Ingress Controller(Traefik)与Kubernetes上的后端服务之间的安全通信 [英] Secure communication between Ingress Controller (Traefik) and backend service on Kubernetes

问题描述

我正在尝试在Traefik代理后面的Kubernetes集群中保护Nifi.两者都在K8S中作为服务运行. Traefik已获得公共证书的担保.我希望它将调用重定向到nifi，同时确保Traefik(作为Ingress控制器)与后端Pod:Nifi之间的通信.

I'm trying to secure Nifi in a Kubernetes cluster, behind a Traefik proxy. Both are running as services in K8S. Traefik is secured with a public certificate. I want it to redirect calls to nifi, while securing the communication between Traefik (as an Ingress Controller) and the backend pods : Nifi.

好像安全配置应该隐藏在我的Ingress YAML描述符中.看来我应该发出CA根目录来生成Nifi自签名证书，并将此CA Root加载到Traefik中，以便它可以在与Nifi握手时验证Nifi发送的证书.

Looks like the secure confiuration should lire in my Ingress YAML descriptor. Looks like I should issue a CA root to generate Nifi self signed certificate and load this CA Root in Traefik so it can validate the certificate sent by Nifi while handshaking with it.

但是...我不知道1)如果这是个好方法，2)如何使用CA Root为NiFi生成我的商店(信任，...)，3)我应该如何设置我的YAML(似乎不支持insecureSkipVerify，...)

But... I can't figure out 1) if this is the good approach, 2) how I can generate my stores (trust, ...) for NiFi using a CA Root, 3) how I should setup my YAML (insecureSkipVerify seems not to be supported, ...)

提前，谢谢您的帮助.

干杯

奥利维尔

推荐答案

我遇到了同样的问题，可以使用insecureSkipVerify标志来解决.
traefik的问题在于，NiFi从traefik获取请求并将其自签名证书发送回traefik进行握手. Traefik不接受它，因此握手失败，导致NiFi中的bad_certificate异常(日志级别为DEBUG，因此您必须更改logback.xml文件).

I had the same problem and could solve it with the insecureSkipVerify flag.
The problem with traefik is, that NiFi gets the request from traefik and sends it's self signed certificate back to traefik for hand shaking. Traefik doesn't accept it, thus the handshake fails, leading to a bad_certificate exception in NiFi (has loglevel DEBUG, so you have to change the logback.xml file).

因此，一种解决方案是将您的自签名证书添加到traefik中，目前这是不可能的，

So one solution could be to add your self signed certificate to traefik, which is not possible at the moment, see this (currently) open issue.

另一种解决方案是在traefik和NiFi之间添加nginx，而不会保护"现有的traefik.因此，traefik与nginx进行了HTTP的对话，而与NiFi进行了HTTPS的对话(这是我要尝试的下一件事).

Another solution, without 'insecuring' your existing traefik would be to add an nginx between traefik and NiFi. So traefik talk HTTP with nginx, which talks HTTPS with NiFi (this will be the next thing I'm trying).

或者您可以像在此daemonset.yaml中一样在traefik中设置insecureSkipVerify标志:

Or you can set the insecureSkipVerify flag within traefik like I did in this daemonset.yaml:

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  creationTimestamp: 2018-06-21T16:18:46Z
  generation: 4
  labels:
    k8s-app: traefik-internal
    release: infrastructure
  name: traefik-internal
  namespace: infrastructure
  resourceVersion: "18860064"
  selfLink: /apis/extensions/v1beta1/namespaces/infrastructure/daemonsets/traefik-internal
  uid: c64a20e1-776e-11f8-be83-42010a9c0ff6
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: traefik-internal
      name: traefik-internal
      release: infrastructure
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: traefik-internal
        name: traefik-internal
        release: infrastructure
    spec:
      containers:
      - args:
        - --api
        - --ping
        - --defaultEntryPoints=http,https
        - --logLevel=INFO
        - --accessLog
        - --kubernetes
        - --kubernetes.ingressClass=traefik-internal
        - --metrics.prometheus=true
        - --entryPoints=Name:https Address::443 TLS:/certs/cert.pem,/certs/cert.key
          CA:/certs/clientca.pem
        - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
        - --insecureSkipVerify=true
        image: traefik:1.6.0-rc6-alpine
        imagePullPolicy: IfNotPresent
        name: traefik-internal
        resources: {}
        securityContext:
          privileged: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /certs
          name: traefik-internal-certs
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: sa-traefik
      serviceAccountName: sa-traefik
      terminationGracePeriodSeconds: 60
      volumes:
      - name: traefik-internal-certs
        secret:
          defaultMode: 420
          secretName: traefik-internal
  templateGeneration: 4
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
status:
  currentNumberScheduled: 3
  desiredNumberScheduled: 3
  numberAvailable: 3
  numberMisscheduled: 0
  numberReady: 3
  observedGeneration: 4
  updatedNumberScheduled: 3

insecureSkipVerify标志在spec.containers.args中更改.

希望有帮助！

这篇关于Ingress Controller(Traefik)与Kubernetes上的后端服务之间的安全通信的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！