Secure communication between Ingress Controller (Traefik) and backend service on Kubernetes


Question


I'm trying to secure Nifi in a Kubernetes cluster, behind a Traefik proxy. Both are running as services in K8S. Traefik is secured with a public certificate. I want it to redirect calls to nifi, while securing the communication between Traefik (as an Ingress Controller) and the backend pods: Nifi.


Looks like the secure configuration should lie in my Ingress YAML descriptor. Looks like I should issue a CA root to generate Nifi's self-signed certificate and load this CA root in Traefik so it can validate the certificate sent by Nifi while handshaking with it.


But... I can't figure out 1) if this is the good approach, 2) how I can generate my stores (trust, ...) for NiFi using a CA root, 3) how I should set up my YAML (insecureSkipVerify seems not to be supported, ...)

Thanks in advance for your help.

Cheers,

Olivier
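The question's items 2) and 3) come down to one trust relationship: a private root CA signs the backend's certificate, and the proxy is given that root so the handshake verifies. The following Go program is an added example (not code from the question, from Traefik or from NiFi) that models exactly that: it issues a constructed root CA, issues a leaf certificate for the backend's in-cluster DNS name, and runs the same standard-library check a Go TLS client performs on a backend certificate, once with the CA in the trust pool, once without it (the situation that makes the handshake fail), and once with a name mismatch. The backend name "nifi.infrastructure.svc" and the CA subject are assumptions; the PEM output is what would be placed in a Kubernetes Secret mounted into the proxy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key and a certificate from tmpl. With parent == nil
// the certificate is self-signed (a root CA); otherwise it is signed by parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPrivateCA issues the private root both sides are configured with: its key
// signs the backend certificate, its certificate goes into the proxy's trust store.
func NewPrivateCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "cluster-internal-root (constructed example)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return newCert(tmpl, nil, nil)
}

// IssueBackendCert issues the leaf certificate the backend (NiFi) presents in the
// handshake. The SAN must be the name the proxy dials, i.e. the in-cluster DNS name.
func IssueBackendCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return newCert(tmpl, ca, caKey)
}

// VerifyBackend is the check a TLS client performs on the backend's certificate:
// chain to a trusted root, SAN matches the dialled host, valid for server auth.
// It is the step that an insecureSkipVerify setting switches off.
func VerifyBackend(leaf *x509.Certificate, roots *x509.CertPool, dialledHost string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dialledHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// CertPEM renders a certificate in the PEM form stored in a Kubernetes Secret.
func CertPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

func main() {
	ca, caKey, err := NewPrivateCA()
	if err != nil {
		panic(err)
	}
	// Constructed in-cluster name; "infrastructure" is the namespace used on this page.
	const backend = "nifi.infrastructure.svc"
	leaf, _, err := IssueBackendCert(ca, caKey, backend)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("CA in proxy trust store:", VerifyBackend(leaf, trusted, backend))
	fmt.Println("CA missing (handshake fails):", VerifyBackend(leaf, x509.NewCertPool(), backend))
	fmt.Println("name mismatch:", VerifyBackend(leaf, trusted, "nifi.other.svc"))
	fmt.Print(CertPEM(ca))
}
```

The second and third checks are the two ways this setup fails in practice: a proxy that lacks the root rejects the chain ("certificate signed by unknown authority", which the backend sees as a failed handshake), and a certificate issued for a name other than the one the proxy dials fails hostname verification even with the root trusted. Disabling verification hides both; distributing the root and issuing the leaf for the right SAN fixes both.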

Answer


I had the same problem and could solve it with the insecureSkipVerify flag.
The problem with traefik is that NiFi gets the request from traefik and sends its self-signed certificate back to traefik for handshaking. Traefik doesn't accept it, thus the handshake fails, leading to a bad_certificate exception in NiFi (has loglevel DEBUG, so you have to change the logback.xml file).


So one solution could be to add your self signed certificate to traefik, which is not possible at the moment, see this (currently) open issue.


Another solution, without 'insecuring' your existing traefik, would be to add an nginx between traefik and NiFi. So traefik talks HTTP with nginx, which talks HTTPS with NiFi (this will be the next thing I'm trying).


Or you can set the insecureSkipVerify flag within traefik like I did in this daemonset.yaml:

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  creationTimestamp: 2018-06-21T16:18:46Z
  generation: 4
  labels:
    k8s-app: traefik-internal
    release: infrastructure
  name: traefik-internal
  namespace: infrastructure
  resourceVersion: "18860064"
  selfLink: /apis/extensions/v1beta1/namespaces/infrastructure/daemonsets/traefik-internal
  uid: c64a20e1-776e-11f8-be83-42010a9c0ff6
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: traefik-internal
      name: traefik-internal
      release: infrastructure
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: traefik-internal
        name: traefik-internal
        release: infrastructure
    spec:
      containers:
      - args:
        - --api
        - --ping
        - --defaultEntryPoints=http,https
        - --logLevel=INFO
        - --accessLog
        - --kubernetes
        - --kubernetes.ingressClass=traefik-internal
        - --metrics.prometheus=true
        - --entryPoints=Name:https Address::443 TLS:/certs/cert.pem,/certs/cert.key
          CA:/certs/clientca.pem
        - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
        - --insecureSkipVerify=true  # disables certificate verification for every backend this Traefik instance proxies to
        image: traefik:1.6.0-rc6-alpine
        imagePullPolicy: IfNotPresent
        name: traefik-internal
        resources: {}
        securityContext:
          privileged: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /certs
          name: traefik-internal-certs
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: sa-traefik
      serviceAccountName: sa-traefik
      terminationGracePeriodSeconds: 60
      volumes:
      - name: traefik-internal-certs
        secret:
          defaultMode: 420
          secretName: traefik-internal
  templateGeneration: 4
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
status:
  currentNumberScheduled: 3
  desiredNumberScheduled: 3
  numberAvailable: 3
  numberMisscheduled: 0
  numberReady: 3
  observedGeneration: 4
  updatedNumberScheduled: 3


The insecureSkipVerify flag is changed within spec.containers.args.

Hope this helps!
