Configure Knative system-internal encryption

Warning

The Knative Serving encryption features cluster-local-domain-tls and system-internal-tls are experimental. Use them with caution!
Before you begin

You must meet the following requirements to enable secure HTTPS connections:

- Knative Serving must be installed. For details about installing the Serving component, see the Knative installation guide.

Warning

This feature currently supports only Kourier as the networking layer.
Install and configure cert-manager and the integration

First, you need to install and configure cert-manager and the Knative cert-manager integration. See Configure Knative cert-manager integration for details.
Enable system-internal-tls

To enable system-internal-tls, update the config-network ConfigMap in the knative-serving namespace:

- Run the following command to edit your config-network ConfigMap:

```shell
kubectl edit configmap config-network -n knative-serving
```

- Add the system-internal-tls: Enabled attribute under the data section:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
data:
  ...
  system-internal-tls: Enabled
  ...
```

- Restart the Knative activator and controller components so they pick up the Knative cert-manager integration:

```shell
kubectl rollout restart deploy/activator -n knative-serving
kubectl rollout restart deploy/controller -n knative-serving
```

Congratulations! Knative will now use TLS between its internal system components (Ingress-Controller, Activator and Queue-Proxy).
Verification

- Deploy a Knative Service.

- Check that the certificate has been created and is ready, using:

```shell
kubectl get kcert -n <your-knative-service-namespace>
```

- Check that the Queue-Proxy container read the certificate at startup, using the following command:

```shell
kubectl logs your-pod -n your-knative-service-namespace -c queue-proxy | grep -E 'certDir|Certificate|tls'
```

The output should look like this:

```
{"severity":"INFO","timestamp":"2024-01-03T07:07:32.892810888Z","logger":"queueproxy","caller":"certificate/watcher.go:62","message":"Starting to watch the following directories for changes{certDir 15 0 /var/lib/knative/certs <nil>} {keyDir 15 0 /var/lib/knative/certs <nil>}","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
{"severity":"INFO","timestamp":"2024-01-03T07:07:32.89397512Z","logger":"queueproxy","caller":"certificate/watcher.go:131","message":"Certificate and/or key have changed on disk and were reloaded.","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
{"severity":"INFO","timestamp":"2024-01-03T07:07:32.894232939Z","logger":"queueproxy","caller":"sharedmain/main.go:282","message":"Starting tls server admin:8022","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
{"severity":"INFO","timestamp":"2024-01-03T07:07:32.894268548Z","logger":"queueproxy","caller":"sharedmain/main.go:282","message":"Starting tls server main:8112","commit":"86420f2-dirty","knative.dev/key":"first/helloworld-00001","knative.dev/pod":"helloworld-00001-deployment-75fbb7d488-qgmxx"}
```
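The two manual checks above (that config-network actually carries system-internal-tls: Enabled, and that the queue-proxy log shows both TLS listeners) can be scripted so they run the same way on every cluster. The script below is an added example, not part of the Knative documentation or the Knative project's own tooling. It runs offline against a constructed ConfigMap and constructed log lines that mimic the shapes shown on this page; in a cluster you would replace the samples with the output of kubectl get configmap config-network -n knative-serving -o yaml and of the kubectl logs command above. The function names are this example's own.

```shell
#!/bin/sh
# Added example: offline verification of the two checks described above.
# Sample inputs are constructed here to mimic real kubectl output.

# Constructed sample: a trimmed config-network ConfigMap as kubectl would print it.
SAMPLE_CONFIGMAP='apiVersion: v1
kind: ConfigMap
metadata:
  name: config-network
  namespace: knative-serving
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################
    # system-internal-tls: "Disabled"
  ingress-class: kourier.ingress.networking.knative.dev
  system-internal-tls: Enabled
'

# Constructed sample queue-proxy log lines (same shape as the real ones above,
# with timestamps and pod labels trimmed). The last line is a non-TLS listener,
# included only to show that the filter ignores it.
SAMPLE_LOG='{"severity":"INFO","logger":"queueproxy","caller":"certificate/watcher.go:62","message":"Starting to watch the following directories for changes{certDir 15 0 /var/lib/knative/certs <nil>}"}
{"severity":"INFO","logger":"queueproxy","caller":"certificate/watcher.go:131","message":"Certificate and/or key have changed on disk and were reloaded."}
{"severity":"INFO","logger":"queueproxy","caller":"sharedmain/main.go:282","message":"Starting tls server admin:8022"}
{"severity":"INFO","logger":"queueproxy","caller":"sharedmain/main.go:282","message":"Starting tls server main:8112"}
{"severity":"INFO","logger":"queueproxy","caller":"sharedmain/main.go:290","message":"Starting http server metrics:9091"}
'

# system_internal_tls_enabled: exit 0 if the ConfigMap YAML on stdin sets
# system-internal-tls to Enabled, 1 otherwise. The regex is anchored at the
# start of the line so the commented-out copy inside the _example block
# (which starts with '#') does not produce a false positive.
system_internal_tls_enabled() {
    grep -Eq '^[[:space:]]*system-internal-tls:[[:space:]]*"?Enabled"?[[:space:]]*$'
}

# count_tls_servers: print the number of "Starting tls server" lines on stdin
# (queue-proxy should report two: the admin and the main listener).
count_tls_servers() {
    grep -c 'Starting tls server' || true
}

# tls_listeners: print the listener name of each TLS server, one per line.
tls_listeners() {
    sed -n 's/.*"Starting tls server \([^"]*\)".*/\1/p'
}

# verify: run both checks against the samples; exit 0 only if both pass.
verify() {
    if ! printf '%s' "$SAMPLE_CONFIGMAP" | system_internal_tls_enabled; then
        echo "config-network: system-internal-tls is NOT Enabled" >&2
        return 1
    fi
    n=$(printf '%s' "$SAMPLE_LOG" | count_tls_servers)
    if [ "$n" -lt 2 ]; then
        echo "queue-proxy: expected admin and main TLS listeners, found $n" >&2
        return 1
    fi
    echo "ok: system-internal-tls Enabled; TLS listeners: $(printf '%s' "$SAMPLE_LOG" | tls_listeners | tr '\n' ' ')"
}

verify
```

Against a live cluster, pipe real data into the same functions, for example kubectl get configmap config-network -n knative-serving -o yaml | system_internal_tls_enabled. A pod whose queue-proxy log shows the certificate watcher but fewer than two "Starting tls server" lines was started before the certificate became ready or is not picking up the ConfigMap change; restarting the deployment after the Knative Certificate reports Ready is the usual fix.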
Trust

Warning

A short note on trust: if the cert-manager issuer allows placing the CA directly in the ca.crt field of the certificate Secret, Knative will automatically trust the CA that signed the certificate. Regardless, cluster administrators should always provide a trust bundle, as described in Configure Knative cert-manager integration. This is also strongly recommended in the cert-manager documentation, to avoid problems during rotation.