自签名证书可以保护多个CN/FQDN吗? [英] Can a self-signed cert secure multiple CNs / FQDNs?
问题描述
这是一个愚蠢的设置,但这是我现在正在查看的内容:
This is a bit of a silly setup, but here's what I'm looking at right now:
- 我正在学习Kubernetes
- 我想将自定义代码推送到我的Kubernetes集群,这意味着该代码必须作为Docker映像提供,可从 some Docker存储库(默认为Docker Hub)获得
- 尽管我愿意为Docker Hub付费(尽管我宁愿避免这样做),但我担心将自定义代码放在第三方服务上. 突然的速率限制 ,安全漏洞,突然的ToS更改,等等
- 为此,我正在Kubernetes集群中运行自己的Docker注册表
- 我不想将在Kubernetes节点上运行的Docker客户端配置为信任不安全的(HTTP)Docker注册表.如果我确实选择从外部注册表中提取任何图像(例如,像
nginx这样的公共图像,我可能会从Docker Hub中提取而不是在本地托管),那么我就不会轻易受到MITM攻击而被交换掉图像 - 最终,我将在集群中使用构建工具(无论是詹金斯还是其他人),从git中提取我的代码,构建映像,并将其推送到我的内部注册表中.然后,从注册表中提取的所有节点都位于群集中.由于注册表永远不需要从群集外部的源接收图像或将图像传递到群集外部的源,因此注册表不需要NodePort服务,而可以是ClusterIP服务.... 最终
- 在我准备好最终设置之前,我正在本地计算机上构建映像,并希望将其推送到注册表(从Internet)
- 因为我不打算最终使注册表可以从外界访问,所以我无法利用Let's Encrypt为其生成有效的证书(即使我要让Docker注册表对外界可用, 无论如何,我不能使用让我们加密" ,而无需编写一些额外的代码使用certbot之类的东西)
- I'm learning Kubernetes
- I want to push custom code to my Kubernetes cluster, which means the code must be available as a Docker image available from some Docker repository (default is Docker Hub)
- While I'm willing to pay for Docker Hub if I have to (though I'd rather avoid it), I have concerns about putting my custom code on a third-party service. Sudden rate limits, security breaches, sudden ToS changes, etc
- To this end, I'm running my own Docker registry within my Kubernetes cluster
- I do not want to configure the Docker clients running on the Kubernetes nodes to trust insecure (HTTP) Docker registries. If I do choose to pull any images from an external registry (e.g. public images like
nginxI may pull from Docker Hub instead of hosting locally) then I don't want to be vulnerable to MITM attacks swapping out the image - Ultimately I will have a build tool within the cluster (Jenkins or otherwise) pull my code from git, build the image, and push it to my internal registry. Then all nodes pulling from the registry live within the cluster. Since the registry never needs to receive images from sources outside of the cluster or delivery them to sources outside of the cluster, the registry does not need a NodePort service but can instead be a ClusterIP service.... ultimately
- Until I have that ultimate setup ready, I'm building images on my local machine and wish to push them to the registry (from the internet)
- Because I don't plan on making the registry accessible from the outside world (eventually), I can't utilize Let's Encrypt to generate valid certs for it (even if I were making my Docker registry available to the outside world, I can't use Let's Encrypt, anyway without writing some extra code to utilize certbot or something)
My plan is to follow the example in this StackOverflow post: generate a self-signed cert and then launch the Docker registry using that certificate. Then use a DaemonSet to make this cert trusted on all nodes in the cluster.
现在您已经设置好了,这是我问题的症结所在:在群集中,可以通过简单的主机名(例如"docker-registry")访问Docker注册表,但是在群集之外,我需要通过指向节点或负载均衡器的节点IP地址或域名进行访问.
Now that you have the setup, here's the crux of my issue: within my cluster my Docker registry can be accessed via a simple host name (e.g. "docker-registry"), but outside of my cluster I need to either access it via a node IP address or a domain name pointing at a node or a load balancer.
生成我的自签名证书时,要求我提供证书的CN/FQDN.我输入了"docker-registry" -我打算使用的内部主机名.然后,我尝试在本地访问注册表以将映像推送到它:
When generating my self-signed cert I was asked to provide a CN / FQDN for the certificate. I put in "docker-registry" -- the internal host name I plan to utilize. I then tried to access my registry locally to push an image to it:
> docker pull ubuntu
> docker tag ubuntu example.com:5000/my-ubuntu
> docker push example.com:5000/my-ubuntu
The push refers to repository [example.com:5000/my-ubuntu]
Get https://example.com:5000/v2/: x509: certificate is valid for docker-registry, not example.com
我可以为example.com而不是docker-registry生成证书,但是我担心如果我提供这样的外部域而不是从群集内部配置服务或连接注册表时会遇到问题内部主机名.
I can generate a certificate for example.com instead of for docker-registry, however I worry that I'll have issues configuring the service or connecting to my registry from within my cluster if I provide my external domain like this instead of an internal host name.
这就是为什么我想问一下我是否可以将我的自签名证书同时应用于 example.com 和 docker-registry.如果没有,其他两个可接受的解决方案将是:
This is why I'm wondering if I can just say that my self-signed cert applies to both example.com and docker-registry. If not, two other acceptable solutions would be:
- 我可以告诉Docker客户端不要验证主机名,而只是隐式地信任证书吗?
- 我可以告诉Docker注册表根据用于访问它的主机名提供两个 不同 证书之一吗?
如果这三个选项都不可行,那么我总是可以放弃从本地计算机推送图像,并开始在集群中构建图像的过程-但我希望将其推迟到以后.我现在正在学习很多东西,并努力避免被切向的事物分散注意力.
If none of the three options are possible, then I can always just forego pushing images from my local machine and start the process of building images within the cluster -- but I was hoping to put that off until later. I'm learning a lot right now and trying to avoid getting distracted by tangential things.
推荐答案
解决问题的最简单方法可能是使用Docker的insecure-registry功能.您在帖子中提到的问题(以后将使您面临安全风险)可能不会适用,因为该功能通过指定要信任的特定IP地址或主机名来起作用.
Probably the easiest way to solve your problem would be to use Docker's insecure-registry feature. The concern you mention about this in your post (that it would open you up to security risks later) probably won't apply as the feature works by specifying specific IP addresses or host names to trust.
例如,您可以配置类似
{
"insecure-registries" : [ "10.10.10.10:5000" ]
}
该Docker守护进程不使用TLS即可访问的唯一IP地址就是该主机和端口号.
and the only IP address that your Docker daemons will access without TLS is the one at that host and port number.
如果您不想这样做,则需要获得一个受信任的TLS证书.您提到的关于每个证书具有多个名称的问题通常由主题备用名称字段处理证书. (实际上Kubernetes大量使用了该功能).
If you don't want to do that, then you'll need to get a trusted TLS certificate in place. The issue you mentioned about having multiple names per cert is usually handled with the Subject Alternative Name field in a cert. (indeed Kubernetes uses that feature quite a bit).
这篇关于自签名证书可以保护多个CN/FQDN吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
