Securing connections from ingress to services in Kubernetes with TLS


Question

I am working on securing my Kubernetes cluster with a TLS connection configured in the ingress rule, which essentially terminates the SSL connection at the load balancer. So far so good.

A question came up about whether it would make sense to secure the connection from the load balancer to each of the services running in the Kubernetes cluster. My understanding of how Kubernetes works is that services should be able to go up and come down dynamically with no guarantee that the private IPs remain unchanged, so it does not make sense to try to secure the services with TLS connections. Also, given that each of the services cannot be exposed to the public internet directly (my configuration is to configure a single ingress rule, and routing rules with Istio will take care of the routing to the different services), the security is provided in the networking layer.

Is there anything conceptually wrong with my reasoning? Also, are there other mechanisms I should be looking at if I want to improve the security setup of my cluster? Istio Auth is not right for my use case, as I do not have services calling other services at all - all my services do not interact with one another.

Answer

Services are not supposed to go up and down dynamically. What you refer to is the Pod, which is ephemeral in nature. To make a Pod "more permanent", a Service is tagged to it. When Pods come and go, Kubernetes updates iptables rules to route traffic to the live Pods.

Traffic encryption within the cluster can be achieved by encrypting the traffic between the app and the Ingress (Layer 7), or on the cluster network overlay (Layer 3). See this page for more info.
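As an added example (not part of the question or answer above), this is one way to apply the Layer 7 option the answer mentions: TLS is terminated at the ingress controller and then re-encrypted to a Service whose Pods serve HTTPS themselves. It assumes the ingress-nginx controller (the annotations are specific to it), the `default` namespace, and placeholder names and hostnames.

```yaml
# Constructed example. Public TLS ends at the ingress controller; the hop from
# the controller to the Service is encrypted again (Layer 7 re-encryption).
# The annotations below are ingress-nginx specific; other controllers expose
# the same idea under different names.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  annotations:
    # Speak HTTPS to the backend instead of plain HTTP.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Without verification the hop is encrypted but the backend is not
    # authenticated; pin the CA that signed the backend certificate.
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/web-backend-ca"
    nginx.ingress.kubernetes.io/proxy-ssl-name: "web.default.svc"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [web.example.com]
      secretName: web-edge-tls     # kubernetes.io/tls Secret: public cert + key
  rules:
    - host: web.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 443
---
# The Service is the stable name the ingress talks to; Pods behind it may
# come and go, and Kubernetes keeps the routing rules current.
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  selector:
    app: web
  ports:
    - name: https
      port: 443
      targetPort: 8443   # the container itself listens with TLS on 8443
```

The Pods selected by `app: web` must serve a certificate for `web.default.svc` signed by the CA in `web-backend-ca`; that certificate is tied to the Service name, not to any Pod IP, which is why Pod churn does not break it.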
