
Security for applications hosted in kubernetes ingress

I need to host the frontend and backend parts of my application on ingress kubernetes. I would like only the frontend part to be able to send requests to the backend part, even though both are available in ingress under one host (but on a different path). Is it possible to set something like this in a kubernetes cluster, so that no other applications can send requests to the backend part? Can you do something like this with kubernetes security headers?

Within the cluster, you can restrict traffic between services by using Network Policies. E.g. you can declare that service A can send traffic to service B, but that service C can not send traffic to service B. However, you need to make sure that your cluster has a CNI with support for Network Policies. Calico is an example of such an add-on.

Ingress is useful for declaring what services can receive traffic from outside of the cluster.

Also, Service Meshes like Istio are useful for further enhancing this security, e.g. by using an Egress proxy, mTLS and requiring JWT based authentication between services.
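The Network Policy approach from the answer, as an added example that is not part of the original answer: a policy selecting the backend pods and admitting ingress traffic only from the frontend pods. The pod labels `app=backend` and `app=frontend`, the namespace `myapp` and the port 8080 are assumptions for the example.

```yaml
# Added example (not from the answer above): restrict ingress traffic to the
# backend pods so that only the frontend pods may reach them.
# Assumed labels: backend pods carry app=backend, frontend pods carry
# app=frontend, both in namespace "myapp" (all hypothetical names).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-frontend-only
  namespace: myapp
spec:
  # The policy applies to the backend pods. Once a pod is selected by a
  # policy with policyTypes Ingress, every ingress connection that is not
  # explicitly listed below is denied by the CNI (e.g. Calico).
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    # Only pods labelled app=frontend in the same namespace may connect,
    # and only on the port the backend actually listens on.
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
# To verify: exec into a pod in "myapp" that lacks the app=frontend label
# and try to connect to the backend Service; the connection should time out,
# while the same request from a frontend pod succeeds.
```

If the backend must also stay reachable through the Ingress, the ingress controller's pods have to be added to the `from` list (typically via a `namespaceSelector`), and that path is then open to any external client of the host, which is why the answer points to JWT or mTLS for the service-to-service hop.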
