
Kubernetes TLS communication between pods (lighter solution)

I am adding security to my cluster. One of the requirements is that the communication between pods is secure.

The most viable option I found is to implement a "service mesh". I have seen that Calico, Istio, Linkerd are good options. But I don't know which one is the lightest as any of them have a lot of components that I won't really need.

If you have another recommendation, it is welcome.

I read:

Calico is an overlay network and CNI implementation. It won't automatically encrypt the communication between pods on its own, as far as I know.

Linkerd and Istio are service meshes which implement CNI to encrypt traffic with a CNI provider like Calico, but a CNI provider is not required.

Linkerd will automatically encrypt traffic with mTLS out of the box.

I think Istio added that feature recently.

Linkerd is much easier to install and use, and its proxy is faster and uses fewer resources.
