Tuesday, May 7, 2019

Ingress control versus external and internal application endpoint security
An ingress controller controls the traffic into a Kubernetes cluster. Typically this is done with the help of nginx, and an ingress-nginx controller can be configured to use a certificate.

Kubernetes is a system for managing containerized applications; it facilitates deployment and scaling. As part of deployment, applications have to set up passwords, keys, certificates and other secrets. These secrets have to be made available as files and environment variables for the deployment to go through. Keys and certificates are used to secure data: the public key encrypts and the private key decrypts. A certificate serves as a stamp of authority and can include the public key. The certificate then becomes usable to secure the ends of a channel such as https.

Applications tend to require a key and a certificate in their configuration. Sometimes they require keystores and truststores as alternative formats. A keystore is a combination of key and certificate, made available as a file with a pfx or p12 extension. A truststore is merely a collection of certificates to be trusted; it can include a certificate chain if the certificates are signed.

Kubernetes takes keys, certificates, keystores and truststores as secrets. For example, we can specify:
kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
Two steps are required to secure the ingress controller:
1) Use a library such as cert-manager to generate keys and certificates.
2) Use the generated key and certificate as Kubernetes secrets, and generate the keystore and truststore whose location is specified in the SSL configuration of the application.
An ingress resource is defined, for example for nginx, where the http and https ports are declared. The ingress resource is merely a declaration of the traffic policy. An ingress controller can be made strictly https by redirecting http traffic to https. It therefore works more like a gateway.
In addition, applications may define their own endpoints that have their own ports, or even require certificates beyond the catch-all that the ingress resource provides. In such cases the application requires its own configuration, with even a separate key and certificate pair.
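The two steps above and the application-side endpoint, as an added example that is not from the original post: a cert-manager Certificate that also emits PKCS12 keystore and truststore files into the secret, an nginx Ingress that redirects http to https, and a backend reached over its own https port. The host app.example.com, the ClusterIssuer ca-issuer and the password secret are assumptions, and the keystores feature assumes a cert-manager version that supports it (it postdates this post).

```yaml
# Added example, not the post's own manifests. Constructed placeholder values.
apiVersion: v1
kind: Secret
metadata:
  name: keystore-password          # protects the generated .p12 files
type: Opaque
stringData:
  password: "change-me"            # placeholder password
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls
spec:
  secretName: app-tls              # will hold tls.key, tls.crt, ca.crt
  dnsNames:
    - app.example.com              # assumed hostname
  issuerRef:
    kind: ClusterIssuer
    name: ca-issuer                # assumed issuer name
  keystores:
    pkcs12:
      create: true                 # adds keystore.p12 and truststore.p12 to the secret
      passwordSecretRef:
        name: keystore-password
        key: password
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  annotations:
    # plain http requests are answered with a redirect to https
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # the backend terminates its own TLS on 8443 with the same keystore
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.example.com]
      secretName: app-tls          # certificate presented by the ingress controller
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 8443
```

The application's Deployment mounts the app-tls secret as a volume and points its SSL configuration at the mounted keystore.p12 and truststore.p12, so the same issued certificate covers both the ingress and the application's own endpoint.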
