
Https certificates and Kubernetes (EKS)

I would like to secure my web application running on Kubernetes (EKS). All the nodes attached to the cluster are running on private subnets.

I have one front-end service and a dozen back-end services.

The front-end service is a pod running a container that listens on port 80. It is configured to be attached to an ELB which only accepts traffic on 443 with an https certificate.

apiVersion: v1
kind: Service
metadata:
  name: service_name
  labels:
    app: service_name
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: xxxxxxxxxx
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  ports:
    - port: 443 # Exposed port
      targetPort: 80 # Container port
  selector:
     app: service_name
  type: LoadBalancer

The back-end services are pods running containers that also listen on port 80. None of them has been configured to be accessible from outside the cluster. Back-end services talk to each other by pointing to http://service_name (NOT https), as I configured them with this template:

apiVersion: v1
kind: Service
metadata:
  name: service_name
spec:
  ports:
    - port: 80 # Exposed port
      targetPort: 80 # Container port
  selector:
     app: service_name

It all works, but is it sufficient?

Should the front-end/back-end containers also use a certificate on 443, with a wildcard https certificate? Should this configuration be done inside the container or in the Services' configuration?
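As an added example (not part of the question), here are the two places the question is asking about, written out as manifests for the in-tree AWS cloud-provider annotations the question already uses. Variant (a) terminates TLS at the ELB and sends plain HTTP to the pod, which is the questioner's layout with the TLS policy made explicit; variant (b) additionally re-encrypts the ELB-to-pod hop, which is only possible if the container itself serves TLS, so it comes with the Deployment that mounts the certificate. The certificate ARN, the `frontend` names, the image and the port 8443 are assumptions.

```yaml
# Added example, not from the question. Apply (a) OR (b), not both:
# they define a Service with the same name.
#
# (a) TLS terminated at the ELB; plaintext HTTP from the ELB to the pod.
apiVersion: v1
kind: Service
metadata:
  name: frontend
  labels:
    app: frontend
  annotations:
    # ACM certificate ARN is a placeholder (assumption)
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE
    # make the TLS listener and the cipher policy explicit instead of relying on defaults
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  type: LoadBalancer
  selector:
    app: frontend
  ports:
    - name: https
      port: 443
      targetPort: 80
---
# (b) TLS terminated at the ELB AND re-encrypted to the pod. The pod must
#     serve TLS on 8443 itself (see the Deployment below). A Classic ELB
#     does not verify the backend certificate unless backend authentication
#     is configured, so an internal-CA or self-signed certificate suffices
#     for this hop; the ACM certificate is still what clients see.
apiVersion: v1
kind: Service
metadata:
  name: frontend
  labels:
    app: frontend
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
spec:
  type: LoadBalancer
  selector:
    app: frontend
  ports:
    - name: https
      port: 443
      targetPort: 8443
---
# Deployment for (b): the certificate for the pod side lives in a
# kubernetes.io/tls Secret (frontend-tls, created separately) and is
# mounted read-only; the application binds 8443 with /etc/tls/tls.crt
# and /etc/tls/tls.key. Image and paths are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 2
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
        - name: web
          image: example.com/frontend:1.0
          ports:
            - containerPort: 8443
          volumeMounts:
            - name: tls
              mountPath: /etc/tls
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: frontend-tls
```

With (a) the certificate is managed entirely in ACM and the pods never touch it; with (b) each pod needs its own certificate material, which is the maintenance cost the answer below weighs. After applying either variant, `openssl s_client -connect <elb-dns-name>:443` shows which certificate and TLS version the ELB negotiates with clients.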

I have done quite a bit of investigation now and here is what I came down to.

All my EKS EC2 instances are running on private subnets, which means they are not accessible from outside. Yes, by default Kubernetes does not encrypt traffic between pods, which means that a hacker who has gained access to my VPC (could be a rogue AWS engineer, someone who manages to physically access AWS data centers, someone who managed to access my AWS account...) will be able to sniff the network traffic. At the same time, I feel that in that instance the hacker will have access to much more! If he has access to my AWS account, he can download the https certificate himself, for instance. If he manages to walk into a (high security) AWS data center and finds my server - it's good to compare the risk he has to take against the value of your data. If your data includes credit card/payment or sensitive personal data (date of birth, health details...), SSL encryption is a must. Anyway, to secure pod traffic, there are 2 options.

  1. Update all the pod source code and add the certificate there. It requires a lot of maintenance if you are running many pods, and certificates expire every other year.
  2. Add an extra 'network layer' like https://istio.io/ . This will add complexity to your cluster and, in the case of EKS, support from AWS will be 'best effort'. Ideally, you would pay for Istio support.

For the load balancer, I decided to add an ingress to the cluster (Nginx, Traefik...) and set it up with https. That's critical as the ELB sits on the public subnets.
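As an added example (not part of the answer), the two decisions above written as manifests: an Ingress that terminates https at the ingress controller, and an Istio PeerAuthentication that enforces the answer's option 2 (mTLS between sidecars) without touching the back-end services' `http://service_name` calls. It assumes ingress-nginx and Istio are installed, that the namespace `app` has sidecar injection enabled, and that `app.example.com`, the `frontend` Service and the `frontend-tls` Secret are placeholders.

```yaml
# Added example, not from the answer.
#
# 1. Ingress with TLS. The certificate is a kubernetes.io/tls Secret
#    (frontend-tls) read by the ingress controller; the pods behind it
#    keep serving plain HTTP on 80 and never see the key.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend
  namespace: app
  annotations:
    # plain-HTTP requests are redirected to https instead of served
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
      secretName: frontend-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend
                port:
                  number: 80
---
# 2. Option 2 from the answer: Istio sidecars encrypt and authenticate
#    pod-to-pod traffic. STRICT makes every sidecar in the namespace reject
#    plaintext connections, so a process on the node (or anything else in
#    the VPC) that is not a mesh member can neither sniff nor inject
#    traffic. Application code is unchanged; certificates are issued and
#    rotated by Istio, which removes the manual renewal of option 1.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: app
spec:
  mtls:
    mode: STRICT
```

Apply with `kubectl apply -f` after the Secret exists (`kubectl create secret tls frontend-tls --cert=... --key=... -n app`). Start PeerAuthentication in `PERMISSIVE` mode while the sidecars roll out, then switch to `STRICT`; with STRICT in place, a `curl http://service_name` from a pod without a sidecar in the same namespace fails, which is the quickest check that the enforcement is real. Note that the ingress controller's own Service is still what sits behind the ELB, so the annotations from the question (certificate and TLS policy) move to that Service, or TLS ends at the controller and the ELB passes TCP through.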
