%20HTTP%20profiles,the%20connection...

 

Stanislas_Piro2
Cumulonimbus
Cumulonimbus

If the server does not support ssl (no answer to client hello), why do you want to enable ssl passthrough?

Our server should support ssl (curl in Kubernetes cluster with service IP and 443 https port return correct response). Only when attempting to through BIG-IP, server would not answer to client hello.

yk1
Nimbostratus
Nimbostratus

Capturing by Wireshark, I found that server sent Reset flag. Why the server force to disconnect? I have no idea...