From 15ee4d5bccd428c5a16514a9bf65886ba23b8b94 Mon Sep 17 00:00:00 2001 From: Micah Hausler Date: Thu, 9 Nov 2017 16:44:52 -0500 Subject: [PATCH] Documented service annotation for AWS ELB SSL policy --- docs/concepts/services-networking/service.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/concepts/services-networking/service.md b/docs/concepts/services-networking/service.md index 29b23a891ed0e..2f1f6a6c856d0 100644 --- a/docs/concepts/services-networking/service.md +++ b/docs/concepts/services-networking/service.md @@ -516,7 +516,7 @@ metadata: For partial SSL support on clusters running on AWS, starting with 1.3 three annotations can be added to a `LoadBalancer` service: -``` +```yaml metadata: name: my-service annotations: @@ -561,6 +561,23 @@ In the above example, if the service contained three ports, `80`, `443`, and `8443`, then `443` and `8443` would use the SSL certificate, but `80` would just be proxied HTTP. +Beginning in 1.9, services can use [predefined AWS SSL policies](http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) +for any HTTPS or SSL listeners. To see which policies are available for use, run +the awscli command: + +```bash +aws elb describe-load-balancer-policies --query 'PolicyDescriptions[].PolicyName' +``` + +Any one of those policies can then be specified using the following annotation: + +```yaml + metadata: + name: my-service + annotations: + service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01" +``` + #### PROXY protocol support on AWS To enable [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
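Review bot: in the first hunk (@@ -516,7 +516,7 @@), the change from a bare fence to a yaml-tagged fence is a formatting fix that the subject line "Documented service annotation for AWS ELB SSL policy" does not cover. Mention it in the commit message or split it into its own commit, so the history of the existing SSL example stays separate from the new annotation docs.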
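Review bot: in the second hunk (@@ -561,6 +561,23 @@), the added paragraph never says what a listener negotiates when `service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy` is left unset, or what happens when the value is not a valid policy name. Anyone hardening TLS needs both answers, so add a sentence for each. The text says the policy applies to "any HTTPS or SSL listeners", while the preceding context paragraph describes per-port behaviour for `80`, `443` and `8443`. State explicitly that the policy is set on every SSL/HTTPS port of the service and not on the plain HTTP one, if that is the behaviour. "Any one of those policies can then be specified" depends on the `aws elb describe-load-balancer-policies` query returning only SSL negotiation policies. Confirm that it does, or narrow the wording to the policies in the linked table. The example value "ELBSecurityPolicy-TLS-1-2-2017-01" is a dated policy name that readers will copy verbatim, so say that it is only an illustration and that the choice should follow the protocol and cipher set in the linked table. The link to docs.aws.amazon.com uses `http://`; use `https://`.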