How to configure Kubernetes to encrypt the traffic between nodes, and pods?

Views: 28

Question

In preparation for HIPAA compliance, we are transitioning our Kubernetes cluster to use secure endpoints across the fleet (between all pods). Since the cluster is composed of about 8-10 services currently using HTTP connections, it would be super useful to have this taken care of by Kubernetes.

The specific attack vector we'd like to address with this is packet sniffing between nodes (physical servers).

The question is in two parts:

  • Does Kubernetes encrypt the traffic between pods and nodes by default?
  • If not, is there a way to configure it?

Thanks a lot!

Recommended answer

Actually the correct answer is "it depends". I would split the cluster into 2 separate networks.

1. Control-plane network

This network is the physical network, or in other words the underlay network.

k8s control-plane elements - kube-apiserver, kube-controller-manager, kube-scheduler, kube-proxy, kubelet - talk to each other in various ways. Except for a few endpoints (e.g. metrics), it is possible to configure encryption on all endpoints.

If you're also pentesting, then kubelet authn/authz should be switched on too. Otherwise, the encryption doesn't prevent unauthorized access to the kubelet. This endpoint (at port 10250) can be hijacked with ease.

2. Cluster network

The cluster network is the one used by the Pods, which is also referred to as the overlay network. Encryption is left to the 3rd-party overlay plugin to implement, failing which the app has to implement it.

The Weave overlay supports encryption. The service mesh linkerd that @lukas-eichler suggested can also achieve this, but on a different networking layer.
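The answer's control-plane point is that TLS on the kubelet's serving port (10250 by default) is only half the job: the kubelet also has to reject anonymous callers and authorize the rest, or the encrypted endpoint is still open to anyone on the node network. The following is an added example, not code from the question or answer above, that audits a KubeletConfiguration for exactly those settings. The two configurations are constructed for this example (file paths are illustrative), and they are written as JSON so the script needs only the standard library; the real `/var/lib/kubelet/config.yaml` loads into the same dict shape with `yaml.safe_load()`.

```python
"""Audit a KubeletConfiguration for serving TLS, authentication and authorization.

Added example, not part of the original Q&A. The sample configs are constructed;
paths such as /var/lib/kubelet/pki/kubelet.crt are illustrative.
"""
from __future__ import annotations

import json

# Constructed sample: the kind of kubelet the answer says "can be hijacked with ease".
WEAK_KUBELET_CONFIG = """{
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "kind": "KubeletConfiguration",
  "port": 10250,
  "readOnlyPort": 10255,
  "authentication": {"anonymous": {"enabled": true}, "webhook": {"enabled": false}},
  "authorization": {"mode": "AlwaysAllow"}
}"""

# Constructed sample: serving TLS, anonymous off, webhook + client-CA authentication,
# webhook (SubjectAccessReview) authorization, read-only port disabled.
HARDENED_KUBELET_CONFIG = """{
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "kind": "KubeletConfiguration",
  "port": 10250,
  "readOnlyPort": 0,
  "tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
  "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",
  "tlsMinVersion": "VersionTLS12",
  "authentication": {
    "anonymous": {"enabled": false},
    "webhook": {"enabled": true, "cacheTTL": "2m0s"},
    "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}
  },
  "authorization": {"mode": "Webhook"}
}"""


def load_kubelet_config(text: str) -> dict:
    """Parse a JSON-form KubeletConfiguration into a dict."""
    return json.loads(text)


def _get(cfg: dict, dotted: str, default=None):
    """Walk a dotted path such as 'authentication.anonymous.enabled'."""
    cur = cfg
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def audit_kubelet_config(cfg: dict) -> list[str]:
    """Return findings as 'ID: message' strings; an empty list means every check passed."""
    findings = []

    # TLS: without a cert/key pair (or serverTLSBootstrap, which requests one from the
    # API server) the kubelet generates a self-signed serving certificate, so clients
    # cannot authenticate the node they are talking to.
    has_pair = bool(_get(cfg, "tlsCertFile")) and bool(_get(cfg, "tlsPrivateKeyFile"))
    if not has_pair and _get(cfg, "serverTLSBootstrap") is not True:
        findings.append("TLS: no tlsCertFile/tlsPrivateKeyFile and serverTLSBootstrap is off; "
                        "kubelet will serve a self-signed certificate")

    # Anonymous auth: encryption does nothing for access control if unauthenticated
    # callers are accepted. Require an explicit false instead of trusting defaults
    # (the legacy --anonymous-auth flag defaulted to true).
    if _get(cfg, "authentication.anonymous.enabled") is not False:
        findings.append("ANON: authentication.anonymous.enabled is not explicitly false")

    # Some authenticator must exist: TokenReview via webhook and/or x509 client certs
    # (the API server presents --kubelet-client-certificate to the kubelet).
    if (_get(cfg, "authentication.webhook.enabled") is not True
            and not _get(cfg, "authentication.x509.clientCAFile")):
        findings.append("AUTHN: neither webhook authentication nor an x509 clientCAFile is configured")

    # AlwaysAllow hands every caller (anonymous included, if enabled) the whole kubelet
    # API: pod exec, container logs, /runningpods and so on.
    mode = _get(cfg, "authorization.mode")
    if mode != "Webhook":
        findings.append(f"AUTHZ: authorization.mode is {mode!r}; expected 'Webhook' (SubjectAccessReview)")

    # The read-only port is plain HTTP with no authn/authz at all; 0 disables it.
    ro_port = _get(cfg, "readOnlyPort", 0)
    if ro_port:
        findings.append(f"RO_PORT: readOnlyPort={ro_port} exposes an unauthenticated plaintext API")

    return findings


def finding_ids(cfg: dict) -> list[str]:
    """Just the finding IDs, convenient for comparing two configs."""
    return [f.split(":", 1)[0] for f in audit_kubelet_config(cfg)]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        findings = audit_kubelet_config(load_kubelet_config(text))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against the two samples, the weak config produces five findings and the hardened one produces none. Note that `authorization.mode: Webhook` only works if the kubelet can reach the API server to issue SubjectAccessReviews, and x509 client authentication needs the API server started with `--kubelet-client-certificate`/`--kubelet-client-key` signed by the CA named in `clientCAFile`. For the cluster network side of the answer, Weave Net's Kubernetes addon turns on overlay encryption when the weave container gets a `WEAVE_PASSWORD` environment variable, normally sourced from a Secret; that is a property of the plugin, not of Kubernetes itself, which is the answer's point.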

