Alexey Verkhovtsev, 2020-07-04 13:44:49
TLS

How to work with TLS in Kubernetes?

Hello!
Introduction:
I have 2 applications (a gRPC client and server, though it doesn't matter which) and they need to communicate via TLS. Without Kubernetes, everything is quite simple. I create my CA via cfssl in a separate container, get the root certificate and put it in the trust store for my 2 gRPC applications (in the Dockerfile) so that any certificate signed by my CA will be verified.

Next, Kubernetes comes into play. I'm still playing locally using minikube. I run minikube start on a Mac (maybe that's important, I don't know...).

Problem:
How will this flow work with Kubernetes? As I understand it, there is already a CA inside Kubernetes (correct me if this is not the case). I read a lot of articles, but I didn't really understand anything. I tried the examples from this article: https://kubernetes.io/docs/tasks/tls/managing-tls-...
Going through the steps:
1) Create a signing request

cat <<EOF | cfssl genkey - | cfssljson -bare server
{
  "hosts": [
    "my-svc.my-namespace.svc.cluster.local",
    "my-pod.my-namespace.pod.cluster.local",
    "192.0.2.24",
    "10.0.34.2"
  ],
  "CN": "my-pod.my-namespace.pod.cluster.local",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF

The first thing I didn't understand was the hosts. For example, is my-svc.my-namespace.svc.cluster.local the full name of my service (I mean the Service in Kubernetes, kind: Service)? I have it in the namespace "dev" and its name is user-app-service. Should I then specify it like user-app-service.dev.svc.cluster.local, or just user-app-service? Or is there some command to get the full service name?

192.0.2.24 - as I understand it, this is the IP of the service. It is also not clear whether it is necessary to specify it, or whether only the name of the service is possible. What if I have clusterIP: None set? Then there will be no IP.

my-pod.my-namespace.pod.cluster.local - is this required? After all, if I have several pods, should I list them all? Then the problem is the dynamics, because pods are recreated, removed and added, and I would need to send a new signing request each time. And the same questions I had for the service apply to my-pod and namespace. Plus, is it possible to somehow see the full name of the pod with all this data?

10.0.34.2 - the pod IP, same questions as for the service IP.

What I tried: I tried just specifying the name of my user-app-service in hosts and CN (as if I were working without Kubernetes). I created a signing request and a key. Then, step by step, I created a signing request object in Kubernetes:

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: my-svc.my-namespace
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

Then I approved it and received a certificate.
Further, for security, as I understand it, I need to put the key and the certificate into Secrets and get them into the container (for test purposes I just put them into the container in the Dockerfile, hardcoded, so to speak); this is the gRPC server. I deployed the Deployment and created a client, specifying config := &tls.Config{} in the code so that it pulls the trusted certificates from the system itself. I thought that since Kubernetes has a CA (but I didn't find in the docs how to get its certificate), Kubernetes itself somehow adds it to all containers. It looks like this is not the case, and naturally I got the error Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". How is all this supposed to work? Where can I get the CA certificate from Kubernetes? And then, do I also need to add it by hand to each container in the Dockerfile? Or is this the wrong tactic, and is there some kind of automation in Kubernetes?

I found another way: deploy cfssl https://hub.docker.com/r/cfssl/cfssl/ in a pod in Kubernetes and work with it as if there were no Kubernetes (I haven't tried this method yet, because it seems to me that since there is already a CA, why bother with something else).

In general, how do I put it all together into a working system, which options to use and why, as well as the important questions about signing that I indicated above? Maybe there are some full-fledged articles. I wrote a lot, maybe a little chaotically, but I hope it's clear. I really need the help of knowledgeable people.

Thanks in advance
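An added worked example (editor's code, not part of the question or of any Kubernetes or cfssl project) that reproduces the "x509: certificate signed by unknown authority" failure from the post offline, with only the Go standard library and no cluster or gRPC dependency. It plays the role of cfssl by generating a private CA and a server certificate in memory, then dials the server three ways: with an empty-style tls.Config (system roots only), with the private CA pinned in RootCAs, and with the right CA but a name that is not in the certificate's SANs. The Service name user-app-service in namespace dev, the CA name "demo-private-ca" and the loopback address are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServiceDNS is the assumed in-cluster name of the gRPC server's Service (a Service
// "user-app-service" in namespace "dev"); whatever the client dials by must be a SAN.
const ServiceDNS = "user-app-service.dev.svc.cluster.local"

// issue generates a P-256 key for template and signs it with parentKey; nil parent = self-signed.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// StartDemo stands in for cfssl (a private CA plus a server certificate whose SANs are the
// service DNS name and the listen IP) and for the gRPC server (a loopback listener that
// completes the TLS handshake and hangs up). It returns the address to dial, the trust
// pool holding the private CA, and a function that stops the server.
func StartDemo() (addr string, pool *x509.CertPool, stop func(), err error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-private-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return "", nil, nil, err
	}
	srv, srvKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: ServiceDNS},
		DNSNames:    []string{ServiceDNS},               // the "hosts" entry for dialing by name
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // the "hosts" entry for dialing by IP
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return "", nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
	})
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	// In a real deployment: pool.AppendCertsFromPEM(caPEM) with the CA PEM read from a mounted Secret/ConfigMap.
	pool = x509.NewCertPool()
	pool.AddCert(ca)
	return ln.Addr().String(), pool, func() { ln.Close() }, nil
}

// Dial performs a TLS handshake with cfg and returns the verification error, if any.
func Dial(addr string, cfg *tls.Config) error {
	c, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return c.Close()
}

func main() {
	addr, pool, stop, err := StartDemo()
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("system roots only:", Dial(addr, &tls.Config{ServerName: ServiceDNS}))               // unknown authority
	fmt.Println("private CA pinned:", Dial(addr, &tls.Config{RootCAs: pool, ServerName: ServiceDNS})) // <nil>
	fmt.Println("name not in SANs: ", Dial(addr, &tls.Config{RootCAs: pool, ServerName: "other-app.dev.svc.cluster.local"}))
}
```

What the three dials show: the hosts list in the cfssl request becomes the certificate's SAN list, and the name the client dials (for gRPC, the authority) must equal one of those entries, so for a Service in namespace dev the entry is user-app-service.dev.svc.cluster.local; IP entries are only needed when something actually dials by IP, and a headless Service (clusterIP: None) has no Service IP to list. A bare tls.Config{} trusts only the system roots baked into the container image, and nothing adds a private CA there automatically, which is exactly the "certificate signed by unknown authority" error in the post; the client must load the certificate of whichever CA actually signed the server certificate into RootCAs, typically from a file mounted from a Secret or ConfigMap. The Kubernetes CSR API returns only the signed certificate in status.certificate, not the signer's CA, so the example keeps the CA under its own control, as with cfssl.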
