k8s nginx ingress配置TLS

Posted 2022-07-04 lyc94620

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了k8s nginx ingress配置TLS相关的知识，希望对你有一定的参考价值。

在没有配置任何nginx下，k8s的nginx默认只支持TLS1.2，不支持TLS1.0和TLS1.1

默认的 nginx-config（部分可能叫 nginx-configuration）的配置如下：

apiVersion: v1
data:
  allow-backend-server-header: ‘true‘
  enable-underscores-in-headers: ‘true‘
  generate-request-id: ‘true‘
  http-redirect-code: ‘301‘
  ignore-invalid-headers: ‘true‘
  max-worker-connections: ‘65536‘
  proxy-body-size: 20m
  proxy-connect-timeout: ‘10‘
  reuse-port: ‘true‘
  server-tokens: ‘false‘
  ssl-redirect: ‘false‘
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      "apiVersion":"v1","data":"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"65536","proxy-body-size":"20m","proxy-connect-timeout":"10","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto","kind":"ConfigMap","metadata":"annotations":,"labels":"app":"ingress-nginx","name":"nginx-configuration","namespace":"kube-system"
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

看了下官方的文档，如果需要支持TLS1.0和TLS1.1需要改下 nginx-config 同时重启下容器即可

To provide the most secure baseline configuration possible,

nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.

The default configuration, though secure, does not support some older browsers and operating systems.

For instance, TLS 1.1+ is only enabled by default from android 5.0 on. At the time of writing, May 2018, approximately 15% of Android devices are not compatible with nginx-ingress‘s default configuration.

To change this default behavior, use a ConfigMap.

A sample ConfigMap fragment to allow these older clients to connect could look something like the following:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"

为了避免影响到之前的配置，切勿直接复制这个yaml配置替换你的配置！！！

在你原有的配置上加上 ssl-ciphers 和 ssl-protocols 配置即可

apiVersion: v1
data:
  allow-backend-server-header: ‘true‘
  enable-underscores-in-headers: ‘true‘
  generate-request-id: ‘true‘
  http-redirect-code: ‘301‘
  ignore-invalid-headers: ‘true‘
  max-worker-connections: ‘65536‘
  proxy-body-size: 20m
  proxy-connect-timeout: ‘10‘
  reuse-port: ‘true‘
  server-tokens: ‘false‘
  ssl-ciphers: >-
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
  ssl-redirect: ‘false‘
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      "apiVersion":"v1","data":"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"65536","proxy-body-size":"20m","proxy-connect-timeout":"10","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto","kind":"ConfigMap","metadata":"annotations":,"labels":"app":"ingress-nginx","name":"nginx-configuration","namespace":"kube-system"
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

加上配置之后呢，需要重启下容器 nginx-ingress

参考文档：https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls

以上是关于k8s nginx ingress配置TLS的主要内容，如果未能解决你的问题，请参考以下文章

k8s ingress-nginx

k8s部署ingress-nginx

k8s Nginx-ingress配置https

k8s Nginx Ingress 常用的 9个配置（annotation）

[k8s]nginx-ingress配置4/7层测试

K8s之Ingress-nginx原理及配置