Securing Kubernetes Service with TLS

Following @vonc comments from bellow, I think I have a solution:

  • Purchase a public valid domain for this service (e.g.
  • Use CoreDNS to add override rule so all requests to will go to something-namesapce.svc.cluster.local, as the service is not exposed externally (this can be done also with normal A record for my use case).
  • Use Nginx or something else to handle TLS with the certificate for

This sounds pretty complicated but might work. What do you think?

I just found that Kubernetes API can be used to generate a certificate that will be trusted by all the pods running on the cluster. This option might be simpler than the alternatives. You can find the documentation here, including full flow of generating a certificate and using it.