Kubernetes中的SSL / TLS证书管理
[英]SSL/TLS certificates management in Kubernetes
问题描述
We have 10 different kubernetes pods which runs inside a private VPN, this pods are HTTP serving endpoints(not HTTPS). 
我们有10个不同的kubernetes Pod,它们在私有VPN内运行,这些Pod是HTTP服务端点(不是HTTPS)。 But this services would interact with HTTPS serving endpoints. 但是,此服务将与HTTPS服务端点进行交互。 Logically to make call to HTTP-S serving endpoints from a HTTP serving pod , the SSL server certificate trust is required. 从逻辑上讲,要从HTTP服务窗格调用HTTP-S服务端点,需要SSL服务器证书信任。 Hence we decided to store the SSL certificates inside each HTTP Service pods to make call to HTTPS serving pods. 因此,我们决定将SSL证书存储在每个HTTP服务窗格中,以调用HTTPS服务窗格。
I am wondering is there are any alternative approaches for managing SSL certificates across different pods in Kubernetes cluster? 我想知道是否有其他方法可以跨Kubernetes集群中的不同Pod管理SSL证书? How about kubeadm for K8s certificate management ... any suggestions ? kubeadm用于K8s证书管理怎么样?有什么建议吗?
1 个解决方案
解决方案1
2 2019-09-16 16:33:15
This is more of a general SSL certificate question rather than specific to Kubernetes. 这更多是一个通用的SSL证书问题,而不是特定于Kubernetes。
If the containers/pods providing the HTTPS endpoint already have their SSL correctly configured and the SSL certificate you are using was purchased/generated from a known, trusted CA (like letsencrypt or any one of the known, trusted certificate companies out there) then there is no reason your other container apps that are making connections to your HTTPS endpoint serving pods would need anything special stored in them. 如果提供HTTPS端点的容器/吊舱已经正确配置了SSL,并且您使用的SSL证书是从已知的受信任CA(例如letsencrypt或那里的任何已知受信任证书公司)购买/生成的,您的其他与HTTPS终结点服务Pod建立连接的容器应用没有理由不需要在其中存储任何特殊内容。
The only exception to this is if you have your own private CA and you've generated certificates on that internally and are installing them in your HTTPS serving containers. 唯一的例外是,如果您有自己的专用CA,并且已在内部生成了证书并将其安装在HTTPS服务容器中。 (Or if you are generating self-signed certs). (或者,如果您正在生成自签名证书)。 Your pods/containers connecting to the https endpoints would then need to know about the CA certificate. 然后,连接到https端点的吊舱/容器将需要了解CA证书。 Here is a stackoverflow question/answer that deals with this scenario: 这是处理这种情况的stackoverflow问题/答案:
How do I add a CA root certificate inside a docker image? 如何在docker映像中添加CA根证书?
Lastly, there are better patterns to manage SSL in containers and container schedulers like Kubernetes. 最后,还有更好的模式可以在容器和容器调度程序(如Kubernetes)中管理SSL。 It all depends on your design/architecture. 这一切都取决于您的设计/架构。
Some general ideas: 一些一般的想法:
- Terminate SSL at a load balancer before traffic hits your pods. 在流量到达您的Pod之前,在负载均衡器上终止SSL。 The load balancer then handles the traffic from itself to the pods as HTTP, and your clients terminate SSL at the Load Balancer. 然后,负载均衡器将其自身到Pod的流量作为HTTP处理,并且您的客户端在负载均衡器处终止SSL。 (This doesn't really tackle your specific use case though) (但是,这实际上并不能解决您的特定用例)
- Use something like Hashicorp Vault as an internal CA, and use automation around this product and Kubernetes to manage certificates automatically. 使用Hashicorp Vault之类的东西作为内部CA,并使用围绕此产品和Kubernetes的自动化来自动管理证书。
- Use something like cert-manager by jetstack to manage SSL in your kubernetes environment automatically. 使用jetstack的cert-manager之类的东西来自动管理kubernetes环境中的SSL。 It can connect to a multitude of 'providers' such as letsencrypt for free SSL. 它可以连接到多个“提供程序”,例如letencrypt以获得免费的SSL。 https://github.com/jetstack/cert-manager https://github.com/jetstack/cert-manager
Hope that helps. 希望能有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.