All Products
Search

This Product

    Container Service for Kubernetes:NGINX Ingress controller security encryption

    Document Center

    Container Service for Kubernetes:NGINX Ingress controller security encryption

    Last Updated:Mar 26, 2026

    Nginx Ingress Controller security encryption applies to business scenarios with high security requirements for data transmission. This topic describes how to configure and verify Nginx Ingress Controller security settings.

    Prerequisites

    Before you begin, ensure that you have:

    Security encryption configuration

    Configure Transport Layer Security (TLS) protocol versions and cipher suites using the ssl-protocols and ssl-ciphers fields in the nginx-configuration ConfigMap under the kube-system namespace.

    Field Description Default value
    ssl-protocols The TLS protocol versions accepted by the ingress. Only TLS 1.2 and TLS 1.3 are enabled by default. For more information, see ssl-protocols. TLSv1.2 TLSv1.3
    ssl-ciphers The cipher suites accepted by the ingress, specified in OpenSSL format. The order determines algorithm priority — the default list prioritizes algorithms that support perfect forward secrecy (PFS). For more information, see ssl-ciphers. ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    Cipher suite order matters because it determines which algorithms are selected first. The default list prioritizes PFS-capable cipher suites. Unless you have specific security requirements, keep the default configuration.

    After applying the configuration, verify it using testssl.sh or SSL Labs.

    Update the ConfigMap

    Console

    1. Log on to the Container Service Management Console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of your cluster. In the left navigation pane, choose Configurations > ConfigMaps.

    3. On the ConfigMap page, select kube-system from the Namespace drop-down list. Enter nginx-configuration in the Name search box and click the search icon. Find nginx-configuration and click Edit in the Actions column.

    4. On the Edit page, click +Add. Fill in the Name and Value of the configuration item, then click OK.

    kubectl

    Run the following command to open the ConfigMap in your editor:

    kubectl edit cm -n kube-system nginx-configuration

    Add or update the ssl-protocols and ssl-ciphers fields:

    apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: kube-system
data:
  ssl-protocols: "TLSv1.2 TLSv1.3"  # Only TLS 1.2 and TLS 1.3 are allowed.
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"  # Default cipher suite list.

    Verify TLS version and cipher suite security

    Use either of the following methods to confirm that the configuration is active and secure.

    • Method 1: Download testssl.sh and run:

      ./testssl.sh <site-domain-name>

      When the tool detects weak cipher suites or deprecated TLS protocol versions, it highlights them in red. The expected output for a correctly configured ingress is similar to:

       Testing protocols via sockets except NPN+ALPN
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 h2, http/1.1 (offered)
 Testing cipher categories
 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     not offered
 Obsolete CBC ciphers (AES, ARIA etc.)         not offered
 Strong encryption (AEAD ciphers)              offered (OK)
 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
 PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305
                              TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448
 Finite field group:          ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192
 Testing server preferences
 Has server cipher order?     yes (OK) -- TLS 1.3 and below
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher order
    TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
...

    • Method 2: Enter your site domain name into the SSL Labs SSL Server Test online tool.

    View configured cipher suites

    To see the cipher suites currently active in the Nginx configuration, run:

    kubectl -n kube-system exec deploy/nginx-ingress-controller -- nginx -T | grep ssl_ciphers

    Expected output:

    Defaulted container "nginx-ingress-controller" out of: nginx-ingress-controller, init-sysctl (init)
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
nginx: configuration file /etc/nginx/nginx.conf test is successful

    FAQ

    Does Nginx Ingress Controller support Chinese cryptographic algorithms?

    No. ACK Nginx Ingress Controller is based on the Kubernetes community ingress-nginx project and does not currently support Chinese cryptographic algorithms.

    What cipher suites does Nginx Ingress support?

    Nginx uses OpenSSL for encryption and decryption. To see which cipher suites are available in your controller, exec into the Nginx Ingress Controller pod:

    kubectl exec -it -n kube-system <nginx-ingress-pod-name> bash

    Inside the container, run nginx -V to check the Nginx and OpenSSL versions:

    nginx-ingress-controller-5c455d7d9f-nr7dd:/etc/nginx$ nginx -V

    Expected output:

    nginx version: nginx/1.21.6
built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r10)
built with OpenSSL 3.1.3 19 Sep 2023 (running with OpenSSL 3.1.5 30 Jan 2024)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --conf-path=/etc/nginx/nginx.conf --modules-path=/etc/nginx/modules --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-http_secure_link_module --with-http_gunzip_module --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-g -O3 -flto -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wno-deprecated-declarations -fno-strict-aliasing -D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -DTCP_FASTOPEN=23 -fPIC -I/root/.hunter/_Base/d45d77d/aab92d8/3b7ee27/Install/include -Wno-cast-function-type -m64 -mtune=generic' --with-ld-opt='-flto -fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L/root/.hunter/_Base/d45d77d/aab92d8/3b7ee27/Install/lib' --user=www-data --group=www-data --add-module=/tmp/build/ngx_devel_kit-0.3.2 --add-module=/tmp/build/set-misc-nginx-module-0.33 --add-module=/tmp/build/headers-more-nginx-module-0.34 --add-module=/tmp/build/ngx_http_substitutions_filter_module-b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0 --add-module=/tmp/build/lua-nginx-module-0.10.25 --add-module=/tmp/build/stream-lua-nginx-module-0.0.13 --add-module=/tmp/build/lua-upstream-nginx-module-8aa93ead98ba2060d4efd594ae33a35d153589bf --add-dynamic-module=/tmp/build/nginx-http-auth-digest-1.0.0 --add-dynamic-module=/tmp/build/nginx-opentracing-0.19.0/opentracing --add-dynamic-module=/tmp/build/ModSecurity-nginx-1.0.3 --add-dynamic-module=/tmp/build/ngx_http_geoip2_module-a26c6beed77e81553686852dceb6c7fdacc5970d --add-dynamic-module=/tmp/build/ngx_brotli

    Run openssl ciphers to list all cipher suites supported by the OpenSSL build:

    nginx-ingress-controller-5c455d7d9f-nr7dd:/etc/nginx$ openssl ciphers

    Expected output:

    TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA

    Run openssl ciphers -tls1_2 -v to list cipher suites that support TLS 1.2:

    nginx-ingress-controller-5c455d7d9f-nr7dd:/etc/nginx$ openssl ciphers -tls1_2 -v

    Expected output:

    TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256)            Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH     Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
...

    How do I get the OpenSSL name for an IANA/RFC cipher suite name?

    Cipher suites follow two naming conventions: OpenSSL names are concise (for example, AES128-SHA), while IANA/RFC names are more descriptive (for example, TLS_RSA_WITH_AES_128_CBC_SHA).

    To convert an IANA name to its OpenSSL equivalent, use either method:

    • Look up the mapping in the OpenSSL–IANA cipher name mapping table.

    • Run openssl ciphers -convert <IANA-cipher-suite-name> inside the controller container. For example:

      nginx-ingress-controller-5c455d7d9f-nr7dd:/etc/nginx$ openssl ciphers -convert TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
OpenSSL cipher name: ECDHE-RSA-AES128-GCM-SHA256