kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Document how to set up TLS for a workload #14725

Open sftim opened 5 years ago

sftim commented 5 years ago

This is a Feature Request

What would you like to be added: Add documentation that covers the different ways to protect communications in transit for a workload.

Explain prerequisites to include an understanding of SSL / TLS, maybe SNI and X.509 too. Help readers understand the topic and signpost away anyone looking for other docs (eg how to use TLS with the control plane).

Explain prerequisites to deploying TLS: stable hostname, private key, certificate. Maybe mention ACME if this doesn't make the page too long.

Discuss hosting options:

What's next: signpost readers to relevant add-ons, eg https://github.com/jetstack/cert-manager signpost readers to learn about using

for TLS.

Why is this needed: There are several options for using TLS in connection with Kubernetes for application workloads. If you learn N-1 of these, it's not easy to spot that you haven't encountered all of them.

Comments: The aim I have in mind is that there's a single page for the topic. If I meet someone who wants to learn about TLS for workloads on Kubernetes I give them a link to that page and they can find what they need to by reading the page and clicking links (they don't have to rely on the search form or on a 3rd-party search website).

If linking to 3rd party content, bear the content guide in mind.

14727 is kind of similar; it's more broadly focused on encryption at rest in general. It feels OK to focus on TLS rather than the bigger picture of encryption in transit. Cluster operators are going to be much, much more likely to pick TLS to protect their application data over (eg) Kerberos or IPSEC.

fejta-bot commented 5 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

sftim commented 5 years ago

/kind feature /priority important-longterm

fejta-bot commented 4 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten

sftim commented 4 years ago

/remove-lifecycle rotten

sftim commented 4 years ago

Also see #17848

fejta-bot commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot commented 4 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten

sftim commented 4 years ago

/remove-lifecycle rotten

sftim commented 4 years ago

Think this is important enough to merit /lifecycle frozen

sftim commented 4 years ago

Relevant to PR https://github.com/kubernetes/website/pull/23522

sftim commented 3 years ago

/sig security

sftim commented 3 years ago

Also IMO /sig usability

sftim commented 3 years ago

/language en

sftim commented 3 years ago

/remove-priority important-longterm I'll let SIG Security decide on that

savitharaghunathan commented 3 years ago

/priority important-longterm

savitharaghunathan commented 3 years ago

/triage accepted

sftim commented 2 years ago

Duplicated by https://github.com/kubernetes/website/issues/31269

tomkivlin commented 2 years ago

I'd like to work on this. @sftim do you see this as a page in /concepts/security/ with the description of what TLS is and what it's used for in Kubernetes, with some "what's next" content pointing to a new page in /tasks/tls/ with the scenarios you've described etc.?

tomkivlin commented 2 years ago

/assign

sftim commented 2 years ago

> do you see this as a page in /concepts/security/ with the description of what TLS is and what it's used for in Kubernetes, with some "what's next" content pointing to a new page in /tasks/tls/ with the scenarios you've described etc.?

I hadn't got that far @tomkivlin. What you suggest sounds good to me.

Have a think about whether the concept would be “encryption in transit” or specifically “TLS”. If you have the appetite for it, the concept could even be “How Kubernetes Uses Encryption”.

Maybe there will be more than one task page. Also some existing task pages cover TLS in one way or another.

tomkivlin commented 2 years ago

@sftim I like that idea. What I'll do then is a new page e.g. /concepts/security/kubernetes-encryption.md which can cover encryption at rest (etcd, secrets, volumes, etc.), in transit (Pods, Services, Ingress, etc.) and link off to other existing pages. I'll create any task pages as needed.

sftim commented 2 years ago

Encryption is also used for authn in various ways. I don't think we use it for nonrepudiation.

tomkivlin commented 2 years ago

NB I have started work on this, will prepare a PR when I'm back from holiday.

https://github.com/tomkivlin/website/blob/tomkivlin/issue14725/content/en/docs/concepts/security/kubernetes-encryption.md

sftim commented 2 years ago

Great! I look forward to seeing this merged.

mehabhalodiya commented 1 year ago

@tomkivlin I don't see any updates regarding any PR, so unassigning you. Please feel free to assign yourself if you come back here again and are willing to work on it 🙂

/unassign @tomkivlin

tomkivlin commented 1 year ago

/assign

insaaniManav commented 5 months ago

Hi, I'd love to make this happen. Can I be assigned this issue?

sftim commented 5 months ago

Here's how to work on this:

We've a lengthier guide at https://kubernetes.io/docs/contribute/new-content/

insaaniManav commented 5 months ago

/assign

insaaniManav commented 5 months ago

Hi, so continuing this conversation: are we still going with what was suggested by @tomkivlin on this? Is it okay if I continue work where they left off on their branch?

sftim commented 5 months ago

(yes, it's OK - because we have a CLA in place for @tomkivlin)

tomkivlin commented 5 months ago

> Hi, so continuing this conversation: are we still going with what was suggested by @tomkivlin on this? Is it okay if I continue work where they left off on their branch?

Fine by me! Sorry for not being able to continue this.