Question
I'm currently playing with NGINX ingress controller in my k8s cluster. I was trying to make end-to-end encryption work and I was able to make the connection secure all the way to the pod.
In order to achieve HTTPS all the way to the pod, I had to use the annotation
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
Sample Ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-api-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - foo.example.com
    secretName: foo-cert
  rules:
  - host: foo.example.com
    http:
      paths:
      - path: /path1
        backend:
          serviceName: foo-api-path1-service
          servicePort: 443
      - path: /path2
        backend:
          serviceName: foo-api-path2-service
          servicePort: 443
I'm confused in terms of how exactly this happens, because when we encrypt the connection the path also gets encrypted, so how does NGINX do path-based routing? Does it decrypt the connection at the ingress and re-encrypt it? Also, does performance get affected by using this method?
Answer
TL;DR
"Does it decrypt the connection at the ingress and re-encrypt it?"
In short, yes. Please see the explanation below.
The path that a request travels to get to a Pod can be seen as follows.
Assuming that we have an Ingress controller (nginx-ingress) in place of an Ingress, you can have several ways to connect your client with a Pod (simplified):
- Unencrypted:
  client -- (HTTP) --> Ingress controller -- (HTTP) --> Service ----> Pod
- Encrypted at the Ingress controller (with nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"):
  client -- (HTTP) --> Ingress controller -- (HTTPS) --> Service ----> Pod
- Encrypted and decrypted at the Ingress controller, where TLS Termination happens:
  client -- (HTTPS) --> Ingress controller (TLS Termination) -- (HTTP) --> Service ----> Pod
Your setup:
- Encrypted and decrypted at the Ingress controller, where TLS Termination happens, and encrypted once again when connecting to an HTTPS backend by nginx.ingress.kubernetes.io/backend-protocol: "HTTPS":
  client -- (HTTPS) --> Ingress controller (TLS Termination) -- (HTTPS) --> Service ----> Pod
- Encrypted and decrypted at the Pod, where the Ingress controller is configured with SSL Passthrough:
  client -- (HTTPS) --> Ingress controller -- (HTTPS) --> Service ----> Pod
Disclaimer!
This is only a simplified explanation. For more reference you can look at this comment:
One detail is missing here: SSL Passthrough traffic never reaches NGINX in the ingress controller. There is a Go listener for TLS connections that simply pipes the traffic to the Service defined in the Ingress.
For more reference you can look at a similar question (with an answer):
You can also check this article with an example setup similar to yours:
Additional resources:
- Github.com: Kubernetes: Ingress nginx: Is it possible to secure the backend connection from the nginx controller?
- Github.com: Kubernetes: Ingress nginx: Nginx configuration: Annotations: Backend certificate authentication
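The two end-to-end variants from the answer, written out as manifests. This is an added example, not part of the original question or answer: the first Ingress re-encrypts towards the backend (TLS terminated at the controller, so the path is visible and path-based routing works), the second uses SSL Passthrough (the controller never decrypts, routes by the TLS SNI host only, and cannot see paths). The service names, namespace and secret names are assumptions for illustration; the annotations are ingress-nginx's documented backend-protocol, proxy-ssl-* and ssl-passthrough annotations, and the passthrough variant additionally requires the controller to run with the --enable-ssl-passthrough flag.

```yaml
# Variant A: TLS terminated at the controller, re-encrypted to the Pod.
# The controller sees the decrypted request, so /path1 and /path2 route normally.
# By default the controller does NOT verify the backend certificate; the
# proxy-ssl-* annotations turn that verification on (CA bundle lives in a Secret
# with a "ca.crt" key; "ingress-demo/backend-ca" is an assumed name).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo-api-reencrypt          # assumed name
  namespace: ingress-demo          # assumed namespace
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "ingress-demo/backend-ca"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-name: "foo-api.internal"  # CN/SAN the Pod cert carries (assumed)
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - foo.example.com
    secretName: foo-cert           # certificate the controller presents to clients
  rules:
  - host: foo.example.com
    http:
      paths:
      - path: /path1
        pathType: Prefix
        backend:
          service:
            name: foo-api-path1-service
            port:
              number: 443
      - path: /path2
        pathType: Prefix
        backend:
          service:
            name: foo-api-path2-service
            port:
              number: 443
---
# Variant B: SSL Passthrough. Bytes are piped to the Pod without decryption, so
# the Pod's own certificate is what the client sees. Only one backend per host is
# possible (routing is by SNI), so a single "/" path is the only meaningful rule;
# no spec.tls block is needed because the controller holds no key for this host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo-api-passthrough        # assumed name
  namespace: ingress-demo          # assumed namespace
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: foo-passthrough.example.com   # assumed host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: foo-api-tls-service   # assumed: Service exposing the Pod's TLS port
            port:
              number: 443
```

A quick way to tell the two apart from outside the cluster is `openssl s_client -connect <ingress-ip>:443 -servername foo.example.com` versus the passthrough host: variant A presents the certificate stored in foo-cert (the controller's), variant B presents whatever the Pod serves, because the controller never terminated the session. Variant A is also the only one where controller-side features that need the plaintext request (path routing, header rewrites, rate limiting, access logs with URIs) are available, which is the trade-off the question is asking about.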