Kubernetes: should I use HTTPS to communicate between services
Problem description
Let's say I'm using a GCE ingress to handle traffic from outside the cluster and terminate TLS (https://example.com/api/items), from here the request gets routed to one of two services that are only available inside the cluster. So far so good.
What if I have to call service B from service A, should I go all the way and use the cluster's external IP/domain and use HTTPS (https://example.com/api/user/1) to call the service or could I use the internal IP of the service and use HTTP (http://serviceb/api/user/1)? Do I have to encrypt the data or is it "safe" as long as it isn't leaving the private k8s network?
What if I want to have "internal" endpoints that should only be accessible from within the cluster - when I'm always using the external https-url those endpoints would be reachable for everyone. Calling the service directly, I could just do a http://serviceb/internal/info/abc.
What if I have to call service B from service A, should I go all the way and use the cluster's external IP/domain and use HTTPS (https://example.com/api/user/1) to call the service or could I use the internal IP of the service and use HTTP (http://serviceb/api/user/1)?
If you need to use the features that your API Gateway is offering (authentication, cache, high availability, load balancing) then YES, otherwise DON'T. The external-facing API should contain only endpoints that are used by external clients (from outside the cluster).
Do I have to encrypt the data or is it "safe" as long as it isn't leaving the private k8s network?
"safe" is a very relative word and I believe that there are no 100% safe networks. You should put in the balance the probability of "somebody" or "something" sniffing data from the network and the impact that it has on your business if that happens.
If this helps you: for any project that I've worked for (or I heard from somebody I know), the private network between containers/services was more than sufficient.
What if I want to have "internal" endpoints that should only be accessible from within the cluster - when I'm always using the external https-url those endpoints would be reachable for everyone.
Exactly what I was saying on top of the answer. Keeping those endpoints inside the cluster makes them inaccessible by design from outside.
One last thing, managing a lot of SSL certificates for a lot of internal services is a pain that one should avoid if not necessary.
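As an added illustration (not part of the original question or answer), the manifests below sketch the layout the answer describes on GKE: the Ingress terminates TLS and publishes only the external paths, service B stays a ClusterIP Service that service A reaches over plain HTTP, and a NetworkPolicy limits which pods may call it. Names (example.com, service-a, service-b, the TLS Secret, ports) are assumed placeholders.

```yaml
# Added example, not from the original post. All names are assumed placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-api
  annotations:
    kubernetes.io/ingress.class: "gce"     # GCE ingress, as in the question
spec:
  tls:
  - hosts: [example.com]
    secretName: example-com-tls            # TLS terminates at the load balancer
  rules:
  - host: example.com
    http:
      paths:
      # Only external paths are listed; /internal/* has no rule, so
      # https://example.com/internal/... falls through to the default backend.
      - path: /api/items
        pathType: Prefix
        backend: { service: { name: service-a, port: { number: 80 } } }
      - path: /api/user
        pathType: Prefix
        backend: { service: { name: service-b, port: { number: 80 } } }
---
apiVersion: v1
kind: Service
metadata:
  name: service-b
  annotations:
    cloud.google.com/neg: '{"ingress": true}'   # lets a ClusterIP Service back a GKE Ingress
spec:
  type: ClusterIP            # no external IP; in-cluster callers use http://service-b/
  selector: { app: service-b }
  ports:
  - port: 80
    targetPort: 8080
---
# Extra step beyond the answer: restrict in-cluster callers of service B.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-b-ingress
spec:
  podSelector: { matchLabels: { app: service-b } }
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector: { matchLabels: { app: service-a } }   # service A pods
    - ipBlock: { cidr: 130.211.0.0/22 }   # Google load balancer / health-check ranges,
    - ipBlock: { cidr: 35.191.0.0/16 }    # needed because the Ingress also targets service-b
    ports:
    - port: 8080
```

The NetworkPolicy only takes effect if the cluster runs a CNI that enforces it (on GKE, network policy enforcement or Dataplane V2 must be enabled).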