
Secure communication between the Ingress Controller (Traefik) and Kubernetes backend services


I am trying to secure NiFi in a Kubernetes cluster behind a Traefik proxy. Both run as services in K8S. Traefik gets a public certificate. I want it to redirect calls to NiFi while also securing the communication between Traefik (as the Ingress Controller) and the backend pod: NiFi.

It looks like the security configuration should go into my Ingress YAML descriptor. It seems I should issue a CA root, generate NiFi's self-signed certificate with it, and load this CA root into Traefik so that it can verify the certificate NiFi sends during the handshake.

But... I can't figure out 1) whether this is a good approach, 2) how to generate my stores (trust, ...) for NiFi using the CA root, 3) how I should set up my YAML (insecureSkipVerify does not seem to be supported, ...)

Thanks in advance for your help.

Cheers,

Olivier

1 Answer

  • 0

    I had the same problem and could solve it with the insecureSkipVerify flag.
    The problem with traefik is that NiFi gets the request from traefik and sends its self-signed certificate back to traefik for the handshake. Traefik doesn't accept it, so the handshake fails, resulting in a bad_certificate exception in NiFi (at log level DEBUG, so you have to change the logback.xml file).

    So one solution could be to add your self-signed certificate to traefik, which is currently not possible, see this (currently) open issue.

    Another solution without 'insecuring' your existing traefik is to add an nginx between traefik and NiFi. So traefik talks HTTP to nginx, which talks HTTPS to NiFi (this is the next thing I am going to try).

    Or you can set the insecureSkipVerify flag in traefik as in this example:

    apiVersion: extensions/v1beta1
    kind: DaemonSet
    metadata:
      creationTimestamp: 2018-06-21T16:18:46Z
      generation: 4
      labels:
        k8s-app: traefik-internal
        release: infrastructure
      name: traefik-internal
      namespace: infrastructure
      resourceVersion: "18860064"
      selfLink: /apis/extensions/v1beta1/namespaces/infrastructure/daemonsets/traefik-internal
      uid: c64a20e1-776e-11f8-be83-42010a9c0ff6
    spec:
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          k8s-app: traefik-internal
          name: traefik-internal
          release: infrastructure
      template:
        metadata:
          creationTimestamp: null
          labels:
            k8s-app: traefik-internal
            name: traefik-internal
            release: infrastructure
        spec:
          containers:
          - args:
            - --api
            - --ping
            - --defaultEntryPoints=http,https
            - --logLevel=INFO
            - --accessLog
            - --kubernetes
            - --kubernetes.ingressClass=traefik-internal
            - --metrics.prometheus=true
            - --entryPoints=Name:https Address::443 TLS:/certs/cert.pem,/certs/cert.key
              CA:/certs/clientca.pem
            - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
            - --insecureSkipVerify=true
            image: traefik:1.6.0-rc6-alpine
            imagePullPolicy: IfNotPresent
            name: traefik-internal
            resources: {}
            securityContext:
              privileged: true
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
            volumeMounts:
            - mountPath: /certs
              name: traefik-internal-certs
              readOnly: true
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          schedulerName: default-scheduler
          securityContext: {}
          serviceAccount: sa-traefik
          serviceAccountName: sa-traefik
          terminationGracePeriodSeconds: 60
          volumes:
          - name: traefik-internal-certs
            secret:
              defaultMode: 420
              secretName: traefik-internal
      templateGeneration: 4
      updateStrategy:
        rollingUpdate:
          maxUnavailable: 1
        type: RollingUpdate
    status:
      currentNumberScheduled: 3
      desiredNumberScheduled: 3
      numberAvailable: 3
      numberMisscheduled: 0
      numberReady: 3
      observedGeneration: 4
      updatedNumberScheduled: 3
    

    The insecureSkipVerify flag is changed within spec.containers.args.

    Hope this helps!
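As an added example (not code from the question, the answer or Traefik itself), the two outcomes the answer describes, in Go, the language Traefik is written in: a backend certificate is rejected when the proxy holds no CA that issued it, and accepted once that CA root is loaded and the name matches. The CA name example-internal-ca and the backend host nifi.default.svc are assumed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	// parent == template yields a self-signed certificate (the CA root)
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildChain mints a private CA root and a backend server cert signed by it (names are constructed).
func BuildChain(backendHost string) (ca, server *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	from, until := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: until, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "example-internal-ca"}}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: from, NotAfter: until,
		Subject: pkix.Name{CommonName: backendHost}, DNSNames: []string{backendHost}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return ca, issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
}

// VerifyBackend is the check a proxy runs on a backend certificate: chain to a trusted root plus
// hostname match. ca == nil models a proxy with no CA loaded (an empty pool never falls back to
// system roots); Traefik's --insecureSkipVerify (Go's tls.Config.InsecureSkipVerify) disables it.
func VerifyBackend(server, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if ca != nil {
		roots.AddCert(ca)
	}
	_, err := server.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ca, server := BuildChain("nifi.default.svc")
	fmt.Println(VerifyBackend(server, nil, "nifi.default.svc"), "vs", VerifyBackend(server, ca, "nifi.default.svc"))
}
```

The first value printed is the "unknown authority" failure behind the bad_certificate the answer mentions; the second is nil once the CA root is trusted.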
