---
tags: Kubernetes, mTLS, Security
---

# How Kubernetes uses mTLS

mTLS is an approach that uses certificates when pods communicate with one another.

**Service mesh, network policy and ingress are different features.**

**This article does not cover installing linkerd.**

* istio and linkerd are service-mesh packages; they are not part of native Kubernetes.

**References:**

1. [Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/ "Securing a Cluster")
2. [Manage TLS Certificates in a Cluster](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ "Manage TLS Certificates in a Cluster")
3. [Certificate Signing Requests](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/ "CSR")
4. [11 Ways (Not) to Get Hacked](https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/ "11 Ways (Not) to Get Hacked")
5. [Automatic mTLS](https://linkerd.io/2/features/automatic-mtls/ "Automatic mTLS")
6. [Securing Your Application with mTLS](https://linkerd.io/2/tasks/securing-your-service/ "Securing Your Application with mTLS")

:::info
1. linkerd's own sample differs somewhat; refer to the content below.
2. This example currently uses linkerd.
:::

## Create

```
inwin@master:~$ wget https://run.linkerd.io/emojivoto.yml
```

`After fetching anything, always inspect its contents before deciding whether to use it.`

```
inwin@master:~$ cat emojivoto.yml |linkerd inject --enable-debug-sidecar - |kubectl create -f -
namespace "emojivoto" injected
serviceaccount "emoji" skipped
serviceaccount "voting" skipped
serviceaccount "web" skipped
service "emoji-svc" skipped
service "voting-svc" skipped
service "web-svc" skipped
deployment "emoji" injected
deployment "vote-bot" injected
deployment "voting" injected
deployment "web" injected
namespace/emojivoto created
serviceaccount/emoji created
serviceaccount/voting created
serviceaccount/web created
service/emoji-svc created
service/voting-svc created
service/web-svc created
deployment.apps/emoji created
deployment.apps/vote-bot created
deployment.apps/voting created
deployment.apps/web created
inwin@master:~$ kubectl get -n emojivoto deploy,po
NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/emoji      0/1     1            0           40s
deployment.apps/vote-bot   0/1     1            0           40s
deployment.apps/voting     0/1     1            0           40s
deployment.apps/web        0/1     1            0           40s

NAME                           READY   STATUS            RESTARTS   AGE
pod/emoji-5cc85dbbdd-qffn2     0/3     PodInitializing   0          40s
pod/vote-bot-5b78d54d9-zzlcw   0/3     PodInitializing   0          40s
pod/voting-57659b8c87-lkq9p    0/3     PodInitializing   0          40s
pod/web-6f4fdf6bc9-6qhnj       0/3     PodInitializing   0          40s
...
...
...
inwin@master:~$ kubectl get -n emojivoto deploy,po
NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/emoji      1/1     1            1           2m29s
deployment.apps/vote-bot   1/1     1            1           2m29s
deployment.apps/voting     1/1     1            1           2m29s
deployment.apps/web        1/1     1            1           2m29s

NAME                           READY   STATUS    RESTARTS   AGE
pod/emoji-5cc85dbbdd-qffn2     3/3     Running   0          2m29s
pod/vote-bot-5b78d54d9-zzlcw   3/3     Running   0          2m29s
pod/voting-57659b8c87-lkq9p    3/3     Running   0          2m29s
pod/web-6f4fdf6bc9-6qhnj       3/3     Running   0          2m29s
```

## Verify with linkerd

**Note: `tls=true` in the output is what confirms that the connection is using mTLS.**

```
inwin@master:~$ linkerd -n emojivoto tap deploy vote-bot
req id=0:0 proxy=out src=10.6.235.166:53974 dst=10.6.235.165:8080 tls=true :method=GET :authority=web-svc.emojivoto:80 :path=/api/list
rsp id=0:0 proxy=out src=10.6.235.166:53974 dst=10.6.235.165:8080 tls=true :status=200 latency=105505µs
end id=0:0 proxy=out src=10.6.235.166:53974 dst=10.6.235.165:8080 tls=true duration=45µs response-length=4513B
req id=0:1 proxy=out src=10.6.235.166:53974 dst=10.6.235.165:8080 tls=true :method=GET :authority=web-svc.emojivoto:80 :path=/api/vote
```

## Other common situations

1. Can a service mesh be applied to a deployment that already exists?

   **Yes. The main action is adding the sidecar, which requires rebuilding the deployment with `replace`.**

   ```
   inwin@master:~$ kubectl create deployment alreadydeploy --image=nginx --replicas=2
   deployment.apps/alreadydeploy created
   inwin@master:~$ kubectl get deploy,po
   NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
   deployment.apps/alreadydeploy   2/2     2            2           16s

   NAME                                 READY   STATUS    RESTARTS   AGE
   pod/alreadydeploy-6656f65957-tdccr   1/1     Running   0          16s
   pod/alreadydeploy-6656f65957-wnk9k   1/1     Running   0          16s
   inwin@master:~$ kubectl get deployments.apps alreadydeploy -o yaml |linkerd inject - |kubectl replace -f -
   deployment "alreadydeploy" injected
   deployment.apps/alreadydeploy replaced
   inwin@master:~$ kubectl get deploy,pod
   NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
   deployment.apps/alreadydeploy   2/2     2            2           2m42s

   NAME                                 READY   STATUS        RESTARTS   AGE
   pod/alreadydeploy-6656f65957-wnk9k   1/1     Terminating   0          2m42s
   pod/alreadydeploy-dd556b4d6-b22xq    2/2     Running       0          58s
   pod/alreadydeploy-dd556b4d6-qfsfp    2/2     Running       0          34s
   ```

2. Pods created with `kubectl run` do not support this feature.
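As an added example (not part of the original note), the following shell snippet parses `linkerd tap` request lines in the format shown in the verification section above and reports every flow the proxy did not mark `tls=true`, so a reviewer does not have to eyeball the `tls=` field. The tap lines embedded in it are constructed sample data, including a hypothetical plaintext flow to `legacy-svc.default`, not output from the page's cluster.

```shell
#!/bin/sh
# Constructed sample of `linkerd tap` output (not captured from the page's cluster):
# the first request is mTLS-protected, the third is a hypothetical plaintext flow.
SAMPLE_TAP='req id=0:0 proxy=out src=10.6.235.166:53974 dst=10.6.235.165:8080 tls=true :method=GET :authority=web-svc.emojivoto:80 :path=/api/list
rsp id=0:0 proxy=out src=10.6.235.166:53974 dst=10.6.235.165:8080 tls=true :status=200 latency=105505us
req id=0:1 proxy=out src=10.6.235.166:53975 dst=10.6.235.170:9090 tls=false :method=GET :authority=legacy-svc.default:9090 :path=/health'

# plaintext_flows: read tap lines on stdin and print "src dst authority" once
# for every request line whose tls field is anything other than "true".
plaintext_flows() {
  awk '
    $1 == "req" {
      src = dst = tls = auth = ""
      for (i = 2; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "src") src = kv[2]
        else if (kv[1] == "dst") dst = kv[2]
        else if (kv[1] == "tls") tls = kv[2]
        else if (kv[1] == ":authority") auth = kv[2]
      }
      key = src " " dst " " auth
      if (tls != "true" && !seen[key]++)
        print key
    }'
}

# tap_all_tls: exit 0 when every request on stdin carried tls=true, 1 otherwise.
# Usage: linkerd -n emojivoto tap deploy vote-bot | tap_all_tls
tap_all_tls() {
  [ -z "$(plaintext_flows)" ]
}
```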