Kubernetes / Docker - SSL certificates for web service use

6/3/2020

I have a Python web service that collects data from frontend clients. Every few seconds, it creates a Pulsar producer on our topic and sends the collected data. I have also set up a Dockerfile to build an image and am working on deploying it to our organization's Kubernetes cluster.

The Pulsar code relies on certificate and key .pem files for TLS authentication, which are loaded over file paths in the test code. However, if the .pem files are included in the built Docker image, it will result in an obvious compliance violation from the Twistlock scan on our Kubernetes instance.

I am pretty inexperienced with Docker, Kubernetes, and security with certificates in general. What would be the best way to store and load the .pem files for use with this web service?

-- user3093540
docker
kubernetes
ssl

1 Answer

6/3/2020

You can mount certificates in the Pod with a Kubernetes Secret.

First, you need to create a Kubernetes Secret. (Copy your certificate to somewhere kubectl is configured for your Kubernetes cluster; for example, take the file mykey.pem and copy it to the /opt/certs folder.)

kubectl create secret generic mykey-pem --from-file=/opt/certs/

Confirm it was created correctly:

kubectl describe secret mykey-pem

Mount your secret in your deployment (for example nginx deployment):

apiVersion: apps/v1
kind: Deployment 
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        volumeMounts:
          # Each key of the Secret appears as a file under this directory,
          # e.g. /etc/nginx/ssl/mykey.pem
          - mountPath: "/etc/nginx/ssl"
            name: nginx-ssl
            readOnly: true
        ports:
        - containerPort: 80
      volumes:
        # Secret volume: the files are projected from the Secret, not the image
        - name: nginx-ssl
          secret:
            secretName: mykey-pem
      restartPolicy: Always

After that, the .pem files will be available inside the container, and you don't need to include them in the Docker image.

-- Alex0M
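As an added example (not code from the question or the answer above), here is how the Python side of the service could pick up the mounted Secret instead of hard-coded test paths. It assumes the Secret is mounted at the directory named by the `PULSAR_TLS_DIR` environment variable (defaulting to `/etc/pulsar/tls`) and that its keys are named `tls.crt`, `tls.key` and `ca.crt`; all of these names are assumptions, not Pulsar or Kubernetes defaults. Before handing the paths to `pulsar.Client`, it checks that the files exist, look like PEM, and that the private key is not world-readable (a Secret volume is mounted with mode 0644 unless the pod spec sets `defaultMode`).

```python
"""Resolve Pulsar TLS material from a Kubernetes Secret mounted as files.

Added example, not code from the original question or answer. Assumes the
Secret is mounted at PULSAR_TLS_DIR (default /etc/pulsar/tls, an assumption)
with keys named tls.crt, tls.key and ca.crt (also assumptions; create the
Secret with --from-file=tls.crt=... etc. to get these names).
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

DEFAULT_TLS_DIR = "/etc/pulsar/tls"  # hypothetical mount path

# pulsar-client keyword -> file name (Secret key) under the mount directory
TLS_FILES = {
    "certificate_path": "tls.crt",          # client cert for pulsar.AuthenticationTLS
    "private_key_path": "tls.key",          # client key for pulsar.AuthenticationTLS
    "tls_trust_certs_file_path": "ca.crt",  # CA that signed the broker cert
}


class TlsMaterialError(RuntimeError):
    """Raised when the mounted Secret is missing, incomplete or mis-permissioned."""


def check_tls_dir(tls_dir: str) -> List[str]:
    """Return a list of problems with the mounted Secret (empty when usable).

    Checks: directory is mounted, every expected file is present, each file
    starts with a PEM header (catches empty or double-base64-encoded Secret
    values), and the private key is not world-readable. Group read is
    tolerated: with pod securityContext.fsGroup set, Secret files are owned
    by root:fsGroup, so 0440 is the usual safe mode for a non-root container.
    """
    problems: List[str] = []
    base = Path(tls_dir)
    if not base.is_dir():
        return [f"{base} is not a directory; is the Secret volume mounted?"]
    for name in TLS_FILES.values():
        path = base / name
        if not path.is_file():
            problems.append(f"{path} missing; check the Secret's key names")
            continue
        if b"-----BEGIN " not in path.read_bytes()[:64]:
            problems.append(f"{path} does not start with a PEM header")
    key = base / TLS_FILES["private_key_path"]
    if key.is_file():
        mode = stat.S_IMODE(os.stat(key).st_mode)  # os.stat follows the ..data symlink
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            problems.append(
                f"{key} is world-readable (mode {mode:04o}); set the volume's "
                "defaultMode to 0440 (or 0400 if the container runs as the owner)"
            )
    return problems


def load_tls_paths(tls_dir: Optional[str] = None) -> Dict[str, str]:
    """Return {pulsar kwarg: path}, failing fast with every problem listed."""
    tls_dir = tls_dir or os.environ.get("PULSAR_TLS_DIR", DEFAULT_TLS_DIR)
    problems = check_tls_dir(tls_dir)
    if problems:
        raise TlsMaterialError("; ".join(problems))
    return {kw: str(Path(tls_dir) / name) for kw, name in TLS_FILES.items()}


def make_producer(service_url: str, topic: str, tls_dir: Optional[str] = None):
    """Build a Pulsar producer that authenticates with the mounted cert and key.

    pulsar is imported lazily so the checks above run without pulsar-client.
    """
    import pulsar  # pip install pulsar-client

    paths = load_tls_paths(tls_dir)
    client = pulsar.Client(
        service_url,  # e.g. pulsar+ssl://broker:6651 (hypothetical)
        authentication=pulsar.AuthenticationTLS(
            paths["certificate_path"], paths["private_key_path"]
        ),
        tls_trust_certs_file_path=paths["tls_trust_certs_file_path"],
        tls_allow_insecure_connection=False,  # keep broker certificate verification on
    )
    return client.create_producer(topic)


def make_constructed_fixture(key_mode: int = 0o400) -> str:
    """Write placeholder PEM files to a temp dir to dry-run the checks locally.

    The contents are constructed stand-ins, not real keys or certificates.
    """
    d = tempfile.mkdtemp(prefix="pulsar-tls-")
    for kw, name in TLS_FILES.items():
        label = "PRIVATE KEY" if kw == "private_key_path" else "CERTIFICATE"
        Path(d, name).write_text(
            f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"
        )
    os.chmod(Path(d, TLS_FILES["private_key_path"]), key_mode)
    return d


if __name__ == "__main__":
    print(load_tls_paths(make_constructed_fixture()))
    # 0644 is what a Secret volume gets when defaultMode is not set
    print(check_tls_dir(make_constructed_fixture(key_mode=0o644)))
```

In the pod spec this pairs with a `secret` volume mounted `readOnly: true` at the same directory, `defaultMode: 0440` on the volume, a `securityContext.fsGroup` matching the container's group, and an env entry setting `PULSAR_TLS_DIR` to the mount path. Because the key check fails closed, a deployment that forgot `defaultMode` shows up as a startup error rather than a world-readable key sitting quietly in the container.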
Source: StackOverflow