Skip to content
This repository has been archived by the owner on Jul 10, 2023. It is now read-only.

Latest commit

 

History

History
129 lines (101 loc) · 3 KB

securing-k8s.md

File metadata and controls

129 lines (101 loc) · 3 KB

Securing Kubernetes with SSL/TLS

Step 1: Generate a certificate

samples/nginx/generate_cert.sh .

Step 2: Merge certificate and key into PEM (HAProxy requirement)

sudo cat cert/server.crt cert/server.key | sudo tee server.pem

Step 3: Create ConfigMap for SSL certificate

kubectl create configmap config-map-cert-haproxy --from-file=server.pem

Step 4: Edit values.yaml for HAProxy to find the certificate

values.yaml

haproxy:
  service:
    type: NodePort
  extraVolumeMounts:
    - mountPath: /usr/local/etc/haproxy/servers.map
      name: haproxy-map
      subPath: servers.map
    - mountPath: /etc/ssl/server.pem
      name: haproxy-cert
      subPath: server.pem
  extraVolumes:
    - configMap:
        name: server-maps-haproxy
      name: haproxy-map
    - configMap:
        name: config-map-cert-haproxy
      name: haproxy-cert

Step 5: Edit haproxy-template.cfg with 443 SSL binding

samples/kubernetes/src/pipeline-server-k8s-controller/haproxy-template.cfg

.
.
.
frontend myfrontend
  bind :443 ssl crt /etc/ssl/server.pem
  acl is_controller_api path_end pipelines/status
  acl is_post method POST
.
.
.

Step 6: Compile pipeline-server-k8s-controller with the new haproxy-template.cfg

To deploy on Kubernetes, you will need to push the image to a registry, this example is using Docker Hub.

cd src/pipeline-server-k8s-controller/

docker build -t username/dlstreamer-pipeline-server-k8s-controller .

docker push username/dlstreamer-pipeline-server-k8s-controller

Update your values.yaml with your new image

values.yaml

controlplane:
  enabled: true
  controller:
    image: username/dlstreamer-pipeline-server-k8s-controller

Step 7: Test your setup

Remove previous installation if you have and install the latest package:

helm uninstall dlstreamer

helm install dlstreamer .

You can test your setup by providing the server.crt into the curl when querying.

httpsk8s

Port forward port 443 from HAProxy

POD_NAME=$(kubectl get pods | grep haproxy | cut -d' ' -f1)
kubectl --namespace default port-forward $POD_NAME 8080:443

Example #1: Get status of all pipeline instances

curl --cacert cert/server.crt https://localhost:8080/pipelines/status
[]

Example #2: Submit work request (launch pipeline instance)

curl --cacert cert/server.crt https://localhost:8080/pipelines/object_detection/person_vehicle_bike -X POST -H "Content-Type: application/json" -d '{
   "source":{
      "uri":"https://github.com/intel-iot-devkit/sample-videos/blob/master/person-bicycle-car-detection.mp4?raw=true",
      "type":"uri"
   },
   "destination":{
      "frame":{
         "type":"rtsp",
         "path":"ps1"
      }
   }
}'
"c6f2476444f811ed81550242ac120003"

Step 7: Using Pipeline Client

Pipeline Client also supports submitting work requests on Kubernetes Clusters with HTTPS. Test your setup using the Pipeline Client HTTPS example.