
Kubernetes on TLS secured etcd

Running CoreOS, etcd is not secured by default. To secure it I can use TLS, which adds a level of complexity I'm willing to work on.

Now, is Kubernetes able to use a TLS secured etcd cluster?

In the config for the kubelet and various pods, Kubernetes passes the etcd endpoints as parameters, so they require etcd and will need the certificates to talk to it if it is secured. If Kubernetes supports TLS connection to etcd, how does it get configured?

Thanks

The API server is the only component that speaks directly to etcd. When starting the API server, you can pass a --etcd-config=/path/to/client/config parameter instead of just pointing to an unsecured etcd server with --etcd-server.

In that config file, you would specify the etcd servers, along with the client credentials (cert/key) to use to connect.

The format is that expected by the go-etcd client NewClientFromFile function, which expects a JSON serialization of the Client struct, specifically the config and cluster keys.

Digging further and asking on the GitHub project, I was directed towards this post that I hope answers the question:

https://groups.google.com/forum/#!topic/google-containers/bTfEcRQ3N28/discussion

In short, the config file should look like:

{
  "cluster": {
    "machines": [
          "https://kube-master.internal:2379",
          "https://kube-minion1.internal:2379",
          "https://kube-minion2.internal:2379"
    ]
  },
  "config": {
    "certFile": "/etc/etcd/kube-master.internal.pem",
    "keyFile": "/etc/etcd/kube-master.internal.key",
    "caCertFiles": [ "/etc/etcd/kubecluster-ca.pem" ],
    "consistency": "STRONG_CONSISTENCY"
  }
}

Haven't tried yet but will ASAP.
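Added example (not from the answers above, and not code from Kubernetes or go-etcd): a small Go pre-flight check for a config file of the shape shown in the answer. It does the two things worth verifying before handing the file to --etcd-config: every cluster.machines entry must be an https:// URL (a stray http:// endpoint would silently talk to etcd in plaintext), and the client certificate from certFile/keyFile must actually chain to the CA in caCertFiles and carry the client-auth extended key usage, which is what the etcd server will check during the TLS handshake. Because the example has to run offline, the CA and client certificate are generated in memory as constructed test material (the names kubecluster-ca and kube-master.internal are borrowed from the paths in the answer); in a deployment the PEM bytes would be read from those files. All function names here are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CheckMachines rejects any cluster.machines entry that is not an https:// URL,
// so a plaintext etcd endpoint cannot slip into a config meant for a TLS cluster.
func CheckMachines(machines []string) error {
	if len(machines) == 0 {
		return errors.New("cluster.machines is empty")
	}
	for _, m := range machines {
		u, err := url.Parse(m)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return fmt.Errorf("endpoint %q is not an https:// URL", m)
		}
	}
	return nil
}

// BuildClientTLS mirrors what an etcd client does with certFile/keyFile/caCertFiles:
// load the client keypair and trust only the listed CA(s). PEM bytes are passed in
// memory here instead of being read from the paths named in the JSON file.
func BuildClientTLS(certPEM, keyPEM []byte, caPEMs [][]byte) (*tls.Config, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("client cert/key: %w", err)
	}
	pool := x509.NewCertPool()
	for _, ca := range caPEMs {
		if !pool.AppendCertsFromPEM(ca) {
			return nil, errors.New("no CA certificate found in a caCertFiles entry")
		}
	}
	return &tls.Config{Certificates: []tls.Certificate{pair}, RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// ClientCertChainsToCA verifies the loaded client certificate against the loaded CA pool
// with the client-auth EKU, i.e. the check the etcd server performs on the handshake.
func ClientCertChainsToCA(cfg *tls.Config) error {
	leaf, err := x509.ParseCertificate(cfg.Certificates[0].Certificate[0])
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// selfSignedCA and clientCertSignedBy produce throwaway, constructed test material.
func selfSignedCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	return ca, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func clientCertSignedBy(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// Demo returns the verification result for a client cert checked against its own CA
// (expected nil) and against an unrelated CA (expected an error).
func Demo() (goodErr, wrongCAErr error) {
	ca, caKey, caPEM := selfSignedCA("kubecluster-ca")
	_, _, unrelatedPEM := selfSignedCA("unrelated-ca")
	certPEM, keyPEM := clientCertSignedBy(ca, caKey, "kube-master.internal")
	good, err := BuildClientTLS(certPEM, keyPEM, [][]byte{caPEM})
	if err != nil {
		return err, err
	}
	wrong, err := BuildClientTLS(certPEM, keyPEM, [][]byte{unrelatedPEM})
	if err != nil {
		return err, err
	}
	return ClientCertChainsToCA(good), ClientCertChainsToCA(wrong)
}

func main() {
	fmt.Println("mixed endpoints:", CheckMachines([]string{"https://kube-master.internal:2379", "http://kube-minion1.internal:2379"}))
	g, w := Demo()
	fmt.Println("chains to configured CA:", g == nil, "| chains to unrelated CA:", w == nil)
}
```

Running it prints an error for the http:// endpoint and shows the client certificate validating against its own CA but not against the unrelated one; pointing the same two functions at the real files from the JSON config gives the same pre-flight before the API server is started.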
