mirror of
https://github.com/jpetazzo/container.training.git
synced 2026-07-16 19:39:27 +00:00
➕ Add CA injector content
This commit is contained in:
60
slides/k8s/cainjector.md
Normal file
60
slides/k8s/cainjector.md
Normal file
@@ -0,0 +1,60 @@
|
||||
## CA injector - overview
|
||||
|
||||
- The Kubernetes API server can invoke various webhooks:
|
||||
|
||||
- conversion webhooks (registered in CustomResourceDefinitions)
|
||||
|
||||
- mutation webhooks (registered in MutatingWebhookConfigurations)
|
||||
|
||||
- validation webhooks (registered in ValidatingWebhookConfiguration)
|
||||
|
||||
- These webhooks must be served over TLS
|
||||
|
||||
- These webhooks must use valid TLS certificates
|
||||
|
||||
---
|
||||
|
||||
## Webhook certificates
|
||||
|
||||
- Option 1: certificate issued by a global CA
|
||||
|
||||
- doesn't work with internal services
|
||||
<br/>
|
||||
(their CN must be `<servicename>.<namespace>.svc`)
|
||||
|
||||
- Option 2: certificate issued by private CA + CA certificate in system store
|
||||
|
||||
- requires access to API server certificates tore
|
||||
|
||||
- generally not doable on managed Kubernetes clusters
|
||||
|
||||
- Option 3: certificate issued by private CA + CA certificate in `caBundle`
|
||||
|
||||
- pass the CA certificate in `caBundle` field
|
||||
<br/>
|
||||
(in CRD or webhook manifests)
|
||||
|
||||
- can be managed automatically by cert-manager
|
||||
|
||||
---
|
||||
|
||||
## CA injector - details
|
||||
|
||||
- Add annotation to *injectable* resource
|
||||
(CustomResouceDefinition, MutatingWebhookConfiguration, ValidatingWebhookConfiguration)
|
||||
|
||||
- Annotation refers to the thing holding the certificate:
|
||||
|
||||
- `cert-manager.io/inject-ca-from: <namespace>/<certificate>`
|
||||
|
||||
- `cert-manager.io/inject-ca-from-secret: <namespace>/<secret>`
|
||||
|
||||
- `cert-manager.io/inject-apiserver-ca: true` (use API server CA)
|
||||
|
||||
- When injecting from a Secret, the Secret must have a special annotation:
|
||||
|
||||
`cert-manager.io/allow-direct-injection: "true"`
|
||||
|
||||
- See [cert-manager documentation][docs] for details
|
||||
|
||||
[docs]: https://cert-manager.io/docs/concepts/ca-injector/
|
||||
@@ -62,6 +62,7 @@ content:
|
||||
- k8s/ingress-tls.md
|
||||
- k8s/ingress-advanced.md
|
||||
- k8s/cert-manager.md
|
||||
- k8s/cainjector.md
|
||||
- k8s/eck.md
|
||||
- #7
|
||||
- k8s/admission.md
|
||||
|
||||
@@ -84,6 +84,7 @@ content:
|
||||
- k8s/ingress-advanced.md
|
||||
- k8s/ingress-tls.md
|
||||
- k8s/cert-manager.md
|
||||
- k8s/cainjector.md
|
||||
- k8s/kustomize.md
|
||||
- k8s/helm-intro.md
|
||||
- k8s/helm-chart-format.md
|
||||
|
||||
Reference in New Issue
Block a user