Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kelseyhightower/docker-kubernetes-tls-guide
Step by step guide on how to secure Docker and Kubernetes using TLS with CloudFlare’s CFSSL
https://github.com/kelseyhightower/docker-kubernetes-tls-guide
Last synced: about 2 months ago
JSON representation
Step by step guide on how to secure Docker and Kubernetes using TLS with CloudFlare’s CFSSL
- Host: GitHub
- URL: https://github.com/kelseyhightower/docker-kubernetes-tls-guide
- Owner: kelseyhightower
- Created: 2015-06-27T16:39:11.000Z (about 9 years ago)
- Default Branch: master
- Last Pushed: 2015-08-09T03:23:16.000Z (about 9 years ago)
- Last Synced: 2024-04-22T02:17:08.512Z (5 months ago)
- Size: 132 KB
- Stars: 192
- Watchers: 13
- Forks: 26
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-starred - kelseyhightower/docker-kubernetes-tls-guide - Step by step guide on how to secure Docker and Kubernetes using TLS with CloudFlare’s CFSSL (others)
README
# Docker and Kubernetes TLS Guide
This guide will walk you through setting up TLS and TLS cert client authentication for Docker and Kubernetes.
## Install CFSSL
The first step in securing Docker and Kubernetes is to set up a PKI infrastructure for managing TLS certificates.
https://github.com/cloudflare/cfssl
## Review and customize CSRs
The CFSSL tool takes various JSON configuration files to initial a CA and produce certificates. Clone this repo and review the current set of configs and adjust them for you environment.
```
$ git clone https://github.com/kelseyhightower/docker-kubernetes-tls-guide.git
```
## Initialize a CA
Before we can generate any certs we need to initialize a CA.
```
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```
## Docker
The Docker daemon can be [protected using TLS certificates](https://docs.docker.com/articles/https), but instead of using the openssl tools we are going to leverage our PKI from above.
### Generate Server and Client Certs
#### Docker Engine
```
$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=server \
docker-server-csr.json | cfssljson -bare docker-server
```
Results:
```
docker-server-key.pem
docker-server.csr
docker-server.pem
```
#### Docker Client
```
$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=client \
docker-client-csr.json | cfssljson -bare docker-client
```
Results:
```
docker-client-key.pem
docker-client.csr
docker-client.pem
```
### Configure Docker
#### Docker Daemon
Copy the server certs to the Docker host.
```
$ scp ca.pem docker-server-key.pem docker-server.pem [email protected]:~/
```
Move the server certs into place and fix permissions.
```
$ ssh [email protected]
$ sudo mv ca.pem /etc/docker/ca.pem
$ sudo mv docker-server-key.pem /etc/docker/server-key.pem
$ sudo mv docker-server.pem /etc/docker/server.pem
$ sudo chmod 0444 /etc/docker/ca.pem
$ sudo chmod 0400 /etc/docker/server-key.pem
$ sudo chmod 0444 /etc/docker/server.pem
```
Configure the Docker daemon to use the certs.
```
cat > /etc/systemd/system/docker.service < policy.jsonl <