Cert Manager for securing pod-to-pod communication
Bhanu Pratap
Cloud Architect & DevOps Expert | End-to-End Solutions Architect | Passionate about Driving Innovation
To secure pod-to-pod communication in Kubernetes with cert-manager, you terminate mutual TLS (mTLS) in the workloads themselves: cert-manager issues an X.509 certificate and private key for each workload into a Secret, the pods mount that Secret, and each side of a connection presents its own certificate and verifies the peer's certificate against a shared trust anchor (a CA both sides trust).
Here's a step-by-step guide:
Step 1: Install cert-manager
First, install cert-manager in your Kubernetes cluster. The command below uses PowerShell line continuation (trailing backticks); on Linux or macOS replace each backtick with a backslash. It assumes the jetstack Helm repository has already been added, and installCRDs=true installs the cert-manager CRDs as part of the release:
helm upgrade cert-manager jetstack/cert-manager `
--install `
--create-namespace `
--namespace cert-manager `
--set installCRDs=true `
--set nodeSelector."kubernetes\.io/os"=linux
Step 2: Create a Certificate Issuer
Create an Issuer or ClusterIssuer that cert-manager will use to issue certificates. Here is a self-signed ClusterIssuer. Be aware that a selfSigned issuer signs every certificate with that certificate's own key, so two workloads issued from it share no common trust anchor and can only trust each other by pinning the exact certificate, which breaks at every renewal. For mTLS between pods, use a self-signed issuer only to bootstrap a CA certificate and then issue workload certificates from a CA issuer backed by that CA.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
Apply this configuration:
kubectl apply -f cluster-issuer.yaml
Step 3: Create a Certificate for Each Workload
Create a Certificate resource for each workload (Deployment or Service) whose pods need to communicate securely; all replicas of a Deployment mount the same Secret. The issuerRef name must match the ClusterIssuer created in Step 2, and a certificate that the workload will also present as a client certificate needs the client auth usage in addition to server auth. Here's an example:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app01
spec:
  secretName: app01-tls-cert-secret
  privateKey:
    rotationPolicy: Always
  commonName: app01.default.svc.cluster.local
  dnsNames:
    - app01.default.svc.cluster.local
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth
  issuerRef:
    name: selfsigned-cluster-issuer
    kind: ClusterIssuer
Apply this configuration:
kubectl apply -f app-cert.yaml
Step 4: Mount the Certificate in the Pod
Modify your Deployment specification to mount the Secret that cert-manager wrote (it contains tls.crt, tls.key and ca.crt) as a read-only volume and point the application at those files. Here's an example using the GKE hello-app-tls sample image, which reads the certificate and key paths from the TLS_CERT and TLS_KEY environment variables:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: app01
  name: app01
spec:
  replicas: 3
  selector:
    matchLabels:
      app: app01
  template:
    metadata:
      labels:
        app: app01
    spec:
      restartPolicy: Always
      volumes:
        - name: app01-tls
          secret:
            secretName: app01-tls-cert-secret
      containers:
        - name: app01
          image: us-docker.pkg.dev/google-samples/containers/gke/hello-app-tls:1.0
          ports:
            - containerPort: 8443
          volumeMounts:
            - name: app01-tls
              mountPath: /etc/tls
              readOnly: true
          env:
            - name: TLS_CERT
              value: /etc/tls/tls.crt
            - name: TLS_KEY
              value: /etc/tls/tls.key
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: app01
  name: app01
spec:
  ports:
    - port: 443
      protocol: TCP
      targetPort: 8443
  selector:
    app: app01
  type: ClusterIP
Apply this configuration:
kubectl apply -f app.yaml
Step 5: Configure Your Application to Use the Certificates
Configure the server side of your application to present tls.crt and tls.key and to require and verify client certificates against ca.crt; configure the client side to present its own certificate and key and to verify the server against the same ca.crt. How this is done depends on the application (for example the tls.Config of a Go net/http server, or the ssl_client_certificate and ssl_verify_client directives in nginx). Also plan for rotation: cert-manager renews the certificate before it expires and rewrites the Secret, the kubelet updates the mounted files, and with rotationPolicy: Always the private key changes too, so the application must reload its TLS material or be restarted to pick up the new files.
Step 6: Verify Secure Communication
Deploy your pods and check that the service answers over TLS with the issued certificate. A quick smoke test from a scratch pod (note that --insecure skips certificate verification, so this only proves the service speaks TLS; it does not validate the chain and does not exercise mTLS):
kubectl run nginx --image=nginx
kubectl exec -it nginx -- curl --insecure https://app01.default.svc.cluster.local
Inspect the certificate the server presents (the -v output shows its subject, SANs, issuer and validity, which should match the Certificate resource):
kubectl exec -it nginx -- curl --insecure -v https://app01.default.svc.cluster.local
To test mTLS properly, mount a client certificate into the test pod and call curl with --cacert pointing at the CA certificate and --cert and --key pointing at the client certificate and key. A server that requires client certificates should accept that call and reject the same call made without --cert.
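The manifests below are an added example that is not part of the original article. They put the steps above together with a CA-backed trust chain instead of independent per-workload self-signed certificates: the selfSigned ClusterIssuer bootstraps a CA certificate, a second ClusterIssuer signs with that CA, and the server workload (app01) and a client workload get certificates carrying the usage each side needs. The names internal-ca, internal-ca-secret, internal-ca-issuer and client01 are assumptions for the example; the CA Secret is placed in the cert-manager namespace because a ClusterIssuer only reads Secrets from cert-manager's own cluster resource namespace (cert-manager by default).

```yaml
# Added example (not from the original article): CA-backed mTLS chain for cert-manager.
# 1. Self-signed issuer, used only to bootstrap the CA.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
---
# 2. The CA certificate (assumed name internal-ca). It lives in the cert-manager
#    namespace because that is where a ClusterIssuer reads its Secret from.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: internal-ca
  secretName: internal-ca-secret
  duration: 87600h            # 10 years; the long-lived root
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
# 3. Issuer backed by the CA; every workload certificate is now signed by one root,
#    and ca.crt in each issued Secret is that root.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca-issuer
spec:
  ca:
    secretName: internal-ca-secret
---
# 4. Server certificate for app01: short-lived, renewed automatically, fresh key
#    at each renewal. ECDSA keys do not need the key encipherment usage.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app01
  namespace: default
spec:
  secretName: app01-tls-cert-secret
  duration: 24h
  renewBefore: 8h
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  commonName: app01.default.svc.cluster.local
  dnsNames:
    - app01
    - app01.default.svc
    - app01.default.svc.cluster.local
  usages:
    - digital signature
    - server auth
  issuerRef:
    name: internal-ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
# 5. Client certificate for the calling workload (assumed name client01).
#    client auth is the extended key usage a server checks when it requires
#    client certificates; this certificate cannot be used as a server certificate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: client01
  namespace: default
spec:
  secretName: client01-tls-cert-secret
  duration: 24h
  renewBefore: 8h
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  commonName: client01.default.svc.cluster.local
  usages:
    - digital signature
    - client auth
  issuerRef:
    name: internal-ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
```

With both Secrets issued, mount client01-tls-cert-secret into the calling pod at /etc/tls (the same way app01 mounts its Secret in Step 4) and verify from there with `curl --cacert /etc/tls/ca.crt --cert /etc/tls/tls.crt --key /etc/tls/tls.key https://app01.default.svc.cluster.local`. That call verifies the server's chain against the shared CA and presents the client certificate, which a server configured to require client certificates verifies against the same ca.crt; repeating the call without --cert and --key should be rejected by such a server. Keep the separation of usages: a workload that is both a server and a client of other services can carry both server auth and client auth on one certificate, but a pure client should not be issued server auth, since that certificate could then impersonate a service.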
This article was inspired by the following video