我的书签
添加书签
移除书签Install Typha
We will use mutually authenticated TLS to ensure that calico/node and Typha communicate securely. In this section, we generate a certificate authority (CA) and use it to sign a certificate for Typha.
Create the CA certificate and key
Store the CA certificate in a ConfigMap that Typha & calico/node will access.
kubectl create configmap -n kube-system calico-typha-ca --from-file=typhaca.crt
Create the Typha key and certificate signing request (CSR)
openssl req -newkey rsa:4096 \-keyout typha.key \-nodes \-out typha.csr \-subj "/CN=calico-typha"
The certificate presents the Common Name (CN) as calico-typha. calico/node will be configured to verify this name.
openssl x509 -req -in typha.csr \-CA typhaca.crt \-CAkey typhaca.key \-CAcreateserial \-out typha.crt \-days 365
Store the Typha key and certificate in a secret that Typha will access
Create a ServiceAccount that will be used to run Typha.
kubectl create serviceaccount -n kube-system calico-typha
Define a cluster role for Typha with permission to watch Calico datastore objects.
kubectl apply -f - <<EOFkind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: calico-typharules:- apiGroups: [""]resources:- pods- namespaces- serviceaccounts- endpoints- services- nodesverbs:# Used to discover service IPs for advertisement.- watch- list- apiGroups: ["networking.k8s.io"]resources:- networkpolicies- watch- listresources:- globalfelixconfigs- felixconfigurations- bgppeers- globalbgpconfigs- bgpconfigurations- ippools- ipamblocks- globalnetworkpolicies- globalnetworksets- networkpolicies- clusterinformations- hostendpoints- blockaffinities- networksetsverbs:- get- list- watch- apiGroups: ["crd.projectcalico.org"]resources:#- ippools#- felixconfigurations- clusterinformationsverbs:- get- create- updateEOF
Bind the cluster role to the calico-typha ServiceAccount.
kubectl create clusterrolebinding calico-typha --clusterrole=calico-typha --serviceaccount=kube-system:calico-typha
Since Typha is required by calico/node, and calico/node establishes the pod network, we run Typha as a host networked pod to avoid a chicken-and-egg problem. We run 3 replicas of Typha so that even during a rolling update, a single failure does not make Typha unavailable.
Verify Typha is up an running with three instances
kubectl get pods -l k8s-app=calico-typha -n kube-system
Result:
NAME READY STATUS RESTARTS AGEcalico-typha-66498ddfbd-2pzsr 1/1 Running 0 69scalico-typha-66498ddfbd-lrtzw 1/1 Running 0 50scalico-typha-66498ddfbd-scckd 1/1 Running 0 62s
uses a Kubernetes Service to get load-balanced access to Typha.
kubectl apply -f - <<EOFkind: Servicemetadata:name: calico-typhanamespace: kube-systemlabels:k8s-app: calico-typhaspec:ports:- port: 5473protocol: TCPtargetPort: calico-typhaname: calico-typhaselector:k8s-app: calico-typhaEOF
Validate that Typha is using TLS.
Result
* Rebuilt URL to: https://10.103.120.116:5473/* Trying 10.103.120.116...* TCP_NODELAY set* Connected to 10.103.120.116 (10.103.120.116) port 5473 (#0)* ALPN, offering h2* ALPN, offering http/1.1* successfully set certificate verify locations:* CAfile: typhaca.crtCApath: /etc/ssl/certs* (304) (OUT), TLS handshake, Client hello (1):* (304) (IN), TLS handshake, Server hello (2):* TLSv1.2 (IN), TLS handshake, Certificate (11):* TLSv1.2 (IN), TLS handshake, Server key exchange (12):* TLSv1.2 (IN), TLS handshake, Request CERT (13):* TLSv1.2 (IN), TLS handshake, Server finished (14):* TLSv1.2 (OUT), TLS handshake, Certificate (11):* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):* TLSv1.2 (OUT), TLS change cipher, Client hello (1):* TLSv1.2 (OUT), TLS handshake, Finished (20):* TLSv1.2 (IN), TLS alert, Server hello (2):* error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate* stopped the pause stream!* Closing connection 0curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
