
Kubernetes Ingress - Automatically validating certificates issued by an intermediate certificate

I'm currently setting up my Ingress in Kubernetes. We do have the requirement to enable SSL/TLS and validate the certificates. For this, we have a root CA, which issues a certificate to the intermediate CA. The intermediate CA in turn issues certificates for all our clients. The client certificates do have the subject name "Device".

The intermediate CA certificate is stored in a Kubernetes secret. Now I would like to configure the Ingress to automatically validate all incoming requests from clients and check that their certificate was indeed issued by our intermediate CA. In addition, I was wondering if it would be possible to validate the subject name of the client certificate.

Do you guys know if that is possible, or do I need to add this logic to my application?

I was somehow not able to find any information on that. Hence, it would be great if you could help me out here.

Thanks a lot in advance!!

Greetings from Berlin, David

Based on my understanding, you are planning to use certificate verification.

It is possible to enable client-certificate authentication by adding additional annotations to your Ingress resource. Before getting started you must have the following certificates set up:

  • CA certificate and key (intermediate certificates need to be in the CA)
  • Server certificate (signed by the CA) and key (the CN should equal the hostname you will use)
  • Client certificate (signed by the CA) and key

You can refer to this Ingress setup and give it a try:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Enable client certificate authentication
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Create the secret containing the trusted ca certificates
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
    # Specify the verification depth in the client certificates chain
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Specify an error page to be redirected to verification errors
    nginx.ingress.kubernetes.io/auth-tls-error-page: "http://example.io/error-cert.html"
    # Specify if certificates are passed to upstream server
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
  name: nginx-test
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: http-svc
            port:
              number: 80
  tls:
  - hosts:
    - mydomain.com
    secretName: tls-secret

Read more at: https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/
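The annotations above delegate three things to the ingress: the trusted CA bundle (auth-tls-secret), the permitted chain depth (auth-tls-verify-depth), and whether the client certificate is forwarded to the backend (auth-tls-pass-certificate-to-upstream). The subject-name check the question asks about is not one of them and has to happen in the application on the forwarded certificate. The following Go program is an added example written for this page; it is not code from the answer or from ingress-nginx. It builds a throwaway root -> intermediate -> "Device" hierarchy in memory, plus a second "Device" certificate from an unrelated CA, and then models the chain, depth and subject checks with the standard library's crypto/x509. The certificate names, serials, key usages, the DemoPKI/VerifyClient/Bundle helpers and the depth-counting model (issuer hops from the leaf to a certificate in the bundle) are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI mirrors the question: root CA -> intermediate CA -> client cert with CN "Device".
// Rogue is a second "Device" cert issued by an unrelated CA (constructed for this example).
type DemoPKI struct {
	Root, Intermediate, Device, Rogue *x509.Certificate
}

// must panics on error; fine here because every key and cert is an in-memory fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal certificate; the key usages are common practice, not from the page.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// issue signs tmpl with parentKey; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildDemoPKI generates fresh throwaway keys and certificates in memory.
func BuildDemoPKI() *DemoPKI {
	root, rootKey := issue(template("Root CA", true, 1), nil, nil)
	inter, interKey := issue(template("Intermediate CA", true, 2), root, rootKey)
	device, _ := issue(template("Device", false, 3), inter, interKey)
	other, otherKey := issue(template("Unrelated CA", true, 4), nil, nil)
	rogue, _ := issue(template("Device", false, 5), other, otherKey)
	return &DemoPKI{Root: root, Intermediate: inter, Device: device, Rogue: rogue}
}

// Bundle assembles a trusted-CA list, standing in for the contents of the auth-tls-secret.
func Bundle(certs ...*x509.Certificate) []*x509.Certificate { return certs }

// VerifyClient models the checks in play: the chain must end at a cert in the trusted bundle
// (auth-tls-secret) within maxDepth issuer hops (auth-tls-verify-depth) and the subject CN must
// match; presented holds any extra CA certs the client sent in the handshake.
func VerifyClient(client *x509.Certificate, bundle, presented []*x509.Certificate, maxDepth int, wantCN string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range bundle {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	chains, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("not issued under a trusted CA: %w", err)
	}
	// Go lists chains anchored directly in Roots first, so chains[0] is the shortest one.
	if depth := len(chains[0]) - 1; depth > maxDepth {
		return fmt.Errorf("chain depth %d exceeds verify-depth %d", depth, maxDepth)
	}
	if cn := client.Subject.CommonName; cn != wantCN {
		return fmt.Errorf("subject CN %q, want %q", cn, wantCN)
	}
	return nil
}

func main() {
	p := BuildDemoPKI()
	fmt.Println("intermediate in secret:", VerifyClient(p.Device, Bundle(p.Intermediate), nil, 1, "Device"))
	fmt.Println("root only in secret:   ", VerifyClient(p.Device, Bundle(p.Root), Bundle(p.Intermediate), 1, "Device"))
	fmt.Println("rogue Device cert:     ", VerifyClient(p.Rogue, Bundle(p.Intermediate), nil, 1, "Device"))
}
```

Two outcomes are worth noting. With only the root in the bundle and verify-depth 1, a "Device" certificate fails even though it is genuine, because reaching the root takes two issuer hops; that is why the answer's list says the intermediate must be in the CA secret (or the depth raised). And the rogue certificate fails despite carrying the expected subject name, which is why the CN check only means something after the chain check has passed; the backend should apply it to the certificate the ingress forwards, never as a substitute for chain validation.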

Statement: the technical posts on this site are published under the CC BY-SA 4.0 license; if you reproduce them, please cite this site or the original source. Questions: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM