mirror of https://github.com/hashicorp/consul
website: address PR feedback
parent
a4abd8dd76
commit
1b02b9e3c1
|
@ -3,18 +3,18 @@ layout: "docs"
|
||||||
page_title: "Connect Sidecar - Kubernetes"
|
page_title: "Connect Sidecar - Kubernetes"
|
||||||
sidebar_current: "docs-platform-k8s-connect"
|
sidebar_current: "docs-platform-k8s-connect"
|
||||||
description: |-
|
description: |-
|
||||||
Connect is a feature built-in to Consul that enables automatic service-to-service authorization and connection encryption across your Consul services. Connect can be used with Kubernetes to secure pod communication with other services.
|
Connect is a feature built into to Consul that enables automatic service-to-service authorization and connection encryption across your Consul services. Connect can be used with Kubernetes to secure pod communication with other services.
|
||||||
---
|
---
|
||||||
|
|
||||||
# Connect Sidecar on Kubernetes
|
# Connect Sidecar on Kubernetes
|
||||||
|
|
||||||
[Connect](/docs/connect/index.html) is a feature built-in to Consul that enables
|
[Connect](/docs/connect/index.html) is a feature built into to Consul that enables
|
||||||
automatic service-to-service authorization and connection encryption across
|
automatic service-to-service authorization and connection encryption across
|
||||||
your Consul services. Connect can be used with Kubernetes to secure pod
|
your Consul services. Connect can be used with Kubernetes to secure pod
|
||||||
communication with other services.
|
communication with other pods and external Kubernetes services.
|
||||||
|
|
||||||
The Connect sidecar running [Envoy](#) can be automatically injected
|
The Connect sidecar running Envoy can be automatically injected into pods in
|
||||||
into pods in your cluster. This makes Connect configuration for Kubernetes automatic.
|
your cluster, making configuration for Kubernetes automatic.
|
||||||
This functionality is provided by the
|
This functionality is provided by the
|
||||||
[consul-k8s project](https://github.com/hashicorp/consul-k8s) and can be
|
[consul-k8s project](https://github.com/hashicorp/consul-k8s) and can be
|
||||||
automatically installed and configured using the
|
automatically installed and configured using the
|
||||||
|
@ -24,7 +24,7 @@ automatically installed and configured using the
|
||||||
|
|
||||||
When the
|
When the
|
||||||
[Connect injector is installed](/docs/platform/k8s/connect.html#installation-and-configuration),
|
[Connect injector is installed](/docs/platform/k8s/connect.html#installation-and-configuration),
|
||||||
the Connect sidecar is automatically added to pods. This sidecar can both
|
the Connect sidecar is automatically added to all pods. This sidecar can both
|
||||||
accept and establish connections using Connect, enabling the pod to communicate
|
accept and establish connections using Connect, enabling the pod to communicate
|
||||||
to clients and dependencies exclusively over authorized and encrypted
|
to clients and dependencies exclusively over authorized and encrypted
|
||||||
connections.
|
connections.
|
||||||
|
@ -32,6 +32,8 @@ connections.
|
||||||
-> **Note:** The pod specifications in this section are valid and use
|
-> **Note:** The pod specifications in this section are valid and use
|
||||||
publicly available images. If you've installed the Connect injector, feel free
|
publicly available images. If you've installed the Connect injector, feel free
|
||||||
to run the pod specifications in this section to try Connect with Kubernetes.
|
to run the pod specifications in this section to try Connect with Kubernetes.
|
||||||
|
Please note the documentation below this sectionn on how to properly install
|
||||||
|
and configure the Connect injector.
|
||||||
|
|
||||||
### Accepting Inbound Connections
|
### Accepting Inbound Connections
|
||||||
|
|
||||||
|
@ -40,7 +42,7 @@ connections. Notice that the pod would still be fully functional without
|
||||||
Connect. Minimal to zero modifications are required to pod specifications to
|
Connect. Minimal to zero modifications are required to pod specifications to
|
||||||
enable Connect in Kubernetes.
|
enable Connect in Kubernetes.
|
||||||
|
|
||||||
This pod specification starts an server that responds to any
|
This pod specification starts a server that responds to any
|
||||||
HTTP request with the static text "hello world".
|
HTTP request with the static text "hello world".
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
@ -71,7 +73,7 @@ installation requires opt-in using the annotation shown above.
|
||||||
|
|
||||||
This will start a Connect sidecar that listens on a random port registered
|
This will start a Connect sidecar that listens on a random port registered
|
||||||
with Consul and proxies valid inbound connections to port 8080 in the pod.
|
with Consul and proxies valid inbound connections to port 8080 in the pod.
|
||||||
To establish a connection to the pod, a client must use another Connect
|
To establish a connection to the pod using Connect, a client must use another Connect
|
||||||
proxy. The client Connect proxy will use Consul service discovery to find
|
proxy. The client Connect proxy will use Consul service discovery to find
|
||||||
all available upstream proxies and their public ports.
|
all available upstream proxies and their public ports.
|
||||||
|
|
||||||
|
@ -108,33 +110,35 @@ spec:
|
||||||
Pods must specify upstream dependencies with the
|
Pods must specify upstream dependencies with the
|
||||||
[`consul.hashicorp.com/connect-service-upstreams` annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-service-upstreams).
|
[`consul.hashicorp.com/connect-service-upstreams` annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-service-upstreams).
|
||||||
This annotation declares the names of any upstream dependencies and a
|
This annotation declares the names of any upstream dependencies and a
|
||||||
local port to listen on. When a connection is established to that local
|
local port for the proxy to listen on. When a connection is established to that local
|
||||||
port, the proxy establishes a connection to the target service
|
port, the proxy establishes a connection to the target service
|
||||||
("static-server" in this example) using
|
("static-server" in this example) using
|
||||||
mutual TLS and identifying as the source service ("static-client" in this
|
mutual TLS and identifying as the source service ("static-client" in this
|
||||||
example).
|
example).
|
||||||
|
|
||||||
The injector will also set environment variables `<NAME>_CONNECT_SERVICE_HOST`
|
The injector will also set environment variables `<NAME>_CONNECT_SERVICE_HOST`
|
||||||
and `<NAME>_CONNECT_SERVICE_PORT` for every defined upstream. This is
|
and `<NAME>_CONNECT_SERVICE_PORT` in every container in the pod for every defined
|
||||||
analogous to the standard Kubernetes service environment variables, but
|
upstream. This is analogous to the standard Kubernetes service environment variables, but
|
||||||
point instead to the correct local proxy port to establish connections via
|
point instead to the correct local proxy port to establish connections via
|
||||||
Connect.
|
Connect.
|
||||||
|
|
||||||
Any containers running in the pod that need to establish connections
|
Any containers running in the pod that need to establish connections
|
||||||
to dependencies must be reconfigured to use the local upstream address.
|
to dependencies must be reconfigured to use the local upstream address either
|
||||||
|
directly or using the environment variables set by the injector (defined above).
|
||||||
This means pods should not use Kubernetes service DNS or environment
|
This means pods should not use Kubernetes service DNS or environment
|
||||||
variables for these connections.
|
variables for these connections.
|
||||||
|
|
||||||
|
|
||||||
We can verify access to the static text server using `kubectl exec`. Notice
|
We can verify access to the static text server using `kubectl exec`. Notice
|
||||||
that we `curl` the local address and local port 1234 specified with our
|
that we use the local address and port from the upstream annotation (1234)
|
||||||
upstreams.
|
for this verification.
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
$ kubectl exec static-client -- curl -s http://127.0.0.1:1234/
|
$ kubectl exec static-client -- curl -s http://127.0.0.1:1234/
|
||||||
"hello world"
|
"hello world"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
We can control access to the server using [intentions](/docs/connect/intentions.html).
|
||||||
If you use the Consul UI or [CLI](/docs/commands/intention/create.html) to
|
If you use the Consul UI or [CLI](/docs/commands/intention/create.html) to
|
||||||
create a deny [intention](/docs/connect/intentions.html) between
|
create a deny [intention](/docs/connect/intentions.html) between
|
||||||
"static-client" and "static-server", connections are immediately rejected
|
"static-client" and "static-server", connections are immediately rejected
|
||||||
|
@ -152,9 +156,9 @@ Annotations can be used to configure the injection behavior.
|
||||||
|
|
||||||
* `consul.hashicorp.com/connect-inject` - If this is "true" then injection
|
* `consul.hashicorp.com/connect-inject` - If this is "true" then injection
|
||||||
is enabled. If this is "false" then injection is explicitly disabled.
|
is enabled. If this is "false" then injection is explicitly disabled.
|
||||||
The default is configurable on the injector itself. When installing
|
The default injector behavior requires pods to opt-in to injection by
|
||||||
the injector, the default behavior requires pod specify this to opt-in to
|
specifying this value as "true". This default can be changed in the
|
||||||
injection.
|
injector's configuration if desired.
|
||||||
|
|
||||||
* `consul.hashicorp.com/connect-service` - For pods that accept inbound
|
* `consul.hashicorp.com/connect-service` - For pods that accept inbound
|
||||||
connections, this specifies the name of the service that is being
|
connections, this specifies the name of the service that is being
|
||||||
|
@ -162,10 +166,11 @@ Annotations can be used to configure the injection behavior.
|
||||||
|
|
||||||
* `consul.hashicorp.com/connect-service-port` - For pods that accept inbound
|
* `consul.hashicorp.com/connect-service-port` - For pods that accept inbound
|
||||||
connections, this specifies the port to route inbound connections to. This
|
connections, this specifies the port to route inbound connections to. This
|
||||||
is the port that the service is listening on. The proxy will listen on
|
is the port that the service is listening on. The service port defaults to
|
||||||
a dynamic port. This defaults to the first exposed port on any container
|
the first exposed port on any container in the pod. If specified, the value
|
||||||
in the pod. If specified, the value can be the _name_ of a configured port,
|
can be the _name_ of a configured port, such as "http" or it can be a direct
|
||||||
such as "http" or it can be a direct port value such as "8080".
|
port value such as "8080". This is the port of the _service_, the proxy
|
||||||
|
public listener will listen on a dynamic port.
|
||||||
|
|
||||||
* `consul.hashicorp.com/connect-service-upstreams` - The list of upstream
|
* `consul.hashicorp.com/connect-service-upstreams` - The list of upstream
|
||||||
services that this pod needs to connect to via Connect along with a static
|
services that this pod needs to connect to via Connect along with a static
|
||||||
|
|
|
@ -320,10 +320,12 @@ and consider if they're appropriate for your deployment.
|
||||||
If true, the injector will inject the Connect sidecar into all pods by
|
If true, the injector will inject the Connect sidecar into all pods by
|
||||||
default. Otherwise, pods must specify the
|
default. Otherwise, pods must specify the
|
||||||
[injection annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-inject)
|
[injection annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-inject)
|
||||||
to opt-in to Connect injection.
|
to opt-in to Connect injection. If this is true, pods can use the same
|
||||||
|
annotation to explicitly opt-out of injection.
|
||||||
|
|
||||||
- <a name="v-connectinject-namespaceselector" href="#v-connectinject-namespaceselector">`namespaceSelector`</a> (`string: ""`) -
|
- <a name="v-connectinject-namespaceselector" href="#v-connectinject-namespaceselector">`namespaceSelector`</a> (`string: ""`) -
|
||||||
A selector for restricting injection to only matching namespaces. By default
|
A [selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
|
||||||
|
for restricting injection to only matching namespaces. By default
|
||||||
all namespaces except the system namespace will have injection enabled.
|
all namespaces except the system namespace will have injection enabled.
|
||||||
|
|
||||||
- <a name="v-connectinject-certs" href="#v-connectinject-certs">`certs`</a> -
|
- <a name="v-connectinject-certs" href="#v-connectinject-certs">`certs`</a> -
|
||||||
|
@ -332,10 +334,10 @@ and consider if they're appropriate for your deployment.
|
||||||
webhook. By default, the injector will generate and manage its own certs,
|
webhook. By default, the injector will generate and manage its own certs,
|
||||||
but this requires the ability for the injector to update its own
|
but this requires the ability for the injector to update its own
|
||||||
`MutatingWebhookConfiguration`. In a production environment, custom certs
|
`MutatingWebhookConfiguration`. In a production environment, custom certs
|
||||||
should probaly be used. Configure the values below to enable this.
|
should probably be used. Configure the values below to enable this.
|
||||||
|
|
||||||
* <a name="v-connectinject-certs-secretname" href="#v-connectinject-certs-secretname">`secretName`</a> (`string: null`) -
|
* <a name="v-connectinject-certs-secretname" href="#v-connectinject-certs-secretname">`secretName`</a> (`string: null`) -
|
||||||
secretName is the name of the secret that has the TLS certificate and
|
secretName is the name of the Kubernetes secret that has the TLS certificate and
|
||||||
private key to serve the injector webhook. If this is null, then the
|
private key to serve the injector webhook. If this is null, then the
|
||||||
injector will default to its automatic management mode.
|
injector will default to its automatic management mode.
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue