Last updated: 2022-08-04 10:59:23
This document describes how to configure HTTPS access for an application running in Kingsoft Cloud Container Service (金山云容器服务).
Depending on how the application is exposed, the certificate can currently be configured in one of two places: on the load balancer, for an application exposed through a Service of type LoadBalancer, or in an Ingress, as a Kubernetes TLS Secret.
Prerequisites
The cloud-controller-manager in the cluster must be running normally; it is the component that creates and configures the cloud load balancer for Services of type LoadBalancer. Check its Deployment in the kube-system namespace (one replica desired, current, up-to-date and available):
[root@vm10-0-33-13 ~]# kubectl get deploy -n kube-system | grep cloud
cloud-controller-manager   1         1         1            1           35d
A certificate and its private key are also needed. For testing, generate a self-signed certificate and a 2048-bit RSA key with openssl (valid for 365 days; the Common Name foo.bar.com is the test domain used throughout this document). A self-signed certificate is not trusted by browsers and only serves to exercise the configuration; for production, use a certificate issued by a trusted CA.
[root@vm10-0-33-13 CAtest]# openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
Generating a 2048 bit RSA private key
...............+++
.............................+++
writing new private key to 'tls.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Kingsoft
Organizational Unit Name (eg, section) []:Ksyun
Common Name (eg, your name or your server's hostname) []:foo.bar.com
Email Address []:ksyun@kingsoft.com
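The interactive session above yields a certificate whose only identity is the Common Name. Chrome (since version 58) and other modern clients ignore the CN and require the host name in the subjectAltName extension, so such a certificate produces a name-mismatch error even after the self-signed warning is accepted. The following script is an added example, not part of the original document or of Kingsoft Cloud's tooling: it generates the same kind of test certificate non-interactively with a DNS SAN, and then checks the points that cause an upload to the load balancer or a TLS Secret to be rejected, or the site to fail: the SAN covers the host, the private key belongs to the certificate, and the certificate is not about to expire. The host foo.bar.com, the C/O values and the file names are assumptions taken from the prompt above.

```shell
#!/bin/sh
# Added example (not from the Kingsoft Cloud page): generate a self-signed
# test certificate for a host non-interactively, with a subjectAltName, and
# check the resulting files before uploading them or putting them in a
# Secret. Requires only the openssl CLI.

# gen_selfsigned DIR HOST DAYS: write DIR/tls.key and DIR/tls.crt for HOST.
# A config file is used instead of "-addext" so this also works on
# OpenSSL 1.0.x, which the interactive prompt on this page suggests.
gen_selfsigned() {
  dir=$1; host=$2; days=$3
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
C  = CN
O  = Kingsoft
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" -config "$dir/san.cnf"
}

# cert_has_san CRT HOST: succeed only if HOST is listed as a DNS SAN
# (exact match; the CN is deliberately not consulted, like a browser).
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxF "DNS:$2"
}

# key_matches_cert KEY CRT: the private key must belong to the certificate,
# otherwise the load balancer or ingress controller rejects the pair.
# Compared via the public key, so it works for RSA and EC keys alike.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for_days CRT N: succeed if the certificate is still valid
# N days from now (openssl -checkend takes seconds).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone demo: generate into a temporary directory and run the checks.
demo() {
  d=$(mktemp -d)
  gen_selfsigned "$d" foo.bar.com 365 2>/dev/null
  cert_has_san "$d/tls.crt" foo.bar.com && echo "SAN covers foo.bar.com"
  key_matches_cert "$d/tls.key" "$d/tls.crt" && echo "key matches certificate"
  cert_valid_for_days "$d/tls.crt" 30 && echo "valid for at least 30 more days"
  openssl x509 -in "$d/tls.crt" -noout -subject -enddate
  rm -rf "$d"
}
demo
```

Once the three checks pass, the same tls.crt and tls.key are what goes into the load balancer console (Method 1) or into kubectl create secret tls (Method 2).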
Method 1: Configuring the certificate on the load balancer
Characteristics: the certificate is installed on the load balancer (SLB), which terminates TLS and provides the external HTTPS entry point for the application; traffic from the load balancer to the Pods inside the cluster is still plain HTTP.
Applicable scenario: the application is not exposed through an Ingress but directly through a Service of type LoadBalancer.
Step 1: Create the nginx Deployment (nginx-deploy.yaml):
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
Note: the extensions/v1beta1 Deployment API was removed in Kubernetes 1.16; on clusters at or beyond that version use apiVersion: apps/v1, which additionally requires a spec.selector matching the Pod labels (app: nginx).
Step 2: Create the certificate in the load balancer console
ⅰ. Open the Kingsoft Cloud Load Balancer console, go to Certificates > Load Balancer Certificates, and click Create Certificate.
ⅱ. In the Create Certificate dialog, enter a certificate name, paste the certificate (tls.crt) into the certificate content field and the private key (tls.key) into the private key field, then click Create.
ⅲ. Open the certificate details and note the certificate ID.
Step 3: Create a Service of type LoadBalancer (nginx-svc.yaml) that references the certificate in its annotations.
Note: the annotation service.beta.kubernetes.io/ksc-loadbalancer-protocol-port has the format "PROTOCOL:PORT", and PORT must be identical to the port under spec:ports (here HTTPS:443 and port: 443). The certificate ID obtained in step 2 goes into service.beta.kubernetes.io/ksc-loadbalancer-cert-id. targetPort remains 80 because the Pods speak plain HTTP; TLS is terminated on the load balancer.
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/ksc-loadbalancer-protocol-port: "HTTPS:443"
    service.beta.kubernetes.io/ksc-loadbalancer-cert-id: "your-cert-id"  # replace with your certificate ID
  labels:
    app: nginx
  name: https-lb
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
Step 4: Apply both manifests and check that the Service has received a public address:
[root@vm10-0-33-13]# kubectl create -f nginx-deploy.yaml
deployment.extensions/nginx created
[root@vm10-0-33-13]# kubectl create -f nginx-svc.yaml
service/https-lb created
[root@vm10-0-33-13 CAtest]# kubectl get svc | grep https-lb
https-lb   LoadBalancer   10.254.101.229   120.92.86.xx   443:31937/TCP   76d
Note:
The public IP of the Service is the EXTERNAL-IP column above. For testing, resolve the test domain foo.bar.com to that IP by adding an entry to the hosts file of the client:
120.92.86.xx foo.bar.com
Then open https://foo.bar.com in a browser to verify. Because the test certificate is self-signed the browser shows a trust warning; check in the certificate details that the certificate presented is the one uploaded in step 2.
Method 2: Configuring the certificate in an Ingress
Characteristics: no changes to the SLB configuration are needed; every application manages its own certificate through its Ingress, independently of the others.
Applicable scenarios: each application needs its own certificate; or the cluster contains applications that may only be accessed with a certificate.
Step 1: Create a TLS Secret from the certificate and key generated in the prerequisites. The Secret must be in the same namespace as the Ingress that will reference it (here the default namespace):
[root@vm10-0-33-13]# kubectl create secret tls secret-https --key tls.key --cert tls.crt
secret/secret-https created
Step 2: Expose the nginx-ingress controller deployed in the cluster to the public network; see the document "Using Nginx-ingress" (Nginx-ingress使用) for details.
Step 3: Create the Service for nginx. Here the nginx Service only needs to be reachable inside the cluster (type ClusterIP) on port 80, since TLS is terminated by the ingress controller; nginx-service.yaml:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: ClusterIP
Step 4: Create the Ingress (ingress.yaml). The host in rules and in tls.hosts must be the same name, and it must be the name the certificate was issued for; secretName points at the Secret from step 1:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-https
  annotations:
    kubernetes.io/ingress.class: nginx-ingress
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
  tls:
  - hosts:
    - foo.bar.com
    secretName: secret-https
Note: the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22; on clusters at or beyond that version use apiVersion: networking.k8s.io/v1, whose backend is written as service.name / service.port.number and whose paths require a pathType.
Step 5: Apply the manifests and check the resulting objects:
[root@vm10-0-33-13]# kubectl create -f nginx-service.yaml
service/nginx created
[root@vm10-0-33-13]# kubectl create -f ingress.yaml
ingress.extensions/nginx-https created
[root@vm10-0-33-13 CAtest]# kubectl get svc | grep nginx
nginx   ClusterIP   10.254.99.223   <none>   80/TCP   3m35s
[root@vm10-0-33-13 CAtest]# kubectl get ing
NAME          HOSTS         ADDRESS   PORTS     AGE
nginx-https   foo.bar.com             80, 443   2m26s
Note: here the test domain foo.bar.com is resolved to the public IP of the nginx-ingress Service (not of the nginx Service, which has no external address) by adding an entry to the hosts file of the client:
120.92.xx.xxx foo.bar.com
Then open https://foo.bar.com in a browser to verify.
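Both verification notes above (Method 1 and Method 2) resolve foo.bar.com to the public IP through the hosts file and check in a browser. The following script is an added example, not part of the original document: it performs the same check from the command line with openssl s_client, connecting to the IP directly while sending foo.bar.com as the TLS server name (SNI), and compares the SHA-256 fingerprint of the certificate actually served with that of the tls.crt uploaded to the load balancer or stored in the Secret. It also checks that the served certificate validates for the host name when tls.crt is used as the trust anchor, which is what a client that has imported the test certificate would do. Host, IP, port and certificate path are arguments; the values in the usage line are the page's placeholders.

```shell
#!/bin/sh
# Added example (not from the Kingsoft Cloud page): check the HTTPS endpoint
# of a LoadBalancer Service (Method 1) or an Ingress (Method 2) without
# editing /etc/hosts. Requires only the openssl CLI (1.1.0+ for
# -verify_hostname).

# served_cert HOST IP PORT: print, PEM-encoded, the leaf certificate the
# endpoint at IP:PORT presents when HOST is sent in the SNI extension.
served_cert() {
  openssl s_client -connect "$2:$3" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM 2>/dev/null
}

# fingerprint CRT: SHA-256 fingerprint of a certificate file.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_endpoint HOST IP PORT EXPECTED_CRT: succeed only if the certificate
# served for HOST is the one in EXPECTED_CRT (compared by fingerprint).
check_endpoint() {
  got=$(served_cert "$1" "$2" "$3" \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
  want=$(fingerprint "$4")
  echo "served:   ${got:-<no certificate received>}"
  echo "expected: $want"
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# check_hostname HOST IP PORT TRUST_CRT: succeed only if the served chain
# verifies against TRUST_CRT and covers HOST (SAN, or CN fallback in
# OpenSSL). -verify_return_error turns a verification failure into a
# failed handshake and a non-zero exit status.
check_hostname() {
  openssl s_client -connect "$2:$3" -servername "$1" -verify_hostname "$1" \
    -CAfile "$4" -verify_return_error </dev/null >/dev/null 2>&1
}

# Stand-alone use: sh check-https.sh HOST IP PORT tls.crt
if [ $# -eq 4 ]; then
  check_endpoint "$1" "$2" "$3" "$4" && check_hostname "$1" "$2" "$3" "$4" \
    && echo "endpoint serves the expected certificate for $1"
fi
```

For Method 1 the arguments are the test domain, the EXTERNAL-IP of the https-lb Service, 443 and the tls.crt uploaded to the console (for example sh check-https.sh foo.bar.com 120.92.86.xx 443 tls.crt); for Method 2, the public IP of the nginx-ingress Service instead. An equivalent end-to-end request without a hosts entry is curl --resolve foo.bar.com:443:120.92.86.xx --cacert tls.crt https://foo.bar.com, which also exercises the HTTP backend behind the terminated TLS connection.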