Documented service annotation for AWS ELB SSL policy

kubernetes · Nov 17, 2017 · c59e38a · c59e38a
1 parent 3b85f60
commit c59e38a
Showing 1 changed file with 21 additions and 2 deletions.
diff --git a/docs/concepts/services-networking/service.md b/docs/concepts/services-networking/service.md
@@ -481,7 +481,7 @@ metadata:
         cloud.google.com/load-balancer-type: "Internal"
 [...]
 ```
-Use `cloud.google.com/load-balancer-type: "internal"` for masters with version 1.7.0 to 1.7.3.  
+Use `cloud.google.com/load-balancer-type: "internal"` for masters with version 1.7.0 to 1.7.3.
 For more information, see the [docs](https://cloud.google.com/kubernetes-engine/docs/internal-load-balancing).
 {% endcapture %}
 
@@ -515,7 +515,7 @@ metadata:
 For partial SSL support on clusters running on AWS, starting with 1.3 three
 annotations can be added to a `LoadBalancer` service:
 
-```
+```yaml
 metadata:
   name: my-service
   annotations:
@@ -560,6 +560,25 @@ In the above example, if the service contained three ports, `80`, `443`, and
 `8443`, then `443` and `8443` would use the SSL certificate, but `80` would just
 be proxied HTTP.
 
+Beginning in 1.9, services can use [predefined AWS SSL policies](http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html)
+for any HTTPS or SSL listeners. To see which policies are available for use, run
+the awscli command:
+
+```bash
+aws elb describe-load-balancer-policies --query 'PolicyDescriptions[].PolicyName'
+```
+
+Any one of those policies can then be specified using the
+"`service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy`"
+annotation, for example:
+
+```yaml
+    metadata:
+      name: my-service
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
+```
+
 #### PROXY protocol support on AWS
 
 To enable [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)