Kubernetes ingress and client auth application

I have a Spring Boot application.

I secured it with Spring Security and X509 authentication, as described here.

So far so good... everything works.

Now I need to deploy it into a Kubernetes application. Is it possible?

When I use K8S, the K8S ingress controller "consumes" the certificate and it is lost on my application.... Is that right? Can I configure it to keep the certificate so that I can find it in my HttpServletRequest attributes?

Thanks

Angelo

As pointed out in the comments:

Hello, have you considered to use service of type LoadBalancer to send the traffic to your Pods without any facilities to "consume" your certificate? Also if you are using nginx-ingress you could look on SSL passthrough: kubernetes.github.io/ingress-nginx/user-guide/tls/…

Establishing a connection between a Client and a Pod in Kubernetes without "consuming" the certificate can be done with either:

  • Service of type LoadBalancer
  • Ingress controller with SSL passthrough

Service of type LoadBalancer

LoadBalancer: Exposes the Service externally using a cloud provider's load balancer. NodePort and ClusterIP Services, to which the external load balancer routes, are automatically created.

-- Kubernetes.io: Service: LoadBalancer

You can configure a Service that exposes your traffic externally on layer 4 (TCP/UDP). The traffic is forwarded unchanged to your desired workload (Deployment/StatefulSet), so TLS is terminated in the Pod and the client certificate reaches the application.

Example:

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
  type: LoadBalancer

Ingress controller with SSL passthrough

You can also use an Ingress controller that supports SSL Passthrough. One of the controllers with this feature is ingress-nginx:

SSL Passthrough leverages SNI and reads the virtual domain from the TLS negotiation, which requires compatible clients. After a connection has been accepted by the TLS listener, it is handled by the controller itself and piped back and forth between the backend and the client.

This feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and handing it over to a local TCP proxy. This bypasses NGINX completely and introduces a non-negligible performance penalty.

-- Kubernetes.github.io: Ingress nginx: User guide: TLS: SSL passthrough

Remember!

The --enable-ssl-passthrough flag enables the SSL Passthrough feature, which is disabled by default.


As more of a workaround, you can also look at the following (there is an example in the link):

Exposing TCP and UDP services

Ingress does not support TCP or UDP services. For this reason this Ingress controller uses the flags --tcp-services-configmap and --udp-services-configmap to point to an existing config map where the key is the external port to use and the value indicates the service to expose using the format: <namespace/service name>:<service port>:[PROXY]:[PROXY]

-- Kubernetes.github.io: Ingress nginx: User guide: Exposing tcp and udp services
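Putting the SSL passthrough option together, as an added example that is not part of the original answer or of the ingress-nginx documentation: a ClusterIP Service in front of the Spring Boot Pods and an Ingress carrying the ingress-nginx passthrough annotation. The names (`spring-x509-app`, `app.example.com`, namespace `default`, container port 8443) and the ingress class name `nginx` are assumptions; the controller must be started with `--enable-ssl-passthrough` or the annotation has no effect.

```yaml
# Assumed names (not from the original page): spring-x509-app, app.example.com, port 8443.
apiVersion: v1
kind: Service
metadata:
  name: spring-x509-app
  namespace: default
spec:
  selector:
    app: spring-x509-app
  ports:
    - name: https
      protocol: TCP
      port: 8443        # port the ingress controller pipes the TLS stream to
      targetPort: 8443  # Spring Boot server.port, with server.ssl.* configured in the app
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: spring-x509-app
  namespace: default
  annotations:
    # Hand the raw TLS connection to the Pod. NGINX never terminates it,
    # so the client certificate arrives at Spring Security unchanged.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  # No spec.tls block: the controller does not hold the server certificate,
  # the Pod's keystore does.
  rules:
    - host: app.example.com   # matched against the SNI name the client sends
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: spring-x509-app
                port:
                  number: 8443
```

Two things to check once this is applied. First, passthrough routes on SNI only, so only the host matters; the path cannot be used to split traffic, and no HTTP headers such as X-Forwarded-For can be injected because the controller is only a TCP pipe. Second, the Pod must actually request the client certificate: in Spring Boot that is `server.ssl.client-auth=need` (or `want`) together with a `server.ssl.trust-store` holding the accepted client CAs, after which the certificate chain is available to the application under the servlet request attribute `javax.servlet.request.X509Certificate`, which is what Spring Security's X509 filter reads.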
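The TCP-services workaround quoted above, as an added example that is not from the original answer (the controller namespace `ingress-nginx`, the ConfigMap name `tcp-services` and the Service `default/spring-x509-app:8443` are assumptions): the controller forwards the raw TCP stream on port 8443 to the Spring Boot Service, so TLS and client-certificate verification happen in the Pod exactly as with SSL passthrough, without needing an Ingress resource or SNI.

```yaml
# Assumed: controller runs in namespace ingress-nginx, app Service is default/spring-x509-app:8443.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  # key   = port the controller listens on
  # value = <namespace>/<service>:<service port>
  # Appending ":PROXY:PROXY" would make the controller decode and re-emit the
  # PROXY protocol on that port; leave it off unless the Pod is configured
  # to expect a PROXY header in front of the TLS handshake.
  "8443": "default/spring-x509-app:8443"
```

For this to work the controller has to be started with `--tcp-services-configmap=ingress-nginx/tcp-services`, and port 8443 must also be added to the controller's own Service (the LoadBalancer in front of it), otherwise nothing outside the cluster can reach the listener. As with passthrough, the source IP the application sees is the controller's unless the PROXY protocol is enabled on both sides.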