How to fulfill AKS advisor recommendation "Kubernetes clusters should be accessible only over HTTPS"
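Given the following AKS advisor recommendation "Kubernetes clusters should be accessible only over HTTPS" with the following remediation steps:
- Disable HTTP by including the kubernetes.io/ingress.allow-http annotation in your ingress manifest. Set the value of the annotation to "false".
- Add Transport Layer Security (TLS) configuration to your ingress manifest. After making changes, redeploy the updated ingress object.
I added the annotation kubernetes.io/ingress.allow-http: "false" to the ingress resource. IMHO the TLS configuration is done as well, which results in the following ingress manifest: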
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: nginx
    meta.helm.sh/release-name: my-release-name
    meta.helm.sh/release-namespace: my-namespace
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/rewrite-target: /
  creationTimestamp: "2021-09-28T12:37:21Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: my-service
  namespace: my-namespace
  resourceVersion: "xxx"
  uid: xxx
spec:
  rules:
  - host: my-service.my-domain.com
    http:
      paths:
      - backend:
          service:
            name: my-service
            port:
              number: 443
        path: /(.*)
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - my-service.my-domain.com
    secretName: my-ingress-tls
status:
  loadBalancer:
    ingress:
    - ip: 10.xxx.xxx.xxx
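...but the recommendation is still listing the resource. What am I missing here, and what should I change to fulfill this recommendation?
Please use the following annotations in the Ingress resource to resolve this alert: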
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
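
An added example, not part of the original question or answer: a Python check that an Ingress object (shaped like `kubectl get ingress -o json` output) carries what the two remediation steps and the answer's annotations ask for. The function names and the sample object are constructed for illustration, and the check does not reproduce the logic Azure Advisor itself evaluates.

```python
ALLOW_HTTP = "kubernetes.io/ingress.allow-http"
FORCE_SSL = "nginx.ingress.kubernetes.io/force-ssl-redirect"

def host_covered(tls_host, host):
    """True if a spec.tls host entry (exact or single-label wildcard) covers host."""
    if tls_host.startswith("*."):
        return "." in host and host.split(".", 1)[1] == tls_host[2:]
    return tls_host == host

def https_only_findings(ingress):
    """Return reasons the Ingress may still serve plain HTTP (empty list = none found)."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec", {})

    # Remediation step 1: annotation values are strings, so compare to "false".
    if ann.get(ALLOW_HTTP) != "false":
        findings.append(f'{ALLOW_HTTP} is {ann.get(ALLOW_HTTP)!r}, expected "false"')

    # Remediation step 2: a TLS section, with a secret covering every rule host.
    tls = spec.get("tls") or []
    if not tls:
        findings.append("spec.tls is missing or empty")
    covered = [h for t in tls if t.get("secretName") for h in t.get("hosts", [])]
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and tls and not any(host_covered(c, host) for c in covered):
            findings.append(f"host {host} has no spec.tls entry with a secretName")

    # Annotation from the answer: ingress-nginx redirect from HTTP to HTTPS.
    if ann.get(FORCE_SSL) != "true":
        findings.append(f'{FORCE_SSL} is {ann.get(FORCE_SSL)!r}, expected "true"')
    return findings

# Constructed sample mirroring the relevant fields of the question's manifest.
QUESTION_INGRESS = {
    "kind": "Ingress",
    "metadata": {"name": "my-service", "namespace": "my-namespace",
                 "annotations": {ALLOW_HTTP: "false",
                                 "kubernetes.io/ingress.class": "nginx"}},
    "spec": {"rules": [{"host": "my-service.my-domain.com"}],
             "tls": [{"hosts": ["my-service.my-domain.com"],
                      "secretName": "my-ingress-tls"}]},
}

if __name__ == "__main__":
    for finding in https_only_findings(QUESTION_INGRESS):
        print("FINDING:", finding)
```

Run against the question's manifest, it reports only the missing force-ssl-redirect annotation that the answer adds.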