Kubernetes API-GW service
Kong with TLS + Auth
Ambassador with TLS + Auth
- TLS
- https://github.com/kubernetes/kubernetes/issues/53100
  Strip the passphrase from the private key before creating the TLS secret (see the linked issue):
openssl rsa -in encrypted-private.key -out unencrypted.key
- The gcloud user must hold the cluster-admin role so that it can create the new role for the Ambassador role binding:
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud info --format="value(config.account)")
- Ambassador needs a service account bound to a role that lets it read the cluster's services and secrets and read/write its configmaps:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: iot-proxy
  name: ambassador
rules:
- apiGroups: [""]
  resources:
  - services
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources:
  - configmaps
  verbs: ["create", "update", "patch", "get", "list", "watch"]
- apiGroups: [""]
  resources:
  - secrets
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: iot-proxy
  name: ambassador
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  namespace: iot-proxy
  name: ambassador
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ambassador
subjects:
- kind: ServiceAccount
  name: ambassador
  namespace: iot-proxy
- kind: ServiceAccount
  name: default
  namespace: iot-proxy
  Note that the binding also grants the role to the namespace's default ServiceAccount, so any pod in iot-proxy running under that account can read the same secrets.
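As an added example (not part of the original notes), the following script checks from the outside that the ambassador ServiceAccount ended up with exactly the permissions the manifest above grants, using "kubectl auth can-i --as=..." plus negative checks that catch an over-broad binding. It assumes kubectl is configured against the cluster; the KUBECTL variable, the expected matrix and the function names are the author's own choices here.

```shell
# Audit the ambassador ServiceAccount's effective permissions with
# "kubectl auth can-i --as=<sa>" and compare them with the ClusterRole above.
# Assumes kubectl is configured for the cluster; KUBECTL may be overridden
# with a stub so the logic can be exercised without a cluster.
KUBECTL="${KUBECTL:-kubectl}"
SA_USER="system:serviceaccount:iot-proxy:ambassador"  # SA from the manifest
NS="iot-proxy"

# Expected matrix: "resource verb verdict". The "yes" rows come from the
# ClusterRole rules; the "no" rows are negative checks that catch an
# over-broad binding (e.g. the SA accidentally bound to cluster-admin).
expected_matrix() {
  cat <<'EOF'
services get yes
services list yes
services delete no
configmaps create yes
configmaps update yes
configmaps get yes
configmaps delete no
secrets get yes
secrets list yes
secrets watch yes
secrets create no
secrets delete no
pods list no
EOF
}

# Ask the API server whether the SA may <verb> <resource>; prints yes|no.
# Newer kubectl prints "no - <reason>", so keep only the first word.
can_i() {
  "$KUBECTL" auth can-i "$1" "$2" --as="$SA_USER" -n "$NS" 2>/dev/null |
    awk 'NR == 1 { print $1 }'
}

# Returns 0 when every row matches the cluster's answer, 1 otherwise.
# Usage (with a configured kubectl): audit_ambassador_rbac
audit_ambassador_rbac() {
  mismatches=$(expected_matrix | while read -r res verb want; do
    got=$(can_i "$verb" "$res")
    [ "$got" = "$want" ] || echo "MISMATCH $res/$verb: want $want, got ${got:-<none>}"
  done)
  if [ -n "$mismatches" ]; then
    printf '%s\n' "$mismatches" >&2
    return 1
  fi
  echo "RBAC for $SA_USER matches the expected matrix"
}
```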
- Auth