
Securing Kubernetes Service with TLS

I have an application that is internal and exposed only to other applications on the cluster by a service with a cluster IP. Other services are accessing this application via its DNS ( serviceName-namespace.svc.cluster.local ). This application handles sensitive data, so although all the communication is inside the cluster I would like to use TLS to secure the communications to this application.

My question is - how can I enable TLS on a service? Is there something that already exists or should I handle it in the application code? Also, is there already a CA I can use on the cluster that can sign certificates for .svc.cluster.local ?

To clarify, I know I can use ingress for this purpose. The only problem is keeping this service internal only - so only services inside the cluster will be able to access it.

Thanks, Omer

I just found that the Kubernetes API can be used to generate a certificate that will be trusted by all the pods running on the cluster. This option might be simpler than the alternatives. You can find the documentation here , including the full flow of generating a certificate and using it.

Following @vonc's comments from below, I think I have a solution:

  • Purchase a public valid domain for this service (eg something.mycompany.com ).
  • Use CoreDNS to add an override rule so all requests to something.mycompany.com will go to something-namespace.svc.cluster.local , as the service is not exposed externally (this can be done also with a normal A record for my use case).
  • Use Nginx or something else to handle TLS with the certificate for something.mycompany.com .

This sounds pretty complicated but might work. What do you think?
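The certificate flow the update above points to, as an added example that is not from the question, the answers or the Kubernetes project: a Go program that generates a private key and a CSR whose subject alternative names are the Service's in-cluster DNS names (and optionally its cluster IP), then wraps the CSR in a CertificateSigningRequest manifest for the certificates.k8s.io API. The service name payments, the namespace finance, the cluster IP and the signer name example.com/serving are constructed placeholders; which signer a given cluster runs, and whether that signer's CA is the one pods already trust, is an assumption that has to be checked against the cluster's own certificate configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"net"
	"os"
	"strings"
)

// serviceDNSNames lists every name an in-cluster client may use to reach the
// Service, so that any of them verifies against the certificate.
func serviceDNSNames(service, namespace string) []string {
	return []string{
		service,
		service + "." + namespace,
		service + "." + namespace + ".svc",
		service + "." + namespace + ".svc.cluster.local",
	}
}

// newServingCSR generates a fresh P-256 key and a PEM-encoded CSR whose SANs
// cover the Service's DNS names and, when given, its cluster IP.
func newServingCSR(service, namespace string, clusterIP net.IP) (keyPEM, csrPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: service + "." + namespace + ".svc"},
		DNSNames: serviceDNSNames(service, namespace),
	}
	if clusterIP != nil {
		tmpl.IPAddresses = []net.IP{clusterIP}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// csrManifest wraps the PEM CSR (base64, as the API expects) in a
// CertificateSigningRequest object. signerName is a placeholder: the real
// value is whatever signer the cluster has configured for serving certs.
func csrManifest(name, signerName string, csrPEM []byte) string {
	return strings.Join([]string{
		"apiVersion: certificates.k8s.io/v1",
		"kind: CertificateSigningRequest",
		"metadata:",
		"  name: " + name,
		"spec:",
		"  request: " + base64.StdEncoding.EncodeToString(csrPEM),
		"  signerName: " + signerName,
		"  usages:",
		"  - digital signature",
		"  - key encipherment",
		"  - server auth",
		"",
	}, "\n")
}

func main() {
	// Constructed values: service "payments" in namespace "finance".
	keyPEM, csrPEM, err := newServingCSR("payments", "finance", nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// The key never leaves this host except inside the Secret mounted into the pod.
	if err := os.WriteFile("tls.key", keyPEM, 0o600); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(csrManifest("payments-finance", "example.com/serving", csrPEM))
}
```

Pipe the printed manifest into `kubectl apply -f -`, approve it with `kubectl certificate approve payments-finance` (or let the configured signer approve it), and read the issued certificate from the object's `status.certificate`; the certificate and `tls.key` then go into a Secret the pod mounts. The SANs deliberately include the short forms (service, service.namespace, service.namespace.svc), because a client that uses any of them will fail hostname verification if only the fully qualified name is on the certificate.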

Check if the tutorial " Secure Kubernetes Services with Ingress, TLS and LetsEncrypt " could apply to you:

Ingress can be backed by different implementations through the use of different Ingress Controllers. The most popular of these is the Nginx Ingress Controller , however there are other options available such as Traefik , Rancher , HAProxy , etc. Each controller should support a basic configuration, but can even expose other features (eg rewrite rules, auth modes) via annotations.

Give it a domain name and enable TLS. LetsEncrypt is a free TLS certificate authority, and using the kube-lego controller we can automatically request and renew LetsEncrypt certificates for public domain names, simply by adding a few lines to our Ingress definition!

In order for this to work correctly, a public domain name is required and should have an A record pointing to the external IP of the Nginx service.

For limiting to inside the cluster domain though ( svc.cluster.local ), you might need CoreDNS .
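Where the application terminates TLS itself instead of an ingress, the two checks an in-cluster client has to get right are that it trusts only the cluster's CA and that it verifies the certificate against the svc.cluster.local name it resolves. The following Go program is an added example, not code from this answer or from any project: it creates a throwaway CA and a serving certificate in-process (standing in for the cluster CA and the CSR flow), starts an HTTPS server with that certificate, and probes it as a client three ways: trusted CA with the right name, an unknown CA, and a name that is not on the certificate. The name payments.finance.svc.cluster.local and the CA are constructed for the example; how the CA bundle reaches pods in a real cluster is an assumption left to the cluster's configuration.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed service name; in the cluster this is what other pods resolve via DNS.
const serviceName = "payments.finance.svc.cluster.local"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueTestCerts stands in for the cluster CA and the CSR flow: a throwaway CA
// signs a serving certificate whose SAN is serviceName. It exists only so the
// example runs offline; a real pod gets the CA bundle from the cluster.
func issueTestCerts() (*x509.CertPool, tls.Certificate) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-cluster-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serviceName},
		DNSNames:    []string{serviceName}, // the SAN clients verify against
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}
}

// startServer is the internal application terminating TLS itself (no ingress).
func startServer(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// probe behaves like an in-cluster client: it trusts only roots, verifies the
// certificate against serverName, and returns the body or the TLS error.
func probe(roots *x509.CertPool, serverName, addr string) (string, error) {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12},
		// The test listener is dialled directly; in the cluster DNS resolves the name.
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, network, addr)
		},
	}
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get("https://" + serverName + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	roots, cert := issueTestCerts()
	srv := startServer(cert)
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	body, err := probe(roots, serviceName, addr)
	fmt.Println("cluster CA, service name:", body, err)
	_, err = probe(x509.NewCertPool(), serviceName, addr)
	fmt.Println("unknown CA:", err)
	_, err = probe(roots, "other.finance.svc.cluster.local", addr)
	fmt.Println("name not on certificate:", err)
}
```

Only the first probe succeeds; the other two fail inside the TLS handshake, before any request data is sent, which is the property wanted for a service that must stay reachable only from clients that hold the cluster CA and address it by its in-cluster name. Setting ServerName explicitly matters when a client is pointed at a cluster IP or a CoreDNS alias: verification must still be against the DNS name that is on the certificate.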

On Google Cloud you can make the load balancer service internal, like this:

    annotations = {
      "cloud.google.com/load-balancer-type" = "Internal"
    }
