Securing GKE with Managed SSL

Using Google Managed SSL Certificates with a GKE Cluster


Tool Requirements

Infrastructure Requirements

Previous Article

Deploy Application with SSL Support

Deploy the Deployment Controller

kubectl create --filename gce_ssl_deploy.yaml

Deploy the ManagedCertificate CRD

MY_DNS_NAME=<put_your_domain_here> # hello.test.acme.com
sed -i "s/\$MY_DNS_NAME/$MY_DNS_NAME/" gce_ssl_managed_cert.yaml
kubectl create --filename gce_ssl_managed_cert.yaml

Deploy the Service

kubectl create --filename gce_ssl_service.yaml

Deploy the Ingress Resource

MY_DNS_NAME=<put_your_domain_here> # hello.test.acme.com
sed -i "s/\$MY_DNS_NAME/$MY_DNS_NAME/" gce_ssl_ingress.yaml
kubectl create --filename gce_ssl_ingress.yaml
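
The substitution steps above paste an operator-supplied value into sed and then into manifests. This added example (not the article's files or code) validates the name first and renders a constructed template. The template contents and the names hello-managed-cert, hello-ingress and hello-svc are assumptions; acme-address-name is the reserved address name used later on this page.

```shell
# Added example; the template below is constructed, not the article's gce_ssl_*.yaml.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below

# Allow only a-z, 0-9, '.' and '-' in well-formed labels, so the value cannot
# carry sed metacharacters ('/', '&', '\'), newlines or YAML syntax.
valid_dns_name() {
  [ "${#1}" -le 253 ] || return 1
  case "$1" in
    ''|*[!a-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
  esac
  case "$1" in *.*) return 0 ;; *) return 1 ;; esac   # need at least two labels
}

# Constructed template: ManagedCertificate plus the Ingress annotation attaching it.
manifest_template() {
  cat <<'EOF'
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: hello-managed-cert          # hypothetical name
spec:
  domains:
    - $MY_DNS_NAME
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-ingress               # hypothetical name
  annotations:
    networking.gke.io/managed-certificates: hello-managed-cert
    kubernetes.io/ingress.global-static-ip-name: acme-address-name
spec:
  rules:
    - host: $MY_DNS_NAME
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: hello-svc     # hypothetical Service
                port:
                  number: 80
EOF
}

# Render to stdout; refuse any name that fails validation.
render_manifest() {
  valid_dns_name "$1" || { echo "invalid DNS name: $1" >&2; return 1; }
  manifest_template | sed "s/\$MY_DNS_NAME/$1/g"
}
```

The rendered output can be reviewed and then piped to `kubectl apply --filename -`.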

Verify Certificate is Available

Check with kubectl

kubectl describe \

Check with gcloud

# SAN cert can have multiple domains, so newline as separator
# Format string with multi-line domain column
gcloud compute ssl-certificates list \
--filter "hello." \
--format "$FORMAT"

Test the Web Application


cat hello_*.yaml | kubectl delete --filename -

Notes on Google Managed SSL Certificates

Managed SAN Certificate Behavior

Reserved External IP Address

ADDRESS_NAME=acme-address-name
# create address
gcloud compute addresses create $ADDRESS_NAME --global
# retrieve the IP address
gcloud compute addresses describe $ADDRESS_NAME --global | \
awk '/^address:/{print $2}'


Blog Source Code

Google Documentation

