kelseyhightower/docker-kubernetes-tls-guide kelseyhightower/docker-kubernetes-tls-guide

  • Stars
    star
    191
  • Rank 195,719 (Top 4 %)
  • Language
  • Created almost 9 years ago
  • Updated over 8 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
kelseyhightower/docker-kubernetes-tls-guide
github

kelseyhightower

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Step by step guide on how to secure Docker and Kubernetes using TLS with CloudFlare’s CFSSL

Docker and Kubernetes TLS Guide

This guide will walk you through setting up TLS and TLS cert client authentication for Docker and Kubernetes.

Install CFSSL

The first step in securing Docker and Kubernetes is to set up a PKI infrastructure for managing TLS certificates.

https://github.com/cloudflare/cfssl

Review and customize CSRs

The CFSSL tool takes various JSON configuration files to initial a CA and produce certificates. Clone this repo and review the current set of configs and adjust them for you environment.

$ git clone https://github.com/kelseyhightower/docker-kubernetes-tls-guide.git

Initialize a CA

Before we can generate any certs we need to initialize a CA.

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca

Docker

The Docker daemon can be protected using TLS certificates, but instead of using the openssl tools we are going to leverage our PKI from above.

Generate Server and Client Certs

Docker Engine

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=server \
docker-server-csr.json | cfssljson -bare docker-server

Results:

docker-server-key.pem
docker-server.csr
docker-server.pem

Docker Client

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=client \
docker-client-csr.json | cfssljson -bare docker-client

Results:

docker-client-key.pem
docker-client.csr
docker-client.pem

Configure Docker

Docker Daemon

Copy the server certs to the Docker host.

$ scp ca.pem docker-server-key.pem docker-server.pem [email protected]:~/

Move the server certs into place and fix permissions.

$ ssh [email protected]
$ sudo mv ca.pem /etc/docker/ca.pem
$ sudo mv docker-server-key.pem /etc/docker/server-key.pem
$ sudo mv docker-server.pem /etc/docker/server.pem
$ sudo chmod 0444 /etc/docker/ca.pem
$ sudo chmod 0400 /etc/docker/server-key.pem
$ sudo chmod 0444 /etc/docker/server.pem

Configure the Docker daemon to use the certs.

cat > /etc/systemd/system/docker.service <<EOF
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io

[Service]
ExecStart=/usr/bin/docker --daemon \
--bip=10.200.0.1/24 \
--host=tcp://0.0.0.0:2376 \
--host=unix:///var/run/docker.sock \
--tlsverify \
--tlscacert=/etc/docker/ca.pem \
--tlscert=/etc/docker/server.pem \
--tlskey=/etc/docker/server-key.pem \
--storage-driver=overlay
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

Start or restart the Docker daemon

$ sudo systemctl start docker

$ sudo systemctl daemon-reload
$ sudo systemctl restart docker

Client

Copy the client certs to the Docker client config dir.

$ mkdir -pv ~/.docker
$ cp -v ca.pem ~/.docker/ca.pem
$ cp -v docker-client.pem ~/.docker/cert.pem
$ cp -v docker-client-key.pem ~/.docker/key.pem
$ chmod 0444 ~/.docker/ca.pem
$ chmod 0444 ~/.docker/cert.pem
$ chmod 0400 ~/.docker/key.pem

$ export DOCKER_HOST="tcp://docker.kubestack.io:2376" DOCKER_TLS_VERIFY=1
$ docker ps

Kubernetes

Generate Server and Client Certs

kube-apiserver

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=server \
kube-apiserver-server-csr.json | cfssljson -bare kube-apiserver-server

Results:

kube-apiserver-server-key.pem
kube-apiserver-server.csr
kube-apiserver-server.pem

kubelet

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=client \
kubelet-client-csr.json | cfssljson -bare kubelet-client

Results:

kubelet-client-key.pem
kubelet-client.csr
kubelet-client.pem

kube-proxy

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=client \
kube-proxy-client-csr.json | cfssljson -bare kube-proxy-client

Results

kube-proxy-client-key.pem 
kube-proxy-client.csr
kube-proxy-client.pem

kubectl

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=client \
kubernetes-admin-user.csr.json | cfssljson -bare kubernetes-admin-user

Results:

kubernetes-admin-user-key.pem
kubernetes-admin-user.csr
kubernetes-admin-user.pem

Configure Kubernetes

Controllers

A Kubernetes controller includes the API server, Controller Manager, and the Scheduler.

Copy the server certs to the Kubernetes API server.

$ scp ca.pem kube-apiserver-server-key.pem kube-apiserver-server.pem [email protected]:~/
$ ssh [email protected]
$ sudo mkdir -p /etc/kubernetes/kube-apiserver
$ sudo mv ca.pem /etc/kubernetes/kube-apiserver/ca.pem
$ sudo mv kube-apiserver-server-key.pem /etc/kubernetes/kube-apiserver/server-key.pem
$ sudo mv kube-apiserver-server.pem /etc/kubernetes/kube-apiserver/server.pem
$ sudo chmod 0444 /etc/kubernetes/kube-apiserver/ca.pem
$ sudo chmod 0400 /etc/kubernetes/kube-apiserver/server-key.pem
$ sudo chmod 0444 /etc/kubernetes/kube-apiserver/server.pem

cat > policy.jsonl <<EOF
{"user":"admin"}
{"user":"scheduler", "readonly": true, "resource": "pods"}
{"user":"scheduler", "resource": "bindings"}
{"user":"kubelet",  "readonly": true, "resource": "pods"}
{"user":"kubelet",  "readonly": true, "resource": "services"}
{"user":"kubelet",  "readonly": true, "resource": "endpoints"}
{"user":"kubelet", "resource": "events"}
EOF

$ scp policy.jsonl [email protected]:~/
$ ssh [email protected]
$ sudo mv policy.jsonl /etc/kubernetes/kube-apiserver/policy.jsonl
$ sudo chmod 0644 /etc/kubernetes/kube-apiserver/policy.jsonl

Start the Kubernetes Controller containers

$ docker-compose -p kubernetes -f compose-controller.yaml up -d

Workers

A Kubernetes worker includes the kubelet and the proxy.

Copy the client certs to the worker node.

$ scp ca.pem [email protected]:~/
$ scp kube-proxy-client-key.pem kube-proxy-client.pem [email protected]:~/
$ scp kubelet-client-key.pem kubelet-client.pem [email protected]:~/

$ ssh [email protected]
$ sudo mkdir -p /etc/kubernetes
$ sudo mv ca.pem /etc/kubernetes/ca.pem
$ sudo mv kube-proxy-client-key.pem /etc/kubernetes/kube-proxy/client-key.pem
$ sudo mv kube-proxy-client.pem /etc/kubernetes/kube-proxy/client.pem
$ sudo mv kubelet-client-key.pem /etc/kubernetes/kubelet/client-key.pem
$ sudo mv kubelet-client.pem /etc/kubernetes/kubelet/client.pem
$ sudo chmod 0444 /etc/kubernetes/ca.pem
$ sudo chmod 0400 /etc/kubernetes/kube-proxy/client-key.pem
$ sudo chmod 0444 /etc/kubernetes/kube-proxy/client.pem
$ sudo chmod 0400 /etc/kubernetes/kubelet/client-key.pem
$ sudo chmod 0444 /etc/kubernetes/kubelet/client.pem

Copy the kubeconfigs for the kubelet and proxy services.

$ scp kubeconfigs/kubelet.kubeconfig [email protected]:~/
$ scp kubeconfigs/proxy.kubeconfig [email protected]:~/

$ ssh [email protected]
$ sudo mv kubelet.kubeconfig /etc/kubernetes/kubelet/
$ sudo mv proxy.kubeconfig /etc/kubernetes/kube-proxy/
$ sudo chmod 0444 /etc/kubernetes/kubelet/kubelet.kubeconfig
$ sudo chmod 0444 /etc/kubernetes/kube-proxy/proxy.kubeconfig

kubectl

$ kubectl config set-cluster secure \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://kube-apiserver.kubestack.io:6443

$ kubectl config set-credentials admin \
--client-key=kubernetes-admin-user-key.pem \
--client-certificate=kubernetes-admin-user.pem \
--embed-certs=true

$ kubectl config set-context secure \
--cluster=secure \
--user=admin

$ kubectl config use-context secure

$ kubectl cluster-info
$ kubectl get cs

More Repositories

1

nocode

The best way to write secure and reliable applications. Write nothing; deploy nowhere.
Dockerfile
59,013
star
2

kubernetes-the-hard-way

Bootstrap Kubernetes the hard way on Google Cloud Platform. No scripts.
38,169
star
3

confd

Manage local application configuration files using templates and data from etcd or consul
Go
8,274
star
4

envconfig

Golang library for managing configuration data from environment variables
Go
4,881
star
5

kube-cert-manager

Manage Lets Encrypt certificates for a Kubernetes cluster.
Go
1,087
star
6

intro-to-kubernetes-workshop

Intro to Kubernetes Workshop
1,016
star
7

pipeline

A step by step guide on creating build and deployment pipelines for Kubernetes.
747
star
8

consul-on-kubernetes

Running HashiCorp's Consul on Kubernetes
Shell
598
star
9

konfd

Manage application configuration using Kubernetes secrets, configmaps, and Go templates.
Go
494
star
10

kubernetes-cluster-federation

Kubernetes cluster federation tutorial
458
star
11

vault-controller

Automate the creation of unique Vault tokens for Kubernetes Pods using init containers.
Go
448
star
12

compose2kube

Convert docker-compose service files to Kubernetes objects.
Go
417
star
13

serverless-vault-with-cloud-run

Guide to running Vault on Cloud Run
Shell
392
star
14

vault-on-google-kubernetes-engine

How to guide on running HashiCorp's Vault on Google Kubernetes Engine
Shell
387
star
15

app

Example 12 Facter App
Go
379
star
16

terminus

Get facts about a Linux system.
Go
361
star
17

nomad-on-kubernetes

Tutorial on running Nomad on Kubernetes.
Shell
342
star
18

istio-ingress-tutorial

How to run the Istio Ingress Controller on Kubernetes
Shell
322
star
19

kubernetes-initializer-tutorial

Hands-on tutorial for building and deploying Kubernetes Initializers.
Go
321
star
20

kubestack

Manage Kubernetes with Packer and Terraform on Google Compute Engine.
297
star
21

grpc-hello-service

grpc examples
Go
272
star
22

coreos-ipxe-server

CoreOS iPXE server
Go
218
star
23

kubernetes-redis-cluster

Kubernetes Redis Cluster configs and tutorial
Shell
215
star
24

standalone-kubelet-tutorial

Standalone Kubelet Tutorial
Go
204
star
25

grafeas-tutorial

A step by step guide for getting started with Grafeas and Kubernetes.
Go
191
star
26

google-cloud-functions-go

Google Cloud Function tutorial and hacks to enable the use of Go.
Go
180
star
27

helloworld

Go
180
star
28

scheduler

Toy Kubernetes Scheduler
Go
174
star
29

craft-kubernetes-workshop

Craft Kubernetes Workshop
Shell
172
star
30

ingress-with-static-ip

Tutorial on creating a Kubernetes Ingress Resource with a Static IP Address in GCP or GKE
165
star
31

mesh

Cloud native service mesh for the rest of us.
160
star
32

lobsters-on-kubernetes

Lobsters, the Hacker News clone, on Kubernetes
Shell
156
star
33

denyenv-validating-admission-webhook

An Kubernetes validating admission webhook that rejects pods that use environment variables.
JavaScript
154
star
34

vault-init

Automate the initialization and unsealing of HashiCorp Vault on Google Cloud Platform.
Go
151
star
35

certificate-init-container

Bootstrap TLS certificates for Pods using the Kubernetes certificates API.
Go
146
star
36

kubeadm-single-node-cluster

How to bootstrap a single-node Kubernetes cluster on Google Compute Engine using kubeadm.
Shell
140
star
37

hashiapp

Demo 12 Factor application that utilizes Hashicorp tools.
Go
134
star
38

kubernetes-envoy-sds

Kubernetes Envoy Service Discovery Service.
Go
133
star
39

setup-network-environment

Create an environment file with system networking information.
Go
131
star
40

kargo

Go
125
star
41

contributors

Display GitHub contributors for a specific repo.
Go
123
star
42

self-deploying-hello-universe

What if applications could deploy themselves?
Go
123
star
43

konfig

Go
119
star
44

event-gateway-on-kubernetes

How to guide on running Serverless.com's Event Gateway on Kubernetes
Go
119
star
45

gke-service-accounts-tutorial

A tutorial on using Google Cloud service account with Google Container Engine (GKE).
Go
109
star
46

run

Package run provides helper functions for building Cloud Run applications.
Go
107
star
47

hashiconf-eu-2016

HashiConf EU 2016
Shell
106
star
48

talks

Shell
99
star
49

badger

Generate build status images for Google Cloud Build
Go
98
star
50

riff-tutorial

How-to guide for testing the riff FaaS platform and Istio on Google Kubernetes Engine.
Go
97
star
51

cri-o-tutorial

A guided tutorial for the cri-o (ocid) Kubernetes container runtime.
95
star
52

lambda-on-cloud-run

Tutorial: Running Lambda Functions on Cloud Run
Dockerfile
83
star
53

gophercon-2018

Kelsey's GopherCon 2018 Keynote: Going Serverless
Go
72
star
54

12-fractured-apps

Example code for the 12 Fractured Apps blog posts.
Go
71
star
55

etcd-production-setup

Setting up etcd to run in production.
69
star
56

cmd-tutorial

68
star
57

oscon-2017-kubernetes-tutorial

OSCON 2017 Kubernetes Tutorial
68
star
58

jira-on-kubernetes

Notes: Running Atlassian's Jira on Kubernetes
67
star
59

conf2kube

conf2kube can read and create Kubernetes secrets based on the contents of configuration files.
Go
64
star
60

endpoints

Kubernetes endpoints load balancer.
Go
62
star
61

oscon-metrics-tutorial

OSCON Metrics Tutorial
60
star
62

echo

echo prints the first positional argument to stdout
Assembly
59
star
63

memkv

Simple in-memory key/value store backed by a map
Go
58
star
64

motorboat

Dynamically sync Nginx Plus backends from Kubernetes service endpoints.
Go
57
star
65

app-healthz

Example app with a healthz endpoint
Go
55
star
66

dynamic-ports-tutorial

A prototype of using dynamic ports with Kubernetes.
Go
54
star
67

ipxed

Web interface and api for ipxed
Go
51
star
68

helloworld-infrastructure-production

51
star
69

intro-to-go-workshop

Intro to Go Workshop
Go
50
star
70

pipeline-application

Go
48
star
71

reposync

Sync GitHub and Google Cloud Source Repos
Go
45
star
72

journal-2-logentries

Ship systemd journal entries to logentries.com
Go
45
star
73

pm

Package manager
Go
44
star
74

time

Educational package to teach aspiring programmers about history through the lens of time.
Go
44
star
75

container-instance-metadata-server

Cloud Run Container Instance Metadata Server Emulator
Go
41
star
76

kube

Basic single node Kubernetes using a bash script.
Shell
40
star
77

helloworld-infrastructure-staging

36
star
78

gcscache

GCS Cache implements the autocet.Cache interface using Google Cloud Storage.
Go
35
star
79

helloworld-infrastructure-qa

35
star
80

memq

In memory message queue prototype.
Go
32
star
81

kubestack-solo

Create a single node Kubernetes image for local testing with VMware Fusion.
32
star
82

jsonrpc-server

Complete example on using net/rpc over HTTP with the jsonrpc encoding
Go
32
star
83

opa-on-cloud-run

Tutorial: Open Policy Agent on Cloud Run
Shell
31
star
84

confidence

Example application which demonstrates various configuration options for modern applications.
Go
30
star
85

cloud-functions-min-instances-tutorial

Cloud Functions Min Instances Tutorial
Go
30
star
86

hello-cuelang

Learning CUE in public
Go
29
star
87

kube-rsa

Generate self-signed TLS certificates for Kubernetes
Go
29
star
88

kur

Kubernetes Up and Running
Shell
28
star
89

echod

A small echo server written in x86-32 asm
Assembly
28
star
90

redis-enterprise-on-kubernetes

How to deploy Redis Enterprise on Kubernetes
Shell
27
star
91

kubernetes-letsencrypt-tutorial

WIP: Kubernetes Lets Encrypt Tutorial
Go
27
star
92

krane

Convert Google Compute Engine (GCE) autoscaling instance groups to Kubernetes autoscaling deployments.
Go
27
star
93

twelve

Go
26
star
94

buildinfo

Go
25
star
95

etcd-pod-gen

Generate etcd pod specs for running under the Kubernetes Kubelet
Go
24
star
96

istio-initializer

Kubernetes Initializer that injects the Istio sidecar into pods.
Go
24
star
97

config-connector-policy-demo

Kubernetes Config Connector Policy Demo.
Open Policy Agent
24
star
98

dialogflow

The best way to create Dialogflow webhooks in Go.
Go
23
star
99

functions

Google Cloud Functions Helpers
Go
23
star
100

terraform-kcc-demo

Terraform KCC Demo
Shell
22
star