Step by step guide on how to secure Docker and Kubernetes using TLS with CloudFlare’s CFSSL

Docker and Kubernetes TLS Guide

This guide will walk you through setting up TLS and TLS cert client authentication for Docker and Kubernetes.

Install CFSSL

The first step in securing Docker and Kubernetes is to set up a PKI (public key infrastructure) for managing TLS certificates.

https://github.com/cloudflare/cfssl

Review and customize CSRs

The CFSSL tool takes various JSON configuration files to initialize a CA and produce certificates. Clone this repo, review the current set of configs, and adjust them for your environment.

$ git clone https://github.com/kelseyhightower/docker-kubernetes-tls-guide.git 

Initialize a CA

Before we can generate any certs we need to initialize a CA.

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca

Docker

The Docker daemon can be protected using TLS certificates, but instead of using the openssl tools we are going to leverage our PKI from above.

Generate Server and Client Certs

Docker Engine

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=server \
docker-server-csr.json | cfssljson -bare docker-server

Results:

docker-server-key.pem
docker-server.csr
docker-server.pem

Docker Client

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=client \
docker-client-csr.json | cfssljson -bare docker-client

Results:

docker-client-key.pem
docker-client.csr
docker-client.pem

Configure Docker

Docker Daemon

Copy the server certs to the Docker host.

$ scp ca.pem docker-server-key.pem docker-server.pem [email protected]:~/

Move the server certs into place and fix permissions.

$ ssh [email protected]
$ sudo mv ca.pem /etc/docker/ca.pem
$ sudo mv docker-server-key.pem /etc/docker/server-key.pem
$ sudo mv docker-server.pem /etc/docker/server.pem
$ sudo chmod 0444 /etc/docker/ca.pem
$ sudo chmod 0400 /etc/docker/server-key.pem
$ sudo chmod 0444 /etc/docker/server.pem

Configure the Docker daemon to use the certs.

$ cat <<EOF | sudo tee /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io

[Service]
ExecStart=/usr/bin/docker --daemon \
--bip=10.200.0.1/24 \
--host=tcp://0.0.0.0:2376 \
--host=unix:///var/run/docker.sock \
--tlsverify \
--tlscacert=/etc/docker/ca.pem \
--tlscert=/etc/docker/server.pem \
--tlskey=/etc/docker/server-key.pem \
--storage-driver=overlay
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

Start or restart the Docker daemon.

$ sudo systemctl start docker
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker

Client

Copy the client certs to the Docker client config dir.

$ mkdir -pv ~/.docker
$ cp -v ca.pem ~/.docker/ca.pem
$ cp -v docker-client.pem ~/.docker/cert.pem
$ cp -v docker-client-key.pem ~/.docker/key.pem
$ chmod 0444 ~/.docker/ca.pem
$ chmod 0444 ~/.docker/cert.pem
$ chmod 0400 ~/.docker/key.pem
$ export DOCKER_HOST="tcp://docker.kubestack.io:2376" DOCKER_TLS_VERIFY=1
$ docker ps
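What the server and client profiles put into the certificates, and what a peer running with --tlsverify checks against ca.pem, as an added Go example that is not code from this guide or from CFSSL: it builds an in-memory CA and two leaves with the extended key usages the profiles are assumed to set (server auth for -profile=server, client auth for -profile=client), then verifies them the way Docker and the Kubernetes components do. The names kubernetes-ca, docker-server and docker-client, the Ed25519 keys and the 24-hour lifetime are constructed; a CFSSL-issued ca.pem and leaf loaded with x509.ParseCertificate can be checked with the same verify function.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template is a leaf carrying the EKU a cfssl profile sets: ServerAuth for -profile=server, ClientAuth for -profile=client.
func template(cn string, usage x509.ExtKeyUsage, hosts ...string) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed random serial
	return &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn}, // the CN is the "user" policy.jsonl matches
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
		DNSNames:     hosts,
	}
}

// issue signs tmpl with the parent CA, or self-signs it when parent is nil (like cfssl gencert -initca).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCA is the in-memory stand-in for the ca.pem and ca-key.pem generated from ca-csr.json.
func newCA() (*x509.Certificate, ed25519.PrivateKey) {
	t := template("kubernetes-ca", x509.ExtKeyUsageAny)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	return issue(t, nil, nil)
}

// verify is what a peer that loaded ca.pem into roots does: chain the leaf to the CA, require the usage, match the dialed host ("" skips that).
func verify(roots *x509.CertPool, leaf *x509.Certificate, usage x509.ExtKeyUsage, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}
```

A client-profile certificate presented by a server, a server certificate for a different hostname, and any certificate from a CA other than the one in ca.pem all fail verify, which is why the guide signs the two kinds with separate profiles instead of one general-purpose certificate.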

Kubernetes

Generate Server and Client Certs

kube-apiserver

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=server \
kube-apiserver-server-csr.json | cfssljson -bare kube-apiserver-server

Results:

kube-apiserver-server-key.pem
kube-apiserver-server.csr
kube-apiserver-server.pem

kubelet

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=client \
kubelet-client-csr.json | cfssljson -bare kubelet-client

Results:

kubelet-client-key.pem
kubelet-client.csr
kubelet-client.pem

kube-proxy

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=client \
kube-proxy-client-csr.json | cfssljson -bare kube-proxy-client

Results:

kube-proxy-client-key.pem
kube-proxy-client.csr
kube-proxy-client.pem

kubectl

$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=client \
kubernetes-admin-user.csr.json | cfssljson -bare kubernetes-admin-user

Results:

kubernetes-admin-user-key.pem
kubernetes-admin-user.csr
kubernetes-admin-user.pem

Configure Kubernetes

Controllers

A Kubernetes controller includes the API server, Controller Manager, and the Scheduler.

Copy the server certs to the Kubernetes API server.

$ scp ca.pem kube-apiserver-server-key.pem kube-apiserver-server.pem [email protected]:~/
$ ssh [email protected]
$ sudo mkdir -p /etc/kubernetes/kube-apiserver
$ sudo mv ca.pem /etc/kubernetes/kube-apiserver/ca.pem
$ sudo mv kube-apiserver-server-key.pem /etc/kubernetes/kube-apiserver/server-key.pem
$ sudo mv kube-apiserver-server.pem /etc/kubernetes/kube-apiserver/server.pem
$ sudo chmod 0444 /etc/kubernetes/kube-apiserver/ca.pem
$ sudo chmod 0400 /etc/kubernetes/kube-apiserver/server-key.pem
$ sudo chmod 0444 /etc/kubernetes/kube-apiserver/server.pem

Create the API server authorization policy and copy it into place.

$ cat > policy.jsonl <<EOF
{"user":"admin"}
{"user":"scheduler", "readonly": true, "resource": "pods"}
{"user":"scheduler", "resource": "bindings"}
{"user":"kubelet",  "readonly": true, "resource": "pods"}
{"user":"kubelet",  "readonly": true, "resource": "services"}
{"user":"kubelet",  "readonly": true, "resource": "endpoints"}
{"user":"kubelet", "resource": "events"}
EOF
$ scp policy.jsonl [email protected]:~/
$ ssh [email protected]
$ sudo mv policy.jsonl /etc/kubernetes/kube-apiserver/policy.jsonl
$ sudo chmod 0644 /etc/kubernetes/kube-apiserver/policy.jsonl

Start the Kubernetes Controller containers

$ docker-compose -p kubernetes -f compose-controller.yaml up -d
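How the API server evaluates the policy.jsonl above once client certificates identify callers, as an added Go example that is not code from this guide or from Kubernetes: a small evaluator with the flat pre-RBAC ABAC semantics, where a field left unset matches anything and "readonly": true confines a line to reads. It assumes the user name is the client certificate's CN and that the read verbs are get, list and watch; both are assumptions about the authorizer of that era, not quoted from its source.

```go
package main

import (
	"encoding/json"
	"strings"
)

// samplePolicy is the policy.jsonl from this guide, embedded so the example runs offline.
const samplePolicy = `{"user":"admin"}
{"user":"scheduler", "readonly": true, "resource": "pods"}
{"user":"scheduler", "resource": "bindings"}
{"user":"kubelet",  "readonly": true, "resource": "pods"}
{"user":"kubelet",  "readonly": true, "resource": "services"}
{"user":"kubelet",  "readonly": true, "resource": "endpoints"}
{"user":"kubelet", "resource": "events"}`

// policy is one line of the flat (pre-RBAC) ABAC file; a field left unset matches anything.
type policy struct {
	User     string `json:"user"`
	Resource string `json:"resource"`
	Readonly bool   `json:"readonly"`
}

// parsePolicies reads one JSON object per line, as the API server's policy file loader does.
func parsePolicies(jsonl string) ([]policy, error) {
	var out []policy
	for _, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var p policy
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

// allowed reports whether any line matches: user is the client cert CN, and "readonly": true
// confines the line to get/list/watch (the read verb set is assumed here, not quoted from Kubernetes).
func allowed(ps []policy, user, resource, verb string) bool {
	readVerb := verb == "get" || verb == "list" || verb == "watch"
	for _, p := range ps {
		userOK := p.User == "" || p.User == user
		resourceOK := p.Resource == "" || p.Resource == resource
		if userOK && resourceOK && (!p.Readonly || readVerb) {
			return true
		}
	}
	return false
}
```

Note what {"user":"admin"} grants: with neither a resource nor a readonly field it matches every request, so the admin certificate's key deserves the same 0400 handling the guide gives the server keys; a CN the file never names, such as kube-proxy, is denied everything.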

Workers

A Kubernetes worker includes the kubelet and the proxy.

Copy the client certs to the worker node.

$ scp ca.pem [email protected]:~/
$ scp kube-proxy-client-key.pem kube-proxy-client.pem [email protected]:~/
$ scp kubelet-client-key.pem kubelet-client.pem [email protected]:~/
$ ssh [email protected]
$ sudo mkdir -p /etc/kubernetes/kubelet /etc/kubernetes/kube-proxy
$ sudo mv ca.pem /etc/kubernetes/ca.pem
$ sudo mv kube-proxy-client-key.pem /etc/kubernetes/kube-proxy/client-key.pem
$ sudo mv kube-proxy-client.pem /etc/kubernetes/kube-proxy/client.pem
$ sudo mv kubelet-client-key.pem /etc/kubernetes/kubelet/client-key.pem
$ sudo mv kubelet-client.pem /etc/kubernetes/kubelet/client.pem
$ sudo chmod 0444 /etc/kubernetes/ca.pem
$ sudo chmod 0400 /etc/kubernetes/kube-proxy/client-key.pem
$ sudo chmod 0444 /etc/kubernetes/kube-proxy/client.pem
$ sudo chmod 0400 /etc/kubernetes/kubelet/client-key.pem
$ sudo chmod 0444 /etc/kubernetes/kubelet/client.pem

Copy the kubeconfigs for the kubelet and proxy services.

$ scp kubeconfigs/kubelet.kubeconfig [email protected]:~/
$ scp kubeconfigs/proxy.kubeconfig [email protected]:~/
$ ssh [email protected]
$ sudo mv kubelet.kubeconfig /etc/kubernetes/kubelet/
$ sudo mv proxy.kubeconfig /etc/kubernetes/kube-proxy/
$ sudo chmod 0444 /etc/kubernetes/kubelet/kubelet.kubeconfig
$ sudo chmod 0444 /etc/kubernetes/kube-proxy/proxy.kubeconfig

kubectl

$ kubectl config set-cluster secure \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://kube-apiserver.kubestack.io:6443
$ kubectl config set-credentials admin \
--client-key=kubernetes-admin-user-key.pem \
--client-certificate=kubernetes-admin-user.pem \
--embed-certs=true
$ kubectl config set-context secure \
--cluster=secure \
--user=admin
$ kubectl config use-context secure
$ kubectl cluster-info
$ kubectl get cs
