0
点赞
收藏
分享

微信扫一扫

Kubernetes CKS 2021【4】---Cluster Setup - Secure Ingress

alonwang 2022-05-31 阅读 24
nginxkuberneteshtml5e云计算


文章目录

  • ​​1. 介绍​​
  • ​​2. Practice - create an Ingress​​
  • ​​3. Practice - Secure an Ingress​​

1. 介绍

Kubernetes CKS 2021【4】---Cluster Setup - Secure Ingress_kubernetes
Kubernetes CKS 2021【4】---Cluster Setup - Secure Ingress_nginx_02

2. Practice - create an Ingress

Kubernetes CKS 2021【4】---Cluster Setup - Secure Ingress_5e_03
部署链接:​​​https://kubernetes.github.io/ingress-nginx/deploy/#bare-metal​​

root@master:~/cks/nginx-ingress# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.40.2/deploy/static/provider/baremetal/deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created


root@master:~/cks/nginx-ingress# k get pod,svc -n ingress-nginx
NAME                                            READY   STATUS      RESTARTS   AGE
pod/ingress-nginx-admission-create-2zdxl        0/1     Completed   0          41s
pod/ingress-nginx-admission-patch-tnwlh         0/1     Completed   1          41s
pod/ingress-nginx-controller-548df9766d-6m74x   1/1     Running     0          41s

NAME                                         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
service/ingress-nginx-controller             NodePort    10.104.236.124   <none>        80:31459/TCP,443:30640/TCP   42s
service/ingress-nginx-controller-admission   ClusterIP   10.97.93.128     <none>        443/TCP                      42s

应用ingress链接:​​https://kubernetes.io/zh/docs/concepts/services-networking/ingress/​​

root@master:~/cks/nginx-ingress# cat secure-ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /service1
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80
      - path: /service2
        pathType: Prefix
        backend:
          service:
            name: service2
            port:
              number: 80


root@master:~/cks/nginx-ingress# k create -f secure-ingress.yaml 
ingress.networking.k8s.io/secure-ingress created
root@master:~/cks/nginx-ingress# k get ing
NAME             CLASS    HOSTS   ADDRESS          PORTS   AGE
secure-ingress   <none>   *       192.168.211.41   80      30s

root@master:~/cks/nginx-ingress# k run pod1 --image=nginx
root@master:~/cks/nginx-ingress# k run pod2 --image=httpd

root@master:~/cks/nginx-ingress# k expose pod pod1 --port 80 --name service1
service/service1 exposed
root@master:~/cks/nginx-ingress# k expose pod pod2 --port 80 --name service2
service/service2 exposed

root@master:~/cks/nginx-ingress# curl  http://192.168.211.40:31459/service1
DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
style>
head>
<body>
<h1>Welcome to nginx!h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.orga>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.coma>.p>

<p><em>Thank you for using nginx.em>p>
body>
html>



root@master:~/cks/nginx-ingress# curl  http://192.168.211.40:31459/service2
<html><body><h1>It works!h1>body>html>

3. Practice - Secure an Ingress

参考链接:​​https://kubernetes.io/docs/concepts/services-networking/ingress/#tls​​​Kubernetes CKS 2021【4】---Cluster Setup - Secure Ingress_nginx_04

root@master:~/cks/nginx-ingress# curl  https://192.168.211.40:32300/service1 -kv
*   Trying 192.168.211.40...
* TCP_NODELAY set
* Connected to 192.168.211.40 (192.168.211.40) port 32300 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:                                   #认证失败,没有tls证书
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Apr 21 07:16:50 2021 GMT
*  expire date: Apr 21 07:16:50 2022 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x558de9977430)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /service1 HTTP/2
> Host: 192.168.211.40:32300
> User-Agent: curl/7.58.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 200 
< date: Wed, 21 Apr 2021 07:51:52 GMT
< content-type: text/html
< content-length: 612
< last-modified: Tue, 13 Apr 2021 15:13:59 GMT
< etag: "6075b537-264"
< accept-ranges: bytes
< strict-transport-security: max-age=15724800; includeSubDomains
< 



Welcome to nginx!



Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.


For online documentation and support please refer to
nginx.org.

Commercial support is available at
nginx.com.


Thank you for using nginx.



* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection #0 to host 192.168.211.40 left intact

#创建证书
root@master:~/cks/nginx-ingress# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Generating a 4096 bit RSA private key
....++
........................................................................................................................................................................++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:secure-ingress.com
Email Address []:
root@master:~/cks/nginx-ingress# ls
cert.pem  deploy_0.40.2.yaml  deploy_0.43.0.yaml  key.pem  secure-ingress.yaml

#创建secret
root@master:~/cks/nginx-ingress# k create secret tls secure-ingress --cert=cert.pem --key=key.pem
secret/secure-ingress created
root@master:~/cks/nginx-ingress# k get sec
error: the server doesn't have a resource type "sec"
root@master:~/cks/nginx-ingress# k get secret
NAME                  TYPE                                  DATA   AGE
default-token-rkqr7   kubernetes.io/service-account-token   3      92d
secure-ingress        kubernetes.io/tls                     2      9s



root@master:~/cks/nginx-ingress# vim secure-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
      - secure-ingress.com
    secretName: secure-ingress
  rules:
  - host: secure-ingress.com  
    http:
      paths:
      - path: /service1
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80

      - path: /service2
        pathType: Prefix
        backend:
          service:
            name: service2
            port:
              number: 80
root@master:~/cks/nginx-ingress# k apply -f secure-ingress.yaml 
ingress.networking.k8s.io/secure-ingress configured



root@master:~/cks/nginx-ingress# curl  https://secure-ingress.com:32300/service2 -kv --resolv secure-ingress.com:32300:192.168.211.41
* Added secure-ingress.com:32300:192.168.211.41 to DNS cache
* Hostname secure-ingress.com was found in DNS cache
*   Trying 192.168.211.41...
* TCP_NODELAY set
* Connected to secure-ingress.com (192.168.211.41) port 32300 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:                        #认证成功
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=secure-ingress.com
*  start date: Apr 21 07:55:47 2021 GMT
*  expire date: Apr 21 07:55:47 2022 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=secure-ingress.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55b3c09e2430)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /service2 HTTP/2
> Host: secure-ingress.com:32300
> User-Agent: curl/7.58.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 200 
< date: Wed, 21 Apr 2021 08:13:30 GMT
< content-type: text/html
< content-length: 45
< last-modified: Mon, 11 Jun 2007 18:53:14 GMT
< etag: "2d-432a5e4a73a80"
< accept-ranges: bytes
< strict-transport-security: max-age=15724800; includeSubDomains
< 
It works!
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection #0 to host secure-ingress.com left intact

举报

相关推荐

Kubernetes CKS 2021【3】---Cluster Setup - Dashboard

kubernetes7zgithub4s云计算

Kubernetes CKS 2021【6】---Cluster Setup - CIS Benchmarks

kubernetesdocker容器cloud native云原生云计算

Kubernetes CKS 2021【7】---Cluster Setup - Verify Platform

kuberneteslinux2dd3云计算

Kubernetes CKS 2021【5】---Cluster Setup - Node Metadata

kubernetesnginxbash.net云计算

Kubernetes CKS 2021--网络策略networkpolicy

dockerkubernetes云原生容器ci/cd云计算

Cluster Setup - Network Policies 网络规则

kubernetesdockerk8s容器nginx

Kubernetes Ingress 详解

kubernetes容器云原生主机名负载均衡Html/CSS前端开发

Kubernetes Cluster Autoscaler

容器Docker&...

Kubernetes系列-Ingress

spring bootjava数据库

Kubernetes 的Ingress

nginxPodNginx系统/运维
0 条评论