Hardening TaskD Security

After TaskD starts, it starts a gRPC client that communicates with ClusterD. gRPC is also used between the internal components of TaskD (Manager, Proxy, Agent, and Worker). By default, TaskD uses the insecure gRPC mode, that is, plaintext traffic that can be read or tampered with by anyone on the network path. You can use TLS encryption with certificate-based authentication to protect this communication.

The following uses Nginx as an example to describe how to use a local network proxy to encrypt and mutually authenticate the cross-node communication of TaskD. TaskD itself keeps speaking plaintext gRPC, but only to an Nginx instance listening on 127.0.0.1 inside the same pod; that Nginx terminates and originates TLS for every hop that leaves the pod. The loopback hop therefore stays unencrypted and is reachable by any process in the pod's network namespace, so do not put untrusted containers in the task pod.

Prerequisites

Before configuring mutual (two-way) TLS authentication, prepare the following certificate files. All of them must be issued by, or chain to, the same root CA, because rootCA.crt is the only trust anchor the proxies use.

  • rootCA.crt      Root CA certificate used by both sides to verify the peer.
  • client.crt      Client certificate presented by the Nginx proxy of each pod when it connects to ClusterD or to the master pod.
  • client.key      Private key of client.crt.
  • server.crt      Server certificate of the master pod's Nginx listener; the name the worker proxies use in grpc_ssl_name must appear in its SAN (or CN).
  • server.key      Private key of server.crt. It must be passphrase-protected (not stored in plaintext); Nginx asks for the passphrase when it is started in Step 7.
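The page lists the five files but not how to produce them or how to check that they will satisfy the Nginx verification settings used later (chain to rootCA.crt, correct purpose, name present in the SAN, passphrase-protected server key). The script below is an added example, not part of the TaskD documentation or of any MindX/Ascend tooling: it builds a small test PKI with openssl and then re-does the checks the two proxies will perform at run time. The CA name, the master name taskd-master.default.svc, the IP 10.0.0.10 and the passphrases are placeholders you must replace; the CA key is left unencrypted only so the example runs unattended.

```shell
#!/bin/sh
# Added example (not from the TaskD docs): build rootCA.crt, server.crt/.key,
# client.crt/.key as a two-tier PKI with openssl, then verify them the way the
# Nginx proxies will. All names, IPs and passphrases below are placeholders.
set -eu

# gen_taskd_pki DIR MASTER_NAME MASTER_IP SERVER_PASS
#   DIR          target directory ("path A" in the procedure)
#   MASTER_NAME  the name worker proxies will use in grpc_ssl_name
#   MASTER_IP    the address the master-pod Nginx listens on (added as IP SAN)
#   SERVER_PASS  passphrase for server.key (Nginx prompts for it at start-up)
gen_taskd_pki() {
  dir=$1; master_name=$2; master_ip=$3; server_pass=$4
  mkdir -p "$dir"
  cnf=$dir/req.cnf; ext=$dir/ext.cnf
  # Minimal req config so the script does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = v3_ca\n[dn]\nCN = placeholder\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$cnf"

  # 1. Self-signed root CA (EC P-256). Demo only: a real CA key stays off the nodes.
  openssl req -x509 -config "$cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=TaskD Test Root CA" -days 3650 -keyout "$dir/rootCA.key" -out "$dir/rootCA.crt"

  # 2. Server certificate for the master-pod listener (ssl_certificate/_key).
  #    serverAuth EKU, DNS+IP SANs, and a passphrase-protected key as the procedure requires.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s,IP:%s\n' "$master_name" "$master_ip" > "$ext"
  openssl req -new -config "$cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -passout "pass:$server_pass" -subj "/CN=$master_name" -keyout "$dir/server.key" -out "$dir/server.csr"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -CAcreateserial \
    -days 825 -extfile "$ext" -out "$dir/server.crt"

  # 3. Client certificate presented by every proxy hop (grpc_ssl_certificate/_key).
  #    clientAuth only, so it can never be abused as a server certificate.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = clientAuth\n' > "$ext"
  openssl req -new -config "$cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=taskd-proxy-client" -keyout "$dir/client.key" -out "$dir/client.csr"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -CAcreateserial \
    -days 825 -extfile "$ext" -out "$dir/client.crt"

  rm -f "$dir"/*.csr "$dir"/*.srl "$cnf" "$ext"
  chmod 400 "$dir"/*.key   # permission 400, as the Nginx config comments require
  chmod 444 "$dir"/*.crt
}

# check_taskd_pki DIR SERVER_PASS MASTER_NAME
#   Mirrors what the proxies do at run time: chain validation with the right
#   purpose, the grpc_ssl_name match against the SAN, an encrypted server key
#   that the passphrase actually unlocks, and 400 permissions on that key.
#   Returns non-zero at the first failing check.
check_taskd_pki() {
  dir=$1; server_pass=$2; master_name=$3
  openssl verify -CAfile "$dir/rootCA.crt" -purpose sslserver "$dir/server.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$dir/rootCA.crt" -purpose sslclient "$dir/client.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$dir/server.crt" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$master_name" &&
  grep -q 'ENCRYPTED' "$dir/server.key" &&
  openssl pkey -in "$dir/server.key" -passin "pass:$server_pass" -noout 2>/dev/null &&
  [ "$(stat -c %a "$dir/server.key" 2>/dev/null || stat -f %Lp "$dir/server.key")" = 400 ]
}

# Usage: TASKD_PKI_PASS='...' sh gen_taskd_pki.sh   (writes into ./taskd-pki)
if [ -n "${TASKD_PKI_PASS:-}" ]; then
  gen_taskd_pki ./taskd-pki taskd-master.default.svc 10.0.0.10 "$TASKD_PKI_PASS"
  check_taskd_pki ./taskd-pki "$TASKD_PKI_PASS" taskd-master.default.svc && echo "PKI OK"
fi
```

Copy the five files from the output directory into path A (Step 2). The check function is the useful part to keep: run it against any externally issued certificates before Step 7, because a missing SAN or a wrong purpose only shows up later as a failed handshake in error.log.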

Procedure

  1. Pull the Nginx image.
    docker pull nginx
  2. Save all the certificate files in Prerequisites to path A.
  3. Prepare the Nginx proxy configuration file of the master pod. Create the conf folder in path A, create a file named master_nginx.conf in the folder, and write the following content to the file:
    worker_processes 1;
    worker_cpu_affinity 0001;
    worker_rlimit_nofile 4096;
    events {
      worker_connections 4096;
    }
    http {
      access_log /etc/nginx/access.log;
      error_log /etc/nginx/error.log;

      # Outbound hop to ClusterD. TaskD's gRPC client speaks plaintext HTTP/2 (h2c)
      # to this loopback listener only; the proxy originates TLS and presents
      # client.crt so that ClusterD can authenticate the pod.
      server {
        listen 127.0.0.1:8899;
        http2 on;                      # Requires nginx 1.25.1 or later; older versions use "listen ... http2;"
        location / {
          grpc_pass grpcs://{Pod IP address of ClusterD}:9500;
          grpc_ssl_verify on;
          grpc_ssl_trusted_certificate /etc/nginx/rootCA.crt;
          grpc_ssl_certificate /etc/nginx/client.crt;
          grpc_ssl_certificate_key /etc/nginx/client.key;
          grpc_ssl_verify_depth 2;
          grpc_ssl_protocols TLSv1.2 TLSv1.3;
          grpc_ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
          grpc_ssl_name {SAN or CN in the ClusterD server certificate};   # Checked against the upstream certificate; a mismatch fails the connection
        }
      }

      # Inbound hop from worker pods. You do not need to configure this server for a single-pod task.
      server {
        listen {IP address of the master pod}:9601 ssl;
        proxy_ssl_session_reuse off;
        http2 on;
        ssl_certificate     /etc/nginx/server.crt;      # Server certificate path (permission: 400)
        ssl_certificate_key /etc/nginx/server.key;      # Server private key; must be passphrase-protected, never stored in plaintext (permission: 400). Nginx prompts for the passphrase at start-up.
        ssl_client_certificate /etc/nginx/rootCA.crt;   # Root certificate used to verify worker client certificates
        ssl_verify_client on;                           # Reject any peer that does not present a valid client certificate
        ssl_verify_depth 2;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";   # Governs TLS 1.2 only; TLS 1.3 suites are OpenSSL's defaults
        location / {
          grpc_pass grpc://127.0.0.1:9601;   # Plaintext h2c to the TaskD master on loopback
        }
      }
    }
  4. Skip this step for a single-pod task. Prepare the Nginx proxy configuration file of the worker pod. In the conf folder of path A (create it if it does not exist), create a file named worker_nginx.conf and write the following content to the file:
    worker_processes 1;
    worker_cpu_affinity 0001;
    worker_rlimit_nofile 4096;
    events {
      worker_connections 4096;
    }
    http {
      access_log /etc/nginx/access.log;
      error_log /etc/nginx/error.log;

      # Outbound hop to the master pod. The TaskD worker speaks plaintext HTTP/2 (h2c)
      # to this loopback listener; the proxy originates TLS to the master's 9601 listener.
      server {
        listen 127.0.0.1:9601;
        http2 on;                      # Requires nginx 1.25.1 or later; older versions use "listen ... http2;"
        location / {
          grpc_pass grpcs://{master svc ip}:9601;  # Run "kubectl get svc -A | grep {jobname}" to query the svc IP address
          grpc_ssl_verify on;
          grpc_ssl_trusted_certificate /etc/nginx/rootCA.crt;
          grpc_ssl_certificate /etc/nginx/client.crt;
          grpc_ssl_certificate_key /etc/nginx/client.key;
          grpc_ssl_verify_depth 2;
          grpc_ssl_protocols TLSv1.2 TLSv1.3;
          grpc_ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
          grpc_ssl_name {SAN or CN in the master server certificate};   # Must match a name in server.crt of the master pod; with grpc_ssl_verify on, a mismatch fails the connection
        }
      }
    }
  5. Inject the environment variables used by the local proxy into the task YAML file. With LOCAL_PROXY_ENABLE set to on, TaskD sends its gRPC traffic to the local Nginx listeners instead of connecting to ClusterD or the master directly.
    env:
      - name: TTP_PORT
        value: "8000"
      - name: LOCAL_PROXY_ENABLE
        value: "on"          # Whether to use the local proxy for communication
  6. Add the following Nginx sidecar container and volume to the task pod. The sidecar shares the pod's network namespace, which is what lets TaskD reach it on 127.0.0.1. Because the certificates and keys are mounted from the node with hostPath, keep the key files readable only by their owner (permission 400); note that Nginx also writes access.log and error.log into this directory.
    # Add the following container to containers in the deployment:
    - name: nginx
      image: nginx:latest
      imagePullPolicy: Never            # Uses the image pulled to the node in Step 1
      command: [ "/bin/bash", "-c", "--" ]
      args: [ "sleep infinity" ]        # Keeps the container alive; Nginx is started manually in Step 7
      volumeMounts:
        - name: nginx-conf
          mountPath: /etc/nginx

    # Add the following volume to volumes in the deployment:
    - name: nginx-conf
      hostPath:
        path: /{Path A}/       # Path of the Nginx configuration files and certificate/key files. Replace Path A with the file path in Step 2.
    
  7. Start Nginx in the master pod and in every worker pod. For a single-pod task, start only the master pod Nginx; it is still needed for the hop to ClusterD.
    ## Open a shell in the Nginx sidecar container.
    kubectl exec -it -n {Task namespace} {Task pod name} -c nginx -- bash
    ## Start the Nginx process and enter the private-key passphrase when prompted (for the master pod, the passphrase of server.key). Because the passphrase is entered interactively, Nginx has to be started this way again whenever the pod restarts.
    nginx -c /etc/nginx/conf/{master or worker}_nginx.conf