Group items tagged

cert-manager mainly uses two different custom Kubernetes resources - known as CRDs - to configure and control how it operates, as well as to store state. These resources are Issuers and Certificates.

using annotations on the ingress with ingress-shim or directly creating a certificate resource.

a typo will result in the ingress-nginx-controller falling back to its self-signed certificate.

this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates

Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on

This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one.

The rights on these files are very important

/etc/ssl/private

OpenSSL can convert these to .pem

.cert .cer .crt A .pem (or rarely .der) formatted file with a different extension

there are four different ways to present certificates and their components

used preferentially by open-source software

The parent format of PEM

a binary version of the base64-encoded PEM file.

X.509 certificates are one type of data that is commonly encoded using PEM.

support multiple virtual hosts for a container

to connect to your backend using HTTPS instead of HTTP, set VIRTUAL_PROTO=https on the backend container.

The contents of /path/to/certs should contain the certificates and private keys for any virtual hosts in use.

to replace the default proxy settings for the nginx container, add a configuration file at /etc/nginx/proxy.conf

The default configuration blocks the Proxy HTTP request header from being sent to downstream servers

add your configuration file under /etc/nginx/conf.d using a name ending in .conf

If your container exposes multiple ports, nginx-proxy will default to the service running on port 80. If you need to specify a different port, you can set a VIRTUAL_PORT env var to select a different one.

To add settings on a per-VIRTUAL_HOST basis, add your configuration file under /etc/nginx/vhost.d

SNI

The default behavior for the proxy when port 80 and 443 are exposed is as follows: If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS is always preferred when available. If the container does not have a usable cert, a 503 will be returned.

Copy only the certificates in the above list. kubeadm will take care of generating the rest of the certificates with the required SANs for the joining control-plane instances.

You can use role-based access control (RBAC) and other security mechanisms to make sure that users and workloads can get access to the resources they need, while keeping workloads, and the cluster itself, secure. You can set limits on the resources that users and workloads can access by managing policies and container resources.

you need to plan how to scale to relieve increased pressure from more requests to the control plane and worker nodes or scale down to reduce unused resources.

Managed control plane: Let the provider manage the scale and availability of the cluster's control plane, as well as handle patches and upgrades.

The simplest Kubernetes cluster has the entire control plane and worker node services running on the same machine.

You can deploy a control plane using tools such as kubeadm, kops, and kubespray.

Secure communications between control plane services are implemented using certificates.

Separate and backup etcd service: The etcd services can either run on the same machines as other control plane services or run on separate machines

Create multiple control plane systems: For high availability, the control plane should not be limited to a single machine

Some deployment tools set up Raft consensus algorithm to do leader election of Kubernetes services. If the primary goes away, another service elects itself and take over.

Groups of zones are referred to as regions.

if you installed with kubeadm, there are instructions to help you with Certificate Management and Upgrading kubeadm clusters.

Production-quality workloads need to be resilient and anything they rely on needs to be resilient (such as CoreDNS).

Add nodes to the cluster: If you are managing your own cluster you can add nodes by setting up your own machines and either adding them manually or having them register themselves to the cluster’s apiserver.

Set up node health checks: For important workloads, you want to make sure that the nodes and pods running on those nodes are healthy.

Authentication: The apiserver can authenticate users using client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth.

Authorization: When you set out to authorize your regular users, you will probably choose between RBAC and ABAC authorization.

Role-based access control (RBAC): Lets you assign access to your cluster by allowing specific sets of permissions to authenticated users. Permissions can be assigned for a specific namespace (Role) or across the entire cluster (ClusterRole).

Attribute-based access control (ABAC): Lets you create policies based on resource attributes in the cluster and will allow or deny access based on those attributes.

Set limits on workload resources

Set namespace limits: Set per-namespace quotas on things like memory and CPU

Prepare for DNS demand: If you expect workloads to massively scale up, your DNS service must be ready to scale up as well.