如何配置Kubernetes加密节点和Pod之间的流量? [英] How to configure Kubernetes to encrypt the traffic between nodes, and pods?

问题描述

为了满足HIPAA的要求，我们正在过渡Kubernetes集群，以在整个机队(所有Pod之间)使用安全端点.由于该集群由当前使用HTTP连接的大约8-10个服务组成，因此由Kubernetes负责将非常有用.

In preparation for HIPAA compliance, we are transitioning our Kubernetes cluster to use secure endpoints across the fleet (between all pods). Since the cluster is composed of about 8-10 services currently using HTTP connections, it would be super useful to have this taken care of by Kubernetes.

我们要解决的特定攻击媒介是节点(物理服务器)之间的数据包嗅探.

The specific attack vector we'd like to address with this is packet sniffing between nodes (physical servers).

此问题分为两部分:

• Kubernetes是否对Pod&默认情况下是节点?
• 如果没有，是否有办法进行配置?

非常感谢！

推荐答案

实际上正确的答案是取决于".我将群集分为两个独立的网络.

Actually the correct answer is "it depends". I would split the cluster into 2 separate networks.

1.控制平面网络

此网络是物理网络或底层网络的网络.

This network is that of the physical network or the underlay network in other words.

k8s控制平面元素-kube-apiserver，kube-controller-manager，kube-scheduler，kube-proxy，kubelet-以各种方式相互交谈.除了少数端点(例如度量标准)之外，还可以在所有端点上配置加密.

k8s control-plane elements - kube-apiserver, kube-controller-manager, kube-scheduler, kube-proxy, kubelet - talk to each other in various ways. Except for a few endpoints (eg. metrics), it is possible to configure encryption on all endpoints.

如果您也在进行测试，则 kubelet authn/authz 也应该打开.否则，加密不会阻止未经授权的访问kubelet.可以轻松劫持此端点(在端口10250处).

If you're also pentesting, then kubelet authn/authz should be switched on too. Otherwise, the encryption doesn't prevent unauthorized access to the kubelet. This endpoint (at port 10250) can be hijacked with ease.

2.群集网络

集群网络是Pods使用的网络，也称为覆盖网络.加密留给第三方覆盖插件来实施，否则，应用必须实施.

The cluster network is the one used by the Pods, which is also referred to as the overlay network. Encryption is left to the 3rd-party overlay plugin to implement, failing which, the app has to implement.

Weave叠加层支持加密. @ lukas-eichler建议的服务网格链接程序也可以实现此目的，但是在不同的网络层上.

The Weave overlay supports encryption. The service mesh linkerd that @lukas-eichler suggested can also achieve this, but on a different networking layer.

这篇关于如何配置Kubernetes加密节点和Pod之间的流量?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！